Book an appointment

Book an appointment

Our colourists can help you with anything!

Privacy policy

To download the Privacy Policy as a document, click HERE

I. INTRODUCTION

 

1.1. Webshop
Tomán Lifestyle Kft. (registered seat: H-1126 Budapest, Szendrő utca 57/B., Cg. 01-09-202790,
hereinafter referred to as the “Company”) operates a Hungarian language webshop (hereinafter referred to
as the “Webshop”) under the domain name www.lipbar.hu (hereinafter referred to as the “Homepage”).
The Webshop is a catalogue of products available on the Company's Homepage, which offers for sale the
products distributed by the Company (hereinafter referred to as the “Product”). By placing an electronic
order in the Webshop, a sales contract is concluded between the natural person placing the order as the
buyer (hereinafter referred to as the “Customer”) and the Company as the seller.


II. GENERAL PROVISIONS

 

2.1. Purpose of the Notice
The purpose of this Privacy Notice (hereinafter referred to as the “Notice”) is to provide information
about the data processing activities followed and applied by the Company.
2.2. Scope of the Notice
The Company confirms that this privacy notice
[1] applies to the data processing activities pursued and used by the Company and [2] to the natural
persons concerned by these data processing activities (Customer collectively: Data Subject). The Company
carries out data processing through the Webshop operated by the Company.
2.3. How to access the Notice
This Notice, in its current version, is available at all times at the Company's (1) registered seat as set out in
section 1.1 and (2) Homepage www.lipbar.hu.
2.4. Amendment of the Notice
The Company reserves the right to amend the Notice unilaterally at any time, as necessary, without prior
notice, with effect from the date of the amendment, and will provide general information on such
amendment. The Company is entitled to modify the content and subject matter of the Program without
prior notice, which may affect the purpose of and consent to the processing of data contained in this
Notice, in which case the Company shall act in accordance with the provisions of this Notice.
2.5. Governing legislation
The Company declares that its data processing in relation to its activities complies with this Notice and the
applicable laws [including in particular, but not limited to, Regulation (EU) 2016/679 of the European
Parliament and of the Council (hereinafter referred to as “GDPR”) and Act CXII of 2011 on the Right to
Information Self-Determination and Freedom of Information (hereinafter referred to as “the Act on
Information”).
Capitalized terms used in this Notice have the meaning given to them in the above-mentioned laws. For
the purposes of this Notice, the term “Data Subject” means the Customer.
2.6. The truthfulness and accuracy of the personal data provided.

The Data Subject (Customer) is solely responsible for the truthfulness and accuracy of the personal data
provided, disclosed and made available to the Company, with the exception of personal data measured by
the Company. The Company shall not be liable for any omissions in the data provided or for any
consequences arising from incorrectly provided data, and expressly excludes its liability in this respect.
2.7. Lack of data provision
The Data Subject acknowledges that the provision of certain personal (special) data for the purchase is
voluntary and that the Data Subject will provide this service. If the Data Subject chooses not to provide
the requested personal (special) data, even partially, he/she acknowledges and accepts that the Company's
contact with him/her will not be effective.
2.8. Data security
The Company treats personal data confidentially and takes all security, technical and organizational
measures to ensure the security of the data.

 

III. CERTAIN DATA PROCESSING

 

The individual data processing activities carried out by the Company are presented in a separate table.
Each table contains only the facts relating to the data processing as set out in point 1 of the tables.

