Free delivery within Hungary above HUF 30 000 (except MPL)

Meet the Aromazen products to bring body and soul in harmony!

Products
Featured
New
Bestseller
Sale
Vegan products
With hialuron
Facial care
Nurturing cream
Hydrating cream
Serum
Eyecare
Mask
Facial oil
Face mist
Face wash
Lipcare
Face scrub
For men
Face care bundles
Body care
Body lotion
Body oil
Soap
Body care bundles
Sun protection products
Traveller
Gifts
Gift sets
Gift cards
For men
More products
My Spirit
My Angel
Tea
Card
Jewellery
Accessories
Mini product
Gift wrapping
Product family
Rose de Luxe
Hungarian Spring
Aromazen
Shine
Traveller
Sunsol
Hungarian Bath
Madeleine
Pour Homme
My Angel
Creative cosmetics (for beauticians)
Mineralique
Lavender (for beauticians)
Beauty Inside
My Spirit
Skin type
Normal
Sensitive
Combined
Mature
Oily
Problematic
All skin types
Acne
Dry
Dehydrated
Rosacea
Inflamed
Allergic
Cuperosa
Demanding
About us
Store
Loyalty Club
Partners
Education

Privacy policy

1. Purpose and scope of the Privacy Policy and applicable law

The purpose of this Privacy Policy is to set out the data protection and data processing principles applied by ADRIENNE FELLER Cosmetics Zártkörűen Működő Részvénytársaság (hereinafter referred to as the "Company" or the "Controller") and the Company's data protection and data processing policy, which the Company, as the Controller, acknowledges as binding.

In drafting the provisions of the Policy, the Company has taken into account the provisions of Regulation 2016/679 of the European Parliament and the Council ("General Data Protection Regulation" or “GDPR”), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Information Act”), Act V of 2013 on the Civil Code (“Civil Code”), and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (“Act on Commercial Advertising”).

The scope of this Policy covers the data processing activities related to the website available at www.panarom.hu or www.adriennefellerwebshop.hu (the website subject to the User's activity hereinafter referred to as the “Website”). The Website is governed by the terms of this Policy.

For other services, this Policy should be read in conjunction with the data processing rules relating to the services used.

The data processing rules set out in the Student Statement shall apply to the data processing of courses covered by Act LXXVII of 2013 on Adult Education.

Unless otherwise stated, the scope of this Policy does not cover services and data processing related to the promotions, prize draws, services, other campaigns, and content published by third parties who advertise or otherwise appear on the Website. Unless otherwise stated, the scope of this Policy does not cover the services and data processing of websites and service providers to which the Website contains any links. The scope of this Policy does not cover the processing of data by persons (organisations, companies) whose information, newsletters, and advertising mailings the User has received from the Website. Such services are governed by the provisions of the third party service provider's privacy policy, and the Controller does not assume any responsibility for such processing.

Definitions

Processing shall mean any operation or the totality of operations performed on personal data, irrespective of the procedure applied; in particular, collecting, recording, organising, classifying, storing, modifying, changing, using, querying, viewing, disclosing, transferring, disseminating or making accessible by other means, synchronising or connecting (including profiling), blocking, deleting and erasing such data.

Controller shall mean the person, as defined in point 3, who, independently or jointly with others, determines the purposes and means of the processing.

Personal Data or Information shall mean any data or information that allows a natural person User to be identified, directly or indirectly.

Processor shall mean a service provider who processes personal data on behalf of any Controller.

User shall mean the natural person who registers on the Website as a Customer or Professional Customer and, in doing so, provides their data specified in points 8 and 9 of this Policy.

External Service Provider shall mean any third party service partner engaged by the Controller or the Website Operator, either directly or indirectly, in connection with the provision of certain services, to whom Personal Data are or may be transferred or who may transfer Personal Data to the Controller in order to provide their services. External Service Providers are also those service providers who are not in cooperation with the Controller or the service providers, but by accessing the Website, the collect data about Users that may be used to identify the User, either independently or in combination with other data. Furthermore, in providing the hosting service, the Controller also considers the User as an External Service Provider for the purposes of the data processing activities carried out on the hosting space used by the User.

