Privacy policy

CALENDULAPHARMA.COM

1. Data controllers / data processors

Data controller, data processor, operator – Website owner

hereafter, WT

Name of service provider, data controller

hereafter, TSZ

Google Analytics

hereafter GA

Other data controller, data processor – Google

Online payment processor, data controller – Paypal

Online payment processor, data controller – Paypro

For payment by bank transfer, processor, controller

Billing information, data processor, data controller

Other data processors used

2. Definitions

• GDPR (General Data Protection Regulation) is the European Union (European Parliament and Council) Data Protection Regulation 2016/679;
• Data management: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
• Personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• Special data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data or biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons;
• Data controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
• Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;
• Data transmission: if the data are disclosed to a specified third party;
• Disclosure to the public: if the data are made available to anyone;
• Data deletion: data rendered unrecognisable in such a way that it cannot be recovered; automated dataset: a set of data that is processed automatically;
• Machine processing: includes the following operations, if they are carried out in whole or in part by automated means: storage of data, logical or arithmetical operations on data, alteration, deletion, retrieval and dissemination of data;
• Data protection incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
• Third party: any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process the personal data;
• Visitor: visitors of the calendulapharma.com website;
• User: registered members of the calendulapharma.com website;
• Buyer: website visitors who attempt to use a service, register as a customer with the intention of making a purchase

The Operator operates a webshop for Users and Visitors through the aforementioned calendulapharma.com website for dietary supplement products made from medicinal herbs.

The content placed and published on the site can be visited, viewed and browsed by the Visitors without registration (without providing a username, password, email address, telephone, shipping and billing address).

3. Data management and processing policies

3.1. The controller(s) and processor(s) declare that they will process the personal data in accordance with the provisions of the Privacy Policy and will comply with the applicable law, in particular with regard to:

3.1.1. The Data Controller undertakes to publish a clear, prominent and unambiguous notice (privacy statement) informing users and visitors about the method, purpose and principles of data collection before recording, recording or processing any data of their users or visitors. The processing of personal data must be lawful, fair and transparent to the data subject.

3.1.2. In addition, the Data Controller draws the user’s attention to the voluntary nature of the data provision.

In all cases where the Data Controller requests personal data from its Visitors and Users, they are free to decide whether or not to provide the requested information after reading and understanding the required information text. However, if a person does not provide personal data, he or she may not be able to use the service from the Operator that requires the provision of personal data.

3.1.3. The data subject must be informed about the purposes of the processing and who will process the data. Personal data may only be collected for specified, explicit and legitimate purposes and not processed by the Controller in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purposes (“purpose limitation”);

3.1.4. In all cases where the Data Controller intends to use the data provided for purposes other than those for which they were originally collected, the Data Controller shall inform the User thereof and obtain his/her prior explicit consent or provide the User with the opportunity to prohibit such use.

3.1.5. The purposes for which personal data are processed must be adequate, relevant and limited to what is necessary.

3.1.6. Personal data must be accurate and up to date. Inaccurate personal data must be deleted without delay.

3.1.7. Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary. Personal data may be stored for longer periods only if the storage is for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes.

3.1.8. Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.

The Data Controller undertakes to ensure the security of the data, to take technical and organisational measures and to establish procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require any third party to whom it may transmit or transfer the data to fulfil its obligations in this respect.

3.1.9. All employees and senior managers of the Data Controller are entitled to access the data processed by the Data Controller. Information about processing shall also be provided where the law provides for the inclusion of data by transfer or interconnection from existing processing.

3.1.10. The data protection principles apply to any information relating to an identified or identifiable natural person.

3.1.11. The Data Controller shall in any case respect the limitations set out in the Principles when collecting, recording and processing data, and shall inform the data subject of its activities by electronic mail, as requested. The Data Controller undertakes not to impose any sanctions on a user who refuses to provide non-compulsory data.

