Privacy Policy
PÁSTI EDINA
IMPLICABLE: FROM 01.01.2021
Contractor’s name: Pásti Edina individual entrepreneur
Headquarters: 9700 Szombathely, Bertalan Árpád utca 8.
Tax number: 56753718-1-38
Registration number: 55439664
Phone number: 0620/544 5457
E-mail: hello@edinapasti.hu
- The purpose of this document:
The controller acknowledges that it is bound by the contents of this legal notice. This Privacy Notice is intended to inform your customers, partners and clients about the processing of their personal data. The Data Controller shall process personal data only in accordance with the provisions of applicable law and in strict compliance with the provisions of the data management and data protection regulations, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and limited storage.
The data controller shall take all technical and organisational measures to ensure that the personal data of its partners are processed in a secure manner as required by Regulation (EU) 2016/679 of the European Parliament and of the Council.Az adatkezelő fentieknek megfelelve alakította ki hétköznapi tevékenységét, dolgozta ki szabályzatait, nyilvántartásait, iratmintáit, tájékoztatóit.
The data protection policies relating to the data processing of the controller are permanently available on the website of the controller. The controller reserves the right to change this policy at any time. It will of course inform its audience of any changes in due time.
The data controller is committed to protecting the personal data of its customers and partners, and attaches great importance to respecting the right to information self-determination of its customers. The data controller treats personal data confidentially and takes all security, technical and organisational measures to guarantee the security of the data. The controller describes its data management practices below.
- The personal, material and temporal scope of the Privacy Notice:
The personal scope of this Privacy Notice extends to the controller and to the natural persons whose data are included in the processing covered by this Notice, as well as to persons whose rights or legitimate interests are affected by the processing.
The scope of this Notice covers all processing that occurs in the course of the controller’s activities.
This Policy shall enter into force on the date of approval and shall remain in force indefinitely until further notice.
- Important definitions:
Personal data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: any data that fall within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction or destruction.
Controller: a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.Controller: a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Joint controllers: where the purposes and means of processing are jointly determined by two or more controllers, they are considered to be joint controllers.
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Consent of the data subject: a voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation.
Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Lawful processing by the controller:
Personal data are processed by the controller only in the following cases:
- where the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes,
- processing is necessary for the performance of a contract to which the data subject is a party,
- processing is necessary for compliance with a legal obligation to which the controller is subject,
- processing is necessary in order to protect the vital interests of the data subject or of another natural person,
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.
The controller examines the lawfulness of data processing at all stages of its activities, and only processes data for which it can justify the purpose and legal basis. In the event that the conditions of a legal basis cease to apply, the processing may only be resumed if the controller can demonstrate an adequate alternative legal basis.
As a general rule, the way of proving the legal basis is in writing, but even in the case of a legal basis created by implied conduct, it must be examined whether it can be clearly proved ex post. In case of doubt, for reasons of reasonableness and economy, written confirmation of the imputability should be sought.
In the case of consent-based processing, the data subject gives his or her written consent to the processing of his or her personal data. Consent is not formally required, but subsequent evidence requires written consent on paper or in electronic form.
Processing based on a legal basis to fulfil a legal obligation is independent of the data subject’s consent, as the processing is defined by law.
Irrespective of the mandatory nature of the processing, the private individual concerned must be informed before the processing starts that the processing is mandatory and cannot be avoided, and must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the processing starts.
According to the GDPR (General Data Protection Regulation), personal data may also be processed if the processing is necessary for the performance of a contract to which the individual concerned is a party or if the processing is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract. The controller may process personal data for the purposes of the conclusion, performance or termination of the contract on the basis of the legal basis for performance of the contract.
- Processing of personal data by the controller:
The data controller is engaged in website and webshop development and maintenance. In addition, it provides virtual assistance services, in the framework of which it offers administrative activities to its customers. In the course of these activities, the controller comes into contact with personal data of natural persons. It carries out the following processing activities:
- The contractual partners of the controller may be both individuals and legal persons. The conclusion of a contract is preceded by a request for a proposal, by telephone, e-mail, a message on the social networking site or by using the contact form on the website (www.edinapasti.hu). The applicant provides his/her name, telephone number and e-mail address to which the controller sends his/her offer. If the offer is rejected, the personal data of the interested party will be deleted without delay and at the latest within 3 working days. The legal basis for the processing of personal data is the establishment of a contract (Article 6(1)(b) of the General Data Protection Regulation). If the data subject orders the offered service, a contract is concluded. When the contracts are concluded, the controller will have access to additional personal data of individuals (partners and contacts). The legal basis for the processing is the performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), and in the case of a contact person of a legal person, the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The controller issues an invoice for the services provided. The invoice shall contain the name, address and, where applicable, the tax number of the data subject. The issuing of the invoice is a legal obligation of the controller. The legal basis for the processing of personal data on the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). With regard to the storage of personal data on the invoice, the controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and on Small Business Tax and shall store them for a period of 5 years.
