PRIVACY POLICY AND NOTICE
1. General Provisions
(1) GB Europont Vállalkozásfejlesztési és Befektetési Korlátolt Felelősségű Társaság, as the Data Controller, acts in accordance with this Data Processing Policy and Notice in relation to all processing of the personal data of natural person users in connection with the services provided through the website http://www.profiforditas.hu
operated by it and the websites available at the other addresses specified there (hereinafter: the “website”).
By entering and using the website, the User accepts the provisions of this Data Processing Policy as binding upon them.
Data Controller for the purposes of this Policy:
a) Data Controller: GB Europont Vállalkozásfejlesztési és Befektetési Korlátolt Felelősségű Társaság
b) Registered office: 4611 Jéke, Dózsa György utca 29.
c) Postal address: 4400 Nyíregyháza, Mányoki Ádám u. 4.
d) Electronic mail (email) address: [megrendeles@forditas.hu](mailto:megrendeles@forditas.hu)
e) Registering court: Court of Registration of the Szabolcs-Szatmár-Bereg County Court
f) Company registration number: 15-09-071177
g) Tax number: 13866738-2-15
(2) Az adatvédelmi tájékoztató célja, hogy meghatározza az Adatkezelő által kezelt személyes adatok körét, az adatkezelés módját, valamint biztosítsa az adatvédelem alkotmányos elveinek, az adatbiztonság követelményeinek érvényesülését, s megakadályozza az adatokhoz való jogosulatlan hozzáférést, az adatok megváltoztatását és jogosulatlan nyilvánosságra hozatalát, vagy felhasználását, annak érdekében, hogy a felhasználó természetes személyek magánszférájának a tiszteletben tartása megvalósuljon.
(3) Adatkezelő az (2) bekezdésben megfogalmazott cél érdekében a felhasználó személyes adatait bizalmasan, a hatályos jogszabályi előírásokkal összhangban kezeli, gondoskodik azok biztonságáról, megteszi azokat a technikai és szervezési intézkedéseket, valamint kialakítja azokat az eljárási szabályokat, amelyek a vonatkozó jogszabályi rendelkezések és más ajánlások érvényre juttatásához szükségesek.
2. Legal Framework
The Data Controller is required to comply with all legal requirements regarding the processing of personal data at every stage of the data processing. The data processing carried out by the Data Controller is primarily governed by the provisions set forth in the following laws:
- Section 2:43(e) of Act V of 2013 on the Civil Code
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Data Protection Act”);
- Act CVIII of 2001 on Certain Issues Concerning Electronic Commerce Services and Information Society Services (“E-Commerce Act”);
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities (“Commercial Advertising Act”)
- Act VI of 1998 on the promulgation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg on January 28, 1981;
- Act CXIX of 1995 on the Processing of Name and Address Data for Research and Direct Marketing Purposes (“Katv.”)
3. Definitions
(1) data subject: any natural person who is identified or identifiable, directly or indirectly, on the basis of specific personal data;
(2) personal data: any data that can be associated with the data subject — in particular the data subject’s name, identification mark, and one or more items of information characteristic of their physical, physiological, mental, economic, cultural, or social identity — as well as any conclusion concerning the data subject that can be drawn from the data;
(3) consent: the voluntary and explicit expression of the data subject’s wishes, based on adequate information, by which they give their unambiguous consent to the processing of personal data concerning them, either fully or in relation to specific operations;
(4) objection: a statement by the data subject objecting to the processing of their personal data and requesting the termination of the data processing and/or the deletion of the processed data
(5) data processing: any operation or set of operations performed on personal data, regardless of the procedure applied, including in particular collection, recording, registration, organization, storage, alteration, use, transmission, disclosure, alignment or combination, blocking, deletion and destruction, as well as the prevention of further use of the data, the taking of photographs, audio or video recordings, and the recording of physical characteristics suitable for identifying a person, such as fingerprints, palm prints, DNA samples, or iris images
(6) data processing operations: the performance of technical tasks related to data processing operations, regardless of the method and means used to carry out the operations and the place of application, provided that the technical task is performed on the data.
(7) data transfer: making data accessible to a specific third party.
(8) disclosure: making data accessible to anyone.
(9) data controller: the natural or legal person, or organization without legal personality, who or which, alone or jointly with others, determines the purpose of the processing of personal data, makes and implements decisions concerning data processing, including the means used, or has them implemented by a data processor commissioned by them.
