Datenschutzerklärung

This external data protection rules and information on data processing (hereinafter as: Rules) is the inseparable annex of General Terms and Conditions, according to Point 10 of the GTC.

1. General Provisions

1.1. For Fa Elefánt Kft. ((Registered office: 8200 Veszprém Budapest út 54., Registration Court: Veszprém megyei Cégbíróság, Tax ID: adószám: 13164029-2-19, E-mail address: info@woodmaster.at, a hereinafter as: Operator) a particularly important goal is to protect the personal data provided by visitors of the website www.woodmaster.at (hereinafter as: Website) operated by Operator, the individuals who order and register on the Website, furthermore the visitors of the retail premises of Operator (hereinafter: Users) during their registration / order process / User’s digital information request / retail premises visit, as well as to ensure the Users’ right for informational self-determination, which is provided by Operator according to this Rules.

The Operator manages and processes the data received when identifying the Users in order to execute the orders made by them. The Operator manages all the data which is considered as being personal and is uploaded by the Users during their visits of the Website or while using the Website’s services.

Operator provides its services and manages Users’ personal data in full compliance with the relevant effective regulations and ensures the Users’ security during their Website online session.

Operator manages and processes the personal data of the Users confidential in accordance with the effective legal requirements – in particular with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information („Information Act”), as well as the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016; hereinafter as: GDPR) – ensures their security, takes all the necessary technical and organizational measures, furthermore establishes the procedural rules, which are necessary to comply with the relevant legal provisions and other recommendations.

1.2. This Rules summarize those principles, determine the policy and daily practice of Operator regarding the protection of personal data, as well as identifies the services, which require the Users personal data. Furthermore in this Rules Operator declares the purpose for the data procession and the way it uses this data, as well as how it ensures the safety and protection of the personal data.

1.3. While creating this Rules the Operator took into consideration the effective relevant regulation and the important international recommendations, namely:

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information;

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Act VI of 1998 on Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Strasbourg, 28 January 1981;

Act CXIX of 1995 on managing name and address data for the purposes of research and direct business acquisition

Act C of 2003 on electronic communications;

Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities;

The recommendations and resolutions of the Data Protection Commissioner and the relevant data protection practice.

1.4. Upon the Users’ request Operator is ready in every case to provide full information on the personal data processed, the purpose, reason and duration of the processing, as well as on its activities relating to data processing.

The Operator processes and stores only the personal data which is required to asses and quantify the frequency of Website visits, to ensure the execution of the User’s right and Operators obligations, to communicate with Users, furthermore to execute business transaction with Users.

2. The main definitions and principles regarding managing personal data

2.1. Definitions

2.1.1. Data management: shall mean any operation or set of operations that is performed with data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or making available otherwise, alignment or combination, blocking, erasure or destruction, and prevention of further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);

2.1.2. Disclosure by transmission: shall mean making data available to a specific third party;

2.1.3. Data manager: shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purpose of the data processing, makes decisions regarding data processing (including about the means) and implements such decisions itself or engages a data processor to execute them;

2.1.4. Data subject: shall mean a natural person who has been identified with the help of his specific personal data, or who can be identified, directly or indirectly

2.1.5. Personal data: shall mean any information relating to the data subject, in particular his name, identification number or to the details of his physical, physiological, mental, economic, cultural or social identity, as well as any reference which can be deducted from such information pertaining to the data subject;

2.1.6. Data protection incident: unlawful management or processing of personal data, especially unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as accidental deletion or damage.

2.1.7. Profiling: shall mean any form of automated processing of personal data which uses personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

2.1.8. Pseudonymization: shall mean the processing of personal data in such a way that this personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

2.2. Principles

2.2.1. Lawfulness, fairness and transparency

Personal data may be processed only for specified purposes, for the implementation of certain rights or obligations. The recording of personal data shall be done under the principle of lawfulness and fairness.

Personal data may be processed when the data subject has given his consent or when processing is necessary as determined by a law or by a local authority to serve the public interest (hereinafter as “mandatory processing”).

2.2.2. Purpose limitation

At all stages of the data management the purpose of processing and storing this data should correspond to the initial and lawful reasons of such data management.

2.2.3. Data minimization

The personal data managed must be essential and serving the purpose of the data management, as well as suitable to achieve that purpose.

