• en
  • hu

Data Protection and Data Security Policy.

1. GENERAL SECTION

1.1. Data of Controller

Name: Shopguard Kereskedelmi Kft.

Short name: Shopguard Kft.

Headquarters: 1037 Budapest, Szépvölgyi út 41.

Company Registration Number: Cg. 01-09-364727

Name of the court of registration: Court of Registration of the Metropolitan Court Budapest

VAT number: 10975394-2-41

Phone number: + 36-1-250-2590

E-mail: info@shopguard.com

1.2. Purpose of the Policy

The purpose of this Data Protection and Data Security Policy (hereinafter: Policy) is to ensure that the data of the customers of Shopguard Kft. (hereinafter: Controller), as well as of any other natural persons entering into a relationship with it, is processed within legal parameters, in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: Regulation) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Information Act).

1.3. Organisational scope of the Policy

The effect of this Policy shall extend to the Controller and to any such persons whose data is included in the data processing procedures falling under the effect of this Policy as well as to those natural persons whose rights or legitimate interests are affected by the data processing.

1.4. Material and territorial scope of the Policy

The material scope of the Policy extends to any case of data processing of the Controller that:

a) includes the data of persons who are in a customer relationship with the Controller,

b) includes the data of persons who were in a customer relationship with the Controller,

c) includes the data of persons who intend to enter into a customer relationship with the Controller,

d) includes the data of persons who are related to the customers of the Controller in such manner as the processing of their personal data is required for providing the service,

e) is required for compliance with the legal obligation of the Controller.

Territorial scope of this Policy extends

a) to data processing activities conducted solely in Hungary,

b) cross-border data processing conducted by the Controller, and

c) data processing activities where the main establishment is Hungary.

1.5. Legislative background

a) REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the Regulation or GDPR),

b) Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Hungarian Data Protection law) (hereinafter: Info tv.),

and any such legal regulations as contain obligatorily applicable data processing provisions.

1.6. Definitions

When applying this Policy, the following terms shall be understood in accordance with the definitions set out below.

a. ‘personal data’ means any information relating to an identified or identifiable natural person (hereinafter: ‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

b. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

c.  ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

d. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

e. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

f. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

g. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

h. ‘processor’ a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller or another Controller.

i. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

j. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

k. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

l. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

m. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

n. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

o. ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

p. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

q. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to the provisions of the Regulation; in Hungary, the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: NAIH);

r. ’supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

ra) the controller or processor is established on the territory of the Member State of that supervisory authority;

rb) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

rc)a complaint has been lodged with that supervisory authority;

s. ‘cross-border processing of personal data’:

sa) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

sb) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

t. ‘information society service’: a service as defined in paragraph (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

2. PRINCIPLES OF DATA PROCESSING

The Controller shall proceed in good faith and in accordance with the requirements of integrity, in cooperation with the Data Subjects. The Controller shall exercise its rights and shall fulfil its obligations in accordance with the intended purpose of such.

The data processing must be performed in a manner which is transparent for the Data Subjects; thus, it must be clear for them how their personal data is collected, processed, used and accessed.

Personal data shall, in the course of data processing, retain its nature as such for as long as its link to the Data Subject can be established. The link to the Data Subject shall be establishable if the Controller possesses the technical conditions required for such establishment. The use of pseudonyms shall not affect the nature of the data as personal data.

In the course of data processing, the Controller shall ensure the accuracy and completeness of the data and – if necessary for the purpose of the data processing – that it is up-to-date, and that the Data Subject can only be identified for the time necessary for the purpose of the data processing.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the Controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and protect the rights of data subjects.

The Controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

3. PURPOSE OF THE DATA PROCESSING

The Controller shall only process personal data for a specified purpose, in the interests of exercising a right or fulfilling an obligation. The data processing shall, in all its phases, comply with the purpose of the data processing. The data must be recorded and processed in a fair and lawful manner. The Controller shall ensure that only such personal data is processed that is indispensable for realising the purpose of the data processing, and that is suitable for achieving this purpose. The personal data may only be processed to the extent and for the period of time required for the realisation of such purpose.

Instances of data processing falling under the effect of this Policy shall in all cases be related to a service provided by the Controller, which service is used or has been used by the Data Subject as a customer, or where for the purpose of using such service the Data Subject has contacted the Controller, or which service the Controller provides to a third party in collaboration with the personal involvement of the Data Subject (e.g. the representative or the proxy of a natural-person Data Subject).

