DATA PROCESSING REGULATION
ENSURING LAWFUL DATA PROCESSING
- Data processing based on data subject’s consent
(1) In case the Company intends to carry out data processing based on consent, the data subject’s consent to the processing of his/her personal data shall be requested by means of a data request form, providing content and information as presented in Annex 1.
(2) Consent shall also be deemed to be given if the data subject ticks a box when browsing the Company’s website, makes the relevant technical settings when using specific services of the information society, or makes any other statement or takes any other action which, in the relevant context, the data subject clearly indicates his/her consent to the intended processing of their personal data. Therefore, silence, ticking a box in advance or inaction shall not be considered as consent.
(3) Consent covers all processing activities carried out for the same purpose or purposes. If the data processing serves several purposes at the same time, consent must be given for each purpose for which the data are processed.
(4) In case the data subject gives his/her consent in a written declaration which relates to other matters, such as the conclusion of a sales, service agreement, the request for consent must be presented in a way that it is clearly distinct from these other matters, in a clear and easily accessible form, using clear and plain language. Any part of a statement containing data subject’s consent which is in breach of the Regulation shall not be binding.
(5) The Company may not make the conclusion or performance of a contract conditional on the granting of consent to the processing of personal data which are not necessary for the performance of the contract.
(6) Withdrawal of consent shall be possible in the same, simple way as giving consent.
(7) If the personal data have been collected with the consent of the data subject, the person carrying out the data processing may process the collected data for the purposes of complying with the relevant legal obligation to which the data subject is subject, unless otherwise provided by law, without further specific consent and even after the withdrawal of the data subject’s consent.
- Data processing based on the performance of a legal obligation
(1) In the case of data processing based on a legal obligation, the scope of the data to be processed, the purpose of the processing, the data storage period and the recipients are subject to the provisions of the relevant statute.
(2) Data processing based on the ground of the performance of a legal obligation shall not dependent of the data subject’s consent, as data processing is governed by law. In this case, the data subject must be informed before the processing starts that the processing is mandatory, furthermore, the data subject must be given clear and detailed information about all the facts relating to the processing of his/ her data, in particular the purposes and legal basis of the processing, the person entitled to handle and process the data, the duration of the processing, if the data processor processes the data subject’s personal data on the ground of a legal obligation, and he/she shall also be informed about who may access their personal data. The information should also cover the rights and remedies that the data subject may exercise in relation to the processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the aforementioned information.
- The Company’s Information Notice on Data Processing
(1) The Company’s General Information Notice on Data Processing is set out in Annex 2.
(2) The Company shall ensure that data subjects may exercise their rights in all data processing processes.
DATA PROCESSING IN RELATION WITH CONTRACTS
- Processing data of contracting parties – customer, supplier registries
(1) With respect to the legal title of performing a contract, the Company shall process the name, name at birth, date of birth, mother’s name, address, tax identification number, the self-employed person’s, primary producer’s identity card number, address, address of registered office, address of premises, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (customer, supplier list, frequent buyer lists).of the natural person entering into a contract with the Company as a buyer or supplier for the purpose of the conclusion, performance, termination of a contract or granting of a contractual discount. The data processing is considered to be lawful in case it is carried out in order to take steps as requested by the data subject prior to the conclusion of the contract. Recipients of personal data: employees of the Company performing customer service tasks, employees performing accounting and tax related tasks and data processing. Storage period of personal data: 5 years after termination of the contract.
(2) Before the data processing starts, the natural person concerned must be informed that the processing is based on the performance of a contract, and this may be stated in the contract, as well. The data subject shall be informed of the transfer of his/her personal data to a person processing the data. The text of the data processing clause relating to the contract made with the natural person is set out in Annex 6 to the present Regulation.
15.§ Contact details of natural persons acting as representatives of customers, buyers, suppliers that are legal persons
(1) The scope of the personal data that may be processed: name, address, telephone number, e-mail address, online identifier of the natural person.
(2) Purpose of the processing of personal data: performance of a contract made with a partner of the Company that is a legal entity, business relations, legal basis of data procesing: data subject’s consent.
Recipients or categories of recipients of personal data: employees of the Company performing customer service related tasks.
(4) Storage period of personal data: 5 years following the end of the business relationship or the data subject’s capacity as a representative.
(5) A model for the data record sheet is set out in Annex 7 to this Regulation. This statement must be presented to the person concerned by the employee who is in contact with the customer, buyer or supplier and the employee must sign the statement to obtain consent to the processing of the personal data of the person concerned. The declaration must be kept for the duration of the data processing.
§ Processing visitors’ data on the Company’s website – Information about the use of cookies
(1) A cookie is a piece of data that the visited website sends to the visitor’s browser (in the form of a variable name value) so that browser can store it and later load its content on the same website.
(2) Data may be stored or accessed on a user’s electronic communications terminal equipment solely on the basis of the clear and full consent of the user concerned, including the purposes for which the data are stored, and solely after consent was granted by user (item 4 of section 155 of Act C of the year 2003). On this basis of the above, a brief summary of the use of cookies should be provided to the visitor on the Company’s website upon the first visit, and a link should also be provided to give access to all the information (Information Notice on Data Processing – Annex 2). By means of this information, the Company ensures that the visitor of the website can find out, at any time before and during the use of the information society services of the website, which types of data are processed by the Company and for which data processing purposes, including the processing of data that cannot be related directly to the user.
