This Prospectus covers data management on the Website operated by Zconcept Kft. (registered office: 2094 Nagykovácsi, Kalász utca 16.), data controller (hereinafter: the Company), as the owner and operator of the https://zconcept.hu/ website (hereinafter: the Website), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter: the Decree) and Decree CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.).
The establishment and amendment of the Prospectus is the responsibility of the Chief Executive Officer.
Date: Budapest, May 25, 2018
Zconcept Kft.
Table of contents
1. INTRODUCTION
2. NAME OF THE COMPANY (DATA CONTROLLER)
3. NAME OF DATA PROCESSORS
3.1.1. The concept of data processing
3.1.2. Data Processor for the maintenance and management of the Website
4. LEGAL BASIS FOR DATA MANAGEMENT
4.1.1. Data management with the consent of the data subject
4.1.2. Data management for contract fulfillment
4.1.3. Fulfillment of a legal obligation to the Company or protection of the vital interests of the person concerned or another natural person
4.1.4. Enforcing the legitimate interests of the Company or a third party
4.1.5. The range of persons entitled to access the data
5. RIGHTS OF THE PERSON CONCERNED
5.1.1. Right to information
5.1.2. The data subject’s right of access
5.1.3. Right to rectification
5.1.4. Right of cancellation (“right to forget”)
5.1.5. Right to restrict data processing
5.1.6. Obligation to notify in connection with the rectification or erasure of personal data or restrictions on data processing
5.1.7. The right to data portability
5.1.8. Right to protest
5.1.9. Right to be exempted from automated decision-making
5.1.10. The right of the data subject to lodge a complaint and to seek redress
5.1.11. Information on the data protection incident
5.1.12. Procedure to be followed at the request of the data subject
6. CONTRACT – RELATED DATA PROCESSES
6.1.1. Data management activities related to the performance of the contract.
6.1.2. Contact details of natural person representatives of legal entity customers, buyers, suppliers
6.1.3. Voice recording of telephone calls by customer service
7. DATA MANAGEMENT RELATED TO THE WEBSITE OPERATED BY THE COMPANY
7.1.1. User data management on the Company’s website – Information on the use of cookies
7.1.2. Registration on the Company’s website
7.1.3. Newsletter service related data management
7.1.4. Data management related to contact or request for quotation on the website
7.1.5. Data management related to the web store operated by the Company
7.1.6. Data management related to direct marketing activities
7.1.7. Data management related to the organization of gift draws
8. DATA SECURITY MEASURES
8.1.1. Data security measures
9. DATA PROTECTION INCIDENTS
9.1.1. The concept of a data protection incident
9.1.2. Treatment and remediation of data protection incidents
9.1.3. Record privacy incidents
10. CHANGES TO THE CONTENT OF THE WEBSITE AND PRIVACY INFORMATION
INTRODUCTION
The Company handles information that does not qualify as personal data on the Website, as well as personal data voluntarily provided by the data subject. Infotv. and the Regulation define personal data as “data which may be associated with the data subject, in particular his or her name, identification mark and knowledge of one or more physical, physiological, mental, economic, cultural or social identities, and the conclusion which may be drawn from the data concerning the data subject.” The Company does not handle specific data (data on racial origin, nationality, political opinion or party affiliation, religious or other worldview, health status, etc.).
NAME OF THE COMPANY (DATA CONTROLLER)
The Company informs the data subject that it qualifies as a data controller in the management of its personal data.
COMPANY NAME: Zconcept Kft.
HEADQUARTERS: 2094 Nagykovácsi, Kalász utca 16.
COMPANY REGISTRATION NUMBER: 13-09-128270
TAX NUMBER: 14739008-2-13
PHONE: +36 ………… ..
NAME OF REPRESENTATIVE: Zoltán Seprenyi managing director
E-MAIL: info@zconcept.hu
NAME OF DATA PROCESSORS
The concept of data processing
For the purpose of operating and maintaining the Website, the Company uses an external data processor, which is entrusted with the personal data that the Company manages on the basis of the data subject’s voluntary consent.