2.2.4. Accuracy

The data manager shall carry out the measures in order to secure the accuracy (correctness) of the managed data.

2.2..5. Storage limitation

Personal data can be managed to the extent and for the duration necessary to achieve the purpose of data management.

Personal data shall be erased if the its management or processing is unlawful, if requested by the data subject, if it is incomplete or inaccurate and cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision, if the purpose of processing no longer exists or if the legal time limit for data storage has expired, if instructed so by a court decision or by National Authority for Data Protection and Freedom of Information (hereinafter as: NAIH).

2.2.6. Integrity and confidentiality

Data must be protected by appropriate means and measures against the unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as against damage and accidental loss. Operator needs to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes or modification of the applied technique.

If the User provides personal information to Operator, the latter shall take all the necessary steps to ensure the security of these data - both during network communication (i.e. online data management) and during storing the data (i.e. offline data management).

2.2.7. Accountability

The data subject may request from the data manager i) information when its personal data has been processed, ii) the rectification of its personal data, and iii) the erasure or blocking of its personal data, with the exception of the cases of the mandatory processing.

2.2.8. Operator declares as a general principle, that every time it requests the Users’ personal information, the Users are entitled to decide freely whether or not to provide the requested information after reading and interpreting the obligatory notification. However, it should be clearly stated that if the User does not provide the personal information, that User will not be able to enjoy the Website’s service accessible only to registered users.

Operator respects the principles of data management and always aims to enforce.

3. The legal basis of the data management

Operator manages the data set out in Chapter 5 based on reference to the legal basis below.

3.1. The legal basis of the data management: Paragraph 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce activities and information society services and Article 6 Section (1) Point c) of GDPR (name, delivery address, billing address).

The legal basis of the data management Regarding Point 4.: the voluntary consent of the concerned person (Article 6. Section (1) Point a) of GDPR), the lawful interest of the User and Operator (Article 6. Section (1) Points d) and f) of GDPR; image and sound recording), contractual data management (Article 6 Section (1) Point b) of GDPR; name, delivery address, billing address), Paragraph 6. § (5) of Grt. (Article 6 Section (1) Point c) of GDPR, name, e-mail address), furthermore in case of User’s request for information by an e-mail - the Article 6. Section (1) Points b) and f) of GDPR (name, e-mail address).

The Operator declares that in the event of default the legal basis for data processing under Article 6 Section (1) Point b) of GDPR (contractual) is converted into the legal basis under Article 6 (1) (b) and (f) of the GDPR (lawful interest).

3.2. The Operator manages the data of the User set out at Point 5. according to the Point 5. § (1) a) of the Information Act and on the basis of the voluntary consent of the concerned person (Article 6 Section (1) Point a) of GDPR) and contractual obligation (Article 6 Section (1) Point b) of GDPR; name, delivery address, billing address), furthermore in accordance of the provisions of Act CVIII of 2001 on certain issues of electronic commerce activities and information society services.

The User gives the consent personally or electronically by using the Website and by signing the Data Management Declaration / checking the box during the process of the registration/ making orders/ Users’ information request. The User is entitled to withdraw the consent anytime and at the same time to request the deletion of its data or to modify the contributed data. In case of the pending order the withdrawal of the consent is considered as the cancellation of the order, which should be communicated to Users by Operator together with the response to its request for data deletion as Article 6. Section (1) Point f) of GDPR provides that Operator is entitled to manage the data of User until parties do not settle the contractual obligation. According to  the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management in the past.

3.3. Operator manages the User’s personal data set out in Point 5 (image recordings) for the purposes related to quality assurance, security of property, prevention and investigation of crime in accordance with the Paragraph 6. § Section (1) Point b) of Information Act and Article 6 Section (1) Point f) of GDPR with the proportional limitation of the right to protect personal data in order to enforce the legitimate interests of Operator and third parties.