- In the course of the virtual assistant’s activities, the data controller may become aware of the personal data of the employees, partners and customers of the principals. In this respect, the data controller is a data processor, as it processes personal data for the purposes specified by the principal (as data controller). The data controller shall in any case conclude a so-called data processing contract with the principal, in which it declares that it will fully comply with Regulation (EU) 2016/679 of the European Parliament and of the Council and will not process the personal data of the principal and its partners for purposes other than those documented in the contract of engagement with the principal, unless such processing is required by the applicable legislation in force. The controller shall take reasonable steps to ensure the confidentiality of any person who may have access to the principal’s personal data and shall ensure that such access is limited to those persons who have a strictly necessary need to know or have access to the principal’s personal data for the purposes of the mandate. The controller shall sign an appropriate confidentiality agreement with each such person. The controller shall keep business secrets disclosed to it in the course of its activities and essential information concerning the principal and its clients and their operations. The data, procedures, methods, documents, records or other information relating to the principal and clients shall be used by the controller only for the performance of its tasks and shall not be disclosed to unauthorised persons or organisations, nor shall they be disclosed to third parties or otherwise misused. Information, documents and analyses provided by the principal shall be treated confidentially and shall not be made available to third parties. If the contractual relationship with the principal is terminated, the controller shall hand over all documents to the principal.
- In the performance of its tasks, the data controller processes the e-mail addresses and telephone numbers of its partners and clients in the performance of its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) or on the basis of their individual consent (Article 6(1)(a) of the General Data Protection Regulation).
- The controller may also have contractual relationships with subcontractors, suppliers and service providers in the course of its work, which also provide a basis for the processing of personal data. In this case, the legal basis for the processing of personal data is (in the case of an individual or sole trader) the performance of a contractual obligation (Article 6(1)(b) GDPR), and in the case of personal data of a contact of a legal person, the explicit, prior informed consent of the data subject (Article 6(1)(a) GDPR).
- Natural persons applying to the controller may submit a CV to the company. Personal data in the CV will also be processed. The legal basis for processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
- The data controller presents its activities mainly on its website (www.edinapasti.hu). The website informs visitors about the content and availability of the services of the controller. The website operates using cookies, which also collect personal data about visitors. The legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation).
- On the website, the visitor of the site has the possibility to contact the data controller by means of a contact form. In the form, the name and e-mail address of the interested party must be provided. The purpose of processing personal data is to contact the site visitor and the person interested in the services of the controller. If, after the contact, the service is not ordered, the personal data of the interested party will be deleted immediately, but within 3 working days at the latest. The controller processes the personal data for the purposes of the contract and on this legal basis (Article 6(1)(b) of the General Data Protection Regulation). By filling in the form, the data subject declares that he or she has read and accepted the Data Controller’s Privacy Notice.
- The website contains the views of some former customers on the services provided by the data controller. The reviews include full name, company name, occupation and a photo. The full name, image (or other personal data) and opinion of the reviewer will only be displayed on the website if the reviewer has given his or her written informed consent (Article 6(1)(a) of the General Data Protection Regulation).
- The data controller also offers the possibility to subscribe to a newsletter by providing your name and e-mail address. By subscribing to the newsletter, the data subject declares that he/she has read the Data Controller’s Privacy Policy and gives his/her consent to the processing of his/her personal data for marketing purposes. The data subject shall have the rights set out in the Data Protection Notice and shall be able to exercise those rights in the manner and at the places indicated therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter is the explicit and written informed consent of the subscriber (Article 6(1)(a) of the General Data Protection Regulation).
- The data controller also operates social networking sites to present its activities and services for marketing purposes. Here, too, the data of the followers of the pages are processed. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
- The purpose of data processing in the course of complaint handling in relation to the activities of the data controller is to enable the communication of the complaint, to identify the data subject and his/her complaint, to record the data required by law to be recorded, to investigate the complaint and to maintain contact in connection with its resolution.
In case of a complaint, the processing of the complaint and thus of personal data is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for processing personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
The Data Controller shall keep a record of the processing described above. The register shall also include the time limits for the deletion of personal data. The register is annexed to this Privacy Notice.