(10) data processor: the natural or legal person, or organization without legal personality, who or which processes data on the basis of a contract, including a contract concluded pursuant to a provision of law.
(11) deletion of data: rendering data unrecognizable in such a way that their restoration is no longer possible.
(12) data file: the totality of data processed in a single register.
(13) third party: any natural or legal person, or organization without legal personality, who or which is not identical to the data subject, the data controller, or the data processor;
4. Legal basis for data processing
The Data Controller processes the data of the Data Subjects in accordance with the applicable data protection legislation, on the basis of their consent, and/or
– pursuant to Section 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services,
– pursuant to Section 6 of Act XLVIII of 2008 on the basic conditions and certain restrictions of commercial advertising activities.
5. Scope of the data processed, purpose of data processing, and duration of processing
(1) This Privacy Policy applies exclusively to the processing of data relating to natural persons, given that personal data can only be interpreted in relation to natural persons.
Anonymous information collected by the Data Controller in a manner that excludes personal identification and cannot be associated with a natural person does not qualify as personal data, nor do demographic data qualify as personal data if collected without linking them to the personal data of identifiable persons, thereby making it impossible to establish a connection with a natural person.
Requesting a quote, sending an online message:
On the website, it is possible to request a quote or other information in connection with the services provided by the Service Provider, during which the following personal data must be provided:
– email address
– name
– telephone number
The purpose of data processing: personalized service for the Data Subjects and sending a quote at the request of the Data Subjects.
Anonymous user identifier (cookie)
The Data Controller places an anonymous user identifier (cookie) on the Data Subject’s computer, which in itself is in no way capable of identifying the Data Subject and is only suitable for recognizing the Data Subject’s device. No name, email address, or any other personal information needs to be provided, since when this solution is used, the User does not provide personal data to the Data Controller; data exchange takes place solely and exclusively between the machines.
The Data Controller processes cookies in order to learn more about the information usage habits of the Data Subjects and thereby improve the quality of its services, as well as to display customized pages and marketing/advertising materials during visits to the Portal.
The Data Subject has the option to prevent the placement of the unique identifier (cookie) on their computer by changing their browser settings. The Data Subject acknowledges that if cookies are disabled, certain services will not function properly.
Use of social plugins (Facebook, Twitter, LinkedIn)
On the Portal, plugins are disabled by default. Plugins are enabled only if the Data Subject clicks the designated button. By enabling the plugin, the Data Subject establishes a connection with the social networking site and consents to the transfer of their data to Facebook/Twitter/LinkedIn.
If the Data Subject is logged in to Facebook/Twitter/LinkedIn, the respective social network may associate their visit with the Data Subject’s social media account.
If the Data Subject clicks the relevant button, their browser transmits the relevant information directly to the respective social network, where it is stored.
Information on the scope and purpose of data collection, the further processing and use of the data by Facebook/Twitter/LinkedIn, and the rights and settings available for protecting personal data can be found in the privacy statement of Facebook/Twitter/LinkedIn.
Remarketing codes
On the Portal, the Service Provider uses Google AdWords and Facebook remarketing codes. The remarketing code uses cookies to tag visitors to the Portal.
The installed cookie helps ensure that advertisements related to the Service Provider’s products and services appear on other websites within the Google Display Network, as well as on Facebook, which the Portal visitor subsequently visits.
The User may disable cookies at any time and personalize advertisements on the Google Ads settings interface.
Log files
In order to use the services, the system automatically logs the following data:
– the dynamic IP address of the user’s computer
– depending on the settings of the user’s computer, the type of browser and operating system used by the user
– the user’s activity related to the website
The use of these data serves, on the one hand, technical purposes, such as analyzing and subsequently checking the secure operation of the servers, and, on the other hand, the Data Controller uses these data to prepare website usage statistics and analyze user needs in order to improve the quality of the services.
The above data are not suitable for identifying the user and are not linked by the Data Controller with other personal data.
(3) The Data Controller may process personal data relating to the Data Subject for any purpose other than those specified above — in particular for improving the efficiency of its services or for market research purposes — only with the prior determination of the purpose of data processing and on the basis of the Data Subject’s consent.
These data may not be linked to the Data Subject’s identifying data and may not be transferred to any third party without their consent.
The Data Controller is obliged to delete these data if the purpose of data processing has ceased or if the Data Subject so requests.
