Privacy Bulletin
I. Purpose and scope of the Bulletin
1.1. The purpose of this Bulletin is to set out the terms and conditions of the POLYTECH INDUSTRIE Korlátolt Felelősségű Társaság, which operates www.polytech.hu (registered office: 9444 Fertőszentmiklós, Mező utca 43., tax ID: 10482168-2-08, Company Registration Number: 08-09-001585), and the Company's Privacy and Data Protection Policy, which the Company accepts as binding on itself.
1.2 This Bulletin sets out the principles for the processing of Personal Data provided by Customers. This Policy governs the processing of personal data relating to the customer (hereinafter referred to as the "Customer") using the website www.polytech.hu (hereinafter referred to as the "Website"), which the Company becomes aware of in the course of the use of the Website.
1.3. The Company reserves the right to unilaterally amend this Bulletin; amendments shall enter into force upon their publication on the website.
1.4 The Company will process the personal data relating to the Customer referred to above in compliance with the provisions of this Statement, Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR"), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("Infotv."), Act V of 2013 on the Civil Code ("Civil Code") and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities ("Grtv.").
II. Definitions
2.1 Data processing: regardless of the process used, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.2 Company: the party that determines, alone or jointly with others, the purposes and means of the Processing.
2.3 Personal data or information: any data or information that allows a natural person Customer to be identified, directly or indirectly.
Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.4 Website: the website www.polytech.hu operated by the Company.
2.5 Service(s): the services operated by the Company and provided by the Company which are available on the Website.
2.6. Customer: the natural person who registers for the Services and, in doing so, provides the data listed in Section III below.
2.7. Data Processor: the Company may use an external data processor for the operation and maintenance of its website, which processes, on behalf of the Company, the personal data that the Company processes on the basis of voluntary consent.
2.8 Bulletin: this privacy bulletin of the Company.
2.9 Limitation of processing: marking of stored personal data for the purpose of limiting their processing in the future;
2.10. Profiling: any form of automated processing of personal data whereby personal data are used to evaluate or predict certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of a natural person;
2.11. Pseudonymisation: the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without the use of additional information, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that no link can be established between the personal data and identified or identifiable natural persons;
2.12. Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she gives his or her consent to the processing of personal data concerning him or her;
2.13. Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
III. Scope of the Personal Data processed
Scope of personal data processed by the Company, purpose and duration of processing
3.1. The data processed by the Company include the data provided by the Customer for the purpose of using the website, during registration and for the purpose of using the services provided on the website (sending newsletters, using webshop services):
• the Customer's name, Customer Account Name and password;
• their address or registered office, other contact details (telephone number, e-mail address, contact person, if any); their mother's name, tax identification number and identity card number
• billing and delivery address
The provision of the data listed in this section to the Company is essential for the use of the website and the services offered on the website, and for sending newsletters, and the Company will use them - with the exception of the e-mail address provided during registration - solely for the purpose of providing the services offered on the website.
The Company processes the natural personal data necessary to identify the Customer and the Customer's address solely for the purpose of providing the newsletter service.
The Company may also use the electronic mail address provided by the Customer for the purpose of sending electronic advertisements or other addressed content to the Customer, upon the Customer's express request, provided that the Customer requests the sending of newsletters or notifications during the registration process. By requesting such use, the Customer's consent to the processing of his electronic mail address for the purposes just described shall be deemed to have been given. The Customer has the option to unsubscribe from receiving newsletters or notifications as specified therein, and by unsubscribing, the Customer's consent to the processing of his/her e-mail address for the purposes specified in this paragraph shall also be deemed to be withdrawn.
By accepting this Bulletin, the Customer expressly consents to the Company processing the data specified in this clause until the Customer's registration is terminated.
3.2 Data provided by the Customer for the purpose of communication between the Customer and the Company, which are not a condition for using the website and the services offered on the website:
• data provided by the Customer when requesting information, making comments or exercising his/her rights in relation to the data processed by the Company.
The data referred to in this clause are processed by the Company for the purposes of providing customer contact and support, improving its services and ensuring the exercise of the Customer's rights in relation to the data processed by the Company.
The Customer may contact the Company with questions, comments and possible complaints using the contact details indicated in this Bulletin. By contacting the Company, the Customer authorises the Company to process the data provided by him/her.
