- PURPOSE OF THIS POLICY
The purpose of this Policy is to lay down the data protection and data processing principles of Közlekedési Műszergyártó Zrt. (court of registration: Company Registry Court of Budapest-Capital Regional Court; company registration number: 01-10-042-412; registered seat: H-1139 Budapest, Teve u. 62.; tax identification number: 10895924-2-41; email address: firstname.lastname@example.org) (hereinafter referred to as Company), which the Company recognises as binding on itself.
In establishing these rules, the Company paid special regard to the requirements of
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as Privacy Act),
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services (hereinafter referred to as Electronic Commerce Act),
- Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing,
- Act VI of 1998 on the Ratification of Strasbourg Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data,
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities,
- and Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The purpose of this Policy is to ensure the functioning of statutory data-protection requirements in all fields of production, sales, and services performed by the Company, for all persons, regardless of their place of residence. In performing its activities, the Company shall respect the fundamental freedoms of users, especially their privacy rights, in machine-processing personal data (data protection).
The purpose of data processing is to ensure the implementation of obligations assumed in the contracts concluded with the users of our services (Article 6(1)(b) of the GDPR), including the fulfilment of orders, investigation of complaints and protests, and the fulfilment of our legal obligations.
Personal data: data which can be associated with the defined natural person (hereinafter referred to as data subject), especially the data subject’s name, identification mark as well as characteristic information about one or more physical, physiological, mental, economic, cultural or social identity and the conclusions that may be drawn from the data in relation to the data subject. Within the scope of data processing, personal data shall retain this feature until its relation to the data subject may be restored;
Dataset: the entirety of data managed in one record;
Data management: any or all of the procedures implemented on data regardless of the method applied, including in particular the collection, recording, saving, sorting, storage, change, utilisation, query, transmission, publication, coordination or combination, blocking, deletion and destruction, as well as the prevention of any further use of personal data;
Data processing: the implementation of data management transactions and technical tasks, regardless of the method and means or the place of the implementation of the transactions, provided that the technical task is implemented on the data;
Data destruction: complete physical destruction of the data carrier containing the data;
Data transfer: making personal data accessible to defined third persons;
Disclosure: making personal data accessible to anybody;
Data processor: the natural person or legal entity or unincorporated organisation which processes personal data on the basis of a contract with the data controller;
Erasure: the rendering of data unrecognisable in such a way as to make restoration impossible;
Automated dataset: a series of data that is automatically processed;
Machine processing: includes the following operations, if these are performed using automated equipment either partially or entirely: data storage, logic and arithmetic operations with the data, alteration, deletion, retrieval, and dissemination of data;
User: the individual purchasing on the Company’s website.
III. SCOPE OF PERSONAL DATA PROCESSED
- Data provided by the user at his/her decision: email address, phone number, name, home address/place of residence, the product category the user orders, the mode of receipt and payment and the item-level totals of the purchases of the user.
- Technically recorded data during the system operation: data of the login computer of the user, generated during the use of the services and recorded by the system of the data controller as an automatic result of the technical processes. The system automatically logs the automatically recorded data upon logging in and logging out, without any separate declaration or action of the user. This data may not be linked to other personal data of the user, except in those cases defined as mandatory by the law. Only the data controller has access to the data.
- THE LEGAL BASIS, PURPOSE, AND METHOD OF DATA PROCESSING
- 1. Data processing takes place based on the voluntary, appropriate information of the users of the online contents found on the www.kmgy.hu website; such a declaration shall contain the expressed consent of the user to the use of their personal data they provide while using the website. The legal basis for the processing is the voluntary consent of the data subject under Point (a) of Paragraph (1) of Section 5 of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
- The purpose of processing is to ensure the provision of the services available on the following website:
www.kmgy.hu (web-shop and parcel delivery service).
The personal data necessary for the use of these services is included in the description of the relevant services
- The following companies deliver the ordered products to the users:
DPD Hungária Kft.
