Effective from: 28 December 2025.
This notice provides information on the processing of personal data carried out during visits to the online shop (pharmarosa.com) and purchases made in the online shop, pursuant to Articles 13–14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
Quick navigation
1. Data of the Controller
2. Processors and recipients
3. Applicable legal provisions
4. Details of data processing
5. Data transfers outside the EU
6. Automated decision-making
7. Data subject rights
8. Legal remedies (supervisory authority)
9. Data security
10. Amendment of this notice
1. Data of the Controller
Company name PharmaRosa Kft.
Registered office 1188 Budapest, Ültetvény utca 8.
Company registration number 01-09-717479
Tax number 13075314-2-43
Online shop pharmarosa.com
E-mail (data protection contact) [email protected]
Telephone +36 1 287 6380
Advance bank transfer (IBAN) HU81 1171 8000 2990 1254 0000 0000
PharmaRosa Kft. is generally not obliged to appoint a Data Protection Officer (Article 37 GDPR), provided that the statutory conditions are not met. For data protection queries, please contact us via the above contact details.
2. Processors and recipients
For the operation of the online shop and the performance of the contract, PharmaRosa Kft. may engage processors, and certain service providers may act as independent controllers within the scope of their own activities. Data transfers are in all cases limited to the data necessary (Article 5 (1) (c) GDPR – data minimisation).
2.1. Hosting provider (processor)
NETTESZT Informatikai Kft.
Address: 2013 Pomáz, Katona József utca 17. d. ép.
Company registration number: 13-09-135413
Tax number: 12437164-2-13
2.2. Invoicing (processor)
Számlázz.hu (service provider of the invoicing system: KBOSS.hu Kft.)
Registered office: 1031 Budapest, Záhony utca 7.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
2.3. Delivery (processor / recipient)
GLS – GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
Registered office: 2351 Alsónémedi, GLS Európa u. 2.
Company registration number: 13-09-111755
Tax number: 12369410-2-44
2.4. Payment (typically independent controllers)
In the course of card payments and online payments, the payment service providers process the data necessary for the execution of the payment under their own data protection terms, typically as independent controllers. PharmaRosa Kft. does not store and does not have access to card data.
Worldline – service provider of card payment (Worldline service)
PayPal – PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg
3. Applicable legal provisions
Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.)
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services (Eker. tv.)
Act V of 2013 on the Civil Code (Ptk.)
Act C of 2000 on Accounting (in particular retention obligations)
4. Details of data processing
Below we describe, for each processing activity, its purpose, legal basis, categories of data processed, recipients, and the retention period (or the criteria for its determination).
4.1. Visiting the website (server logs, technical data)
Data processed IP address, date and time of visit, browser and device information (user agent), technical identifiers, log data.
Purpose Operation of the website, security, prevention of abuse, error detection, ensuring the quality of the service.
Legal basis Article 6 (1) (f) GDPR – legitimate interest (ensuring IT security and operation).
Retention For the period necessary for IT security and error detection purposes, and for the duration of incident investigation.
Recipients Hosting provider (NETTESZT Informatikai Kft.), and employees/partners of PharmaRosa Kft. authorised for this purpose.
4.2. Placing an order and performance of the contract
Data processed Name, billing address, delivery address, e-mail address, telephone number, order contents, order ID, contents of correspondence.
Purpose Processing the order, confirmation, performance, communication, providing information to customers.
Legal basis Article 6 (1) (b) GDPR – conclusion and performance of the contract.
Retention For the period necessary for the performance of the contract and for the period required for the enforcement of civil law claims, as well as for the period specified by accounting obligations (for invoice data, see section 4.3).
Recipients Delivery service provider (GLS) to the extent of the data necessary for delivery; invoicing system (Számlázz.hu) to the extent of the data necessary for issuing the invoice.
4.3. Invoicing and accounting
Data processed Name, billing address, purchase data, invoice and voucher data.
Purpose Issuing invoices, fulfilling accounting and tax obligations.
Legal basis Article 6 (1) (c) GDPR – fulfilment of a legal obligation (in particular accounting rules).
Retention Retention of accounting documents: at least 8 years in accordance with the relevant rules.
Recipients Invoicing system provider (Számlázz.hu / KBOSS.hu Kft.), accountant (if engaged).
4.4. Processing of payments (Worldline, PayPal)
Data processed Transaction identifiers, payment status, order-level data relating to the payment. PharmaRosa Kft. does not process card data.
Purpose Execution of the payment, confirmation, refunds, financial administration.
Legal basis Article 6 (1) (b) GDPR – performance of the contract; Article 6 (1) (c) GDPR – legal obligations.
Retention For the period necessary for financial and accounting obligations and for the handling of legal claims.
Recipients Worldline and/or PayPal (depending on the chosen method of payment), to the extent of the data necessary for the execution of the payment.
4.5. Delivery and parcel shipment
Data processed Name, delivery address, telephone number, e-mail address, parcel data.
