Data Controlling
  1. Whose data is being controlled?

Every registered User, regardless of being a natural or a legal person, is subject to data controlling. A User can be either a B2B Customer or a Distributor.

Persons who are not registered count as Visitors. A Visitor need share no personal data, therefore the only part of the Privacy Policy that concerns them is Cookies (see the corresponding section).

  2. What sort of Personal Data is being controlled?
  • Name (first name, surname, company name, department name)
  • EU VAT number
  • Address (referring to a definite location, including but not limited to house number, postal code (zip code), city and country)
  • Telephone number
  • Email address
  • Bank account number
  • Data for identifying a debit/credit card, and/or bank account

The Data Controller has the right to use data available from third parties to examine the legal and financial background of the Users.

  3. What sort of other Data is being controlled?

Data concerning purchasing, delivering, warranty, returning and refunding products.

  4. What is the legal basis of collecting and controlling Personal Data?

The consent of Users.

  5. What is the duration of Data Controlling?

Personal Data controlling ends instantly upon a personal withdrawal of consent or a request for deleting or destroying the data.

Data concerning purchases made by Users are stored for 5 years.

  6. What is the purpose of Data Collecting and Controlling?

Making offers for the Users on request.

Serving and processing the orders made by the Users.

Maintaining contact with and supporting the Users, including answering inquiries, resolving complaints, giving information e.g. on offers they may find relevant.

The easy and efficient use of the Webshop for the Users.

Visitors and Users may receive newsletters about new products and offers if an explicit consent is given by them for that purpose.

  7. Who can access the data?

Any User can access their own data.

No Visitor, User or unappointed third party can access any other data.

The staff of the Webstore can access all data; however, they are not allowed to use them for any other purpose than described above, nor transfer or sell them to any unappointed third parties.

Appointed third parties that are able to access the data are described in the following section.

  8. Whom is data transferred to?

In case of debit/credit card payment, data describing financial information (e.g. bank account number) are transferred to Simplepay online payment service ( After the payment has been completed data are transferred to Novitax accounting service (

In case of money transfer payment, data describing financial information are transferred to Novitax accounting service (

Data describing information essential for the delivery of the products are transferred to Thor store management software, and to the warehouse of the Webshop (59. Lőrinci út, 2220 Vecsés, Hungary).

Any data have to be transferred to third parties if they are required for investigating and/or examining criminal cases or cases of national security. If this happens, the third party who requires the data must define what data they need and name the exact purpose of data controlling, too.

Apart from the cases described above, no data can be transferred to any other third parties without the consent of the User.

  9. What happens if Personal Data are not shared or if a person ceases to share it?

No User is obligated to share any Personal Data; visiting the webpage is possible without doing so (or after withdrawing a consent to Data Controlling). In this case, however, Users may have limited access to our services (e.g. they cannot receive offers, make purchases).

Since a Visitor need share no Personal Data (whereas a User must do so), a missing or a withdrawn consent of a Visitor cannot be interpreted.

Data protection

The Data Controller makes every effort (that can be expected rationally) so that the principles of the safety of data can prevail. This can be summarized in the following way.

  1. Availability

Those who have the right to access the necessary data are able to do so at any time.

  2. Confidentiality

Every piece of data is available only for those who are authorized to control and process it.

  3. Authenticity and Integrity

During the process of data storing and controlling the data itself remains unchanged.

While the data is being stored, the Data Controller takes every measure of protection and precaution (that can be expected rationally) so that the data shall be protected against stealing, unauthorized accessing, becoming damaged, corrupted, deleted, destroyed and published (regardless of whether this is the result of an intentional or unintentional act), and against failures of electronic or any other forms (including natural disasters).

Data Breach and its Handling

In case of a data breach of high risk, the Data Controller informs the persons who are involved (due to their rights and freedom) with no delay.

By doing so the Data Controller explains clearly and in a legible form

– the nature of the breach

– the probable consequences of the breach

– the actions planned or performed to handle the breach, including the actions which are to lessen the possible negative consequences

– provides the contact of the data protection officer, or if he/she is not available at that time, of a person who is able to give ample amount of information about the situation.

The Data Controller need not inform the persons who are involved if

– the Data Collector performed actions which made the data affected by the breach incomprehensible (e.g. by using encryption on the data)

– informing the persons who are involved would require actions of disproportionate effort (in this case information shall be provided in another form, e.g. publishing)

– due to the actions performed by the Data Collector the high risk does not exist anymore.