Newsletter shall mean electronic mail in which the Controller sends advertisements and offers (electronic direct mail, EDM) to Users by directly contacting them.

Policy shall mean the Controller’s present Privacy Policy.

Identity and processing activities of the Controller

3.1. Controller:

Name: ADRIENNE FELLER Cosmetics Zártkörűen Működő Részvénytársaság (also referred to as “ADRIENNE FELLER”)

Registered office: H-5126 Jászfényszaru, Albert Einstein út 3.

Phone number: +36-1-336-0466

Email: info@adriennefeller.com

Data Protection Officer: Sára Palcsó

Position of the Data Protection Officer: CEO

3.2. The Controller is a company registered in Hungary.

3.3. The Controller operates the Website, which was created for the purpose of purchasing ADRIENNE FELLER and Panarom products on the Internet. Some products are available only to professional customers, while others are available to all registered customers.

3.4. The Controller is a business company also entitled to perform advertising marketing and organisational tasks. The Users of the Website operated by the Controller may, upon registration or without it, consent, either on the Website's interface or through other electronic channels provided by the Controller, to the Controller sending them EDM pursuant to Section 6 (1) of the Act on Commercial Advertising, thus allowing and targeting the display of the Controller's advertisements on EDM interfaces.

3.5. By accepting this Policy, the User agrees to receive system messages from time to time regarding the operation of the Website. These system messages may contain information related to the operation of the system, advice, and information related to system errors, malfunctions, and troubleshooting.

3.6. The User accepts that in the case of application for training courses covered by Act LXXVII of 2013 on Adult Education, data processing is based on a legal obligation, and therefore the withdrawal of consent to data processing during the period of statutory authorisation does not entail the termination of data processing.

Principles and methods of processing and applicable law

4.1. The Controller shall act in good faith, in accordance with the requirements of fairness and transparency, in cooperation with Users in the course of Processing. The Controller processes only the data specified by law or provided by Users for the purposes set out below. The scope of the Personal Data processed shall be proportionate to the purpose of the processing and shall not go beyond that purpose.

4.2. In any case where the Controller intends to use the Personal Data for a purpose other than the one for which it was originally obtained, the Controller shall inform the User and obtain his or her prior explicit consent or provide the User with the possibility to prohibit such use.

4.3. The Controller does not verify the Personal Data provided to it. The person providing the Personal Data is solely responsible for the accuracy and veracity of the Personal Data provided.

4.4. The Personal Data of a person under the age of 16 may be processed only with the consent of the person who has parental authority. As the Controller is not able to verify the eligibility of the person giving consent or the content of his or her statement, the User or the person exercising parental authority shall warrant that the consent complies with the law and the provisions of this Policy. In the absence of a consent form, the Controller does not collect Personal Data relating to a data subject under the age of 16.

4.5. The Controller does not transfer the Personal Data it processes to third parties other than the Processors specified in this Policy and, in certain cases referred to in this Policy, to External Service Providers.

An exception to the provisions of this section is the use of data in aggregate statistical form, which may not contain any other form of data that can identify the User concerned, and therefore does not constitute either Data Processing or Data Transfer.

The Controller may, in certain cases, make available to third parties the available Personal Data of the User concerned, in response to a judicial or police request, legal proceedings, or due to a reasonable suspicion of infringement of copyright, property rights or other rights, or due to a threat to the interests of the Controller, or to the provision of the service, etc. Unless prohibited by law or a decision passed by a public authority, the Controller shall notify the data subject of the transfer of his or her data.

The Processors of the Controller listed in this Privacy Policy and the External Service Providers shall record, process, and handle the Personal Data transferred to them by the Controller and processed by them in accordance with the applicable legal provisions, and they shall provide a statement thereof to the Controller.

4.6. The IT systems of the Controller may collect data on the activity of Users, which cannot be linked to the Personal Data provided by Users at the time of registration or to data generated by the use of other websites or services.

By contrast, if the User consents to the Controller sending or publishing marketing offers (EDM, customised banners, displays), the User accepts that the data collected on the User's activity within the framework of this service and solely for the purpose of providing the service will be combined with other Personal Data provided by the User at the time of registration.