3.3. The so-called traffic data collected when you contact the website, which are a technical condition for using the services offered on the website:
• information about the Customer's computer and internet connection (e.g. IP address, web browser type)
• traffic and other web analytics data (such as time of visit, length of visit; number of sub-pages viewed, website traffic and traffic originating from the website)
The Company processes the above-mentioned data in accordance with Section 13/A (3)-(4) of the Act, in addition to providing the services it offers, for the purpose of conducting surveys and statistics related to the website and developing services tailored to the needs of individual customers. The publication of statements on website traffic is made only in a form that does not allow the individual identification of each customer.
3.4 If the Customer chooses to link his/her Facebook account to the Company's account, the Company may process the following Personal Data of the Customer in addition to those referred to above: Facebook profile name, Facebook profile URL, Facebook profile ID, Facebook profile picture, Facebook e-mail address, Facebook address, Facebook gender, birthday, profile and website URL.
3.5. Other personal data
In the event of a possible request for additional data outside the scope of the data referred to in Sections 3.1, 3.2, 3.3 and 3.4 of this Bulletin, the Company shall inform the Customer of all facts related to the data processing prior to the collection of the data.
IV. Other data processed by the Company
4.1 The Company may place a small data packet (a "cookie") on the Customer's computer in order to provide a personalised service. The purpose of the cookie is to ensure the highest possible quality of the operation of the site, to provide personalised services and to enhance the user experience. The Customer can delete the cookie from his/her computer or set his/her browser to disable the use of cookies. By disabling the use of cookies, the Customer acknowledges that without cookies the site is not fully functional.
4.2 In providing personalized services, the Company may process the following Personal Data through the use of cookies: demographic data, as well as interest information, habits, preferences (based on browsing history).
4.3 Data technically recorded in the course of the operation of the systems: the data of the computer with which the Customer logs in, which are generated during the use of the Service and which are recorded by the Company's system as an automatic result of technical processes. The automatically recorded data are logged by the system upon login or logout, without any special declaration or action by the Customer.
4. Transfer of Customer's personal data to third parties
The Company may transfer the Customer's data to its subcontractors or agents involved in the provision of the services offered on the website to the extent necessary for the provision of the services. The Company is also entitled to transfer the data if this is necessary to protect or safeguard the Company's rights and legitimate interests. In all other cases, with the exception of cases where the Customer is required by law to provide data, the Customer's data may only be transferred with the Customer's specific consent. The Company shall keep a record of the data it transfers.
IV. Security of processing of personal data
4.1 The servers serving the website are located at the data processor's headquarters.
The Company uses various technologies, technical and organisational solutions and measures to protect the personal data it processes, to prevent unauthorised access, disclosure, use, destruction, alteration, accidental destruction or damage, inaccessibility due to changes in the technology used and to meet the security requirements for the protection of personal data, taking into account the risks associated with the processing.
V. Purpose and legal basis of the processing
5.1 Purpose of data processing by the Company:
a) online content delivery;
b) identification of the Customer, contact with the Customer;
c) the identification of the Customer's entitlements (the services that the Customer may use);
d) facilitating the customization of the services and advertisements used by the Customer, and the use of convenience features;
e) processing and handling individual customer requests;
f) producing statistics and analyses;
g) direct marketing or sales enquiries (e.g. newsletter, eDM, etc.)
h) protecting the rights of the Customer;
i) protecting the legitimate interests of the Company.
The Company may process Personal Data for any of the purposes described above,
VI. Legal basis for processing
6.1. Consent of the data subject
(1) The lawfulness of the processing of personal data must be based on the consent of the data subject or on some other lawful basis laid down by law.
(2) Where processing is based on the data subject's consent, the data subject may give his or her consent to the processing of his or her personal data in the following form:
a) in writing, in the form of a declaration of consent to personal data processing,
b) electronically, by express conduct on the Company's website, by ticking a box or by making technical settings when using information society services, as well as any other statement or action which, in the relevant context, clearly indicates the data subject's consent to the intended processing of his or her personal data.
(3) Silence, a pre-ticked box or inaction shall therefore not constitute consent.
(4) Consent covers all processing activities carried out for the same purpose or purposes.
