Personal Data Protection Notice

Palm Leaves

Effective from December 5, 2022

Service providers who maintain the Palm Leaves brand pay particular attention to the lawful, transparent and secure processing of your personal data within the framework of their activities, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as: GDPR) and Act CXII of 2011 (hereinafter referred to as: Infotv.).

The purpose of this data protection notice is to provide you with the most complete information possible about what personal data we process within the framework of our activities, what the purpose of this data processing is, with whom we share your personal data and what rights you have in relation to the processing of your personal data.

1. Which data is considered personal data?

All information that relates to an identifiable or identified natural person, i.e. the data subject, is considered personal data. Such information includes, but is not limited to, the name, place and date of birth of the data subject, his/her maiden name, his/her address, the online identifier used by him/her.

2. What is meant by data processing?

Any operation or set of operations which is performed upon personal data or upon sets of data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

3. Who processes your personal data?

Your personal data is processed by the following individual entrepreneurs as joint data controllers:

Company name: Sorsközpont Kft.
Registered office: 1036 Budapest, Kolosy tér 1/B, 4/1, Hungary
VAT: 32144439-2-13
E-mail: [email protected]
Telephone number: +36 70 598 0751

Lukács Zoltán Gábor
Registered office: 1036 Budapest, Kolosy tér 1/B 4/1
TAX ID: 77038625-1-41
Registration number: 39562926
E-mail: [email protected]
Telephone number: +36 70 598 0751

The data controllers do not have a responsible person.

4. Whose personal data do we process?

The following table shows which personal data we typically process as part of our activities, for what purpose and on what legal basis:

| Personal data | Purpose of data processing | Legal basis for data processing |
| --- | --- | --- |
| Name (first name and surname) | client identification, contract performance (in the case of letter interpretation, the person concerned can decide whether their first name can be used for contract performance) | Article 6, paragraph (1) point (b) GDPR |
| e-mail | informing the customer about the ordered services, direct marketing, providing a username on the website sorslevelek.hu/palmleaves.eu | Article 6, paragraph (1) point (a), point (b) and point (f) GDPR |
| phone number | informing the customer about the ordered services | Article 6, paragraph (1) point (b) GDPR |
| nationality | performance of the contract only in the case of interpretation of the palm leaf | Article 6, paragraph (1) point (b) GDPR |
| gender-neutral thumbprint | performance of the contract only in the case of interpretation of the palm leaf | Article 6, paragraph (1) point (b) GDPR |
| thumbprint | issuing an invoice | Article 6, paragraph (1) point (c) GDPR |
| date of birth | client identification, in the case of interpretation of the leaf, performance of the contract according to the choice of the person concerned | Article 6, paragraph (1) point (b) GDPR |
| address | fulfilling of the contract | Article 6, paragraph (1) point (b) GDPR |
| dietary details | for the purpose of fulfilling the contract, if the data subject wishes to participate in attending an event organized by the operator, but has a special diet or food allergy | Article 9, paragraph (2) point (a) GDPR |
| video and audio recordings of the data subject at our events | to publish photo and video reports and marketing materials about our events on our online platforms | Article 6, paragraph (1) point (f) GDPR |
| video and audio recording of the person concerned during the interpretation of the palm leaf and other suggested rituals | ensuring that the data subject downloads and saves these recordings for later playback | Article 6, paragraph (1) point (b) GDPR |
| payment details (bank account number and associated name, payment card details) | to fulfill a contract, to identify payments for services and products, to maintain accurate accounting records | Article 6, paragraph (1) point (b), point (c) GDPR |
| password for webpage sorslevelek.hu | providing access to content purchased and stored on sorslevelek.hu for the purpose of fulfilling the contract | Article 6, paragraph (1) point (b) GDPR |

The meaning of the individual legal bases:

  • Article 6(1)(a): processing based on the data subject’s consent,
  • Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract,
  • Article 6(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject,
  • Article 6(1)(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (in short: legitimate interests of the controller).
  • Article 9(2)(a): in the case of sensitive data (such as data relating to your diet or food allergies), we will only process your data based on your explicit consent.

