Objective of the present data processing information is to give particulars on the activities and practice of bagaboo limited partnership (‘bagaboo Bt.’) as data controller regarding to data processing and data management, based on the Regulation No. 2016/679 (‘Regulation’) of the European Parliament and of the Council.
With the present data processing information bagaboo Bt. fulfils its obligations to provide prior information as laid down in the Act CXII of 2011 on informational self-determination and freedom of information (‘InfoAct’).
The Parties bagaboo Bt. (address: 2030 Érd, Zrínyi u. 24. Hungary, tax nr.: HU22215965
If the Customer had given its consent upon registration, bagaboo Bt. is entitled to send a newsletter and to ensure the unsubscription of it – in line with the InfoAct.
Data controller shall pay particular attention to data protection of its Customers and partners and to respect their rights to informational self-determination. Therefore, it guarantees to handle any obtained personal data confidentially and shall endeavour to make every effort to ensure safety of these data.
Data subject: any natural person, who may be identified directly or indirectly based on any definite, personal data (InfoAct, § 3, (1)) ; a natural person is defined to be identified, if directly or indirectly, it may be identified based on one or more factors regarding identity, in particular an identifying personal data (Regulation, Article 4. (1)),
Personal data: any information relating to the data subject – in particular an identification number, e.g. name, number, location data, devices used by the data subject, online identification number provided by mobile applications, tools and protocols (IP-address, cookies), as well as other identifiers (e.g. RFID) (Recital 30 of the Regulation), or any specific knowledge regarding one or more physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, as well as any conclusion drawn from those, relating to the data subject (InfoAct § 3 (2), Regulation, Article 4 (1)),
Data controller: a natural or legal person, or an entity without a legal personality, which alone or jointly with others determines the purposes and means of the processing of personal data;
reaches decisions regarding data processing (including the tool used) and implements them, or ensures the implementation by a data processor appointed by him; (InfoAct § 3 (9), Regulation, Article 4 (7)),
Data controlling: any operation or a set of operations, irrespective of the procedure applied, in particular: any collection, recording, classification, systematisation, storage, adaptation or alteration, use, consultation, consultation by transmission, disclosure, alignment, combination, restriction, blocking, erasure or destruction, as well as preventing further use of the data, taking photos, making voice or visual recordings, just as any recording of identifying physical characteristics (e.g. finger–, or palmprints, DNA-profile, iris characteristics) (InfoAct § 3 (10), Regulation, Article 4 (2)),
Data processing: operations related to the technical tasks of data processing, irrespective of the method and tools applied for the implementation of the operations, as well as the place of application, provided, that the technical task is being carried out on the data; (InfoAct § 3 (17)),
Data processor: a natural or legal person, or an entity without a legal personality, a public authority, agency or any such body processing data based on a valid contract with the data controller, including a contract in compliance with the provisions of law; controls personal data on behalf of the data controller; InfoAct § 3 (18), Regulation, Article 4 (8).
Data Protection Commissioner / DPO bagaboo Bt
Represented by: Mr. Tamás Tűhegyi
Seat: 2030 Érd, Zrínyi str 24, Hungary
Tax number: HU22215965
Accounting commissioner Szi-Szi Trans Bt.
Represented by: Mrs. Péterné Szilágyi
Seat: 1118 Budapest, Villányi út 83-85. B.ép. 1.em.2.
Tax number: 28567002-2-43
Storage of accounting-related documents KBOSS.hu Kft. (szamlazz.hu)
Represented by: Mr. János Stygár-Joó
Seat: 1031 Budapest, Záhony utca 7.
Tax number: 13421739-2-41
Phone number: +36 30 354 47 89
Website operator, webhosting, system administrator, data storage
Represented by: Mr. Mihály Lippai
Seat: 8621 Zamárdi, Csokonai utca 5.
Tax number: 13744621-2-14
Phone number: +36 30 962 52 86
Operator of the server for data storage
Magyar Telekom Nyrt.
Seat: 1013 Budapest, Krisztina krt. 55.
Phone number: 1400
Server’s physical location Hauszmann DC – 1116
Budapest, Hauszmann Alajos utca 3/A.
Data storage Google LLC (also as Alphabet Inc.)
