The operator of www.bidcage.com (here in after Bidcage) website as data controller describes below how to protect and handle your privacy data, regardless of the place of their storage. Present statement provides full range of information for users about data processing purposes of the operator of Bidcage website and data controllers are listed in statement. Moreover, the operator of Bidcage website considers the purposes, principles and expectations of present statement compulsory for himself and fully complies with its content. Present privacy statement complies with the effective laws and regulations of Hungary and the European Economic Area.
If you have any question that arises during the reading of present Privacy Statement, please make contact with our customer service
or write an e-mail for us to the firstname.lastname@example.org e-mail address.
The operator of the Bidcage website reserves the right to change the present statement at any time with notice to users.
2. Glossarypersonal data:
any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.data subject:
a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.data processing:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;data controller:
the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for his nomination may be provided for by Union or Member State law. data processor:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;consent:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; relevant and reasoned objection:
an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union; data erasure:
also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data;data blocking:
the freezing of data by the controller in a given moment for a specific period of time. Access to the data blocked is limited only to the competent people;data retention:
it refers to all obligations on the part of controllers to retain personal data for certain purposes;disclosing:
if the data is getting available for a specified third party; third party:
a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;third country:
a country which has not adopted a national law for the implementation of Directive 95/46/EC - as opposed to the Member States of the EU and the three European Economic Area countries Norway, Liechtenstein and Iceland;personal data breach:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;data security:
the data controller shall implement appropriate technical and organisational measures to ensure an appropriate level of security in relation to the risks represented by the processing and the nature of the personal data to be protected. Such measures provide for the prevention of any unauthorised disclosure or access, accidental or unlawful destruction or accidental loss, or alteration and any other unlawful form of processing.Info law:
the Hungarian 2011. CXII. Law about the information freedom and information self-determination right that is harmonised with the regulations of the European Union.
3. Principles of data processing and general informations
According to Info law 5. § and 6. § data can be processed if
a) the data subject has given consent to the processing, or
b) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
c) processing is necessary for compliance with a legal obligation to which the controller is subject, or
d) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or
e) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
By the registration and online trading of the data subject has given consent to the processing of his or her personal data as described in present privacy statement.
Personal data can be processed for a specific purpose, in order to exercise right or to perform an obligation. Every stage of the data processing must be comply with its purpose. The data controller processes the personal data only to the extent and up to the duration that is necessary to attain the processing purpose.
The data controller keeps the data processing purposes separately and provides information about them as described in section 5.
The data controller ensures data accuracy, completeness and - if necessary for the purpose of a given data processing – up-to-dateness and ensures that the data subject can only be identified for the duration of the data processing purpose.
The data subject consent is necessary for the transmission or the linking of the personal data or it must be allowed by the law and the criteria of data processing must be fulfilled for all personal data.
4. Data storage and general information about data processors
The data controller ensures security during the data processing operations for the data subjects that complies with the Info law and other regulations related to data processing.
The data controller chooses his information technology and devices of the data storage during the service providing that they ensure adequate protection against unauthorized access, modification, transmission, disclosure, erasing or damaging. Moreover the data controller provides for the data subject, he or she can access his or her own data at any time.
The data controller chooses his security support activities and solutions in such way that those are providing the highest quality from the available opportunities if those do not cause disproportionately great difficulty or costs for the data controller.
Nonetheless, we must have to draw the attention of the data subject, the data are transmitted through the Internet, regardless of the transmission channel, can be vulnerable against such threats which lead to unfair activity, disclosure or modification of the information. The data controller is taking all required steps against the listed threats, ie. the operation of his systems is monitored so that he can provide adequate evidence of possible security incidents and to monitor the effectiveness of the precautionary measures.
The data controller uses data processors to perform certain data processing operations. The data processor does not make any substantive decision on data processing, he processes only and exclusively the data according to the data controller instructions, he does not process data for his own purposes and he keeps and stores personal information in accordance with the instructions of the data controller or the law commitments. The data controller is responsible for the legality of the instructions provided by the data controller.
