I. The Data Management service provider
Service provider name:
Helix Művek Kft.
Headquarters and postal address:
1052 Budapest Szervita tér 3. 4/11
Metropolitan Court of Registration
Company register number:
Customer service e-mail address:
Contact details for complaint handling:
Hosting provider name:
Address of hosting provider:
151 O'Connor Street, Ground floor, Ottawa, ON, K2P 2L8
II. Data protection guidelines applied by the Company
1. As a data controller, the Service Provider undertakes to ensure that all data processing related to its activities complies with the requirements set out in these regulations and in the applicable national legislation, as well as in the legal acts of the European Union.
2. Information about the Service Provider's data management is continuously available in the footer of the start page of the www.helixgoods.com website operated by the Service Provider.
3. The Service Provider is entitled to unilaterally modify the Data Management information. In case of changes to the Data Management Information, the Service Provider will notify the user by publishing the changes on www.helixgoods.com. By using the service after the amendment enters into force, the user accepts the amended Data Management Information.
4. The Service Provider is committed to protecting the personal data of its customers and partners, and considers it of utmost importance to respect its customers' right to informational self-determination. The Service Provider treats personal data confidentially and takes all security, technical and organizational measures that guarantee data security. The data management practice of the Service Provider is contained in this data management information.
5. The data management principles of the Service Provider are in accordance with the applicable legislation on data protection, in particular with the following:
- CXII of 2011. Act - on the right to self-determination of information and freedom of information (Infotv.); - Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) - on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection regulation, GDPR);
- Act V of 2013 - on the Civil Code (Ptk.);
- Act C of 2000 - on accounting (Accounting Act);
- CXXXVI of 2007 Act - on the prevention and prevention of money laundering and terrorist financing (Pmt.);
- CVIII of 2001 Act - on certain issues of electronic commercial services and services related to the information society (Eker. tv.);
- XLVIII of 2008 Act - on the basic conditions and certain limitations of economic advertising activity (Grt.).
6. The Service Provider uses personal data on the basis of the legal basis included in the GDPR and only for specific purposes.
7. The Service Provider undertakes to publish a clear, attention-grabbing and unequivocal statement before recording, recording and processing any of its users' Personal Data, in which it informs them of the method, purpose and principles of data collection. In the case of mandatory data provision, the legislation ordering Data Management must also be indicated. The data subject must be informed about the purpose of Data Management and who will handle and process the Personal Data.
8. In all cases, if the Company intends to use the provided Personal Data for a purpose other than the purpose of the original data collection, it shall inform the User of this and obtain their prior, express consent, or provide them with the opportunity to prohibit the use.
III. Legal basis of data management, purpose and scope of managed data, duration of data management, persons entitled to access personal data
1. The data management of the Service Provider is based on the following legal bases (GDPR Article 6 (1)):
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes (voluntary consent);
b) data processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract (performance of the contract);
c) data management is necessary to fulfill the legal obligation of the data controller (legal obligation);
d) data management is necessary to enforce the legitimate interests of the data controller or a third party (legitimate interest).
2. In the case of data management based on voluntary consent, the data subjects may withdraw their consent at any stage of the data management.
3. Incapacitated and limited minors may not use services through the Service Provider's system.
4. In certain cases, the management, storage, and transmission of a range of the provided data is made mandatory by law, of which we will notify users separately.
5. We draw the attention of data informants to the Service Provider that if they do not provide their own personal data, the data informant must obtain the consent of the data subject.
6. Personal data may only be processed for specific purposes. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal. Only personal data that is essential for the realization of the purpose of data management and suitable for achieving the purpose can be processed. Personal data can only be processed to the extent and for the time necessary to achieve the purpose. The Service Provider does not use personal data for purposes other than those indicated.
7. Online webshop service
The purpose of the data management is to ensure the provision of the webshop service on the website, the order, its service, the documentation of the purchase and payment, and the fulfillment of accounting obligations. The purpose of data management is also the identification of the user as a customer, the fulfillment of the ordered product, the sending of related notifications, the possibility of processing the payment with the help of the payment service provider, the registration and differentiation of users, and the fulfillment of the contract.
Legal basis for data management: performance of the contract, Article 6 (1) GDPR. point b).
Scope of processed data: Phone number (optional, if provided by the customer to receive notifications), e-mail address, password provided during pre-registration, delivery address provided if home delivery is requested, transaction number, date and time, customer code, gift voucher number, billing address. If a legal dispute arises in connection with the purchase transaction, the Service Provider will retain the data for the duration of the legal dispute, the legal basis for this is the legitimate interest of the Service Provider, Article 6 (1) GDPR. point f).