3.1.12. By personally identifiable data and information we mean personal data relating to natural persons that can be used to identify someone personally, to contact someone for communication or to determine someone’s physical location, including but not limited to: name, address, postal address, telephone number, email address.

3.1.13. Anonymous information that is collected in a way that excludes personal identifiability and cannot be linked to a natural person is not personal data, nor is demographic data collected in a way that does not link it to the personal data of identifiable persons and thus does not establish a link to a natural person.

3.1.14. This Privacy Statement is about the protection of personal data of visitors, registered users not intended for public disclosure, but made available to the Data Controller, Operator. If a person voluntarily discloses some or all of his/her personal information, such information is not covered by this Privacy Policy.

3.1.15. In each case, we will indicate which data we ask you to provide on a “mandatory” basis during registration, for what purposes and under what conditions. The term “mandatory” in this case does not refer to the mandatory nature of the data collection, but to the fact that there are some records without which the registration cannot be completed successfully, so that leaving certain fields blank or filling them in incorrectly may lead to the rejection of the registration.

3.1.16. Personal data provided to us by Visitors and Users will not be disclosed to third parties under any circumstances unless authorised.

However, if the Data Controller is requested by the competent authorities to provide personal data in the manner required by law (e.g. in case of suspicion of a crime, in an official data seizure order), we will provide the requested and available information in compliance with our legal obligation.

Where our Users provide us with personal data, we will take all necessary steps to ensure the security of that data – both during network communication (i.e. online processing) and during storage and retention (i.e. offline processing).

3.1.17. As the Data Controller, we ensure that Visitors can access, correct and amend their own personal data through the same communication channels and by providing the same facilities through which their personal data was previously made available to us. In this way, as Data Controller, we ensure that Users’ personal data is kept up to date, accurate and timely.

3.1.18. If any User requests that we delete his or her personal data from our own system (in certain cases, of course, with the understanding that he or she will no longer be able to use the service to which the data belonged or in a way that he or she cannot use it), we will do so without delay.

3.1.19. In the case of online payment, the Data Controller may, with the prior information of the registered User, provide the e-mail address, name and telephone number assigned to the User’s profile to the payment service provider for the purposes of providing customer service assistance to Users, confirming transactions and fraud analysis.

4. Additional guarantees to protect your data

In the following sections, we draw your attention to the rights of all data subjects.

4.1. The data subject has the right to be informed about the processing of his or her data (data subject’s right of access).

4.2. The data subject shall have the right to obtain, at his or her direct request, the restriction of processing by the Controller where any of the grounds listed herein apply:

4.2.1. The data subject contests the accuracy of his or her personal data, in which case the restriction applies for the period of time that allows the Controller to verify the accuracy of the personal data;

4.2.2. The processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of their use instead;

4.2.3. Where the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims;

4.2.4. The data subject has legitimately objected to the processing; in this case, the restriction is limited to the following dates, until it is established whether the legitimate grounds of the controller prevail over the legitimate grounds of the data subject.

4.3. The data subject has the right to obtain information about the automated processing of personal data, its main purposes and the identity and habitual residence or registered office of the controller.

4.4. The data subject has the right to be informed, at reasonable intervals and without excessive delay or expense, whether or not his or her personal data are stored in an automated dataset and to be provided with information about those data in a form which he or she understands.

4.5. The data subject shall have the right to obtain, without undue delay, the rectification or erasure of such data where justified (right to be forgotten). The Controller shall inform all recipients of any rectification, erasure or restriction of processing to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the data subject of these recipients.

4.6. The data subject shall have the right to obtain, in the course of processing based on consent, in the case of automated processing, the information relating to him or her which he or she has provided to Calendula Pharma Co. Ltd. in a structured, commonly used, machine-readable format, and to obtain the right to obtain from Calendula Pharma Co. Ltd. to transfer these data to another controller. The exercise of this right shall not infringe the right to be forgotten and shall not adversely affect the rights and freedoms of others.

