The purpose of this notice is to set out the data protection and privacy policy applied by
Kulcspatikák Zártkörűen Működő Részvénytársaság
Registered office: H-1117 Budapest, Alíz utca 3. 1. emelet
Telephone: +36-1-444-9090
Electronic contact: office@kulcspatika.hu
Website: www.kulcspatikak.hu
Represented by: dr. KŐHALMI Ákos, president of the board of directors
(hereinafter: Data Controller) to ensure that individuals who are subject to data processing, visitors to the www.kulcspatikak.hu website, users of certain services and our other partners are properly informed about the processing of their personal data.
The Data Controller is committed to fully complying with the following statutory requirements for the processing of personal data in its activities.
This privacy notice is available on the website www.kulcspatikak.hu and at the Data Controller's registered office.
In formulating these rules, the Data Controller has taken particular account of
Data processing: the performance of technical tasks related to data processing operations.
Processing of data: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular collection, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment or combination, blocking, erasure and destruction, as well as prevention of further use of the data, taking of photographs, audio or video recordings.
Data Controller: a natural or legal person or a company with legal personality who, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or implements them through a processor on whose behalf the data are processed.
Transfer of data: making data available to a specified third party.
Data erasure: the rendering of data unrecognisable in such a way that it cannot be recovered.
Personal Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Pseudonymisation: processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no association with an identified or identifiable natural person is possible.
eDM (electronic Direct Mail): a direct marketing tool, letter advertising, marketing message. Following the Data Subject's prior consent, the Data Controller sends advertising and marketing messages by e-mail to the Data Subject's e-mail inbox. The Data Controller's offer is received by the Data Subject in a personalised form.
Health data: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person which contain information about the health of the natural person.
Data subject: the natural person whose personal data are affected by the processing.
Third party: a natural or legal person or any other body other than the Data Subject, the Data Controller, the data processor or the persons who, under the direct authority of the Data Controller or the Data Processor, are authorised to process personal data.
Consent: a voluntary and explicit expression of the data subject's wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations.
Joint processing: where the purposes and means of processing are jointly determined by two or more data controllers, they are considered joint controllers.
Personal data: data that can be associated with a specific natural person, in particular his or her name, identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and any inference that can be drawn from the data concerning that person, which is not in the public interest or in the public domain. Personal data include, among others, name, address and e-mail address.
Objection: a statement by the Data Subject objecting to the processing of his or her personal data and requesting the cessation of processing or the erasure of the processed data.
Trade secret: According to Act V of 2013 on the Civil Code, a trade secret is any fact, information, other data and any compilation thereof relating to an economic activity which is not publicly known or not easily accessible to the persons performing the economic activity concerned, the acquisition, use or disclosure of which by unauthorised persons would harm or jeopardise the legitimate financial, economic or market interests of the rightholder, provided that the rightholder who is lawfully entitled to it is not culpable for the protection of the secret.
The processing carried out by the Data Controller complies with the data processing principles of the GDPR, which are:
The principles of lawfulness, fairness and transparency: Personal data shall be processed lawfully and fairly and in a transparent manner for the data subject.
Purpose limitation principle: Personal data shall be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes.
Data minimisation principle: Personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
Principle of accuracy: Personal data shall be accurate and, where necessary, kept up to date; all reasonable steps shall be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay.
Principle of limited retention period: Personal data shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle of integrity and confidentiality: Personal data shall be processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.
Principle of accountability: The Data Controller is responsible for compliance with the principles and shall be able to demonstrate such compliance.
In addition to the principles of data processing, the requirement of adequate information can be identified as a common requirement, as the Data Controller shall inform Data Subjects of the processing in the case of any legal basis for processing.
The Data Controller provides the possibility for the Data Subject to contact the Data Controller by email or telephone via the contact details on its website.
