- Governing legislation
This Notice is intended to set out the privacy and data protection policies and principles of Body & Soul Wellness, Inc.
In drafting the provisions of this Notice, the Company has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), the provisions of the 2011 EU Regulation on the Right to Information Self-Determination and Freedom of Information, Act CXII of 2013 on the Information and Data Protection Act, Act V of 2013 on the Civil Code (“Civil Code”) and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities.
- Data Controller’s data
Body & Soul Wellness, Inc.
Data Protection Officer: Marianna Jackson
Body & Soul Wellness, Inc., registered in the State of Nevada (USA).
The Controller operates the https://bnswellness.com Website, which is designed to provide information about the services of Body & Soul Wellness, Inc.
Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the person, as defined in point 2, who, alone or jointly with others, determines the purposes and means of the processing.
Data Processor: a service provider who processes personal data on behalf of the Controller.
Personal Data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
User: a natural person over the age of 20 who, as a Buyer or Interested Party, provides the data listed in the following points on the Website.
External service provider: not used.
- Principles, methods of data processing, applicable law
4.1 The Controller shall process only the data specified by law or provided by Users for the purposes set out below.
4.2 In all cases where the Data Controller intends to use the Personal Data for purposes other than those for which they were originally collected, the Data Controller shall inform the User thereof and obtain his or her prior and explicit consent or provide the User with the opportunity to prohibit such use.
4.3 The Controller does not control the Personal Data provided to it. The Controller shall not verify the accuracy of the Personal Data provided.
4.4 The Personal Data of a person under the age of 16 may be processed only with the consent of the person who is the legal guardian of the person concerned. The Data Controller is not in a position to verify the eligibility of the person giving consent or the content of the consent, so the User or the person who is the legal guardian of the person concerned guarantees that the consent is in accordance with the law. In the absence of a declaration of consent, the Data Controller shall not collect Personal Data relating to a data subject under the age of 16.
4.5 The Data Controller shall not transfer Personal Data processed by it to third parties other than the Data Processors specified in this Notice and, in certain cases referred to in this Notice, to External Service Providers. An exception to the provisions of this clause is the use of data in aggregate statistical form, which shall not include any other form of data that can identify the User concerned and shall therefore not constitute Processing or transfer. The Data Processors of the Data Controller listed in this Privacy Notice and the External Service Providers shall, after 25 May 2018, record or process Personal Data transmitted to them by the Data Controller and processed by them in accordance with the provisions of the GDPR and shall provide a declaration to the Data Controller to that effect.
4.6 In view of the relevant provisions of the GDPR, the Data Controller is not obliged to appoint a Data Protection Officer, as the Data Controller is not a public authority or a body with public responsibilities, the activities of the Data Controller do not involve operations that require systematic large-scale monitoring of Users, and the Data Controller does not process sensitive data or personal data relating to criminal convictions and offences.
4.7 The Data Controller shall process personal data in accordance with applicable law.
The legislation governing the processing of personal data includes in particular:
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (hereinafter referred to as “GRTV.”);
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;
- Article 169 of Act C of 2000 on Accounting (concerning the retention of supporting documents).
- Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter “INFOTV.”);
- Regulation 2016/679 of the European Parliament and of the Council
- Purpose of the processing
The Data Controller processes personal data solely for specific purposes, for the exercise of rights and the performance of obligations. At all stages of processing, the purpose of the processing is fulfilled. The Data Controller shall endeavor to process only personal data that is necessary for the purpose of the processing and is adequate for the purpose. Personal data shall be processed only to the extent and for the duration necessary for the purposes for which they are processed. The purpose of the processing is primarily the operation of the Website and the provision of the Controller’s services.
The purpose of the processing is based on the above:
- The User requests information about the service;
- Identification of the User, contacting the User;
- Providing information to the User, to contact the Service Provider, to identify the Service Provider, to contact the User, to provide the Service Provider with information about the Service;
- Analysis, statistics, improvement of the services – for this purpose, the data controller uses only anonymized data, aggregated data that cannot be personally identified.
- Source of data
The Data Controller processes only the personal data provided by Users and does not collect data from any other source. The data is provided during the voluntary registration of the User. The User provides his/her name and e-mail address during registration.