4.7. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions;

4.8. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except in the circumstances set out in Article 22 of the GDPR (automated decision-making);

4.9. The data subject shall have the right to a judicial remedy if his or her request for information or, in justified cases, for notification, rectification or erasure, as provided for by law, is not complied with. At the request of the data subject, the Controller shall provide information on the data processed by the controller or by a processor to whom the controller has delegated the processing, the purposes, legal basis and duration of the processing, the name and address (registered office) of the processor and the activities of the processor in relation to the processing, as well as the persons to whom and the purposes for which the data are or have been disclosed. The data controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but not later than 30 days. The data subject may, in the event of a breach of his or her rights, take the Controller to court. The Controller shall be liable for any damage caused to another person by unlawful processing of the data of the data subject or by a breach of the requirements of technical data protection compensate the data subject for any damage caused to another party.

The Data Controller is also liable to the data subject for damage caused by another Data Processor employed by the Data Controller. The Data Controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of the processing. No compensation shall be payable in so far as the damage resulted from the intentional or grossly negligent conduct of the person who suffered it.

5. The data processed and their legal basis

5.1. Legal basis of the data processed

The provisions on data processing and the protection of the personal data of Visitors apply only to natural persons, given that personal data can only be understood in relation to natural persons (pursuant to Act CXII of 2011 on the right to information self-determination and freedom of information), and therefore this privacy policy is binding only in relation to the processing of personal data of natural persons who register on the website.

5.1.1. The legal basis for the processing under 5.2.1 is the consent of the data subjects and the legitimate interest of the Data Controller in the performance of the contract between the data subject and the Data Controller (Article 6(1)(b) GDPR).

5.1.2. The legal basis for the processing of data under 5.2.3 – 5.2.6 is the consent of the data subjects. The data subjects give their consent during the registration process by ticking a checkbox for each processing purpose and by subsequently providing their personal data (e.g. username, password, email address, telephone number, delivery and billing address).

5.1.3. The legal basis for the processing of data under 5.2.2. is, in particular, Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax and Section 167 of Act C of 2000 on Accounting.

5.1.4. The legal basis for the processing provided for in points 5.2.5 and 5.2.6 is the legitimate interest of the Data Controller in the performance of the contract between the data subject and the Data Controller (Article 6(1)(b) GDPR).

The users of the Website accept the functioning of cookies by clicking on the “Login” button when accessing and logging in to the Website, both as a visitor and as a registered user. In case of acceptance of the use of cookies, the information and consent shall also apply to the use of the Website in subsequent connections to the user’s device.

5.2. Scope of data processed and purpose of data processing

The process personal data only for specific purposes in the exercise of its rights and obligations. The processing must comply with this purpose at all stages.
Only personal data which are necessary for the purposes of the processing, adequate for the purpose, necessary for the fulfilment of that purpose, and necessary for the purposes for which they are processed may be processed to the extent and for the duration necessary for the purposes of the processing.

5.2.1. Purpose of processing: to provide the services of the webshop, to fulfil the related contractual rights and obligations.

Data processed: surname, first name, e-mail address, password*, telephone number, delivery address.

In addition, we also process the following data to ensure the quality of the service, to comply with the General Terms and Conditions and for the legitimate interest of the service provider:

Customer service correspondence, call data (call number, time of call, duration) and log files of the use of the functions provided by the system.

*The password of the user’s choice, which is entered into the database in encrypted format in accordance with the technical and legal requirements of the present day. Passwords are not accessible to data controllers in unencrypted form.

5.2.2. Purpose of data processing: to fulfil statutory tax and accounting obligations (accounting, taxation).

Data processed: personal data as defined by law, in particular billing name, company name, tax number, billing address, e-mail address, payment details.

5.2.3. Purpose of processing: use for marketing purposes, sending newsletters (commercial offers), use for direct marketing purposes.

