Call Us +36 20 4294-745

Welcome to our sauna webstore!

I. Introductory Provision

Szauna Bau 84 Service Provider and Trade Limited Liability Company (registered office: 2096 Üröm, Fő u. 1., registration number Cg: 13-09-148137.) as a data managing entity, acknowledges the contents of this Privacy Statement as compulsory. Commits you to ensure that all data management related to your business complies with the applicable laws. Szauna Bau 84 Service Provider and Trade Ltd. manages personal information confidentially and performs any security, technical and organizational measures that guarantees the security of the data. Szauna Bau 84 Service Provider and Trade Ltd. reserves the right to change this prospectus, which will promptly notify its customers. Szauna Bau 84 Service Provider and Trade Ltd. informs its customers that the data management principles pursued by www.szaunabau.hu are in line with current legislation on data protection and in particular with the following legislation:
  
- Act CXII of 2011 on Right to Information Self-determination and Freedom of Information (hereinafter: Avtv., Act on the Protection of Privacy);
- Act C of 2000 on Accounting (Számv. tv.);
- Act CVIII of 2001 on Electronic Commerce Services and Certain Issues of Services related on Information Society (Eker. tv.)
- Act XLVIII on 2008 on the Fundamental Terms and Limitations of Economic Advertising (Grt.).

II. Elements/Basic Concepts

data subject: any natural person specified or identified by any specific personal data, or identifiable both directly and indirectly; personal data: data related to the data subject, in particular the name, identifying mark, and the knowledge of one or more physical, physiological, mental, economic, cultural or social identities of the data subject, as well as the conclusion that may be deduced from the data; special data: a.) personal data relating to racial origin, nationality, political opinions or party affiliation, religious or other beliefs on the world view, membership of an interest-representative organization, sexual life, b) health status, abnormal passion relevant personal data as well as criminal personal data;

contribution: voluntary and decisive expression of the will of the concerned person, based on appropriate information and by which he/she gives his/her unambiguous consent to the management of his/her personal data, covering all or part of operations;
protest: the statement of the concerned person with which he/she is objecting to the management of his/her personal data and requesting the termination of data processing and the deletion of the processed data;
data controller: means a natural or legal person or an organization that does not have legal personality who either independently or with others determines the purpose of the processing of data, makes and executes decisions on data management (including the equipment used) or performs with the data processor entrusted to it;
data management: irrespective of the method used, any operation or all of the operations performed on data, such as collecting, capturing, capturing, systematizing, storing, modifying, using, querying, transmitting, publishing, aligning or linking, blocking, deleting and destroying any of the operations, or to prevent further use of the data, to take photographs, sound or images, and to record the physical characteristics (eg. finger or palm print, DNA sample, iris image) suitable for identifying the person;
data transfer: making the data available to a specific third party;
disclosure: making the data available to anyone;
data deletion: making data unrecognizable in such a way that their recovery is no longer possible;
data designation: providing the identification of the data with a view to distinguishing it;
data encryption (blocking): for the purpose of limiting the further management of the data by means of an identification mark for a definite or fixed period of time;
data destruction: complete physical destruction of data-containing media;
data processing: performing technical tasks related to data management operations, irrespective of the method and device used to implement the operations and the location of the application, provided that the technical task is carried out on the data;
data processor: means a natural or legal person or an organization without legal personality who, by virtue of a contract concluded with the data controller, including the conclusion of a contract by law, processes data;
data file: the sum of the data processed in one register;
third party: a natural or legal person or a non-legal entity which is not the same as the data subject, the data controller or the data processor;

III. In relation to the protection of personal data in the course of data processing, Szauna Bau 84 Service Provider and Trade Ltd. as a data controller considers the following:

 1.) principles of data management: - Personal data can only be handled for a specific purpose, for the exercise of the right and for the fulfillment of the obligation. At all stages of data management, the purpose of data management must be met, data entry and management must be fair and legitimate. - Only personal data that is essential for the purpose of data management can be handled to achieve this aim. Personal data can only be handled to the extent and for the duration required to achieve the aim. - Personal data preserves this quality while management it as long as its connection can be restored with the affected person. The contact with the data subject can restore if the data controller has the technical conditions that are necessary for restoration. - In the course of data processing, the accuracy, completeness and, if necessary for the purpose of data management, the up-to-dateness of the data and the identification of the data subject for the time necessary for the aim of data management.

