RIAVITA PHARMA Kft. as operator of www.riavita.com webpage and data controller (seat: 1053 Budapest, Ferenciek tere 5. 2. em. 9/c., company registry number: 01-09-392982, email: info@riavita.com, telephone: +36(70) 547-5096, hereinafter: Controller) informs the data subjects using www.riavita.com webpage via this privacy notice about the personal data processed, its data processing-related practices, measures taken for protecting personal data and the rights of the data subjects, thereby fulfilling the requirements of Regulation (EU) 2016/679 of the European Parliament And of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation, GDPR) and Act CXII of 2011 on the Right to Informational Self-determination and on the Freedom of Information (hereinafter: Info Act) which stipulate obligation on providing prior information regarding the data processing.
Based on GDPR and Info Act, the terms used in this privacy notice are the following:
Data controller
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Data Subject
means an identified or identifiable natural person based on any information;
Personal data
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Consent of the data subject
means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
According to data protection laws, the personal data of the data subject may only be processed for a specific, unambiguous, and lawful purpose, in order to exercise a right and fulfill an obligation. Only such personal data of the data subject may be processed, which is essential for the realization of the purpose of data processing and is suitable for achieving the purpose. The personal data of the data subject may be processed only to the extent to achieve the purpose and for the time necessary.
The Controller acts in accordance with the data security requirements.
Categories of the personal data processed, purpose, legal basis and period of the data processing
We hereby summarize the details of the data processing activities of the Controller in regard to the webshop on riavita.com webpage:
Purpose of Processing
Creating and maintaining a registered account on the riavita.com webpage for customers.
The personal data processed
To register the account, the following personal data of the data subjects are processed:
- Name,
- E-mail address,
- Telephone number,
- Delivery and billing address.
Contrary to the above, in the case of creating a wholesaler account, the following personal data of the data subjects are processed to register the account:
- Name,
- E-mail address,
- Telephone number,
- City,
- Where the data subject heard about us,
- Why he/she wants to register as a wholesaler,
- Foreseeable annual amount of order,
- Distribution network.
The data of the orders made are recorded in the registered account.
Legal basis of the processing
Consent of the data subject (Article 6 (1)(a) of the GDPR).
Persons authorized to access the personal data
Those authorized employees and trustees of the Controller who participate in the operation of the webshop of the Controller and arrangement of the orders, to such an extent that is materially necessary to the accomplishment of the managed task.
Recipients of the personal data
The personal data are not transmitted to third parties.
Period of the data processing
The personal data are stored until the deletion of the account.
Possible consequences of failure to provide the personal data
The fulfilling of the registration form constitutes a condition of the registration on the website.
Purpose of Processing
Orders can be placed in the webshop on riavita.com webpage with or without registration. The purpose of data processing is to conclude a contract and execute, and arrange the order.
The personal data processed
For the purpose of order, the following personal data of the data subjects are processed:
- Name,
- E-mail address,
- Delivery address (if differs from billing address),
- Telephone number,
- Payment method and payment data,
- Name and quantity of products ordered.
Legal basis of the processing
Performance of the contract, or if the Controller does not confirm the order as the offer of the data subject, taking steps at the request of the data subject prior to entering into a contract (Article 6 (1)(b) of the GDPR).
Besides, in case of an order (purchase) from our webshop, based on the relevant laws, the Controller shall confirm the receipt of the order electronically; in this regard, the legal basis for processing your email address is compliance with the legal obligation of the Controller (Article 6 (1)(c) of the GDPR).
Persons authorized to access the personal data
Those authorized employees and trustees of the Controller who participate in the operation of the webshop of the Controller and arrangement of the orders, to such an extent that is materially necessary to the accomplishment of the managed task.
Recipients of the personal data
The Controller arranges the delivery of orders via the service of Magyar Posta Zrt., therefore the name and the delivery address of the data subject are transmitted to Magyar Posta Zrt.
Period of the data processing
The Controller stores the data related to the order for 5 years from placing the order.
Possible consequences of failure to provide the personal data
The fulfilling of the order form constitutes a condition of placing an order on the website.
Purpose of Processing
Handling complaints related to riavita.com webpage, orders from the web shop or the products.
The personal data processed
To handle complaints, the following personal data of the data subjects are processed:
- Name,
- Details of order and products concerned,
- The complaint, and any information provided or arising in connection with it which qualifies as personal data.
Legal basis of the processing
Compliance with the legal obligation of the Controller (Article 6 (1)(c) of the GDPR).
Persons authorized to access the personal data
Those authorized employees and trustees of the Controller who participate in the operation of the webshop of the Controller and handling of complaints, to such an extent that is materially necessary to the accomplishment of the managed task.
Recipients of the personal data
The personal data are not transmitted to third parties, except for the legal advisor of the Controller (if applicable).
Period of the data processing
The Controller is obliged to store the record made of the complaint and the copy of the answer for 3 years, and to present the same to the authorities for request.
In case of a legal dispute, the data of the complaint are stored until the final and binding closure of the legal dispute.
Purpose of Processing
Answering client requests related to the riavita.com webpage, orders from the webshop, or the products.