4.7. The Controller shall notify the User concerned and all those to whom the Personal Data was previously transmitted for the purpose of Processing of the rectification, restriction, or erasure of the Personal Data processed by the Controller. The notification may be omitted if this does not harm the legitimate interests of the User, having regard to the purpose of the processing.

4.8. In view of the relevant legal provisions, the Controller is not obliged to appoint a Data Protection Officer.

4.9. The Controller shall process Personal Data in accordance with applicable law. The legislation governing the processing of data includes in particular:

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information;
Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities;
Regulation (EU) 2016/679 of the European Parliament and the Council;
Act CVIII of 2001 on Certain Aspects of Electronic Commerce Services and Information Society Services;
Section 169 of Act C of 2000 on Accounting (regarding the retention of documents).

Legal basis for processing

5.1. Taking into account the nature of the Controller's activities, the legal basis for the processing is the User's voluntary, explicit consent based on appropriate information (Section 5 (1) (a) of the Information Act, Article 6 (1) (a) of the GDPR), the conclusion of a contract and pre-contractual measures pursuant to Article 6 (1) (b) of the GDPR), and in the case of profiling, the appropriate information of the User in accordance with the provisions of the GDPR, and Article 6 (1) (f) of the GDPR. The Users voluntarily contact the Controller, register on the Website, and use the services of the Controller. In the absence of the Users' consent, the Controller will only process data if it is specifically authorised by law to do so.

5.2. In the case of Processing based on consent, the User has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

5.3. When the User accesses the Website, the Controller records the User's IP address in connection with the provision of the service, in the legitimate interest of the Controller and for the lawful provision of the service (e.g. to prevent unlawful use or to filter unlawful content), without the User's consent.

5.4. Transfers of Data to Processors as set out in this Policy may be made without the User's consent and the User consents to such transfers by accepting this Policy. Unless otherwise provided by law, the disclosure of Personal Data to third parties or public authorities is only possible on the basis of a final decision by a public authority or with the prior express consent of the User.

5.5. When providing any User's email address and the data provided during registration (e.g. user name, ID, password, etc.), the User undertakes to be liable for being the sole person who uses the email address provided and the data provided for the services, and their use does not constitute an infringement in any way. With regard to this commitment, any liability for accessing the website using such email address and/or the data provided shall be borne solely by the User who registered the email address and provided the data.

5.6. In certain cases, the legal basis for the processing is a legal provision. If the User pays a fee to the Controller, the Controller shall process the data contained in the accounting document issued by the Controller in accordance with the provisions of the Act on Accounting. In the case of applications for training courses covered by Act LXXVII of 2013 on Adult Education, data processing is based on a legal obligation.

5.7. The legal basis for the processing may be the substantial legitimate interests of the Controller, in which case, in accordance with the relevant legal provisions, the Controller has carried out and may continue to balance interests, which demonstrates that the processing is necessary for the purposes of the legitimate interests pursued by the Controller and that the rights and freedoms of the data subject which require the protection of Personal Data do not override those interests.

Purpose of data processing

The Controller shall process Personal Data only for specific purposes, the exercise of rights, and the performance of obligations. Processing shall comply with the purpose of the processing at all stages. Data shall be collected and processed fairly and lawfully. The Controller shall endeavour to process only Personal Data that is necessary for the purpose of the processing and is suitable for achieving that purpose. Personal Data may only be processed to the extent and for the duration necessary for the purposes for which it is collected.

The purposes of data processing are primarily the operation of the Website and the provision of the Controller's services.