Data can be transmitted to a data controller or a data processor into a third country - applies to personal or any other data – if the data subject expressly provided his or her consent or the laws allow it and the adequate data protection and processing are ensured in the third country. The transmission of data between the member states of the European Economic Area must be regarded as it happened within that Member State.
The data controller solves the support of his own information technology and the storage of personal data using a data processor (hereinafter "technology partner").
Technology partner name: W5 Informatikai Ltd.
Technology partner address: EU Hungary, H-7634 Pécs, Magyarürögi Road 33/1.
Technology partner availability: email@example.com
Technology partner web address: https://w5labs.com
The data controller solves the invoicing of his incomings using a data processor (hereinafter "invoicing partner").
Invoicing partner name: KBOSS.hu Ltd.
Invoicing partner address: EU Hungary, H-1031 Budapest, Záhony Street 7.
Invoicing partner availability: firstname.lastname@example.org
Invoicing partner web address: https://www.szamlazz.hu
5. Data processing purposes, pretences, durations and related personal data
5.1 Visitors data of the website and managing of cookies
The data controller processes the visitors’ (as data subjects) IP address, visit date, and the web address of the visited web page for the purpose of creating statistics and for technical reasons. The data that are processed by the data controller are stored in an anonymized and non-interlinkable way with the registered data of the user up to three-month period. The legal basis of data processing is the legitimate interests pursued by the data controller.
5.2 Third parties' services
The data controller also uses web site applications of third parties that come from or are directed to the third party servers.
Google Analytics supports the independent auditing of the website attendance and other web analytic data. The data controller set Google Analytics to anonymize the data subject's IP address and this anonymized IP address is stored in log files. You can obtain detailed information about Google Analytics through the following link: https://www.google.com/analytics/terms/gb.html
Third party service providers have no access to personal data are processed by the data controller, only the aggregated, non-personal data access are provided for them.
5.3 Registered user related data processing
The data controller is processing the data subject’s username, password (in encoded form), e-mail address, first and last name, address, time zone, phone number, invoicing and shipping name and address, the European Union community value added tax number, and the registered e-mail address, first and last name at the secure payment service provider. The listed date are absolutely necessary for the purpose of identifying, contacting, secure participation in trading transactions, handling the trading transactions, leaving feedbacks and invoicing. Most of the listed data can be modified or erased by the data subject through the user interface of web page from the user profile or pages that are accessible starting from it. Registered but not activated user profiles will automatically be erased according to the way and timeframe are specified in the General Terms and Conditions. The legal basis of the data processing is the data subject consent according to the Info law 5. § (1) section a) point and the performance of the General Terms and Conditions.
Data erasing will only perform under the procedure specified in the General Terms and Conditions if the data subject’s every transaction, feedback-leaving, debt to the data controller was settled and closed and the user profile of the data subject is not under a temporary or definitive exclusion from the usage of the web site. In these cases, the legal basis for the extended processing of data is the legitimate interests pursued by the data controller, the protection of third parties or the enforcing of the laws.
The system of the data controller will occasionally send e-mail messages to the data subject about the processing of his or her registered data and the status changing of his or her user profile.
The data processor is the technology partner of the data controller.
5.4 Group buy related data processing
From the group buy related databases, only the data of data subjects who finally became the first place seller and sure buyers in the active group buy will be transferred into the feedbacks database and the downloadable file that contains the buyer data for the first place seller. It is important to note, at the closing of group buys, the system of data controller does not send any personal data about the participating parties to ensure the security of the data therefore, unauthorized third parties cannot access them (e.g.: data subject’s e-mail provider). Further details about feedbacks and transaction handling will be expounded in point 5.5.
If the data subject participate in group buy as a seller, his or her registered e-mail address of the secure payment service provider which is stored in registered user database will automatically be transferred into the offer database for the purpose of retaining if this data will have been erased from the registered user database at the closing of group buy, then its transferring into feedbacks database can be solvable. Furthermore, sellers’ username, received and left feedbacks will be disclosed and those can be viewed for anyone.