Data processed: name, e-mail address, telephone number

5.2.4. Purpose of data management: informing users, providing services.

Data processed: the data indicated in point 5.2.1

5.2.5. When visiting the calendulapharma.com website, certain parameters of Visitors and Users are recorded on TSZ servers, which may be accessed by WT.

These logging parameters – automatically recorded – can be any of the following, depending on what the website’s program code can identify for a given visitor:

• Date and time of visits, time spent on the website, activity carried out during this time, time of exit
• Visitor’s browser type, resolution, language, operating system, type of computing device
• Visitor IP Address

The purpose of processing this data is to ensure quality and to provide WT with statistics for the website. The duration of this processing is 365 days – unless the visitor requests otherwise, by indicating his/her request for deletion at one of the WT contact details provided in this information.

5.2.6. Cookie: cookies are information automatically logged by the TSZ servers. The Fund Manager uses the following cookies:

(a) Session cookies

(b) Functional cookies

The purposes, legal basis, duration and other information about the processing of cookies can be found in section 10 of this Privacy Policy.

5.3. Automated decision-making

The Data Controller uses automated decision-making (profiling) to develop discount offers as follows.

We offer discount offers based on the registration data, the time since the previous purchase and the user’s activity on the Website.

6. How the website works

6.1 Acceptance of coockies and data management

The calendulapharma.com website is an online webshop website for the purchase of herbal dietary supplement products. Visitors to the website are greeted by a pop-up window in the footer, in which both the cookies used by the site and the acceptance of this Privacy Policy are mandatory. If the visitor/user wishes to place an order or subscribe to a newsletter, he/she will not be able to proceed further in the process until he/she accepts this Privacy Policy.

The Service is free of charge to registered or unregistered users viewing and browsing the site, and charges are only incurred when purchasing the product(s).

The products can be paid by bank transfer, credit card, paypal and cash on delivery.

6.2. Registration

The content placed and published on the site can be visited, viewed and browsed by visitors without registration and free of charge (without entering a username, password or email address).

Purchases can be made without registration, but the User experience may be improved in case of a possible future order if the data does not have to be entered repeatedly each time.

6.3 Customer registration

Scope of data processed when registering as a customer:

Last Name, First Name, username, email address, password.

Without the information listed here, the registration cannot be completed and cannot be validated.

After registration, the registration becomes valid and can be used on the website by clicking on the validation link sent to the registered email address in a confirmation email.

In addition, customers provide/may provide additional data when using the website, for the purpose of using the Operator’s service and making a purchase:

Billing name, billing address, delivery address, company name, tax number, telephone number

After registration, Users can view their order history, save their shipping details, login details, favourite products, preferred payment methods to facilitate future purchases and improve the user experience.

Registered Buyers, after a successful purchase, can leave reviews on the published products, which will be visible to all visitors and users.

7. Important data processing information, request for data erasure

The duration of data processing always depends on the specific purpose of the user.

Unless otherwise provided for by law or the data subject, the Controller shall delete the data the day after the following periods (as the time when the purpose of the processing ceases to exist).

The Data Controller shall delete the data pursuant to the processing under clauses 5.2.1, 5.2.3, 5.2.4 on the 730th day after the inactivity of the User concerned, if the conditions for such inactivity set out in the legislation are met (this period being extended by the hibernation period initiated by the User in any case), and the User’s registered membership shall cease in accordance with the contractual terms between the parties.

The data processing under clause 5.2.2. shall remain valid for the period specified by law

(end of 8 years after the termination of the contract between the parties).

The Data Controller shall process the data subject to the processing under clauses 5.2.5 to 5.2.6 for the period of time specified in clause 10 of this Privacy Statement.

You may request the deletion of the data before that time, provided that you can prove that you are entitled to have the data deleted. The request for data erasure may be made in writing, by sending an e-mail to contact@calendulapharma.com or to the postal address of WT.