1158 Budapest, Késmárk u. 14/b.
Activity: courier service
TNT Express Hungary Kft.
1097 Budapest, Ecseri út 14.
Activity: courier service
- The purpose of the automatic recording of data (see Clause 3.2) is to ensure the provision of the services available via the Company’s website, display customised content and advertisements, statistics, technical development of the IT system, and to protect the rights of the users. The controller may use the data made available by the user in his/her use of the services to create user groups and to display targeted content and/or advertisements for the user groups on the Company’s website.
- The controller may not use the personal data provided for purposes other than those described in these Clauses. Personal data may be disclosed to third parties or the authorities only at the prior expressed consent of the user, unless bindingly and mandatorily provided for otherwise by the law.
- The controller shall not verify the personal data provided to them. The person providing the data shall be exclusively responsible for the correctness of the data. Any user shall, by providing his/her email address, assume the responsibility that it is only him/her that uses the services using that email address. Regarding this assumption of responsibility, all responsibility related to the logins with a given email address shall exclusively rest with the user who registered that email address.
- DATA-PROCESSING PRINCIPLES
- Personal data may be obtained in a fair and legal way only.
- Personal data may be stored for specific and lawful purposes, any other use shall not be allowed.
- Personal data shall be proportionate to the purpose of its storage and they must comply with that purpose and not overreach that.
- The storage of personal data shall allow for the identification of the data subject only during the period necessary for the purpose of storage.
- The necessary security measures to protect personal data stored in the automated datasets must be taken in order to prevent accidental or unauthorised destruction, accidental loss, unauthorised access, alteration or dissemination.
- Personal data is processed automatically /including the form of customer profiling/; this, however, does not entail any legal consequences to you and does not affect your position.
- DATA-PROTECTION GUIDELINES OF THE COMPANY
- The Company shall use personal data that is key for the use of the services of Közlekedési Műszergyártó Zrt. based on the approval of the data subjects and for specific purposes only.
- The Company, as the data controller, shall undertake to process personal data it gains possession of according to the provisions of the Privacy Act and the data-protection principles laid down in this Policy, and shall not disclose it to third parties. Regarding the transfer of data, the use of data in a statistically aggregated form—not including the username and any other data suitable for the identification of the data subject in any form—shall be an exemption from the provision in this Clause.
- In certain cases—due to a court procedure, a tax authority procedure, a police request, a conflict with the interests of the Company, jeopardising of the provision of its services, etc.—the Company shall make the available data of the user concerned available.
- The system of Közlekedési Műszergyártó Zrt. may collect data on the activity of the users; such data shall not be linked to the personal data the users provide upon registration, or data generated during the use of other websites or services.
- The Company shall assume the obligation to disclose a clear, awareness-raising, and unambiguous communication before the recording and processing of any personal data of the user, and it shall inform the user about the method, purpose, and principles of data recording in that communication. In addition, in any case in which data recording and processing are not legally required, the Company shall draw the attention of the user to the voluntary nature of data disclosure. In the event of obligatory data provision, the piece of legislation requiring processing must also be referred to. The data subject must be informed of the purpose of processing and about the persons who will process the personal data. Information on processing shall also take place with the legislative provision on the recording of data by forwarding or linking from existing processing.
- In all cases in which the Company wishes to use personal data provided for purposes other than that of the original data recording, the Company shall inform the user of this intention, obtain his/her prior expressed consent and ensure the option to prevent the use.
- In recording and processing data, Közlekedési Műszergyártó Zrt., as controller, shall always comply with the legislative limitations and inform the data subject of their activities as he/she requires, by way of email. The Company shall assume the obligation not to enforce any sanctions against users who refuse the non-obligatory data provision.
