PRIVACY POLICY

 

 

Gergei Erdei sole proprietor (seat: 8 Athelstane Grove, E3 5JG London, United Kingdom; unique taxpayer reference: 4220596279; hereinafter referred to as: Sole Proprietor) shall hereby provide his client (hereinafter referred to as: Client / You) with information, in accordance with his obligations arising from the GDPR (i.e. from the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

 

In connection with the Sole Proprietor’s activity, the Sole Proprietor shall process the personal data of his natural person Clients. The Sole Proprietor shall collect and process such data through the Sole Proprietor’s website (www.gergeierdei.com) and the online store operated via the aforementioned website. The aim of this Privacy Policy is to provide the Clients with information regarding the data processing by the Sole Proprietor.

 

The Sole Proprietor reserves the right to update and modify the present Privacy Policy from time to time, in order to comply, at all times, with the obligations laid down in the effective legislative rules. In the case where any provision of the present Privacy Policy is modified, the effective version of the Privacy Policy shall be published on the Sole Proprietor’s website, by defining the date on which the modified Privacy Policy shall become effective.

 

1.1    DEFINITIONS

 

In order to comply with the requirements on clearness, clarity and on the provision of information in clear and plain language, the annex No. 1 to the present Privacy Policy shall include the principles for processing of data and the explanation of definitions used in this Privacy Policy.

 

1.2    CONTACT DETAILS OF THE SOLE PROPRIETOR AS DATA CONTROLLER

 

By taking into account the fact that the Sole Proprietor shall collect the Client’s data directly from the Client, the Sole Proprietor shall inform the Client of the following, in accordance with Article 13 of the GDPR:

 

  • contact details of the data controller: Gergei Erdei sole proprietor, seat: 8 Athelstane Grove, E3 5JG London, United Kingdom; unique taxpayer reference: 4220596279;
  • contact person regarding data protection related issues: Gergei Erdei, e-mail: orders@gergeierdei.com, phone number: +44 7761 811 500;
  • contact details of the data protection officer: there is no data protection officer designated.

 

The Sole Proprietor shall inform the Clients of the data required by the Article 13 of GDPR in the remaining part of this Privacy Policy.

 

1.3    CLIENT’S PERSONAL DATA PROCESSED BY THE SOLE PROPRIETOR

 

On the basis of Article 13 of GDPR, the Sole Proprietor shall hereby inform the Client of the legal basis and purposes of the processing of the Client’s personal data and also of the categories of recipients:

 

The Sole Proprietor shall process the Client’s data on the basis of the following legal basis:

 

  • legal basis marked with (A) – performance of a contract: in this case the processing of personal data is necessary for the performance of a contract to which the Client is a party (e.g. sale and purchase contract) or in order to take steps, at the request of the Client, regarding the personal data subject prior to entering into a contract – [Subsection (1) b) of Article 6 of GDPR]

 

The Sole Proprietor shall inform the Client that the data linked to this legal basis are preconditions for entering into a contract.

 

  • legal basis marked with (B) – Client’s consent: in this case the Client has given consent to the processing of his/her personal data for one or more specific purposes – [Subsection (1) a) of Article 6 of GDPR]

 

Before the consent to data processing is given, the Sole Proprietor informs the Client of the Client’s right to withdraw his/her consent at any time, which right of withdrawal is based on the Section (3) of Article 7 of GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before such withdrawal. Before the consent to data processing is given, the Sole Proprietor, regarding the data processed for direct marketing purposes, draws the Clients’ attention to the Clients’ right to object to processing his/her personal data for direct marketing purposes.

