Privacy Notice – Nanushka

– on the processing of personal data on Vanguards Websites –

Vanguards Group Zrt. (the “Company” or “Controller”) is processing the personal data of individuals visiting the vanguards.com and nanushka.com websites (the “Vanguards Websites”) in connection with the provision of the functions and services of the sites and with the marketing activities of the Company on Vanguards Websites.

The aim of this privacy notice (the “Privacy Notice”) is to provide you, as the subject of the data processing with information about processing of your personal data and about your data privacy rights in connection with such processing activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and according to Act CXII of 2011 on Informational Self-determination and Freedom of Information (the “Data Protection Act”).

The Company conducts data processing activities for various purposes, each of them having different characteristics. The general part of this Privacy Notice serves to provide general information of when the Company processes your personal data. The specific information (purpose of the data processing activity, legal ground of processing, scope of processed personal data, retention time, etc.) relating to each data processing activity is included in annex 1 of this Privacy Notice.

Because the contents of this Privacy Notice may change from time to time, the Company will make sure to notify you whenever such changes take place. Before reviewing the information about a data processing activity and exercising your data privacy rights (see Section 2 below), please always access the up-to-date version of this Privacy Notice, which is always available at https://www.nanushka.com/customer-support/privacy

1. DETAILS OF THE DATA CONTROLLER AND THE DATA PROTECTION OFFICER

The controller of the personal data is Vanguards Fashion Group Zártkörűen Működő Részvénytársaság (seat: 1051 Budapest, Dorottya utca 1.; registration number: 01-10-140603).

The contact person designated for managing and responding to inquiries and requests by data subjects is: dataprotection@vanguards.com

You may contact the Controller directly via the above contact persons to exercise your data privacy rights.

2. DATA PRIVACY RIGHTS

With any comment, question, complaint and any other request in connection with the processing of your personal data, we encourage you to contact the Controller directly. The Company will give a substantive response to your request without delay, but no later than one month after receipt of your request. If the complexity of your request or the number of requests justifies it, the deadline for replying may be extended by another two months, of which you will be notified by the Controller within the original deadline.

You have certain rights in connection with the processing of your personal data (i.e., data privacy rights), basically determined by the legal basis for processing. In annex 1 you can find a general description of data privacy rights you can exercise, and at the end of each table in annex 1 a more detailed description on whether you are entitled to exercise such rights in the context of the data processing activity concerning your personal data. Please note that the GDPR and in some cases the Data Protection Act, as well as other relevant laws might set further conditions and/or limitations in connection with exercising these rights. Therefore, we advise you to closely study this Privacy Notice, the GDPR and the applicable laws before filing a request. If you need any help in connection with the applicable laws, please get in contact with us via the contact methods indicated in section 1 above.

(a) Withdrawal of consent (subsection (3) of Article 7 of the GDPR)

You have the right to withdraw your consent granted for a specific data processing activity any time. Please note that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

(b) Access (Article 15 of the GDPR)

You have the right to request confirmation from the Controller as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data and certain information determined in Article 15 of the GDPR.

(c) Rectification (Article 16 of the GDPR)

You have the right to request the Controller to rectify any inaccurate personal data concerning you without any undue delay. Considering the purpose of the processing, you have the right to have the incomplete personal data completed, including by means of providing a supplementary statement.

(d) Right to erasure (“right to be forgotten”) (Article 17 of the GDPR)

You have the right to request the erasure of your personal data if any of the circumstances set out under Article 17(1) of the GDPR apply. If the exceptions in Article 17(3) of the GDPR do not apply and/or the Controller does not have any legal ground to further process your personal data, then it will execute the request for deletion without undue delay.

(e) Restriction of processing (Article 18 of the GDPR)

You have the right to request the restriction of processing where the grounds determined in Article 18 of the GDPR apply.