2.) the legal basis for data management: - Personal data can be managed if a) the person concerned agrees or b) it is ordered by a law or by a decree of the local government on the basis of the authorization of the law, within the scope defined therein, for reasons of public interest. - Personal data can be managed even if it is impossible or disproportionate to obtain the consent of the person concerned and that the managing of personal data a) it is necessary to comply with a legal obligation for the data controller, or b) it is necessary to enforce the legitimate interest of the data controller or a third party and the enforcement of this interest is proportionate to the limitation of the right to the protection of personal data. - If, due to the inability of the data subject to do so or for other unavoidable reasons, he/she is unable to give his/her consent, the data of the person concerned can be managed during the existence of barriers to consent, for the purpose of protecting the person's or other person's vital interests or preventing the immediate danger and the direct danger of life, physical integrity or to parry and prevent the direct danger threatening the goods. - For declaration of an unable to act or disabled minor person otherwise is required the consent of the legal representative, except for parts of the service where the declaration is intended to be massively registered in everyday life and does not require any particular consideration. For the validity of the legal declaration of a minor data subject of 16 years of age it is not necessary to be consented or the follow-up consent of his/her legal representative. - If the purpose of data-processing based on consent is to implement a contract concluded in writing with the data controller, the contract must include all information that the data subject needs to know for the purpose of personal data management - under this law - and in particular the definition of the data to be processed, the duration of the data management the purpose of the use, the fact of the transmission of data, the addressees thereof, and the fact that the data processor is using it. The contract must, in an unambiguous manner, contain that the data subject by his/her signature consents to manage its data as specified in the contract. - If the personal data has been collected with the consent of the data subject, the data controller shall manage the data recorded, in the absence of a different law a) with a view to fulfilling a legal obligation on him, or b) to enforce the legitimate interests of the data controller or third party when the enforcement of this interest is proportionate to the limitation of the right to the protection of personal data without further special consent and the management is possible also after withdrawing the consent of the data subject. - In the case of personal data necessary for the conduct of proceedings in the judicial or administrative proceedings instituted at the request of the person concerned, in the case of the personal data which he/she has requested to do so, the person concerned shall be presumed to consent. - The consent of the person concerned shall be deemed to have been granted for personal data communicated or disclosed by him/her during his/her public service. - In case of doubt, it must be presumed that the party concerned has not given his consent.

3.) requirement of data security - The data controller is obliged to design and implement data management operations to ensure the privacy of the data subjects. - In the data controller or in the scope of its activities, the data processor must ensure the security of the data, and must also take the technical and organizational measures and establish the procedural rules necessary to enforce Avtv. and other data protection and confidentiality rules. - Data shall be protected against any unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as inadvertent destruction and damage, as well as any unauthorized access resulting from a change in the technique used. - In order to protect electronic files managed in different registers, an appropriate technical solution should ensure that the data stored in the regesiters can not be directly linked and assigned to the data subject – unless permitted by law. - In the automated processing of personal data, the data controller and the data processor provide additional measures to ensure (a) preventing unauthorized data entry; (b) prevent the use of automatic data processing systems by unauthorized persons by means of data transmission equipment; (c) verifiability and determination of which organs were transmitted or may be transmitted personal data by means of data transfer equipment using personal data; (d) the verifiability and determination of which personal data, when and to whom it has been introduced into the automatic data-processing systems; (e) the repair of installed systems in case of malfunction and f) to report on errors occurring during automated processing. - The data controller and the data processor must be aware of the current state of the technique in defining and applying the data security measures. There are several possible data management solutions to choose from, providing for a higher level of protection of personal data, unless if it is a disproportionate difficult to the data controller.