(3) Pursuant to item (3) of section 13/A of Act CVIII of 2001 (referred to as ’Elkertv.’) on certain aspects of electronic commerce services and information society services, the service provider may process personal data that are technically indispensable for the provision of the service.
The provider must, provided other conditions are not altered, choose and in any case operate the means used for providing the information society service in such a way that personal data are processed only to the extent which is strictly necessary for providing the service and for the fulfilment of the other purposes laid down in this Act, but even in such a case solely to the necessary extent and for the necessary duration.
§ Registering on the Company’s website
- The natural person registering on the website can give his/her consent to the processing of his/her personal data by ticking the relevant box. It is forbidden to tick the box in advance.
- The scope of the personal data processed: the name (first name, surname), address, telephone number, e-mail address, online identifier, billing name, mailing name and address of the natural person.
(3) Purpose of handling the personal data:
- Performance of the services provided on the website.
- Contact by electronic, telephone, SMS, and postal means.
- Information on the Company’s products, services, terms and conditions, promotions.
- Promotional mailings may be sent electronically and by post.
- Analysis of the use of the website.
(4) The legal basis for data processing is the data subject’s consent.
(5) Recipients and categories of recipients of personal data: employees of the Company performing tasks related to customer service and marketing activities, employees of the Company’s IT service provider providing hosting services, acting as data processors.
(6) Storage period of personal data: as long as the registration/service is active or until the data subject’s consent is withdrawn (request for erasure).
§ Data processing related to the newsletter service
(1) The natural person who registers for the newsletter service on the website can give his/her consent to the processing of his/her personal data by ticking the relevant box. It is forbidden to tick the box in advance. Upon subscription a link to the Information Notice on Data Processing (Annex 2) must be made available. The data subject may unsubscribe from the newsletter at any time by using the “Unsubscribe” application or by making a written or e-mail declaration, which shall constitute a withdrawal of consent. In such a case, all data of the user who requests to unsubscribe shall be deleted immediately.
(2) The scope of personal data that may be processed: the name of the natural person (surname, first name), e-mail address.
(3) Purpose of the processing of personal data:
- Sending newsletters about the Company’s products and services
- Sending promotional material
(4) Legal basis for data processing: data subject’s consent.
(5) Recipients and categories of recipients of personal data: employees of the Company performing tasks related to customer service and marketing activities, employees of the Company’s IT service provider who work as data processors in order to provide hosting services.
(6) Storage period of personal data: until the newsletter service is maintained or until withdrawal of data subject’s consent (request for deletion).
§ Data processing in the Company’s webshop
(1) Pursuant to item (3) of section 13/A of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services and the government decree 45/2014. (II.26.) on the detailed rules regulating the contracts concluded between the consumer and the enterprise, a purchase in the webshop operated by the Company constitutes a contract. In the case of a purchase in a webshop, the contract constitutes the legal basis for the data processing.
(2) In accordance with item (1) of section 13/A of Act CVIII of 2001, for the purposes of creating, defining the content of, amending, monitoring the performance of, invoicing the fees arising from, and enforcing claims related to the service contract concluded for services falling within the category of information society service, the Company may process the personal identification data of natural persons acting as a customer who registers in the webshop. For title of consent, the Company may also process the telephone number, e-mail address, bank account number, online identifier of the customer registering in the webshop.
(3) Pursuant to item (2) of section 13/A of Act CVIII of 2001, for the purpose of invoicing and in relation with the use of information society services, the Company may process the personal identification data of natural persons, the address, delivery address, as well as the data with respect to the date, the duration and the location of the use of the service.
(4) Recipients and categories of recipients of personal data: employees of the Company performing tasks related to customer service, payment, transportation, marketing activities; employees of the Company’s subcontractors performing tax related and accounting services for the purpose of fulfilling tax and accounting obligations, acting as data processors, employees of the Company’s IT service provider in order to provide hosting services; employees of the courier service with respect to delivery data (name, address, telephone number).
(5) Duration of personal data processing: until the registration/service is maintained or until withdrawal of the data subject’s consent (request for deletion), in case of purchase, until the end of a term of 6 years following the year of purchase.
(6) In case of shopping in the online shop, the Data Processing Notice (Annex 1) must be available via a link.
§ Data processing for direct marketing purposes
(1) Unless otherwise provided by a separate law, advertising may be communicated to a natural person as the recipient of the advertising by means of direct solicitation, in particular by electronic mail or other equivalent means of individual communication, except for cases stipulated by Act XLVIII of 2008, solely if the recipient of the advertising has given his/her prior, clear and express consent.
(2) The scope of personal data that the Company may process for the purpose of advertising recipient enquiries: the name, address, telephone number, e-mail address, online identifier of the natural person.
(3) The purpose of the processing of personal data is to carry out direct marketing activities related to the Company’s activities, i.e. sending advertising brochures, newsletters, offers in printed (postal) or electronic form (e-mail) on a regular basis or intermittently, to the contact details specified at the time of registration.
(4) Legal basis for data processing: consent by data subject.
(5) Recipients or categories of recipients of personal data: employees of the Company performing customer service tasks, employees of the Company’s IT service provider performing server services, acting as data processors, employees of the Postal Service in case of mail delivery.
(6) Personal data storage period: until withdrawal of consent.
(7) For granting consent to data processing for direct marketing purposes, use the data request form in Annex 2 to the present Regulation.