- Processors connected to the controller:
Where the processing is carried out on behalf of the controller, the controller may only use processors that offer adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects.
The Data Controller hereby declares that in the course of its work, it will only deal with data processors that have adequate guarantees of compliance with the GDPR Regulation and that they implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects. The relevant declarations of the data processors are available to you.
By reading and acknowledging this Privacy Notice, data subjects accept that the controller transfers their personal data to the processors and joint controllers listed below.
- The data processor is the accounting firm employed by the data controller:
- Szalai Ildikó EV
- Cím: 9797 NÁRAI, TULIPÁN UTCA 2
- szalaiesszalai@gmail.com
- The data controller’s partner for issuing invoices:
- KBOSS.hu Kft.
- 1031 Budapest, Záhony u. 7.
- info@szamlazz.hu
- The company that hosts the website of the data controller is also a data processor:
- Rackhost Zrt.
- 6722 Szeged, Tisza Lajos körút 41
- info@rackhost.hu
- The server of the controller’s mail system is also a data processor:
- Rackhost Zrt.
- 6722 Szeged, Tisza Lajos körút 41
- info@rackhost.hu
- Additional data processor in connection with the sending of the newsletter:
- Mailerlite
- When storing data in a cloud-based online database, the service provider is considered a data processor:
- Google Ireland Limited
- Gordon House, Barrow Street, Dublin 4, Írország
- Data processor due to the use of the Google Analytics service on the controller’s website:
- Google Ireland Limited
- Gordon House, Barrow Street, Dublin 4, Írország
- A data processing and joint data controller partner due to the use of social networking sites and social plug-ins built into the website:
- Facebook Ireland Ltd.
- 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Írország
- Pinterest Europe Ltd.
- Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Írország
- Cooperating subcontractors involved in the processing of personal data provided by the controller’s customers:
- ………………………………………
- ………………………………………
- ………………………………………
- The data controller also transfers personal data of its customers to the National Tax and Customs Administration.
The contracted data processing and data management partners will process the personal data of partners only on the basis of instructions given by the data controller (except where required by law) and under an obligation of confidentiality.
- Processing of data relating to contracts concluded by the controller:
Customer contracts:
The contractual partners of the controller may be both individuals and legal persons. The conclusion of a contract is preceded by a request for a proposal, by telephone, e-mail, a message on the social networking site or by using the contact form on the website (www.edinapasti.hu). The applicant provides his/her name, telephone number and e-mail address to which the controller sends his/her offer. If the offer is rejected, the personal data of the interested party will be deleted without delay and at the latest within 3 working days. The legal basis for the processing of personal data is the establishment of a contract (Article 6(1)(b) of the General Data Protection Regulation). If the data subject orders the offered service, a contract is concluded. When the contracts are concluded, the controller will have access to additional personal data of individuals (partners and contacts). The legal basis for the processing is the performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), and in the case of a contact person of a legal person, the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The controller issues an invoice for the services provided. The invoice shall contain the name, address and, where applicable, the tax number of the data subject. The issuing of the invoice is a legal obligation of the controller. The legal basis for the processing of personal data on the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). With regard to the storage of personal data on the invoice, the controller shall act in accordance with the provisions of Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and on Small Business Tax and shall store them for a period of 5 years.
Personal data processing of clients’ customers, employees:
In the course of the virtual assistant’s activities, the data controller may become aware of the personal data of employees, partners and customers of the principals. In this respect, the data controller is a data processor, as it processes personal data for the purposes specified by the principal (as data controller). The data controller shall in any case conclude a so-called data processing contract with the principal, in which it declares that it will fully comply with Regulation (EU) 2016/679 of the European Parliament and of the Council and will not process the personal data of the principal and its partners for purposes other than those documented in the contract of engagement with the principal, unless such processing is required by the applicable legislation in force. The controller shall take reasonable steps to ensure the confidentiality of any person who may have access to the principal’s personal data and shall ensure that such access is limited to those persons who have a strictly necessary need to know or have access to the principal’s personal data for the purposes of the mandate. The controller shall sign an appropriate confidentiality agreement with each such person. The controller shall keep business secrets disclosed to it in the course of its activities and essential information concerning the principal and its clients and their operations. The data, procedures, methods, documents, records or other information relating to the principal and clients shall be used by the controller only for the performance of its tasks and shall not be disclosed to unauthorised persons or organisations, nor shall they be disclosed to third parties or otherwise misused. Information, documents and analyses provided by the principal shall be treated confidentially and shall not be made available to third parties. If the contractual relationship with the principal is terminated, the controller shall hand over all documents to the principal.