4.) limitations of data management - If according to a law, an international treaty or a statute of a binding act of the European Union the data controller manages personal data so that the data controller-exporter at the same time as the transfer of personal data notify (a) the possible purpose of management, b) the possible duration of management, (c) possible addressees of its transmission, (d) the limitation of the rights of the party concerned under this Act, or (e) other restrictions on its management (hereinafter referred to as "data management restrictions"), the data controller-receiver (hereinafter referred to as the "data importer") receiving the personal data manages personal data in an volume and manner appropriate to the data restriction, ensuring the rights of the data subject according to the data restriction. - The data importer may menage personal data regardless of the data management restriction and may secure the rights of the data subject if it has been given prior consent by the data controller-exporter. - According to the law, international treaty or a statute of a binding act of the European Union, the data controller shall, at the same time as the transfer of personal data, inform the addressee of the applicable data restriction. - The consent specified in § 4 (2) may be granted by the data controller if it does not conflict with the legal provisions applicable to legal entities under the jurisdiction of Hungary. - At the request of the data controller-exporter, the data importer informs him/her of the use of the personal data received.

IV. According to the Act CXII of 2011 on the Right to Information Self-determination and Freedom of Information § 20, Szauna Bau 84 Service Provider and Trade Ltd., as a data controller, informs the parties concerned of:

The data management of Szauna Bau 84 Service Provider and Trade Ltd. is based on a voluntary contribution. If the data informant does not provide his/her personal data, he/she does not act on his/her own behalf, he/she must obtain the consent of the data subject. The aim of the data management is to ensure customer relationship, customer registration, differentiation, ordering facilitation, order fulfillment, customer contact, newsletter sending, documenting purchase and payment, and fulfilment of the accounting obligation. The legal basis for data processing is: the consent of the data subject according to Act CXII of 2011 on the Right to Information Self-determination and Freedom of Information § 5 (1) (a), Act C of 2000 on Accounting § § 169 (2) and Act XLVIII of 2008 on the Fundamental Terms and Limitations of Economic Advertising Activity § 6. According to the Act XLVIII of 2008. § 6 (1) on the Protection of Human Rights and Fundamental Freedoms: unless otherwise provided by a separate law, a method of direct access to a natural person, such as a direct advertisement of a recipient of an advertisement (hereinafter: direct business acquisition), in particular electronic correspondence or equivalent means, may be used, with the exception provided for in item 4, only if the addressee of the advertisement has obviously and expressly agreed in advance. (2) A declaration of consent may be made in any way including the name of the declarant – or, where the advertisement to which the consent relates may only be communicated to persons of particular age–, the place and date of birth and the scope of the personal data to which the consent of the declarant and the expression of the consent voluntarily and with the appropriate information. (3) The consent statement under item (1) may be revoked at any time without restriction or justification. In that case, the name of the declarant and all other personal data shall be deleted from the register provided for in item 5 without delay and for advertising purposes as provided for in item 1, no further information may be given. (4) In accordance with Act CI of 2003 on postal services, an advertisement in a delivery defined by the law may be sent to a natural person, as addressee of the advertisement, by direct business acquisition without the obvious and express consent of the addressee, but the advertiser and the advertising service provider shall be obliged to ensure that the addressee of the advertisement can prohibit the sending of the advertisement at any time without charge and without limitation. In the event of disqualification, an advertisement may not be sent via direct marketing to the person concerned. (5) The advertiser, advertisement provider or advertisement publisher, in the sphere defined in the consent provided for in the item (1), keep a register of the personal data of the persons making the consent declaration. The data set out in this register, concerning the receiver of the advertisement, can be managed only in accordance with the consent statement and can be handed over until its revocation, and can only be transferred to a third party with the prior consent of the person concerned. (6) In order to make a declaration of withdrawal pursuant to the item (3) or to prohibit the sending of an advertisement pursuant to item (4), it shall be possible to provide both by post and by electronic means so that the person making the declaration can be clearly identified. 7. In relation to the advertisement communicated in the manner specified in items (1) and (4), the addressee shall be clearly and conspicuously informed about the address and other contact details where he may communicate the withdrawal of his consent to the communication of such advertisements or the prohibition on sending the advertisement and, in the case provided for in item (4), for this purpose, the advertising for the same advertiser for the same receiver sent for the first time after 1 October 2009 must include the postal response letter allowing the withdrawal, with the postal address, prepaid, free of charge and delivered in a verifiable manner. (8) A direct request for demand a consent declaration under item (1) may not include advertising, except the name and designation of the business.