The instances of data processing falling under the effect of this Policy may serve the following purposes:

a) preparation, conclusion and implementation of the contract with the Controller,

b) if there is specific consent for such, contact initiated by the Controller for the purposes of direct marketing or market research (by mail, telephone or by electronic or other means of communication),

c) enabling the Controller to directly assess the needs of the Data Subjects, for the purpose of providing them with higher-level services (statistics preparation),

d) risk management (analysis, evaluation, mitigation and the observance of the provisions on prudent operation, risk assumption),

e) prevention, investigation and detection of abuses related to the products and services provided by the Controller,

f) following the termination of the contract, the exercising of rights and fulfilment of obligations originating from the contract, thus in particular the enforcement of any outstanding claims based on the contract.

4. LEGAL BASIS FOR THE DATA PROCESSING

The Controller shall only process personal data if the processing has a legitimate legal basis, thus:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the Controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where, according to the balancing of interest test conducted, such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

4.1. Consent of the data subject

If the data processing is not required for the performance of the contract, and the data may not be processed based on other legal grounds either, the Controller may only process the data if it is provided voluntarily by the Data Subject.

If the Data Subject has initiated a matter (thus, particularly, if he or she has contacted the Controller with the intention of concluding a contract), the Controller shall deem the Data Subject’s consent to have been given in respect of the processing of the data provided by the Data Subject.

In the obtaining of such consent, the Controller shall always choose a solution based on which the legality of the consent can be subsequently proven. Therefore, in the case of paper-based data processing, the consent must be obtained in writing, while in the course of electronic data processing, the Controller’s services involving data processing may only be usable subject to registration.

Prior to giving his or her consent, the Data Subject must be informed about all the essential circumstances concerning the processing (in particular, the identity, registered office and contact information of the controllers or processors, the scope of the data processed, the legal basis, purpose and duration of processing for each category of data, information about data transfer, advice on the legal remedies available), and must be ensured the right to withdraw such consent any time. The withdrawal of consent shall not affect the lawfulness of any processing that was conducted based on the consent prior to its withdrawal.

4.2. Statutory provisions

If the processing of personal data is stipulated by a legal regulation, the data processing is compulsory.

The Controller shall inform the Data Subject of this. If the legal regulation is valid and applicable, the Controller is obliged to execute it in accordance with the provisions of the legal regulation, and it may not examine the appropriateness, professionalism or constitutionality of the legal regulation.

4.3. Performance of a contract

Personal data may be processed also where it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. This legal basis must be strictly interpreted, and thus it may only be applied if there is a direct and objective relationship between the data processing and the performance of the contract. The legal basis extends to data processing performed prior to the concluding of the contract and to the precontract relationships, provided that such processing was initiated by the Data Subject.

4.4. Legitimate interest

Data processing is legitimate also if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

To establish the existence of a legitimate interest, a balancing-of-interest test must be conducted, as part of which careful assessment is needed, including as to whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for such override the interest of the Controller if the personal data are processed in circumstances where the data subjects do not reasonably expect further processing.

Steps of the balancing-of-interest test:

(i) definition of the purpose of data processing,

(ii) assessment of the legality of data processing,

(iii) definition and classification of the data whose processing is planned,

(iv) assessment of the legal basis of data processing,

(v) identification of impediments to the data processing,

(vi) definition of the interest relating to the data processing,

(vii) determination of the legitimacy of the controller’s interests,

(viii) assessment of the necessity and inevitability of the data processing,

(ix) evaluation of the Controller’s interest,

(x) evaluation of the impact of data processing on the data subjects,

(xi) any additional guarantees applied, (x) final balancing.

4.5. Protection of vital interests

Personal data may be processed also if processing is necessary in order to protect the vital interests of the data subject or of another natural person.

The Controller shall inform the Data Subject about the interest to be protected that gives grounds for the data processing. The provision of information based on this section shall take place at the time that contact between the Controller and the Data Subject is established. Contact may take place subsequently, as well.

6. SCOPE AND PROCESSING OF THE DATA

a) Natural persons’ identification data: the purpose of processing this data is to be able to clearly identify the Data Subject and maintain contact with him or her. The Controller processes the following data of the Data Subject: name, name at birth, mother’s maiden name, place and date of birth, residential address, postal address, and in the case of mandatory data processing, it also processes, as required by the law.