The way to provide proof is by requesting the deletion from the email address indicated in your registration profile. In the case of a request by post, the data controllers will assess individually the presumption of identity of the person requesting the deletion and the request for deletion.

If the legal basis for the deletion of data cannot be demonstrated by the data subject in any of the above ways, a case-by-case and individual assessment may be made by requesting other identification, such as the exact date of registration (year/month/day) and/or the IP address, for example if the data subject can provide the IP address used at the time of registration.

The modification or deletion of personal data can be initiated by e-mail, telephone or letter using the contact details provided in this GDPR notice.

8. How the data is stored

As a data subject, you have the right to object to the processing of your personal data, in accordance with the procedure set out in the processing information and this notice and the legislation described in this notice.

The controller or processor in the course of his or her activities shall ensure that the data security of the data and shall take the technical and organisational measures and to establish the procedural rules necessary to comply with the Data Protection Act and the other data protection and confidentiality rules. The data must be protected in particular against unauthorised access, alteration, disclosure or deletion, damage or destruction.

9. Newsletter

We declare that the information and brochures we publish fully comply with the relevant legal provisions. In accordance with Article 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities and the provisions of the Info tv. According to Article 5 (1) a) of the Info Privacy Act, the User may expressly consent in advance to being contacted by WT with advertising offers and other mailings at the contact details provided upon registration and to the processing of his/her personal data for the purpose of sending advertising offers.

Data processed: last name, first name, username, email address,

Legal basis for data processing: the User may unsubscribe from receiving offers and newsletters without any restriction and without giving any reason, free of charge. In this case, all personal data necessary for sending advertising messages will be immediately deleted from the register and the User will not be contacted with further advertising offers.
The possibility to unsubscribe from the newsletter will be indicated at the bottom of each newsletter.

Possible data controllers: personal data may be processed by the controller’s employees or, in the case of a separate written data processing contract, by subcontractors engaged by the controller, in compliance with the data protection legislation in force at the time.

Data subjects’ rights in relation to data processing: the data subject may unsubscribe from the newsletter at any time, free of charge. The data subject may request information from the controller about the processing of his/her personal data, and may request the rectification, erasure or blocking of his/her personal data. The Service Provider as data controller shall provide the information requested by the customer in writing in an intelligible form within the shortest possible period of time from the submission of the request for information, but not later than 30 days. If you have any questions or doubts about the data processed by the Service Provider, or if you wish to obtain clarification about your data, you may do so by sending an e-mail to contact@calendulapharma.com.

The advertiser, the advertising service provider or the publisher of the advertisement shall keep a record of the personal data of the persons who have given their consent within the scope specified in the consent. The data recorded in this register, relating to the recipient of the advertising, may be processed only in accordance with the consent given in the consent form, until it is withdrawn, and may be disclosed to third parties only with the prior consent of the person concerned.

10. Cookies

We use “cookies” on our website. These are small files that store information in the visitor’s – user’s – web browser. This requires your consent when you access the site.

We use cookies in accordance with the provisions of Act C of 2003 on electronic communications, Act CVIII of 2001 on certain aspects of electronic commerce services and information society services, and the European Union.

Analytical or performance monitoring cookies:

These help us to distinguish visitors to the website and collect data on how visitors behave on the website. They do not collect information that can identify you, the data is aggregated and stored anonymously (e.g. Google Analytics)

Functional cookies:

These cookies are used to improve the user experience. They detect and store, for example, the device you use to access the website, or information you have previously provided and requested to be stored, such as automatic login, the language you have chosen, or user changes you have made to other customisable elements of the website. These “cookies” do not track your activity on other websites. However, the information they collect may include personally identifiable information that you have shared.

You can delete or disable “cookies” in the browser programs you use. By default, browsers allow “cookies” to be set. You can disable this in your browser settings and delete existing ones. You can also set the browser to notify the user when a cookie is sent to the device. It is important to stress, however, that disabling or restricting these files will degrade the browsing experience and may also cause errors in the functionality of the website.