(5) Where the processing is intended for more than one purpose, consent must be given for all the purposes for which the processing is intended. Where the data subject gives his or her consent following an electronic request, the request shall be clear and concise and shall not unnecessarily impede the use of the service for which consent is sought.
(6) The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject shall be informed before consent is given. The withdrawal of consent shall be made possible in the same simple manner as the giving of consent.
6.2. Performance of the contract
(1) Processing is lawful where it is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into the contract.
(2) The consent of the data subject to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
6.3. To comply with a legal obligation to which the Company is subject or to protect the vital interests of the data subject or of another natural person
(1) The legal basis for processing is determined by law in the case of the performance of a legal obligation, so the data subject's consent is not required for the processing of their personal data.
(2) The Company is obliged to inform the data subject about the purpose, legal basis, duration of the processing, the identity of the Company, the data subject's rights and remedies.
(3) The Company is entitled to process the data necessary to comply with a legal obligation to which it is subject, following the withdrawal of the data subject's consent.
6.4. To perform a task carried out in the public interest or in the exercise of official authority vested in the Company, or to enforce the legitimate interests of the Company or a third party.
(1) The legitimate interests of the Company, including a Company to which the personal data may be disclosed, or of a third party may provide a legal basis for the processing, provided that the interests, fundamental rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of the data subject in his or her relationship with the Company. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the Company, such as in cases where the data subject is a customer of or employed by the Company.
(2) In order to establish the existence of a legitimate interest, it is necessary to carefully assess, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of personal data, that processing for the purposes in question would take place.
(3) The interests and fundamental rights of the data subject may prevail over the interests of the Company if the personal data are processed in circumstances in which the data subjects do not expect further processing.
VII. Principles and methods of data processing
7.1 The Company will process Personal Data in accordance with the principles of good faith and fairness and transparency, as well as the provisions of applicable law and this Bulletin.
7.2 The Company will use Personal Data that is necessary for the use of the Services on the basis of the consent of the Customer concerned and only for the purpose for which it is collected.
7.3 The Company will process Personal Data only for the purposes set out in this Bulletin and in applicable law. The scope of the Personal Data processed shall be proportionate to the purpose of the processing and shall not go beyond that purpose. In any case where the Company intends to use the Personal Data for a purpose other than that for which it was originally collected, the Company shall inform the Customer and obtain his/her prior explicit consent or provide him/her with the opportunity to object to such use.
7.4 The Company does not verify the Personal Data provided. The person providing the Personal Data is solely responsible for the accuracy of the Personal Data provided.
7.5 The Personal Data of a person under the age of 16 may be processed only with the consent of the person who is the legal guardian of the person concerned. The Company is not in a position to verify the eligibility of the person giving consent or the content of the consent, so the Customer or the person who is the legal guardian of the person concerned warrants that the consent is in accordance with the law. In the absence of a declaration of consent, the Company does not collect Personal Data relating to a data subject under the age of 16, except for the IP address used to use the Service, which is automatically recorded due to the nature of the Internet services.
7.6 The Company will not transfer the Personal Data it processes to any third party other than the Processor specified in this Bulletin. An exception to the provisions of this clause is the use of data in aggregate statistical form, which shall not include any other form of data that can identify the Customer concerned and shall therefore not constitute Processing or transfer. In certain cases, the Company may make available to third parties the Personal Data of the Customer concerned that is available to it, in response to a formal judicial or police request, legal proceedings for, or reasonable suspicion of, infringement of copyright, property rights or other rights, prejudice to the interests of the Company, endangerment of the provision of the Services, etc.
7.7 The Company's system may collect data about the Customer's activity, which cannot be linked to other data provided by the Customer at the time of registration, nor to data generated by the use of other websites or services.
7.8 The Company shall notify the Customer concerned of the rectification, restriction or deletion of the Personal Data processed by it, as well as all those to whom the Personal Data was previously disclosed for processing purposes. The notification may be omitted if this does not prejudice the legitimate interests of the data subject in relation to the purposes of the processing.
7.9 The Company shall ensure the security of Personal Data and shall take technical and organisational measures and establish procedural rules to ensure that the Personal Data collected, stored and processed are protected and to prevent accidental loss, unlawful destruction, unauthorised access, unauthorised use, unauthorised alteration and unauthorised disclosure. The Company invites all third parties to whom it transfers Personal Data to comply with this obligation.