(4) The Data Controller ensures that the user may, before using the service and at any time during its use, learn which types of data are processed by the Data Controller for which data processing purposes, including the processing of data that cannot be directly associated with the user.
(5) The legal basis for data processing carried out by the Data Controller is in all cases the consent of the Data Subject.
(6) Duration of data processing:
Data processed on the basis of the Data Subject’s consent may be processed until such consent is modified or withdrawn. Upon expiry of the data processing period, the Data Controller is obliged to delete the Data Subject’s personal data.
The Data Controller stores data relating to orders until the expiry of the general limitation period, i.e. for 5 (five) years, in order to provide evidence in the event of possible legal disputes.
The Data Controller processes data relating to invoicing for 8 (eight) years in order to comply with accounting obligations, pursuant to Section 169 of Act C of 2000, and/or until the limitation period specified in Act XCII of 2003 on the Rules of Taxation.
(7) It may occur that, for the full provision of the services, the Data Controller transfers certain personal data of the Data Subject to a third party — on a temporary basis and, where necessary, with the required consent — for the purpose of data processing or data management, in particular:
– if online payment takes place through the website, the Data Controller forwards the credit card/debit card number required for payment to the financial service provider without retaining it.
– if products ordered on the website are delivered, the Data Controller transfers the product to be delivered and the data necessary for delivery, namely the delivery name and address, to the partner company contracted for delivery. The delivery partner qualifies as a data processor in relation to the transferred delivery data and may not use these data for any purpose other than completing the delivery.
(8) In order to obtain independent visitor traffic and other web analytics data for the website, the Service Provider uses Google Analytics software; therefore, Google Inc. acts as a data processor in relation to these data. The Privacy Policy of Google Inc. is available at [http://www.google.com/intl/hu](http://www.google.com/intl/hu) ALL/privacypolicy.html.
The user of the website’s services acknowledges that, by using the website, they have given their consent to the processing of their data by Google.
(9) In the case of services where the User must send personal data online in order to use the service — such as a bank card number in the case of online payment — the Data Controller provides an appropriately protected channel for such messages, namely an SSL-based connection.
(10) If certain services and pages of the website are operated by the Service Provider together with a company with which it has a business relationship, the Service Provider’s operating partner collects personal data on behalf of and in representation of the Service Provider and for the benefit of the Service Provider; such data processing is also governed by the provisions of this Privacy Policy.
(11) If the website maintains a joint service with any content partner, the right to use the personal data is joint; however, the provisions of this Data Processing Policy shall also apply in such cases, in accordance with the rules of identical content regarding data processing prescribed in the contractual relationship with the partner.
(12) In the case of the data processing activities referred to in paragraphs (7)–(11), the identity of the data controller and/or the data processor shall be clearly indicated during data provision or data processing.
The Service Provider reserves the right to use additional data processors besides those listed above, provided that the Service Provider publishes the names and addresses of such additional data processors in a manner accessible to the Data Subjects no later than the start of data processing.
6. Rights of Data Subjects
(1) The Data Subject may submit a request to the Data Controller
a) information on the processing of their personal data,
b) rectification of their personal data, and
c) deletion or blocking of their personal data, except in the case of mandatory data processing.
(2) At the request of the Data Subject, the Data Controller shall provide written information, no later than within 30 days from the submission of the request, on the data of the Data Subject processed by it or processed by a data processor commissioned by it or on its instruction, the source of such data, the purpose, legal basis and duration of the data processing, the name and address of the data processor and its activities related to the data processing, and — in the event of the transfer of the Data Subject’s personal data — the legal basis and recipient of the data transfer.
The information shall be free of charge if the person requesting the information has not yet submitted a request for information concerning the same area to the Data Controller in the current year. In other cases, the Data Controller shall determine reimbursement of costs, provided that any reimbursement already paid must be refunded if the data were processed unlawfully or if the request for information led to rectification.
(3) For the purpose of verifying the lawfulness of data transfers and informing the Data Subject, the Data Controller shall keep a data transfer register, which contains the date of transfer of the personal data processed by it, the legal basis and recipient of the data transfer, the definition of the scope of the personal data transferred, and any other data specified in the legislation requiring the data processing.
(4) If the personal data do not correspond to reality and the personal data corresponding to reality are available to the Data Controller, the Data Controller shall rectify the personal data.