Cookies

The webpage uses cookies for its operation. The purpose of the cookies can be summarized in the following way:

– they enable the webpage to recognize and store the preferences of the Visitors and Users (e.g. the language of the page)

– they are to authenticate the Visitors and Users so as to protect their personal data and prevent the abuse of these data

– they make the navigation between sub-pages easier

– they store the most frequently visited pages so that they can load faster

– they help the Data Controller collect information about the use of the webpage and its parts so the Data Collector can optimize and develop the page taking account of the activities of the Visitors and Users.

These Cookies work automatically.

A Visitor, however, can disable them either together, or one by one. The exact way of doing so depends on the browser the Visitor uses: in most cases the corresponding option can be found in the browser’s settings menu.

If the cookies are disabled, certain parts of the webpage might not work or might work improperly.

According to the law a webpage can use certain types of cookies without having a consent for doing so. On the Webshop the following cookies belong to this group:

– authentication cookies – they identify a User who is logged in until he/she logs out (and the cookies become deleted)

– user-input cookies – these store and trace data given by the User e.g. on a form or a questionnaire; they are deleted a couple of hours after the corresponding data has been given

– user-interface customisation cookies – these cookies record the preferences of a Visitor (e.g. the language used by the webpage) and are deleted when the page has been left or a short time afterwards.

None of these cookies are stored for a long time and their main purpose is to make the visit efficient for the Visitors and the Users.

The Visitors’ and Users’ Rights 

Every Visitor and User has the right to the following actions, which can be enforced by sending an e-mail to the following address or by sending a message on the Support sub-page of the Webshop.

These rights are the following:

  1. The right to be informed beforehand

Every person has the right to be informed about all the facts related to data controlling and processing, in a clear and legible form. This right exists even if the data controlling has not begun.

  2. The right to access

Every person has the right to receive feedback about the process by which his/her data is being controlled, including the nature of the data, the purpose and duration of controlling and the fact if his/her data is being transferred to a third person. Every person has the right to be informed about their rights related to data controlling and processing.

Certain services of the Webshop might not be available if the User does not allow that certain data are being transferred to third parties elaborated in the corresponding section of Data Controlling.

  3. The right to rectification

Every User has the right to ask the Data Controller to correct his/her personal data. (The Users may be asked to provide some additional data if it is missing.) Every User can modify his/her personal data: this can be done having logged in on the Profile sub-page.

Every natural or legal person to whom the corrected data (of any nature) has been transferred shall be informed about the correction unless it is impossible or disproportionate effort is required.

  4. The right to erasure and to be forgotten

Without any further notice or request the data of a User is to be deleted in the following cases:

– the data collected and processed before is not used in the future

– the only legal basis of data controlling was the User’s consent, which has been withdrawn

– it has been proved that the data controlling has been illicit.

Should any data of a User have been published (followed by a formerly expressed consent) and it must be deleted (due to the User’s right to erasure), an attempt is made to inform every other data collector involved in the situation that the User requested the deletion of his/her data. The particular amount of effort taken depends on the available time, technology and the estimated costs of the action. Approved third parties are informed about the User’s request in all cases.

  5. The right to restrict

Should a User consider our methods of data controlling inappropriate he/she can request us to restrict the processing of their data.

If it becomes proven that the User’s or Visitor’s data has been illicit, restricting data instead of deleting it can be requested, too. In this case the Data Collector stores the data in question but does not process it.

Due to data restriction certain services of the Webpage might become restricted.

  6. Right to object

Any affected person has the right to object against controlling his/her Personal Data due to any reason related to his/her situation at any time, regardless of whether the Data Controlling is carried out in the public interest, in the exercise of an official authority vested in the controller, or due to the need of exercising the legal claims of a third party.

In the cases above the Data Controller shall not control the related Personal Data any more unless it is proven by the Data Controller that doing so is a necessity based on legal reasons which override the interests, rights and freedom of the affected person or are in direct connection with proposing, exercising or protecting legal claims.

If the controlling of Personal Data happens for direct solicitation, the affected person has the right to object against controlling his/her Personal Data for this particular purpose. If an objection happens due to this reason, the related Personal Data shall not be controlled for this purpose in the future.

No Personal Data are being collected for research or statistic purposes in a form which enables the identification of any User; all collected data for these purposes are anonymized. Therefore, the affected person may object to the controlling of anonymized data only before collecting the described data takes place. Special attention has to be called to the right to object when or before the first contact between the Data Controller and the Visitor is established; the related information has to be announced in a clear and unambiguous form, separated from any other pieces of information.