Purpose of Processing:

Identifying the User, contacting the User;
The performance of the contract concluded during the purchase on the Website, the fulfilment of contractual obligations by the Controller;
Conclusion of banner and display advertising contracts, definition and modification of content, monitoring of performance;
Invoicing the fees for banner and display advertising;
Enforcing claims relating to banner and display advertising fees;
Organising and running prize draws and promotions, contacting the winners and providing them with their prizes;
Fulfilling the Controller’s obligations, exercising the rights of the Controller;
Preparation of analyses and statistics, development of services – for this purpose, the Controller uses only anonymised data and aggregated data that cannot be personally identified;
Market research: to assess Users' needs and buying habits;
Protecting the rights of Users;
Editing and sending newsletters to Users;
Mapping the User's needs to create a user profile based on the data held by the Controller in order to place customised advertisements;
Sending or placing personalised direct marketing offers and other marketing offers (e.g. EDM, customised banners, displays, advertisements) according to the User's profile and interests;
Satisfying the needs and interests of Users, finding advertiser discounts, offers, and potential advertisers;
Design and implementation of advertising campaigns: Editing EDMs (content and creative elements), preparing targeting and scheduling proposals;
Sending or placing personalised direct marketing offers and other marketing offers (e.g. EDM, customised banners, displays, advertisements) according to the User's profile and interests;
Analysing the data provided by the User when giving their consent to receive the newsletter in order to optimise the range of products and services offered, and for market research purposes;
operating a loyalty scheme and evaluating customer habits to better serve customer needs, providing more effective information to loyalty customers; recording and maintaining the points credited and used; provision of discounts at the time of invoicing, recording the conditions of the discount;
Collecting and invoicing advertising fees related to own advertising activities.

Source of the Personal Data processed

The Controller processes only the Personal Data provided by the Users in relation to its core business and does not collect data from other sources (except for the IP address and cookie as referred to in section 13).

In the case of training courses covered by Act LXXVII of 2013 on Adult Education, the educational identifier of the person concerned shall be provided to the Company by the body responsible for the operation of the educational register or, by comparing the natural personal identification data of the person participating in the training, the legally designated provider of the merging register shall provide data on the data specified in points a) and b) of Section 3 (1) of Act LXXXIX of 2018 on Educational Registers through the merging register.

The data is provided during the registration of the User or when subscribing to the Newsletter or joining the loyalty program. During registration, the User provides his/her name, email address, password, address, telephone number, and date of birth.

When subscribing to the newsletter, the User provides his/her name and email address.

Joining the loyalty programme is conditional on registration, so there is no need to provide any additional information other than the information provided at registration.

The User has the option to register with an existing profile on a social networking site (Facebook, LinkedIn). In this case, the User can select the social networking site the profile of which he/she wishes to register with and then provides the login name and password used on that social networking site. The Controller imports the data from the relevant social networking site. The User may register with a social networking site profile only if he/she consents to the processing by the Controller of the data contained in that profile.

If the User has given his/her consent to the sending of direct marketing offers by subscribing to the Newsletter, the Controller shall process the following Personal Data from the following sources, in addition to the above:

in relation to customer profiling: IP address and cookie identified during user registration and browsing,
browsing data from web data sources.

Scope of the data processed

The Controller processes only the personal data provided by Users in relation to its core business and its newsletter sending service. The data processed include the following:

last name, first name, email address, mobile phone number, delivery address (city, postal code, street, house number, floor, door), month and day of birth, qualifications (certificates), tax number and/or tax identification number – The purpose of processing is to identify the User, to contact the User, and to maintain contact with the User,
the User's password, which – together with the email address – is required for logging in;
in addition to the above, based on the User's choice, the Controller may process the User's address data in connection with the use of the Website and in connection with the billing of paid services,
IP address, cookie – in relation to the provision of the service, with regard to the legitimate interest of the Controller, and for the lawful provision of the service (as detailed in section 13);
payment details, if a purchase is made
In addition to the above, the Controller processes technical data, including IP addresses, as described in section 13.

In the case of a "purchase as a guest" as defined in section 9, the Controller processes the following data for the non-registered natural person customer: last name, first name, tax number (if any), email address, telephone number, and home address.