1. Direct marketing and sales enquiries with advertising content (e-DM, newsletter)
(Table 1)
1. Description of data processing:
Pursuant to Section 6 (1) of Act XLVIII of 2008 on the Basic Conditions and Certain Limits of
Economic Advertising Activities (hereinafter: Act on Advertising), the Company shall communicate
advertising (hereinafter: Newsletter) to the Customer as the recipient of the advertising by means of
direct contact, in particular by electronic mail or other equivalent means of individual communication,
provided that the Customer gives his/her prior, clear and express consent. The Customer gives his/her
consent in writing by ticking the yes blank box on the Consent Forms and then signing the Consent
Forms or by ticking the checkbox under the “NEWSLETTER” menu on the Homepage.
2. Personal data processed:
1. name
2. address (postcode, town, street, house number)
3. delivery address (postcode, town, street, house number)
4. phone number
5. email address
6. billing information (name and address of the person to whom the invoice is issued)
3. Purpose of data processing:
Sending direct solicitation or marketing enquiries with advertising content by electronic mail or other
equivalent means of individual communication (e-DM): newsletters containing the Company's own
offers, services, products, anonymously processed statistical data questionnaires, satisfaction
questionnaires… etc. If the Company sends the given type of request to the Customer with targeted
content, it will provide information about this in the request.

3

4. Legal basis for data processing:
The processing of the data takes place on the legal basis pursuant to Article 6(1)(a) of the GDPR, i.e.
with the consent of the Customer.
The Customer has the right to withdraw his/her consent at any time. However, the withdrawal of
consent does not affect the lawfulness of data processing based on consent prior to its withdrawal. The
Customer may withdraw consent by clicking on the “UNSUBSCRIBE” link in the Newsletter or by
sending a free text request in writing to one of the Company's contact details specified in Chapter V of
this Notice. Withdrawal of consent shall become effective upon the Company's knowledge of the
withdrawal.
5. Duration of data processing:
Until 36 months from the date of giving consent or until withdrawal of consent (unsubscribe from the
newsletter, hereinafter referred to as “UNSUBSCRIPTION”). The fact and date of the Unsubscription
will be recorded in such a way that, for the sake of evidence, the previous data cannot be retrieved, but
the Unsubscription can be proved if specific data is provided. Unsubscriptions communicated in the
Newsletter will take effect immediately, while unsubscriptions communicated by telephone or other
means of contact will take effect after 5 working days at the latest.
6. Customer rights:
Rights under Chapter V
7. Enforcing customer rights:
According to Chapter VI
8. Data processor:
WD-Artech Kft., H-6050 Lajosmizse, Ybl Miklós u. 11.
Bence Basa, sole entrepreneur
2. Camera surveillance (Table 2)
1. Description of data processing:
The Company uses an electronic surveillance system (hereinafter referred to as the “Camera”) in the
business premises operated by it (hereinafter referred to as the “Store”), which allows for image
recording (hereinafter referred to as “Recording”) in order to protect assets and trade secrets. The
purpose of using the camera is to detect infringements, to catch possible perpetrators in the act, to
prevent infringing acts and to prove them.
2. Personal data concerned by Recording:
The entire content of the Recording, in particular, but not limited to, the image and behavior of the
Data Subject.
3. Purpose of data processing:
Protection of assets and trade secrets.
4. Legal basis for data processing:
[GDPR Article 6(1)(f)] Protection of the legitimate interests of the Company

4

On the premises of the Store, there is stock for sale, valuable machinery, equipment, cash and
documents containing trade secrets and sensitive personal data, the protection of which is in the
interest of both the Company and the Data Subjects.
5. Place of storage of the Recording:
The Company's central server.
6. Duration of storage of the Recording:
The Company will destroy or delete the Recordings if they are not used within 3 working days of their
recording. Use means the use of the Recording as evidence in judicial or other official proceedings.
7. Data security measures related to the storage of the Recording:
The central server is located in a locked room, to which only the managing director has access.
8. Person authorised to access the Recording:
Managing Director of the company.
9. Transfer of the recording:
The Company will only transfer the Recordings to persons specified by law in order to fulfil a legal
obligation.
10. Purpose of using the Recording:
The Company uses the Recordings solely for the purpose of fulfilling its legal obligation as defined by
law.
11. The Data Subject's rights in relation to the Recording:
Rights under Chapter V
12. Enforcing the rights of the Data Subject:
According to Chapter VI
13. Data processor
WD-Artech Kft., H-6050 Lajosmizse, Ybl Miklós u. 11.
Bence Basa, sole entrepreneur
14. Rules for checking (reviewing) Recordings:
The Company only checks and reviews the Recordings if it suspects that a specific infringing event or
act has occurred. The Company shall introduce a staged system of checks during the review
(inspection) of the Recordings, taking into account the principle of gradualness, with the aim of
ensuring that the monitoring does not, or as little as possible, affect the privacy of the Data Subjects.
As a first step in the review, the administrator determines (i) a time period during which the event
giving rise to the review is likely to have occurred, and (ii) the specific area or (iii) camera angle of view
within which the event giving rise to the review is likely to have occurred. The administrator may set a
time limit of up to 12 hours as a first step of the inspection. If the objective of the inspection is
achieved on the basis of the criteria set out in the first step, the Company will complete the inspection