If the data subject participate in group buy as a buyer, his or her registered e-mail address, first and last name at the secure payment service provider which are stored in registered user database will automatically be transferred into the joining database for the purpose of if these data will have been erased from the registered user database at the closing of group buy, then their transferring into feedbacks database can be solvable. Moreover, the shipping/recipient name, e-mail address, phone number, address and notice, the invoicing name, address, tax number and notice are provided by the data subject on the joining form will also be stored in the joining database for the purpose of the payment, shipping and invoicing data of sure buyers will be accessible for the first place seller in aggregated downloadable file format. Furthermore the storing of the above listed data are reasonable because if the data subject is participating as a buyer, the address and phone number data are not necessary to be provided for adequate operation of non-group buy systems of the data controller and the data subject can also enter data which are other than the stored ones in registered user database.
The purpose of downloadable file which contains the payment, shipping and invoicing data of the sure buyers is the first place seller does not have to contact each buyer one by one to obtain the above listed data and to support the adequate operation of the feedback and transaction handling system as well. We would like to draw the attention of sellers, they will also become data controllers regarding to the data of the downloaded file and the seller as a data controller is responsible for to ensure the adequate processing of the data in accordance with the General Terms and Conditions, present privacy statement and the Data Protection Act as well. The seller must have to process the downloaded data according to their purposes (i.e. to identify payment of products and to support the shipping and invoicing processes) and after the performance of purposes (i.e. the closing of payment identification, shipping and invoicing processes) he or she must have to totally erase all downloaded data.
In case of group buys closed with inactive status, the personal data of sellers and buyers will be erased from the group buy related databases after 30 days following the closing of the group buy. The downloadable file which contains the buyer data will be erased and become inaccessible after 90 days following the closing of the group buy. The stored non-personal data in group buy related databases will be retained for 5 years for the purpose of proving and to create anonym statistics.
The system of the data controller will occasionally send e-mail messages about the progression of group buy to the participating data subjects.
The legal basis of the processing of data listed in point 5.4 is the data subject consent according to the Info law 5. § (1) section a) point, the performance of the General Terms and Conditions and the legitimate interests pursued by the data controller.
The data processor is the technology partner of the data controller.
5.5 Feedback and transaction handling related data processing
Data subjects do not have to provide any additional personal data besides those are listed in points 5.3 and 5.4. The data controller processes the personal data of the data subjects who participated in a transaction as follows:
a) The data subject as the buyer
Buyer related data from the feedbacks database: the country based on shipping address, payment mode, payment identifier (registered e-mail address at the secure payment service provider) and payment first and last name (registered first and last name at the secure payment service provider). The purpose of the listed data is the proving of the shipping country provided by the buyer in controversial cases and to support the adequate operation of the feedback and transaction handling system for the sellers.
Buyer related data from the registered user database: the username, e-mai address, first and last name and phone number. The purpose of the listed data is to provide the opportunity for the seller to contact the buyer.
Listed data are accessible for the seller up to 90 days that follows the date of shipping related to the transaction.
b) The data subject as the seller
Seller related data from the feedbacks database: payment identifier (registered e-mail address at the secure payment service provider). The purpose of the listed data is to facilitate the payment of product price in order to make faster transaction without contacting the seller.
Seller related data from the registered user database: the username, e-mai address, first and last name and phone number. The purpose of the listed data is to provide the opportunity for the buyer to contact the seller in case of problems and to support the buyer’s consumer protection rights (return of the product, warranty).
Listed data are accessible for the buyer up to 90 days that follows the date of shipping related to the transaction.
You can read more about the buyer data file that can be downloaded for the seller in point 5.4.
Listed personal data in point 5.5 can only and exclusively be used in relation with the legitimate activities of the transaction, until their final closing and by the parties participated in the transaction.
Moreover, the feedbacks and related responses left by the participants of transactions are processed in the feedbacks database and made accessible for the visitors of system by the data controller. Feedbacks, responses and their calculated average values can be viewed up to 1 year back.
For the purpose of proving, the data controller retains the data that are stored in the feedbacks database for 5 years.
The system of the data controller will occasionally send e-mail messages about the feedbacks and handling of transaction to the participating data subjects.
The legal basis of the processing of listed data in point 5.5 is the data subject consent according to the Info law 5. § (1) section a) point, the performance of the General Terms and Conditions and the legitimate interests pursued by the data controller.