Purpose Home delivery, parcel tracking, delivery notifications.
Legal basis Article 6 (1) (b) GDPR – performance of the contract.
Retention Until completion of delivery, and for the period necessary for related administration/enforcement of rights.
Recipients GLS to the extent of the data necessary for delivery.
4.6. Customer service, complaint handling, quality claim, warranty administration
Data processed Name, contact details, contents of the complaint/claim, order ID or invoice data, photos provided by the data subject (e.g. of the condition of the plant, label, packaging), bank account data necessary for refunds.
Purpose Investigation of complaints, handling of quality claims, administration of statutory/voluntary warranty, enforcement or defence of legal claims.
Legal basis Article 6 (1) (b) GDPR – performance of the contract (administration);
Article 6 (1) (c) GDPR – legal obligation (if applicable);
Article 6 (1) (f) GDPR – legitimate interest (enforcement of rights, prevention of abuse).
Retention As a general rule, for 1 year, except where a longer retention period is required by law or for the enforcement/defence of legal claims.
Recipients Employees/partners of PharmaRosa Kft. authorised for this purpose; where necessary, accountant/legal representative.
4.7. Newsletter and direct marketing (if you subscribe)
Data processed Name (if provided), e-mail address, fact and date of subscription, fact of unsubscription.
Purpose Sending marketing messages and information to the subscriber.
Legal basis Article 6 (1) (a) GDPR – consent. Consent may be withdrawn at any time (unsubscription).
Retention Until withdrawal of consent (unsubscription).
Recipients [If a newsletter service is used: TO BE COMPLETED – name of service provider, as processor].
4.8. Cookies and similar technologies
The website may use cookies necessary for its operation and – depending on the settings – cookies for statistical and marketing purposes as well. The website requests consent for the use of non-essential cookies (Article 6 (1) (a) GDPR).
Necessary cookies: for the basic operation of the website (legal basis: legitimate interest / provision of the service).
Preference cookies: remembering settings (legal basis: consent, if not necessary).
Statistical cookies: measurement of visitor traffic (legal basis: consent).
Marketing cookies: targeted advertising (legal basis: consent).
The lifetime of cookies depends on their type (until the end of the session or for a specified period). You may change your settings at any time via the cookie management interface on the website.
4.9. Mandatory provision of data
Without providing the data necessary for the performance of the contract (in particular name, delivery and billing details, contact details), PharmaRosa Kft. is unable to fulfil the order.
5. Data transfers outside the EU
PharmaRosa Kft. primarily processes personal data within the European Economic Area (EEA). However, due to the nature of their operations, certain service providers (in particular online payment service providers) may also transfer data to countries outside the EEA. In such cases, the service providers may apply appropriate safeguards (e.g. adequacy decision, standard contractual clauses) in accordance with Chapter V of the GDPR.
6. Automated decision-making and profiling
In the operation of the online shop, PharmaRosa Kft. does not carry out decision-making based solely on automated processing which would produce legal effects concerning the data subject or similarly significantly affect them (Article 22 GDPR).
7. Data subject rights
Under the GDPR, data subjects have in particular the following rights:
Right of access (Article 15 GDPR)
Right to rectification (Article 16 GDPR)
Right to erasure – “right to be forgotten” (Article 17 GDPR)
Right to restriction of processing (Article 18 GDPR)
Right to data portability (Article 20 GDPR)
Right to object (Article 21 GDPR)
Withdrawal of consent (where processing is based on consent)
You may submit your request to PharmaRosa Kft. at the following contact address: [email protected]. PharmaRosa Kft. shall provide information on the action taken on your request without undue delay and in any event within one month of receipt of the request (Article 12 (3) GDPR).
8. Legal remedies, supervisory authority
If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
Data Protection Commission (local supervisory authority in Ireland)
Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Telephone: +353 1 765 0100 / 1800 437 737
E-mail: [email protected]
Online contact form: https://forms.dataprotection.ie/contact
Website: https://www.dataprotection.ie
Alternative Dispute Resolution (consumer dispute resolution in Ireland)
Competition and Consumer Protection Commission – Consumer Dispute Resolution / consumer complaints
Address: Bloom House, Railway Street, Dublin 1, D01 C576, Ireland
Telephone (consumer helpline): +353 1 402 5555
Freephone (within Ireland): 01 402 5555 or 0818 07 3000
E-mail (general consumer complaint/dispute resolution): [email protected]
Online complaint/dispute resolution form: on the CCPC website (section “Make a complaint” / “Consumer complaints”)
Website: https://www.ccpc.ie
9. Data security
PharmaRosa Kft. takes appropriate technical and organisational measures to ensure the security of personal data (in particular against unauthorised access, alteration, disclosure, destruction, loss). Access is restricted to those persons for whom it is necessary; the protection and operation of the systems are supported by the hosting and IT service providers.
10. Amendment of this notice
PharmaRosa Kft. is entitled to unilaterally amend this notice. The amendment shall become effective upon publication on the website. Please review this notice from time to time.