Please note that in our opinion, a gender-neutral thumbprint to be used in the context of the fortune-telling service we provide does not qualify as special (biometric) data, as it is not used to uniquely identify the data subject within the scope of the service we provide, and neither we nor our contractual partners have the means to perform a unique identification based on this data.

We process your e-mail address based on your consent if you are not our customer but have subscribed to our advertising newsletter. You can unsubscribe from our newsletter at any time without consequences.

If you are our customer, we will process your e-mail address in addition to the performance of the contract, for the purpose of sending the advertising newsletter, the legal basis of which is our legitimate interest. You can object to this data processing at any time without consequences.

If you have unsubscribed from our newsletter, we will process your e-mail address and, if your e-mail address also contains your name, for the purpose of blocking the sending of letters to your e-mail address in the e-mail sending software that we manage. The legal basis for this data processing is our legitimate interest, which aims to protect ourselves from the legal consequences resulting from the sending of unsolicited e-mails. You can object to this data processing at any time without any consequences. In this case, we will delete your e-mail address from our newsletter database. However, in this case, we cannot guarantee that your e-mail address will not return to our database when you make a new purchase.

We process data in connection with billing in order to fulfill our obligation to issue invoices pursuant to Section 159 para. 1 of the VAT Act and to provide a true picture of our economic events and operations in accordance with the principle of documentary evidence and documentary discipline pursuant to Section 165, Sections 1 and 2 of Act C of 2000 on Accounting (hereinafter referred to as the “Act”) and in this context to ensure the retention of individual accounting documents in accordance with Section 169 of the Act. We also retain payment data in order to provide a true picture of our economic events and operations.

Further data processing:

If you join a Facebook event in any way related to one of our Facebook events, your name, profile picture and posts published within the event may become visible to us and other participants and you may receive notifications about the event via Facebook. This data processing is based on Article 6(1)(a) GDPR, i.e. on your consent, which you have given us by joining the Facebook event.

If you contact us in connection with the exercise of your data protection rights, we will usually process your name, email address, postal address and other personal data provided in your request – depending on the way you do so – in order to be able to respond to your request. This data processing is based on Article 6(1)(c) GDPR, as we are legally obliged to respond to your request in a substantive manner.

If you contact us in relation to our products, services or activities, we will usually process your name, email address, postal address and other personal data provided in your request, depending on the method used, in order to be able to respond to your request. This data processing is based on Article 6(1)(b) GDPR, as in this case, responding to your request constitutes an act carried out at your request prior to the conclusion of a contract.

If we have a claim against you or you have a claim against us for any legal reason, we will usually process your name, delivery address, billing address, email address and telephone number for the purpose of exercising the claim and, in addition, we will process any personal data that you or a person acting on your behalf has obtained in connection with the exercise of the claim. This data processing is based on Article 6(1)(f) GDPR.

We would like to inform you that if you like or follow our Facebook or Instagram page or other social media platforms (e.g. Youtube, Twitter, etc.), Facebook, Instagram or the respective social media service provider may collect data about your activities on these pages, based on which these pages can, for example, show you personalized advertisements. We publish offers, information about products and services on these pages. If you like or follow the above-mentioned pages, your name, username or profile picture that you use, your comments and likes may become visible, trackable and commentable to us and other users on these pages and you may receive notifications about developments related to the pages. This data processing is based on Article 6(1)(a) GDPR, i.e. on your consent.

We would like to point out that in all cases where you use our social media platforms in connection with our activities, the service provider operating the platform in question acts as an independent data controller. For information about data processing practices, please refer to the data protection materials published by these service providers.

5. When is data processing based on the consent of the data subject, i.e. your consent, lawful?

Data processing based on the consent of the data subject, i.e. your consent, is lawful if you have given your consent to the data processing freely and unambiguously after specific and adequate information.

Please note that you have the right to withdraw your consent to the data processing at any time!

We would like to inform you that the withdrawal of consent does not mean that the data processing carried out before the withdrawal of consent is unlawful. You can withdraw your consent in writing, by sending a statement to one of the contact details listed in point 3, or in the case of newsletters, by clicking on the “unsubscribe” link at the bottom of the emails we send you.