- Közlekedési Műszergyártó Zrt. shall assume the obligation to ensure the security of personal data. It shall also take the technical and organisational measures and establish the procedural rules that ensure the protection of recorded, stored, and processed personal data, and shall prevent its destruction, unauthorised use, and unauthorised alteration. It shall also assume the obligation to call on every third party to whom it might forward or transfer the personal data to fulfil such obligations.
- If the personal data is incorrect and the correct personal data is also available to the data controller, then the data controller shall correct the personal data.
- The Company, as the data controller, shall erase the personal data if
- its processing is unlawful;
- the user requests the deletion of his/her personal data;
- the personal data is incomplete or inaccurate and cannot be lawfully rectified, provided that deletion is not ruled out by the law;
- the purpose of data processing no longer exists or the statutory retention period of the personal data has expired;
- a court or an authority has ordered the deletion of personal data.
- Instead of erasing, the data controller must block personal data if the data subject so requests or if, based on the available information, it is reasonably assumed that such deletion would harm the data subject’s lawful interests. The personal data so blocked can be managed only as long as the original data-processing purpose exists, which ruled out the deletion of such personal data.
- The data subject and all parties to whom the personal data were previously transmitted for the purposes of data management shall be notified of the correction or blocking or deletion of data. The controller may omit such notice if the action to be notified does not harm the user’s lawful interest in view of the purpose of the data management.
- If the Company, as controller, fails to fulfil the rectification, blocking or erasure request of the data subject, then it shall inform the data subject within 30 days of the receipt of the request about the factual and legal reasons for rejecting the rectification, blocking or deletion request and the fact that the data subject may challenge the decision of the data controller at a court or the National Authority for Data Protection and Freedom of Information.
VII. DURATION OF DATA PROCESSING
- Data automatically and technically recorded during system operation shall be stored in the system from its generation for a period justified for the ensuring of system operation. The Company shall ensure that this automatically recorded data is not linkable to other personal data of the user, except in legally required cases. If the user has removed his/her consent to the processing of his/her personal data or he/she has unsubscribed from the services, then his/her identity will not be identifiable based on the technical data.
- Personal data shall be stored until the date on which the contractual obligation no longer applies and/or it shall be stored afterwards as follows:
- concerning contract data: until the lapse of court actions related to the contract;
- As required by law, e.g. during the period of obligatory retention of bookkeeping, invoicing, etc. documents;
- The Company stores documents related to warranty claims and complaints until the end of the warranty period and for one year following the settlement of any complaint, respectively.
VIII. DISPOSITION OVER PERSONAL DATA
- Any change of personal data or any request to erase personal data may be communicated in an expressed, written statement sent as a message via the internal mailing system of the service. Newsletters can be unsubscribed from by changing the settings of the user interface on the site.
- After the fulfilment of any request to erase or modify personal data, previous (erased) data is not restorable.
- DATA PROCESSING
- The Company may engage a processor to ensure the continuous and appropriate operation of the website, to fulfil orders, and to perform any activity closely related to the services of the website.
- The Company’s employee responsible for processing: Lívia DELI
If the chief executive officer of the Company considers it necessary and justified, he/she may authorise another person, either an individual or a legal entity, to discharge the data-protection and data-processing responsibilities of the Company. Such an authorisation shall be valid until withdrawal. Such an authorisation shall be made in writing. Such an authorisation shall state that the agent is familiar with and recognises the requirements of the data-protection and data processing policy of the Company as binding on himself/herself/itself. Such an authorisation shall also include a confidentiality obligation.
- THE OPTION OF DATA FORWARDING
- The Company, as the data controller, shall have the right and obligation to forward any personal data available to it and compliantly stored by it to the appropriate authorities, if it is legally obliged to such forwarding of data or based on a non-appealable order of any authority. The data controller may not be held liable for any such data forwarding and the consequences thereof.
Data may be forwarded to other legal entities which process data in their own name, such as:
– legal entities performing mailing or courier services;
– public bodies or other legal entities authorised by the law;
– persons operating the tele-information systems of our Company, or IT service providers;
– organisations performing bookkeeping, taxation or consultancy activities.
