Privacy Policy

Data Processing Notice

Introduction:

Minitoys Ltd. (Registered seat: 3281 Karácsond, Hársfa Street 23, Tax number: 14360194-2-10, Company registration number: 10-09-028436, https://minitoys.hu) (hereinafter: Service Provider, Data Controller) processes personal data made available to it in accordance with this Data Processing Notice.

Amendments to the notice enter into force by publication at the above address.

 

Data Controller and Contact Information:

Name: Ákos Hajdrik

Registered seat: 3281 Karácsond, Hársfa Street 23.

E-mail: [email protected]

Phone: +36 30 8279256

 

Data Protection Officer Contact:

Name: Gábor Czupy

Registered seat: 3281 Karácsond, Hársfa Street 23.

E-mail: [email protected]

Phone: +36 30 3709088

 

Definitions

“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Data processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

“Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

“Data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

Legal background of data processing:

The data processing of the Data Controller is based on voluntary consent and statutory authorization. In the case of processing based on voluntary consent, data subjects may withdraw their consent at any time during data processing.

In certain cases, the processing, storage, and transmission of certain provided data is required by law, of which we will notify our customers separately.

We draw the attention of those providing data to the Data Controller to the fact that if they do not provide their own personal data, it is their duty to obtain the consent of the data subject.

 

The principles of our data processing are in line with current data protection legislation, in particular with:

– Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

– Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info Act)

– Act V of 2013 on the Civil Code (Civil Code)

– Act C of 2000 on Accounting (Accounting Act)

– Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing

– Act CLV of 1997 on Consumer Protection

– Act CLXV of 2013 on Complaints and Public Interest Disclosures

– Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities

 

Purpose, method and legal basis of data processing:

General data processing guidelines:

The Data Controller's data processing activities are based on voluntary consent or legal authorization. In the case of data processing based on voluntary consent, data subjects may withdraw their consent at any time during the processing. In certain cases, the processing, storage, and transmission of a range of provided data is required by law, of which we will notify our customers separately.

We draw the attention of data providers to the fact that if they are not providing their own personal data, they must obtain the consent of the data subject.

The Data Controller does not verify the personal data provided. The person providing the data is solely responsible for its accuracy. Any data subject providing their email address also accepts responsibility for ensuring that only they use the service from that email address.

The Data Controller shall take all technical and organizational measures necessary to ensure the security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.

 

Rights of the data subjects and remedies:

The data subject may request information about the processing of their personal data, request its correction, deletion, or the restriction of its processing, and object to the processing of such personal data.

The data subject may submit their request to the Data Controller by post or electronically at the contacts provided above.

 

Legal remedy options:

The data subject may file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or initiate legal proceedings.

 

Contact of NAIH:

Hungarian National Authority for Data Protection and Freedom of Information

Address: 1055 Budapest, Falk Miksa utca 9-11.

Phone: +36 (1) 391-1400

E-mail: [email protected]

Website: https://naih.hu

 

Handling of personal data collected through the Amazon platform:

Our company processes only those customer data necessary for the fulfillment of orders placed on the Amazon marketplace, using the Selling Partner API (SP-API) provided by Amazon. The scope of personal data transmitted by Amazon, the purpose and duration of data processing, and our security measures are as follows:

Processed personal data | Purpose of data processing

Customer name | Identification of the buyer, processing orders, lawful invoicing and delivery.

Shipping name and address | Delivery of the ordered product, transfer to courier service solely for delivery purposes.

Billing name and address | Issuance and archiving of invoices in compliance with accounting obligations.

Email address | Order status confirmation, customer service communication, delivery coordination.

Phone number | Coordination of delivery, handling customer inquiries, resolving delivery issues.

Order ID, technical identifiers | Logging and processing orders, internal administrative and accounting tasks.

 

Legal basis of data processing: Fulfillment of sales contracts as an Amazon partner (GDPR Article 6(1)(b)), and compliance with legal obligations regarding accounting and taxation (GDPR Article 6(1)(c)).

 

Data retention period:

In accordance with Amazon’s Data Protection Policy, customer personal data is stored in the active system for no more than 30 days. After this period, data is either deleted or archived in a segregated, encrypted system (e.g., for 8 years of statutory invoice retention). Archived data is accessible only to authorized personnel through documented and logged access.

 

Access control:

Personal data provided via SP-API can only be accessed by employees whose job responsibilities require it. Access is managed through Role-Based Access Control (RBAC), secured with Two-Factor Authentication (2FA), and all access is logged. Access is granted based on the principle of least privilege.

 

Security measures:

- Data is stored encrypted (AES-256 standard),

- Access is protected within a VPN-secured, VPC-based infrastructure,

- Copying data or transferring it to public devices is technically restricted,

- We conduct regular vulnerability scans and fix security issues based on severity: critical within 72 hours, high within 7 days, medium by the next release cycle, all documented accordingly.

 

Data sharing:

Amazon data is shared only with the following processors when essential for order fulfillment:

- Courier services (GLS, DPD, Trans-o-flex): shipping name and address only,

- Accounting firm (EM-Audit Bt.): invoicing data for statutory archiving purposes.

All data transfers occur over encrypted channels and are governed by data processing agreements.

 

Limitation of data usage:

Amazon-sourced personal data is under no circumstances used for marketing, newsletters, remarketing, or analytics. It is used exclusively for order fulfillment and compliance with legal obligations.