If the User registers for a promotion organized by the Data Controller and provides his/her data, he/she consents to the processing of his/her personal data in accordance with the terms and conditions of the promotion. In this case, the Data Controller will only process the data provided during the promotion.
- Data processors
The server service is provided by WordPress.
- Other data controllers
The companies operating social networking sites are separate data controllers:
Facebook and Instagram (Facebook Ireland Ltd., registered office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland): https://www.facebook.com/privacy/explanation; https://www.facebook.com/help/instagram/155833707900388/
- Legal basis for processing
9.1. 5 (1) (a)) and, in the case of profiling, the User’s appropriate information in accordance with the provisions of the GDPR, as well as Article 6 (1) (f) of the GDPR. The Users voluntarily contact the Data Controller, register voluntarily and use the services of the Data Controller. In the absence of the Users’ consent, the Data Controller shall process data only if expressly authorized to do so by law.
9.2 The User has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
9.3 Transfers of Data to Processors as defined in this Policy may be made without the User’s consent. Unless otherwise provided by law, the disclosure of personal data to third parties or public authorities shall only be possible on the basis of a final decision by a public authority or with the prior express consent of the User.
9.4 When providing any User’s e-mail address and the data provided during registration (e.g. user name, ID, password, etc.), the User also assumes responsibility for the fact that only the User will use the service from the e-mail address provided and using the data provided. In view of this assumption of responsibility, any liability for accessing the service from an e-mail address and/or using the data provided shall be borne solely by the User who registered the e-mail address and provided the data.
9.5 The main legal provisions that also provide for data processing are those set out in section 4.8. The data contained in the receipt issued by the Data Controller is processed by the Data Controller in accordance with the provisions of the Accounting Act.
- Scope of the data processed
The Data Controller processes only the personal data provided by Users. The data processed are the following: surname, first name, e-mail address, mobile phone number.
- Description of the data processing process
The source of the data is the User who provides the data when entering the Website. Providing the data in the registration form is mandatory, unless explicitly indicated otherwise.
The User enters the data independently; the Data Controller does not give any binding guidelines or content requirements in this respect. The User expressly consents to the processing of the data provided by him.
In addition to the data requested by the Data Controller, the User is entitled to provide other data in his/her profile; the legal basis for the processing of the data in this case is also the voluntary consent of the User.
By registering on the Website, the User consents to the storage, processing and use of the (personal) data provided during registration by firstname.lastname@example.org for the purposes of contacting, market research, direct marketing and/or advertising in accordance with the legal provisions in force at the time.
- Processing for advertising purposes, sending newsletters
If the User consents, the Data Controller will contact the User using the contact details provided and send him/her advertising by direct mail. The advertising may be sent by post or e-mail. In all cases, the advertising shall be subject to the User’s consent. The User may withdraw his consent at any time without giving any reason.
- Transmission of data
The Data Controller shall only transfer personal data to third parties if the User has given his/her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorized by law.
The Data Controller is entitled and obliged to transmit to the competent authorities any Personal Data at its disposal and stored by it in accordance with the law, which Personal Data it is obliged to transmit by law or by a final and binding obligation of a public authority. The Controller shall not be held liable for such transfers and the consequences thereof.
The Controller shall in any case document the transfers and keep records of the transfers.
- Data security
The Data Controller shall ensure the security of the data, take the technical and organizational measures and establish the procedural rules necessary to enforce the applicable laws, data protection and confidentiality rules. The Data Controller shall take appropriate measures to protect the data against unauthorized access, alteration, disclosure, deletion or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.
The Data Controller shall keep records of the data processed by it in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting in the interests of the Data Controller (data processors) who need to know the data in order to perform their job or task.
The Data Controller shall take into account the state of the art when defining and applying measures for data security. The Data Controller shall choose among several possible data processing solutions the one which ensures a higher level of protection of personal data, unless this would involve a disproportionate effort.
The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
- measures to protect against unauthorized access, including the protection of software and hardware devices and physical protection (access protection, network protection);
- measures to ensure the possibility of recovery of data files, including regular back-ups and the separate and secure management of copies (back-up);
- Protection of data files against viruses (virus protection);
- Physical protection of data files and the media on which they are stored (archiving, fire protection, alarms).
Employees and other persons acting on behalf of the Data Controller shall keep secure the data carriers they use or have in their possession, including personal data, regardless of the means of recording, and shall protect them against unauthorized access, alteration, disclosure, erasure or destruction, accidental destruction or damage.