The cookies also record the following data to comply with the GTC and to meet legal obligations:

products viewed

time of last activity.

The cookies used on the site:

11. Data transmission

Our activities in order to provide the functions of the website, the legal basis of which is the consent of the data subject, are governed by the Infotv. § 5 (1) a) and the electronic commerce services and the information society Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services, Section 13/A (3) Paragraph 13(a) of Article 13(1) of the Act on Information Society Services.

The data processing concerns all users and the data subject to processing are includes password, first and last name of contact person, e-mail address, telephone number, delivery address and name, billing name and address, company name, tax number, payment method, comment, date of registration, IP address at the time of registration.

The processing lasts until the data subject’s consent is withdrawn.

TSZ is entitled to access the data, may process personal data as a data processor in compliance with the law.

The Operator shall transmit the User’s e-mail address, billing address and telephone number to the payment service provider(s) as defined in point 1 used for the payment of the product(s) as a separate data controller in accordance with the provisions of Directive (EU) 2015/2366 of the European Parliament and of the Council (Payment Services Directive – PSD2) and Act LXXXV of 2009 on the provision of payment services.

The scope of the data transmitted to the payment service provider is set by the card company’s specifications based on the EMV (Europay-MasterCard-Visa) standard, which is designed to enable even more secure customer authentication.

For the provision of the payment service, Erste Bank Zrt. and Paypal and Paypro, as online payment service providers, are considered as data controllers and not as data processors used by the Operator, on the basis of which they carry out the processing on the basis of their own data processing policies and under their own responsibility. The data protection notices governing the processing of data by Erste Bank Zrt. and Paypal, Paypro are available at the following links:

https://www.erstebank.hu/hu/adatkezelesi

https://www.paypal.com/webapps/mpp/ua/privacy-full

https://docs.payproglobal.com/documents/legal/privacyPolicy.pdf

The purpose of the transfer is to ensure that the payment service provider is able to process payment transactions in accordance with the provisions of the above legislation. The above data shall be made available to the payment service provider exclusively for validation purposes on the issuing bank’s side. The acquiring bank merely transmits the necessary data and does not use or store them in any form.

The legal basis for the transmission of the data is the performance of the contract between the Operator and the User in relation to the products ordered, to enable the fulfilment of the obligations arising therefrom, such as ensuring payment of the price of the product(s) by using the online payment service, the Operator’s involvement in the payment process as a Service and the enforcement of the claim relating thereto. The duration of data processing lasts until the data transfer is completed.

Other data processors used:

The parties specified in point 1 of this Privacy Statement.

Description of the data subject’s rights in relation to data processing.

The data subject may request the controller to provide information on the processing of his/her personal data, request the rectification, erasure or blocking of his/her personal data.

The information may be deleted, corrected, erased or deleted, or the data subject may request the deletion or cancellation of the data subject’s personal data.

We will provide the information requested by the customer in writing in an intelligible form.

If you have any questions or doubts about the data processed you may send an e-mail to contact@calendulapharma.com. For a detailed explanation of data subjects’ rights and remedies in relation to data processing, please refer to points 3-4-5 of this notice.

The legal basis for the transfer of data is the consent of the User, in accordance with the provisions of the Infotv. 5 (1) a) of Article 5 (1) of the GDPR point 1(a) of the Data Protection Act, and the Act CVIII of 2001 on certain aspects of electronic commerce and information society services

Data security

The controller shall design and implement data processing operations in such a way that

ensure the protection of the privacy of the data subjects.

The controller or, in the scope of his activities, the processor shall ensure that

security of the data, and shall take the technical and organisational measures necessary to

technical and procedural measures and to establish the procedural rules required by the Info

and other data protection and confidentiality rules.

