1 GENERAL SECTION
1.1 Data of Controller
Name: Shopguard Kereskedelmi Kft.
Short name: Shopguard Kft.
Headquarters: 1037 Budapest, Szépvölgyi út 41.
Company Registration Number: Cg. 01-09-364727
Name of the court of registration: Court of Registration of the Metropolitan Court Budapest
VAT number: 10975394-2-41
Phone number: + 36-1-250-2590
1.2 Legislative background
a) REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the Regulation or GDPR),
b) Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Hungarian Data Protection law) (hereinafter: Info tv.),
and any such legal regulations as contain obligatorily applicable data processing provisions.
When applying this Policy, the following terms shall be understood in accordance with the definitions set out below.
a. ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter: ‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
b. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
c. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
d. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
e. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
f. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
g. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
h. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller or another Controller;
i. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
j. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
k. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
l. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
m. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
n. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
o. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
p. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
q. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to the provisions of the Regulation; in Hungary, the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NAIH);
r. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
ra) the controller or processor is established on the territory of the Member State of that supervisory authority;
rb) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
rc) a complaint has been lodged with that supervisory authority;
s. ‘cross-border processing of personal data’ means:
sa) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
sb) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
2 PRINCIPLES OF DATA PROCESSING
The Controller shall proceed in good faith and in accordance with the requirements of integrity, in cooperation with the Data Subjects. The Controller shall exercise its rights and shall fulfil its obligations in accordance with the intended purpose of such.
The data processing must be performed in a manner which is transparent for the Data Subjects; thus, it must be clear for them how their personal data is collected, processed, used and accessed.
In the course of data processing personal data shall retain its nature as such for as long as its link to the Data Subject can be re-established. The link to the Data Subject shall be re-established if the Controller possesses the technical conditions required for such re-establishment.
In the course of data processing, the Controller shall ensure the accuracy and completeness of the data and – if necessary for the purpose of the data processing – that it is up-to-date, and that the Data Subject can only be identified for the time necessary for the purpose of the data processing.
The Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
3 PURPOSE OF THE DATA PROCESSING
The Controller shall only process personal data for a specified purpose, in the interests of exercising a right or fulfilling an obligation. The data processing shall, in all its phases, comply with the purpose of the data processing. The data must be recorded and processed in a fair and lawful manner. The Controller shall ensure that only such personal data is processed that is indispensable for realising the purpose of the data processing, and that is suitable for achieving this purpose. The personal data may only be processed to the extent and for the period of time required for the realisation of such purpose.
4 LEGAL BASIS FOR THE DATA PROCESSING
The Controller shall only process personal data if the processing has a legitimate legal basis, thus:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the Controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where, according to the balancing of interest test conducted, such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
4.1 Consent of the data subject
When obtaining the Data Subject’s consent, the Controller shall always choose a solution based on which the legality of the consent can be subsequently proven. Therefore, in the case of paper-based data processing, the consent must be obtained in writing, while in the course of electronic data processing, the Controller’s services involving data processing may only be usable subject to registration.
Prior to giving his or her consent, the Data Subject must be informed about all the essential circumstances concerning the processing (in particular, the identity, registered office and contact information of the controllers or processors, the scope of the data processed, the legal basis, purpose and duration of processing for each category of data, information about data transfer, advice on the legal remedies available), and must be guaranteed the right to withdraw such consent at any time. The withdrawal of consent shall not affect the lawfulness of any processing that was conducted based on the consent prior to its withdrawal.
If the Data Subject has initiated a matter (thus, particularly, if he or she has contacted the Controller with the intention of concluding a contract), the Controller shall deem the Data Subject’s consent to have been given in respect of the processing of the data provided by the Data Subject.
4.2 Statutory provisions
If the processing of personal data is stipulated by a legal regulation, the data processing is compulsory.
The Controller shall inform the Data Subject of this. If the legal regulation is valid and applicable, the Controller is obliged to execute it in accordance with the provisions of the legal regulation, and it may not examine the appropriateness, professionalism or constitutionality of the legal regulation.
4.3 Performance of a contract
Personal data may also be processed where it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis must be strictly interpreted, and thus it may only be applied if there is a direct and objective relationship between the data processing and the performance of the contract. The legal basis extends to data processing performed prior to the conclusion of the contract and to pre-contractual relationships, provided that such processing was initiated by the Data Subject.
4.4 Legitimate interest
Data processing is legitimate also if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
To establish the existence of a legitimate interest, a balancing-of-interest test must be conducted, as part of which careful assessment is needed, including as to whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data.
5 SCOPE AND PROCESSING OF THE DATA
a) Natural persons’ identification data: the purpose of processing this data is to be able to clearly identify the Data Subject and maintain contact with him or her. The Controller processes the following data of the Data Subject: name, name at birth, mother’s maiden name, place and date of birth, residential address, postal address, and in the case of mandatory data processing, it also processes, as required by the law.