Supplier contracts:
The data controller may also process the contact details of suppliers (name, e-mail address, telephone number) and may also contact service providers and subcontractors. In these cases, personal data (personal data of the contact person or of the individual or sole trader) may also be processed in order to contact partners. The legal basis for the processing of personal data is the performance of a contractual obligation (Article 6(1)(b) GDPR) or the consent of the contact person (Article 6(1)(a) GDPR).
The data controller will fill in a consent form with the contact persons of the companies, informing them of their rights in relation to personal data and asking for their consent to process their data. In such cases, the legal basis for the processing of personal data is the explicit, written and duly informed consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). If the contract with the partner has been terminated and the legal obligation to keep data and documents no longer applies, the telephone numbers and e-mail addresses will be deleted. The personal data contained in the contract and the invoice shall be stored by the controller for a period of 5 years, in compliance with the retention obligation laid down in Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and on Small Business Tax.
- Processing of invoices issued to customers and the personal data contained therein:
The data controller issues an invoice for the services provided. The invoice shall contain the name, address and, where applicable, the tax number of the data subject. The issuing of the invoice is a legal obligation of the controller. The legal basis for processing the personal data on the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The personal data recorded in this way are stored by the controller for a period of 5 years in accordance with the retention obligation laid down in Act CXLVII of 2012 on the Itemised Tax on Small Taxable Enterprises and on Small Business Tax.
- Children’s data, processing of special categories of personal data:
The data controller intends to provide its services to persons over the age of 18.
The data subject declares on the website of the data controller that he or she is over 16 years of age in relation to the subscription to the newsletter and the consent to the functioning of the cookies used by the website. A person under 16 years of age may not subscribe to the newsletter in this way and may not consent to the collection of data by the cookies used by the website, given that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of his/her declaration of consent to the processing of personal data requires the consent of his/her legal representative. The controller is not in a position to verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided is accurate.
Special data brought to the attention of the controller or which have come to the attention of the controller shall not be recorded by the controller. If such data has been entered into any of the controller’s systems without the controller’s knowledge, the controller shall delete it from the system immediately upon its detection.
- Procedure for the retention of e-mail addresses, telephone numbers:
In the course of its activities, the data controller also obtains the e-mail addresses and telephone numbers of its partners, clients and customers. The personal data thus entered into its system is processed primarily for the purpose of fulfilling its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation). If the contract with the partner has been terminated and the legal obligation to keep the data and documents no longer applies, the telephone numbers and e-mail addresses will be deleted. In some cases, the data controller will still have a legitimate interest in retaining the data and will request the explicit and written consent of the data subject to the retention of his or her personal data (Article 6(1)(a) of the General Data Protection Regulation).
- Processing of applications and CVs received by the data controller:
Natural persons applying to the controller may submit a CV to the company. If the CV is submitted because the controller is looking for an employee and has advertised the job, the CV may only be used in relation to that job.
If the candidate does not meet the conditions for the vacancy and another candidate is selected, the CV will be immediately destroyed. The controller may only retain the application on the basis of the explicit, unambiguous and voluntary consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation), provided that its retention is necessary for the purposes of the processing.
The data controller does not post “anonymous” job advertisements (job advertisements in which the employer does not disclose its name, so that at the time of sending the job application, applicants may not be aware of the employer to which they are applying for the job), as this is contrary to the requirement of prior information about the identity of the data controller. In any case, the controller shall inform the data subjects of his identity when advertising a job.
If the applicant has voluntarily sent a CV to the controller without an advertisement, he/she declares whether he/she consents to the controller’s processing of his/her personal data. Submitting a CV does not imply that the data subject consents to the controller keeping his/her application file. It is also important to note that the controller may use the CV only in relation to vacancies indicated by the job applicant. As a general rule, CVs will be kept for 3 months, unless the data subject specifies a longer period in his/her consent.
The data controller will only check and obtain information from the applicant’s profile page on the social networking site when assessing the job application if it has informed the data subjects beforehand. Even in such cases, only public data are consulted and only information that is relevant to the job application or the job is taken into account in the selection process. Under no circumstances will the job applicant’s profile page be saved or stored and transmitted to third parties.
If the data subject is not selected for the job in question, the controller will inform him or her of this and of the reasons for the refusal.
- The website of the data controller:
The controller presents its activities mainly on its website (www.edinapasti.hu). The website informs visitors about the contact details and services of the controller.