VIII. Duration of data processing
8.1 The Company stores the automatically recorded IP addresses for a maximum of 7 days after their recording.
8.2 In the case of e-mails sent by the Customer, if the Customer is not otherwise registered, the Company will delete the e-mail address 90 days after the closure of the case referred to in the request, unless in a specific case the Company has a legitimate interest in the continued processing of the Personal Data, until the Company's legitimate interest has been established.
8.3 The processing of personal data provided by the Customer will continue until the Customer unsubscribes from the Service or otherwise requests the deletion of the personal data. In this case, the personal data will be deleted from the Company's systems. The personal data provided by the Customer, even if the Customer does not unsubscribe from the Service or has only terminated the access by cancelling his/her registration, may be processed by the Company until the Customer expressly requests in writing that the processing of such data be terminated. The Customer's right to use the service is not affected by the Customer's request to cease processing without unsubscribing from the service, but the Customer may not be able to use certain services due to the absence of personal data.
8.4 In the event of unlawful or fraudulent use of personal data or in the event of a criminal offence or system attack committed by the Customer, the Company is entitled to delete the personal data immediately upon termination of the Customer's registration, but in the event of suspected criminal offences or civil liability, the Company is also entitled to retain the personal data for the duration of the proceedings.
8.5 Data that are automatically, technically recorded during the operation of the system are stored in the system for a period of time from the moment they are generated that is reasonable to ensure the operation of the system. The processor shall ensure that these automatically recorded data cannot be linked to other personal data, except in cases required by law. If the Customer has withdrawn his consent to the processing of his personal data or has unsubscribed from the service, his identity will no longer be identifiable from the technical data, except for investigative authorities or their experts.
8.6 If a court or public authority has issued a final order for the deletion of the personal data, the Company will carry out the deletion. Instead of deletion, the Company shall, after informing the Customer, restrict the use of the personal data if the Customer so requests or if, on the basis of the information available to it, it is likely that deletion would harm the legitimate interests of the Customer. The Company will not delete the personal data as long as the processing purpose which precluded the deletion of the personal data is still valid.
IX. Rights of the Customer and how to enforce them
9.1 The Company provides the following brief information on the rights of the data subject:
The data subject has the right:
a) to be informed before the processing starts,
b) to receive feedback from the Company as to whether or not their personal data is being processed and, if such processing is taking place, to have access to the personal data and the following information,
c) to request the correction or deletion of his/her data and to receive notification from the Company that this has been done,
d) to request the restriction of processing and to be notified by the Company of the restriction,
e) to data portability,
f) to object if their personal data are processed for purposes of public interest or on the basis of the legitimate interests of the Company,
g) to be exempt from automated decision-making, including profiling,
h) to lodge a complaint with the supervisory authority. The data subject may exercise his or her right to lodge a complaint by contacting: National Authority for Data Protection and Freedom of Information, Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; www: http://www.naih.hu; e-mail: ugyfelszolgalat@naih.hu,
i) to an effective judicial remedy against the supervisory authority,
j) to an effective judicial remedy against the Company or the data processor,
k) to be informed of a data breach.
9.2 In addition to the information referred to in paragraph 1, the Company shall, at the time of obtaining the personal data, in order to ensure fair and transparent processing, provide the data subject with the following additional information:
a. the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
b. the data subject's right to request the Company to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, as well as the data subject's right to data portability;
c. in the case of processing based on Article 6(1)(a) or Article 9(2)(a) of the Regulation, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
d. the right to lodge a complaint with a supervisory authority;
e. whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data;
f. the fact of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, clear information on the logic used and the significance of such processing and its likely consequences for the data subject.
9.3. Right of access of the data subject
(1) The data subject shall have the right to obtain from the Company feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information:
a. the purposes of the processing;
b. the categories of personal data concerned;
c. the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
d. where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
e. the right of the data subject to request the Company to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
f. the right to lodge a complaint with a supervisory authority;
g. if the data were not collected from the data subject, any available information on their source;
h. the fact of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
(2) Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46.
(3) The Company shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. If the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.