The legal basis for the data processing shall be the consent of the Data Subject – primarily the consent granted in the contract – and the statutory provisions.

b) Telephone numbers and other contact information required for maintaining contact with the Data Subject: If provided by the Data Subject, the Controller shall process his or her telephone numbers and email address required for maintaining contact.

c) Copies and data of documents: The Controller prepares copies of the individual data-verifying documents in order to establish the correctness of the data, based on the Data Subject’s consent or a binding provision of law. If the Data Subject does not wish to give his or her consent, instead of the copy, the document presented for verification of the authenticity of the customer’s data must be recorded among the customer’s data, besides the fact that verification has been performed.

d) Data necessary for the conclusion of the contract for the service used or intended to be used, or for making a decision on whether to conclude such a contract: If the Data Subject wishes to conclude a contract with the Controller for a service, the Controller may, prior to contract conclusion – in accordance with the relevant contractual conditions – examine whether such contract can be concluded with the Customer or other Data Subject. If the contracting party is not the Customer, the data of the Data Subject may be processed in relation to the preparation of the contract and to the decision on whether to conclude the contract.

f) Data generated in relation to the provision and use of the service: The Controller processes the data generated in relation to the service provided under the contract in accordance with the stipulations set forth in the relevant contractual conditions and legal regulations (data related to invoices, receivables, account operations, transactions, etc.).

g) Data related to rights and obligations established in relation to the provision and use of the service: During the performance of the contract concluded between the Controller and the Customer, the parties may exercise their rights and must fulfil their obligations under the contract. The Controller may process the data related to this (e.g. data related to interest claims or breaches of contract).

h) Data related to claims, and to the assertion of claims, arising from any existing or terminated contract between the Controller and the Customers: According to the applicable laws, claims may arise from contracts already terminated; the Controller processes the data relating to this, which is necessary for enforcing any claims, as well as the data that must be retained based on the law.

7. DURATION OF DATA PROCESSING

Personal data may be processed in a manner that permits identification of the data subject solely for the time required to achieve the purposes of processing.

The Controller retains the personal data available to it in line with the various purposes of processing and legal bases, in the case of a legal requirement, in accordance therewith. The retention period may be, in particular

a) in the case of processing based on the data subject’s consent, the time until the withdrawal of the consent statement,

b) following the termination of the contractual relationship between the Controller and the Data Subject, the time until the end of the limitation period (unless otherwise stipulated by law),

c) in the case of statutory mandatory processing, until expiry of the statutory time limit; e.g. in connection with taxation, 5 years, in connection with accounting, as a general rule, 8 years.

The personal data of the Data Subject may be processed for direct marketing and research purposes until the date specified in the Data Subject’s consent, but in any case no longer than until the withdrawal of the Data Subject’s consent or notification of the Data Subject’s objection.

The Controller erases the data if it is obvious that such data will not be used in the future, that is, if the purpose of data processing has ceased.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

8.1. Data protection impact assessment

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

The Controller shall seek the advice of the data protection officer, when carrying out a data protection impact assessment.

A data protection impact assessment shall in particular be required in the following cases:

a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

b) a systematic monitoring of a publicly accessible area on a large scale.

The assessment shall contain at least:

a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects; and

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

Compliance with approved codes of conduct referred to in the Regulation by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

Where appropriate, the Controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

Where necessary, the Controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

8.2. Prior consultation

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

When consulting the supervisory authority, the Controller shall provide the supervisory authority with:

a) where applicable, the respective responsibilities of the Controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

b) the purposes and means of the intended processing;

c) the measures and safeguards provided to protect the rights and freedoms of data subjects  pursuant to this Policy;

d) where applicable, the contact details of the data protection officer;

e) the data protection impact assessment; and

f) any other information requested by the supervisory authority.

9. DATA TRANSFER

The transfer of data may in all cases take place only on the basis of appropriate legal grounds.

The Controller fulfils regular data reporting tasks to the organisations specified in the law, at the intervals and with the content specified in the law. The Controller only transfers personal data if the legal grounds for doing so are clear, and if the purpose of such transfer and the recipient of the transferred data are precisely defined. The Controller always documents the data transfer, ensuring that the procedure and legitimacy of the transfer may be proven. Appropriately and officially issued documents containing the request for data provision and those providing for the fulfilment of such request are primarily used for documentation purposes.

The Controller is obliged to perform any data transfer that is stipulated by law.