Data Processor: a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the Company.
The use of a data processor does not require the prior consent of the data subject, but the data subject must be informed of it. Accordingly, the Company provides the following information:
Data Processor for the maintenance and management of the Website
The Company uses a data processor to maintain and manage the Website and, within this framework, handles the personal data provided on the Website for the duration of the existing service contract. The operation performed by the data processor is the storage of personal data on the server.
Data processor used to maintain and manage the Website:
Company name: MakeIt Online Kft.
Headquarters: 1138 Népfürdő utca 3 / A
Representative: Ádám Galgóczi managing director
Phone number: +36 (20) 368-0574
E-mail address: adam.galgoczi@makeitonline.hu
LEGAL BASIS FOR DATA MANAGEMENT
- Data management with the consent of the data subject
- The lawfulness of the processing of personal data must be based on the consent of the data subject or have some other legal basis established by law. Consent must be voluntary, specific, well-informed and clear.
- In the case of data processing based on the data subject’s consent, the data subject may give his or her consent to the processing of his or her personal data in the following form:
- a) in writing, in the form of a statement giving consent to the processing of personal data,
- b) by electronic means, by express conduct on the Company’s website https://zconcept.hu/, by ticking a check box, or by making technical adjustments in connection with the use of information society services, as well as by any other statement or action which clearly indicates in the given context the data subject’s consent to the intended processing of his or her personal data.
Silence, a pre-ticked box, or inaction do not constitute consent.
- The consent covers all data processing activities carried out for the same purpose or purposes. If the data management serves several purposes at the same time, the Company will request the consent for all data management purposes. If the consent of the data subject is given after the electronic request of the Company, the request of the Company shall in all cases be clear, concise and shall not unnecessarily impede the use of the service in respect of which the Company requests the consent.
- The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal. The Company shall inform the data subject of this before consent is given. The Company makes withdrawing consent as simple as giving it.
- If the personal data has been collected with the consent of the data subject, the Company may, unless otherwise provided by law, process the collected data for the purpose of fulfilling a legal obligation applicable to it without further consent, even after the withdrawal of the data subject’s consent.
- Data management to fulfill the contract
- Data processing is considered lawful if it is necessary for the performance of a contract in which the data subject is one of the parties or to take steps at the request of the data subject prior to the conclusion of the contract.
- The Company does not make the conclusion or performance of a contract conditional on consent to the processing of personal data that is not necessary for the performance of the contract.
- Fulfillment of a legal obligation to the Company or protection of the vital interests of the person concerned or another natural person
- In the case of data management based on a legal obligation, the provisions of the underlying legislation apply to the range of data that can be managed, the purpose of data processing, the duration of data storage and the recipients.
- Data processing based on the fulfillment of a legal obligation is independent of the data subject’s consent, as the data processing is defined by law. Prior to the commencement of data processing, the Company informs the data subject that data processing is mandatory and informs the data subject clearly and in detail about all facts related to data processing, in particular the purpose and legal basis of data processing, the person authorized the duration of the data processing, whether the personal data of the data subject are processed by the data controller on the basis of the legal obligation applicable to him or her, and who can get acquainted with the data. The information shall also cover the data subject’s rights and remedies. In the case of mandatory data management, the information may also be provided by publishing a reference to the legal provisions containing the former information.
- The Company lawfully handles personal data even if the data processing is necessary to protect the vital interests of the data subject or another natural person.
- Enforcing the legitimate interests of the Company or a third party
- The legitimate interest of the Company or a third party may provide a legal basis for data processing (Article 6 (1) (f) of the Regulation), provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the data subject based on his or her relationship with the Company. Such a legitimate interest may arise, for example, where there is a relevant and appropriate relationship between the data subject and the Company, such as where the data subject is a customer of the Company or is employed by it.