 

  • legal basis marked with (C) – legitimate interest: in this case the data processing is necessary for the purposes of the legitimate interest pursued by the Sole Proprietor or by a third party, except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject which require protection of personal data – [Subsection (1) f) of Article 6 of GDPR]

 

In this case, the Sole Proprietor shall be obliged to carry out a legitimate interest assessment. In the course of such legitimate interest assessment, the Sole Proprietor shall decide, on the basis of objective criteria, whether the purposes defined by the Sole Proprietor are overridden by the Client’s interest against data processing. In the course of such legitimate interest assessment, the Sole Proprietor shall particularly take into account the following:

  • the chosen method or technology on the basis of which the data is processed, shall be necessary for the Sole Proprietor’s legitimate interest;
  • data processing shall be proportional to the business needs, i.e. to the aim pursued;
  • data processing shall constitute an intervention which is as small as possible and the data processing shall be focused on the certain area of risk.

 

The purpose of data processing on the basis of legal interest shall be for example:

  • to develop business policy;
  • to take measures to develop services and products;
  • participation in legal procedures, enforcement of claims or to defend himself against a claim;
  • to maintain the security of information systems.

 

  • legal basis marked with (D) – compliance with a legal obligation: in this case, the data processing is necessary for compliance with a legal obligation to which the Sole Proprietor is subject – [Subsection (1) c) of Article 6 of GDPR]

 

Such legal obligation shall be e.g.: compliance with accounting or administrative requirements.

 

The Sole Proprietor shall inform his Clients that no automated decision-making shall take place on the basis of the evaluation of Clients’ personal data.

 

1.3.1 VISITING THE SOLE PROPRIETOR’S WEBSITE

 

In the case where anyone visits the Sole Proprietor’s website without carrying out any activity (e.g. purchasing) beyond surfing the website, the Sole Proprietor shall process the following data through his website:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| IP address | legitimate interest (C) | to identify the visitors of the website; to produce statistics and analysis |
| information regarding the scope of interest, habits, preferences (on the basis of browsing history) | data subject’s consent (B); legitimate interest (C) | provision of personalized services; to create personalized advertisements, to use comfort functions by the application of cookies |

 

Source of personal data:

The Sole Proprietor shall automatically record, by his hosting service provider, the user’s IP address in the data traffic record of the web server at the time when the user visits the website, and the Sole Proprietor shall process such IP address in connection with the provision of content services on the website, by taking into account the Sole Proprietor’s legitimate interest. The automatically recorded IP address shall be stored for no longer than 30 days from the date on which the IP address is recorded.

 

The Sole Proprietor shall place small data packages (i.e. cookies) on the website visitors’ computers in order to facilitate the provision of customized services. The purposes of placing cookies are to ensure the highest possible level of operation of the website and to ensure the provision of customized services and to improve the user experience. The website visitor may delete the cookie from his/her computer or may disable the cookies through the browser settings. In the case where the cookies are disabled, the full-scale operation of the Sole Proprietor’s website will not be provided. Detailed information on the use of cookies can be found in the cookie policy published on the Sole Proprietor’s website.

 

Recipients of personal data and the categories of recipients:

The Sole Proprietor shall not transfer the automatically recorded IP addresses and the data collected through cookies to any recipients other than the Sole Proprietor’s hosting service provider.

 

1.3.2 SIGN UP FOR NEWSLETTERS

 

There is a possibility to sign up for newsletters through the Sole Proprietor’s website, by giving your e-mail address. Signing up for newsletters does not require registration on the website. In the case where the Client consents to receive information relating to discounts, news or any other activities which are carried out by the Sole Proprietor, then the Sole Proprietor shall process the Client’s e-mail address for the purpose of sending newsletters in e-mails.

 

Signing up for newsletters is not a prerequisite for purchasing products through the online store. Signing up for newsletters is a separate function and is based exclusively on the Client’s need and consent.

 

In the case where the Client signs up for the newsletter through the Sole Proprietor’s website, then the Sole Proprietor shall process the Client’s following data:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| e-mail address | data subject’s consent (B) | to send newsletters; to carry out marketing and direct marketing activities |

 

The Sole Proprietor hereby informs the person who signs up for newsletters that, on the basis of Section (3) of Article 7 of GDPR, he/she shall have the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

When the Client is giving his/her consent, the Sole Proprietor shall inform the Client that where the personal data are processed for direct marketing purposes, the Client shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

The Client may unsubscribe from the newsletters by clicking on the link “Click here to unsubscribe from newsletters”, provided that the Client is also entitled to notify the Sole Proprietor via an e-mail (sent to the e-mail address defined in the Subsection 1.2) that he/she is willing to unsubscribe from the newsletters.