In addition to the above, personal data may only be transferred if the Data Subject has expressly consented to it. In order to ensure that such consent can be subsequently verified, it must, if at all possible, be made in writing. The requirement to have such consent in writing may be ignored if the data transfer is of little consequence as regards the recipient, the purpose of the transfer or the type of data involved. If the data transfer is subject to the consent of the Data Subjects, the Data Subject shall only give his/her consent if he/she is aware of the recipient and the purpose of the data transfer.

The above bans and limitations shall also apply after the end of the customer relationship.

10. PROCESSING OF DATA FILES

The Controller shall ensure that the manner and data content of the records always complies with the latest effective legal regulations. The types of data processing that are based on the legal regulations are mandatory, and the Data Subjects may request information on these. The Controller shall provide for the appropriate logical and if necessary, physical separation of the various types of data processing with different purposes.

The Controller processes the electronic and paper-based records based on uniform principles, with due regard to the characteristics resulting from the differences between data carriers within the records. The principles and obligations under this Policy are equally applied to both electronic and paper-based records.

The record containing the customer data and the record related to the services provided by the Controller are articulated in order to ensure that the data processing systems that can be separated by legal basis and purpose are indeed separated from each other. By defining the structure of the recordkeeping system and the authorisations and through other organisational measures the Controller ensures that data in the records is only available to those employees and other persons acting within the Controller’s sphere of interest who need this for their job and for the performance of their tasks.

The Controller ensures access to its records, subject to the fulfilment of the data security requirements, to those third parties collaborating as data processors who provide the Controller with services related to data processing.

The Controller’s electronic records comply with the requirements of data security, and the records ensure that only persons who specifically need it for the performance of their tasks have access to the data, and only in relation to a specific purpose.

The Controller ensures that the principle of data minimisation is enforced.

The Controller shall maintain a record of processing activities under its responsibility. That record shall contain the essential circumstances of processing, in particular the following information:

a) the name and contact details of the controller and the joint controller, the controller’s representative and the data protection officer;

b) the purposes of data processing;

c) a description of the categories of data subjects and of the categories of personal data;

d) the categories of recipients to whom the personal data have been or will be disclosed including

recipients in third countries or international organisations;

e) where applicable, transfers of personal data to a third country or an international organisation,

including the identification of that third country or international organisation and, in the case

of transfers, the documentation of suitable safeguards;

f) where possible, the envisaged time limits for erasure of the different categories of data;

g) where possible, a general description of the technical and organisational security measures.

11. DATA SECURITY

The Controller shall provide for the security of the data. To this end, it shall take all the necessary technical and organisational measures with regard to data stored on either IT devices or on traditional paper-based data carriers. To protect the data files processed electronically in various records, it must be ensured via appropriate technical solutions that the data stored in the records – unless permitted by law – cannot be directly linked and associated with the data subject.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of

processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the

event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and

organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The Controller shall take steps to ensure that any natural person acting under the authority of the Controller or the processor who has access to personal data only processes them in accordance with the Controller’s instructions and the principle of purpose limitation. The Controller’s records must ensure that only persons who specifically need it for the performance of their tasks have access to the data, and only in relation to a specific purpose.

The Controller provides for the enforcement of the rules on data security by way of separate policies, procedures and procedural rules. In order to fulfil the conditions of data security, it provides for the appropriate instruction of the employees concerned.

11.1. Protection of IT records

As part of its tasks related to IT security, the Controller primarily provides for the following:

a) Measures ensuring protection against any unauthorised access, including the protection of software and hardware devices, and physical protection (access protection, network protection);

-b) Measures ensuring the possibility of recovery of the data files, including the preparation of regular backups and the separated, secure management of copies (mirroring, security backups);

c) Protection of data files against viruses (virus protection);

d) Physical protection of data and the related data carrier devices, including damage caused by fire, flood, lightning and other natural disasters, and providing for the possibility of recovery following instances of damage caused by the above events (archiving, fire protection).

11.2. Protection of paper-based records

The Controller takes all measures necessary for the protection of paper-based records, particularly with regard to physical security and fire protection.

Employees and other persons acting on behalf of the Controller shall be obliged to keep safe those data carriers used or possessed by them that also contain personal data, regardless of the method of data recording, and to protect the data against unauthorised access, change, transfer, publication, deletion or destruction and against involuntary destruction or damage.

11.3. Regulation of data security

The Controller provides for the enforcement of the data security requirements by way of separate policies and procedures. Its employees as well as the persons acting within the Controller’s sphere of interest shall always act in accordance with the rules ensuring high-level enforcement of data security set out in separate policies and procedures.