- In determining the existence of a legitimate interest, the Company carefully examines whether the data subject can reasonably expect, at the time of and in connection with the collection of personal data, that data processing may take place for the given purpose.
- The interests and fundamental rights of the data subject may take precedence over the interests of the Company if the Company handles personal data in circumstances in which the data subjects do not expect further data processing.
- The range of persons entitled to access the data
- Personal data may be disclosed to employees of the Company with access rights related to the relevant data management purpose, or to persons and organizations performing data processing activities for the Company on the basis of service contracts, to the extent necessary for the performance of their activities.
RIGHTS OF THE PERSON CONCERNED
- Right to information
- The data subject has the right to receive information related to data management from the Company before data management begins.
- When collecting personal data, the Company provides the following information to the data subject:
- the name and contact details of the Company and its representative;
- the purpose of the intended processing of personal data and the legal basis for the processing;
- in the case of data processing based on a legitimate interest, an indication of the legitimate interests of the Company or a third party;
- where applicable, the recipients or categories of recipients of the personal data;
- the fact that the Company wishes to transfer personal data to a third country or an international organization
- In addition to the information referred to in Section 1.2., the Company shall, at the time of obtaining the personal data, in order to ensure fair and transparent data management, inform the data subject of the following additional information:
- the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
- the data subject’s right to request from the Company access to, rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data and the data subject’s right to data portability;
- in the case of data processing based on the data subject’s consent, the right to withdraw the consent at any time, without prejudice to the lawfulness of the data processing carried out prior to the withdrawal;
- the right to lodge a complaint to the supervisory authority;
- whether the provision of personal data is based on a law or a contractual obligation or a precondition for concluding a contract, whether the data subject is obliged to provide personal data and the possible consequences of not providing the data;
- the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in these cases, comprehensible information on the logic used, the significance of such data processing and its expected consequences for the data subject.
- If the Company wishes to perform further data processing on personal data for a purpose other than the purpose of their acquisition, it shall inform the data subject, prior to the further data processing, of this different purpose and of all relevant additional information referred to in Sections 1.2. and 1.3.
- The data subject’s right of access
- The data subject has the right to receive feedback from the Company as to whether the processing of his / her personal data is in progress and, if such data processing is in progress, he / she has the right to access the personal data and the following information (Article 15 of the Regulation):
- the purposes of data management;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be communicated by the Company, including in particular third country recipients or international organizations;
- where applicable, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
- the right of the data subject to request the Company to rectify, delete or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
- the right to lodge a complaint with a supervisory authority;
- if the data were not collected from the data subject by the Company, all available information on their source;
- the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in these cases, comprehensible information on the logic used, the significance of such data processing and its expected consequences for the data subject.
- If personal data are transferred to a third country or to an international organization, the data subject is entitled to be informed of the appropriate guarantees for the transfer under Article 46.
- The Company provides the data subject with a copy of the personal data that is the subject of data processing. The Company may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the request electronically, the information shall be made available by the Company in a widely used electronic format, unless the data subject requests otherwise.
- Right to rectification
- The data subject has the right to have inaccurate personal data concerning him / her corrected at his / her request without undue delay.
- Taking into account the purpose of the data processing, the data subject has the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary declaration.
- Right of cancellation (“right to forget”)
- The data subject has the right to have the Company delete personal data concerning him / her without undue delay at his / her request, and the Company is obliged to delete personal data concerning him / her without undue delay if:
- personal data are no longer required for the purpose for which they were collected or otherwise processed by the Company;
- the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there is no overriding legitimate reason for the processing;
- personal data has been unlawfully processed by the Company;
- personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the Company;
- personal data have been collected in connection with the provision of information society services referred to in Article 8 (1) of the Regulation.