Possible consequences of failure to provide data: failure of the purchase transaction.
Purpose of data management: By entering a password during pre-registration, it is possible for the User to enter their data only once and not during each purchase. Certain services on the website are only available to registered Users. As part of the convenience service, the user can edit his personal data in the account that opens as a personal menu item on the website.
Legal basis for data management: voluntary consent of the data subject, Article 6 (1) GDPR. the dot.
The range of processed data: e-mail address, password and all personal data provided by the User during the purchase or in the account: address, billing address, telephone contact information. The processed data may include the products purchased by the User during his orders, the date of the purchases, and the invoice. Data deletion deadline: The Service Provider manages the data provided until the User prohibits the use of the data for this purpose - by unsubscribing.
Possible consequences of failure to provide data: the user cannot use the convenience functions and services of the website.
The purpose of the data management: the issuance of the accounting documents for purchase transactions and their preservation within the time limit specified in the legislation. Legal basis for the data management: fulfillment of a legal obligation, Article 6 (1) GDPR. point c). Scope of processed data: surname and first name, billing address provided for issuing the invoice, transaction number, date and time, content of the receipt, tax number in the case of an invoice (if provided by the customer). The deadline for the deletion of data, the duration of data management: 8 years, or the period defined in the applicable tax law and accounting legislation at all times. Possible consequences of failure to provide data: failure of the purchase.
10. Electronic newsletter
Purpose of data management: Sending e-mail newsletters containing advertising to interested parties. If the user subscribes to the newsletter, the Service Provider can send him a newsletter with a frequency according to his own decision. Legal basis for data management: voluntary consent of the data subject, Article 6 (1) GDPR. the dot. The range of processed data: name, e-mail address, zip code, telephone number. Deadline for data deletion: The Service Provider will process the data provided until the User prohibits the use of the data for this purpose by unsubscribing. You can cancel the newsletter by clicking the Unsubscribe link at the bottom of the newsletter. Personal data will be deleted within 10 working days from the receipt of the request.
11. Cookie management («Cookie»)
With the help of information sent by cookies, Internet browsers can be recognized more easily, so Users can receive relevant and "personalized" content. Cookies make browsing more convenient, including requests related to online data security and relevant advertising. With the help of cookies, the Service Provider can also create anonymous statistics about the habits of site visitors, so that we can customize the look and content of the site even more. The Service Provider's website uses two types of cookies:
- Temporary cookies - session-id cookies that are essential for using the site. Their use is essential for navigating the website and for the functionality of the website's functions. Without accepting them, the website or some of its parts will not be displayed, browsing will be hindered, products cannot be placed in the basket or bank payments can be made properly.
- Permanent cookies that remain on the device for a longer time or until the User deletes them, depending on the settings of the web browser. Within these, we can talk about internal or external cookies. If the Service Provider's web server installs the cookie and the data is transferred to its own database, then we are talking about an internal cookie. If the cookie is installed by the Service Provider's web server, but the data is transferred to an external service provider, then we are talking about an external cookie. Third-party cookies are also such external cookies, which are placed by a third party in the User's browser (Google Analytics, Facebook Pixel). These are placed in the browser if the visited website uses services provided by third parties. The purpose of permanent cookies is to ensure the highest possible level of operation of the given page in order to increase the user experience.
When visiting the website, the User can give his consent to the permanent cookies being stored on the User's computer and the Service Provider can access them by clicking the button on the cookie warning on the login page.
The purpose of data management is: conducting payment transactions with the payment service provider, identifying and distinguishing users from each other, identifying the current session of users, storing the data entered during that session, preventing data loss, identifying and tracking users, web analytics measurements.
Legal basis for data management: voluntary consent of the data subject, Article 6 (1) GDPR. the dot.
Scope of managed data: ID number, date, time, and previously visited page.
Duration of data management: temporary cookies are stored until all of the user's browsers of the given type are closed. Permanent cookies are stored on the user's computer for 1 year or until the User deletes them.
Possible consequences of failure to provide data: incomplete use of website services, failure of payment transactions, inaccuracy of analytical measurements.
12. Statistical data The data controller may use the data for statistical purposes. The use of the data in a statistically aggregated form may not include the name of the concerned user or other identifiable information in any form.