9.4. The data subject's right to rectification and erasure
The right to rectification
(1) The data subject shall have the right to obtain from the Company, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
The right to erasure
(1) The data subject shall have the right to obtain from the Company, upon his or her request, the erasure of personal data relating to him or her without undue delay, and the Company shall be obliged to erase personal data relating to the data subject without undue delay, if one of the following grounds applies:
a. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b. the data subject withdraws his or her consent pursuant to Article 6(1)(a) of the Regulation (consent to the processing of personal data) or Article 9(2)(a) of the Regulation (explicit consent) and there is no other legal basis for the processing;
c. the data subject objects to the processing on the basis of Article 21(1) of the Regulation (right to object) and there is no overriding legitimate ground for the processing, or the data subject objects to the processing on the basis of Article 21(2) of the Regulation (objection to processing for commercial purposes);
d. the personal data have been unlawfully processed;
e. personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Company;
f. personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
(2) If the Company has disclosed the personal data and is obliged to delete it at the request of the data subject, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the Companies that process the data that the data subject has requested the deletion of the links to the personal data in question or of a copy or duplicate of such personal data.
(3) Paragraphs (1) and (2) shall not apply where the processing is necessary:
a. to exercise the right to freedom of expression and information;
b. for compliance with an obligation under Union or Member State law to which the Company is subject and which requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
c. on grounds of public interest in the field of public health pursuant to Article 9(2)(h) and (i) of the Regulation and Article 9(3) of the Regulation;
d. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in paragraph 1 would be likely to render such processing impossible or seriously impair it; or
e. to bring, enforce or defend legal claims.
9.5. Right to restriction of processing
(1) The data subject shall have the right to obtain, at his or her request, restriction of processing by the Company if one of the following conditions is met:
a. the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the Company to verify the accuracy of the personal data;
b. the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
c. the Company no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
d. the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the Company prevail over the legitimate grounds of the data subject.
(2) Where processing is restricted pursuant to paragraph 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
(3) The Company shall inform in advance the data subject at whose request the processing has been restricted pursuant to paragraph (1) of the lifting of the restriction of processing.
9.6 Obligation to notify the rectification or erasure of personal data or the restriction of processing
(1) The Company shall inform all recipients to whom or with whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.
(2) The Company shall inform the data subject, at his or her request, of these recipients.
9.7. Right to data portability
(1) The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to the Company in a structured, commonly used, machine-readable format and the right to transmit such data to another Company without hindrance from the Company to which he or she has provided the personal data, if:
a. the processing is based on consent pursuant to Article 6(1)(a) of the Regulation (consent to the processing of personal data) or Article 9(2)(a) of the Regulation (explicit consent to processing) or on a contract pursuant to Article 6(1)(b); and
b. the processing is carried out by automated means.
(2) In exercising the right to data portability under paragraph (1), the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.
(3) The exercise of the right referred to in paragraph (1) of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company.
(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
9.7 Right to object
(1) The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data carried out in the public interest or in the exercise of official authority or to processing necessary for the purposes of the legitimate interests pursued by the Company or by a third party (processing based on Article 6(1)(e) or (f) of the Regulation), including profiling based on those provisions. In such a case, the Company may no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(2) If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.
(3) Where the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for those purposes.
(4) The right referred to in paragraphs (1) and (2) shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information shall be clearly displayed separately from any other information.
(5) In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
9.8 Right to exemption from automated decision-making
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph (1) shall not apply where the decision:
a. is necessary for the conclusion or performance of a contract between the data subject and the Company;
b. is permitted by Union or Member State law applicable to the Company which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
c. is based on the explicit consent of the data subject.
(3) In the cases referred to in paragraph (2)(a) and (c), the Company shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to request human intervention by the Company, to express his or her point of view and to object to the decision.
(4) The decisions referred to in paragraph (2) shall not be based on the special categories of personal data referred to in Article 9(1) of the Regulation, unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.
9.9 Right of the data subject to lodge a complaint and seek redress
The right to lodge a complaint with a supervisory authority.
(1) The data subject shall have the right to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
(2) The data subject may exercise his or her right to lodge a complaint by contacting:
National Authority for Data Protection and Freedom of Information Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 www: http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu
(3) The supervisory authority with which the complaint has been lodged shall inform the client of the procedural developments concerning the complaint and of the outcome thereof, including the right of the client to seek judicial remedy pursuant to Article 78 of the Regulation.
Right to an effective judicial remedy against the supervisory authority
(1) Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him.