- With a view to check the lawfulness of the data forwarding and to inform the data subject, the Company shall keep records of the data forwarding, which shall include the date and time of the forwarding of personal data it processes, the legal basis and recipient of the data forwarding, the definition of the scope of personal data forwarded, and any other data specified by the piece of legislation requiring the processing.
- MODIFICATION OF THE DATA-PROCESSING POLICY
- Közlekedési Műszergyártó Zrt. shall reserve the right to modify this Data-processing Policy at its unilateral decision at any time. After the modification of the Data-processing Policy, all users shall be duly (in a newsletter or a pop-up window upon logging in) informed. By continuing to use the services, the users shall acknowledge the modified data-processing rules; no further consent shall be required from them.
XII. USER RIGHTS IN RELATION TO THEIR PERSONAL DATA PROCESSED BY THE CONTROLLER
The users shall have the right to access their data, the right to modify, rectify and erase it, the right to be forgotten, and to data portability, the right to object, the right to limit processing and the right to forward data, the right to raise objections, and the right to withdraw their declaration of consent to the processing at any time, regardless of the existence of the legal basis underlying the processing preceding the withdrawal of the declaration of consent, if the processing in question is based on the consent.
- The users may request information regarding the processing of their personal data from the Company, as the data controller, in writing, by sending a registered letter or a registered letter with return receipt to the address of the controller (H-1139 Budapest, Teve u. 62.) or an email to the email@example.com email address. The data controller shall regard any request for information received via e-mail as authentic only if it was sent from the registered email address of the user. The information so requested may include the data of the user processed by the controller, the source of such data, the purpose, legal basis, duration of data processing, the names and addresses of potential data controllers, the activities related to data processing, and the recipients and the purpose of sending them the data of the user if the personal data is forwarded.
- The controller shall provide information in writing to the question concerning data processing within the shortest possible time from the receipt, but within 30 days at the latest. In case of emails, the date of receipt shall be the first working day following the sending.
- The user concerned and all persons to whom the data was previously forwarded to for processing shall be informed about the rectification, blocking, and deletion of the personal data processed. Such notice can be omitted if the action to be notified does not harm the data subject’s lawful interest in view of the purpose of the data management.
- The user may object to the processing of his/her personal data
- if processing or transmission of personal data is carried out solely for the purpose of meeting the controller’s statutory obligation or for enforcing the rights and legitimate interests of the data controller, the recipient of the personal data or a third party;
- if personal data is used or disclosed for the purpose of direct marketing, public opinion polling or scientific research; and
- in any other cases prescribed by the law.
The Company, as the data controller, shall examine the objection within the shortest possible time as from its receipt, but within 15 days at the latest. It shall decide whether the objection is well founded, and notify the user of its decision in writing.
If the Company finds the objection well founded, the data controller shall stop data processing, including any further recording and transmission of data, block the personal data concerned, and notify the objection as well as the action taken to all parties to whom the personal data concerned was previously transmitted and who shall take the action necessary for enforcing the data subject’s right of objection. If the user does not accept the data controller’s decision or the data controller fails to meet the deadline specified in this Clause, then it may start an action at court within 30 days after receiving the decision or the expiry of the said deadline.
XIII. MEANS OF REDRESS
According to the Privacy Act and Act V of 2013 (hereinafter referred to as the Civil Code), the user may exploit his/her means of redress before the court of competent jurisdiction and he/she may also request the help of the National Authority for Data Protection and Freedom of Information (H-1125 Budapest, Szilágyi Erzsébet fasor 22/C; mailing address: H-1530 Budapest, Pf. 5.). The employees of the data controller are also happy to help with any data-processing issues, remarks at the firstname.lastname@example.org email address.
Place and date: Budapest, 25 May 2018
Közlekedési Műszergyártó Zrt.