The controller uses cookies in the operation of its website. The legal basis for the processing of personal data obtained from them is the consent of the visitor (Article 6(1)(a) of the General Data Protection Regulation).
The www.edinapasti.hu website uses the following cookies:
- _fbp
- Duration: 2 Month
- típus: ……………………..
- _ga
- Duration: 2 Month
- típus: ……………………..
- _ga_B7NRV2G605
- Duration: 2 Month
- típus: ……………………..
- cookie_notice_accepted
- Duration: 2 Month
- típus: ……………………..
Cookies (cookies):
What cookies do:
- collect information about visitors and their devices;
- remember visitors’ individual preferences, which are (are) used;
- make the website easier to use;
- provide a quality user experience.
In order to provide a personalised service, a small piece of data called a cookie is placed on the user’s computer and read back during a subsequent visit. When the browser returns a previously saved cookie, the cookie provider has the possibility to link the user’s current visit to previous visits, but only in relation to its own content.
Session cookies are strictly necessary:
The purpose of these cookies is to allow visitors to browse the website, use its features and services fully and smoothly. This type of cookie is valid until the end of the session (browsing) and is automatically deleted from the computer or other browsing device when the browser is closed.
The data subject’s choice about the cookie:
Web browser cookies:
In the browser settings, the data subject can accept or reject new cookies and delete existing cookies. You can also set your browser to notify you each time a new cookie is placed on your computer or other device. You can find more information on how to manage cookies in the “help” function of your browser.
If the visitor chooses to disable some or all cookies, he or she will not be able to use all the features of the website.
Third party cookies (analytics, statistics, marketing):
Google Analytics:
The website of the data controller also uses Google Analytics as a third party cookie. By using Google Analytics, a web analytics service for statistical purposes, the controller collects information about how visitors use the website. The data is used to improve the website and the user experience. These cookies will also remain on the visitor’s computer or other browsing device, their browser until they expire or until they are deleted by the visitor.
When websites or apps use Google Analytics in combination with other Google advertising products, such as Google Ads, they may also collect other advertising identifiers. Users can turn off this service or change their cookie settings in their Ad Settings.
Google Analytics collects users’ IP addresses in order to protect the security of the service and to allow website owners to get a picture of which country, state or city their visitors are coming from (also known as “IP geolocation”). Google Analytics offers the possibility to mask the collected IP addresses, but website owners can still see users’ IP addresses even if they do not use Google Analytics.
In the context of Google Analytics, the IP address transmitted by the visitor’s browser is not merged with other Google data. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.
In addition, the visitor can prevent the collection of data (including his IP address) generated by cookies and relating to the use of the website by the visitor and the processing of this data by Google by downloading and installing the browser plug-in under the link below.
The current link is http://www.google.com/policies/privacy/ads/.
Google acts as a data processor for Google Analytics and therefore as the data controller.
Under the provisions of the General Data Protection Regulation (GDPR), Google Analytics is the data processor because Google Analytics collects and processes data on behalf of its clients (such as the data controller), under the instructions of those clients. Google may only use the data in accordance with the terms of the contracts with Google Analytics customers and the settings provided by the customers in the interface of its products.
Google Analytics collects internal cookies, device/browser information, IP addresses and website/app activity. This data is collected so that it can be used to measure and statistically report on the actions taken by users on websites and/or applications that use Google Analytics. Customers can customize the cookies and the scope of data collected through features such as Cookie Settings, User ID, Import Data and Measurement Protocol.
For customers using the SDK for Google Analytics applications, Google collects an application instance identifier. This is a number generated randomly by the system when a user installs an application for the first time.
Google Analytics uses IP addresses to determine the geographical location of visitors and to protect the service and its customers. Clients can enable a feature called IP masking, which allows Google Analytics to use only a subset of the IP address instead of the entire IP address collected. In addition, customers can also override IP addresses on demand using the IP override feature.
Google uses the data processed in Google Analytics to provide the Google Analytics measurement service to its customers. It uses identifiers, such as cookies and application instance identifiers, to measure what actions users take on customers’ websites and/or applications. It uses IP addresses to keep the service secure and to give website owners an overview of where their users come from around the world.
Use of social plug-ins:
The controller’s website also uses embedded content from social networking sites. In these cases, the processing is carried out jointly with the operator of the social networking site. The legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation), which he or she gives by accepting the information on the collection of data on cookies and by consenting to the collection of data.