If, in addition to your consent, we process any of your personal data on another legal basis as set out in point 4, the withdrawal of consent does not make the processing carried out on that other legal basis and for that other purpose unlawful. For example, if you prohibit the sending of newsletters, but we also process your name and email address to fulfill our contractual obligations, we will continue to process this data lawfully despite the withdrawal of consent, provided that we no longer send you newsletters.

6. Data processing based on legitimate interest

For each data processing operation where the data processing is based on our legitimate interest, we have carried out a balancing test regarding the legitimacy of the data processing. Data subjects can view these tests at the following link: balancing test

Data subjects have the right to object to data processing based on legitimate interest. Data subjects can exercise their right to object by sending written statements to the contact details in point 3 by e-mail or post. In the case of an e-mail newsletter, you can prevent the future sending of newsletters at any time by clicking on the “unsubscribe” link at the bottom of the e-mails and you can also prevent the processing of your e-mail address so that the software we use prevents the sending of newsletters to your address in the event of an unsubscribe.

In the event of an objection by the data subject, we may continue to process personal data processed on this legal basis only if we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

7. Data processing period

We process your personal data for the duration of the contract concluded between you and us and until its performance. For the purposes of this data protection notice, a contract is considered to be fulfilled when all parties have fulfilled their contractual obligations.

Images and audio recordings from our events that have not been published on our platforms for marketing purposes will be deleted within sixty days of the date of the events. We will delete published images and audio recordings from our records after your objection.

Images and audio recordings from fortune telling and other ceremonies are recorded via Skype. These recordings are stored in the Skype system for thirty days, after which they are deleted; they are not stored or retained by us or our contractual partners.

In the event that you or we have any legal claim arising from a contract or for any other reason, we will process your personal data specified in the contract and your personal data obtained in the course of debt collection until the debt is settled, in the event of debt settlement or until the settlement is fulfilled based on a final decision of a court or authority, or if this has not happened, until the final termination of the enforcement proceedings initiated based on this decision. We will process your personal data – in order to be able to collect our claims without hindrance or to protect our interests – until the general limitation period has expired (the limitation period is usually 5 years), even if no debt collection proceedings are ongoing – whether official, judicial or otherwise. The limitation period starts to run from the date on which the claim falls due.

In the case of sending newsletters based on legitimate interest, we will process your e-mail address for this purpose until your objection is received.

We will process your personal data, the processing of which is based on your consent, until you withdraw your consent to the processing, unless the data can no longer be processed on the basis of another legal title and purpose.

We process your personal data that we need to process to fulfill our obligations under the Data Protection Act for eight years from the start of the data processing in accordance with Section 169 of the Data Protection Act.

We process your personal data that you have provided to us in your questions and requests regarding your rights regarding data processing, as well as our products, services and activities, until the question or request has been fully processed.

After the legal basis and purpose of the data processing cease to exist, we will delete your personal data from our records within thirty days or, if this is not possible, make this data inaccessible or anonymize it.

8. Your rights

You have the following rights in relation to the processing of your data that we carry out:

1. Right of access – Article 15 GDPR

2. Right to rectification – Article 16 GDPR

3. Right to erasure (“right to be forgotten”) – Article 17 GDPR

4. Right to restriction of processing – Article 18 GDPR

5. Right to data portability – Article 20 GDPR

6. Right to object – Article 21 GDPR

8.1 Right of access

You have the right to obtain information as to whether or not your personal data are being processed and, where such processing is being carried out, to have access to the personal data and to the following information:

  • the purposes of the processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations,
  • where relevant, the envisaged period for which the personal data will be stored or, where that is not possible, the criteria for determining that period,
  • the right of the data subject to obtain from the controller rectification, erasure or restriction of processing of his or her personal data and to object to the processing of such personal data,
  • the right to lodge a complaint with a supervisory authority,
  • where the data have not been obtained from the data subject, all available information on their source,
  • the existence of automated decision-making pursuant to Article 22(1) and (4) of the GDPR, including profiling, and at least in such cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the GDPR. If we transfer personal data to a third country or an international organisation, we will always ensure that the data protection practices and regulations of the third country or international organisation have been approved by the European Commission by an adequacy decision or, in the absence of such a decision, the controller, processor and international organisation in the third country provide appropriate safeguards for their data processing activities in accordance with Article 46 of the GDPR.

