Data Protection Guidelines
Thank You for visiting the All in Packaging website (www.allinpackaging.ro, hereinafter as: „Website”) operated by Nordtek Packaging Ltd. (seat: 6-9 Trinity Street, Dublin 2, D02EY47, Ireland, registration number: 08430887, represented by: István Berta and Attila Nádor directors individually, phone: +40 316 302 395, e-mail: [email protected]
) hereinafter as: „Service Provider”). We do respect your privacy and protect Your personal data. In order to get more information on how we do this please read the below data protection guidelines.
When creating our guidelines we have taken special consideration of the provisions of Regulation 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing(“General Data Protection Regulation” or “GDPR”) and Act CXII of 2011 on Informational Self-determination and Freedom of Information (“Privacy Act”), Act V of 2013 on the Civil Code (“Civil Code”) and furthermore Act XLVIII on Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“CA Act”).
The data protection guideline describes how we collect, use and (in certain cases) forward personal data. Present guideline also describe the measures we take in order to protect the personal data of our users. The guideline also contains our possibilities regarding the collection, use and publishing of personal information.
Present data protection guideline is published on the All in Packaging website. This guideline is not necessarily applicable for the collection of personal data offline. For details on data managed offline you can find details later below.
We can not take responsibility for the content of websites that are not operated by the Service Provider but has a link on the Website or for those websites that are directing to the All in Packaging websites.
“personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
„processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
„sensitive data” means personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life, personal data concerning health, pathological addictions, or criminal record (definition of the Privacy Act)
“genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
„biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
„personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
The above definitions are used by GDPR. The text of GDPR can be reached at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG
The above list is incomplete, so should You need any further information do not hesitate to contact us.
Information, collection and use of data
1. Collecting information and data
We collect the data of our users in different ways in order to provide the most effective and personalized service for the users.
For example: we use the personal data of our users to:
· make the use of our sites easier for the users by having them submit their data only once
· to quickly find information on our products and services
· to deliver such content that is the most relevant for our users
· to notify our users about news and information regarding our products and services
We inform our users that in the course of processing we do not collect, store or forward any sensitive, genetic or biometric data of our users by any means.
Details of data processor (hosting provider) used for processing:
Rackforest Informatikai Kereskedelmi Szolgáltató és Tanácsadó Kft.
Registered seat: 1116 Budapest, Sáfrány u. 6.
Mailing address: 1132 Budapest, Victor Hugo u. 18-22.
Company registration number: 01-09-914549
Tax number: 14671858-2-43
Phone: +36 70 362 4785
Represented by: Atiyeh Nabil managing director individually
(a) Registration and Order
Registration on the Website is optional, the users are able to place an order without registration, however registration can make the following orders of the users more easier and faster. For registration we only request the e-mail address of the users and setting of a password is necessary and that is all we need from our users to set up a personal account for the user. After registration we send an e-mail for our users to the given address with which the registration may be and shall be confirmed. In order to ensure that only the user can access the content of his/her account, we need to be able to identify him/her clearly during a visit to the site, therefore sending an e-mail after the registration is intended prevent unauthorized users from creating a user account on behalf of another person. Our obligation under GDPR also dictates that we shall not collect other personal data from the user for registration than the user’s e-mail address.
After registration within the personal account there is a feature with which the user is able to enter and save his/her personal data in order to facilitate or accelerate later orders, thus we fill in these data for the user automatically during subsequent orders. The data that may be optionally saved and the data required for the orders are the same which are the following: surname and given name of the user, delivery and billing address, phone number and e-mail address. We use the e-mail address of the user given at the registration for contact regarding the delivery of the order therefore we do not request it twice. We use these information to be able to issue invoices and to complete the orders, communicate with the users regarding the orders and also for internal marketing purposes. If there is a problem when executing an order we use these personal information to contact the user.
If the user provided his/her data within the personal account we process the data as controller by the consent of the user until the consent is withdrawn namely they are deleted within the account. Shall the user withdraw his/her consent we immediately delete the data unrecognizably and make them unrecoverable. An exemption from the deletion is when there is an ongoing order from the user in which case the data is still processed after the delivery of the order until the expiry of the warranty period regarding the ordered product under the title that processing is necessary for the performance of a contract.
The provisions of the GDPR does not make it possible for us to process data of children under the age of 16 under their own consent. Because we do not have neither the technical possibility nor the possibility under the GDPR to check the age of our users, it is only possible to filter by requesting the declaration of our users at the registration when they need to tick a checkbox and declare that they are over the age of 16. Making of this declaration is the responsibility of the user we can not take responsibility for its validity. We kindly request the users under the age of 16 who would like to use our services to turn to their parents or other legal guardians for help.