4. The purpose of the data management

Operator manages and processes the data set out in Chapter 5. in order to serve the following purposes:

4.1. The purposes of the Data management: i) making orders (name, delivery address); ii) controlling the execution of the service (name, phone number, e-mail address); iii) preventing the abuses (name, phone number, e-mail address); iv) identification of Users and differentiating between them (name, phone number, delivery address, billing address, e-mail address, password); v) contact (name, phone number, e-mail address); vi) presenting statistics (pseudonymisation) vii) direct marketing (name, e-mail); viii) exercising rights regarding the legal relationship with users (clients) (name, billing address, phone number, e-mail address) ix) fulfilling the obligations (name, billing address, delivery address, phone number, e-mail address); x) issuing invoices (name, billing address); xi) monitoring and recording consumer preferences in order to recommend customized Website’s advertisements to the Users (profiling: name and order data); xii) security of property, investigation and prevention of unlawful acts (image recording).

4.2. The Users can give their consent personally or electronically by using the Website1 and signing up for the newsletter / checking the box2 during the process of the registration/ making orders/ User’s information request to contact them for the purpose of direct marketing or electronic advertisement (newsletter, e-mail, SMS, etc.) using the provided contacts. The consent can be withdrawn anytime without any charges, limitations and justification, furthermore the consent can be withdrawn in a way which is set out in the electronic advertisement.  The consent can be also withdrawn via a declaration posted to the registered office of the Operator. In the case of pending order the withdrawal of the consent set out in this Point (regarding the newsletters) does not affect the execution of the order. According to the Article 7. Section (3) and the Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management and processing in the past.

4.3. In every case when Operator intends to use the provided personal data for other purposes than the original purpose of the recording he needs to inform the User and receive his prior direct consent, furthermore to provide the User a possibility to prohibit the use of his personal data.

5. The subject of the data management

5.1. For not registered users:

Name

Delivery address

Billing address

Phone number

E-mail

User name

Password

 – if necessary

The scope of the managed and processed data is determined by the execution of the order (name, delivery address), the contact (name, phone number, e-mail) and the issuing the invoice (name, billing address).

5.2. For registered users:

Name

Delivery address

Billing address

Phone number

E-mail

User name

Password

– if necessary

The scope of the managed data is determined by the execution of the order (name, delivery address), the contact (name, phone number, e-mail) and the issuing the invoice (name, billing address).

5.3. Providing the personal data is based on legal provisions and contractual obligations, it is the prior condition of concluding the agreement in respect of the order. The user shall provide his personal data if he intends to shop online. The lack of data makes the ordering online impossible.

5.4. Users under age of 16

To manage and process the personal data of users under the age of 16 as well as to get their legal declarations the prior parental consent is necessary.

The User under the age of 16 needs to have his parent or legal representative provided his consent for to the order.

5.5. The Operator does not collect sensitive data under any circumstances, which refers to personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs, health, pathological addictions, or criminal record.

5.6. The personal and other data provided by Users is not combined with or linked to other data or information from other sources by Operator.

5.7. The Operator performs camera recording in the retail premises for security, crime detection and crime prevention purposes, which is stored for up to 30 business days. Regarding the fact of the image recording the User is warned by Operator by a sign placed at visible place in the retail premises. User consents to the recording of the image by entering to the business premises and by signing the Data Management Declaration / checking the box. If the User does not consent to the image recording according to Point 3.3 User can make online orders and use other customer service (chat, e-mail). Otherwise the legal basis for the data management and processing is Article 6 Section (1) Points d) and f) of GDPR.

5.8. A few data of the User, other traffic data, and behavioral data are recorded in order to quantify the number of visitors of the Website and to identify the potential errors and incidents that may occur. These data are managed by Operator only for the necessary time-frame and are not linked to those data which are required to check the identity of the User (pseudonymisation). The managing and processing of the data can be performed on third-parties’ servers.

6. The duration of the data management

6.1. The duration of the data management:

6.1.1. In case of not registered users (see 5.1.) - 3 years starting from the achievement of the data management goal (delivery of the order, issuing an invoice) or to the date determined by law.

The billing information (name, billing address) are retained for 8 years starting from the issue of the invoice according to the 169. § (2) of accounting act.

6.1.2. In case of registered users (see 5.2.) 3 years stating from the deletion of the profile or execution of the last order in case if the order was placed prior to the deletion which was not delivered before the date of the deletion for the date set out in Point 6.1.1.

The billing information (name, billing address) are retained for 8 years starting from the issue of the invoice according to the 169. § (2) of the accounting act.

