GC Group Kft. (the “Company” or “Controller”) is processing the personal data of individuals visiting the Bloominggrape.com websites (the “Blooming Grape Websites”) in connection with the provision of the functions and services of the sites and with the marketing activities of the Company on Blooming Grape Websites.

The aim of this privacy notice (the “Privacy Notice”) is to provide you, as the subject of the data processing with information about processing of your personal data and about your data privacy rights in connection with such processing activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”) and according to Act CXII of 2011 on Informational Self-determination and Freedom of Information (the “Data Protection Act”).

The Company conducts data processing activities for various purposes, each of them having different characteristics. The general part of this Privacy Notice serves to provide general information of when the Company processes your personal data. The specific information (purpose of the data processing activity, legal ground of processing, scope of processed personal data, retention time, etc.) relating to each data processing activity is included in annex 1 of this Privacy Notice.

Because the contents of this Privacy Notice may change from time to time, the Company will make sure to notify you whenever such changes take place. Before reviewing the information about a data processing activity and exercising your data privacy rights (see Section 2 below), please always access the up-to-date version of this Privacy Notice, which is always available at https://wordpress.bloominggrape.com/privacy

  1. DETAILS OF THE DATA CONTROLLER AND THE DATA PROTECTION OFFICER

The controller of the personal data is GC Group Kft. (“Blooming Grape”) (seat: 212 Széchenyi promenade, Majosháza, 2339, Hungary; registration number: 13 09 192407).

The contact person designated for managing and responding to inquiries and requests by data subjects is: info@bloominggrape.com 

You may contact the Controller directly via the above contact person to exercise your data privacy rights.

  2. DATA PRIVACY RIGHTS

With any comment, question, complaint and any other request in connection with the processing of your personal data, we encourage you to contact the Controller directly. The Company will give a substantive response to your request without delay, but no later than one month after receipt of your request. If the complexity of your request or the number of requests justifies it, the deadline for replying may be extended by another two months, of which you will be notified by the Controller within the original deadline.

You have certain rights in connection with the processing of your personal data (i.e., data privacy rights), basically determined by the legal basis for processing. In annex 1 you can find a general description of data privacy rights you can exercise, and at the end of each table in annex 1 a more detailed description on whether you are entitled to exercise such rights in the context of the data processing activity concerning your personal data. Please note that the GDPR and in some cases the Data Protection Act, as well as other relevant laws might set further conditions and/or limitations in connection with exercising these rights. Therefore, we advise you to closely study this Privacy Notice, the GDPR and the applicable laws before filing a request. If you need any help in connection with the applicable laws, please get in contact with us via the contact methods indicated in section 1 above.

    (a) Withdrawal of consent (subsection (3) of Article 7 of the GDPR)

You have the right to withdraw your consent granted for a specific data processing activity at any time. Please note that the withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

    (b) Access (Article 15 of the GDPR)

You have the right to request confirmation from the Controller as to whether or not personal data concerning you are being processed, and where that is the case, access to the personal data and certain information determined in Article 15 of the GDPR.

    (c) Rectification (Article 16 of the GDPR)

You have the right to request the Controller to rectify any inaccurate personal data concerning you without any undue delay. Considering the purpose of the processing, you have the right to have the incomplete personal data completed, including by means of providing a supplementary statement.

    (d) Right to erasure (“right to be forgotten”) (Article 17 of the GDPR)

You have the right to request the erasure of your personal data if any of the circumstances set out under Article 17(1) of the GDPR apply. If the exceptions in Article 17(3) of the GDPR do not apply and/or the Controller does not have any legal ground to further process your personal data, then it will execute the request for deletion without undue delay.

    (e) Restriction of processing (Article 18 of the GDPR)

You have the right to request the restriction of processing where the grounds determined in Article 18 of the GDPR apply.

    (f) Data portability (Article 20 of the GDPR)

You have the right to receive your personal data provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller, if the processing is based on consent [point (a) of Article 6(1) or point (a) of Article 9(2)] or is conducted for the performance of a contract to which you are a party [point (b) of Article 6(1)] and the processing is carried out by automated means. In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

    (g) Objection (Article 21 of the GDPR)

If the data processing is based on the legitimate interest of the Controller: You have the right to object (on grounds relating to your particular situation) at any time against processing of your personal data based on legitimate interest, including also profiling. The Controller will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing, which override your interests, rights and freedoms or if the data processing is necessary for the establishment, assertion or defense of legal claims.