The legal ground for processing data in case of voluntarily providing data within the personal account is the consent of the user (GDPR Article 6. Section (1) Point a)) and in connection with the order is the performance of a contract (GDPR Article 6. Section (1) Point b))
(b) E-mail addresses:
On our website we provide several opportunity for the users to give us their e-mail address for purposes that include but not limited to the registration on the Website and requesting notification about new products, special deals, sending of newsletters and notification about other special deals.
The ground for processing e-mail address is in most cases (subscribing to newsletter, requesting marketing or informational e-mails) is the consent of the user, which is always asked separately and related to each purpose case by case generally by ticking a checkbox. If the ground for processing e-mail address is the consent of the user (processing the e-mail address related to the order is not that case) then the user is entitled to withdraw his/her consent by clicking on the “unsubscribe” button at the end of the e-mail sent to the user or the user may notify us about such request at [email protected]
(c) Cookies and other technical methods
On a website several type of cookies can be found and each serve a different purpose. The following cookie-types can be distinguished:
Necessary cookies: these are usually small data packages that are stored on the users device and that help the operation of the websites. These are required to provide a fast, modern and user-friendly Website for our users. Without these the Website would be slower or even would not function at all.
Statistical and marketing cookies: these are used to know different user habits. These help the web-developers better understand what works and what is not so they can develop the Website accordingly to meet the needs of the users. It also helps to find out why and advertisement or communication is effective and another is not. It shows the time spent on the sites or that how the user got to a site. With knowing these the structure, operation of the Website can be developed so they help to further develop the website which is even better suited to visitor habits and is even more convenient to use. It gives us a picture on what kind of devices the users use, from which geographical location intensity of the Website views according to the time of day and how the how the re-visiting trends develop, from which pages are the users directed to the Website.
In addition to the above we can distinguish between cookies that are for one session only and temporary cookies. One-session cookies are stored only until the user closes the browser. Temporary cookies stored after that, they are not deleted automatically at the time of closing the browser. But why they remain there, what is good in it? Well, such temporary cookies are the ones that helps to make a site quicker or the ones that remember the settings set by the user on the Website.
How is it possible o delete cookies and to how to disable them:
For the most popular browsers the method of disabling cookies can be found below:
Google Chrome: https://support.google.com/chrome/answer/95647?hl=hu-hu&p=cpn_cookies
(i) cookies are pieces of information that are stored by the browser in written form on the hard drive of the device. Most browsers generally set to automatically accept cookies. The user has the possibility to set his/her browser to refuse the automatic acceptance of cookies or to delete the cookies from the hard drive but if the user do it so he/she will not be able to access certain parts of the Website.
(ii) Data capture signals deliver cookies and help to determine that whether the Website has been visited and if yes how many times. Example: an electronic picture on the site such as a banner may function as data capture signal
(iv) For example Facebook collects certain information with the help of cookies and data capture signals that determines which pages have been visited or which items have been purchased. Please take note that the information collected by Facebook’s cookies and data capture signals are not related to the personal data and information collected by us.
(d) Log files:
As it is true to most of the websites the server of the Website automatically recognize the Web URL from which the user gains access to the site. The IP address, the internet provider and date/place stamp may be logged by our system for administrative purposes to check the status of an order or to support our internal marketing activity and to operate system troubleshooting. (IP address may indicate the location of the device on the internet)
On the Website the users have the opportunity to ask questions from us through live conversation (chat) regarding the operation and use of the Website, general information on orders shipping or other relevant circumstances. We would like to draw the attention of the users that this platform is only for answering general questions so we kindly request the users to do not provide any personal data or information to our employees this way. Though we do not log or store the personal data provided by the user in the chat window however if the user provides personal data he/she does it at his/her own risk we can not take responsibility for this.
We would like to inform our users that the chat service on Website is provided for us by a third party service provider: www.tawk.to, tawk.to (SMS SIA) #6 - 8 Tirgoņu iela Riga, Latvia, LV-1050, [email protected]
We would like to draw the attention of our users that because we have no impact on the validity and accuracy of the personal data shared with us for these the users shall be responsible. If the user has given false or inaccurate data then we exclude our responsibility for any delay or damage arising thereof. Shall the user notice that he/she has provided inaccurate personal data the user has the possibility to correct or modify such data. If the user notices the latter then the data may be corrected within the personal account or if the data was provided in connection with an order then the user shall immediately notify us at any of our contact so we can correct or modify the given data as soon as possible or (if applicable) in order to let us provide the corrected data to our partner (e.g. courier) performing the order/delivery.
Furthermore we would like to draw the attention of our users that if the user provides additional personal data in any way that was never requested by us, we immediately and irrevocably delete such data and make it unrecognizable and we exclude our responsibility regarding such data that was shared with us by user voluntarily and without our request.