The data processor is the technology partner of the data controller.
5.6 Invoicing and payment related data processing
Data subjects do not have to provide any additional personal data besides those are listed in point 5.3. The required personal data for invoicing will be transferred from the registered user database of the data controller onto the invoices issued to the data subject.
If the data subject requires value added tax free invoices by the specifying of his or her European Union community tax number (in accordance with the fee regulations and effective laws), the data controller will check the specified tax number validity by the official checking system of the European Union (VIES) as official data processor.
The payment data that were used for invoices and transmitted by the payment service provider will be stored in accordance with effective laws (details in the Fee Regulation
). The controlled personal data are the registered first and last name and email address at the payment service provider.
The system of the data controller will occasionally send e-mail messages about the creation of invoices, payment deadlines and reminders, possible debt collection and handling of user account to the data subjects.
The legal basis of the processing of data listed in point 5.6 is the performance of the General Terms and Conditions and the legitimate interests pursued by the data controller. Furthermore, the data controller will compulsory retain the data subject’s invoices, invoicing and payment related data for 8 years according to the Hungarian 2000. C. Law 169. § (2) section.
The statutory electronic invoices of the data controller are created by the invoicing partner of the data controller as a data processor. Furthermore, the technology partner of the data controller provides the adequate storage of invoices as a data processor.
5.7 Product and price watching related data processing
Visitors of the system of the data controller as data subjects can request e-mail notification about the changing of progresses of a listed product according to the specified options.
The data controller processes the data subject’s e-mail address in the product and price watching related database for the purpose of to send notification e-mail to the data subject if the data subject's conditions are met.
Personal data are processed in the database related to product and price watching will be erased immediately after the related product has disappeared from listings and the data subject's conditions have been met.
The legal basis of the processing of data listed in point 5.7 is the data subject consent according to the Info law 5. § (1) section a) point.
The data processor is the technology partner of the data controller.
5.8 Contact making and communication related data processing
Visitors of the system of the data controller as data subjects can make contact with the data controller through his web site or by sending an e-mail.
The data controller processes the data subject's name and e-mail address in the messages and communication related database for the purpose of to keep contact with the data subject and to make adequate actions in accordance with the legitimate request.
Messages and communication related data will be retained for the purpose of proving up to 5 years after the final closure of the case.
The legal basis of the processing of data listed in point 5.8 is the data subject consent according to the Info law 5. § (1) section a) point, the performance of the General Terms and Conditions and the legitimate interests pursued by the data controller.
The data processor is the technology partner of the data controller.
6. Contact details of the data controller
Name: Bidcage Online Marketplace
E-mail address: email@example.com
Customer service: https://bidcage.com/customer-service
7. Legal possibilities of the data subject
7.1 General information
The data subject can make a request about the processing, duration, source, purpose, legal basis, possible transmission, its legal basis and recipient of his or her data, an accidental security incident, its circumstances, impacts and measures taken for resolving and all activities related to data processing including the name, address and activities of the data processor.
The information is free of charge if the requester has not filed an information request about the same scope to the data controller in the current year yet. In other cases, the data controller sets a cost reimbursement and will provide the information after payment of the cost reimbursement.
About the subject of the information request, the data controller will inform the data subject no later than 15 days after the submission of the request.
Any request or complaint addressed to the data controller can be submitted by the data subject in the following languages:
If a request or complaint has been not submitted in one of the specified languages, the data controller has the right to ignore it and to consider it void.
The data subject can submit any request to the data controller through the contact details are specified in point 6.
The data controller can only and exclusively reply in written, postal correspondence form to the data subject if the data subject has provided his or her valid and correct postal mailing address. If the data subject refuses to provide his or her postal mailing address on the request of data controller, then the data subject automatically agrees that the data controller sends electronic response to him or her. If the postal mailing address has been provided by the data subject is invalid or incorrect and therefore, he or she cannot receive the postal response of the data controller, then the data controller cannot be held responsible for and will not take legal or financial liability.
7.2 Data correction, erasing and retaining
The data subject can request the correction of his or her personal if the personal data does not correspond to reality based on the inquiries of data controller and the data controller can access to the data subject’s personal data which are necessary to the correction.
