Privacy Policy

Download data management information: pdf, 888Kb 

  

For shopping at the pmmhealth.net webshop, for using the website 

  

Pharmarkt Med Zártkörűen Működő Részvénytársaság as a data controller (hereinafter referred to as: “Data Controller”), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR, hereinafter referred to as the “Regulation”), informs the users and customers of the webshop as data subjects about the conditions of data processing relating to the service provided by it, as well as the rights of data subjects and their legal remedies in relation to data processing: 

  

Terms used in the Information 

  

Website: https://pmmhealth.net 

  

Webshop: the webshop available on the Website 

  

Data subject: any specific, identified or – directly or indirectly – identifiable natural person based on personal data; 

  

User: a visitor to the Website, any person who uses an online service available on the Website; 

  

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person; 

  

Consent is any voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear and unambiguous affirmative action, signifies agreement to the processing of personal data concerning him or her; 

  

Data processing: any operation or set of operations which is performed on personal data or on data files, whether or not by automated means, such as collection, recording, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

  

Data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific aspects relating to the designation of the controller may also be determined by Union or Member State law; 

  

Data processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; 

  

Data transfer: the making of data available to a specified third party; 

  

Recipient: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether or not it is a third party; 

  

Third party/party: the natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process the personal data; 

  

Disclosure: the making of data available to anyone; 

  

Erasure: the rendering of data unrecognizable in such a way that their recovery is no longer possible; 

  

Data breach: any breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; 

  

Information on data processing 

  

II.1. Data controller's details and contact information 

  

The data controller is Pharmarkt Med Zártkörűen Működő Részvénytársaság 

Registered office: 1151 Budapest, Károlyi Sándor utca 121. O. ép. 2 

Tax number: 24751982-2-42, 

Company registration number: 01-10-047925 

- e-mail address: info@pmmhealth.net 

  

II.2. Data processing related to registration and purchase in the web store 

  

Scope of processed data: name, e-mail address, password in case of registration, delivery address, telephone number, order data 

  

Purpose of processing personal data: for the performance of a contract, for purchases in the web store, for payment, delivery, and the fulfillment of legal obligations incumbent on the Data Controller 

  

The legal basis for data processing: performance of a contract (Article 6 (1) b) of the Regulation, and Section 13/A (1) and (2) of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society), user consent in the event of registration (Article 6 (1) a) of the Regulation), documentation of the purchase and payment, fulfillment of accounting obligations, and fulfillment of legal obligations during the issuance of invoices and payment (Article 6 (1) c) of the Regulation), and Section 169 (2) of the Accounting Act and Section 169 of the VAT Act. 

  

In the absence of consent, the user cannot register, and therefore cannot use the convenience services available to registered users. 

  

The registered user may withdraw his/her consent at any time via the website or by contacting the Data Controller, however, this does not affect the lawfulness of the previous data processing. 

  

Duration of personal data processing: 5 years after the termination of the contract; until the consent is withdrawn with regard to data related to registration; if the Data Controller is obliged to retain the data pursuant to the Accounting Act, in the case of a product purchase, eight years pursuant to Section 169 (2) of the Accounting Act. 

  

Person of potential data controllers entitled to access the data, recipients of personal data: personal data may be processed by the Data Controller’s employees providing webshop services in the course of performing their duties. Additional potential recipients of personal data are described in the section on data processors in the Information. 

  

Payments by bank card are made via the Barion online payment system. The User provides the bank card details required for payment on the Barion website, so the Data Controller does not perform any data processing operations with the user's bank card details during payment. More information about data processing in the Barion system can be found at https://www.barion.com/hu/adatvedelmi-tajekoztato/. 

  

II. 3. Newsletter subscription 

  

The Data Controller provides the opportunity to subscribe to the newsletter on the Website. The User can thereby give prior and express consent - bearing in mind the provisions of this Information - to be contacted at the provided contact details regarding the Data Controller's offers, promotions, and other mailings (newsletter), and to the Data Controller processing his/her personal data. The Data Controller does not send unsolicited advertising messages. In the case of a newsletter, the Data Controller processes the User's data provided during the newsletter subscription until the User unsubscribes from the newsletter by clicking on the "Unsubscribe" button at the bottom of the newsletter message or requests - without limitation or obligation to justify - to be removed from the list of newsletter subscribers by e-mail or by post. In the event of unsubscribing, the Data Controller will not contact the User with further newsletters or offers. The User can unsubscribe from the newsletter free of charge at any time and withdraw their consent. 