Address: 1600 Amphitheatre Parkway, Mountain View CA 94043 USA
Phone number: 1 (650) 253-0000
Artefact Product Group LLC, c/o Smartsheet Inc. (also as Smartsheet)
Address: 10500 NE 8th St, Suite 1300; Bellevue, WA 98004
Phone number: 1 (844) 324-2360
Apple Distribution International (iCloud)
Address: Hollyhill Industrial Estate, Hollyhill Ln, Knocknaheeney, Cork, Ireland
Phone number: +353 21 428 4000
DPD Hungária Kft.
Data Protection Officer: Dr. Gergő Soltész
Seat: 1158 Budapest, Késmárk utca 14. B. ép.
Tax number: 13034283-2-42
GLS General Logistics Hungary Kft.
Seat: 2351 Alsónémedi, GLS Európa utca 2.
Tax number: 12369410-2-44
Phone number: +36 29 88 66 70
Magyar Posta Zrt.
Seat: 1138 Budapest, Dunavirág utca 2-6
Tax number: 10901232-2-44
Phone number: +36 1 767 82 82
Seat: 1031 Budapest, Vízimolnár utca 10 6/54
Tax number: 25140550-2-41
Phone number: +36 1 400 88 06
Third party: a natural or legal person, or an entity without a legal personality who or which is not identical with the data subject, the data controller or the data processor (InfoAct § 3, (22)) or those persons who have the authorisation to control personal data, under the direct management of the data controller or the data processor (Regulation, Article 4 (10));
Consent of the data subject: a freely given and explicit statement on the wishes of the data subject, which is based on appropriate information provided to them and by which it gives its unambiguous consent to the control of its personal data – unlimited or limited to certain operations;
Data transmission: making the data available to a defined third party (InfoAct § 3 (11));
Erasure of data: making data unrecognisable in a way that their restoration may not be possible any longer (InfoAct § 3 (13));
Statement of objection: a statement from the data subject to claim the processing of its data, and may demand the suspension or termination of the data processing or erasure of its data processed (InfoAct § 3 (8));
Privacy incident: a security breach may resulting in accidental or illegal annulment, lost, change or unauthorized disclosure of to the transmitted, stored or in other ways processed data or facilitates an unauthorized access to them.
Policy on processing data and data transmission
Objective of the data control: the data processor/controller and the operating parties solely process the data of the data subject in connection with the purchase or to deliver them and fulfil related legal obligations.
Data to be processed: The data of the Customer provided at www.bagaboo-bags.com, such as name, address, e-mail, delivery address, phone number, classified password. On the invoice there will be stated the name and address of the data subject. Electronic invoice may only be sent to the e-mail address provided by the Customer, or will be given to them upon personal pickup, or in case of a delivery, sent in closed packaging.
The data obtained upon registration, purchase order or e-mail request/upon placing an order are confidential and will be used and managed by the data controller and the data processor for the purpose of fulfilling purchase orders.
Data subject shall be responsible for the veracity of the data provided, these shall not infringe any personal or other rights of third parties.
Legal basis of the data control is the consent of the data subject as per § 5 (1) (a) of the InfoAct and the Article 6 (1) (a) of the Regulation.
data is provided on a voluntary basis; data control takes place based on the voluntary given consent at the time of supply of the data. The Customer gives its consent to the data processing by registering on the website, or placing a purchase order and giving its personal data voluntarily; processing of the data is being carried out by the data controller and the data processor;
Data controller may use the personal data of the data subject free of charge in order to fulfil the purchase orders and for its documentation.
Bagaboo Bt. as data controller offers the Customers the possibility to store their data for the next purchase order so that they would not have to be provided every single time again. If the Customer does not avail itself of this opportunity, it might initiate the complete deletion of its data after having placed its purchase order.
The date controller transmits the personal data provided in relation to the given purchase order to its contracted logistics partners, who in this respect also qualify as data processors. Transmission of the personal data is aiming the fulfilment of the delivery of the purchase order.
Data retention period: if a purchase order was placed through the website, the personal data may be processed up to one year, or until the withdrawal of consent of the data subject. Bagaboo offers guarantee for its products for one year. In order to apply guarantee and the potential reproduction of the product we store the data related to the purchase order and to the Customer, as well as parameters of the product.