2. Use of information and forwarding of data
(a( Internal use
We use the personal data of the users to fulfil the order and to provide customer service for our users. Furthermore, we can use internally to improve the content and layout of our pages and to develop our marketing activity (promotion of our products and services) and to determine the placement of general information for our customers on the marketplace. In order to make such use easier and the use that is described in point 2 of present section we may share these information with affiliated companies and subsidiaries under the control and supervision Nordtek Packaging. However, data may only be forwarded by the prior expressed consent of the user.
(b) Communication with users
We also use personal data to communicate with our users in connection the Website, their orders or delivery of orders. We may send a confirmation e-mail about the registration. In rare cases we may send news or statements regarding our services (e.g. when our services are temporarily suspended or when system maintenance is due).
We may request the e-mail address of the user when registering to our websites or if the user requests for a notification about new products or subscribes to our newsletter or would like to receive information on our other special offers. If the user shares his/her e-mail address with us we use it to provide information to him/her.
We give the opportunity to our users in every case to unsubscribe from our future e-mails. (see: opt-out unsubscription part below).
Because sometimes we need to communicate with the users related to the orders unsubscription from e-mails related to the order is not possible.
(c) External use
We strive to provide excellent and a broad variety of services for our users. We do not sell, lease or otherwise trade or publish the personal data and financial information of our users. Only the Service Provider and the subsidiary company of the Service Provider, Nordtek Imexco Kft. (seat: 2161 Csomád, Verebeshegy utca 11., company registration nr.: 13-09-163449, VAT nr.: 12244692-2-13, represented by : Nádor Attila and Berta István directors individually, email: [email protected]
, phone: +36 1 363 1447, +36 1 256 1952, fax: +36 1 363 06 66) has access to such data.
(i) As most web merchants in some cases we also turn to others to provide us certain services related to different tasks. When we forward personal data to such service providers we do it to let them properly fulfil their tasks. E.g.: to deliver the ordered product to our customers we have to share some information. We cooperate with third parties (such as DHL, UPS, FedEx) to ensure the delivery of the packages or to receive feedback on our services and the quality of the partner’s service. For example when using couriers we give them certain information that is necessary to recognize our users and to fulfil delivery such as name, delivery address, e-mail address and phone number. We inform our users about the person and contact information of our partner who carries out delivery and therefore to whom will the user’s data be forwarded in order to perform the contract.
(ii) To help our customer's purchase products and to provide customer service sometimes the users need to provide their bank card or other payment information to financial service providers and bank card processors and issuers. When the user initiates a payment online we redirect him/her to the site of the financial service provider and the user gives his/her payment information directly to the financial service provider (we use PayPal and Wirecard) so we do not store or process such data. Further information on payment will be detailed below.
(iii) Sharing of personal data may occur by the request of law enforcement authorities in order to perform investigations or by a subpoena or warrant or any other case we are legally bound to share personal data. Personal data may be shared when need to defend our rights or we need to enforce the obligations of the user under our General Terms and Conditions (GTC) or we need to protect ourselves from others. E.g.: we may share information in order to decrease the risk of fraud or if someone use or try to use such information for illegal or otherwise fraudulent activities.
(iv) We will not sale (nor otherwise trade or lease)personal data to companies. However, it may happen that we acquire other companies or merge with other companies in which case we need share all our assets including data. In such case sharing information with other companies shall be in accordance with the applicable laws on data protection and our data protection guidelines.
(v) Other non-personal information (such as number of daily visitors to the site or gross quantity of orders on a given date) may be shared with other third parties for example with an advertising company. Sharing such information however does not make it possible to indentify a certain user.
(vi) Users may view and edit their personal data after logging in to our websites after clicking on My Profile menu. If the user requests the deletion of his/her personal data it shall be requested by sending an e-mail to [email protected]
. After that the data will be deleted from our system about which the user will receive a feedback in e-mail.
We inform our users that payment is possibl in three ways:
· Bank transfer
Whichever payment method the user chooses as a main rule we do not store and process payment information. Processing of payment information may occur in one case only when by any reason we need to initiate repayment for the user. In such case we process payment information (bank account number) only with the prior consent of the user, which is necessary to make refunds. After the refund we finally and irrevocably delete such data.
We use PayPal(company name: PayPal Holdings Inc., seat: 2211 North First Street, San Jose, CA 95131, United States of America, registration number: C3842984, phone: 1-408-967-7400, fax: 1-302-655-5049, web: www.paypal.com, represented by: Daniel H. Schulman as director) and Wirecard (company name: Wirecard Central Eastern Europe GmbH, seat: Reininghausstraße 13a, 8020 Graz, Austria, registration number: FN 195599, represented by: Roland Toch, Michael Santner, Curt Chadha as managing directors, phone: +43 316 813681-1400, fax: +43 316 813681-1203, e-mail: [email protected]
, web: www.wirecard.hu).