The personal data processed
To answer client requests, the following personal data of the data subjects are processed:
- Any information provided in or arising in connection with the request qualifies as personal data.
Legal basis of the processing
In case of placed order performance of a contract, or before confirming the order by the Controller taking steps at the request of the data subject prior to entering into a contract (Article 6 (1)(b) of the GDPR), while before placing the order consent of the data subject which is expressed by contacting the Controller (Article 6 (1)(a) of the GDPR).
Persons authorized to access the personal data
Those authorized employees and trustees of the Controller who participate in the operation of the webshop of the Controller and answer requests, to such an extent that is materially necessary to the accomplishment of the managed task.
Recipients of the personal data
The personal data are not transmitted to third parties.
Period of the data processing
The Controller stores the personal data related to the requests for 6 months after they were answered.
Purpose of Processing
Invoicing related to the orders placed in the webshop.
The personal data processed
For invoicing, the following personal data of the data subjects are processed:
- First and last name, and also company name if applicable,
- Billing address,
- Other information in the invoice (e.g. Products and their price, total amount of the invoice).
Legal basis of the processing
Compliance with the legal obligation of the Controller (Article 6 (1)(c) of the GDPR).
Persons authorized to access the personal data
Az Adatkezelő webshopjának üzemeltetésében és a számlázásban résztvevő, erre feljogosított munkatársai és megbízottjai olyan mértékben, amely az ellátott feladat teljesítéséhez elengedhetetlenül szükséges.
Recipients of the personal data
The personal data are not transmitted to third parties, except for the tax authority.
Period of the data processing
Invoices and other documents serving as a basis for an accounting directly or indirectly are stored for 8 years in accordance with Act C of 2000 on accounting.
Possible consequences of failure to provide the personal data
The fulfilling of the order form (including invoicing data) constitutes a condition of placing an order on the website.
Purpose of Processing
Sending marketing messages regarding the products and services offered by the Controller.
The personal data processed
To send newsletters, the following personal data of the data subjects are processed:
- Name,
- E-mail address.
Legal basis of the processing
Consent of the data subject (Article 6 (1)(a) of the GDPR).
Persons authorized to access the personal data
Those authorized employees and trustees of the Controller who participate in the operation of the webshop of the Controller and sending the newsletter, to such an extent that is materially necessary to the accomplishment of the managed task.
Recipients of the personal data
The personal data are not transmitted to third parties.
Period of the data processing
The Controller processes and stores the personal data related to sending newsletters until the data subject withdraws his/her consent.
A riavita.com weboldal számára a SiteGround Spain S.L. (székhelye: Calle de Prim 19. 28001 Madrid, Spanyolország, e-mail címe: sales@siteground.com) nyújt tárhelyszolgáltatást, amely e körben az Adatkezelő adatfeldolgozójaként jár el.
Az Adatkezelő fenntartja a jogot, hogy a jelen adatkezelési tájékoztatót egyoldalúan módosítsa. Az Adatkezelő a jelen adatkezelési tájékoztató hatályos változatát a riavita.com weboldalon teszi közzé.
Az Adatkezelő minden szükséges biztonsági lépést, szervezési és technikai intézkedést megtesz az általa kezelt személyes adatok legmagasabb szintű biztonsága, illetve azok jogosulatlan megváltoztatásának, megsemmisítésének és felhasználásának megakadályozása érdekében.
1. Summary of your rights (the detailed description of the rights is set forth in the next point):
- right to transparent information – you may require information about the processing of your personal data at any time;;
- right of access to your personal data – you may have access to your personal data processed by us and to the details of the processing at any time;;
- right to rectification of your personal data – if we process your personal data inaccurately, please, let us know and we will rectify them;;
- right to erasure (“right to be forgotten”) and right to restriction of the data processing – in certain cases, you are entitled to require us to erase your personal data processed, or to store them only without any other processing activity;
- right to data portability (only regarding data processed based on consent or contract, if the processing is carried out by automated means) – if you need them, we provide you, in electronic format, with your personal data which you have provided to us;
- right to object – you may object to the processing of your personal data which is based on legitimate interest at any time;
- right to remedy – in case your rights are infringed you may turn to the data protection officer or seek remedy at the Hungarian National Authority for Data Protection and Freedom of Information or the courts..
Who can you turn to if you would apply for remedy or if you have questions regarding the data processing?
You can turn to the Controller with questions, or requests anytime via its contact details set forth above.
With filing a complaint to the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian Nemzeti Adatvédelmi és Információszabadság Hatóság, seat: HU-1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf.: 9., e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu, telephone number: +36-1-391-1400).
You may launch a lawsuit for the protection of your personal data against the Controller as respondent at the regional courts competent, at your discretion, based on the seat of the Controller or your residence, which proceeds with priority in the case. The Budapest-Capital Regional Court (in Hungarian Fővárosi Törvényszék) has competence for the lawsuit based on the seat of the Controller.
2. Detailed description of the rights and remedial opportunities of the data subjects concerning the data processing
Being aware of the rights and remedial opportunities of the person affected by the data processing (hereinafter: data subject) is important since the Controller processes personal data.