6.1.3. Regarding the image recordings at Operator’s retail premises in accordance with the Point V.6., the duration of the data management and processing is 30 days.  If the storage of the recordings is not necessary during this period, the recordings will be deleted. If justified (for example if it becomes aware that the content might be used as an evidence in official proceeding) Operator processes the image capture until the achievement of the goal (pending final decision).

6.2. User is entitled to withdraw the consent to the data processing and management and to request the deletion of his data or to modify his data. In case of the pending order the withdrawal of consent to data management is considered as cancellation of the order which fact is brought to Users attention by Operator as according to Article 6. Section (1) Point f) of GDPR Operator is entitled to manage the data of User until parties do not restore the original state. According to the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management in the past.

6.3. If personal data were recorded based on the User’s consent, the Operator shall - unless otherwise provided for by law - be able to process the data recorded where this is necessary:

1. a) for compliance with a legal obligation pertaining to the Operator, or


2. b) for the purposes of legitimate interests pursued by the Operator or by a third party, if enforcing these interests is considered proportionate to the limitation of the right for the protection of personal data,

without the data subject’s further consent, or after the data subject having withdrawn his consent.

7. Exercising the rights of the data subject

7.1. In case if any User in accordance with Point 7.2., requests the Operator to delete his personal data from the registry, Operator performs this deletion of the data provided by User in the past without any delay.

7.2. The request to delete the data / to be forgotten can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises of the Operator. The orally communicated requests to delete the data / to be forgotten shall be confirmed by Operator via e-mail.

In case of the request to delete the information (withdrawal of the consent to data management) the data stored by the Operator cannot be managed and processed starting from the day when the request was received.

In case of the request to be forgotten the Operator shall delete from the registry all the links to the lawfully processed data which were provided prior to receiving the request, the profile of the User and his automatic decisions.

7.3. If there were changes in the data provided in the past, the User is entitled to request the modification of his data in the database. The request for modification can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises of the Operator. The orally communicated requests for data modifications shall be confirmed by Operator via e-mail.

7.4. Personal data shall be blocked instead of deletion by Operator if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the User. Blocked data shall be processed only for the purpose which prevented its erasure. Restricted data may be handled only with the consent of the User or for the submission, validation or protection of legal claims, or the protection of other rights of a natural or legal person, or in the public interest (Right to Restriction of Data Management).

7.5. If the Operator refuses to comply with the User’s request for rectification, blocking or deletion, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within the 25 days starting from the request. If rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or filing a complaint with the authority.

7.6. The User shall have the right to object the processing and management of the related data:

1. a) if processing or disclosure is carried out solely for the purpose of discharging the Operators’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;


2. b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and


3. c) in all other cases prescribed by law.

In the event of a User's objection, the Operator shall not be entitled to further data management unless it proves that data management is justified by compelling legitimate reasons that prevail over the interests and rights of the User or are related to the submission, validation or protection of legal claims.

Regarding the data managed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest) instead of request to delete the data / to be forgotten User is entitled to object the processing and management of its data.

In the event of objection, the Operator shall investigate the cause of objection within the shortest possible time inside a 15 days timeframe, make a decision if to satisfy the objection and notify the User in writing of its decision.

7.7. Users are entitled to request for information regarding the management of their personal data. The request for information can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises. The orally communicated requests for information shall be confirmed by Operator via an e-mail.

Upon the User’s request the Operator shall provide him the information about the data regarding him, the sources from where they were obtained, the purpose, grounds and duration of the management, the name and address of the recipients and every activity regarding the data management.

Operator shall respond to the requests for information without any delay, and provide the information requested in an intelligible form in a suitable for the User format as early as possible but not later than in 30 days.

The information regarding the concerned person shall be provided free of charge for any category of data once a year. Additional information concerning the same category of data may be subject to a charge. The amount of such charge may be fixed in an agreement between the parties. If any payment is made in connection with the data that was processed unlawfully by Operator, or if the request led to rectification, the payment shall be refunded.

The Operator may refuse to provide information to the data subject in the cases defined by Information Act. If the provision of information is refused, the Operator shall inform the User in writing about the legal reasons for refusal. If the provision of information is refused, the Operator shall inform the data subject about the possibilities for seeking judicial remedy or filing a complaint with the National Authority for Data Protection and Freedom of Information. Operator shall notify the Authority about refused requests once a year, by 31 January of the following year.