13. Technically recorded data during the operation of the system
Technically recorded data are the data of the User's logged-in computer, which are generated during the use of the service and which are logged by the data management system as an automatic result of technical processes (e.g. IP address, session ID). Due to the operation of the Internet, the data recorded automatically is automatically logged by the system without the User's special declaration or action - using the Internet. The Internet cannot function without these automatic server-client communications. These data cannot be combined with other User personal data - except in cases made mandatory by law. Only the Data Controller has access to the data. The log files that are automatically and technically recorded during the operation of the system are stored in the system for a reasonable period of time in terms of ensuring the operation of the system.
14. The Service Provider's customer correspondence (email)
If you would like to contact us, you can contact the Service Provider at the contact details provided in this information sheet or on the website. The Service Provider deletes all received e-mails with the sender's name, e-mail address, date and time data and other personal data provided in the message after a maximum of five years from the date of communication.
15.Web analytics measurements
Google Analytics, as an external service provider, supports the independent measurement of website traffic and other web analytics data. Detailed information on the management of measurement data can be found at the following link: http://www.google.com/analytics. The Service Provider uses Google Analytics data exclusively for statistical purposes, to optimize the operation of the site.
16. Other data management
We provide information on data management not listed in this information when the data is collected. We inform our customers that the court, the prosecutor, the investigative authority, the infringement authority, the public administrative authority, the National Data Protection and Freedom of Information Authority, the Hungarian National Bank, or other bodies based on the authorization of the law, provide information, communicate data, transfer documents, or they can contact the Service Provider to make it available. The Service Provider only discloses personal data to the authorities - if the authority has indicated the exact purpose and the scope of the data - to the extent and to the extent that is absolutely necessary to achieve the purpose of the request.
17. The Data Controller does not check the personal data provided to him. The person providing the data is solely responsible for the adequacy of the data provided. When entering an e-mail address, any user assumes responsibility for the fact that only he/she uses the service from the given e-mail address. In view of this responsibility, all kinds of responsibility related to logins to a specified e-mail address are borne solely by the user who registered the given e-mail address. If the user does not provide his own personal data, he is obliged to obtain the consent of the person concerned.
18. The right to access personal data is employees who have an employment or contract relationship with the Service Provider, employees of the courier service involved in the delivery of the products (if the delivery was requested by the customer), as well as the Data Processors.
ARC. Transmission of data, designation of Data Processors
In the case of home delivery, the Service Provider may hand it over to Magyar Posta Zrt or GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
A. Method of storing personal data, security of data management
1. The Service Provider's computer systems and other data storage locations are located at its headquarters and data processors.
2. The Service Provider selects and operates the IT tools used for the management of personal data during the provision of the service in such a way that the managed data:
a) is accessible to those authorized to do so (availability);
b) its authenticity and authentication are ensured (authenticity of data management);
c) its immutability can be verified (data integrity); d) be protected against unauthorized access (data confidentiality).
3. The Service Provider protects the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility resulting from changes in the technology used.
4. In order to protect the data files managed electronically in its various records, the Service Provider ensures with an appropriate technical solution that the stored data cannot be directly linked and assigned to the data subject, unless permitted by law.
5. In view of the current state of technology, the Service Provider ensures the protection of the security of data management with technical, organizational and organizational measures that provide a level of protection corresponding to the risks associated with data management.
6. The Service Provider preserves the data during data management
a) confidentiality: protect the information so that only those who are authorized to do so can access it;
b) integrity: protects the accuracy and completeness of the information and the method of processing;
c) availability: it ensures that when the authorized user needs it, he can really access the desired information and that the related tools are available.
7. The IT system and network of the Service Provider and its partners are both protected against computer-supported fraud, espionage, sabotage, vandalism, fire and flood, as well as against computer viruses, computer intrusions and other attacks. The operator ensures security with server-level and application-level protection procedures.
8. During the automated processing of personal data, the Service Provider provides additional measures
a) preventing unauthorized data entry;
b) preventing the use of automatic data processing systems by unauthorized persons using data transmission equipment;
c) the verifiability and ascertainability of which bodies the personal data have been or may be transmitted using data transmission equipment;
d) the verifiability and ascertainability of which personal data was entered into the automatic data processing systems when and by whom;
e) the restoreability of the installed systems in the event of a malfunction and
f) that a report is prepared on errors occurring during automated processing.
9. When determining and applying measures for data security, the Service Provider takes into account the state of the art at all times. Among several possible data management solutions, the one that ensures a higher level of protection of personal data must be chosen, unless it would represent a disproportionate difficulty.