- The right to delete cannot be enforced if data management is required:
- for the purpose of exercising the right to freedom of expression and information;
- for the fulfillment of an obligation under EU or Hungarian law applicable to the Company requiring the processing of personal data, or in the public interest;
- on grounds of public interest in the field of public health;
- for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, where the right of erasure would be likely to make such processing impossible or seriously jeopardize it; or
- to submit, enforce or defend legal claims.
- Right to restrict data processing
- Where data processing is restricted, such personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the Union or a Member State.
- The data subject has the right to have the Company restrict the data processing at his or her request if any of the following is met:
- the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period of time that allows the Company to verify the accuracy of the personal data;
- the Company’s data processing is illegal and the data subject opposes the deletion of the data and instead requests a restriction on their use;
- the Company no longer needs personal data for the purpose of data processing, but the data subject requests it in order to submit, enforce or protect legal claims; or
- the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Company take precedence over the legitimate reasons of the person concerned.
- The Company informs the data subject in advance about the lifting of the data processing restriction.
- Obligation to notify in connection with the rectification or erasure of personal data or restrictions on data processing
- The Company will inform any recipient to whom or with whom the personal data has been communicated of the rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort.
- The right to data portability
- The data subject has the right to receive the personal data concerning him / her, which he / she has made available to the Company, in a structured, widely used, machine-readable format, and to transfer this data to another data controller without the Company preventing it, if:
- the processing is based on consent or contract; and
- data management is automated.
- In exercising the right to data portability under Section 7.1., the data subject shall have the right, if technically feasible, to request the direct transfer of personal data between data controllers.
- The exercise of the right to data portability must not infringe Article 17 of the Regulation (right of cancellation). The right to data portability does not apply if the processing is in the public interest. This right must not adversely affect the rights and freedoms of others.
- Right to protest
- The data subject has the right to object at any time, for reasons related to his / her situation, to the processing of his / her personal data in the exercise of a public interest or public authority, or to the processing of data necessary for the legitimate interests of the Company or a third party (Article 6 (1) (e) or (f) of the Regulation), including profiling based on those provisions. In this case, the Company may not further process the personal data, unless the Company demonstrates that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which are related to bringing, enforcing or defending legal claims.
- If the processing of personal data is carried out by the Company for the purpose of direct business acquisition, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including profiling, if it is related to direct business acquisition. If the data subject objects to the processing of personal data for the purpose of direct business acquisition, the personal data will no longer be processed by the Company for this purpose.
- The Company shall draw attention to the right referred to in Sections 8.1. and 8.2. at the latest during the first contact with the data subject, separately from other information.
- The data subject may also exercise the right to object by automated means based on technical specifications.
- If personal data are processed for scientific and historical research or statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject has the right to object to the processing of personal data concerning him or her on grounds relating to his or her situation, unless data processing is necessary for the performance of a task performed in the public interest.
- Right to be exempted from automated decision-making
- The data subject has the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects on him or her or would be similarly significant.
- Section 9.1. shall not apply if the decision:
- is necessary for the conclusion or performance of a contract between the data subject and the Company;
- is made possible by EU or Hungarian law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
- is based on the express consent of the data subject.
- In the cases referred to in points a) and c) of Section 9.2., the Company shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, thus ensuring that the data subject can request human intervention, express his or her views and object to the decision.
- The decisions referred to in Section 9.2. may not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the data subjects’ rights, freedoms and legitimate interests.
- The right of the data subject to lodge a complaint and to seek redress
- Right to complain to the supervisory authority: Under Article 77 of the Regulation, the data subject has the right to complain to the supervisory authority if he considers that the processing of personal data concerning him infringes the Regulation. The supervisory authority to which the complaint has been lodged shall inform the customer of the progress of the complaint and of the outcome thereof, including the right of the customer to seek judicial redress under Article 78 of the Regulation.
The data subject may exercise his / her right to complain at the following contact details:
National Data Protection and Freedom of Information Authority
address: 1125 Budapest, Szilágyi Erzsébet avenue 22 / c.