 

Source of personal data:

The Sole Proprietor shall collect the data listed above in the present Subsection, directly from the Client when the Client fills in the corresponding boxes displayed on the website.

 

Recipients of personal data and the categories of recipients:

The Sole Proprietor hereby informs the Clients that the data processed for the purpose of sending newsletters and carrying out marketing and direct marketing activities shall not be transferred to any other recipients.

 

1.3.3 TO CONTACT THE SOLE PROPRIETOR VIA E-MAIL OR DIRECTLY THROUGH THE WEBSITE, AND REQUEST FOR BID

 

In order to increase the efficiency of the Sole Proprietor’s services and to inform the Clients, the Sole Proprietor shall provide information to his Clients by answering the messages which the Clients have sent to the Sole Proprietor, either via e-mail to the Sole Proprietor’s e-mail address defined in Subsection 1.2 or directly via the Sole Proprietor’s website; in connection with these answer e-mails, the Sole Proprietor shall process personal data.

 

The Client may send e-mails to the Sole Proprietor regarding the following issues: leaving text messages to the Sole Proprietor; request information, or; request for bids, or; add comments on the products or services.

 

The Client may send messages to the Sole Proprietor directly through the contact page on the website regarding the following issues: leaving text messages to the Sole Proprietor, request information, or add comments on the products or services.

 

The Sole Proprietor shall process the following data in the course of contacting with the Client via e-mail or directly through the website:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| last name, first name | data subject’s consent (B) | to identify the Client; to indicate the correct name in the answer e-mail |
| e-mail address | data subject’s consent (B) | to send answer e-mail |
| other (data given by the Client) | data subject’s consent (B) | to send answer e-mail |

 

Source of personal data:

The Sole Proprietor shall collect the data listed above in the present Subsection, directly from the Client.

 

Recipients of personal data and the categories of recipients:

In the case of general request from the Client (comments; request for information), the Sole Proprietor shall not transfer to any other recipient the personal data which is processed for the purpose laid down in the present Subsection.

 

The Sole Proprietor hereby informs the person who sends a message through the website or an e-mail to the Sole Proprietor that, on the basis of Section (3) of Article 7 of GDPR, he/she shall have the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

1.3.4 PURCHASE FROM THE WEBSITE (ONLINE STORE)

 

The Sole Proprietor operates an online store through his website, which enables his Clients to purchase products online.

 

The Clients cannot register on the Sole Proprietor’s website as there is not an option to register. Accordingly, it is not required to register on the Sole Proprietor’s website in order to purchase products from the online store.

 

The Sole Proprietor shall process the Clients’ personal data for different purposes during other phases of the purchase, about which data processing the Client shall be informed below.

 

I.      Ordering products from the Sole Proprietor’s website, conclusion of the contract

 

In connection with placing an order, the Sole Proprietor shall process the following personal data:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| last name, first name | performance of the contract (A), legitimate interest (C) | to identify the purchaser, to complete an order, to determine the content of contract, to conclude the contract, to register the purchasers, to distinguish purchasers from each other, to record the details of the purchase and payment, to enforce the possible claims |
| address (billing address) [country name, county, town, postal code, street, floor, door, doorbell] | performance of the contract (A), legitimate interest (C) | to conclude the contract, to determine the content of contract, to enforce the possible claims |
| e-mail address | performance of the contract (A) | to confirm orders, to negotiate with the Client, to provide option to give feedback on products and services (including the delivery of products, too), in order to improve the quality of services |

Source of personal data:

The Sole Proprietor shall collect the data listed above in the present Subsection, directly from the Client.

 

In the case where the Client shall not provide the Sole Proprietor with the personal data listed above in the present Subsection 1.3.4.I., the Client will not be allowed to place an order.