Szauna Bau 84 Service Provider and Trade Ltd. as a data controller manages exclusively personal data, which are listed on the site szaunabau.hu/regisztracio.php. Duration of the data management: until the consent of the person concerned is withdrawn or until the end of the data management target ends. Szauna Bau 84 Service Provider and Trade Ltd. as a data controller informs its clients that, in accordance with the above legislation, in the case of a customer relationship, following the performance of the service, at the express request of the customer transmitted via the customer's e-mail sent to (raktar@Szaunabau.hu) or by post to the headquarters of Szauna Bau 84 Service Provider and the Trade Ltd. (2096 Üröm, Fő u. 1.), but at the latest 10 years, the customer's data will be deleted. For customers using the newsletter service, you can click the "Unsubscribe" link at the bottom of the newsletter to withdraw more data management.

V. Method of storing personal data.
The information systems of Szauna Bau 84 Service Provider and Trade Ltd. are located at their registered office and data retention is carried out on the server operated by the data processor. Szauna Bau 84 Service Provider and Trade Ltd. operates the IT tools used to manage personal data in the provision of the service so that the data managed: (a) its authenticity and authentication is ensured (authenticity of data management); (b) are available to the authorized persons (availability); (c) its changeless can be verified (data integrity); d) are protected against unauthorized access (confidentiality of data). Szauna Bau 84 Service Provider and Commercial Ltd. takes measures to protect the security of data management which provides an adequate level of protection against the risks associated with data management. Szauna Bau 84 Service Provider and Ltd. retains in its data management (a) confidentiality: it protects the information so that it can only access the person who is entitled to it; (b) integrity: it protects the accuracy and completeness of the information and the method of processing; c) availability: ensures that when the eligible user needs it, he/she can really access the information required and have access to the related tools. Szauna Bau 84 Service Provider and Trade Ltd.'s computer system and network are protected against computer-aided fraud, sabotage, vandalism, espionage, fire and flood, as well as computer viruses, computer burglaries, and attacks leading to service denial.

VI. Identity data, contact details of the data controller
Name: Szauna Bau 84 Service Provider and Trade Ltd.
Headquarters: 2096 Üröm, Fő u. 1
Company Registration Number: 13-09-148137
Court of Registration
Tax number: 11056892-2-13
E-mail address: raktar@Szaunabau.hu