  

The scope of personal data processed: name, e-mail address, date of subscription, IP address at the time of subscription. 

  

Purpose of data processing: sending e-mail newsletters containing commercial advertising, information about current information and promotions related to the products sold, direct marketing inquiries, making personalized offers, maintaining contact. 

  

Legal basis for data processing: the User's voluntary consent under the GDPR. Article 6 (1) a) and Section 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society, and Section 6 (5) of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities. 

  

Duration of data processing, deadline for data deletion: data processing lasts until the withdrawal of the consent declaration, i.e. until unsubscription. The User may unsubscribe from the newsletter at any time, free of charge, at the contact details of the Data Controller specified in this information. The Data Controller will inform the User electronically about the unsubscription or deletion from the newsletter address list. 

  

Potential data controllers entitled to access the data, recipients of personal data: personal data may be processed by the marketing staff of the data controller. 

  

In the event of failure to provide data, the data subject will not receive the newsletter. 

  

II.4. Customer correspondence 

  

When using the Data Controller's services, the User may contact the Data Controller. The Data Controller shall record all messages received with the sender's full name, e-mail address, date, time and other personal data provided in the message. 

gyütt deletes it after a maximum of 2 years from the date of data disclosure. 

The retention period of the records recorded during the complaint handling is 5 years from the date of recording. 

The legal basis for data processing: the User's voluntary consent pursuant to Article 6(1)(a) of the GDPR, which is given by sending the message as a referring behavior. 

  

II.5. Data of the Website visitors 

  

The scope of personal data processed: identification number, date and time of visit, IP address of the user's computer at the time of visit, name of the user's service provider. 

  

The purpose of data processing: statistical purposes, information analysis of website visits, monitoring the operation of services during website visits, prevention of abuse. 

  

The legal basis for data processing: the Data Controller has a legitimate interest in identifying users and preventing abuse; Article 6(1)(f) of the GDPR, Act on the Economy and Finance. 13/A. § (3) paragraph. 

  

Scope of users: visitors to the Website. 

  

Duration of data management: one month from the date of viewing the website. 

  

II.6. Technical data and cookies managed in connection with the use of the Website 

  

Managed data: the data of the User's login computer that is generated during the use of the service and that the Data Controller's (in this case hereinafter referred to as the Operator) system records as an automatic result of technical processes, in particular the date and time of the visit, the IP address of the User's computer, and the type of browser. 

The automatically recorded data is automatically logged by the system upon entry or exit without a separate declaration or action by the User. This data cannot be linked to other personal user data - except in cases required by law. Only the Operator has access to the data. 

  

In order to provide customized service, the Operator and the designated external service providers place and read back a small file containing a string of characters, called a cookie, on the User's computer. If the browser sends back a previously saved cookie, the service provider managing the cookie has the opportunity to link the data saved during the User's current visits with the previous ones, but only with regard to its own content. The Operator uses the following cookie: 

  

1. One type of cookie is the cookies used by a third party independent of the Operator, Google Analytics, which collects information for statistical purposes, such as which page the visitor viewed; which part of the website the user clicked on; how many pages they visited; how long each session was viewed; what were the possible error messages, etc. The purpose of Google Analytics is to create a statistical report from the data that allows the development of the website and its functions, thereby improving the experiences provided to users, and providing smooth and appropriate quality services. The data provided to the Operator by Google Analytics is transferred exclusively in an anonymized manner, in the form of statistical reports, so that individual persons cannot be identified from them, either directly or indirectly. The Operator is not responsible for the data processing carried out by Google Analytics. 

You can find further information about Google Analytics cookies at the following link: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage 

Accepting or allowing the use of Google Analytics cookies is not mandatory. You can refuse their use. All modern browsers allow changing the settings of cookies. Although most browsers automatically accept cookies by default, these can usually be changed to prevent automatic acceptance and offer you the option to choose each time. Please note that by preventing or deleting cookies, users may not be able to fully use the functions of the www.pmmhealth.com website and the website may not function as intended in your browser. 