If the User has given his/her consent to be contacted for marketing purposes, the following data will be processed in addition to the above:

Data recorded by the User: sex, date of birth, home address, telephone number (if any), interest preferences;
in order to map the User's needs, the Controller also processes the following additional Personal Data: demographic data, interest information, habits, and preferences (based on browsing history);
the fact and date of consent to the marketing enquiry, the trends resulting from previous purchases, the method of transfer used; analytical data relating to the sending and delivery of messages (e.g. date and time of sending and opening, date and time of clicking on the link in the letter, reason for undeliverability);
Contact details: the communication channels used with the Controller and when, and which of the offers provided there have been viewed and used;
payment details
IP address, cookie – linking browsing data with the User's personal data in order to identify the User;
The purpose of the processing of Personal Data is to enable the Controller to provide the User with offers and other content that are as relevant as possible to the User's needs, preferences, and interests.

If the User has enrolled in the Loyalty Program, the following data will be processed in addition to the above:

Discount details: details of the products, amount payable, currency, discount amount, number of points credited, number of points used, number of points cancelled and returned, date and number of purchase, points balance and any details related to the redemption of points.

Description of the Data Processing process

9.1. The source of the Personal Data is the User who provides the data during registration or at some later time, when accessing the Website or subscribing to the Newsletter, or when signing up for the loyalty program. The Personal Data marked with an asterisk on the registration form is mandatory, unless explicitly stated otherwise.

9.2. The User shall provide the data independently, and the Controller shall not give any binding guidelines in this regard or impose any content requirements, and the User shall be fully responsible for the data provided. The User expressly consents to the processing of the data provided by him/her. In addition to the data requested by the Controller, the User is entitled to provide other data in his/her profile, the legal basis for the processing of the data in this case is also the voluntary consent of the User.

9.3. Where the purchase of products on the Website is made by the natural person concerned without having registered ("shopping as a guest"), the legal basis for the processing of the natural person's Personal Data is partly a legal provision and partly the fact that the Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. The Controller processes certain Personal Data of the natural person purchaser (in particular the email address and the telephone number) on the basis of the natural person purchaser's explicit, voluntary, and duly informed consent.

9.4. If the User registers for a promotion organised by the Controller (e.g. on Facebook) and provides the data requested there, the User accepts the separate privacy policy related to the promotion.

In this case, by providing the data, the User does not register on the Website, but consents to the processing of the data provided as specified in the promotion information.

9.5. By registering on the Website, the User, as a Customer or Professional Customer, consents to the storage, processing and use of the Personal Data provided during registration and purchase, by the Controller and by the Controller's business partners (e.g. courier service) commissioned by the Controller to perform specific activities related to the purchase, as data processors or External Service Providers, for the purpose of order fulfilment, providing information related to the training/course, and market research, direct marketing and/or advertising, in accordance with the applicable legal provisions.

Processing for advertising purposes, sending newsletters

The User has the possibility to subscribe to the Newsletter sent by the Controller. The User may declare his/her intention to subscribe by ticking the checkbox provided after having received the information on the Newsletter.

By subscribing to the Newsletter in the context of the retail loyalty programme, the User gives his/her consent to having the Controller send him/her the retail newsletters of the Websites.

If the User grants consents, the Controller will contact the User using the contact details provided and send the User an advertisement using the direct contact method. Advertisements can be sent following a Newsletter subscription. The sending of the Newsletter is always subject to the User's consent.

The User may withdraw this consent at any time without giving any reason.

Data processing related to prize draws

From time to time, the Controller organises prize draws to increase the number of registrations and to refresh (update) registrations. As participation in the prize draw is not subject to any wagering or purchasing requirements, the prize draw is not a licensed or notifiable prize draw.

The legal basis for Processing is the consent of the User. If the User applies or registers to participate in the prize draw, he/she provides his/her data and consents to their processing as set out in this Policy. Acceptance and provision of data constitutes consent. Participation in the prize draw may occur with the following methods:

With a new registration. In this case, the person who registers during the specified period will be entered in the prize draw.
By updating registration. In this case, the persons who log in, update their details, or enter new details during the specified period will be entered into the prize draw.

The purpose of the data processing is to organise and hold the prize draw, inform the winners, and deliver the prizes.

Following the prize draw, the Controller will process the User's data as set out in this Policy.

Loyalty programme

The data subjects are those registered Users who have enrolled in the retail loyalty programme.