Phone: +36 (1) 391-1400;
Fax: +36 (1) 391-1410
Website: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
- Right to an effective judicial remedy against the supervisory authority: without prejudice to other administrative or non-judicial remedies, all natural and legal persons have the right to an effective judicial remedy against a legally binding decision of the supervisory authority. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments or the outcome of the complaint lodged under Article 77 of the Regulation. Proceedings against the supervisory authority shall be brought before a court of the Member State in which the supervisory authority has its seat.
- Right to an effective judicial remedy against the controller or processor: without prejudice to available administrative or non-judicial remedies, including the right to complain to the supervisory authority under Article 77, all persons concerned shall have the right to an effective judicial remedy if they consider that their rights under the Regulation have been violated as a result of improper handling of their personal data. Proceedings against the controller or the processor shall be brought before the courts of the Member State in which the controller or the processor is established. Such proceedings may also be instituted before a court of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.
- Information on the data protection incident
- If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Company will inform the data subject of the data protection incident without undue delay.
- In the information provided to the data subject under Section 11.1., the Company shall clearly and intelligibly describe the nature of the data protection incident and state at least the following:
- the name of the Data Protection Officer or other contact person for further information;
- the likely consequences of the data protection incident;
- measures taken or planned by the Company to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.
- The Company will not inform the data subject if any of the following conditions are met:
- the Company has implemented appropriate technical and organizational security measures and has applied these measures to the data affected by the data protection incident, in particular those measures, such as the application of encryption, which make the data incomprehensible to persons not authorized to access the personal data;
- the Company has taken further measures following the data protection incident to ensure that the high risk to the data subject’s rights and freedoms referred to in Section 11.1. is unlikely to materialize in the future;
- the information would require a disproportionate effort. In such cases, the Company shall inform the parties concerned through publicly available information or take a similar measure to ensure that the parties are informed in an equally effective manner.
- Procedure to be followed at the request of the data subject
- The Company facilitates the exercise of the data subject’s rights, and may not refuse to comply with the data subject’s request to exercise the rights set forth in these Regulations, unless it proves that the data subject cannot be identified.
The data subject may send a request or question concerning data processing to the following address:
by post to the address at 1694 Nagykovácsi, Kalász utca 16
electronically to info@zconcept.hu
The Company shall send its reply without delay, but not later than within 30 days, to the address specified by the person concerned.
- The Company shall, without undue delay, but in any case within one month from the receipt of the request, inform the data subject of the action taken on the request. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Company shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.
- If the data subject has submitted the application electronically, the information will be provided electronically by the Company, unless the data subject requests otherwise.
- If the Company does not take action at the request of the data subject, it shall inform the data subject without delay, but no later than within one month from the receipt of the request, of the reasons for non-action and of the fact that the data subject may file a complaint with the supervisory authority and seek legal remedies.
- The Company shall provide the information specified in Articles 13 and 14 of the Decree, and the information and measures under Articles 15–22 and 34 of the Decree (feedback on the processing of personal data, access to processed data, rectification, supplementation, deletion, restriction of data processing, data portability, protest against data processing, information on the data protection incident), to the data subject free of charge.
- If the request of the data subject is clearly unfounded or – especially due to its repetitive nature – excessive, the Company, taking into account the administrative costs of providing the requested information or taking the requested action, may charge a fee of HUF 5,000 or refuse to take action on the request.
The burden of proving that the application is manifestly unfounded or excessive is on the Company.
- If the Company has reasonable doubts about the provisions of Articles 15–21 of the Decree. With regard to the identity of the natural person submitting the application under Article
CONTRACT – RELATED DATA PROCESSES
- Data management activities related to the performance of the contract.
- The Company handles the personal data of the natural person partners contracting with it in connection with the contractual relationship, including the conclusion, performance and termination of the contract. The Company informs the data subject about the handling of personal data in the contract.