  7. The right to data portability

If the claim of Data Controlling is the consent of a Visitor or based on a contract, the User has the right to obtain all data related to him/her in a legible form that is viewable with a computer or any other similar digital device. The format of the data shall be a widespread one. Assuming it is attainable, the User may request that his/her data shall be transferred to another Data Controller.

Exercising the right to data portability may not affect disadvantageously the rights and freedom of other persons.

  8. Automated decision systems

The User is able to enter the specifications of the products they wish to order. As a result of this process, the Webshop automatically determines and displays certain parameters (such as weight or price).

In certain cases, (e.g. ordering of customized products) the Webshop may offer sub-pages with relevant information or forms, or automatically direct the User to such a page.

The purpose of these automated activities of the Webshop is to make the service more effective and convenient for the Users.

Moreover, the Webshop may send emails containing news or offers that may be relevant for a certain User. During this process (e.g. by selecting the email addresses or the content of the emails) the Webshop may perform automated decisions so that the probability of sending information a User may be interested in can be the highest. Emails are sent to a User only if a consent from the User is given for that beforehand.

  9. The right to legal remedy

If a Visitor or User presumes that the data controlling happens improperly or in an illicit way, they have the right to contact us by using the following email address or the Support page of

Any complaints related to controlling Personal Data can be addressed to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH; Nemzeti Adatvédelmi és Információszabadsági Hatóság), whose address is the following: 22/C Szilágyi Erzsébet Fasor, 1125 Budapest, Hungary, Europe; postal address: Post Office Box 5, 1530, Budapest, Hungary, Europe.

The Visitor or User has the right to exercise their rights in the form of a lawsuit at a civil court. Assessing the legal action is within the sphere of action of the court of justice. The plaint has to be submitted to the court corresponding to the Visitor’s place of residence. Further information about the Hungarian courts can be found at the following webpage:

The name and contact of our Data Protection officer:

Terms and Definitions

Administrator – The person or persons, who are responsible for maintaining the Webshop.

B2B Customer – Aka. Business-to-business Customer, a type of User who is able to purchase Products for their company.

Consent – An expression of will by a Visitor which has been performed voluntarily, clearly and definitely based on an adequate form of informing, in which he/she agrees that their Personal Data can be controlled by the Data Controller. A Consent can be of a form of declaration, or any form of action that refers to the expression of will.

Data Breach – Aka. Breach; an incident which leads to security issues, which means the loss, alteration or destruction of data (accidentally or illicitly), and/or the illicit publishing or accessing of data.

Data Controller – HBS Medical Kft.

Data Controlling – Any automatized or manually performed process applied to data. The term includes collecting, recording, systematization, conversion, query, publishing, applying, noticing, providing, spreading, harmonizing, restricting, deleting and destroying.

Data Deleting – Aka. Erasure; making data unrecognizable in a way which guarantees that the particular data cannot be recovered in the future.

Data Processing – Any task executed on data, related to Data Controlling; regardless of its place, manner, used tools and methods.

Data Processor – A natural or legal person, or an organization without a legal personality who is assigned by the Data Controller to the task of processing data.

Data Transferring – Making data available for a certain third party.

Distributor – A type of User who is able to purchase and re-sell Products.

Info. Act – The 2011/CXII. Act, which describes the right to self-determination and the freedom of information.

Personal Data – Any information which refers to an identified natural or legal person or enables the identification of them. A person is identifiable if this process can be done by either directly or indirectly using one or more types of Personal Data, e.g. name, number (telephone or the number of documents like an ID card), online name, or data referring to physical, physiological, genetic, cultural, social, economic identity.

Personally Identifiable Financial Information – Aka. PIFI, any information provided by a consumer that would not be available otherwise publicly. It enables the unique and/or focused searching, identification and validation of a person’s financial information. PIFI includes (but is not limited to) the following sorts of information: name, company name, contact details, bank account number, credit card number, tax number.

Protest – A notice given by a person so that they express an objection to the controlling of their personal data, or they express a request of ceasing of Data Controlling, or deleting their data.

Registration – The process which enables Visitors to become Users. It includes sharing personal data and giving consent for Data Controlling. Registered Visitors can be B2B Customers (Business-to-Business Customers) or Distributors.

User – Any person who is registered to the Webshop, either as a B2B Customer or a Distributor.

Visitor – A person who is visiting the Webshop without being registered. Visitors need give no personal data for this action (see Registration, User). Any User who has not shared the necessary personal data or who has withdrawn their consent for Data Controlling counts as a Visitor automatically.

Webshop –