If the purpose of the data processing is direct marketing: You have the right at any time to object (on grounds relating to your particular situation) against processing of your personal data if the purpose of the data processing is direct marketing, including also profiling if it is related to direct marketing. The Controller will no longer process the personal data in case you submit such objection against processing of your personal data for direct marketing purposes.

  3. LEGAL REMEDIES

If you deem that your personal data are processed unlawfully and/or any of your data privacy rights have been violated you are entitled to seek the following legal remedies:

    (a) You have the right to contact the Controller directly via the contact details in section 1 of this Privacy Notice, and address your concerns beforehand.

    (b) You have the right to lodge a complaint with the national supervisory authority: 

Hungarian National Authority for Data Protection and Freedom of Information (seat: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf.: 9.; e-mail: ugyfelszolgalat@naih.hu; telephone number: +36 (1) 391-1400; web: www.naih.hu).

    (c) You are entitled to file a claim with your local court having jurisdiction in the case against the Controller or – in relation to processing activities covered by the scope of activities of the processor – the processor, if you deem that your personal data is processed unlawfully and/or any of your data privacy rights have been violated. Subject to your own decision, the claim can be filed before the court of your home address or place of abode. More information on courts’ jurisdiction and contact details is available at the following website: www.birosag.hu.

  4. DATA RETENTION TIMES, EXECUTION OF DATA ERASURE

The retention time of the processing of each personal data is included in annex 1.

Upon expiration of the data processing period, and if the Data Controller decides to delete personal data on its own authority or upon request, the personal data will be irrevocably removed from the server of the Blooming Grape Websites within 30 days.

  5. IMPLEMENTED DATA SECURITY MEASURES

This section contains the general data security measures applied by the Controller. If the Controller applies different data security measures in connection with a given data processing activity, those are described at the given data processing activity in Annex 1.

The Controller handles personal data confidentially and takes all security, technical and organizational measures that guarantee the security of the data. The Controller will ensure the protection of the security of data processing with technical and organizational measures that provide a level of protection appropriate to the risks related to data processing.

With respect to personal data processed on the Company’s servers, the following data security measures are applied:

  • Protection against viruses.
  • Software firewall.
  • Central set of rules to prevent unauthorized access.
  • Protection and filtering against spam and malware.
  • Daily backup of servers to a geographically isolated location.
  • Uninterruptible operation of surge protection systems.
  • Restriction of external access and protection against external attacks with a physical firewall device.

The Controller also ensures that personal data is accessed only by reasonable personnel within the organization and, if personal data is processed on hard copies, that such materials are properly stored and protected.

  6. VERSION DETAILS

The Privacy Notice was issued on 1 June 2023. This text is version 1 of the Privacy Notice.

ANNEX 1

– on the processing of personal data on Blooming Grape Websites – 

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Sending newsletters
Description of the purpose of processing: The Controller is processing the personal data for the below purposes: 

(i) Contact information (e-mail address), to get in touch with the subscribers;

(ii) Name, gender to address the subscribers;

(iii) Month and day of birth to send birthday wishes;

(iv) Country, city, interest and gender to segment the subscribers and send only relevant information.

Processed personal data categories: The Controller is processing the below categories of personal data:

(i) Contact information (e-mail address), to get in touch with the subscribers;

(ii) Name, gender to address the subscribers;

(iii) Month and day of birth to send birthday wishes;

(iv) Country, city, interest and gender to segment the subscribers and send only relevant information.

Legal ground for processing: Your voluntary consent according to Article 6(1)a) and 7 of the GDPR

Giving your consent is voluntary and you have the right to withdraw it at any time.

Withdrawal of consent shall not affect the lawfulness of any previous processing of data with your consent.

You are entitled to exercise your right to object against data processing activities aimed at direct marketing.

Consequences of not providing the personal data: The Controller cannot send you newsletters and personalized offers.
Data processing period: Until you unsubscribe from the newsletter or otherwise withdraw your consent to the data processing.
Data subjects: Individuals subscribing to the Controller’s newsletter.
Source of personal data: Directly from the data subjects, by online registration, or offline subscription in the stores.
Is the provision of the personal data a pre-condition for concluding the contract? (Yes/No) No.
Is the data subject obliged to provide the personal data? (Yes/No) No.
Is profiling done as part of the data processing activity? (Yes/No) No.