The Data Controller shall operate the electronic register by means of an IT program which meets the requirements of data security. The program shall ensure that access to the data is limited to the persons who need it for the performance of their tasks, for the purposes for which it is intended and under controlled conditions.
- Duration of processing
The Controller shall delete personal data where:
- a) its processing is unlawful; if it is found that the processing is unlawful, the Controller shall carry out the erasure without undue delay.
- b) the User requests it (except for processing based on law);
The erasure of data processed on the basis of the User’s voluntary consent may be requested by the User. In this case, the Data Controller shall delete the data. Deletion may only be refused if the processing of the data is authorized by law.
Newsletters sent by the Data Controller may be cancelled by means of an e-mail reply. In the event of unsubscription, the Controller shall delete the User’s Personal Data in the newsletter database.
As the Data Controller provides a continuous service to the User, the relationship between the parties is not time-limited. Therefore, unless the User requests otherwise, the Data Controller shall process the data for as long as the relationship between the Data Controller and the User exists and for as long as the Data Controller is able to provide the User with the service.
All other data shall be deleted by the Controller if it is clear that the data will no longer be used, i.e. the purpose of the processing has ceased to exist.
- c) ordered by a court or the National Authority for Data Protection and Freedom of Information.
If a court or the National Authority for Data Protection and Freedom of Information has issued a final order for the deletion of the data, the Data Controller shall carry out the deletion.
Instead of deletion, the Data Controller shall block the personal data, after informing the User, if the User so requests or if the information available to the Data Controller indicates that deletion would be prejudicial to the legitimate interests of the User. The personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists. The Data Controller shall mark the personal data it processes if the User contests the accuracy or correctness of the personal data, but the incorrectness or inaccuracy of the contested personal data cannot be clearly established.
In the case of processing required by law, the erasure of data shall be governed by the law.
In the event of erasure, the Controller shall render the data unidentifiable. Where required by law, the Controller shall destroy the storage medium containing the personal data.
- Rights of Users and their enforcement
The Data Controller shall inform the User of the processing of the data at the time of contacting the User. The User shall also have the right to request information on the processing at any time.
Upon the User’s request, the Data Controller shall provide information on the data processed by the User or by a data processor appointed by the User or under its instructions, on the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and its activities related to the processing, the circumstances and effects of the data breach and the measures taken to remedy the data breach, and, in the event of the transfer of the User’s personal data, the legal basis and the recipient of the data transfer.
The User may request the correction of his/her data by the Data Controller. In the event that the data to be corrected is regularly provided, the Data Controller shall, if necessary, inform the recipient of the data of the correction and shall draw the User’s attention to the fact that the correction must be initiated with another data controller.
The User may request the erasure of his/her personal data, except for processing required by law. The Controller shall inform the User of the deletion.
The User may submit a request for information, rectification or erasure in writing, by letter addressed to the registered office or place of business of the Data Controller or by e-mail to the Data Controller at email@example.com.
The User may request that the Controller restrict the processing of his/her Personal Data if the User contests the accuracy of the Personal Data processed. In this case, the restriction shall apply for the period of time that allows the Controller to verify the accuracy of the Personal Data.
The User may also request the restriction of the processing of his/her Personal Data by the Controller if the purpose of the processing has been achieved, but the User requires the processing of his/her Personal Data by the Controller for the establishment, exercise or defense of legal claims.
The User may request the Controller to transfer Personal Data provided by the User and processed by the User in an automated way to the User in a structured, commonly used, machine-readable format and/or to another controller.
If the Data Controller does not comply with the User’s request for rectification, blocking or erasure, it shall, within 25 days of receipt of the request, communicate in writing the reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the User of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information.
The User may make the above declarations concerning the exercise of his/her rights at the contact details of the Controller provided in point 2.
- Amendments to the Privacy Notice
The Data Controller reserves the right to amend this Notice at any time by unilateral decision. The Data Controller may (but is not obliged to) inform Users of any amendment to this Notice by sending a system message. On the basis of the information contained in the notification, the User shall be entitled to exercise his/her rights in relation to data management as provided for in this Policy and in the applicable legislation.
By registering, the User accepts the provisions of this Notice in force, without the need to obtain the consent of the individual User.