 

In addition, the Sole Proprietor shall also process the following personal data in connection with placing an order:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| the time of use of (purchase) service | performance of the contract (A), legitimate interest (C) | to identify the purchaser, to complete an order, to determine the content of contract, to conclude the contract, to register the purchasers, to distinguish purchasers from each other, to record the details of the purchase and payment, to enforce the possible claims |
| purchase identification number | performance of the contract (A) | to identify the purchaser and the certain purchase; in the case of online payment, the protection of the Client’s personal data |

Source of personal data:

The Sole Proprietor shall record the above listed personal data through his website in an automated way.

 

Recipients of personal data and the categories of recipients:

The Sole Proprietor shall not transfer to any recipients the personal data processed for the purpose defined in the present Section.

 

II.      Payment of the purchase price of the product by PayPal or credit card

 

The products shall be purchased from the Sole Proprietor’s online store via online payment by PayPal payment method or by credit card.

 

In the case of online payment by PayPal or credit card, the Sole Proprietor shall transfer the following data to the payment service provider (Stripe [www.stripe.com]) who is completing the transaction:

  • time of purchase;
  • purchaser’s e-mail address;
  • name and unit price of the products purchased;
  • purchase identification number.

 

III.      Data processing in connection with the issuance of invoice and with holding invoices

 

The Sole Proprietor shall issue invoices on the purchases in accordance with the provisions of the relevant legislative rules and shall process the following data in connection with the issuance of such invoices:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| last name, first name | compliance with a legal obligation (D) | to issue and hold invoices in compliance with the relevant legislative rules |
| billing address [country name, county, town, postal code, street, floor, door, doorbell] | compliance with a legal obligation (D) | to issue and hold invoices in compliance with the relevant legislative rules |

 

In the case where the Client shall not provide the Sole Proprietor with the personal data listed above in the present Subsection 1.3.4.III., the Client will not be allowed to place an order.

 

Source of personal data:

The Sole Proprietor shall collect the data listed above in the present Subsection, directly from the Client.

 

Recipients of personal data and the categories of recipients:

After the invoice on the purchase of product is issued, the invoices containing personal data (last name, first name, billing address) shall be transferred to the Sole Proprietor’s accountant.

 

IV.      Data processing in connection with the delivery of products

 

The Sole Proprietor shall deliver the products to the Client through the DPDgroup, DHL or Hermes, and the Sole Proprietor shall process the following data in connection with such delivery:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| last name, first name | performance of the contract (A) | to identify the Client in the course of delivery |
| delivery address [country name, county, town, postal code, street, floor, door, doorbell] | performance of the contract (A) | to deliver the product to the address given by the Client |
| phone number | performance of the contract (A) | to complete the order; to deliver the products; to agree upon the date of delivery with the Client; to notify the Client of a possible delay in delivery |
| e-mail address | performance of the contract (A) | to inform the Client on the details of the delivery; to negotiate with the Client |
| other data | performance of the contract (A) | the other data which is given by the Client in order to complete the delivery successfully (e.g. the doorbell number) |

 

Source of personal data:

The Sole Proprietor shall collect the data listed above in the present Subsection, directly from the Client.

 

Recipients of personal data and the categories of recipients:

The Sole Proprietor shall transfer the delivery related personal data to the DPDgroup, DHL or Hermes as follows:

  • data transferred in any case: last name, first name, delivery address (and other data which is given by the Client in order to complete the delivery successfully), phone number, e-mail address, package number;

 

1.3.5 DATA PROCESSING REGARDING DIRECT MARKETING ACTIVITIES

 

In the event of purchase through the online store, the Client may give his/her consent, by putting a tick sign into the checkbox, to the processing of his/her personal data by the Sole Proprietor for marketing purposes in the course of the Sole Proprietor’s direct marketing activities, in accordance with the following:

 

| category of data processed | legal basis of data processing | purposes of data processing |
|---|---|---|
| last name, first name | data subject’s consent (B) | to identify and address the Client in the course of direct marketing activity |
| e-mail address | data subject’s consent (B) | recommend products to the Client in the course of direct marketing activity |

 

Source of personal data:

The Sole Proprietor shall collect the data listed above in the present Subsection, directly from the Client when the Client fills in the corresponding boxes displayed on the website.