(f) Data portability (Article 20 of the GDPR)

You have the right to receive your personal data provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller, if the processing is based on consent [point (a) of Article 6(1) or point (a) of Article 9(2)] or is conducted for the performance of a contract to which You are a party [point (b) of Article 6(1)] and the processing is carried out by automated means. In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(g) Objection (Article 21 of the GDPR)

If the data processing is based on the legitimate interest of the Controller: You have the right to object (on grounds relating to your particular situation) at any time against processing of your personal data based on legitimate interest, including also profiling. The Controller will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms or if the data processing is necessary for the establishment, assertion or defense of legal claims.

If the purpose of the data processing is direct marketing: You have the right at any time to object (on grounds relating to Your particular situation) against processing of your personal data if the purpose of the data processing is direct marketing, including also profiling if it is related to direct marketing. The Controller will no longer process the personal data in case you submit such objection against processing of your personal data for direct marketing purposes.

3. LEGAL REMEDIES

If you deem that your personal data are processed unlawfully and/or any of your data privacy rights have been violated you are entitled to seek the following legal remedies:

(a) You have the right to contact the Controller directly via the contact details in section 1 of this Privacy Notice, and address you concerns beforehand.

(b) You have the right to lodge a complaint with the national supervisory authority: 

Hungarian National Authority for Data Protection and Freedom of Information (seat: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf.: 9.; e-mail: ugyfelszolgalat@naih.hu; telephone number: +36 (1) 391-1400; web: www.naih.hu) 

(c) You are entitled to file a claim with your local court having jurisdiction in the case against the Controller or – in relation to processing activities covered by the scope of activities of the processor – the processor, if you deem that your personal data is processed unlawfully and/or any of your data privacy rights have been violated. Subject to your own decision, the claim can be filed before the court of your home address or place of abode. More information on courts’ jurisdiction and contact details is available at the following website: www.birosag.hu.

4. DATA RETENTION TIMES, EXECUTION OF DATA ERASURE 

The retention time of the processing of each personal data is included in annex 1.

Upon expiration of the data processing period, and if the Data Controller decides to delete personal data on its own authority or upon request, the personal data will be irrevocably removed from the server of the Vanguards Websites within 30 days.

5. IMPLEMENTED DATA SECURITY MEASURES

This section contains the general data security measures applied by the Controller. If the Controller applies different data security measures in connection with a given data processing activity, those are described at the given data processing activity in Annex 1.

The Controller handles personal data confidentially and takes all security, technical and organizational measures that guarantee the security of the data. The Controller will ensure the protection of the security of data processing with technical, organizational and organizational measures that provide a level of protection appropriate to the risks related to data processing.

With respect to personal data processed on the Company's servers, the following data security measures are applied:

· Protection against viruses.

· Software firewall.

· Central set of rules to prevent unauthorized access.

· Protection and filtering against spam and malware.

· Daily backup of servers to a geographically isolated location.

· Uninterruptible operation of surge protection systems.

· Restrict external access and protection against external attacks with a physical firewall device.

The Controller also ensures that personal data is accessed only by reasonable personnel within the organization and, if personal data is processed on hard copies, the proper storage and protection of such materials.

6. VERSION DETAILS

The Privacy Notice was issued on 10 December 2021. This text is version 1 of the Privacy Notice.

