1. Purpose, scope and applicable law of the Privacy Notice
When drafting the provisions of the Information Notice, the organisation has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), the 2011 Act on the Right to Information Self-Determination and Freedom of Information (the “Act”), the 2011 Act on the Right to Information Privacy and Freedom of Information (the “Act”) and the 2011 Act on the Right to Information on the Right to Information and Freedom of Information (the “Act”). CXII of 2013 (“Information Act”), Act V of 2013 on the Civil Code (“Civil Code”) and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (“Act XLVIII of 2008”).
The scope of this Privacy Notice covers the processing of data related to the website available at https://ggki.hu (hereinafter referred to as the “Website”). This Privacy Notice is valid until revoked.
The purpose of the Privacy Notice is to harmonise the provisions of the other internal policies of the organisation with regard to data processing activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the adequate treatment of personal data.
Furthermore, an important purpose of issuing the Privacy Notice is to ensure that by knowing and complying with it, the organisation is able to lawfully process the data of natural persons.
Company registration number of the controller: 01-09-288623
Registered office: 1025 Budapest, Napsugár utca 4
Data Protection Officer: Júlia Mészöly
Data Controller is registered in Hungary.
3. The GDPR (General Data Protection Regulation) is the European Union’s new Data Protection Regulation.
The General Data Protection Regulation (GDPR).General Data Protection Regulation (GDPR) is the General Data Protection Regulation. Where the purposes and means of the processing are determined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be determined by Union or Member State law.
processing:any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
personal data:any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
data subject’s consent: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act unambiguously expressing his or her consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her.
restriction of processing:the marking of stored personal data for the purpose of limiting their future processing.
erasure: rendering data unrecognisable in such a way that it is no longer possible to retrieve them.
data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
The laws of the Member States shall govern.
4. Principles of data management
- be processed lawfully and fairly and in a transparent manner (“lawfulness, fairness and transparency”)
- be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’)
they must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimisation’)
- be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay (‘accuracy’)
- be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of data subjects (‘limited storage’)
it must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (‘integrity and confidentiality’), by implementing appropriate technical or organisational measures
The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).
5. Purpose of the processing
The Controller shall process personal data only for specified purposes. The data shall be collected and processed fairly and lawfully. The Data Controller shall endeavour to process only personal data that is necessary for the purpose of the processing and is adequate for the purpose. Personal data shall only be processed to the extent and for the duration necessary to achieve the purpose.
6. Scope of the data processed
CONTACT, CONTACT FORM
Purpose of processing: to contact, to keep in contact, to communicate information, to request information.
Legal basis for processing: voluntary consent of the data subject, Article 6(1)(a) GDPR.
Data processed: name, e-mail address, telephone number
Deadline for deletion of data: 2 years from the last contact
You can request the deletion or modification of your personal data in the following ways:
by post to WYGEN Kft, 1025 Budapest, Napsugár utca 4
by e-mail: firstname.lastname@example.org
The website of the data controller can be visited by anyone without the need to provide any personal data beyond the technically automatic processing.
7. The Data Controller stores the data subject’s data on its own servers and temporarily on the Data Controller’s computers.
The processing of the personal data of data subjects shall be carried out exclusively by the Controller.
In any case, the provision of data is voluntary, i.e. the data subject is free to decide whether or not to provide the requested personal data. If the data subject consents, the Data Controller will process the data in accordance with the law in force and within the limits of the data subjects’ consent.
In order to prevent unauthorised use and misuse of the personal data processed, the Data Controller applies extensive technical and operational security measures. Our security procedures are regularly reviewed and improved in line with technological developments.
8. Processing of technical data and cookies
Since natural persons can be associated with online identifiers, such as IP addresses and cookie identifiers, provided by the devices, applications, tools and protocols they use, this data, combined with other information, can and may be used to create a profile of a natural person and to identify that person.
Cookies are also able to remember preferences so that the user does not have to re-enter them when entering a new page, remember previously entered data so that it does not have to be re-entered, analyse the use of the website to ensure that improvements are made using the information obtained to ensure that it works as well as possible according to the user’s expectations, make it easy for the user to find the information they are looking for and monitor the effectiveness of our advertising.