5

without delay. If the former cannot be established beyond reasonable doubt and further verification is
necessary, the administrator is entitled, as a second step, to establish broader criteria than those set out
in the first step.
3. Webshop (Table 3)
1. Description of data processing:
The Customer can place an order for the products selected in the Webshop (1) by logging in after
registration or (2) without registration. In both cases, the Customer records the personal data specified
in point 2, without the provision of which the performance of the contract is not possible.
2. Personal data processed:
1. name
2. address (postcode, town, street, house number)
3. delivery address (postcode, town, street, house number)
4. phone number
5. email address
6. billing information (name and address of the person to whom the invoice is issued)
3. Purpose of data processing:
Selling the Product to the Customer through the Webshop and delivering the Product to the Customer,
fulfilling accounting obligations.
4. Legal basis for data processing:
The data processing is based on Article 6(1)(b) of the GDPR, i.e. the data processing is necessary for
the establishment and performance of a sales contract.
The data processing is based on the legal basis pursuant to Article 6(1)(c) of the GDPR, i.e. the data
processing is necessary for the fulfilment of a legal obligation (tax and accounting obligations) to which
the Company is subject.
5. Duration of data processing:
The Company processes the Data Subject's personal data during the contractual relationship and for a
limited period thereafter in compliance with the applicable legal obligations.
6. Customer rights:
Rights under Chapter V
7. Enforcing customer rights:
According to Chapter VI
8. Data processor:
WD-Artech Kft., H-6050 Lajosmizse, Ybl Miklós u. 11.
TNT and GLS courier services
4. Data processing for billing purposes (Table 4)
1. Description of data processing:

6

The Company will issue and keep an invoice for the products sold and services used as set out in the
tables above. Data processing for billing purposes is closely related to, and forms part of, data
processing for the performance of a contract, but on a different legal basis.
2. Personal data processed:
Pursuant to Section 169 and Section 202 of Act CXXVII of 2017 on Value Added Tax:
1. name
2. address
Based on Section 167 of Act C of 2000 on Accounting:
1. name
2. address
3. Purpose of data processing:
Issuing invoices for products sold and services used, keeping them, and fulfilling tax and accounting
obligations.
4. Legal basis for data processing:
The data processing is based on the legal basis pursuant to Article 6(1)(c) of the GDPR, i.e. the data
processing is necessary for the fulfilment of a legal obligation (tax and accounting obligations) to which
the Company is subject.
5. Duration of data processing:
The issued invoice as an accounting document shall be kept until the deadline pursuant to Section 169
of Act C of 2000 on Accounting (currently 8 years), until 31 December 2017 pursuant to Section 47(3)
and Section 164 of Act XCII of 2003 on the Rules of Taxation (old Act on Taxation), and after 1
January 2018 until the tax statute of limitations pursuant to Section 78(3) and Section 202 of Act CL of
2017 on the Rules of Taxation (new Act on Taxation).