Facebook-Pixel (Facebook-Cookie):
A Facebook pixel is a code that allows the website to report conversions, create audiences and provide the site owner with detailed analytics on how visitors use the site. The Facebook pixel is used to display personalised offers and ads to website visitors on the Facebook interface. The Facebook pixel is used by the website of the data controller. The legal basis for the processing is the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation), which he or she gives by accepting the information on the collection of data on cookies and by consenting to the collection of data.
On the website of the controller, the data subject declares that he or she has reached the age of 16 years in relation to the acceptance of the use of cookies. A person under the age of 16 may not make a declaration of acceptance or refusal of the cookies used by the website, given that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of his/her declaration of consent to the processing requires the consent of his/her legal representative. The controller is not in a position to verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided are accurate.
Processing of personal data when using the contact form:
On the website, the visitor of the site has the possibility to contact the data controller by means of a contact form. In the form, the name and e-mail address of the interested party must be provided. The purpose of processing personal data is to contact the site visitor and the person interested in the services of the controller. If, after the contact, the service is not ordered, the personal data of the interested party will be deleted immediately, but within 3 working days at the latest. The controller processes the personal data for the purposes of the contract and on this legal basis (Article 6(1)(b) of the General Data Protection Regulation). By filling in the form, the data subject declares that he or she has read and accepted the Controller’s Privacy Notice.
Personal data processing in relation to the “Reviews” on the website:
The website contains the views of some former customers on the services provided by the data controller. The reviews include full name, company name, occupation and a photo. The full name, image (or other personal data) and opinion of the reviewer will only be displayed on the website if the reviewer has given his or her written informed consent (Article 6(1)(a) of the General Data Protection Regulation). The controller will process the personal data until the data subject’s consent is withdrawn.
- Subscribe to the newsletter:
The data controller also offers the possibility to subscribe to a newsletter. By subscribing to the newsletter, the data subject declares that he or she has read the Data Controller’s Privacy Policy and that he or she gives his or her consent to the processing of his or her personal data for marketing purposes (sending the newsletter). The data subject shall have the rights set out in the Data Protection Notice and shall be able to exercise those rights in the manner and at the places indicated therein. Accordingly, the legal basis for the processing of personal data in the course of sending the newsletter is the explicit and written consent of the subscriber (Article 6(1)(a) of the General Data Protection Regulation).
The purpose of data processing in connection with the sending of newsletters is to provide the recipient with complete general or personalized information about the latest news and news items published by the controller, in accordance with the applicable and valid legislation. The subscription to the newsletter and/or the sending of the newsletter for DM purposes is based on voluntary consent, the controller will of course give the data subject the opportunity to withdraw his or her consent and unsubscribe from the newsletter at any time.
The data subject declares on the website that he or she is over 16 years of age when subscribing to the newsletter. A person under the age of 16 may not subscribe to the newsletter in this way, given that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of his/her declaration of consent to data processing requires the consent of his/her legal representative. The controller is not in a position to verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided are accurate.
- Social networking sites of the controller:
The data controller also operates a Facebook page, where personal data are also processed. The data controller also promotes its activities and services on Facebook. This page is used by the controller for marketing purposes.
The controller also provides comprehensive personal support through Facebook. If you ask a question via Facebook, we will try to answer it as soon as possible. You will use the data you receive on Facebook only to answer your question and not for any other promotional purposes.
The purpose of using the Facebook page is to advertise and provide information on social media. Facebook may also use the data for its own purposes, including profiling and targeting the data subject with advertising.
In order to contact the controller via Facebook, you must be logged in. To do this, Facebook may also request, store and process personal data. The controller has no control over the type, scope and processing of this data and does not receive personal data from the Facebook operator. For more information on this, please visit the Facebook page.
The personal data of Facebook page followers are processed by the data controller on the basis of their consent (Article 6 (1) (a) of the General Data Protection Regulation), which is deemed to be given by the fact that the person concerned likes, follows or comments on the page and its posts.
The data controller is also present on the Instagram social networking site with the following profile:
Personal data of followers are processed on the Instagram page. The processing is based on the consent given by the follower (Article 6(1)(a) of the General Data Protection Regulation).
Other community pages of the controller where the legal basis for processing is also the data subject’s consent (Article 6(1)(a) of the General Data Protection Regulation):
……………………………………………………….
- Personal data processing in the use of cloud-based applications:
The data controller mainly uses cloud-based services for storing, backing up and sharing documents. A common feature of such services is that they are not provided by the user’s computer, but by a remote server, a server centre located anywhere in the world. Such services are also provided by online hosting. A major advantage of cloud applications is that they provide a highly secure, flexible and scalable IT storage and processing capacity, essentially independent of geographical location.