ANNEX 1

- on the processing of personal data on Vanguards Websites - 

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Sending newsletters
Description of the purpose of processing: The Controller is processing the personal data for the below purposes: 
(i) Contact information (e-mail address), to get in touch with the subscribers;
(ii) Name, gender to address the subscribers;
(iii) Month and day of birth to send birthday wishes;
(iv) Country, city, interest ("womenswear" or "menswear")
and gender to segment the subscribers and send only relevant information.
Processed personal data categories: The Controller is processing the below categories of personal data:
(i) Contact information (e-mail address), to get in touch with the subscribers;
(ii) Name, gender to address the subscribers;
(iii) Month and day of birth to send birthday wishes;
(iv) Country, city, interest ("womenswear" or "menswear")
and gender to segment the subscribers and send only relevant information.
Legal ground for processing: Your voluntary consent according to Article 6(1)a) and 7 of the GDPR
Giving your consent is voluntary and you have the right to withdraw it at any time.
Withdrawal of consent shall not affect the lawfulness of any previous processing of data with your consent.
You are entitled to exercise your right to object against data processing activities aimed at direct marketing.
Consequences of not providing the personal data: The Controller cannot send you newsletters and personalized offers.
Data processing period: Until you unsubscribe from the newsletter or otherwise withdraw your consent to the data processing.
Data subjects: Individuals subscribing to the Controller's newsletter.
Source of personal data: Directly from the data subjects, by online registration, or offline subscription in the stores.
Is the provision of the personal data
a pre-condition for concluding the contract?
(Yes/No)
No.
 Is the data subject obliged
to provide the personal data? 
(Yes/No)
No.
Is profiling done as part of
the data processing activity?
(Yes/No)
No.

 

DATA SECURITY MEASURES

Description of data security measure The list of subscribers is saved in the Controller’s protected and closed system.
People having access to personal data Personnel of the Controller's marketing department.

 

TRANSFER OF PERSONAL DATA

Recipients 1.) Skala Technology Zrt.
2.) Amazon Web Services
3.) The Rocket Science Group LLC (MailChimp)
Status of the recipient 1.) Data processor
2.) Data processor
3.) Data processor
Purpose of the data transfer 1.) Website operation – nanushka.com
2.) Website hosting – aeron.com
3.) Management of newsletter database
Transfer to third country United States of America

 

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS

(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of Vanguards Group Zrt. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR) 

​
Withdrawal of consent Y Access Y Rectification Y Erasure Cond.
Restriction of processing Cond. Data portability Y Objection Y Complaint (with the Controller) Y
Complaint (with the supervisory authority) Y Filing a claim (before court) Y

 

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Online purchase orders
Description of the purpose of processing: The Controller is processing the personal data for the below purposes:
(i) Contact information (e-mail address and phone number) to get in touch with the customers;
(ii) Name to address the customers;
(iii) Order details (delivery address, billing address, payment method) to deliver the product.
Processed personal data categories: The Controller is processing the below categories of personal data:
(i) Contact information (e-mail address and phone number) to get in touch with the customers;
(ii) Name to address the customers;
(iii) Order details (delivery address, billing address, payment method) to deliver the product.
Legal ground for processing: Processing is necessary for the performance of a contract according to Article 6(1)(b) GDPR.
Consequences of not providing the personal data: The Controller cannot send you the product that you have purchased or send you reminders on unfinished orders.
Data processing period: 5 years
Data subjects: Individuals who purchased a product on Vanguards Websites.
Source of personal data: Directly from the data subjects by placing their orders online.
Is the provision of the personal data
a pre-condition for concluding the contract?
(Yes/No)
Yes.
Is the data subject obliged to
provide the personal data?
(Yes/No)
No.
Is profiling done as part of
the data processing activity?
(Yes/No)
No.

 

DATA SECURITY MEASURES

Description of data security measure All transactions are processed through a gateway provider and are not stored or processed on the Company’s servers. All sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
People having access to personal data Personal data is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems, and are required to keep the personal data confidential.

 

TRANSFER OF PERSONAL DATA

Recipients 1.) DHL, FedEx, GLS, UPS 2.) Skala Technology Zrt. 3.) Amazon Web Services
Status of the recipient 1.) Data processors 2.) Data processor 3.) Data processor
Purpose of the data transfer 1.) Shipping companies 2.) Webshop operation and website operation – nanushka.com 3.) Website hosting – aeron.com
Transfer to third country No.