- Stakeholders: all natural persons, sole proprietors, primary producers who establish a contractual relationship with the Company.
- The legal basis of data management is the performance of a contract, the purpose of data management is to maintain contact, enforce claims arising from the contract, and ensure compliance with contractual obligations.
- Recipients of personal data: the senior official of the Company, as well as the employees and data processors of the Company performing customer service and accounting tasks on the basis of their job.
- Scope of personal data processed: name, address, billing address, mailing address, registered office, telephone number, e-mail address, tax number, tax identification number, bank account number, business card number, primary producer card number, mother’s name.
- Duration of data management: 5 years from the termination of the contract.
- The data processing according to this point 1 is considered lawful even if the data processing is necessary to take steps (offers) at the request of the data subject before concluding the contract. The legal basis of data management in the case of a request for quotation is the consent of the data subject, the purpose of data management: making an offer, keeping in touch. Recipients of personal data: employees of the Company performing customer service-related tasks, as well as employees performing accounting and tax tasks, and data processors. Duration of storage of personal data: 30 days after the offer is made.
- Contact details of the natural person representatives and contact persons of legal entity partners
- The Company manages the data of the natural person representatives and contact persons of the legal entity partners contracting with it in connection with the contractual relationship, such as the conclusion, performance and termination of the contract.
- Stakeholders: all natural persons who are indicated in the contract as the partner’s representative and contact person of the legal entity concluding the contract with the Company.
- The legal basis of data management is the consent of the data subject, the purpose of data management is business relations.
The Company’s legal entity partner is responsible for obtaining the consent of the natural person prior to the conclusion of the contract and for making it available to the Company for the processing of the data indicated in the contract concluded with the Company in accordance with this clause.
- Recipients of personal data: the senior official of the Company, as well as the employees and data processors of the Company performing customer service tasks on the basis of their job.
- Scope of personal data processed: name, address, telephone number, e-mail address of the natural person.
- Duration of storage of personal data: 5 years after the existence of the business relationship or the status of the representative concerned.
- Voice recording of telephone calls by customer service
- The Company does not operate a telephone customer service, so it does not handle personal data in this connection.
DATA MANAGEMENT RELATED TO THE WEBSITE OPERATED BY THE COMPANY
- User data management on the Company’s website – Information on the use of cookies
- It is possible for anyone to view the Website without providing any personal information. During visits to the Website, a small file, called a “cookie” (hereinafter referred to as “Cookie”), is stored on the user’s computer (or other Internet-enabled device such as a smartphone or tablet), through which the user’s browser can be uniquely identified, provided that the user has given his/her express (active) consent to this by his/her behavior, namely by further browsing the website after clear and unambiguous information. By visiting (browsing) the Website, the data subject consents to the Company handling and recording non-personal information. Personal data does not include data of a technical nature from which the person concerned cannot be identified, so such data do not fall within the scope of the Infotv. This information includes, in particular, the IP address, the date of the visit to the Website, the type of computer operating system, the address of another website that directed the person to the Website, etc. This non-personal information will be processed in an automated form for statistical and development purposes up to a maximum of 60 days after the visit.
- Cookies are essential for the proper functioning of the Website and collect information about the use of the Website in order to improve the user experience, i.e. to make the Website even more convenient and useful. Some Cookies are stored only temporarily (created for a period of time until the browser is closed), while other Cookies remain on your computer for a longer period of time.
- Data managed during the visit to the website: the following information about the visitor and the device used for browsing is recorded and managed when the Website is used: the IP address used by the visitor, the type of browser, the operating system characteristics of the device used to browse (set language), date of visit, page(s), feature or service visited, click. The cookies used on the website do not store personally identifiable information, and the Company does not process personal data in this regard.