Upon request, we will provide you with a copy of the personal data that are the subject of the processing. For any additional copies you request, we may charge you a reasonable fee based on administrative costs.

If you have made a request for information electronically when exercising this right, we will provide you with the information in a commonly used electronic format (e.g. Word document, PDF file), unless you request otherwise.

Please note that the right to request a copy must not adversely affect the rights and freedoms of others!

8.2 Right to rectification

You have the right to request that we rectify inaccurate personal data concerning you without undue delay. Having regard to the purpose of the data processing, you also have the right to request that incomplete personal data be completed.

8.3 Right to erasure

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase personal data concerning you without undue delay if one of the following reasons applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • you withdraw your consent on which the processing is based and there is no other legal basis for the processing,
  • you object to the processing of your data on the basis of Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing on the basis of Article 21(2) of the GDPR,
  • your personal data are processed unlawfully,
  • your personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or Member State law.

8.4 Right to restriction

You have the right to obtain from the controller restriction of processing of your data where one of the following applies:

  • you contest the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data,
  • the processing is unlawful and you object to the erasure of the data and request the restriction of their use instead,
  • the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims,
  • you object to processing pursuant to Article 21(1), in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override your legitimate grounds.

Where processing is subject to a restriction, the personal data subject to the restriction may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

If the processing restriction is lifted, we will inform you in advance.

8.5 Right to data portability

You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance from us. This right applies to processing based on consent pursuant to Article 6(1)(a) GDPR and on a contract pursuant to Article 6(1)(b) GDPR.

If technically feasible, you may request us to transmit your personal data, which can be transmitted in accordance with the previous paragraph, directly to a controller designated by you.

Please note that we are not responsible for the activities of a controller to whom the personal data processed by us have been transmitted on the basis of this right.

8.6 Right to object

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for this purpose.

Direct marketing is defined as a set of information activities and complementary services carried out through direct demand, the purpose of which is the transmission of commercial advertising directly related to the sale, provision or promotion of products or services to customers (for example, sending newsletters containing advertising).

9. How can you exercise your rights related to data processing?

You can exercise your rights related to data processing by submitting a written request. You can send this request to us by email to the email address specified in point 3 of this notice, or by post to the address of the registered office of any of the data controllers.

We will inform you of the measures taken in response to your request within one month of its receipt. If your request is complex and the number of requests we receive is high, this period may be extended by a further two months. We will inform you of the extension of the period within one month of its receipt, stating the reasons for the delay.

If your request is not unfounded or disproportionate, we are obliged to process your request free of charge. We are obliged to demonstrate that the request is unfounded and disproportionate.

If we do not take any action based on your request, we will inform you without delay, but no later than one month from receipt of the request, of the reasons for the inaction, your right to complain and the available legal remedies.

10. Automated decision-making, profiling

We would like to inform you that if you subscribe to our newsletter, we will use the newsletter sending software we use to perform profiling and automated decision-making in order to send you discounted offers.

In practice, this means that your email address is entered into a database within the software used and the software used subsequently creates a profile of your activity and preferences based on your response to the emails sent to you. The software takes into account whether you open the emails sent, what products you order using your email address in the database, which links in the opened emails you clicked on, which pages related to us you visited based on the email and, on this basis, places you in predefined categories on the basis of which we send you our further offers.

Please note that you have the right to object at any time to the use of your personal data for direct marketing purposes, including profiling and automated decision-making. If you object, your personal data will no longer be used for this purpose.

In order to ensure the enforcement of the above right, we ensure that you can unsubscribe from our mailing list at any time and also provide the possibility to object only to profiling and automated decision-making by means of a statement addressed to us. In such a case, we will only send you our general, non-targeted offers after receiving your objection.

11. Liability for the inaccuracy of the personal data you have provided to us

Please note that we do not assume any liability if you have provided us with inaccurate personal data.

12. Who has access to the personal data we process?

Our employees, persons in other legal relationships with us, including our external contractual partners, are entitled to access the personal data we process.

Please note that in the case of fortune telling and ordering ceremonies, personal data is shared with our contractual partner operating in India.