10. The Service Provider ensures the protection of the security of data management with technical, organizational and organizational measures that provide a level of protection corresponding to the risks associated with data management.
11. Regardless of the protocol (e-mail, web, ftp, etc.), electronic messages transmitted on the Internet are vulnerable to network threats that may lead to dishonest activity or the disclosure or modification of information. To protect against such threats, the Service Provider takes all necessary precautions. Monitors systems to capture any security discrepancies and provide evidence for any security incidents. In addition, system monitoring also makes it possible to check the effectiveness of the precautions used. However, the Internet is not 100% secure, as is well known to Users. The Service Provider is not responsible for any damage caused by undefended attacks that take place despite the greatest care that can be expected.
VI. Rights of data subjects
1. The data subject may request information about the processing of his personal data, and may request the correction of his personal data, or - with the exception of mandatory data processing - deletion or withdrawal, he may use his right to data portability and protest in the manner indicated when the data was collected, or by the Service Provider in point I of this Data Management Information written in his contact information. A change in personal data or a request for the deletion of personal data can be communicated by means of a written statement to the registered e-mail address or in a private document with full evidential force sent by post. Some personal data can also be modified by modifying the personal profile page.
2. Right to information: The Service Provider takes appropriate measures in order to provide the data subjects with all the information mentioned in Articles 13 and 14 of the GDPR and Articles 15-22 regarding the processing of personal data. and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded. The right to obtain information can be exercised in writing via the contact details listed in point I of this Data Management Information. At the request of the person concerned, information can also be provided orally after proof of identity.
3. The data subject's right to access: The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed, and if such data processing is in progress, he is entitled to receive access to the personal data and the following information : - the purposes of data management; - categories of personal data concerned; - the recipients or categories of recipients to whom or to whom the personal data has been or will be communicated, including in particular recipients in third countries and international organizations; - the planned period of storage of personal data; - the right to correct, delete or limit data processing and to protest; - the right to submit a complaint to the supervisory authority; - information about data sources; - the fact of automated decision-making, including profiling, as well as comprehensible information about the applied logic and the significance of such data management and the expected consequences for the data subject. A request for information sent by e-mail - unless the data subject identifies himself in another way related to credit - is considered authentic by the Data Controller only if it is sent from the User's registered e-mail address. Requests for information should be sent by email to email@example.com.
4. In the case of personal data being transferred to a third country or an international organization, the data subject is entitled to receive information about the appropriate guarantees for the transfer.
5. The Service Provider provides a copy of the personal data that is the subject of data management to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Service Provider provides the information in electronic form. The data controller shall provide the information within a maximum of one month from the date of submission of the request.
6. Right to rectification: The data subject may request the correction of inaccurate personal data concerning him or her managed by the Service Provider and the addition of incomplete data. If the personal data does not correspond to the reality, and the personal data corresponding to the reality is available to the data controller, the personal data will be corrected by the data controller.
7. Right to erasure: If one of the following reasons exists, the data subject has the right to request that the Service Provider delete the personal data relating to him without undue delay: - personal data are no longer needed for the purpose for which they were collected or otherwise processed; - the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management; - the data subject objects to the data processing and there is no overriding legal reason for the data processing; - personal data were handled illegally; - personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller; - the collection of personal data took place in connection with the offering of services related to the information society. Once a request to delete or modify personal data has been fulfilled, the previous (deleted) data can no longer be restored.
8. Data deletion may not be initiated if data management is necessary for one of the following reasons: fulfillment of an obligation under EU or member state law applicable to the data controller, which prescribes the management of personal data, or it is necessary for the presentation, enforcement and protection of the legal claims of the Service Provider.
9. The right to limit data processing: At the request of the data subject, the Service Provider limits data processing if one of the following conditions is met: - the data subject disputes the accuracy of the personal data, in this case the restriction applies to the period that allows the accuracy of the personal data control; - the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use; - the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to submit, enforce or defend legal claims; or - the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.
10. If data management is subject to restrictions, personal data may only be processed with the consent of the data subject, with the exception of storage, or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of other natural or legal persons. The Service Provider informs the data subject in advance of the lifting of restrictions on data management.
11. Right to data portability: The data subject has the right to receive the personal data concerning him/her provided to the data controller in a segmented, widely used, machine-readable format, and to transmit this data to another data controller.