The legal basis for the processing of data in the loyalty program is Article 6 (1) (b) of the GDPR (conclusion of the contract and pre-contractual measures) and the consent of the User (Article 6 (1) (a) of the GDPR).

Duration of processing: until the purpose of the processing has been achieved or until the loyalty programme participant expressly declares his/her wish to withdraw from the loyalty programme.

Product review

The product(s) purchased on the Website can be rated by the customer in text format and by awarding 1-5 stars. The product review will be displayed under the name provided by the User when submitting the review, which may be different from both the username and the real name.

The customer's review may be published on the Website, the Controller's advertising spaces, social media, and other communication platforms.

After the purchase, the Controller sends an email to the customer offering them the opportunity to review the product they have purchased.

The purpose of data processing is to promote shopping, analyse customer habits and measure customer satisfaction, monitor product sales and product popularity, and provide information on the quality of the products marketed.

Legal basis for processing: voluntary consent of the data subject pursuant to Article 6 (1) (a) of the GDPR.

The data processed: any name given by the User, rating with 1-5 stars and text

The Processor shall ensure that the product review is carried out in accordance with the Terms of Use and the Moderation Policy.

Technical data and cookie processing

The Controller's IT system automatically records the IP address of the User's computer, the starting time of the visit, and, in some cases, depending on the computer's settings, the type of browser and operating system. The data thus recorded cannot be linked to any other Personal Data, except for the case of User consents for marketing purposes and profiling. The data are processed for statistical purposes only. The User acknowledges that macros/cookies ("cookies"), including but not limited to browser cookies, tracking cookies, and computer cookies, are used on the Website operated by the Controller.

Cookies allow the Website to recognise previous visitors. Cookies help the Controller, as the Website Operator, to optimise the Website, to tailor the services of the Website to the User's habits. Cookies can also be used to

remember settings so that the User does not have to re-enter them when entering a new page,
remember previously entered data, so the User does not have to re-enter those,
analyse the use of the Website to ensure that the improvements made using the information obtained are in line with the User's expectations as much as possible, that the User can easily find the information he or she is looking for, and
monitor the effectiveness of the Controller's advertising.

If the Controller displays various content on the Website through external web services, this may result in the storage of some cookies that are not under the control of the Controller, and therefore it has no control over the data collected by these websites or external domains. Information about these cookies is provided in the policies related to the specific service.

The Controller uses cookies to serve advertisements to Users through Google and Facebook. Data processing is carried out without human intervention.

The User may set their web browser to accept all cookies, reject all cookies, or notify the User when a cookie is received. The options are usually found in the "Options" or "Preferences" menu of the browser. By disabling the use of cookies, the User acknowledges that without cookies the functionality of the Website is not fully functional.

The detailed information on the English version of the website www.aboutcookies.org also provides assistance with the settings in different browsers.

Data transfer

The Controller shall only transfer Personal Data to third parties if the User has given his/her clear consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is permitted by law.

The Controller is entitled and obliged to transfer to the competent authorities any Personal Data at its disposal and stored by it in accordance with the law, which it is obliged to transfer by law or by a final decision of a public authority. The Controller shall not be held liable for any such data transfers and the consequences thereof.

The Controller shall in all cases document the data transfers, keep records of the data transfers, and notify the User concerned thereof, unless such notification is prohibited by law or official decision.

Data Processing

The Controller is entitled to use a Processor for the performance of its activities. Processors do not take independent decisions, they are only entitled to act in accordance with the contract with the Controller and the instructions received from the Controller. The Controller shall monitor the work of Processors. Processors are entitled to use an additional processor only with the prior consent of the Controller.

The Controller shall identify the Processors used in this Policy.

Processors used by the Controller:

Development: Netgo.hu Kft. H-2100 Gödöllő, Dózsa György út 13. II em. /202-204.

Parcel delivery: GLS General Logistic System Hungary Kft. H-2351 Alsónémedi, GLS Európa utca 2.

Server operation: Netfort Bt. H-7900 Szigetvár, Deák Ferenc tér 16.

Newsletter: The Rocket Science Group LLC (MailChimp), Atlanta, GA 30308

IT system operation: Balázs Alföldy, sole entrepreneur

Supply of IT equipment: ITOM Computer Kft.