DATA SECURITY MEASURES

Description of data security measure: The list of subscribers is saved in the Controller’s protected and closed system.
People having access to personal data: Personnel of the Controller’s marketing department.


TRANSFER OF PERSONAL DATA

Recipients: 1.) Webshippy Kft. 2.) Printosh Advertising Kft. 3.) The Rocket Science Group LLC (MailChimp) 4.) ELIN.HU Informatikai Szolgáltató és Tanácsadó Kft. 5.) DHL, FedEx, GLS, UPS
Status of the recipient: 1.) Data processor 2.) Data processor 3.) Data processor
Purpose of the data transfer: 1.) Website operation – bloominggrape.com 2.) Website hosting – elin.hu 3.) Management of newsletter database
Transfer to third country: United States of America

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS

(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of GC Group Kft. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR) 

Withdrawal of consent: Y
Access: Y
Rectification: Y
Erasure: Cond.
Restriction of processing: Cond.
Data portability: Y
Objection: Y
Complaint (with the Controller): Y
Complaint (with the supervisory authority): Y
Filing a claim (before court): Y

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Online purchase orders
Description of the purpose of processing: The Controller is processing the personal data for the below purposes:

(i) Contact information (e-mail address and phone number) to get in touch with the customers;

(ii) Name to address the customers;

(iii) Order details (delivery address, billing address, payment method) to deliver the product.

Processed personal data categories: The Controller is processing the below categories of personal data:

(i) Contact information (e-mail address and phone number) to get in touch with the customers;

(ii) Name to address the customers;

(iii) Order details (delivery address, billing address, payment method) to deliver the product.

Legal ground for processing: Processing is necessary for the performance of a contract according to Article 6(1)(b) GDPR.
Consequences of not providing the personal data: The Controller cannot send you the product that you have purchased or send you reminders on unfinished orders.
Data processing period: 5 years
Data subjects: Individuals who purchased a product on Blooming Grape Websites.
Source of personal data: Directly from the data subjects by placing their orders online.
Is the provision of the personal data a pre-condition for concluding the contract? (Yes/No) Yes.
Is the data subject obliged to provide the personal data? (Yes/No) No.
Is profiling done as part of the data processing activity? (Yes/No) No.

DATA SECURITY MEASURES

Description of data security measure: All transactions are processed through a gateway provider and are not stored or processed on the Company’s servers. All sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
People having access to personal data: Personal data is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems, and are required to keep the personal data confidential.

TRANSFER OF PERSONAL DATA

Recipients: 1.) Webshippy Kft. 2.) Printosh Advertising Kft. 3.) The Rocket Science Group LLC (MailChimp) 4.) ELIN.HU Informatikai Szolgáltató és Tanácsadó Kft. 5.) DHL, FedEx, GLS, UPS
Status of the recipient: 1.) Data processors 2.) Data processor 3.) Data processor
Purpose of the data transfer: 1.) Shipping companies 2.) Webshop operation and website operation – Bloominggrape.com 3.) Website hosting – elin.hu
Transfer to third country: No.

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of GC Group Kft. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

Withdrawal of consent: Y
Access: Y
Rectification: Y
Erasure: Cond.
Restriction of processing: Cond.
Data portability: Y
Objection: N
Complaint (with the Controller): Y
Complaint (with the supervisory authority): Y
Filing a claim (before court): Y

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Account creation
Description of the purpose of processing: The Controller is processing the personal data for the below purposes: (i) Title (Mr., Ms. or Mrs.), name, password and e-mail address to create and to activate the account; (ii) Date of birth and country of residence for the personalization of the account; (iii) Contact information (phone number) to get in touch with the registrant.
Processed personal data categories: The Controller is processing the below categories of personal data: (i) Title (Mr., Ms. or Mrs.), name, password and e-mail address to create and to activate the account; (ii) Date of birth and country of residence for the personalization of the account; (iii) Contact information (phone number) to get in touch with the registrant. 
Legal ground for processing: Your voluntary consent according to Article 6(1)(a) and 7 of the GDPR. Giving your consent is voluntary and you have the right to withdraw it at any time. Withdrawal of consent shall not affect the lawfulness of any previous processing of data with your consent.
Consequences of not providing the personal data: You cannot create an account.
Data processing period: Until you delete your account or otherwise withdraw your consent to the data processing.
Data subjects: Individuals creating accounts on Blooming Grape Websites.
Source of personal data: Directly from the data subjects by online registration.
Is the provision of the personal data a pre-condition for concluding the contract?  (Yes/No) No.
Is the data subject obliged to provide the personal data?  (Yes/No) No.
Is profiling done as part of the data processing activity? (Yes/No) No.