In these cases, the cloud service provider can be considered as a data processor, processing the personal data on behalf of the data controller. Cloud service providers are obliged to keep personal data confidential and may only process personal data on the instructions of the controller.
The data controller selects its cloud service partners with the utmost care, takes all measures that are generally expected to ensure that the contract with them is based on the data security interests of its clients and customers, that their data management principles are transparent to them and that data security is regularly monitored.
Cloud storage is password protected and only the data controller has access to the data stored there.
The data controller’s partners expressly consent to the transfer of data necessary for the use of cloud-based applications by accepting this Privacy Notice. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation).
- Complaints handling regarding the controller’s activities:
The purpose of data management in the course of complaint handling in relation to the activities of the data controller is to enable the communication of the complaint, to identify the data subject and his/her complaint, to record the data required by law to be recorded, to investigate the complaint and to maintain contact in connection with its resolution.
In case of a complaint, the processing of the complaint and thus of personal data is mandatory under Act CLV of 1997 on Consumer Protection. The legal basis for processing personal data is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation).
The data controller will keep the record of the complaint and a copy of the response for 5 years, and will also process the personal data on that basis for that period.
- Security of data processing:
The data controller undertakes to ensure the security of the data, to take technical and organisational measures and to maintain procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require any third party to whom it transfers or discloses the data to comply with the requirements of data security.
The controller shall ensure that the data processed cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The data processed may only be accessed by the data controller and its data processor(s) and shall not be disclosed to third parties not entitled to access the data.
The data controller takes great care to ensure the security of the personal data of its partners, clients and customers. It acts in full compliance with the legal provisions and requires all its partners to do the same. Personal data protection includes physical data protection (storage of documents in a lockable room protected by an alarm) and IT protection (firewall, password protection).
The controller shall store the personal data provided by the data subject primarily on the servers of the data processor(s) specified in this Privacy Notice, equipped with the usual protection systems, and partly on its own IT equipment, or, in the case of paper media, at its headquarters, in an appropriately locked manner.
The data subjects acknowledge and accept that, if they provide their personal data, the data protection cannot be fully guaranteed on the Internet and in the computer system. In the event of unauthorised access or disclosure, despite the efforts of the controller, it is necessary to proceed as described in this notice.
- Rights of data subjects:
- Transparent information:
The purpose of this Privacy Notice is also to provide clear, concise, transparent and understandable information about the processing activities of the controller.
- Right of access:
The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information:
- az adatkezelés célja,
- az érintett személyes adatok kategóriái,
- azon címzettek, akikkel a személyes adatokat közölték,
- Right to rectification:
The data subject shall have the right to obtain from the controller, at his or her request, the rectification of inaccurate personal data relating to him or her.
- Right to erasure:
The data subject shall have the right to obtain, at his or her request, the erasure of personal data relating to him or her. The controller shall, on the basis of such a request, erase the personal data if one of the following grounds applies:
- a személyes adatokra már nincs szükség abból a célból, amelyből azokat gyűjtötték,
- az érintett visszavonja korábban adott hozzájárulását és az adatkezelésnek nincs más jogalapja,
- az érintett tiltakozik az adatkezelés ellen és nincs elsőbbséget élvező jogszerű ok az adatkezelésre,
- a személyes adatokat jogellenesen kezelték,
- Right to restriction of processing:
The data subject has the right to request the controller to restrict processing, in particular if:
- disputes the accuracy of the data,
The controller hereby informs you that it will respond to your request within 30 days. Information requests sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to data portability:
The data subject has the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format and the right to transmit such data to another controller.
The controller hereby informs you that it will respond to your request within 30 days. Information requests sent by post will be answered by post, requests sent by e-mail will be answered by e-mail.
- Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data, as provided for in Article 21 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Az adatkezelő ezúton tájékoztatja Önt, hogy megkeresésére 30 napon belül válaszol. A postai úton küldött tájékoztatási kérelmekre postai úton, az e-mailen küldött kérelmekre, e-mail útján válaszol az érintetteknek.
- Right of the data subject in the event of automated decision-making:
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her. Automated decision-making is any process or methodology whereby a technical automatism evaluates personal aspects relating to the data subject and which produces legal effects concerning him or her or significantly affects him or her. The controller shall not use IT automated mechanisms, including profiling, which produce legal effects concerning the rights of the data subject.
- Data protection incident:
A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In the event of a data breach, the level of data breach must be at a serious risk level, i.e. the breach must be of a degree that personal data:
- megsemmisülésével,
- elvesztésével,
- megváltoztatásával,
- jogosulatlan közlésével vagy
- jogosulatlan hozzáférésével jár együtt.