IV. RIGHTS OF THE DATA SUBJECT

The Data Subject has the following rights in relation to the above data processing activities.
4.1. Right to information
The Data Subject has the right to be informed of the facts relating to the processing of his or her personal
data processed by the Company before the processing starts. Given the fact that the Data Subject
provides the Company with his or her personal data, the Company fulfils its obligation to provide
information pursuant to Article 13 of the GDPR by means of this Notice.
4.2. Right of access (GDPR Article 15 )
The Data Subject has the right to request at any time information about the exact personal data
concerning him or her are processed by the Company. Upon request, the Company will also provide
information on the purposes, legal basis, duration of the processing of the Data Subject's data, as well as
on who is receiving or has received his/her data and for what purposes (including in particular recipients
in third countries and international organizations, if any). The Data Subject is entitled to have access at
any time to the right to request the Company to rectify, erase or restrict the processing of personal data
concerning him or her and to object to the processing of such personal data. The Data Subject is entitled
to receive information at any time that he or she may lodge a complaint with the supervisory authority. In
the event that data is obtained by the Company from a source other than the Data Subject, the Data

7

Subject may at any time request information about the source of the data. Where the Company transfers
personal data to a third country or an international organization, the Company will also inform the Data
Subject of the appropriate safeguards for the transfer in accordance with Article 46 of the GDPR.
The Company shall provide the Data Subject with a first copy of the personal data processed free of
charge. The Company may charge a reasonable fee for additional copies, based on administrative costs
and in proportion to the volume of data, the amount of which will be communicated to the Data Subject
by the Company in advance. If the Data Subject has submitted a request for information/access
electronically, the Company will provide the information to the Data Subject in a commonly used
electronic format, unless the Data Subject requests otherwise. The right to obtain a copy shall not
adversely affect the rights and freedoms of others.
4.3. Right to rectify, supplement or amend (GDPR Article 16)
The Data Subject has the right to request the Company to correct inaccurate or erroneously recorded
personal data. If the data is incomplete, taking into account the purpose of the processing, the Data
Subject may request that it be completed. If the information requested to be corrected or completed is
contained in an official identity and address document or other public record, the correction or
completion also requires the presentation of this document.
4.4. Right to erasure of personal data ("right to be forgotten") (GDPR Article 17)
The Data Subject may at any time request the Company to erase his or her personal data, which the
Company is obliged to comply with if one of the following grounds applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise
processed by the Company;
b) the Data Subject has withdrawn the consent on which the processing is based and there is no other
legal basis for the processing;
c) the Data Subject objects to the Company's data processing based on the public interest or legitimate
interest pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the data
processing, or objects to the processing of data for direct marketing purposes pursuant to Article 21(2) of
the GDPR;
d) the personal data were unlawfully processed by the Company;
e) the personal data must be erased in order to comply with a legal obligation under Union or Member
State law applicable to the Company;
f) the personal data were collected in connection with the provision of information society services
referred to in Article 8(1) of the GDPR.
If the Company has disclosed the personal data and is obliged to delete it, it will take all reasonable steps
to inform the other data controllers of the obligation to delete the data.
The data do not have to be deleted if the processing is necessary:
a) to exercise the right to freedom of expression and information;
b) to comply with an obligation under the law applicable to the Company (e.g. tax and accounting
obligations) that requires the processing of personal data, or to carry out a task in the public interest or in
the exercise of official authority vested in the Company;
c) on grounds of public interest in the field of public health pursuant to Article 9(2)(h) and (i) and Article
9(3) of the GDPR;
d) for archiving purposes in the public interest, scientific and historical research purposes or statistical
purposes in accordance with Article 89(1) of the GDPR, where the right of erasure would be likely to
render such data processing impossible or seriously jeopardize it; or
e) to bring, enforce or defend legal claims.
4.5. Right to restriction of processing (GDPR Article 18)