You can find information about the cookie settings of the most popular browsers at the following links: 

  

Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu 

  

Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn 

  

Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11 

  

Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7 

  

Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9 

  

Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/in 

ternet-explorer/delete-manage-cookies#ie=ie-8 

  

Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq 

  

Safari: https://support.apple.com/hu-hu/HT201265 

  

2. The Operator uses other types of cookies to inform about the cookies used by Google Analytics. These cookies allow the user not to have to accept the use of cookies every time on the website, by remembering the IP address and the fact that the information has been provided. Apart from these two pieces of data, these types of cookies do not collect any other data, so individual persons cannot be identified from them, either directly or indirectly. 

The “Help” or “Settings” function in the menu bar of most browsers provides information on how the User can 

  

disable cookies in their own browser, 

  

how to accept new cookies, 

  

how to instruct their browser to set a new cookie, or 

  

how to disable other cookies. 

  

If the User does not want external service providers to measure the above data in the manner and for the purpose described, they should install the add-on that blocks this in their browser. 

  

II.7. Recipients, data processors used by the data controller 

  

During the delivery of the products, 

Webshippy Kft. 

Registered office, postal address, customer service address: 2151 Fót, 0221/12 

Processed data: name, telephone number, shipping address, other information related to delivery. 

  

During the technical operation of the Website and the Webshop, the data processor is 

Sigmanet Kft. 

Registered at: 1132 Budapest, Victor Hugo u. 22. 

. 

Tasks: IT systems, website operation, hosting services 

Processed data: during the performance of the data processor's task, it processes all data related to the use of the Website and the Webshop on behalf of the Data Controller. 

  

During the marketing organization, the data processor is 

GURUTECHshop Kft. 

Registered at: 1045 Budapest Széchenyi tér. 

Tasks: online and other marketing organization, management of Adwords and Facebook, Instagram TIktok accounts 

Processed data: name, e-mail address of newsletter subscribers, technical data related to the use of social media accounts 

  

II. 7. Data security measures 

  

The Data Controller ensures the security of the data, takes technical and organizational measures (password protection, logging, access rights regulation, physical security measures, etc.) and develops procedural rules that ensure that the recorded, stored and processed data are protected and prevent their destruction, unauthorized use and unauthorized modification. It calls on third parties to whom the data subject has been transferred to comply with the data security requirements. The Data Controller ensures that unauthorized persons cannot access, disclose, transfer, modify or delete the processed data. 

The Data Controller will do everything in its power to ensure that the data is not damaged or destroyed. The Data Controller also requires the above commitment from its employees involved in data processing activities and from data processors acting on behalf of the Data Controller. 

The Data Controller shall carry out the necessary developments and modifications as technical possibilities change. 

  

III. Rights of the data subjects and enforcement options 

  

Right of access 

  

The data subject has the right to request information from the Data Controller as to whether his or her personal data is being processed and, in the event of ongoing data processing, to receive access to the personal data and the following information: 

a) the purposes of the data processing; 

b) the categories of personal data concerned; 

c) the recipients or categories of recipients to whom or to which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; 

d) the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period; 

e) the right of the data subject to obtain from the controller rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data; 

f) the right to lodge a complaint with a supervisory authority; 

g) where the data were not collected from the data subject, all available information on their source; 

The data subject may request a copy of the personal data which are the subject of the processing free of charge. shall provide the data subject with a copy. For any further copies requested by the data subject, the Data Controller may charge a fee based on administrative costs. 

If the data subject has submitted the request electronically, the Controller shall provide the information in electronic format, unless the data subject requests otherwise. 

  

Right to rectification 

  

The data subject shall have the right to obtain from the Controller, upon request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement. 

  

Right to erasure, right to be forgotten 

  

At the request of the data subject, the Controller shall be obliged to erase personal data concerning the data subject without undue delay if 

- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; 

- the data subject withdraws his or her consent on which the data processing is based and there is no other legal basis for the data processing; 

- if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data are processed for direct marketing purposes and the data subject objects to the processing; 

- the personal data have been processed unlawfully; 

- the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the Controller is subject. 

  

Where the Controller has made the personal data public and is obliged to erase them on the basis of the above, the Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, those personal data (right to be forgotten). 

  

Right to restriction of processing 

  

The data subject shall have the right to obtain from the controller, at his request, restriction of processing where: 

- the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data; 

- the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead; 

  

- the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; 

  

- the data subject has objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override those of the data subject. 