| Scope of data processed | the name, telephone number and email address of the Data Subject and any other personal data voluntarily provided by the Data Subject |
| Purpose of data processing | establishing contact between the Data Subject and the Data Controller |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | until the Data Subject's request for erasure or the general limitation period of 5 years under the provisions of the Civil Code |
The Data Subject may subscribe to the Data Controller's newsletter through the website www.kulcspatikak.hu operated by the Data Controller:
| Scope of data processed | the name and email address of the Data Subject |
| Purpose of data processing | the Data Subject may receive information about current promotions and offers through the newsletter, and about the prize draws |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | The Data Controller sends the newsletters to the Data Subjects until the Data Subjects unsubscribe or request the deletion of their data and the cessation of data processing. If the Data Subject no longer wishes to receive the newsletter, he/she may unsubscribe or request the deletion of his/her personal data at any time. In case of unsubscription and deletion requests, the processing will be terminated. |
A cookie is a small text file that is stored on the hard drive of the Data Subject's computer or mobile device for the expiry period set in the cookie and is reactivated on subsequent visits. Its purpose is to record information about the visit and personal preferences, but it is not personally identifiable information. It helps to design a user-friendly website and mobile application and to enhance the online experience of the Data Subject. If the Data Subject does not consent to the Data Controller using cookies when the Data Subject browses the website or uses the mobile application, the website and mobile application may not function fully.
| Scope of data processed | The Data Controller stores all analytical information without name or other personal data |
| Purpose of data processing | Storing the data subject's personal preferences |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | The data subjects may delete cookies stored on their computer or mobile phone at any time through their browser settings |
The Data Controller operates the following social media sites:
| Scope of data processed | name and image of the Data Subject |
| Purpose of data processing | information on current information and news concerning the Data Controller |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | The Data Subject may voluntarily unsubscribe from the pages or use the message board settings to delete unwanted messages on the message board. |
Where a contract is concluded between the Data Controller and a partner, the parties shall (may) indicate in the contract the contact individuals and their contact details.
| Scope of data processed | Name, telephone number, position and email address of the Data Subject |
| Purpose of data processing | Keeping contacts between businesses, performing the terms of contracts |
| Legal basis for processing | The processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract (Article 6 (b) of the GDPR Regulation) |
| Duration of data processing | On the basis of the contractual relationship between the Data Controller and the Data Subject, the Data Controller shall be entitled to use the data for a period of eight (8) years from the termination of the legal obligation |
The Data Controller operates a camera system at its branch located at H-1117 Budapest, Hunyadi János út 16. for the protection of human life and limb and for the protection of property. The location of each camera is indicated in the camera information notice posted at the branch.
| Scope of data processed | Image of the Data Subject |
| Purpose of data processing | the protection of human life and limb and the protection of property |
| Legal basis for processing | the legitimate interest of the Data Controller to ensure the protection of persons and property at its headquarters (Article 6 (1) (f) GDPR). |
| Duration of data processing | The Data Controller shall destroy the image and sound recordings after a maximum of 3 weeks from the date of recording, unless further retention is justified by a security incident. |
The Data Controller will not post anonymous job advertisements and will delete unsolicited job applications without delay if their further processing is no longer justified. If the applicant is recruited, the Data Controller shall seek the applicant's consent for further data processing. In the event of an unsuccessful application, the Data Controller may, with the specific consent of the applicants, retain individual applications for the purpose of subsequently contacting the applicants with a job offer.
| Scope of data processed | Name, telephone number, email address, home address, languages spoken, education, previous jobs and personal data voluntarily provided in the CV |
| Purpose of data processing | Establishing contact between the data subject and the Data Controller, establishment of the employment relationship |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | If the further processing of the CVs received is no longer justified, without delay, but for a maximum period of 6 months, or, in the case of an unsuccessful application, with the consent of the applicant, until the general limitation period of 5 years under the Civil Code or until the request for deletion by the person concerned |
The Data Subjects have the possibility to participate in prize draws advertised by the Data Controller on social media platforms, on the website or in the promotional magazine.
| Scope of data processed | Name, address, telephone number, email address of the Data Subject |
| Purpose of data processing | the Data Subject's participation in the prize draw |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | delete them without delay if their further processing is no longer justified |
The loyalty programmes advertised by the Data Controller are schemes in which participants can receive an immediate % discount on certain products when making purchases at the member pharmacies of Kulcs Pharmacies or at the Data Controller's partners. The Data Controller stipulates that it will not obtain any information about the products purchased by the Data Subject in the member shops and therefore will not process any health data.