VII. Rights of data subjects

- Concerned person may apply to the data controller a) information on the management of his/her personal data, b) the rectification of personal data and c) deleting or blocking his/her personal information, except mandatory data management. - At the request of the data subject concerned, the data controller shall provide information on the data processed by or on behalf of the data processor he manages, source, purpose, legal basis, duration of processing, also the name, address and data management activity of the data processor, and – in case of transfer of data subject’s personal data - the legal basis and the addressee of the transfer. - The data controller shall keep a transmission register for verify the legality of the data transfer and to inform the data subject concerned, including the date of transmission of the personal data he manages, the legal basis and the addressee of the data transfer, the definition of the scope of the personal data transmitted and other data specified in the statutory provision on data management. - The duration of the obligation to provide information on the retention of data under the above § may be limited by the law requiring data management. In the case of personal data, this limitation can not be established for a period of less than five years or, for special data, a period of less than twenty years. - The data controller must provide the information in writing in the shortest possible time, at the request of the person concerned, but not later than 30 days, in an understandable form. - The information provided above is free of charge if the information requesting has not yet been filed with the data controller for the same data field during the current year. In other cases, reimbursement can be made. The amount of reimbursement may also be fixed by a contract between the parties. The repayment of the reimbursement already paid should be refunded if the data was unlawfully managed or the request for information resulted in a correction. - The information of the data subject can be refused by the data controller only in the cases specified in the Act CXII of 2011. - In the event of non-information, the data controller shall inform the data subject in writing that the refusal to provide information it’s done on the provisions of this Act. In the event of refusal of information, the data controller informs the data subject of the judicial remedy and of the possibility of referral to the National Data Protection and Information Authority (hereinafter: the Authority). The controller shall notify the Authority of any rejected request until 31 January of the year following the reference year. - If the personal data does not comply with the reality and the personal data corresponding to the reality is available to the data controller, the personal data will be corrected by the data controller. - Personal data must be deleted if a) its management is unlawful; b) the data subject asks it – as stated in the Avtv; (c) it is incomplete or incorrect – and this condition can not be legally remedied –, provided that the deletion is not excluded by law; d) the purpose of data management has ceased or the statutory deadline for data storage has expired; e) it has been ordered by the court or the Authority. - In the case provided for in point d) above, the deletion obligation shall not apply to personal data whose media are to be kept in archives under the law on the protection of archives material. - Instead of deleting the data, the data controller will block the personal data if the data subject so requests or if, based on the information available to him, it is assumed that the deletion would violate the legitimate interests of the data subject. Personal data so locked up can only be managed as long as there is a data management target that excludes the deletion of personal data. - The data controller shall mark the personal data he/she manages if the person concerned disputes its correctness or accuracy, but the incorrect or imprecise nature of the disputed personal data can not be clearly identified. - The person concerned must be notified of the correction, blocking, marking and deletion, and be notified all who have previously been transferred data for data management. Notification may be omitted if it does not prejudice the legitimate interest of the data subject regarding the purpose of data management. If the data controller fails to comply with the request of the data subject on correction, locking or deletion request concerned, he/she shall notify the factual and legal grounds for rejecting the request for rectification, blocking or cancellation within 30 days of the receipt of the request. In the case of refusal of an request for rectification, deletion or blocking, the data controller shall inform the person concerned of the judicial remedy and the possibility of appeal to the Authority. - The rights of the person concerned as defined in this § may be restricted by the law to the external and internal security of the state, such as national defense, national security, the prevention or prosecution of criminal offenses, the security of the execution of penalties and the economic or financial interest of the state or local government, economic and financial interests, and to prevent and detect disciplinary and ethical misconduct, labor law and labor safety breaches related to the exercise of occupations – including in all cases control and supervision –, and to protect the rights of the data subject or others.

VIII. Information of the data subject
- The data subject must be informed prior to the data management that the data management is based on consent or binding. - The data subject must be clearly and thoroughly informed of all the facts related to his/her data management, including specially the purpose and legal basis of the data management, the data controller and the person entitled to process it, the duration of the data management, if the data subject's personal data is managed by the data controller according to Avtv. § 6 (5), and who may know the data. The information should also include the rights and remedies available to the data subject in question. - In the case of mandatory data management, the information may also be disclosed by making a reference to the legal provisions containing the information referred to in the above §. - If the personal information of the data subjects is impossible or with disproportionate costs, the information may also be made by disclosing the following information: a) the fact of collecting data, b) the circle of stakeholders, c) the purpose of the data collecting, d) the duration of the data processing, e) the person who is able to access the data, f) a description of the data management rights and remedies of the data subjects concerned, and g) where the data protection registration of the data is made, the registration number of the data processing, with the exception of the case provided in Avtv. § 68 (2).