The legal basis for the data processing shall be the consent of the Data Subject – primarily the consent granted in the contract – and the statutory provisions.
b) Telephone numbers and other contact information required for maintaining contact with the Data Subject: If provided by the Data Subject, the Controller shall process his or her telephone numbers and email address required for maintaining contact.
c) Data of documents: the document presented for verification of the authenticity of the customer's data must be recorded among the customer's data, besides the fact that verification has been performed.
d) Data necessary for the conclusion of the contract for the service used or intended to be used, or for making a decision on whether to conclude such a contract: If the Data Subject wishes to conclude a contract with the Controller for a service, the Controller may, prior to contract conclusion – in accordance with the relevant contractual conditions – examine whether such contract can be concluded with the Customer or other Data Subject. If the contracting party is not the Customer, the data of the Data Subject may be processed in relation to the preparation of the contract and to the decision on whether to conclude the contract.
e) Data generated in relation to the provision and use of the service: The Controller processes the data generated in relation to the service provided under the contract in accordance with the stipulations set forth in the relevant contractual conditions and legal regulations.
f) Data related to rights and obligations established in relation to the provision and use of the service: During the performance of the contract concluded between the Controller and the Customer, the parties may exercise their rights and must fulfil their obligations under the contract. The Controller may process the data related to this (e.g. data related to breaches of contract).
g) Data related to claims, and to the assertion of claims, arising from any existing or terminated contract between the Controller and the Customers: According to the applicable laws, claims may arise from contracts already terminated; the Controller processes the data relating to this, which is necessary for enforcing any claims, as well as the data that must be retained based on the law.
6 DURATION OF DATA PROCESSING
Personal data may be processed in a manner that permits identification of the data subject solely for the time required to achieve the purposes of processing.
The Controller retains the personal data available to it in line with the various purposes of processing and legal bases and, where a legal requirement applies, in accordance with that requirement. The retention period may be, in particular:
a) in the case of processing based on the data subject’s consent, the time until the withdrawal of the consent statement,
b) following the termination of the contractual relationship between the Controller and the Data Subject, the time until the end of the limitation period (unless otherwise stipulated by law),
c) in the case of statutory mandatory processing, until expiry of the statutory time limit; e.g. in connection with taxation, 5 years, in connection with accounting, as a general rule, 8 years.
The Controller erases the data if it is obvious that such data will not be used in the future, that is, if the purpose of data processing has ceased.
7 RIGHTS OF DATA SUBJECTS AND THE ENFORCEMENT THEREOF
7.1 Right to receive information
In accordance with the principle of fair and transparent processing of personal data, the Controller shall make the information specified in the law available to the Data Subjects before processing begins.
7.2 Right of access by the Data Subject
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The Controller shall provide the Data Subject with a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
7.3 Right to rectification
The Data Subject may request the Data Controller to rectify one or more items of personal data that have been indicated incorrectly. Where regular data provision takes place on the basis of the data to be rectified, where necessary the Controller shall inform the recipient of the data about the rectification, and shall remind the Data Subject that the Data Subject must also initiate the rectification at other controllers.
7.4 Right to erasure (‘right to be forgotten’)
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the Data Subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;
c) the Data Subject objects to the processing, and there are no overriding legitimate grounds for the processing, or, without any investigation into whether such grounds exist, the Data Subject objects to the processing with regard to processing conducted for the purpose of direct marketing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased to comply with a legal obligation, prescribed by a European Union or Hungarian law, to which the Controller is subject;
f) the personal data have been collected in connection with the offer of information society services relating to a person who is a minor.
Where the Controller has made the personal data public and is under an obligation to erase the personal data, the Controller, taking into consideration the available technology and the cost of implementation, must take reasonable steps – including technical measures – to notify the controllers who are processing the personal data of the fact that the data subject has requested the erasure, by such controllers, of any links to, or copies or reproductions of, the personal data in question.
The right of erasure shall not apply insofar as the processing is necessary:
a) for compliance with a legal obligation that stipulates the processing of personal data, applicable under European Union or Hungarian laws to which the Controller is subject;
b) for the establishment, exercise or defence of legal claims.
7.5 Right to object
The Data Subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is necessary for the pursuit of a legitimate interest of the Controller or a third party, including profiling based on the above-mentioned provisions. In this event, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the Data Subject objects to processing of the personal data for direct marketing purposes, the personal data shall no longer be processed for the purpose of profiling.
7.6 Right to restriction of processing
The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
d) the Data Subject has objected to processing in accordance with the provisions of the first paragraph of section 7.5 above; in this case, the restriction shall apply until it is determined whether the legitimate grounds of the Controller override the legitimate interests of the Data Subject.
Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or a Member State.
A Data Subject who has obtained restriction of processing on the basis of the above shall be informed by the Controller in advance of the lifting of the restriction on processing.
7.7 Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the Data Subject about such recipients at the request of the Data Subject.
7.8 Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:
a) the processing takes place for one or more specific purposes or is based on the express consent of the Data Subject, or is necessary for the conclusion of a contract with the Data Subject, or the subsequent performance thereof; and
b) the processing is carried out by automated means.
In exercising his or her right to data portability in accordance with the above, the Data Subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.
The exercise of the right to data portability shall be without prejudice to the right to erasure (“right to be forgotten”). That right shall not apply in cases where the processing is necessary for the performance of a task carried out in the public interest or in the course of exercising official authority vested in the Controller.
The right to data portability shall not adversely affect the rights and freedoms of others.
8 DATA TRANSFER
The transfer of data may in all cases take place only on appropriate legal grounds. The Controller is obliged to perform any data transfer that is stipulated by law.
The Controller fulfils regular data reporting tasks to the organisations specified in the law, at the intervals and with the content specified in the law. The Controller only transfers personal data if the legal grounds for doing so are clear, and if the purpose of such transfer and the recipient of the transferred data are precisely defined. The Controller always documents the data transfer, ensuring that the procedure and legitimacy of the transfer may be proven. Appropriately and officially issued documents containing the request for data provision and those providing for the fulfilment of such request are primarily used for documentation purposes.
If the Data Subject gives the Controller an order that makes a data transfer necessary, the Controller may transfer the data for the purpose of executing the order, to the extent required for this purpose, and in this respect the Data Subject exempts the Controller from its obligation of confidentiality.
To fulfil obligations of reporting data to authorities and the court, the Controller transfers the data requested by the authority or the court.
9 DATA PROCESSOR
The Controller may employ data processors in its activities, based on permanent or one-off mandates.
Permanent data processing functions may primarily take place for the purpose of fulfilling administrative tasks related to customer service, service provision and the maintenance of the IT system.
The Controller shall, upon request, inform the Data Subjects of the details of the data processing activity, including in particular the executed operations and the instructions given to the data processor.
The data processor’s rights and obligations regarding the processing of personal data are defined by the Controller, in accordance with the legal regulations. Responsibility for the lawfulness of the instructions related to data processing operations shall be borne by the Controller.
Within the scope of its activity and within the parameters defined by the Controller, the data processor is responsible for the processing, modification, erasure, transfer and publication of personal data. The processor may only use other processors according to the Controller’s instructions.
The data processor may not make any specific decisions related to data processing; he/she may only process the personal data that comes to his/her knowledge in accordance with the Controller’s instructions, he/she may not perform any data processing for his/her own purposes, and he/she must store and keep the personal data in accordance with the Controller’s instructions.
The Controller ensures, by establishing appropriate contractual conditions and taking organisational and technical measures, that during the data processor’s activity the rights of the Data Subjects may not be harmed or compromised, and that the data processor can only obtain any personal data if this is indispensable for the fulfilment of its duties.
Where a processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the contract or other legal act between the Controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Hungarian law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of legal regulations. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the Controller for the performance of that other processor's obligations.
Data processors employed by the Controller:
11 DATA SECURITY
The Controller shall provide for the security of the data. To this end, it shall take all the necessary technical and organisational measures with regard to data stored on either IT devices or on traditional paper-based data carriers. To protect the data files processed electronically in various records, it must be ensured via appropriate technical solutions that the data stored in the records – unless permitted by law – cannot be directly linked and associated with the data subject.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
12.1 The Data Subject may lodge a complaint with the data protection authority
If the Data Subject considers that the processing of personal data concerning him or her is contrary to the provisions of the Data Protection Regulation, he or she is entitled to lodge a complaint with the National Data Protection and Freedom of Information Authority (NAIH).
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1055 Budapest, Falk Miksa u. 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: + 36-1-391-1400
Fax: + 36-1-391-1410
12.2 The Data Subject may apply to the court concerned
If the Data Subject considers that the processing of personal data concerning him or her is contrary to the provisions of the Regulation and thereby violates his or her rights under the Regulation, he or she shall have the right to apply to the court against the Controller.
At the choice of the Data Subject, the lawsuit may be instituted before the court in the place where the Data Subject is domiciled or habitually resident. A person who does not otherwise have legal capacity may also be a party to the lawsuit. The Authority (NAIH) may intervene in the proceedings in order to bring the proceedings to an end.
If the Data Controller causes damage to the Data Subject by unlawful processing or violates the Data Subject's privacy, the Controller may be required to pay damages. The Controller shall be exempt from liability for damages and payment of damages if it proves that the damage or the violation of the privacy of the Data Subject was caused by an unavoidable cause outside the scope of the data management.