Scope of data processed |
Mandatory data: name, email address, date of birth, gender, postal code of the Data Subjects. Optional data: phone number, place of birth, place of residence of the Data Subjects. |
Purpose of data processing
|
the Data Subject's participation in loyalty programmes |
Legal basis for processing |
The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
Duration of data processing |
until the Data Subject's request for erasure |
By using the mobile application, the Data Subject can get information about the promotions announced by the Data Controller and about the Kulcs Pharmacy closest to his or her location. A prerequisite for using the application is participation in the loyalty programme.
| Scope of data processed | Mandatory data: name, email address, date of birth, gender, postal code and the current location of the Data Subjects. Optional data: phone number, place of birth, place of residence of the Data Subjects. |
| Purpose of data processing | the Data Subject's participation in loyalty programmes |
| Legal basis for processing | The Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes - Article 6 (1) (a) GDPR |
| Duration of data processing | until the Data Subject's request for erasure |
Certain categories of personal data may be accessed by data processors as necessary, subject to the relevant data processing principles. The Controller uses the following processors to process personal data:
| Name of the data processor | Contact | Tasks |
| Bér-Vill Group Kft. | H-2030 Érd, Badacsonyi utca 69. | payroll |
| Meta Platforms Ireland Limited | Ireland, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2. | Facebook, Instagram |
| Google Ireland Limited | Ireland, Gordon House, Barrow Street Dublin 4. | Google Analytics |
| SHT Audit Kft. | H-2100 Gödöllő, Damjanich János utca 113. | auditing |
| Media Exchange Kft. | H-1132 Budapest, Victor-Hugo utca 11-15. 4. em. 04004. | web hosting |
| ANDOCSEK Informatika Zártkörűen Működő Részvénytársaság | H-1024 Budapest, Buday L utca 12. | IT service provider |
| Futurion Kft. | H-1087 Budapest, Könyves Kálmán krt. 76. | system development |
| Premium Support Kft. | H-8097 Nadap, Vörösmarty utca 11. | system operation |
| Microsoft Clarity | | cookies |
| Sziklai & Andrejszki Law Office | H-1052 Budapest, Petőfi Sándor utca 11. | legal service, data protection officer |
| Kulcs Pharmacies’ member pharmacies as data processors | For contact details of Kulcs Pharmacies’ member pharmacies as data processors see www.kulcspatikak.hu/patikakereso. | |
5.1. The activity of Data Processors in relation to data processing is the provision of technical support. Data Processors may not take any substantive decisions regarding the processing, may process personal data of which they become aware only in accordance with the provisions of the Data Controller, may not perform data processing for their own purposes and shall store and retain personal data in accordance with the provisions of the Data Controller.
5.2. In the course of the services provided by the Data Controller, the doctors contracted by it shall act as data processors. The doctors are not allowed to take decisions regarding the processing of data, they only provide advice and consultation to the Data Subjects as patients.
5.3. The collection of privacy notices of other data processors:
Facebook's data management policy can be found at the link below:
https://www.facebook.com/privacy/explanation
Instagram's Privacy Policy can be found at the link below:
https://help.instagram.com/519522125107875
Microsoft Clarity privacy notice can be found at the link below:
https://privacy.microsoft.com/hu-hu/privacystatement
The privacy notice of Sziklai & Andrejszki Law Office can be found at the link below:
https://www.drsziklai.hu/assets/adatkezelesi-tajekoztato-sziklai-andrejszki-ugyvedi-iroda.pdf
As a general rule, the Data Controller shall not disclose personal data obtained by the Data Controller to third parties in any way without the prior consent of the Data Subject.
The Data Controller shall store the personal data mentioned above at its registered office, in its own IT system and on the servers of the Data Processors responsible for hosting.
The Data Controller undertakes to ensure the security of the data in accordance with the GDPR and the Information Act, taking into account the rights of the Data Subjects.
It keeps a record of any data protection incidents and, if necessary, informs the Data Subject and, if necessary, the National Authority for Data Protection and Freedom of Information (NAIH) of the incidents that occur.
Access to personal data shall be granted to persons acting in the interest of the Data Controller, in particular agents and employees, who need it for the performance of their activities and who are aware of and have knowledge of the obligations relating to the processing of the data.
The Data Controller shall take all necessary measures to ensure the secure and damage-free processing of data and the establishment and operation of the necessary data processing systems. The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons.
The Data Controller undertakes to ensure the security of the data using the most up-to-date and appropriate equipment and security rules, in particular to ensure that the data are not accessed by unauthorised persons or unlawfully disclosed, deleted or destroyed. It shall take all reasonable steps to ensure that data are not accidentally damaged or destroyed. The above commitment shall also be imposed on the employees of the Data Controller involved in the processing activities.