External Service Providers

In the operation of the Website and the provision of its services, the Controller uses External Service Providers, with which the Controller cooperates.

Personal Data processed in the systems of External Service Providers are governed by the External Service Providers' own privacy policies. The Controller shall use its best efforts to ensure that the External Service Provider processes the Personal Data transferred to it in accordance with the law and uses it only for the purposes specified by the User or set out in this Policy.

Data security, access to personal data

The Controller shall ensure the security of data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the applicable laws and the data protection and confidentiality rules. The Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, publication, erasure or destruction, accidental destruction or damage, and inaccessibility resulting from changes in the technology used.

The Controller shall keep records of the data processed by it in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting in the interests of the Controller (processors) who need to know the data in order to perform their job or task. The employees of the Controller shall carry out individual searches and individual operations on the data at the request of the User only, or if necessary for the provision of the service.

The Controller shall take into account the state of the art when defining and applying measures for data security. The Controller shall, from among several possible data processing solutions, choose the one that ensures a higher level of protection of personal data, unless this would involve a disproportionate effort.

The Controller shall ensure, in particular, in the context of its IT security responsibilities:

Measures to protect against unauthorised access, including the protection of software and hardware devices and physical protection (access protection, network protection);
Measures to ensure that data files can be recovered, including regular backups and the separate secure management of copies (mirroring, backup);
Protecting data against viruses (virus protection);
The physical protection of data files and the media on which they are stored, including protection against fire, water, lightning, and other natural hazards, and the recoverability of damage caused by such events (archiving, fire protection).

Employees and other persons acting on behalf of the Controller shall keep secure the data carriers they use or have in their possession, including personal data, regardless of the means of recording, and shall protect them against unauthorised access, alteration, disclosure, publication, erasure or destruction, accidental destruction, and damage.

The Controller shall operate the electronic register by means of an IT programme that meets the requirements of data security. The programme shall ensure that access to the data is limited to the persons who need it for the performance of their tasks, and only for the purpose for which it was collected and under controlled conditions.

Duration of Data Processing

The Controller shall delete personal data if

a) its processing is unlawful;

If it is found that the data is being processed unlawfully, the Controller will delete it without delay.

b) the User so requests (except for processing based on law);

The User may request the erasure of data processed on the basis of the User's voluntary consent. In this case, the Controller will delete the data. Erasure may be refused only if the processing of the data is authorised by law. The Controller shall in any case provide Policy of the refusal of the request for erasure and of the law allowing the processing.

the data is incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that erasure is not excluded by law;
the purpose of the processing has ceased or the statutory time limit for storing the data has expired;

Erasure may be refused (i) for the exercise of the right to freedom of expression and information, or (ii) where the processing of Personal Data is authorised by law; and (iii) where the processing is necessary for the establishment, exercise, or defence of legal claims.

The Controller shall inform the User of the refusal of a request for erasure, indicating the reasons for the refusal. Once a request for erasure of Personal Data has been complied with, the previous (erased) data may no longer be restored.

The newsletters sent by the Controller can be cancelled via the unsubscribe link in the user account or via a message sent to the adatkezeles@adriennefeller.com email address. When unsubscribing, the Controller will delete the User's Personal Data in the Newsletter database.

As the Controller provides a continuous service to the User, the relationship between the Parties is not time-limited. On this basis, unless the User requests otherwise, the Controller will process the data for as long as the relationship between the Controller and the User exists and for as long as the Controller is able to provide the User with services.

All other data will be deleted by the Controller if it is clear that the data will no longer be used, i.e. the purpose of the processing has ceased.

e) it is ordered by a court or the National Authority for Data Protection and Freedom of Information

If a court or the National Authority for Data Protection and Freedom of Information issues a final order for the erasure of the data, the Controller shall carry out the erasure.

Instead of erasure, the Controller shall, after informing the User, block the personal data if the User so requests or if the information available to the Controller suggests that deletion would harm the legitimate interests of the User. Personal Data blocked in this way may be processed only for as long as the processing purpose that precluded the erasure of the Personal Data persists. The Controller shall mark the Personal Data it processes if the User disputes its accuracy or correctness but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.