(2) Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments concerning the complaint lodged pursuant to Article 77 of the Regulation or of the outcome of the complaint.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
(4) If proceedings are brought against a decision of a supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
9.10. Information about the data breach
(1) If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall inform the data subject of the personal data breach without undue delay.
(2) The information referred to in paragraph (1) provided to the data subject shall clearly and prominently describe the nature of the personal data breach and shall include at least the name and contact details of the data protection officer or other contact person who will provide further information, the likely consequences of the personal data breach, the measures taken or envisaged by the Company to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
(3) The data subject need not be informed as referred to in paragraph 1 if any of the following conditions are met:
a. the Company has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
b. the Company has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph 1 is no longer likely to materialise;
c. providing the information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.
(4) Where the data subject has not yet been notified of the personal data breach by the Company, the supervisory authority may, after having considered whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the conditions referred to in paragraph 3 is met.
X. THE PROCEDURE TO BE FOLLOWED IN THE EVENT OF A REQUEST BY THE DATA SUBJECT
(1) The Company shall facilitate the exercise of the rights of the data subject, and shall not refuse to comply with a request to exercise the data subject's rights set out in this privacy notice, unless it proves that it is not possible to identify the data subject.
(2) The Company shall inform the data subject of the measures taken in response to the request without undue delay and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Company shall inform the person concerned of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay.
(3) If the data subject has submitted the request by electronic means, the information shall be provided by electronic means, where possible, unless the data subject requests otherwise.
(4) If the Company fails to take action on the request of the data subject, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the possibility for the data subject to lodge a complaint with the supervisory authority and to exercise his or her right of judicial remedy.
(5) The Company shall provide the data subject, free of charge, with the following information and measures: feedback on the processing of personal data, access to the processed data, rectification, integration, erasure, restriction of processing, data portability, objection to processing, information on the data breach.
(6) If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Company may, taking into account the administrative costs of providing the requested information or taking the requested action, charge a fee of HUF 5,000 or refuse to act on the request.
(7) The burden of proving that the request is manifestly unfounded or excessive shall lie with the Company.
(8) Without prejudice to Article 11 of the Regulation, where the Company has reasonable doubts as to the identity of the natural person making a request pursuant to Articles 15 to 21 of the Regulation, it may request the provision of further information necessary to confirm the identity of the person concerned.
XI. PROCEDURE APPLICABLE IN THE EVENT OF A DATA BREACH
(1) A personal data breach is a breach of security within the meaning of the Regulation that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(2) The following, among others, shall be considered a data protection incident: the loss or theft of a device (laptop, mobile phone) containing personal data; the loss of the code used by the Company to decrypt encrypted data, or the loss of access to such data; infection by ransomware (ransomware virus) which renders the data managed by the Company inaccessible until the payment of the ransom; an attack on the IT system; the disclosure of an e-mail or address list containing personal data sent in error; etc.
(3) In case of detection of a personal data breach, the Company representative shall immediately conduct an investigation to identify the personal data breach and its possible consequences. The necessary measures shall be taken to remedy the damage.
(4) The data protection incident shall be notified to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.
(5) The data processor shall notify the Company of the personal data breach without undue delay after becoming aware of it.
(6) The notification referred to in paragraph 3 shall include at least:
a. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data subjects affected by the breach;
b. the name and contact details of the Data Protection Officer or other contact person who can provide further information;
c. an explanation of the likely consequences of the data breach;
d. a description of the measures taken or envisaged by the Company to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
(7) If and to the extent that it is not possible to communicate the information at the same time, it may be communicated in instalments at a later date without further undue delay.
(8) The Company shall keep records of data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
XII. Possibility of data transfer
12.1 The Company shall be entitled and obliged to transmit to the competent authorities any personal data available to it and stored by it in accordance with the law, which personal data it is obliged to transmit by law or by a final and binding obligation of a public authority. The Company shall not be held liable for any such transfer and the consequences thereof.
12.2 In the event that the Company transfers the operation or use of the content service and hosting service on the Services' pages to a third party, in whole or in part, the personal data processed by the Company may be transferred to such third party, in whole or in part, without the need to obtain the Customer's consent, but with the Customer's prior appropriate information, provided that such transfer shall not place the Customer in a less favourable position than the data processing rules set out in the current version of this Bulletin. In the event of a transfer under this Clause, the Company shall give the Customer the opportunity to object to the transfer prior to the transfer. In the event of an objection, the transfer of the Customer's data pursuant to this Clause shall not be possible.
