1) The purpose of this Privacy and Data Protection Notice (the "Notice") is to inform you as the data subject:
(a) in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR; hereinafter: the Regulation) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
(b) ensuring the concrete implementation of the principles of legality, fairness and transparency, purpose limitation, data minimisation, accuracy, limited storage, integrity and confidentiality, accountability, as set out in Article 5 of the Regulation.
2) The date at the bottom of the page indicates the validity (period of validity) of the Notice. The Data Controller reserves the right to modify this Notice at any time and to publish a new Notice on its website. When a new version comes into force, the previous version will expire.
3) Terms and definitions used in the Notice:
Data subject (you): an identifiable natural person, i.e. one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
Personal data: any information relating to the data subject;
Data management: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Data Controller: the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data;
Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process the personal data;
Data protection incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1. Who is the Data Controller and who are the data processors?
The Data Controller:
Name: ___________________(Your company name)
Tax number: ___________________
Located at: ___________________
e-mail address: ___________________
Website: ___________________
Telephone number: ___________________
Data processors:
1) Web service provider:
Name: ___________________
represented by: ___________________
Tax number: ___________________
Located at: ___________________
Website: ___________________
the operation it performs: implementation of the website and webshop, and the maintenance, monitoring and security operations necessary for their operation.
Whether you use an additional data processor: ______
2) Storage provider:
Name: ___________________
Tax number: ___________________
Located at: ___________________
e-mail address: ___________________
Website: ___________________
the operation it performs: hosting, storage of personal data.
3) Mailing system provider
name: ___________________
Website: ___________________
Tax number: ___________________
Located at: ___________________
e-mail address: ___________________
the operation it performs: providing the system for sending newsletters.
Whether you use an additional data processor: ______
4) Accountant
Name: ___________________
Tax number: ___________________
Located at: ___________________
the operation it carries out: carrying out accounting tasks in accordance with the legislation, using the data specified in the legislation.
Whether you use an additional data processor: ____
5) Billing service provider
name: KBOSS.hu Ltd. (example; if your provider is different, replace the data below)
website: https://www.szamlazz.hu/
Tax number: 13421739-2-41
head office: 1031 Budapest, Záhony utca 7.
e-mail address: info@szamlazz.hu
the operation it performs: issuing invoices.
Whether you use an additional data processor: NO.
6) Postal and parcel services
Name: ___________________
Tax number: ___________________
Located at: ___________________
the operation it performs: delivery of products.
Whether you use an additional data processor: _______
The Data Processor may also use the services of available parcel delivery service providers for its activities as necessary, based on urgency and availability, in particular, but not exclusively, the services of the Hungarian Post, MPL Logistics Service Provider and GLS General Logistics Systems Hungary Kft.
7) Social networking site provider
Name: Facebook Ireland Ltd.
location: 4 Grand Canal Square
Grand Canal Harbour
Dublin 2 Ireland
website: https://www.facebook.com/about/privacy
2. Do we process data that falls under a special category of personal data?
The Data Controller does not request or process data falling under special categories of personal data (such as: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data and biometric data for the purpose of uniquely identifying natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons), except for certain data required by law in the case of employment relationships.
Any such data brought to the attention of the Data Controller by any means or coming to the attention of the Data Controller shall not be recorded by the Data Controller. If such data has entered into any of the Controller's systems without the Controller's knowledge, the Controller shall delete it from its systems immediately upon its detection.
3. How do we assess the lawfulness of data processing?
1) The Data Controller examines the lawfulness of data processing at all stages of its activities, and only processes data for which it can justify the purpose and legal basis. In the event that the conditions of a legal basis cease to apply, the processing may only be resumed if the Data Controller can demonstrate an adequate alternative legal basis.
2) The legal grounds for processing, in the order determined by the Data Controller:
(a) processing is necessary for the performance of a contractual obligation to which the data subject is party; [Article 6(1)(b)]
(b) processing is necessary for compliance with a legal obligation to which the controller is subject; [Article 6(1)(c)]
(c) the processing is necessary for the purposes of the legitimate interests pursued by the controller, justified on the basis of a legitimate interest test; [Article 6(1)(f)]
(d) the data subject has given his or her consent to the processing of his or her personal data; [Article 6(1)(a)]
3) As a general rule, a legal basis is proved in writing, but even where the legal basis is established by implied conduct, it must be examined whether it can be clearly proved after the fact. In case of doubt, in the interests of reasonableness and economy, efforts should be made to obtain written confirmation of the conduct to which the processing is attributable.
4) In relation to the contractor of an existing valid contract, the Data Controller shall continue to process the data of the contracting party pursuant to Article 6(1)(b) of the Regulation after the entry into force of the Regulation until the termination of the contract.
5) After the termination of the contract, the Data Controller shall continue to process the data in order to comply with a legal obligation or to pursue the legitimate interest of the Data Controller, for as long as that obligation or interest justifiably exists.
4. About our data processing necessary for the performance of a contractual obligation
This point details the conditions of processing necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into such a contract. [Article 6(1)(b) of the Regulation]
4.1. Processing of data of a natural person as a contracting customer
1) Purpose of the processing: to provide the data subject with appropriate information and assistance and to communicate with him or her in order to prepare (e.g. request for a proposal, submission of a proposal, negotiation on the basis of the proposal, acceptance of the proposal), maintain, perform and terminate the contract properly.
2) Legal basis for processing: If the request for information is for the establishment, maintenance, modification or preparation for termination of a contract, the legal basis for processing is the contract. If the request for information is for a purpose other than contractual, the processing is based on voluntary consent.
3) Recipients of personal data, categories of recipients: Employees of the Data Controller involved in the provision of information, preparation of contracts, performance of contracts.
4) Scope and purpose of the data processed: name - identification; e-mail address - contact, clarification, information; telephone number - contact, clarification, information; content of the question/request - input data for the response.
5) Who is affected: Any natural person who contacts the Data Controller and requests contract-related information/offers from the Data Controller by providing personal data.
6) Duration of processing: Until the existence of the contract or, after its termination, until the expiry of the limitation period of the rights arising from the contract on the basis of the legitimate interest of the controller and the period of record keeping according to accounting rules.
7) Process of data processing:
(a) the data subject contacts the Data Controller by any means of his or her choice (in person, by telephone, e-mail, other means) to request information/recommendation.
b) the Data Controller shall clarify the request with the data subject as necessary.
c) the Data Controller provides the requested information/offer in the manner in which it was received or agreed with the data subject.
d) the contractual relationship is established by acceptance of the offer or by the conclusion of a written or implied contract.
4.2. Data processing related to the use of the Data Controller's webshop
1) Purpose of the processing: to create, define the content of, modify, monitor the performance of, invoice the fees arising from, and enforce the claims related to the contract for the purchase in the Webshop, in accordance with the applicable and currently in force legislation. In particular, such legislation is the legislation in force at the time of the entry into force of this document:
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Eker tv.), in particular § 13/A;
- Government Decree 45/2014 (II. 26.) on the detailed rules of contracts between consumers and businesses.
2) Legal basis for processing: Performance of obligations arising from a contract between the parties.
3) Recipients of personal data, categories of recipients: the employees of the Data Controller acting in the performance of the contract and the data processors involved (courier service, billing service, IT service provider for hosting, accounting, tax and bookkeeping service).
4) Scope and purpose of the data processed: name - identification; email address - contact; telephone number - contact; address/shipping address/billing address - for fulfilment; details of the order - basis for fulfilment; bank details (e.g. bank account number, credit card details, etc.) - to pay the order.
5) Who is affected: Any natural person who makes a purchase in an online shop.
6) Duration of processing: For 5 years after the termination of the contract or business relationship.
7) Process of data processing:
a) the customer enters the Data Controller's webshop;
b) familiarises himself/herself with the terms and conditions, the data protection provisions and the process of shopping in the online shop;
c) if he/she decides to proceed, after having accessed the documents available via the service provider's link, makes a declaration regarding this access by ticking the relevant unchecked checkbox or by clicking a so-called push button;
d) provides the data requested by the system for the purchase;
e) carries out the steps of the online store purchase process;
f) meets his/her payment obligations;
g) the operator of the online shop fulfils its obligations.
8) The Data Controller may also place other information, advertisements, various services available with consent (newsletter/DM mail subscription area, lottery draws, etc.) on the webshop's IT interface. The legal basis for the use of these services is the consent of the data subject, in accordance with the specific rules applicable to the use of the website (see the section of this document entitled "Processing with the consent of the data subject").
5. About our processing of data to comply with legal obligations
5.1. Data processing in connection with the fulfilment of tax and accounting obligations
1) Purpose of the processing: The processing of documents (invoices, delivery notes, etc.) containing personal data of natural persons, and of natural person representatives of legal persons, who are in contact with the Data Controller in their capacity as buyer or supplier, in accordance with the relevant and applicable legislation in force at the time. At the time of entry into force of these Rules, such legislation is in particular:
- Act CL of 2017 on the Rules of Taxation (hereinafter referred to as the "CL Act"), and in particular Article 50 thereof;
- Act CXXVII of 2007 on Value Added Tax (hereinafter: VAT Act), and in particular Section 169 thereof;
- Act C of 2000 on Accounting (hereinafter: the Accounting Act), and in particular Article 167 thereof.
2) Legal basis for processing: to comply with a legal obligation to which the Data Controller is subject.
3) The recipients of personal data, categories of recipients: Employees of the Data Controller performing tax and accounting administration and/or data processors providing such services, the manager authorising payments, and the employee performing the relevant checks (e.g. internal auditor) or a data processor doing so.
4) The scope and purpose of the data processed: the data content required by law and the mandatory documents and notification forms used to comply with it, in order to fulfil the legal obligation.
5) Who is affected: All customers and suppliers who come into contact with the controller.
6) Duration of processing: 8 years after the economic event.
6. About our processing necessary to pursue our legitimate interests
6.1. Processing of data relating to natural person representatives of legal person clients
1) Purpose of the processing: The cooperation of the Data Controller with the persons designated by the partner of the legal person and the general business relations with them.
2) Legal basis for processing: Performance of obligations arising from a contract between the parties.
3) The recipients of personal data, categories of recipients: Employees of the Data Controller acting in the performance of the contract.
4) Scope and purpose of the data processed: name - identification; e-mail address - contact; telephone number - contact.
5) Who is affected: Any natural person appointed by a legal person contracted with the Data Controller as a representative, contact person or agent for the performance of the contract.
6) Duration of processing: 5 years after the termination of the contract or business relationship.
7) Process of data processing:
a) the parties shall specify in the contract the persons designated by each of them as representatives, contact persons and persons acting in performance of the contract;
(b) the parties concerned perform the tasks assigned to them by the contract, cooperating as necessary;
c) document, as necessary, the events of their cooperation (memos, notes, minutes, etc.), and archive documents relevant to the performance of the contract.
7. About our processing based on the data subject's consent
7.1. Customer service in person, by telephone, e-mail
1) The Data Controller carries out customer service activities in person, by telephone, email. If, in person or during a telephone conversation, the data subject receives appropriate service in relation to all his/her queries and the data subject's personal data are not recorded, no processing takes place. Where the service is only provided by the data subject calling back or giving information by e-mail and the data provided by the data subject is recorded by the Data Controller in a paper-based call log or electronic interface (hereinafter referred to as "Call Log"), processing is carried out and is performed by the Data Controller in accordance with this point.
2) Purpose of the processing: Providing information to data subjects in person, by telephone, e-mail.
3) Legal basis for processing: Consent of the data subject. Consent shall be deemed to be given if the data subject himself/herself dictates the data necessary for the call-back to the Data Controller, or if he/she contacts the Data Controller by e-mail.
4) Recipients of personal data, categories of recipients: Employees of the Data Controller who provide information.
5) The scope of the data processed: name - identification; telephone number - contact; e-mail address - contact; date, hour, minute - identification.
6) Who is affected: All natural persons who contact the employees of the Data Controller who are responsible for customer service activities by telephone or e-mail.
7) Duration of processing: For 3 months from the date of the reply.
8) Process of data processing:
(a) the data subject contacts the controller in person, by telephone or by e-mail;
b) an employee of the Data Controller who is responsible for customer service listens to the data subject or reads the e-mail sent;
c) clarifies the request or need with the data subject as necessary;
d) either provides the answer or, after informing the data subject on the matter, offers to call back, in which case the optimal time for the call-back is agreed, or, in the case of e-mail, indicates when the answer is expected to be provided;
e) records the data of the data subject in the call log in the event of a question or telephone call that is not answered immediately;
f) the employee performing the customer service activity reviews the data recorded in the call log every 3 months and deletes from the register the data of cases closed without a complaint from the data subject.
7.2. Access to content on the Controller's website subject to registration, creation of a "User Account"
1) The Data Controller makes available on its website content that is accessible to anyone without providing any personal data. For more information on this, please refer to the section of this Policy entitled "Information to Website Visitors on the use of cookies".
2) In addition to the content published without providing personal data and accessible to anyone, the Data Controller may also allow access to content that can only be used after prior registration and after "Login". This may include, in particular, the "User Account", which facilitates multiple purchases in the online store and allows the User to make a faster purchase and track the status of the order by providing less data.
3) Purpose of the processing: Registering users, identifying registered users, checking their access rights.
4) Legal basis for processing: Consent of the data subject.
5) The recipients of personal data, categories of recipients: The Data Controller's data processors providing IT services or hosting services.
6) Scope and purpose of the data processed: name - identification; e-mail address - contact; ID/password - access rights, phone number - contact (optional).
7) Who is affected: Any natural person who uses the registration-related content of the Data Controller's website.
8) Duration of processing: For 5 years after the expiry of the registration.
9) Process of data processing:
a) the Data Controller shall provide information on the registration content of the website and the steps of registration on its website, in its newsletter, advertisement or otherwise;
b) the data subject, depending on his/her choice, completes the registration process by providing the required data, makes a declaration of his/her consent to the disclosure by ticking the relevant unchecked box or so-called "push button";
c) after confirmation of the e-mail sent to the e-mail address provided by the data subject, the data subject accesses the registration-restricted content of the website with the identifier of his/her choice.
7.3. Sending a newsletter and/or advertising (direct marketing letter)
1) Purpose of the processing: The purpose of the processing of data related to the sending of newsletters and/or advertising (direct marketing - DM - mail) is to inform the recipient in a general or personalized way about the latest news, promotions (including in particular services and discounts offered only to persons subscribed to the Newsletter), events, news, notification of changes or cancellations of services on the website of the Data Controller in accordance with the applicable and valid legislation. At the time of the entry into force of the Rules, such legislation is in particular Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (Act XLVIII of 2008), and in particular Article 6 thereof.
2) Legal basis for processing: Subscription to the newsletter and/or DM mailing is based on voluntary consent.
3) The recipients of personal data, categories of recipients: The Data Controller's employees performing customer service and marketing activities, data processors providing IT services, sending newsletters and hosting services.
4) Scope and purpose of the data processed: name - identification; e-mail address - newsletter.
5) Who is affected: Any natural person who wishes to be regularly informed about news, promotions and discounts of the Data Controller and therefore subscribes to the newsletter or DM-letter service by providing his/her personal data. The subscription may be confirmed by ticking the relevant unchecked box or so-called "push button".
6) Duration of processing: Until cancellation (unsubscription) at the request of the data subject or until the newsletter service is discontinued.
7) The data subject may unsubscribe from the newsletter or DM letter at any time:
a) by using the "unsubscribe" link at the bottom of the e-mail (immediate unsubscription), or;
b) by e-mail sent to ________________ (E-MAIL ADDRESS), preferably with the word LEIRATKOZÁS in the subject line of the e-mail, or;
c) by post, by sending an unsubscribe request to ________________ (YOUR POSTAL ADDRESS/REGISTERED OFFICE).
The data subject wishing to unsubscribe should be aware that only unsubscribing under point a) constitutes immediate unsubscription; unsubscribing under points b) and c) may involve a lead time of a few days, so it is not against the rules if the system still sends a newsletter to the data subject during this period.
The Data Controller also draws your attention to the fact that a newsletter sent at the same or almost the same time as an immediate unsubscribe request under point a) of this subsection may technically overlap with it; therefore a newsletter received shortly after unsubscribing does not mean that the unsubscribe request will not be taken into account.
7.4. Use of an electronic questionnaire to manage feedback and evaluation
1) Purpose of the processing: Measuring and improving the quality of the product/service, liaising with stakeholders where feedback/assessment is not anonymous.
2) Legal basis for processing: The completion of the electronic feedback questionnaire is based on voluntary consent. In the case of anonymous feedback, where the identity of the person providing the feedback cannot be identified, no personal data are processed.
3) Recipients of personal data, categories of recipients: the Data Controller's employees who process the evaluation, data processors providing IT services or hosting services.
4) The scope and purpose of the data processed: name - identification; e-mail address - to enable contact and clarification; telephone number - to enable contact and clarification; service used - identification; rating - input data for response.
5) Who is affected: Any natural person who has used the services of the Data Controller and provides an evaluation in response to a request for an evaluation.
6) Duration of processing: Until the goal is achieved.
7) Process of data processing:
a) the data subject fills in the electronic form and sends it to the Data Controller.
(b) if the evaluation receives either an explicit complaint or an evaluation that may be considered as a complaint on its merits, the further action shall be conducted in accordance with the subsection "Complaints Handling" of these Rules.
c) the Data Controller processes the assessment.
(d) the conclusions of the evaluation are used by the Data Controller to improve its product/service.
7.5. Social media presence and marketing
1) Purpose of the processing: Sharing the content of the Data Controller's website on social networking sites, raising awareness, marketing.
2) Legal basis for processing: The processing of data related to the profile of the Data Controller on the social networking site(s) is based on voluntary consent.
3) The recipients of personal data, categories of recipients: The Data Controller's employees supporting social marketing, data processors providing IT services or hosting services.
4) Scope and purpose of the data processed: name - identification; photo used - identification; comment - expressing opinion, comment; rating - expressing opinion, sentiment; question/question content - input data for answering.
5) Who is affected: All natural persons who visit, follow, like/dislike, comment on or share the content of the social networking sites of the Data Controller, in whole or in part, with their own friends.
6) Duration of processing: Until unsubscription or until the operation of the Data Controller's social networking site.
7) The Data Controller does not process personal data posted by visitors and commentators on the Facebook and Instagram pages of the Data Controller. In the case of any unlawful, offensive content, the Data Controller is entitled to delete the content in question. For further information:
a) https://www.facebook.com/legal/terms/update
b) https://www.facebook.com/help/instagram/155833707900388/
7.6. Processing of banking data
1) Purpose of the processing: to facilitate financial compliance by the data subject.
2) Legal basis for processing: The provision of bank transfer data is based on voluntary consent.
3) Recipients of personal data, categories of recipients: Employees of the Data Controller who perform accounting tasks, data processors providing accounting services.
4) The scope and purpose of the data processed: name (of account holder) - identification; e-mail address (postal address) - required for sending the fee request and invoice; bank account number - identification; communication - identification; amount - required for payment.
5) Who is affected: Any natural person who wishes to pay by bank transfer.
6) Duration of processing: In accordance with the accounting rules in force.
7) Process of data processing:
a) the Data Controller sends a fee request/invoice to the e-mail (postal) address of the data subject.
b) the data subject transfers the corresponding amount to the bank account of the Data Controller.
c) the Data Controller shall verify the transfer.
d) the data relating to the transfer are entered into the accounting system of the Data Controller, to which only employees of the Data Controller who are engaged in accounting tasks and accountants who have a contractual relationship with the Data Controller as data processors in this regard may have access.
7.7. Complaints handling
1) Purpose of the processing: enabling the communication of the complaint, the identification of the data subject and his/her complaint, the recording of data required by law to be recorded, and the contact necessary for the investigation and resolution of the complaint.
2) Legal basis for processing: The lodging of a complaint is based on voluntary consent, but in the case of a complaint lodged, it is obligatory under Act CLV of 1997 on Consumer Protection (hereinafter: the Act on Consumer Protection).
3) The recipients of personal data, categories of recipients: Employees of the Data Controller dealing with complaints.
4) The scope and purpose of the data processed: Identification of the complaint - identification; name - identification; date of receipt of the complaint - identification; telephone number - contact; time of the call - identification; personal data provided during the conversation - identification; billing/mailing/e-mail address - contact; product/service/behaviour complained about - investigate complaint; documents attached - investigate complaint; reason for complaint - investigate complaint; complaint itself - investigate complaint.
5) Who is affected: Any natural person who wishes to make a complaint orally or in writing about a service/product ordered or used and/or about the conduct, activity or omission of the Data Controller.
6) Duration of processing: the Data Controller shall keep the record of the complaint and a copy of the reply for 5 years from the date of their recording, in accordance with the relevant and applicable Section 17/A(7) of the Act on Consumer Protection (Fgytv.).
7) Complaints may be sent to the Data Controller:
a) by e-mail sent to ________________ (E-MAIL ADDRESS), preferably with the word PANASZ in the subject line of the e-mail, or;
b) by post, in a letter sent to ________________ (YOUR POSTAL ADDRESS/REGISTERED OFFICE).
A record must be kept of complaints made orally or in person.
8) In accordance with the provisions of the Act, the Data Controller is obliged to respond to a written complaint in writing within thirty days of its receipt or, if the law sets a shorter deadline, by the expiry of that deadline, and to take steps to communicate its response. If the Data Controller rejects the complaint, it shall state the reasons for the rejection.
9) Process of data processing:
a) the data subject communicates the complaint to the Data Controller in the manner of his or her choice.
b) in the event of a verbal complaint, the Data Controller draws up a record of the complaint;
(c) the Data Controller shall examine all the circumstances of the complaint and, on the basis of those circumstances, respond to the complaint within a time limit.
d) the Data Controller shall endeavour to resolve the complaint in a manner that is satisfactory to the complainant.
8. What do you need to know as a visitor to our website about the use of cookies?
1) The content published on the Data Controller's website can be viewed without the visitor actively providing any personal data. The web server nevertheless automatically records the following data about each visit: the visitor's IP address, the time of the visit, and the sub-pages and content viewed. The Data Controller uses these data solely to analyse the website and to monitor its secure operation.
2) Like the vast majority of websites, the website uses so-called "cookies" to store information about your use of the site; these are what enable the Google Analytics service. The purpose of processing the data stored in cookies is to enhance the user experience and improve the website's online services. The cookies used on the website do not store personally identifiable information.
3) You can delete the cookies placed on your computer at any time while visiting the website, or disable cookies in your browser. Further information on how to do so is available (in Hungarian) at https://www.google.com/intl/hu/policies/privacy/partners/ and https://policies.google.com/technologies/cookies?hl=hu.
4) The website also contains so-called Facebook pixels, which allow Facebook to collect or receive data from the site via cookies, data-collection signals and similar storage technologies, and to use these data to provide measurement services and to display targeted advertisements to people who have previously visited the Controller's website. A visitor may at any time opt out of the collection and use of these data for advertisement targeting. Further information is available (in Hungarian) at https://www.facebook.com/about/privacy.
5) Data sent to the Data Controller through the website, typically via the "Contact me here!" link, are used and stored for the purpose of improving processes, products and services. Providing these data is voluntary; by sending the e-mail the data subject is deemed to consent to processing for the above purposes. E-mails containing ideas, opinions and comments are kept by the Data Controller for a maximum of 1 year; if the purpose of the processing ceases earlier, the e-mail is deleted.
9. Who has access to the data?
1) The personal data provided by the data subject may be accessed, for the performance of their tasks, by the Data Controller and by the Data Processors described in point 2 and in the description of each processing operation. Personal data are processed essentially by the Data Controller or, for certain outsourced activities, by the Data Processors. In the latter case the Data Controller transfers data to the processors, or the processors have access to the data by the nature of their activities. The Data Controller is responsible for the activities of its processors.
2) The lawyer representing the Data Controller may also obtain access to the personal data of the data subject in the event of legal proceedings initiated on the basis of the data subject's application.
3) In exceptional cases the Data Controller transfers your personal data to other public bodies, namely where:
(a) the Data Controller transfers the file containing the data subject's personal data to the Archives in accordance with the legislation and internal rules on archiving;
(b) judicial proceedings concerning the data subject are instituted and the court seised must be provided with documents containing the data subject's personal data;
(c) the police contact the Data Controller and request the transmission of documents containing the personal data concerned for the purposes of an investigation.
10. Do we perform any processing activities for other data controllers?
We do not process data for others.
11. What data security measures do we take?
1) The Data Controller stores the personal data provided by the data subject primarily on the servers of the data processor(s) indicated at the beginning of this Privacy and Data Protection Notice, which are equipped with the usual protection systems, and partly on its own IT equipment; paper records are kept locked away at its registered office or place of business. The Controller does not use any other intermediary for the storage of personal data.
2) The Controller shall take reasonable steps to protect personal data against, inter alia, unauthorised access or unauthorised alteration.
3) To secure access to data stored electronically, whether in files or in the cloud, the Data Controller uses strong passwords providing sufficient security and changes them with sufficient frequency.
4) The Data Controller shall ensure that accesses to its systems are logged and shall regularly analyse the log data. At any indication of an anomaly, the Data Controller shall take the necessary preventive or incident-response measures.
5) The Data Controller shall ensure that, in the tools and systems in use, every password is tied to an individual user, and shall regularly check how passwords are used. In particular: a password must not be used by several users; passwords must be stored in a way that is inaccessible to others; and disabling password protection must be made technically impossible or, failing that, prohibited.
6) For electronic data transferred to its data processor (e.g. Excel spreadsheets, Word documents, databases hosted in the cloud), the Data Controller also uses the password-based protection available for the given document type, so that the content of the document is not accessible to unauthorised persons.
7) Physical security shall also be ensured for data stored in analogue form on paper by providing lockable cabinets and keeping the keys secure.
8) Reasonable measures shall be taken to ensure that data stored on paper are not visible to others (e.g. by using a cover sheet or folder, or by folding the document).
9) At the end of the working day the Data Controller shall allow sufficient time for the documents generated during the day to be locked away out of reach of unauthorised persons, and shall regularly check that this practice is maintained.
10) Through regular training the Data Controller shall ensure that its staff have the knowledge needed to establish and maintain data security. The training shall emphasise users' personal responsibility and good practices that make data security part of the daily routine (e.g. not leaving laptops and phones containing personal data in a car or unattended, and locking them in the safe when staying in a hotel).
11) Users shall report to the Data Controller at the first, even slight, sign of abnormal operation.
12) The Data Controller shall, in the framework of its cooperation with the Data Processor, mutually ensure that persons with appropriate training, authorisation and privileges, who know each other's contact details, are available to take measures concerning data security, to prevent data breaches and, if they occur, to take effective measures to mitigate their effects.
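Item 4) above requires access logs to be analysed for anomalies, and item 5) forbids one password being used by several people. The following Node.js script is an added illustration of what such an analysis can look like; it is not part of this Notice and not the Data Controller's actual tooling. It runs three checks over a handful of constructed access-log lines: a burst of failed logins followed by a success from the same source (brute force), one account logging in from two different addresses within a few minutes (a typical sign of a shared password), and successful logins outside working hours. The log format, the thresholds and the working hours are assumptions made for the example.

```javascript
// Added example: anomaly checks over access-log lines (constructed data).
// Assumed log format, one event per line:
//   <ISO-8601 timestamp> <user> <source IP> <LOGIN_OK|LOGIN_FAIL>
const SAMPLE_LOG = `
2024-03-04T08:02:11Z anna 10.0.0.12 LOGIN_OK
2024-03-04T08:05:40Z bela 10.0.0.17 LOGIN_OK
2024-03-04T08:05:52Z bela 198.51.100.23 LOGIN_OK
2024-03-04T23:14:03Z anna 203.0.113.7 LOGIN_FAIL
2024-03-04T23:14:05Z anna 203.0.113.7 LOGIN_FAIL
2024-03-04T23:14:06Z anna 203.0.113.7 LOGIN_FAIL
2024-03-04T23:14:08Z anna 203.0.113.7 LOGIN_FAIL
2024-03-04T23:14:09Z anna 203.0.113.7 LOGIN_FAIL
2024-03-04T23:14:30Z anna 203.0.113.7 LOGIN_OK
2024-03-05T09:00:00Z csaba 10.0.0.30 LOGIN_OK
`;

// Parse the raw text into event objects sorted by time. Blank lines are
// skipped; malformed lines are rejected rather than dropped, so a damaged
// log cannot silently hide events from the checks below.
function parseLog(text) {
  const events = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const parts = line.split(/\s+/);
    if (parts.length !== 4 || !['LOGIN_OK', 'LOGIN_FAIL'].includes(parts[3])) {
      throw new Error(`malformed log line: ${line}`);
    }
    const ts = new Date(parts[0]);
    if (Number.isNaN(ts.getTime())) throw new Error(`bad timestamp: ${line}`);
    events.push({ ts, user: parts[1], ip: parts[2], result: parts[3] });
  }
  return events.sort((a, b) => a.ts - b.ts);
}

// Run the three checks and return a list of findings.
// Thresholds and working hours are assumptions for this example.
function detectAnomalies(events, opts = {}) {
  const {
    failThreshold = 5,               // failures from one source against one account
    failWindowMs = 60 * 1000,        // ... within this sliding window
    sharedWindowMs = 10 * 60 * 1000, // two source IPs for one account within this window
    workStartUtc = 7, workEndUtc = 19,
  } = opts;
  const findings = [];
  const recentFails = new Map(); // "user|ip" -> timestamps of recent failures
  const lastOk = new Map();      // user -> { ts, ip } of the last successful login

  for (const e of events) {
    const key = `${e.user}|${e.ip}`;
    const fails = (recentFails.get(key) || []).filter(t => e.ts - t <= failWindowMs);

    if (e.result === 'LOGIN_FAIL') {
      fails.push(e.ts);
      if (fails.length === failThreshold) {
        findings.push({ rule: 'fail_burst', user: e.user, ip: e.ip, at: e.ts.toISOString() });
      }
    } else {
      // A success right after a burst of failures is the classic brute-force signature.
      if (fails.length >= failThreshold) {
        findings.push({ rule: 'success_after_burst', user: e.user, ip: e.ip, at: e.ts.toISOString() });
      }
      // Same account, different source, within a short window: the password is probably shared.
      const prev = lastOk.get(e.user);
      if (prev && prev.ip !== e.ip && e.ts - prev.ts <= sharedWindowMs) {
        findings.push({ rule: 'shared_credential', user: e.user, ips: [prev.ip, e.ip], at: e.ts.toISOString() });
      }
      lastOk.set(e.user, { ts: e.ts, ip: e.ip });
      // Successful access outside working hours deserves a look even when it turns out to be legitimate.
      const hour = e.ts.getUTCHours();
      if (hour < workStartUtc || hour >= workEndUtc) {
        findings.push({ rule: 'off_hours', user: e.user, ip: e.ip, at: e.ts.toISOString() });
      }
    }
    recentFails.set(key, fails);
  }
  return findings;
}

// Run the checks against the constructed sample and print one finding per line.
for (const f of detectAnomalies(parseLog(SAMPLE_LOG))) console.log(JSON.stringify(f));
```

On the constructed sample the script reports four findings: the five failures against anna from 203.0.113.7, the successful login from the same address seconds later, bela's logins from two addresses twelve seconds apart, and anna's late-evening login. A finding is a prompt to investigate, not proof of an incident; what matters for item 4) is that someone actually reads the output on a schedule and that the log lines themselves cannot be altered by the accounts they describe.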
12. What do we do in the event of a data breach?
12.1 Obligations relating to the prevention of a personal data breach
1) A data breach (a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) must be prevented by all reasonable and available means.
2) In the event of an indication of a data breach, the Data Controller shall investigate the data breach immediately upon becoming aware of it and determine whether or not a data breach has occurred.
3) Even in cases that do not constitute a personal data breach, if conclusions can be drawn from them for the sake of future safer operation, the events must be documented and the Data Controller will take the necessary measures on this basis.
12.2. Notification of a personal data breach to the supervisory authority
1) The controller shall notify the personal data breach to the supervisory authority competent under Article 55 of the Regulation without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay.
2) The processor shall notify the controller of the personal data breach without undue delay after becoming aware of it.
3) The notification shall at least:
(a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) communicate the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4) If and to the extent that it is not possible to provide the information at the same time, it may be provided in instalments at a later date without further undue delay.
5) The Data Controller shall document every personal data breach, recording the facts relating to the breach, its effects and the remedial action taken. This record shall enable the supervisory authority to verify compliance with Article 33 of the Regulation.
12.3. Informing the data subject of the personal data breach
1) If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.
2) The communication to the data subject shall, in clear and plain language, at least:
(a) describe the nature of the personal data breach;
(b) give the name and contact details of the Data Protection Officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the personal data breach;
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
3) The data subject need not be informed if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
(b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
(c) the information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.
4) If the data subject has not yet been notified of the personal data breach by the controller, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed or determine that one of the conditions for exemption from notification is met.
13. What are your rights as a data subject?
13.1 General rules on the procedure for the exercise of data subjects' rights
1) The Data Controller shall provide the data subject with all information and communications relating to the processing of personal data, under or on the basis of this Privacy and Data Protection Notice (which is drawn up on the basis of its Privacy and Data Processing Policy), in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Any extract shall refer to the full Privacy and Data Protection Notice (by attaching it or by providing a link to it).
2) Information concerning the data subject shall be provided only to the data subject. If the person requesting the information cannot be identified as the data subject beyond reasonable doubt, the information shall be refused. In such a case, the person acting on behalf of the Data Controller shall keep a record of the facts, which may serve as a basic document for the handling of any complaint.
3) Identification shall also be carried out in accordance with the principles of Article 5 of the Regulation (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, limited storage, integrity and confidentiality, accountability) and in accordance with the necessary and sufficient principle (e.g. no further identification is required in the case of a request from the data subject's e-mail address held by the controller).
4) If the data subject has made the request by electronic means, the information shall be provided by electronic means, where possible, unless the data subject requests otherwise.
5) Oral information may be provided at the request of the data subject, provided that he or she has duly proven his or her identity.
6) The Data Controller shall inform the data subject of the action taken on the request within one month of receipt of the request at the latest. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request.
7) If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.
8) The Data Controller shall inform each recipient of any rectification, erasure or restriction of processing to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the data subject of these recipients.
13.2. Your right to prior information
1) The Data Controller shall provide the data subject, at the time of obtaining the data subject's personal data, with a Privacy and Data Protection Notice containing the information required by Articles 13 and 14 of the Regulation.
2) The Data Protection and Privacy Notice shall be placed by the Data Controller in the footer of its website in an electronically downloadable format and shall also be displayed on paper in a place accessible to data subjects.
13.3. Your right of access
1) The data subject may request in writing, via the contact details given by the Data Controller in point 2, that the Data Controller inform him or her whether his or her personal data are being processed and, if so:
a) the purposes of the processing,
b) which personal data are processed,
c) the recipients to whom they have been or will be disclosed,
d) for how long the Data Controller intends to store them,
e) where the data were not collected from the data subject, any available information as to their source,
f) whether they have been or will be transferred to a third country or an international organisation and, if so, under what safeguards (Article 46).
2) The information shall also include information on the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data relating to him or her, to object to the processing of such personal data and to lodge a complaint with the supervisory authority.
3) The Data Controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to request a copy should not adversely affect the rights and freedoms of others.
13.4. Your right to rectification
The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.
13.5 Your right to erasure ("right to be forgotten")
1. The data subject may request the erasure of his or her personal data in writing to the Data Controller via the contact details provided by the Data Controller in point 2, if:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject objects to the processing on the basis of Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing on the basis of Article 21(2);
d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1).
2. Where the Controller has made the personal data public and is obliged to erase them, it shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by those controllers of any links to, or copy or replication of, those personal data.
3. The Controller may refuse erasure where the processing is necessary for the establishment, exercise or defence of legal claims or in other cases pursuant to Article 17(3) of the Regulation.
13.6 Your right to restriction of processing
1. The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing pursuant to Article 21(1); in this case, the restriction shall apply for the period until it is established whether the controller's legitimate grounds prevail over the data subject's legitimate grounds.
2.Where processing is restricted pursuant to paragraph 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
3. The Data Controller shall inform the data subject at whose request the processing has been restricted pursuant to paragraph (1) in advance of the lifting of the restriction.
13.7. Your right to data portability
1. The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, if:
(a) the processing is based on the data subject's consent or on a contract between the data subject and the Controller as contracting parties; and
(b) the processing is carried out by automated means.
2. In exercising the right to data portability, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.
3. The exercise of the right to data portability shall be without prejudice to the right to erasure. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right to data portability must not adversely affect the rights and freedoms of others.
13.8. Your right to object
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) or (f), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.
3. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.
4. The right to object must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information must be clearly displayed separately from any other information.
5. In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1), the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
13.9 Automated decision-making in individual cases, including profiling
1.The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph (1) shall not apply where the decision is:
(a) necessary for the conclusion or performance of a contract between the data subject and the controller;
(b) permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) based on the explicit consent of the data subject.
3. In the cases referred to in paragraph 2(a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.
13.10. Restrictions
Union or Member State law to which the Data Controller or its processor is subject may restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34 of the Regulation, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard the objectives listed in Article 23(1) of the Regulation.
14. What can you do if you cannot exercise your rights as described here?
1. The Data Controller shall endeavour to ensure that the data subject's rights in relation to data processing can be exercised in accordance with the law and that all cases are concluded to his or her satisfaction.
2. If the data subject's objections, complaints or requests regarding his or her personal data have not been satisfactorily resolved by the Data Controller, or if the data subject considers at any time that a violation of rights has occurred or is imminent in relation to the processing of his or her personal data, he or she has the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information.
Contact details of the National Authority for Data Protection and Freedom of Information
Head office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, Pf. 5
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Web: https://www.naih.hu/
15. Where can you exercise your rights in relation to data processing?
Where the data subject considers that his or her personal data are being processed unlawfully, he or she may bring a civil action against the Controller. The action falls within the competence of the regional court (törvényszék). At the data subject's option, the action may also be brought before the court of his or her place of residence (for a list of courts and their contact details see http://birosag.hu/Tornadoes).
Valid from __________________________ until withdrawn.