If the Data Controller displays various content on the Website through external web services, this may result in the storage of some cookies that are not under the control of the Data Controller, and therefore it has no control over the data collected by these websites or external domains. Information about these cookies is provided in the policies for the specific service. The user can set their web browser to accept all cookies, reject all cookies or notify the user when a cookie is received. The setting options can usually be found in the “Options” or “Settings” menu of the browser. The detailed information on the English website www.aboutcookies.org also helps you with the settings in different browsers.
Cookies used by the website:
- Session cookies:These are essential for navigating our website, for the operation of key features of our website and for accessing protected content. These cookies store the information you need to fill in the forms and sometimes the language you choose, and do not collect any information about you that could be used to identify you, be used for marketing purposes or remember what other websites you have visited. Once the website is closed, these cookies are automatically deleted and the session is terminated.
- Functional cookies:These cookies are used to improve your user experience by detecting the device you use to access our website, remembering your previous usage choices (such as your username, password, language, region, whether you logged in during a previous session, changes you made to text size, font or other customisable elements of the website) so that we can offer you better and more personalised features. These cookies do not track your activity on other websites and we do not use them to send you advertising through other sites.
Cookies necessary for the use of the Website
|NAME||COOKIE||FUNKTION||DATE / DEADLINE FOR CANCELLATION|
|wordpress_||Session configuration||Contains session settings, ensures that the session/cookie is unique on a machine/browser.||When the browsing process ends|
|autoptimize_feed||A cookie to optimise the loading speed of the Website||The associated application improves the speed of loading the Website.||365 Days|
Cookies used by third parties
|NAME||COOKIE||FUNKTION||DATE / DEADLINE FOR CANCELLATION|
|_ga, _gat, _gid||Google Remarketing||Cookies created by Google to control how ads are displayed to the user.||maximum 365 Day,When the browsing process ends|
9. Data transmission
The Data Controller shall only transfer personal data to third parties if the data subject has given his or her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorised by law. The Data Controller shall in all cases document the transfers and keep records of the transfers.
10. Processing of data
The Data Controller shall be entitled to use a data processor to carry out its activities. Processors shall not take independent decisions and shall be entitled to act only in accordance with the contract concluded with the Controller and the instructions received. The Controller shall monitor the work of the processors. Processors shall be entitled to engage an additional processor only with the consent of the Controller.
The data processors used by the Controller:
DATA PROCESSING ACTIVITIES RELATED TO THE WEB HOSTING SERVICE
The data processor is Magyar Hosting Kft.
The data processor’s registered office is located at 18-22 Victor Hugo u. Victor Hugo u. 18-22 H-1132 Budapest.
Tax number: 23495919-2-41
Telephone number of the data processor: +36 (1) 700 2323
E-mail address of the data processor: email@example.com
The data processor is the data controller at the following address:
Duration of processing, deadline for deletion of data.
Legal basis for data processing. Article 5(1), Article 6(1)(a) GDPR and Article 13/A(3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
GOOGLE ANALYTICS AGGREGATED DATA ANALYTICS DATA PROCESSING ACTIVITIES
Google, Mountain View, California, USA
Data processor’s registered office: 4 Barrow Street, Dublin, Ireland
Data Processor’s email address: –
The Data Processor uses Google Analytics, a service provided by the Data Processor under contract with the Data Controller, to help both the Data Controller and the Data Processor to gain a more accurate picture of their visitors’ activities.
DATA PROCESSING ACTIVITIES RELATED TO THE OPERATION OF THE WEBSITE
The name of the data processor is Proprimo Marketing Kft.
The Data Processor is located at 13 Malompatak Street, 9400 Sopron, Hungary.
Tax number of the data processor: 22486169-1-08
Telephone number of the data processor: +36 (99) 788 174
E-mail address of the data processor: firstname.lastname@example.org
The Data Processor maintains the Website on the basis of a written contract with the Data Controller at certain intervals, backing up its database for security reasons
In the operation of the Website, the Data Controller shall use external service providers with which the Data Controller shall cooperate.
The personal data processed in the systems of the external service providers shall be governed by the respective privacy policies of the external service providers. The Data Controller will use its best efforts to ensure that the external service provider processes the personal data transferred to it in accordance with the law and uses it only for the purposes specified by the User or as set out in this notice.
The Data Controller shall inform Users about the transfer of data to external service providers in the context of this Notice.