Any information shall be qualified as personal data based on which the data subject can be identified. Accordingly, not only the name or the ID number of the data subject is personal data but any information relating to him/her. (Definition in Article 4 (1) of the GDPR) any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.)
According to the provisions of Chapter III (‘Rights of the data subject’) of the GDPR the data subjects shall have the following rights:
- Right to information (Articles 12-14 of the GDPR)
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. The Controller fulfills its obligation on providing information regarding the data processing set out here through the present document.
Right to withdraw the consent: if the data processing is based on the consent of the data subject (i.e. on Article 6 (1)(a) or Article 9 (2)(a) of the GDPR), the data subject shall have the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. - Right of access by the data subject (Article 15 of the GDPR)
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and the following information:
– the purposes of the data processing;
– the categories of personal data concerned;
– the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
– the envisaged period for which the personal data will be stored;
– the existence of the right to request from the Controller rectification or erasure of personal data, restriction of data processing, or to object to the data processing;
– the right to lodge a complaint with a supervisory authority;
– where the personal data are not collected from the data subject, any available information as to their source;
– the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.If personal data are transferred to a third country or an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
The Controller shall provide a copy of the personal data undergoing the data processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. The Controller provides the information in electronic form if the data subject requires so.
The right to information may be exercised in writing (including the electronic format) through the above contact details of the Controller, and it may be fulfilled after the identity of the data subject is verified authentically.
- Right to rectification of the data subject’s data (Article 16 of the GDPR)
The data subject shall have the right to obtain from the Controller the rectification of inaccurate personal data concerning him/her as well as to have incomplete personal data completed, which the Controller has to perform without undue delay. - Right to erasure – “right to be forgotten” (Article 17 of the GDPR)
The data subject shall have the right, should any of the following grounds exist, to obtain from the Controller the erasure of personal data concerning him/her without undue delay:
– the personal data are no longer necessary concerning the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
– the data subject objects to the processing and there are no overriding legitimate grounds for the processing (if applicable);
– the personal data have been unlawfully processed;
– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
– personal data have been collected concerning the offer of information society services.The above rule on the erasure of the data shall not apply to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation that requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or the exercise of official authority vested in the Controller;
– for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
– for the establishment, exercise, or defense of legal claims. - Right to restriction of processing (Article 18 of the GDPR)
The data subject shall have the right to obtain from the Controller restriction of the data processing if one of the following conditions applies:
– the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the Controller no longer needs the personal data for the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or
– the data subject has objected to the data processing, in which case the restriction is applicable for the period until it is verified whether the legitimate grounds of the Controller override those of the data subjectIf the data processing has been restricted, such personal data shall, except for storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or reasons of important public interest of the Union or a Member State.
A data subject who has obtained restrictions of the data processing shall be informed by the Controller before the restriction of processing is lifted.
- Notification obligation regarding rectification or erasure of personal data or restriction of the data processing (Article 19 of the GDPR)
The Controller shall communicate any rectification or erasure of the personal data or restriction of the data processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it. - Right to data portability (Article 20 of the GDPR)
The data subject shall have the right to receive the personal data concerning him/her, which he/she has provided to a Controller, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller, if
– the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
– the processing is carried out by automated means.In exercising his/her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of this right shall be without prejudice to the right to be forgotten. This right shall not adversely affect the rights and freedoms of others.
- Right to object (Article 21 of the GDPR)
The data subject shall have the right to object, on grounds relating to his/her particular situation, at any time to the processing of personal data concerning him/her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or which is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.If the personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of the personal data concerning him/her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- Right of the data subject in case of automated individual decision-making (Article 22 of the GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.The above right shall not apply if the decision:
– is necessary for entering into, or performance of, a contract between the data subject and the Controller;
– is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
– is based on the data subject’s explicit consent.
Proceeding of the Controller in case of the data subject exercises his/her rights:
The Controller shall provide information to the data subject on the action taken on a request under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months if necessary, taking into account the complexity and number of the requests.
The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month as of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information provided and any communication and any actions taken shall be provided free of charge. If the requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.
The Controller shall communicate any rectification or erasure of the personal data or restriction of the data processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.
The Controller shall provide a copy of the personal data undergoing the data processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Possibility of remedy regarding the data processing:
You can turn to the Controller with questions, or requests anytime via its contact details set forth above.
You may file a complaint to the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian Nemzeti Adatvédelmi és Információszabadság Hatóság, seat: HU-1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf.: 9., e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu, telephone number: +36-1-391-1400).
You may launch a lawsuit for the protection of your personal data against the Controller as respondent at the regional courts competent, at your discretion, based on the seat of the Controller or your residence, which proceeds with priority in the case. The Budapest-Capital Regional Court (in Hungarian Fővárosi Törvényszék) has competence for the lawsuit based on the seat of the Controller.
The data controller uses so-called cookies on the website, the legal basis of which is your consent. A cookie is a package of information that a website sends to your browser in order to save certain settings, facilitate the use of our website and contribute to the collection of statistical information (Cookie policy >)