DATA SECURITY MEASURES

Description of data security measure: All transactions are processed through a gateway provider and are not stored or processed on the Company’s servers. All sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
People having access to personal data: Personal data is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems, and are required to keep the personal data confidential.

TRANSFER OF PERSONAL DATA

Recipients: 1.) Webshippy Kft. 2.) Printosh Advertising Kft. 3.) The Rocket Science Group LLC (MailChimp) 4.) ELIN.HU Informatikai Szolgáltató és Tanácsadó Kft. 5.) DHL, FedEx, GLS, UPS
Status of the recipient: 1.) Data processor 2.) Data processor
Purpose of the data transfer: 1.) Website operation 2.) Website hosting – elin.hu
Transfer to third country: No.

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of GC Group Kft. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

Withdrawal of consent: Y
Access: Y
Rectification: Y
Erasure: Cond.
Restriction of processing: Cond.
Data portability: Y
Objection: N
Complaint (with the Controller): Y
Complaint (with the supervisory authority): Y
Filing a claim (before court): Y

GENERAL PROPERTIES OF THE DATA PROCESSING ACTIVITY

Title of the data processing purpose: Cookies
Description of the purpose of processing: The Controller is processing the personal data for the below purposes: (i) Previous preferences to provide custom, personalized advertisements, content, and information; (ii) Products visited to remember the choices made on the Blooming Grape Website; (iii) Advertising to monitor the effectiveness of marketing campaigns and to inform users about current promotions; (iv) Affiliates to help the Controller see through which affiliate you found Blooming Grape Websites; (v) Third-party software to offer you services and functions provided by these third-parties.
Processed personal data categories: The Controller is processing the below categories of personal data:  (i) Previous preferences to provide custom, personalized advertisements, content, and information; (ii) Products visited to remember the choices made on the Blooming Grape Website; (iii) Advertising to monitor the effectiveness of marketing campaigns and to inform users about current promotions; (iv) Affiliates to help the Controller see through which affiliate you found Blooming Grape Websites; (v) Third-party software to offer you services and functions provided by these third-parties.
Legal ground for processing: Your voluntary consent according to Article 6(1)(a) and 7 of the GDPR. Giving your consent is voluntary and you have the right to withdraw it at any time. Withdrawal of consent shall not affect the lawfulness of any previous processing of data with your consent. You are entitled to exercise your right to object against data processing activities aimed at direct marketing.
Consequences of not providing the personal data: You will not be able to use the full services of Blooming Grape Websites.
Data processing period: Please find specific periods for each cookie below.
Data subjects: Individuals visiting the Blooming Grape Websites.
Source of personal data: Directly from the data subjects by accepting the use of cookies online.
Is the provision of the personal data a pre-condition for concluding the contract?  (Yes/No) No.
Is the data subject obliged to provide the personal data?  (Yes/No) No.
Is profiling done as part of the data processing activity? (Yes/No) No.

DATA SECURITY MEASURES

Description of data security measure: All transactions are processed through a gateway provider and are not stored or processed on our servers. All sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology.
People having access to personal data: Personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the personal data confidential.

TRANSFER OF PERSONAL DATA

Recipients: 1.) Webshippy Kft. 2.) Printosh Advertising Kft. 3.) The Rocket Science Group LLC (MailChimp) 4.) ELIN.HU Informatikai Szolgáltató és Tanácsadó Kft. 5.) DHL, FedEx, GLS, UPS
Status of the recipient: 1.) Data processor 2.) Data processor
Purpose of the data transfer: 1.) Website operation 2.) Website hosting – elin.hu
Transfer to third country: No.