The user do not provide his/her payment information to us but directly to PayPal or Wirecard through a built in software module (plugin) on the Website or after redirecting to the payment service provider’s site. More information on operation and data protection of PayPal and Wirecard can be found at www.paypal.com and www.wirecard.hu.
Our Website includes physical, electronic and administrative methods and processes in order to ensure the safety and confidentiality of personal data for example SSL encryption to protect payments initiated through our site. We also use SSL encryption to protect the personal data of our users online and take many efforts to keep the data protected n our facilities.
Access to the personal data of our users is restricted. Only those of our employees gain access to them whose work and tasks needs it.
To protect our computers and other hardwares we rely on a third party. We believe that our safety protocols are appropriate. E.g.: when the user visits one of our sites he/she gains access to such servers that are located in a safe physical environment in a closed room and which software is protected with firewalls.
Despite we make every effort meeting the industrial standards in order to protect personal data we can not guarantee full protection. 100% effective security unfortunately does not exist neither in online nor offline environment.
Deletion/correction of user data, user rights
Duration of processing data and deadline of deletion: By the principles laid down by GDPR we process the personal data of the users for the shortest possible term. In case of placing an order we store personal data until the expiry of the warranty period prescribed by law related to the ordered product, in case of newsletter subscription until unsubscription and in case of registration until the deletion of the user account by the user.
By request we a) correct, update personal data b) do not send e-mails to users and/or c) we disable the users account so no purchase may be initiated through it d) if the user requests the deletion of his/her personal date he/she can request it by sending an e-mail to [email protected]
. We notify You in e-mail when we fulfilled Your request.
The users have the opportunity to make such request by phone or e-mail at: phone: +44 14 03 887 124 or email: [email protected]
(Besides these contacts requests may be initiated at the contacts [e-mail or phone] can be found on other national sites.)
Please do not send Your bank card details or other sensitive data to us by e-mail.
The user among others has the following – also mentioned by GDPR – rights regarding the process of their personal data:
right to withdraw consent: the consent given by the user to process his/her personal data may be withdrawn at any time, however, it does not affect legality of the processing made before withdrawal;
access to personal data: the users are entitled to get feedback from us regarding that whether their data is being processed by us and furthermore to request information on the facts detailed in Article 15 Section (1) of the GDPR;
Right of rectification: the users are entitled to right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him/her and also to have incomplete data completed;
right of erasure: the users are entitled to obtain from the controller the erasure of personal data concerning him/her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds detailed in Article 17 Section (1) of the GDPR applies;
right to restriction of processing: the users are also entitled to obtain from the controller restriction of processing where one of the grounds detailed in Article 18 Section (1) of the GDPR applies;
right to data portability: the users are entitled to receive the personal data concerning him or her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
The Service Provider requests its users to not exercise the above rights contrary to their intent but only if it has valid ground or one of the condition prescribed by GDPR actually exists.
Collecting data offline, using, publishing and forwarding
As it is expected from us we collect most data through our Website. Present guideline is applicable primarily to personal data collected online. However, we may collect personal data offline e.g.: when someone is calling us. In such case we maximally trying to protect personal data. If someone is willing to place on order or ask a question on phone we only request for such personal data that we really need to maximally fulfil our duty.
When we need to store data or information (such as information on an order) we register it to our database through SSL channels (for further information see: Data Protection part)
When we receive data or information through facsimile the received document is stored in a lockable cabinet and if we do not need it anymore shred it with a shredder. Data may be sent to and received by us in many offline ways (e.g.: someone writes a letter to us, which contains the returning address), but this guideline cannot regulate and not willing to predict all possible ways. We are trying to make offline data processing, using, publishing and forwarding to be the same as our online practice.
Handling of personal data breach
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
We report the breach of personal data to the competent authority without any causeless delay and if possible within 72 hours after we became aware of a personal data breach.
If the personal data breach possibly carries high risk regarding the rights and freedoms of natural persons we also notify the customers about the personal data breach without causeless delay.
We are glad to answer Your questions regarding data processing and data protection. For further information regarding data protection our users may also contact the following authority
National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, Hungary
· Mailing address: 1530 Budapest, PO box: 5.
· Phone: +36-1/39-11-400
· Web: www.naih.hu
Updating of the data protection guidelines
In case we make any changes or updates in our data protection guidelines we communicate this on our websites to make our users up to date regarding the processing, use, publishing and forwarding of personal data. Besides that we also recommend to read through the guideline from time to time to be aware of the possible changes and the actualities of the guideline.
Present data protection guideline is available in several languages, if there is any discrepancy between the texts the English version shall prevail.
Should You have any question arising regarding present data protection guidelines please contact us by phone at +44 14 03 887 124 or in e-mail at [email protected]
(Besides these contacts requests may be initiated at the contacts [e-mail or phone] can be found on other national sites.)