If the inadequacy or inaccuracy of the personal data can not be clearly decided, the personal data are processed by the data controller will be marked.
Based on the data subject’s request, the data controller will retain or erase the data subject’s personal data according to the erasing / deletion procedure described in the General Terms and Conditions.
In case of erasing, the personal data go through a procedure by which their reclamation will no longer be possible.
The data controller can retain the data subject’s personal data instead of erasing if he or she presumably violates the legitimate interests of the data controller, or due to statutory obligation of the data controller or purpose of proving, the data retention is necessary or compulsory. Retained data can be processed as long as the specified data processing purpose exists which excludes the erasing of data. The data controller will mark the personal data in a clearly identifiable way in order to permanently or temporarily retain the data.
The data controller erases the personal data of the data subject beyond his or her request if
- the processing of data is illegal,
- the data is incomplete or incorrect (if the status can not be legally changed) and erasing is not excluded by law,
- the data processing purpose has ceased or the statutory storage obligation has expired,
- erasing is ordered by the court or the data protection authority.
The data controller will perform the correction, the retaining of the personal data and the initiation of the erasing procedure within 30 days. The data controller notifies the data subject about the correction, retaining or erasing of the data, as well as those, the data have previously been transmitted for data processing. The notification can be left if it does not violate the legitimate interests of the data subject in point of the purpose of data processing.
If the data controller will not perform the correction, retaining or erasing within 15 days, he will inform the data subject in written, postal correspondence form or with the consent of data subject in electronic form about the factual or legal grounds of the rejecting of the request.
7.3 Take objection to data processing and compensation
Data subject can take objection to his or her data processing if
- the processing or transmission of personal data is necessary solely for the performance of a legal obligation or to enforce the data controller, a data recipient or a third party legitimate interest, except the compulsory data processing;
- the use or transmission of personal data is occurred for direct business, gallup poll or scientific research purpose
- the exercise of the right to take objection is allowed by the law.
The data controller will examine the legal grounding of the objection request within the shortest time, but within a maximum of 15 days from the receiving, will make a decision and inform the applicant in writing about the decision. If the objection is well founded, the data controller finishes the data processing, data gathering and data transmission, the data are retained and blocked and notifies all those for who the personal data involved in the objection have previously been transmitted and who are obliged to take action to enforce the right of the objection. If the data processing has been ordered by law, the data controller cannot erased the data subject’s data. The data will not be transmitted to the data recipient if the data controller agrees with the objection or the justness of the objection is established by the court.
The data controller reimburses the harm is suffered by the data subject if those are resulted from the unlawful processing or the breach of the data security requirements that violates the privacy of the data subject’s personal data. The data controller also assumes the responsibility for the data subject’s personality right harms, which are caused by the data processor.
If the data controller proves that the data subject’s damage or personality right harm is caused by an unavoidable cause beyond the data processing, the data controller will be exempt from the liability and compensation for the damages or harms. Moreover, the data controller will be exempt from the liability and compensation for the damages or harms if the violations of law were caused by the data subject’s intentional or recklessly careless behaviour.
7.4 Enforcement of the right
a) Please feel free to make contact with the data controller through the contact details provided in section 6 for any unlawful processing of your personal data or breach of data security requirements. The data controller replies the received complaints within a maximum of 15 days of receipt.
b) If the reply of the data controller does not reach you within the specified 15-day deadline or you do not agree with its content, you can also apply to the National Data Protection and Information Freedom Authority acting on data processing:
Headquarter: EU Hungary 1125, Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: Hungary H-1530, Budapest, Pf.: 5.
Phone: +36 (1) 391-14-00
Telefax: +36 (1) 391-14-10
E-mail address: firstname.lastname@example.org
c) In the last resort, the data subject can turn to the court against the data recipient or the data controller as well. In addition, the data subject can be entitled to a legal remedy against the National Data Protection and Information Freedom Authority if the data protection authority fails to address the complaint or does not inform the data subject on procedural developments or the outcome of the complaint within three months. The proceeding against the data protection authority must be initiated before the court of the Member State where the data protection authority is established.