7.8. Data portability

According to 20. § of GDPR the User shall have the right to receive the provided data regarding him in a structured, commonly used and machine-readable format and have the right to transmit those data to another data processor.

In exercising his or her right to data portability in accordance with the paragraph 1, the User shall have the right to transmit his personal data to another data processor, if it is technically feasible.

The request about data portability can be filed in electronic way via an e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises. The orally communicated requests about data portability shall be confirmed by Operator via the e-mail.

If the Operator refuses to comply with the User’s request on data portability, the factual or legal reasons behind the decision for refusing the request shall be communicated in writing within the 30 days starting from the receipt of the request. Where portability is refused, the data controller shall inform the data subject about the possibilities for seeking judicial remedy or filing a complaint with the authority.

User is not entitled to the data portability for the data managed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest).

8. Additional provisions on the camera system operating in the retail premises

8.1. Operator applies the image recording at the retail premises.

The purpose of the recording is to protect the lives, bodily integrity, personal liberty of persons residing and working in the retail premises, and the protection of the property / goods placed in the retail premises. Prevention, interruption and proof of the possible infringements cannot be ensured by any other means

8.2. In order to inform the Users concerned the Operator shall place information and alert notice on the operation of the camera system in a visible place within the retail premises and nearby the retail premises visible to the persons who intend to enter.

8.3. The cameras have been installed within the retail premises as indicated in the following table:

Shop / Postal Code City Street / Number of cameras

 Fa Elefánt Kft / 8200 Veszprém Budapest út 54. / 1

8.4. Reviewing and saving the recorded images can be performed exclusively in order to detect, prove the violations furthermore to take the necessary measures against the violations. The reviewing of the recordings and the saving the recordings should be documented describing the purpose and date of the review and the saving, the data of the person undertaking the review, as well as every necessary measure taken. The images can be reviewed in the course of occasional test of the system’s operation, from which Operator takes the recordings.

8.5. Anyone whose right or legitimate interest is being concerned by the image has the right to request the Operator not to destroy or delete the image (request about saving) within the 3 days starting from the capturing of the image by claiming the concerned right or legitimate interest.

The request on saving can be filed in electronic way via the e-mail address of the customer service or in paper format posted to the registered office of the Operator, furthermore orally via the call center or at the retail premises. The orally communicated request on saving shall be confirmed by Operator via an e-mail.

9. Voice recordings can be made on phone logs. The data provided by the User during the administration (primarily email address, order identifier, name, delivery / billing address) and voice recording may be retained for a period of 5 years for the purpose of proving in case of possible disputes.


10. Data storage, processing and forwarding

10.1. Data storage

Operator stores the managed data on a storage based on cloud / physical server.

Name of the server provider: Trust-IT Kft.

Address of the server provider: 1203 Budapest, Közműhelytelep utca 28/A

E-mail address of the server provider: info@trustit.hu

10.2. Data processors

Operator shall use the data processor and here are the main points.

Scope of the data to be processed: Users’ personal data provided to Operator while making an online order, registering an account on the Website, subscribing to the newsletters or visiting the Website

Purpose of the data processing:  Data is stored with the purpose of informing the Operators clients about the newest offers, improving their online shopping experience by offering them the most suitable products, execution of the placed orders and improving the service performed to the clients by Operator.

Contact of Data processors:

Magyar Posta Zrt.

Tel: 06-1-767-8282

E-mail: ugyfelszolgalat@posta.hu

Budapest X. ker. Üllői út 114-116.

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

H-2351 Alsónémedi, GLS Európa u. 2.

Tel: (+36 29) 88 66 70

E-mail: info@gls-hungary.com

Donev Zsaklin e.v.

8200 Veszprém, Budapest út 54.

E-mail: info@woodmaster.hu

10.3. Data forwarding

The User gives the consent to data forwarding personally or electronically by the usage of the Website by signing the Data Management Declaration / checking the box during the process of the registration/ making orders by User. The User is entitled to withdraw the consent anytime. In case of pending order the withdrawal of the consent to data forwarding is considered as the cancellation of the order which fact is brought to Users attention by Operator as according to the Article 6. Section (1) Point f) of GDPR Operator is entitled to manage the data of User until parties do not restore the original state. According to the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management and processing in the past.