12. Right to object: The data subject has the right to object at any time for reasons related to his own situation against the processing of his personal data necessary to enforce the legitimate interests of the data controller or a third party, including profiling based on the aforementioned provisions. In the event of a protest, the data controller may no longer process the personal data, unless it is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to the presentation, enforcement or defense of legal claims. If personal data is processed for direct business acquisition, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including profiling, if it is related to direct business acquisition. In case of objection to the processing of personal data for the purpose of direct business acquisition, the data cannot be processed for this purpose.
13. Automated decision-making in individual cases, including profiling: The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have legal effects on him or similarly significantly affect him. The above authorization cannot be applied if the data management
- necessary in order to conclude or fulfill the contract between the data subject and the data controller;
- its implementation is made possible by EU or Member State law applicable to the data controller, which also establishes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; obsession
- is based on the express consent of the data subject.
14. Right of withdrawal: The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.
15.Procedural rules: The Service Provider shall inform the data subject without undue delay, but in any case within one month of receipt of the request, in accordance with Articles 15-22 of the GDPR. on measures taken following a request pursuant to Art. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The Service Provider shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the date of receipt of the request. If the data subject submitted the request electronically, the information will be provided electronically, unless the data subject requests otherwise.
16. If the Service Provider does not take measures following the data subject's request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, and of the fact that the data subject may file a complaint with a supervisory authority and seek legal remedies. with his right.
17. The Service Provider provides the requested information and information free of charge. If the data subject's request is clearly unfounded or - especially due to its repeated nature - excessive, the Service Provider may charge a reasonable fee or refuse to take action based on the request, taking into account the administrative costs associated with providing the requested information or information or taking the requested action.
18. The Service Provider informs all recipients of all corrections, deletions or data management restrictions made by it, to whom or to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the Service Provider informs them about these recipients.
19. The Service Provider provides a copy of the personal data that is the subject of data management to the data subject. For additional copies requested by the data subject, the Service Provider may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information will be provided in electronic format, unless the data subject requests otherwise.
20. Compensation and damages: All persons who have suffered material or non-material damage as a result of a violation of the data protection regulation are entitled to compensation from the data manager or data processor for the damage suffered. The data processor is only liable for damages caused by data processing if it has not complied with the obligations specified in the law, which are specifically imposed on data processors, or if it has ignored or acted contrary to the legal instructions of the data controller. If several data managers or data processors or both data managers and data processors are involved in the same data management and are liable for damages caused by data management, each data manager or data processor is jointly and severally liable for the entire damage. The data manager or the data processor is exempted from liability if it proves that it is not responsible in any way for the event that caused the damage.
VII. Legal enforcement options:
1. With your questions or comments, contact the Data Protection Officer at the contact details detailed in Section I of this Data Management Information.
2. Right to go to court: In the event of a violation of their rights, the data subject may go to court against the data controller. The court acts out of sequence in the case.
3. Data protection official procedure: Complaints can be made to the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5. Telephone: 06.1.391.1400 Fax: 06.1.391.1410 E-mail: firstname.lastname@example.org
1. personal data: any information relating to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
2. data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying;
3. restriction of data management: marking of stored personal data for the purpose of limiting their future processing;
4.profiling: any form of automated processing of personal data, during which personal data is used to evaluate certain personal characteristics of a natural person, in particular work performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or movement used to analyze or predict related characteristics;
5.data controller: the legal entity that determines the purposes and means of processing personal data independently or together with others;
6. data processor: the legal entity that manages personal data on behalf of the data controller;
7. recipient: the natural or legal person, public authority, agency or any other body to whom or with whom the personal data is communicated, regardless of whether it is a third party;
8. third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or those persons who, under the direct control of the data controller or data processor, are authorized to process personal data they got;
9. the consent of the data subject: the voluntary, concrete, and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;
10. data processing: performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;
11. data deletion: rendering the data unrecognizable in such a way that their recovery is no longer possible;
12.EEA state: a member state of the European Union and another state party to the Agreement on the European Economic Area, as well as the state whose citizen is the European Union and its member states, and on the basis of an international treaty concluded between a state that is not a party to the Agreement on the European Economic Area, the enjoys the same legal status as a citizen of a state party to the Agreement on the European Economic Area;
13. data subject: any natural person identified or - directly or indirectly - identified on the basis of personal data;
14. user: the natural person who registers on the website of the Service Provider or purchases without registration;
15. third country: any state that is not an EEA state;
16. disclosure: making personal data available to anyone;