 

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of Vanguards Group Zrt. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

​
Withdrawal of consent Y Access Y Rectification Y Erasure Cond.
Restriction of processing Cond. Data portability Y Objection N Complaint (with the Controller) Y
Complaint (with the supervisory authority) Y Filing a claim (before court) Y

 

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Account creation
Description of the purpose of processing: The Controller is processing the personal data for the below purposes: (i) Title (Mr., Ms. or Mrs.), name, password and e-mail address to create and to activate the account; (ii) Date of birth and country of residence for the personalization of the account; (iii) Contact information (phone number) to get in touch with the registrant.
Processed personal data categories: The Controller is processing the below categories of personal data: (i) Title (Mr., Ms. or Mrs.), name, password and e-mail address to create and to activate the account; (ii) Date of birth and country of residence for the personalization of the account; (iii) Contact information (phone number) to get in touch with the registrant. 
Legal ground for processing: Your voluntary consent according to Article 6(1)a) and 7 of the GDPR  Giving your consent is voluntary and you have the right to withdraw it at any time. Withdrawal of consent shall not affect the lawfulness of any previous processing of data with your consent.
Consequences of not providing the personal data: You cannot create an account.
Data processing period: Until you delete your account or otherwise withdraw your consent to the data processing.
Data subjects: Individuals creating accounts on Vanguards Websites.
Source of personal data: Directly from the data subjects by online registration.
Is the provision of the personal data a pre-condition for concluding the contract?  (Yes/No) No.
Is the data subject obliged to provide the personal data?  (Yes/No) No.
Is profiling done as part of the data processing activity? (Yes/No) No.

 

DATA SECURITY MEASURES

Description of data security measure All transactions are processed through a gateway provider and are not stored or processed on the Company’s servers. All sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
People having access to personal data Personal data is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems, and are required to keep the personal data confidential.

 

TRANSFER OF PERSONAL DATA

Recipients 1.) Skala Technology Zrt. 2.) Amazon Web Services
Status of the recipient 1.) Data processor 2.) Data processor
Purpose of the data transfer 1.) Website operation 2.) Website hosting – aeron.com
Transfer to third country No.

 

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of Vanguards Group Zrt. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

​
Withdrawal of consent Y Access Y Rectification Y Erasure Cond.
Restriction of processing Cond. Data portability Y Objection N  Complaint (with the Controller) Y
Complaint (with the supervisory authority) Y Filing a claim (before court) Y

 

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of Vanguards Group Zrt. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

​
Withdrawal of consent Y Access Y Rectification Y Erasure Cond.
Restriction of processing Cond. Data portability Y Objection N  Complaint (with the Controller) Y
Complaint (with the supervisory authority) Y Filing a claim (before court) Y

 

DATA SECURITY MEASURES

Description of data security measure All transactions are processed through a gateway provider and are not stored or processed on our servers. All sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
People having access to personal data Personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the personal data confidential.

 

TRANSFER OF PERSONAL DATA

Recipients 1.) Skala Technology Zrt. 2.) Amazon Web Services
Status of the recipient 1.) Data processor 2.) Data processor
Purpose of the data transfer 1.) Website operation 2.) Website hosting – aeron.com
Transfer to third country No.

 

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of Vanguards Group Zrt. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

​
Withdrawal of consent Y Access Y Rectification Y Erasure Cond.
Restriction of processing Cond. Data portability Y Objection N, Y, in respect of direct marketing activities Complaint (with the Controller) Y
Complaint (with the supervisory authority) Y Filing a claim (before court) Y

 

COOKIES

nanushka.com and aeron.com

Domain Name Description Expiration
nanushka.com _fbp Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. 90 days
nanushka.com JSESSIONID Used for session management. 5 days
nanushka.com JSESSIONID Used for session management. 5 days
nanushka.com JSESSIONID Used for session management. 5 days
nanushka.com _skala__cookie_accepted Memorizing the choice of your response at the cookie popup. Session
nanushka.com _skala__preferred_country_code Country code preference. Session
nanushka.com _skala__webp_support Image format preference. Session
google.com DV This cookie is used to save the user's preferences and other information. 1 day
google.com NID The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language. 6 months
google.com OGPC This cookie enables the functionality of Google Maps. 60 days
google.com 1P_JAR This cookie collects website statistics and measures conversions according to the google.com. 1 month
google.com CONSENT Cookie consent indicator. 2 years

K8072330/0.6/29 Sep 2021