10.4. Safeguards provided by the Operator

The Operator has an unconditional and irrevocable obligation to ensure the protection of the personal data of the User. The Operator is responsible for ensuring the compliance of the partners involved in the further controlling and processing of the personal data, thereby ensuring the required protection of personal data.

11. Data security measures, Data Protection Officer

11.1. Data security measures

Regarding the managing and storing of personal data provided by Users, the Operator shall act with utmost care. In the field of IT security, the Operator uses the most effective, most modern tools and procedures reasonably available.

Operator plans and implements the data management operations to protect the privacy of the affected Users. Operator ensures the security of the data, and takes the technical and organizational measures and establishes the procedural rules to enforce the provisions of Information Act and other privacy and data protection rules.

11.1.1. Operator shall protect the data using suitable means against any unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction or damage, furthermore the unavailability originated from the change of the technology used.

11.1.2. In order to protect electronically managed data in several registries Operator ensures using the means of an appropriate technical solution that the data stored in the registry cannot be directly linked and assigned to the concerned User unless this is permitted by law.

11.1.3. Operator has chosen the IT tools for  personal data management while providing the service and operates them in order to make the managed data

1. a) available to the entitled persons (availability);


2. b) checkable for authenticity and certification (authenticity of data management);


3. c) certifiable for lack of alteration (integrity of data)


4. d) protected from unauthorized access (data privacy).

11.1.4. The Operator ensures the security of the data management by means of technical and organizational measures that provide the necessary security level adequate to the data management risks.

11.1.5. The IT system and network of Operator are protected against IT related fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer burglaries, and denial-of-service attacks.

11.1.6. Electronic messages transmitted over the Internet independently from protocols (e-mail, web, ftp, etc.) are vulnerable to network threats that may lead to fraudulent activity or disclosure or modification of information. In order to protect such threats, the Operator shall take all precautionary measures that may be expected from him. Operator monitors the systems in order to capture all security dangers and provide evidence of any security incident. However, it is obvious that Internet is not 100 percent secure. The Operator shall not be liable for any damages caused by the unavoidable attacks carried out despite the expected maximum care.

11.2. Data Protection Officer

Operator declares being not obliged to have a data protection officer, therefore Operator does not have a data protection officer.

12. Pseudonymisation, statistics

12.1. Operator may use the data for statistical purposes only after a pseudonymisation. The aggregated, statistical use of the data cannot contain in any form the name of the User concerned, or any other identifiable data of the User.

13. Automatic decision making and profiling

The User gives the consent to automatic decision making and profiling personally or electronically by the usage of the Website by signing the Data Management Declaration / checking the box1 during the process of the registration/ making orders2 by User. The User is entitled to withdraw the consent anytime. In case of the pending order the withdrawal of the consent is considered as the cancellation of the order which fact is brought to Users attention by Operator as according to the Article 6. Section (1) Point f) of GDPR Operator is entitled to manage the data of User until parties do not restore the original state. According the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the lawfulness of the data management and processing in the past.

14. Consumer complaints

14.1. The customer service of Operator receives requests and user inquiries related to the data privacy and data protection on the e-mail address info@woodmaster.at and on the phone number +36 88 404 519.

14.2. The complainant User may ask for legal remedy at the territorial competent court or at National Authority for Data Protection and Freedom of Information (NAIH): 1024 Budapest, Szilágyi Erzsébet fasor 22 / C. (www.naih.hu)

15. Execution of requests

15.1. The Operator may be contacted by court, public prosecutor, investigating authority, offense authority, administrative authority, data protection commissioner or other authorities authorized by law in subjects of information request, disclosure and handing over of data, furthermore providing documents.

15.2. The Operator - provided the authority has declared the exact purpose and the scope of the data – provides personal data only to the extent that it is indispensable to achieve the purpose of the request.

In case if you do not agree with the above, please do not use the Website.

If you have additional questions regarding data protection, please contact our colleagues.

These Rules are public and available at the Website and effective from the date below.

Veszprém, 25th of May 2018