 

Recipients of personal data and the categories of recipients:

The Sole Proprietor shall not transfer to any recipients the personal data defined in the present Section.

 

The Sole Proprietor hereby informs the person who gave his/her consent to the processing of data, by putting a tick sign into the checkbox, that, on the basis of Section (3) of Article 7 of GDPR, he/she shall have the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

When the Client is giving his/her consent, the Sole Proprietor shall inform the Client that where the personal data are processed for direct marketing purposes, the Client shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

1.3.6 DATA PROCESSING IN CONNECTION WITH PROFILING

 

The Sole Proprietor hereby informs the Client that the Sole Proprietor shall carry out profiling in order to provide the Clients with information about the Sole Proprietor’s services and products which is of interest to the Client.

 

Logic of profiling:

 

Exclusively those Clients are concerned with profiling who purchased products from the online store at least one time, as well as those who send a message to the Sole Proprietor which message contains information relating to the Clients’ interest (e.g. the Client is interested in a certain type of product).

 

On the basis of the data given by the Client, the Sole Proprietor shall draw up a list of Client’s interests, in which list the following data may be included:

  • in which period of the given year was the interest communicated by the Sole Proprietor;
  • products and product groups preferred by the Client;
  • the features of those products which were ordered and put into the shopping cart but were not purchased finally;
  • interest in discount;
  • Client’s price sensitivity;
  • type and price category of the products purchased;
  • date of former purchases;
  • interest in services;
  • purchasers’ complaints regarding the products and services.

 

Consequently, the Sole Proprietor shall analyze the data included in the list of Client’s interest and shall create the Client’s profile on the basis of the Client’s purchasing habits.

 

These Client profiles shall be put on a so-called remarketing list, which profiles shall be used for the purpose of sending personalized newsletters and advertisements to the certain Client via e-mail (exclusively if the Client consented to receive newsletters). The purpose of profiling is also to improve the Sole Proprietor’s services.

 

When the Client is giving his/her consent, the Sole Proprietor shall inform the Client that where the personal data are processed for direct marketing purposes, the Client shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

1.4    RETENTION PERIOD FOR PERSONAL DATA

 

On the basis of the principle of storage limitation, the Sole Proprietor shall process the Client’s personal data for no longer than is necessary for the purposes for which the personal data are processed, in accordance with the following:

 

| Legal basis of data processing | Retention period |
|---|---|
| compliance with a legal obligation | period defined in legislative rules |
| performance of a contract | until there is a legal possibility to enforce a claim in connection with the contract which has been completed |
| to pursue the Sole Proprietor’s or a third party’s legitimate interest | until the legitimate interest exists |
| to protect a natural person’s vital interests | the period which is necessary to protect the vital interest |
| data processing on the basis of the Client’s consent | the period which is necessary for the purposes of data processing but at the latest until the date on which the data subject withdraws his/her consent (if there is no other legal basis remaining on the basis of which the Sole Proprietor could process such data of the Client) |

 

Further details of the periods for which I retain data are available on request.

 

1.5    INFORMATION ON THE TRANSFERRING DATA TO RECIPIENTS LOCATED IN THIRD COUNTRIES

 

The Sole Proprietor shall not transfer the Client’s data to recipients who are located in third countries.

 

1.6    CLIENTS’ RIGHTS RELATING TO DATA PROCESSING, ACCORDING TO THE GDPR

 

You have several rights under the data privacy legislation. This includes, under certain circumstances, the right to:

 

  • request access to your personal data;
  • request correction of your personal data;
  • request erasure of your personal data;
  • request restriction of processing of your personal data;
  • request the transfer of your personal data;
  • object to processing of your personal data;
  • request human intervention for automated decision making.