Under no circumstances will the Data Controller collect sensitive data, i.e. data concerning racial or ethnic origin, membership of national or ethnic minorities, political opinions or party affiliations, religious beliefs or convictions, membership of representative associations, health, pathological addiction, sex life or criminal records.
The Data Protection Officer shall provide the Data Controller with professional advice on data protection, monitor the activities related to data processing and assist the Data Controller in its operations by liaising with the competent authority and the Data Subjects.
Name: Sziklai & Andrejszki Law Office
Contact: dpo@drsziklai.hu
Data Subjects may contact the Data Protection Officer for all matters relating to the processing of their personal data and the exercise of their rights. In the performance of his or her duties, the Data Protection Officer is bound by a confidentiality obligation or the obligation of confidential processing of data.
During the period of data processing, the Data Subject shall have the following rights:
Right to information
The Data Controller shall provide information on the material aspects of the data processing in an appropriate manner, in simple and accessible language, and in a place that is easy to find (online or offline). At the time of obtaining the personal data, or if the Data Subject subsequently requests information, the Data Subject shall be provided with the Privacy Notice and be asked to sign a declaration that he or she has read, understood and accepted the information contained therein.
The Data Subject may request information at any time about the personal data concerning him or her processed by the Data Controller. The information may also be requested by e-mail to the e-mail address indicated in the information notice on the processing in question or by post. The Data Controller shall provide the requested information within 30 days of the request.
Right to erasure
The Data Subject may obtain from the Data Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Data Controller shall erase personal data relating to the Data Subject without undue delay. Where the Data Controller has given third parties access to the data requested to be erased, it shall inform all those to whom it has disclosed the data concerned to delete all references and the personal data stored by them. The purpose of this is to ensure that, in the absence of any legal or reasonable impediment, the data concerned “disappear” from the available databases.
The erasure need not be carried out if the processing is
The Data Controller shall also delete personal data contained in its records relating to the Data Subject if the purpose for which the personal data were processed has ceased to exist. In the case of paper-based documentation, its destruction shall be recorded in minutes so that it can subsequently be proved to the competent authority.
Rectification of data
The Data Subject may indicate that the data processed are inaccurate and request that they be replaced by new data. The Data Controller is responsible for the accuracy of the data and it is therefore necessary to check data accuracy from time to time.
Right to restriction of processing:
The Data Subject may request the Controller to restrict the processing of his or her personal data, for example in the event of an unclear, disputed situation. Where data processing is subject to restriction, such personal data may only be processed, except for storage, with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or a Member State.
Right to data portability:
The Data Subject may request to receive the data processed concerning him or her in a structured, commonly used, machine-readable format (e.g. .doc, .pdf, etc.) and may transfer these data to another Data Controller without hindrance from the original Data Controller. This makes it easier for the data subject affected by the processing to transfer his or her personal data from one Data Controller to another.
Right to object
The Data Subject may object at any time to the processing of his or her personal data for a specified reason, if he or she has not given consent to the processing of the data.
If the Data Subject wishes to exercise his or her rights, he or she will be identified and the Data Controller will necessarily contact the Data Subject, therefore, the provision of personal data will be required for identification purposes, and the Data Subject's complaints about the processing of data will be available in the e-mail account within the time period indicated in this notice in relation to complaints. The Data Controller shall respond to complaints about the processing without delay and at the latest within 30 days.
The Data Subject may lodge a complaint with NAIH (H-1055 Budapest, Falk Miksa u. 9-11.; www.naih.hu, Telephone: +36 (1) 391-1400, Fax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu) or enforce his/her rights concerning the processing of personal data before the Court having jurisdiction and competence pursuant to the Act CXXX of 2016 on the Civil Procedure.
If the Data Controller intends to carry out further processing of personal data for a purpose other than the purpose set out in this notice, the Data Controller shall inform the Data Subject of the new purpose of data processing prior to the further data processing. Data processing for the new purpose may only start - if the legal basis for the processing is consent - after the Data Subject has provided consent to the processing in addition to the information notice.
The privacy notice is valid until revoked and its personal scope shall apply to all organisational units, data processors, staff, officers, employees and contracted agents of the Data Controller.
The privacy notice shall be reviewed annually or when Community or national legislation changes. Only the Data Controller is entitled to amend the privacy notice.
This Privacy Notice is valid from 14 January 2025.
Kulcspatikák Zrt.
KŐHALMI Ákos, president of the board of directors