In case of individual purchase orders, where the demand of the Customer is different from the products to be designed under “custom items – design your own” at the bagaboo-bags.com website, the purchase order and therefore the product may be linked to the Customer (and to its personal data) in order to enable reproduction and may be stored until the withdrawal of consent by the data subject.
Excluded of the foregoing are the data of the accounting documents, which may be stored in compliance with national law.
Bagaboo Bt. guarantees that the data management follows the legal requirements in force. The rights of the data subject concerning the data management and the rules of judicial remedies are being stated in the Act CXII of 2011 on informational self-determination and freedom of information (‘InfoAct’) and Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. Based on the legislations above the Customer may request the rectification of its personal data, restriction of the data processing, deletion of the data processed, or further supply of information on the data processing. It may oppose to third parties’ interest in processing its personal data (e.g. surveys).
Data subject is entitled to receive the personal data related to it in a typed, legible form, and to transmit those data to another data controller or processor, if the data management is being carried out on a consent and in an automated way.
If the Customer wishes to delete or amend its data in the database, it may express its intention at any times, without any restriction or justification, free of charge at firstname.lastname@example.org or by sending a postal item to the data controller, in both cases with the subject indicated “Modification of processing personal data”.
Customer takes note that deletion of its personal data does not automatically mean the deletion of the purchase order already placed. In regard to the withdrawal from the order there shall be point 5 of the GCC (General Contractual Conditions) indicative.
Cookies are small text files stored on the user’s computer that help us monitor the website-using habits of the Customer, so that when visiting the webpage later, the page may read the information stored in the cookies. Cookies on the one hand are needed to enable all the functions of the website to operate properly, on the other hand facilitate a better regular use of the website: the data stored in the cookies upon the first visit shall not be provided again: language settings, content of the cart or user name. Therefore, the webpage is to a certain extent adapted to the individual needs of the user, provided that the Customer uses the same device when logging back in to the site.
Our website contains of the following types of cookies:
„PHPSESSID” (an individual identification number of the workflow to identify the website-usage of our visitors (Session ID))
„wccart_hash#” (stores the content of the cart until a purchase order is placed (or until the change of the language settings on the webpage))
wcfragments# – stores settings related to the webshop
_icl_current_language; _icl_visitor_lang_js; wpml_browser_redirect_test
(stores the language used when browsing the website (English/Hungarian))
wpml_referer_url (is needed for the maintenance of the language settings of the webpage)
In the interest of the advertisements and statistics appearing on the website of the data controller while browsing its website, third parties (e.g. Google, Youtube, Facebook) may as well place cookies on to your computer. Purpose of this is to let advertisement appear that might interest you, or to make statistics on visitors of the website and on their websurfing habits.
Cookies used by our website by external providers:
Google’s AdWords service,
Google’s Analytics service,
Data controller guarantees that the research may be in compliance with all the provisions set out in the Law No. CXIX of 1995 on processing name and address-related data in the interest of research and direct marketing.
Customer has the right to object the processing of its personal data. Data controller shall examine this request within the shortest time possible, but maximum within 15 days, shall take a decision on its reasonable justification and inform the petitioner about its decision in a written form.
The right of the data subject to legal remedy: shall the data subject not agree with the decision taken by the data controller, it may be going to court within 30 days after the communication.
Legal remedies or complaints may be filed with the National Agency for Data Protection:
Name: National Agency for Data Protection
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone number: +36 (1) 391-1400
Privacy incident: a security breach that may result in accidental or illegal annulment, lost, change or unauthorized disclosure of the transmitted, stored or in other ways processed data or facilitates an unauthorized access to them;
Any privacy incident shall be reported to the responsible authorities (National Agency for Data Protection) without an unreasonable delay – within 72 hours – unless the incident is unlikely to risk any rights of natural persons. Should the incident be likely to carry high risks in regard to the rights and freedoms of natural persons, data controller shall inform the data subject about the incident without undue delay.
In the event of a difference in the interpretation or a language difficulty, the Hungarian version shall be determinative.
Contact data controller
Name of data controller: bagaboo Bt. (‘data controller’)
Seat: 2030 Érd, Zrínyi u. 24.
Trade registry number: 13-06-055477
Tax number: 22215965-2-13
Phone number: +36 20 362 80 59
Budapest, 14th August 2019