In particular, data must be protected by appropriate measures against unauthorised access, alteration, transmission, disclosure, publication, deletion or destruction, as well as accidental destruction or damage, and from changes in the technology used inaccessibility resulting from changes in the technology used.

In order to protect the data files managed electronically in the various registers appropriate technical arrangements must be in place to ensure that the data stored in the registers except where permitted by law, cannot be directly linked and be linked to the data subject.

When personal data are processed by automated means, the controller and the processor shall ensure by additional measures:

• prevent unauthorised data entry;
• the automated data processing systems are protected against unauthorised persons transmitting data with the usage of automatic data-processing systems by data transmission equipment;
• the verifiability and ascertainability of the personal data transmitted to which organisations using data transmission equipment or to which they may be transferred;
• the verifiability and ascertainability of which personal data, entered into the automated data-processing systems, when and by whom;
• the recoverability of the installed systems in case of an event of a failure; and the reporting of errors in automated processing.

Measures taken by the controller and the processor to ensure the security of the data shall take into account the state of the art in the field of data state of the art. Among several possible data processing solutions, the one that is the most appropriate should be chosen ensure a higher level of protection of personal data, unless this would involve a disproportionate would impose an excessive burden on the controller

12. Community sites

A social networking site is a media tool where the message is spread through social users. Social media uses the Internet and online publishing to enable users to engage with content. A person who fills in a form on the website – or sends an email to an email address, or a caller to a telephone number – is not directly or indirectly – automatically – linked to the social media page of the website.

Social media is the interface of web applications that hosts user-generated content, such as Facebook, Google+, Twitter, Instagram, LinkedIn, Pinterest.

Social media can take the form of public speeches, presentations, demonstrations, product or service launches. On the linked social networking site, visitors are not allowed to create their own posts or content because the controller does not provide the technical means to do so. However, visitors can comment on published articles, posts with images, video and audio. The moderation of comments is carried out by the data controller. By default, most comments are not displayed (for example, due to the use of a swear filter) and can be approved by the data controller afterwards.

The information published on social media can take the form of forums, blog posts, images, video, audio, message boards, but not email messages.

The data subjects are Users, Visitors.

It is important to note that when a user creates any personal data in his/her comment, he/she grants the social networking site operator a valid worldwide permission to store and use such content. Therefore, it is very important to make sure that the user has the right to disclose the information posted.

13. Copyright

13.1 The entire content of this website, including the source code, is the intellectual property of Calendula Pharma Co. Any reproduction of the textual, audiovisual and visual content of the website, in whole or in part, constitutes an infringement of copyright.

13.2 By ordering the Service, the User agrees that the Company may use the copyrighted elements provided by the User (in particular the text of the advertisement, the attached images and videos) without payment of any consideration, to the extent and within the scope necessary and useful for the provision of the Service, including the right to copy, reproduce, store, publish, distribute and adapt as necessary, and to grant the right to use to third parties, without any time or geographical (territorial) limitation. The right of use is exclusive and the Company is entitled to transfer it to third parties. With regard to the foregoing, the User may only transfer material created by him or other material in respect of which he holds the exclusive rights of use.

13.3 Public communication facilities

Any public communication channels (e.g. forums) that are part of our services are used by all users at their own risk. The copyright of the various postings belongs to the respective user, however, Calendula Pharma Co. Ltd. has the right to quote and reproduce them without restriction.

Comments may be printed or downloaded by third parties for personal use only, and may only be used, downloaded, downloaded or distributed by Calendula Pharma Co. Ltd. may only be used, distributed or reproduced with the written consent of Calendula Pharma Co. Ltd.

Users should note that various laws applicable to posts on public communication channels and public communications are applicable. We handle the data that can be used to reach users individually using our communication services with the utmost care, in strict confidence, without any unauthorised access and, apart from the exceptions provided for by law, without passing them on to third parties.

13.4 Links

Our Services may contain a number of links to other websites, which may be pages of other service providers. The data and information protection practices of these service providers are the responsibility of the The Data Controller is not responsible for the privacy practices of these information providers.