8

The Data Subject may request the Company to restrict the processing of certain of his or her personal
data if one of the following conditions is met:
a) the Data Subject contests the accuracy of the personal data, in which case the restriction applies for the
period of time that allows the Company to verify the accuracy of the personal data;
b) the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead
the restriction of their use;
c) the Company no longer needs the personal data for the purposes of processing, but the Data Subject
requires them for the establishment, exercise or defense of legal claims;
d) the Data Subject has objected to the data processing on the basis of Article 21(1) GDPR and time is
necessary to assess whether there are overriding legitimate grounds for the processing. In such a case, the
restriction shall apply for the period until it is established whether there is a legitimate ground for data
processing which takes precedence, i.e. whether the Company's legitimate grounds for retaining and
processing the data take precedence over the Data Subject's legitimate grounds for deleting the data.
During the period of restriction, the Company will only store the data and will not perform any other
processing operation on it, unless (i) the Data Subject consents to further processing or (ii) the
processing is necessary for the establishment, exercise or defense of legal claims, (iii) the processing is
necessary to protect the rights of another natural or legal person, or (iv) the processing is necessary for
important public interests of the Union or of a Member State.
In the event of restriction of processing, the Company shall inform the Data Subject in advance of the
lifting of the restriction in the form and manner in which the Data Subject has requested the restriction of
processing.
The Company shall inform any recipient to whom or with which it has disclosed the personal data of the
rectification, erasure or restriction of processing requested by the Data Subject and carried out by the
Company, unless this proves impossible or involves a disproportionate effort. Upon the Data Subject's
request, the Company shall inform the Data Subject of the identity of the recipients to whom it has
provided the information referred to above.
4.6. Right to object (GDPR Article 21)
The Data Subject has the right to object at any time, on grounds relating to his or her particular situation,
to the processing of his or her personal data on grounds of public interest or necessary for the purposes
of the legitimate interests pursued by the Company or a third party (Article 6(1)(e) and (f) of the GDPR),
including profiling based on the aforementioned provisions. In such a case, the Company may no longer
process the personal data unless it can demonstrate compelling legitimate grounds for the processing
which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or
defense of legal claims.
The Data Subject has the right to object at any time to the processing of personal data concerning the
Data Subject for the purposes of direct marketing, including profiling (if used by the Company, but duly
informed), where it is related to direct marketing. In case of objection, the personal data will no longer be
processed by the Company for direct marketing purposes.
In the case of data processing for statistical purposes, the Data Subject has the right to object, on grounds
relating to his or her particular situation, to the processing of personal data concerning him or her for
such purposes, unless the processing is necessary for the performance of a task carried out for reasons of
public interest.
4.7. Right to data portability (GDPR Article 20)
In view of the fact that the Company also stores the Data Subject's data in an electronic database, the
Data Subject has the right to receive the personal data concerning him/her provided to the Company in a

9

structured, commonly used, machine-readable format and to transmit such data to another controller
without the Company's hindrance. The right to data portability applies to data which are processed based
on the Data Subject's consent (Article 6(1)(a) or 9(2)(a) GDPR) or on the performance of a contract
(Article 6(1)(b) GDPR). If the Data Subject requests the direct transfer of personal data between
controllers, the Company will indicate whether this is technically feasible.
4.8. Right to lodge a complaint with a supervisory authority (GDPR Article 77)
Without prejudice to any other administrative or judicial remedies, the Data Subject has the right to lodge
a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence,
place of work or place of the alleged infringement, if the Data Subject considers that the processing of
personal data relating to him or her infringes the provisions of the GDPR.
In Hungary, the supervisory authority is the National Authority for Data Protection and Freedom of
Information (H-1024 Budapest, Szilágyi Erzsébet fasor 22/C., e-mail: ugyfelszolgalat@naih.hu, +36-1-
3911400, President: dr. Attila Péterfalvi, www.naih.hu).
The supervisory authority with which the Data Subject has lodged the complaint is obliged to inform the
Data Subject as a customer of the procedural developments concerning the complaint and its outcome,
including the right of the Data Subject to seek judicial remedy under Article 78 of the GDPR.
4.9. Right to an effective judicial remedy against the supervisory authority (GDPR Article 78)
Without prejudice to other administrative or non-judicial remedies, the Data Subject shall have the right to
an effective judicial remedy against a legally binding decision of the supervisory authority (in Hungary, the
National Authority for Data Protection and Freedom of Information) concerning him or her. Without
prejudice to any other administrative or non-judicial remedies, the Data Subject shall have the right to an
effective judicial remedy if the supervisory authority competent under Articles 55 or 56 of the GDPR does
not deal with the complaint or does not inform the Data Subject within three months of the procedural
developments concerning the complaint lodged under Article 77 or of the outcome of the complaint.
Proceedings against the supervisory authority must be brought before the courts of the Member State
where the supervisory authority is established (in Hungary, the Administrative and Labor Court of
Budapest has jurisdiction and competence to hear proceedings against the National Authority for Data
Protection and Freedom of Information).
4.10. Right to an effective judicial remedy against the Company or the data processor (GDPR
Article 79)
Without prejudice to the available administrative or non-judicial remedies, including the right to lodge a
complaint with a supervisory authority under Clause 4.8, the Data Subject has the right to bring a legal
action before a court if he or she considers that the Company has not processed his or her personal data
in accordance with the GDPR and has therefore infringed his or her rights under the GDPR.
The proceedings must be brought before the courts of the Member State where the Company is
established, i.e. Hungary. Proceedings may also be brought in the courts of the Member State of the Data
Subject's habitual residence (if different from Hungary).
4.11. Informing the Data Subject about data breach (GDPR Article 34)
If the personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subject,
the Company will inform the Data Subject of the personal data breach without undue delay. This
information must clearly and plainly describe the nature of the data breach and include at least the
following information and measures:
a) the name and contact details of any contact person who can provide further information;
b) explain the likely consequences of the data breach;