The European Commission has not adopted an adequacy decision with respect to India as a third country, but we have concluded a contract with this partner that guarantees the protection of your rights and freedoms. We will only provide you with the contractual provisions regarding data protection upon request.

The transfer of data is necessary for the fortune telling and ceremonies that can be ordered, as the fortune telling is located in Indian libraries and the ceremonies are performed by Indian masters based on personal data. If you have any concerns regarding this issue, please contact us for further information. If you still have reservations after receiving our information, please carefully consider whether you want to order our services that require the transfer of data to India.

We use Skype software to perform and record online fortune telling and ceremonies. Call participants can download the recording from Skype for thirty days. Our contractual partners participating in the Skype call and the data controllers do not download the recording from Skype and do not store the recordings. After thirty days, the recordings are deleted from Skype. Information on Skype’s data processing practices can be found at the following link: https://www.skype.com/hu/legal/.

For online credit card payments, we use the Barion system. The service provider, Barion Payment Zrt., is an institution supervised by the Hungarian National Bank with license number: H-EN-I-1064/2013. Information on Barion’s data protection can be found at the following link: https://www.barion.com/hu/adatvedelmi-tajekoztato/.

We use the services of FoxPost Zrt. (registered office: 3200 Gyöngyös, Batsányi János utca 9., company ID: 10-10-020309) to deliver the ordered products. The data management policy of Foxpost Zrt. is available at the following link: https://foxpost.hu/uploads/documents/hu/adatkezelesi_szabalyzat.pdf. The data management statement of Foxpost Zrt. is available at the following link: https://foxpost.hu/uploads/documents/hu/foxpost_adatkezeles.pdf.

We would like to inform you that the personal data provided in the invoices issued will be forwarded to the person who manages our accounting.

The person who manages our internal administrative system and our website has access to the personal data we process, but is not authorized to use them.

The employees of our contractual partners also have access to the personal data we process to the extent necessary. We have concluded contracts with our contractual partners that guarantee the protection of your data.

We would like to inform you that we are obliged to transfer the personal data we process to the requesting authority or court in the manner and to the extent provided for by law upon official or judicial subpoena.

Please note that the National Tax and Customs Office will have direct access to your personal data contained in the invoices we issue from July 1, 2020, as from this date all invoices issued must be reported to the tax office based on legal requirements.

In the context of enforcing our legitimate claims or exercising claims against us, we will provide personal data to our legal representative acting on our behalf, as well as the data will be provided to the acting authority and court in the event of the initiation of official or judicial proceedings or participation in such proceedings.

In connection with our events, your personal data (photographic and video recordings, audio recordings) is also processed by the supplier entrusted with the photographic and video production as a data processor. We may use external event management companies to organize our events, to whom the names of participants will be provided.

13. How we collect data

We do not collect personal data from publicly accessible databases or other registers, we only obtain it through voluntary provision of data.

14. What is a data breach and how do we deal with it?

A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In accordance with Article 33(1) of the GDPR, we will notify any data breach to the supervisory authority without undue delay and, where possible, not later than 72 hours after becoming aware of the data breach.

The notification must include the nature of the data breach, including – where possible – the categories and approximate number of data subjects and the categories and approximate number of data affected by the incident, the name and contact details of the contact person for further information, the likely consequences of the data breach and the measures taken or planned by the controller to remedy the data breach, including any measures to mitigate any adverse consequences resulting from the data breach.

If the data breach is likely to result in a high risk to your rights and freedoms, we will notify you of the data breach without undue delay.

We are obliged to keep records of data breaches.

15. Cookies

We would like to inform you that our websites use so-called cookies. Detailed information about them can be found at the following link: https://info.sorslevelek.hu/cookie_tajekoztato.pdf

16. Legal Redress

If you have a complaint regarding our data processing practices, you may submit it directly to the National Office for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.; telephone: +36-1-391-1400; e-mail: [email protected]; website: www.naih.hu).

If we infringe your rights related to data processing, you may file a lawsuit. The lawsuit falls within the jurisdiction of the court. The lawsuit may also be filed with the court of your place of residence or permanent residence, at your choice. We will provide you with detailed information on the possibilities and methods of legal redress upon request.