IX. The data subject may object to the management of his/her personal data,
a) where the processing or transmission of personal data is necessary solely for the fulfillment of a legal obligation for the data controller or to enforce the legitimate interests of the data controller, data importer or third party, except in the case of mandatory data processing; b) the use or transfer of personal data is done for direct business acquisition, polling or scientific research; as well as c) in other cases specified by law. The data controller shall examine the protest within the shortest time, but within 15 days of the submission of the request, decides on the matter of its validity and inform the applicant in writing. If the data controller establishes the validity of his/her protests, he terminates data management – including further data collection and data transfer – will lock the data, and informs about the protest and the measures taken on the basis of, all those for whom he has previously transferred the personal data involved in the protest, and who are obliged to take action to enforce the right to protest. - If the data subject disagrees with the decision of the data controller or if the data controller fails to comply with the deadline, the party concerned, within 30 days from notification of the decision or from the last day of the deadline, according to Atvtv. § 22, shall turn to the court. - If the data importer does not receive the data required to enforce his right because of the protest of the person concerned, within 15 days of the delivery of the notification, in order to obtain the data – in the manner specified by Avtv. § 22 – may turn to the court against the data controller. The data controller can also call in the lawsuit the person concerned. - If the data controller fails to notify the data importer, this latter may ask for information about the failure circumstances of data transmission from the data controller, which information must be provided by the data controller within 8 days of delivery of the data importer's request. Upon request, the data importer may turn to the court against the data controller within 15 days from the date on which the information was provided and no later than 15 days after the deadline. The data controller can also call the person concerned. The data controller can not delete the concerned person’s data if the data processing is ordered by law. However, the data can not be transmitted to the data importer if the data controller agrees to the protest or the court has found the rightness of the protest.

X. Legitimacy to Appeal
- In the event of violation of the rights of the data subject and in cases referred to in Avtv. § 21, the data importer may turn to the court against the data controller. The court proceeds out of turn. - The data controller must demonstrate that data management is in compliance with the law. In the case referred to in Avtv. § 21 (5) and (6), the data importer shall be obliged to prove the lawfulness of the transfer of data to him. - The trial is a matter for the court. The case may be initiated before the tribunal of the domicile or place of residence of the data subject, according to his choice. - There may be a party to lawsuits, who have no legal capacity in court. The Authority may intervene for lawsuit-winning of the data subject. - If the court upholds the request, the data controller shall be obliged to disclose the information, correction, blocking, cancellation of the decision taken by automated data processing, taking into account the right of protest of the person concerned, and he is obliged to provide the data requested by the data exporter specified in Avtv.§ 21. - If in the cases specified in Avtv. § 21, the data importer's request is rejected by the court, the data controller shall cancel the personal data of the data subject within 3 days of the delivery of the judgment. The data controller is also bound to delete the data if the data importer i does not turn to court within the deadline specified in Avtv. § 21 (5) and (6). The court may order the disclosure of its judgment by publishing the identity data of the data controller if it is required by the interests of data protection and by the rights of greater number of data subjects, protected by this law.

- Legal remedies are available and complaint can be lodged with the National Data Protection and Freedom Authority: Name: Nemzeti Adatvédelmi és Információszabadság Hatóság / National Data Protection and Freedom Authority Mail address: 1530 Budapest, POBox.: 5. Address: 1125 Budapest Szilágyi Erzsébet fasor 22/c Phone: +36 (1) 391-1400 Fax: +36 (1) 391-1410 E-mail: ugyfelszolgalat@naih.hu

XI. Compensation liability
- The data controller is obliged to compensate for any damage caused to others by unlawful management of the concerned person’s data or breach of the requirements of data security. The data controller is also responsible for the damage caused by the data processor to the data subject. The data controller is exempt from liability if he/she proves that the damage was caused by an unavoidable cause outside the scope of data management. - There is no need to reimburse the damage in so far as it is due to the intentional or gross negligence of the injured party.