12.3 The Company shall keep a record of data transfers for the purpose of verifying the lawfulness of data transfers and providing information to the Customer.
XIII. PROVISIONS ON DATA SECURITY
13.1 The Company may process personal data only in accordance with the activities set out in this Bulletin and for the purposes for which it is processed.
13.2 The Company shall ensure the security of the data, and in this regard undertakes to take all technical and organizational measures that are indispensable to enforce the laws on data security, data protection and confidentiality rules, and to establish the procedural rules necessary to enforce the above-mentioned laws.
13.3 The Company shall take appropriate measures to protect the data against unauthorised access, alteration, transmission, disclosure, deletion or destruction, accidental destruction or damage, and against inaccessibility due to changes in the technology used.
13.4 The technical and organisational measures to be implemented by the Company to ensure data security are set out in the Company's Privacy Bulletin.
13.5 When determining and applying data security measures, the Company shall take into account the state of the art and, in the event of several possible data processing solutions, shall choose the solution that ensures a higher level of protection of personal data, unless this would involve a disproportionate level of difficulty.
XIV. RULES ON DATA PROCESSING
14.1 The rights and obligations of the data processor used by the Company in relation to the processing of personal data shall be determined by the Company within the limits of the law and the specific laws applicable to data processing.
14.2 The Company declares that the data processor has no competence to make any substantive decision on data processing in the course of its activities, may process personal data that come to its knowledge only in accordance with the provisions of the Company, may not process personal data for its own purposes, and shall store and retain personal data in accordance with the provisions of the Company.
14.3 The Company shall be responsible for the lawfulness of the instructions given to the processor in relation to the processing operations.
14.4 The Company is obliged to inform the data subjects about the identity of the data processor and the place of processing.
14.5 The Company does not authorise the processor to use any other processor.
14.6 The contract for data processing must be in writing. The processing must not be entrusted to an entity which is interested in the personal data to be processed for the purposes of the Client's business.
XV. Amendments to the Privacy Bulletin
15.1 The Company reserves the right to amend this Bulletin at any time by unilateral decision.
15.2 The Customer accepts the provisions of the Bulletin in force at the time of his/her subsequent access, without the need to obtain the consent of individual Clients.
XVI. Legal remedies
16.1 Any questions or comments regarding data processing can also be addressed to the Company's staff at info@polytech.hu and to the Company's Data Protection Officer, Rita Kelemen (e-mail: rita.kelemen@polytech.hu, tel.: +36 30 549 2055).
16.2 The Customer may directly contact the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu) with any complaint regarding the Data Processing.
16.3 The Customer may take legal action in case of violation of his/her rights. The court of law shall have jurisdiction to hear the case. The action may also be brought before the court of the place of residence or domicile of the person concerned, at the choice of the person concerned. The Company shall inform the Customer, upon request, of the possibilities and means of legal remedy.
Website: http://naih.hu
In the event of unlawful processing or processing of personal data (data protection incident), there is an obligation to notify the supervisory authority. The Company shall notify the supervisory authority without undue delay, if possible no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.
XVII. Liability
17.1 The Company's liability for the processing of the Customer's personal data shall, subject to the exceptions set out in this Chapter, be governed by the applicable legal provisions.
17.2 The Company shall take all reasonable and necessary measures to ensure the security of the data transmitted by the Customer; however, in view of the known risks inherent in the transmission of data via the Internet, the Company shall not be liable for any damage resulting from the transmission of data via the Internet.
17.3 The Customer is obliged to ensure that the password provided during registration on the website is not accessible to unauthorized persons. The Customer shall bear any damages resulting from the loss of the password and its acquisition or use by unauthorized persons.
17.4. The Customer shall provide the Company with accurate and complete information that is true and correct. The Company shall not be liable for any damages resulting from the fact that the data provided by the Customer is incorrect, inaccurate, incomplete or not kept up to date by the Customer.
17.5. The website may contain links to other websites for the purpose of informing customers. As the Company has no control over the operation of these websites and the design and application of their privacy policies, the Company shall not be liable for any damages arising from their use.
Fertőszentmiklós, 1st March 2024