- By using the Website, the user consents to the website’s use of Cookies as described in this section 1. By default, most Internet browsers allow cookies to be stored without any user intervention and/or notification. If the user does not agree to the use of Cookies, he must set his browser accordingly. The user can change the default settings of the browser by blocking Cookies or by requesting a warning about what cookies the visited website uses. For more information or to change settings, see the help of the user’s browser.
- Registration on the Company’s website
- The Company does not provide the opportunity to register on the Website, therefore it does not handle personal data in this connection.
- Data management related to newsletter service
- The legal basis for data processing is the data subject’s consent, which the data subject gives on the Website by checking the box next to the text “subscribe to our newsletters first!” after being informed about the handling of his or her data.
- Stakeholder: any natural person who subscribes to the Company’s newsletter and consents to the processing of his or her personal data.
- Scope of personal data processed: name and e-mail address of the natural person.
- The purpose of the processing of personal data: to inform the data subject about the services and products of the Company, the changes that have taken place in them, to inform them about news and events.
- Recipients of personal data and categories of recipients: a senior official of the Company, employees performing tasks related to customer service and marketing activities, employees of a service provider performing the operation of the Company’s website as a data processor.
- Duration of storage of personal data: for as long as the newsletter service exists or until the withdrawal of the data subject’s consent. The data subject may unsubscribe from the newsletter at any time by clicking on the link in the footer of the e-mails sent to the data subject or by a written or e-mail statement, which means the withdrawal of consent. In such a case, all data of the data subject shall be deleted by the Company without delay.
- Data management related to contact or request for quotation on the website
- The use of certain services available on the Website (sending a message, requesting a quote) is conditional on the person concerned voluntarily providing personal data. Accordingly, the provision of data during the sending of the message to the Company means the voluntary acceptance of the provisions of these Regulations and the consent to the data management.
- The legal basis of the data processing is the consent given by the data subject on a voluntary basis, which the data subject gives on the Company’s website by ticking the box in the “Contact” or “Request a quote” section after informing about the processing of his data.
- Stakeholders: any natural person who consents to the processing of his or her personal data on the Company’s website.
- Scope of managed data in case of order: name, e-mail address, telephone number of the natural person.
- The purpose of the processing of personal data: the performance of the services provided.
- Recipients of personal data and categories of recipients: a senior official of the Company, employees performing tasks related to customer service and marketing activities, employees of a service provider performing the operation of the Company’s website as a data processor.
- Duration of storage of personal data: until the order or request for quotation is fulfilled or the data subject’s consent is revoked (until deleted at the data subject’s request).
- Data management related to the web store operated by the Company
- The Company’s Website does not allow for the conclusion of contracts (purchases) online and electronically, so it does not handle personal data in this connection.
- Data management related to direct marketing activities
- The Company does not perform data management for direct marketing purposes.
- Data management related to the organization of gift draws
- The Company does not organize a gift draw, so it does not handle personal data in this connection.
DATA SECURITY MEASURES
- Data security measures
- The Company may process personal data only in connection with the activities specified in these Regulations and only for the purpose of data management.
- The Company ensures the security of data, in this context it undertakes to take all technical and organizational measures that are essential for the enforcement of data security legislation, data and confidentiality rules, and to establish the procedural rules necessary for the enforcement of the legislation specified above.
- The Company shall protect the data by appropriate measures against accidental or unlawful destruction, loss, alteration, transmission, damage, unauthorized disclosure or unauthorized access to them, as well as becoming inaccessible due to changes in the technology used. The technical and organizational measures to be implemented by the Company are aimed at:
- pseudonymisation and encryption of personal data;
- ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
- in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
- the application of a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures taken to ensure the security of data processing.
The Company ensures that the personal data managed by it can be disclosed only to those employees or persons acting in the interests of the Company who actually need it in order to perform their job or duties.
- The Company stores the personal data provided during each data management activity separately from other data, provided that – in accordance with the above provision – the separated data files can be accessed only by employees with the appropriate access rights.