In the case of processing required by law, the erasure of data shall be governed by the law.

In the event of erasure, the Controller shall render the data unidentifiable. Where required by law, the Controller shall destroy the storage medium containing the Personal Data.

Rights of Users and their enforcement

18.1. The Controller shall inform the User about the processing of the data at the time of contacting the User. In addition, the User has the right to request information about the processing at any time.

Upon the User's request, the Controller shall provide information about the User's data processed by the Controller or by a Processor appointed by the Controller or under its instructions, the source of the data, the purpose, legal basis and duration of the data processing, the name and address of the Processor and its activities related to the data processing, the circumstances and effects of the data breach and the measures taken to remedy the data breach, and, in the event of the transfer of the User's personal data, the legal basis and the recipient of the data transfer. The Controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but not later than 25 days, upon the User's request. The information is free of charge if the person requesting the information has not yet submitted a request for information in the current year for the same set of data. In other cases, reimbursement of costs may be required. Reimbursement of costs already paid will be required if the data have been unlawfully processed or if the request for information has led to a correction.

18.2. The User may request that the Controller rectify any Personal Data incorrectly provided. In the event that the data to be corrected are regularly provided, the Controller shall, if necessary, inform the recipient of the data of the correction and shall draw the User's attention to the fact that the correction must be initiated with another controller as well.

18.3. The User may request the erasure of his/her Personal Data, except for processing required by law. The Controller will inform the User of the deletion.

18.4. The User may object to the processing of his/her personal data in accordance with the provisions of the Information Act.

18.5. The User may submit his/her request for information, rectification, or erasure in writing, by letter addressed to the registered office or place of business of the Controller, or by email to the Controller's adatkezeles@adriennefeller.com email address.

18.6. The User may request the Controller to restrict the processing of his/her Personal Data if the User contests the accuracy of the Personal Data processed. In this case the restriction is for a period enabling the Controller to verify the accuracy of the Personal Data. The Controller shall mark the Personal Data it processes if the User disputes its accuracy or correctness but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.

The User may also request the Controller to restrict the processing of his/her Personal Data if the User objects to the erasure of the Personal Data processed, and requests instead the restriction of the data processing.

The User may also request the restriction of the processing of his/her Personal Data by the Controller if the purpose of the processing has been achieved, but the User requires the processing of his/her Personal Data by the Controller for the establishment, exercise, or defence of legal claims.

18.7. The User may request that the Controller provide the Personal Data provided by the User and processed by the User in an automated way to the Controller in a structured, commonly used, machine-readable format, and/or transfer them to another data controller.

18.8. If the Controller does not comply with the User's request for rectification, blocking, or erasure, the Controller shall, within 25 days of receipt of the request, communicate in writing the reasons for refusing the request for rectification, blocking, or erasure. In case of rejection of a request for rectification, erasure, or blocking, the Controller shall inform the User of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information.

18.9. The User may make the above declarations related to the exercise of his/her rights at the contact details of the Controller provided in section 3.

18.10. The User may also submit a complaint directly to the National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.; phone: +36-30-549-6838; email: ugyfelszolgalat@naih.hu; website: www.naih.h u ). In the event of a violation of his/her rights, the User shall be entitled to take legal action pursuant to Section 22 (1) of the Information Act. The court of appeals has jurisdiction to hear the case. The action may also be brought, at the User's option, before the court of the User's domicile or residence. Upon request, the Controller shall inform the User in detail about the possibilities and means of redress.

Amendments to the Privacy Policy

19.1. The Controller reserves the right to amend this Policy at any time by unilateral decision. In case of modification of this Policy, the Controller will inform the Users about the modification by sending a system message. On the basis of the information contained in the notification, the User is entitled to exercise his or her rights in relation to data processing as set out in this Policy and in the applicable legislation.

19.2. The User accepts the current provisions of this Policy by logging in to the Site, and it is not necessary to seek the consent of individual Users.

Done at Budapest, 10.01.2024.