An incident is considered to occur if any one of the above occurs, but this does not exclude that more than one of the above may occur at the same time. This includes not only intentional malicious conduct but also negligent injuries. An incident therefore occurs when it is caused by an accidental or unlawful act.
Examples of data breaches include:
- személyes adatok dokumentumon, hordozható eszközön, adathordozón vagy informatikai rendszeren (pl. levelezéssel) történő illegális továbbítása,
- illetéktelen hozzáférések személyes adatokat kezelő informatikai rendszerhez vagy alkalmazáshoz,
- személyes adatokat tartalmazó adatbázis részének vagy egészének sérülése, vagy elvesztése,
A data breach may cause physical, pecuniary or non-pecuniary damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft, if not addressed in an appropriate and timely manner, or misuse of identity, financial loss, unauthorised impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantages suffered by the natural persons concerned.
In the event of a potential data breach (unless the data breach is unlikely to pose a risk to the rights and freedoms of natural persons), the controller shall immediately notify the National Authority for Data Protection and Freedom of Information. As soon as the controller becomes aware of the incident, it shall notify it without undue delay and, if possible, no later than 72 hours after becoming aware of the personal data breach. If the notification cannot be made within 72 hours, the notification shall state the reason for the delay and provide the required information in detail without further undue delay.
The National Authority for Data Protection and Freedom of Information operates a dedicated system on its website for the notification of data breaches, through which notifications can be made electronically.
The data controller shall keep a record of the data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. The controller shall keep records of the data relating to the incidents, including the causes, the events and the personal data involved. In addition, the record should also include the effects and consequences of the incidents and the measures taken to remedy them, and the conclusions of the controller (for example, why it thinks the incident is not reportable, or if the notification is delayed, the reason for the delay).
An incident that is unlikely to pose a risk to the rights and freedoms of natural persons does not need to be notified to the supervisory authority.
If the data breach is likely to result in a high risk to the rights and freedoms of the data controller’s partners, clients, customers, we will inform the partner concerned without delay. The information provided to the data subject shall clearly and plainly describe the nature of the personal data breach and shall include the most relevant information and measures.
The data subject need not be informed as described above if any of the following conditions are met:
- az adatkezelő megfelelő technikai és szervezési védelmi intézkedéseket hajtott végre és ezeket az intézkedéseket az adatvédelmi incidens által érintett adatok tekintetében alkalmazták, különösen azokat az intézkedéseket, amelyek a személyes adatokhoz való hozzáférésre fel nem jogosított személyek számára értelmezhetetlenné teszik az adatokat;
- az adatkezelő az adatvédelmi incidenst követően olyan további intézkedéseket tett, amelyek biztosítják, hogy az érintett jogaira és szabadságaira jelentett magas kockázat a továbbiakban valószínűsíthetően nem valósul meg;
- Information on the main relevant legislation:
- 2011. évi CXII. törvény – az információs önrendelkezési jogról és az információ-szabadságról (Info. tv.);
- Az Európai Parlament és a Tanács (EU) 2016/679 rendelete (2016. április 27.) – a természetes személyeknek a személyes adatok kezelése tekintetében történő védelméről és az ilyen adatok szabad áramlásáról, valamint a 95/46/EK rendelet hatályon kívül helyezéséről (általános adatvédelmi rendelet, GDPR);
- 2013. évi V. törvény – a Polgári Törvénykönyvről (Ptk.);
- Right to apply to the courts:
The data subject may take the controller to court if his or her rights are infringed. The court shall rule on the case out of turn.
- Data Protection Authority procedure:
You can lodge a complaint with the National Authority for Data Protection and Freedom of Information:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Headquarters: 1055 Budapest, Falk Miksa u. 9-11.
Address for correspondence: 1363 Budapest, Pf. 9.
Phone: 0613911400
Fax: 0613911410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
- Other:
The data controller shall provide information on data processing not listed in this notice at the time of recording the data. In such cases, the provisions of the applicable legislation shall prevail.
The data controller hereby informs its customers that the court, the prosecutor, the investigating authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary, or other bodies authorized by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents. The controller shall disclose to the authorities – if the authority has indicated the precise purpose and scope of the data – personal data only to the extent and to the extent strictly necessary for the purpose of the request.
The website of the Data Protection Authority contains further information on the data protection rights referred to in this Privacy Notice.
Szombathely, 2021. 01.01
Pásti Edina