 

Brief details of each of these rights are set out below. If you wish to exercise any of these rights, please email the Sole Proprietor at orders@gergeierdei.com.

 

1.6.1   Request access to your personal data

 

You have the right to obtain a copy of the personal data the Sole Proprietor holds about you and certain information relating to the Sole Proprietor’s processing of your personal data.

 

1.6.2   Request correction of your personal data

 

You are entitled to have your personal data corrected if it is inaccurate or incomplete. You can update your personal data at any time by emailing the Sole Proprietor at orders@gergeierdei.com.

 

1.6.3   Request erasure of your personal data

 

This enables you to request that the Sole Proprietor delete your personal data, where there is no good reason for the Sole Proprietor continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

 

1.6.4   Request restriction of processing of your personal data

 

You have a right to ask the Sole Proprietor to suspend the processing of your personal data in certain scenarios, for example if you want the Sole Proprietor to establish the accuracy of the data, or you have objected to the use of your data but the Sole Proprietor needs to verify whether the Sole Proprietor has overriding legitimate grounds to use it. Where processing is restricted, the Sole Proprietor is allowed to retain sufficient information about you to ensure that the restriction is respected in future.

 

1.6.5   Request the transfer of your personal data

 

You have the right to obtain a digital copy of your personal data or request the transfer of your personal data to another company. Please note though that this right only applies to automated data which you initially provided consent for the Sole Proprietor to use or where the Sole Proprietor used the data to perform a contract with you.

 

1.6.6   Object to processing of your personal data

 

You have the right to object to the processing of your personal data where the Sole Proprietor believes that the Sole Proprietor has a legitimate interest in processing it (as explained above). You also have the right to object to the Sole Proprietor’s processing of your personal data for direct marketing purposes. In some cases, the Sole Proprietor may demonstrate that the Sole Proprietor has compelling legitimate grounds to process your data which override your rights and freedoms.

 

1.6.7   Request human intervention for automated decision making and profiling

 

You have the right to request human intervention where the Sole Proprietor is carrying out automated decision making when processing your personal data. This form of processing is permitted where it is necessary as part of the Sole Proprietor’s contract with you, providing that appropriate safeguards are in place or your explicit consent has been obtained.

 

The Sole Proprietor will try to respond to all legitimate requests within one month. Occasionally, it may take longer than a month if your request is particularly complex or you have made a number of requests. In this case, the Sole Proprietor will notify you and keep you updated. The Sole Proprietor may need to request specific information from you to help the Sole Proprietor confirm your identity and ensure your right to exercise any of the above rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

 

1.6.8   Right to lodge a complaint

 

If you have any concerns or complaints regarding the way in which the Sole Proprietor processes your data, please email us directly at orders@gergeierdei.com. You also have the right to make a complaint to the ICO (the data protection regulator in the UK). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance.

 

1.7    CHANGES TO THIS PRIVACY POLICY

 

From time to time the Sole Proprietor may change this privacy policy. If there are any significant changes the Sole Proprietor will post updates on his website, applications or let you know by email.

 

1.8    HOW TO CONTACT THE SOLE PROPRIETOR

 

The Sole Proprietor welcomes feedback and is happy to answer any questions you may have about your data.

 

Please send any questions, comments or requests for more information to Gergei Erdei, who can be contacted at orders@gergeierdei.com.

 

8 Athelstane Grove, E3 5JG London, United Kingdom

phone number: +44 7761 811 500

unique taxpayer reference: 4220596279

 

 

 

 

ANNEX NO. 1 TO THE PRIVACY POLICY

 

 

  1. DEFINITIONS USED IN THIS PRIVACY POLICY:

 

  1. processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

 

  1. processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

  1. controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

 

  1. personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

 

  1. pseudonymization: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

 

  1. recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

 

  1. consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

 

  1. personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

 

  2. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

 

  1. Personal data shall be:

 

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

 

  1. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

 

  1. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

 

  1. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

 

  1. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

 

  1. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).