- The Company classifies and treats personal data as confidential. The Company imposes an obligation of confidentiality on the handling of personal data by employees who handle personal data in the course of their duties. The Company restricts access to personal data by specifying authorization levels.
- The Company will take the following necessary measures for the implementation of data security with regard to its IT records:
- Provides permanent protection against viruses for the data managed by it (uses real-time anti-virus software).
- Ensures the physical protection of the hardware devices of the IT system, including protection against elemental damage,
- Ensures the protection of the IT system against unauthorized access, both in terms of software and hardware devices,
- It shall take all measures necessary to restore the files, carry out regular backups and manage the backups separately and securely.
The Company will take the necessary measures to protect the paper records, in particular with regard to physical security and fire protection. The Company’s manager, employees and other persons acting on behalf of the Company are obliged to securely store and protect the data carriers they use or in their possession, including personal data, regardless of the method of recording the data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage.
- During the automated processing of personal data, the Company ensures:
- the prevention of unauthorized data entry;
- the prevention of the use of automatic data-processing systems by unauthorized persons using data communication equipment;
- the controllability and traceability of the bodies to which personal data have been or may be transmitted using data communication equipment;
- the controllability and traceability of which personal data have been entered into automatic data-processing systems, when and by whom;
- the resilience of installed systems in the event of a breakdown, and
- that errors in automated processing be reported.
- In order to protect personal data, the Company ensures the control of incoming and outgoing electronic communications.
- The Company does not allow the sharing of personal data managed by the Company on the Internet, nor visiting sites offering file download, game, chat and sexual services. It is also forbidden to use unauthorized programs received or downloaded from external sources.
- Only competent employees have access to the documents in progress and being processed. The Company ensures that the documents containing personnel, wage and labor and other personal data are kept securely closed. The Company ensures the adequate physical protection of the data, the devices carrying them, the hardware devices of the IT system and the documents.
DATA PROTECTION INCIDENTS
- The concept of a data protection incident
- A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise handled (Article 4 (12) of the Regulation).
- The following are considered data protection incidents: loss of a device containing personal data (laptop, mobile phone); insecure storage of personal data (e.g. labor papers thrown in the trash); insecure transmission of data; unauthorized copying, transmission, disclosure of customer and customer partner lists; attack on the IT system; e-mail containing personal data sent incorrectly.
- Treatment and remediation of data protection incidents
- The prevention and management of data protection incidents and the observance of the relevant legal regulations are the responsibility of the Company’s senior official.
- If a data protection incident is detected, the Company’s senior executive will immediately conduct an investigation to identify the data protection incident and determine its possible consequences. In this context, the Company examines and determines:
- the date and place of the incident,
- a description of the incident, its circumstances, effects,
- the scope and number of data compromised during the incident,
- the range of persons affected by the compromised data,
- a description of the measures taken to deal with the incident,
- a description of the measures taken to prevent, remedy and reduce the damage.
- In the event of a data protection incident, the Company shall delimit and segregate the affected systems, persons and data, and ensure the collection and preservation of evidence supporting the occurrence of the incident. Thereafter, the Company will begin to repair the damages and restore legal operation.
- The Company shall report the data protection incident to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is not likely to endanger the rights and freedoms of natural persons.
- Record of data protection incidents
- The Company maintains a record of data protection incidents, which includes:
- the scope of the personal data concerned,
- the number of people involved in the data protection incident,
- the date of the data protection incident,
- the circumstances and effects of the data protection incident,
- the measures taken to remedy the data protection incident,
- other data specified in the legislation prescribing data management.
- The Company will keep the data on the registered data protection incidents for 5 years.
CHANGES TO THE CONTENT OF THE WEBSITE AND PRIVACY INFORMATION
The Company expressly reserves the right to unilaterally change the current content of the Website operated by it and this Data Management Information without restriction, without notice, as well as to terminate or suspend any service.
Törökbálint, May 25, 2018