  

Personal data subject to restrictions may be processed, with the exception of storage, only with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the Union or of a Member State. 

The Data Controller shall inform the data subject at whose request the processing has been restricted in advance of the lifting of the restriction of the processing. 

The Data Controller shall inform all recipients to whom or to whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The Data Controller shall inform the data subject of these recipients upon request. 

  

Right to data portability 

  

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another data controller, where the processing is carried out by automated means and the processing is based on the data subject's consent or on a contract to which the data subject is a party. 

  

Right to object 

  

The data subject shall have the right to object to the processing where the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party. 

In such a case, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. 

If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, insofar as it is related to direct marketing. If the data subject objects to the processing of personal data for such purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, insofar as it is related to direct marketing. 

against the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for this purpose. 

  

Procedure for exercising the rights of the data subject 

  

The Data Controller may not refuse to comply with the data subject's request to exercise the above rights, unless it proves that it is not in a position to identify the data subject. The Data Controller shall take all reasonable steps to establish the identity of the data subject requesting access. If the Data Controller can prove that it is not in a position to identify the data subject, it shall inform the data subject accordingly, if possible. In such cases, it shall not be able to comply with the request, unless the data subject provides additional information enabling his or her identification in order to exercise his or her rights. 

  

The Data Controller shall inform the data subject of the measures taken in response to his or her request as soon as possible, but no later than one month after receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request. If the data subject submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise. 

If the Data Controller does not take action following the data subject's request, it shall inform the data subject without delay, but no later than one month from receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy. 

The Data Controller shall provide the requested information, information and action free of charge. If the request of the data subject is manifestly unfounded or excessive, in particular due to its repetitive nature, the Data Controller may charge a reasonable fee, taking into account the administrative costs of providing the requested information or taking the requested action, or may 

refuse to act on the request. 

  

Informing the data subject about the data breach 

  

If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the data breach without undue delay in a clear and intelligible manner. 

In the information provided to the data subject, the Data Controller shall describe the nature of the data breach, the name and contact details of the contact person who can provide further information; describe the likely consequences of the data breach; describe the measures taken or planned to remedy the data breach, including, where appropriate, measures to mitigate any adverse consequences resulting from the data breach. 

The data subject does not need to be informed if any of the following conditions are met: 

  

a) the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data breach, in particular measures such as the use of encryption that make the data unintelligible to persons not authorised to access the personal data; 

b) the Data Controller has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise in the future; 

c) the information would involve a disproportionate effort. In such cases, the data subjects must be informed by means of publicly published information or a similar measure must be taken to ensure that the data subjects are informed in an equally effective manner. 

  

Right to a legal remedy 

  

a) The data subject may contact the Data Controller with any comments regarding the processing of his or her personal data at any of the contact details provided in this Notice. 

b) Compensation and damages: Any person who has suffered material or non-material damage as a result of a breach of the Data Protection Regulation is entitled to compensation from the controller or processor for the damage suffered. The processor shall only be liable for damage caused by the processing of data if it has not complied with the obligations laid down in law expressly incumbent on the processor or if it has disregarded or acted contrary to the lawful instructions of the controller. 

If more than one controller or more than one processor or both the controller and the processor are involved in the same processing and are liable for the damage caused by the processing 

 

reasons, each data controller or data processor is jointly and severally liable for the entire damage. 

The data controller or data processor is exempt from liability if it proves that it is not responsible in any way for the event that caused the damage. 

  

c) Right to go to court: the data subject may go to court against the Data Controller in the event of a violation of his or her rights. The court shall proceed with the case ex officio. The court shall adjudicate the case. The court may also initiate the case – at your choice – before the court of your place of residence (you can view the list of courts and their contact details via the following link: http://birosag.hu/torvenyszekek). 

d) Data protection authority procedure – the data subject may lodge a complaint with the competent authority regarding data processing: 

Name: National Data Protection and Freedom of Information Authority 

Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. 

Mailing address: 1530 Budapest, P.O. Box: 5. 

Telephone: 06.1.391.1400 

Fax: 06.1.391.1410 

E-mail: ugyfelszolgalat@naih.hu Website: http://www.naih.hu 

  

Valid: August 20, 2022. from the 20th.