External Service Providers:
Facebook Limited., 4 Grand Canal Square, Dublin Ireland (marketing, social communications, Facebook)
Google, Mountain View, California, United States (Google Analytics aggregated data analysis, Google Adwords online advertising, use of Youtube social interfaces, etc.)
12. Data security, access to data
The Data Controller shall ensure the security of the data, take the technical and organisational measures and establish the procedural rules necessary to enforce the applicable laws, data protection and confidentiality rules. The Data Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or damage and against inaccessibility resulting from changes in the technology used.
The Data Controller shall keep records of the data it processes in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting in the interests of the Data Controller (data processors) who need to know the data in order to perform their job or task. The data may only be accessed within the employee’s organisation if they are logged. The employees of the data controller shall only carry out individual searches and operations on the data at the request of the User or if this is necessary for the provision of the service.
3. Duration of data processing
The Controller shall delete the personal data if.
processing is unlawful:If it is found that the data are processed unlawfully, the Controller shall carry out the erasure without delay.
The data subject may request the erasure of data processed on the basis of the data subject’s voluntary consent. In this case, the Controller shall erase the data.
The data are incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that erasure is not excluded by law.
the purpose of the processing has ceased to exist or the time limit for the storage of the data laid down by law has expired. Since the Data Controller provides a continuous service to the data subject, the relationship between the parties is not time-barred. Therefore, unless the data subject requests otherwise, the Controller shall process the data for as long as the relationship between the Controller and the data subject exists and for as long as the Controller is able to provide the data subject with the service. All other data shall be deleted by the Controller if it is evident that the data will no longer be used, i.e. the purpose of the processing has ceased to exist.
If a court or the National Authority for Data Protection and Freedom of Information has ordered the erasure of the data, the erasure shall be carried out by the Controller. Instead of erasure, the Data Controller shall, after informing the data subject, block the personal data if the data subject so requests or if, on the basis of the information available to him or her, it is likely that erasure would harm the data subject’s legitimate interests. Personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists. The Controller shall mark the personal data that it processes where the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established. In the case of processing required by law, the deletion of data shall be governed by the law. In case of erasure, the Controller shall render the data unidentifiable. Where required by law, the Controller shall destroy the storage medium containing the personal data.
If the data controller has any questions or problems with the use of our services, the data subject may contact the data controller by the means indicated on the website (telephone, e-mail, social networking sites, etc.).
The data controller will delete the received e-mails, messages, data provided by telephone, Facebook, etc., together with the name and e-mail address of the interested party and other personal data voluntarily provided by the interested party, after a maximum of 2 years from the date of the communication.
Any processing not listed in this notice will be notified at the time the data is collected.
In exceptional cases, the Service Provider is obliged to provide information, data or documents in response to a request from a public authority or other bodies authorised by law.
In such cases, the Service Provider shall only disclose personal data to the requesting party – provided that the latter has indicated the precise purpose and scope of the data – to the extent and to the extent that is indispensable for the purpose of the request.
15. Rights in relation to data processing
The right to request information: any person may request, through the contact details provided, information on what data the organisation processes, on what legal basis, for what purpose, from what source and for how long. The request will be answered promptly, but within 30 days at the latest, by sending information to the contact details provided.
Right to rectification. Any person who wishes to exercise his or her right to rectify his or her personal data may request the rectification of his or her personal data without undue delay and within 30 days at the latest.
Right to erasure: Any person may request the erasure of his or her data by contacting the contact details provided. Any person who wishes to have his or her data deleted may have the right to have it deleted.
Data that we are required to retain for legal, statutory or contractual obligations to maintain commercial records will be blocked instead of erased to prevent their use for other purposes.
Right to blocking, restriction: any person may request the blocking of their data through the contact details provided. The blocking lasts as long as the reason stated makes it necessary to store the data. Upon request, this must be done promptly and within a maximum of 30 days and information must be sent to the contact details provided.
The right to object: any person may object to the processing of their personal data using the contact details provided. The objection shall be examined and a decision shall be taken on the merits within the shortest possible time from the date of the request, but not later than 15 days, and the decision shall be communicated to the contact details provided.
16. Enforcement possibilities in relation to data processing
National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, PO Box 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
Questions not covered by this leaflet
In matters not covered by this information notice, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv) shall apply