12. PERSONAL DATA BREACH

In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The processor shall notify the Controller without undue delay after becoming aware of a personal data breach.

The notification must at least:

a) describe the nature of the personal data breach including where possible, the categories and

approximate number of data subjects concerned and the categories and approximate number

of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point

where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal

data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures included in the notification to the supervisory authority.

The communication to the data subject shall not be required if any of the following conditions are met:

a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

b) the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

13. DATA PROCESSOR

The Controller may employ data processors in its activities, based on permanent or one-off mandates.

Permanent data processing functions may primarily take place for the purpose of fulfilling administrative tasks related to customer service, service provision and the maintenance of the IT system.

The Controller shall, upon request, inform the Data Subjects of the details of the data processing activity, including in particular the executed operations and the instructions given to the data processor.

The data processor’s rights and obligations regarding the processing of personal data are defined by the Controller, in accordance with the legal regulations. Responsibility for the lawfulness of the instructions related to data processing operations shall be borne by the Controller.

Within the scope of its activity and within the parameters defined by the Controller, the data processor is responsible for the processing, modification, erasure, transfer and publication of personal data. The processor may only use other processors according to the Controller’s instructions.

The data processor may not make any specific decisions related to data processing; he/she may only process the personal data that comes to his/her knowledge in accordance with the Controller’s instructions, he/she may not perform any data processing for his/her own purposes, and he/she must store and keep the personal data in accordance with the Controller’s instructions.

The Controller ensures, by establishing appropriate contractual conditions and taking organisational and technical measures, that during the data processor’s activity the rights of the Data Subjects may not be harmed or compromised, and that the data processor can only obtain any personal data if this is indispensable for the fulfilment of its duties.

The employment of a data processor is only possible on the basis of a written contract.

The contract must contain at least the following elements:

a) name of the controller and the processor;

b) subject, duration, type and purpose of the data processing;

c) categories of data subjects;

d) description of the data processing activity;

e) type and scope of personal data to be handed over;

f) in the case of automated data processing, the method used and its essence;

g) obligations and rights of the Controller and the processor;

h) the Controller’s guarantee to the effect that the database and personal data handed over are

processed legally;

i) representations of the data processor to the effect that it

ia) processes the personal data only on documented instructions from the controller, including

with regard to transfers of personal data to a third country or an international organisation,

unless required to do so by Union or Member State law to which the processor is subject;

in such a case, the processor shall inform the controller of that legal requirement before

processing, unless that law prohibits such information on important grounds of public

interest;

ib) ensures that persons authorised to process the personal data have committed themselves to

confidentiality or are under an appropriate statutory obligation of confidentiality;

ic) shall take the data security measures that arise within the scope of its activity;

id) taking into account the nature of the processing, assists the controller by appropriate

technical and organisational measures, insofar as this is possible, for the fulfilment of the

controller’s obligation to respond to requests for exercising the data subject’s rights;

(ie) assists the controller in ensuring compliance with its obligations, taking into account the

nature of processing and the information available to the processor;

if) at the choice of the controller, deletes or returns all the personal data to the controller after

the end of the provision of services relating to processing, and deletes existing copies

unless the Hungarian law requires storage of the personal data;

ig) the processor’s statement to the effect that it makes available to the controller all information

necessary to demonstrate compliance with the obligations laid down in Article 28 of the

Regulation, and allow for and contribute to audits, including inspections, conducted by the

controller or another auditor mandated by the controller;

j) prohibition of the use of data by the processor for its own purposes and purposes different than

those specified in the contract;

k) the requirement that the processor, in the course of performing its activity shall not be permitted to use other processors without the consent of the data controller;

l) the processor’s commitment to comply with data security rules;

m) the specification that the processor shall immediately inform the Controller if, in its opinion, an

instruction infringes the Regulation or other Union or Member State data protection provisions.

Where a processor engages another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in the contract or other legal act between the Controller and the processor shall be imposed on that other processor by way of a  contract or other legal act under Union or Hungarian law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of legal regulations. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the Controller for the performance of that other processor’s obligations.