10

c) describe the measures taken or envisaged by the data controller to remedy the personal data breach,
including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
The Data Subject need not be informed of a personal data breach if any of the following conditions are
met:
a) the Company has implemented appropriate technical and organizational protection measures and these
measures have been applied to the data affected by the personal data breach, in particular measures such
as the use of encryption, which render the data unintelligible to persons not authorized to access the
personal data;
b) the Company has taken additional measures following the personal data breach to ensure that the high
risk to the rights and freedoms of the data subject is no longer likely to materialize;
c) providing information would require a disproportionate effort.
In the above cases, the Data Subject shall be informed by means of publicly disclosed information or by
means of a similar measure which ensures that the Data Subject is informed in a similarly effective
manner.

V. ENFORCING THE RIGHTS OF THE DATA SUBJECT,
SUBMISSION OF APPLICATION, CONTACTING THE COMPANY

In order to enforce his/her rights, the Data Subject should preferably i) send his/her request in writing by
post ii) deliver it in person to the registered seat of the Company or iii) send it by e-mail to the Company's
e-mail address.
Data and contact details of the Company/Data Controller:
Postal address: H-1126 Budapest, Szendrő utca 57/B
Phone: +36-20-4869149
Homepage address: www.lipbar.hu
Email: lipbar@bytoman.hu
If there is any doubt about the identity of the Data Subject or if the data provided are insufficient for
identification, the Company is entitled to request from the Data Subject additional identification data
necessary and appropriate to confirm the identity.
If the person making the request cannot prove his/her identity beyond reasonable doubt and cannot
therefore be identified, the Company may refuse to process the request.

The Company shall inform the Data Subject of the measures taken in response to the request without
undue delay and in any event within one month of receipt of the request. If necessary, taking into account
the complexity of the request and the number of requests, this deadline may be extended by a further two
months. The Company shall inform the Data Subject of the extension of the deadline within one month
of receipt of the request, stating the reasons for the delay.
If the Data Subject has submitted the request by electronic means, the information shall be provided by
electronic means where possible, unless the Data Subject requests otherwise.
If the Company fails to take action on the Data Subject's request, it shall inform the Data Subject without
delay, but no later than one month after receipt of the request, of the reasons for the failure to take action
and of the possibility for the Data Subject to lodge a complaint with a supervisory authority and to
exercise his or her right to judicial remedy.
The information pursuant to Articles 13 and 14 of the GDPR and the information and action pursuant to
Articles 15 to 22 and 34 of the GDPR shall be provided by the Company free of charge. If a request is

11

manifestly unfounded or excessive, in particular because of its repetitive nature, taking into account the
administrative costs of providing the information or