14. Proper use

The Site’s administrators and processors reserve the right to exclude visitors based on their IP address and/or telephone number and/or e-mail address in the event of improper use of the Site (such as, but not limited to, DDOS attempts, phishing, or attempts to access the Site’s administration or other non-public areas), aggressive, abusive, profane or other community-disruptive conduct, or misuse of the Site’s name. In cases deemed to be more serious, the owner will take the necessary legal action.

15. Warranty, guarantee, abuse, complaint handling

The payment system on the site – all material and moral liability is attributed to the person who initiates, attempts to initiate, or makes the transaction successful – complete. Website operators and data controllers and processors accept no financial liability for any loss or damage caused or alleged to be caused by the use of the website transactions that are initiated or processed by other unauthorised means or completed by third parties. Nor are they responsible for any charges resulting from incorrect transactions.

For more detailed terms and conditions on warranty and complaint handling, please consult the General Terms and Conditions: https://calendulapharma.com/en/terms-and-conditions/

16. Google Analytics

Calendulapharma.com uses Google Analytics. This activity is linked to the GA Privacy Statement.

https://policies.google.com/privacy?hl=hu

17. Final provisions

The information you provide is stored on a server operated by the hosting provider. In addition to the owner and operator, only our employees and those who maintain the server have access to the data, but they are all responsible for the secure handling of the data.

The name of the activity is: hosting service, server service.

Purpose of data processing: to ensure the functioning of the website.

Data processed: personal data provided by the data subject. The legal basis for processing is the consent of the data subject or processing based on law.

If you find any errors or omissions in this privacy policy, please notify us immediately. Our staff will make every effort to deal with the slightest user or visitor conflict promptly and, if necessary, to supplement or amend this Privacy Policy.

Rights in relation to data processing

Right to request information

You may request information from us, via the contact details provided, about what data our company processes, on what legal basis, for what purpose, from what source and for how long. Upon your request, we will send you information without delay, but within 30 days at the latest, to the e-mail address you have provided.

Right to rectification

You can ask us to correct any of your data using the contact details provided. Upon your request, we will do so without delay, but within 30 days at the latest, by sending you an e-mail to the e-mail address you have provided.

Right to erasure

You can ask us to delete your data using the contact details provided. At your request, we will do so without delay, but within 30 days at the latest, by sending you an e-mail to the e-mail address you have provided.

Right to blocking

You can ask us to block your data using the contact details provided. The blocking will last as long as the reason you have given us makes it necessary to store the data. Upon your request, we will do so without delay, but within a maximum of 30 days, by sending you an email to the email address you have provided.

Right to object

You may object to the processing of your personal data using the contact details provided. We will examine the objection within the shortest possible time from the date of the request, but no later than 15 days, decide whether it is justified and inform you of our decision by e-mail.

Enforcement possibilities in relation to data processing

If you experience unlawful processing, please notify us so that we can remedy the situation within a short period of time. We will do our utmost to resolve the problem in your interest.

If, in your opinion, the lawful status cannot be restored, please notify the authority using the following contact details:

Nemzeti Adatvédelmi és Információszabadság Hatóság

Postal address: 1530 Budapest, Pf.: 5.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat(kukac)naih.hu
URL: https://naih.hu
Coordinates: N 47° 30′ 56″; E 18° 59′ 57″

Laws on which the processing is based

• REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation).
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
• Act LXVI of 1995 on public records, public archives and the protection of private archival material.
• Government Decree 335/2005 (XII. 29.) on the general requirements of document management by public bodies.
• Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.
• Act C of 2003 on electronic communications.

The service provider intends to fully comply with the legal requirements for the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.

This Privacy Policy has been prepared pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data of natural persons and on the free movement of such data, taking into account the content of Act CXII of 2011 on the right to information self-determination and freedom of information.

20.04.2023