Data processors employed by the Controller:

Activity Company name Seat
Server hosting Magyar Hosting Kft. 1132 Budapest,
Victor Hugo u. 18-22.
Website operation Viacom Informatikai Kereskedelmi és Szolgáltató Kft. Seated: 2360 Gyál, Deák Ferenc utca 17. Mailing address: 2225 Üllő, Gyár utca 8.
Bookkeeping, accountancy Adó-fix Kft.                1148 Budapest, Kerepesi út 78/F.

18. RIGHTS OF DATA SUBJECTS AND THE ENFORCEMENT THEREOF

18.1. Right to receive information

18.1.1. Information to be provided where personal data are collected from the Data Subject

18.1.1.1. Where personal data relating to a Data Subject are collected from the Data Subject, the Controller shall, at the time of obtaining the personal data (concurrently with the data collection, at the latest), provide the Data Subject with all of the following items of information:

a) the identity and the contact details of the Controller and, where applicable, of the Controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on a legitimate interest, the legitimate interests pursued by the Controller or by a third party;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, the fact that the Controller intends to transfer the personal data to a third country or international organisation, and the existence or absence of an adequacy decision by the European Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or to where they have been made available.

18.1.1.2. In addition to providing the information referred to above, the Controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) the existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

c) in the case of processing performed on the basis of consent, the existence of the right to withdraw consent at any time, which does not affect the lawfulness of processing based on consent before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

f) the existence of automated decision-making, including profiling, and, at least in those cases, comprehensible information about the logic applied, as well as the significance and the envisaged consequences of such processing for the data subject.

Where the Controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the Controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in section 18.1.1.2.

The obligation to provide information shall not apply where and insofar as the Data Subject already has the information.

18.1.2. Information to be provided where personal data have not been obtained from the Data Subject

18.1.2.1. Where personal data have not been obtained from the Data Subject, the Controller shall provide the Data Subject with the following information:

a) the identity and the contact details of the Controller and, where applicable, of the Controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal

basis for the processing;

d) the categories of personal data concerned;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, the fact that the Controller intends to transfer personal data to a recipient in

a third country or international organisation, and of the existence or absence of an adequacy

decision by the Commission, and a reference to the appropriate or suitable safeguards and

the means to obtain a copy of them or where they have been made available.

18.1.2.2. In addition to the information, the Controller shall provide the Data Subject with the following information necessary to ensure fair and transparent processing in respect of the Data Subject:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) where the processing is based on the Controller’s legitimate interest, the legitimate interests pursued by the Controller or by a third party;

c) the existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject and to object to processing as well as the right to data portability;

d) where the processing is based on the granting of consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

e) the right to lodge a complaint with a supervisory authority;

f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

g) the existence of automated decision-making, including profiling, and, at least in those cases, comprehensible information about the logic applied, as well as the significance and the envisaged consequences of such processing for the Data Subject.

18.1.2.3. The Controller shall provide the information referred to in sections 18.1.2.1. and 18.1.2.2 as follows:

a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

b) if the personal data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or

c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the Data Subject, prior to such further processing, with information on that other purpose and with any relevant further information.

18.1.2.4. The information does not have to be provided where and insofar as:

a) the Data Subject already has the information;

b) obtaining or disclosure is expressly laid down by Hungarian law to which the Controller is

subject and which provides appropriate measures to protect the data subject’s legitimate

interests; or

c) the personal data must remain confidential subject to an obligation of professional secrecy

regulated by European Union or Hungarian law (e.g. Controllering secrecy), including a statutory

obligation of secrecy.

18.1.3. Right of access by the Data Subject

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of data processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be

disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not

possible, the criteria used to determine that period;

e) the existence of the right to request from the Controller rectification or erasure of personal

data or restriction of processing of personal data concerning the Data Subject or to object to

such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the Data Subject, any available information as

to their source;

h) the existence of automated decision-making, including profiling, and, at least in those cases,

comprehensible information about the logic applied, as well as the significance and the

envisaged consequences of such processing for the Data Subject.

Where personal data are transferred to a third country or to an international organisation, the Data Subject shall have the right to be informed of the safeguards relating to the data transfer.

The Controller shall provide the Data Subject with a copy of the personal data undergoing processing.

For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs, as set out in a separate policy. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

18.2. Right to rectification

The Data Subject may request the Data Controller to rectify one or more items of personal data that have been indicated incorrectly. Where regular data provision takes place on the basis of the data to be rectified, where necessary the Controller shall inform the recipient of the data about the rectification, and  shall remind the Data Subject that the Data Subject must also initiate the rectification at other controllers.