DATA PRIVACY RIGHTS OF THE DATA SUBJECTS
(Descriptions and methods of exercising the specific rights are specified in the Privacy Notice of GC Group Kft. Abbreviations: Y=yes / N=no / “Cond.” =according to the conditions of the GDPR)

Withdrawal of consent: Y
Access: Y
Rectification: Y
Erasure: Cond.
Restriction of processing: Cond.
Data portability: Y
Objection: N; Y in respect of direct marketing activities
Complaint (with the Controller): Y
Complaint (with the supervisory authority): Y
Filing a claim (before court): Y

COOKIES

Bloominggrape.com and aeron.com

Domain Name Description Expiration
Bloominggrape.com _fbp Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers. 90 days
Bloominggrape.com JSESSIONID Used for session management. 5 days
Bloominggrape.com _skala__cookie_accepted Memorizing the choice of your response at the cookie popup. Session
Bloominggrape.com _skala__preferred_country_code Country code preference. Session
Bloominggrape.com _skala__webp_support Image format preference. Session
google.com DV This cookie is used to save the user’s preferences and other information. 1 day
google.com NID The NID cookie contains a unique ID Google uses to remember your preferences and other information, such as your preferred language. 6 months
google.com OGPC This cookie enables the functionality of Google Maps. 60 days
google.com 1P_JAR This cookie collects website statistics and measures conversions according to the google.com. 1 month
google.com CONSENT Cookie consent indicator. 2 years
Name: r/collect
Goal: This cookie is used by Google Analytics to collect information about the visitor’s device and behaviour. To do this, it tracks the visitor across devices and marketing channels.
Type: Pixel
Expiration: End of session
Recipient of data transfer: Google LLC. (USA)
Service provider: doubleclick.net

Name: act, m_pixel_ratio, presence, x-referer
Goal: It displays relevant and useful ads to the user, optimizing Facebook impressions. Features: remarketing (reaching users who have already visited the site), conversion measurement (measuring and reaching users who have clicked on an ad served by Facebook).
Type: http
Expiration: End of session
Recipient of data transfer: Facebook, Inc. (USA)
Service provider: facebook.com

Name: drp, wd
Goal: It displays relevant and useful ads to the user, optimizing Facebook impressions. Features: remarketing (reaching users who have already visited the site), conversion measurement (measuring and reaching users who have clicked on an ad served by Facebook).
Type: http
Expiration: 1 week
Recipient of data transfer: Facebook, Inc. (USA)
Service provider: facebook.com

Name: fr
Goal: It displays relevant and useful ads to the user, optimizing Facebook impressions. Features: remarketing (reaching users who have already visited the site), conversion measurement (measuring and reaching users who have clicked on an ad served by Facebook).
Type: http
Expiration: 90 days
Recipient of data transfer: Facebook, Inc. (USA)
Service provider: facebook.com

Name: datr, sb
Goal: It displays relevant and useful ads to the user, optimizing Facebook impressions. Features: remarketing (reaching users who have already visited the site), conversion measurement (measuring and reaching users who have clicked on an ad served by Facebook).
Type: http
Expiration: 200 days
Recipient of data transfer: Facebook, Inc. (USA)
Service provider: facebook.com

Name: c_user, xs
Goal: It displays relevant and useful ads to the user, optimizing Facebook impressions. Features: remarketing (reaching users who have already visited the site), conversion measurement (measuring and reaching users who have clicked on an ad served by Facebook).
Type: http
Expiration: 1 year
Recipient of data transfer: Facebook, Inc. (USA)
Service provider: facebook.com

Facebook Pixel

We use Facebook Pixel on our websites – it allows us to show you advertisements about our products that match your interests whenever you visit Facebook or other websites that also use this tool. This means you may also see customised ads designed to make sure that our Site and our offerings are relevant to you and reflect your needs as closely as possible. With this kind of data, we can measure the effectiveness of personalised advertising and draw conclusions from our content. The data is collected anonymously and the identity of the user is not revealed during the process. The data is processed by Facebook, which also allows the linking to the corresponding user profile. Facebook uses this type of data for advertising purposes. To learn more about the protection of your personal data, please visit the relevant Facebook sub-page: https://www.facebook.com/about/privacy/. You can also deactivate the “individual audiences” marketing function yourself in the advertising settings. To do this, you must first log in to your account.

Using Google Analytics

  1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site you have visited.
  2. The information generated by the cookie about the website you use is usually transmitted to and stored by Google on servers in the United States. Where IP anonymisation is activated on the website, Google will first shorten the User’s IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.
  3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website activity and internet usage.
  4. The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other data held by Google. The storage of cookies may be prevented by the User by means of the appropriate browser settings, but please note that in this case not all functions of this website may be fully functional. You may also prevent Google from collecting and processing information about your use of the website (including your IP address) by means of cookies by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=hu
  5. We also use Google Analytics to analyse the traffic on our website for system development purposes. In this case we do not collect any personal data. Such data will be shared with other Google services for development purposes. 
  6. Google Analytics will also be used for marketing purposes with your consent.