18.3. Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the Data Subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;

c) the Data Subject objects to the processing, and there are no overriding legitimate grounds for the processing, or, without any investigation into whether such grounds exist, the Data Subject objects to the processing with regard to processing conducted for the purpose of direct marketing;

d) the personal data have been unlawfully processed;

e) the personal data have to be erased to comply with a legal obligation, prescribed by a

European Union or Hungarian law, to which the Controller is subject;

f) the personal data have been collected in connection with the offer of information society

services relating to a person who is a minor.

Where the Controller has made the personal data public and is under an obligation to erase the personal data, the Controller, taking into consideration the available technology and the cost of implementation, must take reasonable steps – including technical measures – to notify the controllers who are processing the personal data of the fact that the data subject has requested the erasure, by such controllers, of any links to, or copies or reproductions of, the personal data in question.

The right of erasure shall not apply insofar as the processing is necessary:

a) for compliance with a legal obligation that stipulates the processing of the personal data,

applicable under European Union or Hungarian laws to which the Controller is subject;

b) for the establishment, exercise or defence of legal claims.

18.4. Right to object

The Data Subject shall have the right to object at any time, on grounds relating to his or her particular situation to the processing of personal data concerning him or her which is necessary for the pursuit of a legitimate interest of the Controller or a third party, including profiling based on the above mentioned provisions. In this event, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the Data Subject, or which are related to the establishment, exercising or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the Data Subject objects to processing of the personal data for direct marketing purposes, the personal data shall no longer be processed for the purpose of profiling.

No later than at the time of the first contact with the Data Subject, the right referred to above shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information. In the context of the use of information society services, the data subject may exercise his or her right to object by automated means based on the appropriate technical specifications.

18.5. Right to restriction of processing

The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;

d) the Data Subject has objected to processing in accordance with the provisions of the first paragraph of section 18.3.2.; in this case, the restriction shall apply until it is determined whether the legitimate grounds of the Controller override the legitimate interests of the Data Subject.

Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or a Member State.

A Data Subject who has obtained restriction of processing on the basis of the above shall be informed by the Controller in advance of the lifting of the restriction on processing.

18.6. Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with sections 18.3.1-18.3.3. to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the Data Subject about such recipients at the request of the Data Subject.

18.7. Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:

a) the processing takes place for one or more specific purposes or is based on the express consent of the Data Subject, or is necessary for the conclusion of a contract with the Data Subject, or the subsequent performance thereof; and

b) the processing is carried out by automated means.

In exercising his or her right to data portability in accordance with the above, the Data Subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.

The exercise of the right to data portability shall be without prejudice to the right to erasure (“right to be forgotten”). That right shall not apply in cases where the processing is necessary for the performance of a task carried out in the public interest or in the course of exercising official authority vested in the Controller.

The right to data portability shall not adversely affect the rights and freedoms of others.

The Controller shall support the data protection officer in performing the tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

The Controller shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the Controller for performing his tasks. The data protection officer shall directly report to the highest management level of the Controller.

Data Subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Hungarian law.

The data protection officer may fulfil other tasks and duties. The Controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

19. REMEDIES

19.1. The Data Subject may lodge a complaint with the data protection authority

If the Data subject considers that the processing of personal data concerning him or her is contrary to the provisions of the Data Protection Regulation, he or she is entitled to complain to the National Data Protection and Freedom of Information Authority (NAIH).

Name: National Data Protection and Freedom of Information Authority

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22 / C.

Mailing address: 1530 Budapest, Pf .: 5.

Phone: + 36-1-391-1400

Fax: + 36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

19.2. The Data Subject apply to the court concerned

If the Data Subject considers that the processing of personal data concerning him or her is contrary to the provisions of the Regulation and thereby violates his or her rights under the Regulation, he or she shall have the right to apply to the court against the Controller.

At the choice of the Data Subject, the lawsuit may be instituted before the court in the place where the Data Subject is domiciled or habitually resident. A person who does not otherwise have legal capacity may also be a party to the lawsuit. The Authority (NAIH) may intervene in the proceedings in order to bring the proceedings to an end.

19.3. Damages

If the Data Controller causes damage to the Data Subject by unlawful processing or violates the data subject’s privacy, the Controller may be charged damages. The controller shall be exempt from liability for damages and payment of damages if he proves that the damage or the violation of the privacy of the Data Subject was caused by an unavoidable cause outside the scope of the data management.

SHOPGUARD KFT.

Back to Top