(5) Personal data must be deleted if
a) their processing is unlawful;
b) the Data Subject requests it, except in the case of mandatory data processing;
c) they are incomplete or incorrect, and this situation cannot lawfully be remedied, provided that deletion is not excluded by law;
d) the purpose of data processing has ceased, or the statutory deadline for storing the data has expired;
e) it has been ordered by a court or the Authority.
(6) Instead of deletion, the Data Controller shall block the personal data if the Data Subject so requests, or if, on the basis of the information available to it, it may be presumed that deletion would infringe the legitimate interests of the Data Subject. Personal data blocked in this way may be processed only for as long as the data processing purpose that excluded the deletion of the personal data continues to exist.
(7) The Data Controller shall mark the personal data processed by it if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.
(8) The Data Subject, as well as all those to whom the data were previously transferred for the purpose of data processing, must be notified of rectification, blocking, marking, and deletion. Notification may be omitted if this does not infringe the legitimate interest of the Data Subject, having regard to the purpose of the data processing.
(9) If the Data Controller does not comply with the Data Subject’s request for rectification, blocking, or deletion, it shall communicate in writing, within 30 days of receipt of the request, the factual and legal reasons for rejecting the request for rectification, blocking, or deletion. In the event of rejection of a request for rectification, deletion, or blocking, the Data Controller shall inform the Data Subject of the possibility of judicial remedy and of contacting the Authority.
(10) The Data Subject may object to the processing of their personal data if
a) the processing or transfer of personal data is necessary solely for the fulfilment of a legal obligation applicable to the Data Controller, or for the enforcement of the legitimate interest of the Data Controller, the data recipient, or a third party, except in the case of mandatory data processing;
b) the personal data are used or transferred for the purposes of direct marketing, public opinion polling, or scientific research; and
c) in other cases specified by law.
The Data Controller shall examine the objection — while simultaneously suspending data processing — within the shortest possible time from the submission of the request, but no later than within 15 days, and shall inform the applicant in writing of the result. If the objection is justified, the Data Controller shall terminate the data processing, including any further data collection and data transfer, and shall block the data, as well as notify all those to whom the personal data affected by the objection were previously transferred of the objection and of the measures taken on the basis thereof, and who are obliged to take measures in order to enforce the right to object.
If the Data Subject does not agree with the decision of the Data Controller, or if the Data Controller fails to meet the 15-day deadline, the Data Subject may apply to the court against the decision within 30 days from its notification or from the last day of the deadline.
(11) The rights of the Data Subject specified in this Section 5 may be restricted by law in the interests of the external and internal security of the state, including national defence, national security, the prevention or prosecution of criminal offences, and the security of penal enforcement, as well as in the economic or financial interests of the state or a local government, the significant economic or financial interests of the European Union, and for the purpose of preventing and detecting disciplinary and ethical breaches related to the exercise of professions, and breaches of labour law and occupational safety obligations — including, in all cases, inspection and supervision — and also for the protection of the rights of the Data Subject or others.
7. Remedies
(1) In the event of a violation of their rights, the Data Subject may seek redress by:
a) to the Office of the Data Protection Commissioner (1051 Budapest, Nádor u. 22.),
b) to the National Authority for Data Protection and Freedom of Information
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, P.O. Box 5.
Telephone: 06-1-391-1400
Fax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
c) to the Regional Court having jurisdiction according to the Data Subject’s place of residence or place of stay.
The court shall proceed in the case as a matter of priority. The lawfulness of data processing shall be proven by the Data Controller, and the lawfulness of data receipt shall be proven by the data recipient.
If the court grants the request, it shall order the Data Controller to provide the information, rectify, block, or delete the data, annul the decision made by automated data processing, take into account the Data Subject’s right to object, and/or disclose the data requested by the data recipient specified in Section 21 of the Info Act.
If, in the cases specified in Section 21 of the Info Act, the court rejects the request of the data recipient, the Data Controller shall delete the Data Subject’s personal data within 3 days from the notification of the judgment.
The Data Controller shall also delete the data if the data recipient does not apply to the court within the deadline specified in Section 21(5) or (6) of the Info Act.
The court may order the publication of its judgment — including the publication of the Data Controller’s identifying data — if required by the interests of data protection and by the rights of a large number of Data Subjects protected by this Act.
(2) The Data Controller shall compensate any damage caused to others by the unlawful processing of the Data Subject’s data or by a breach of data security requirements. The Data Controller shall also be liable to the Data Subject for any damage caused by the data processor. The Data Controller shall be exempt from liability if it proves that the damage was caused by an unavoidable event beyond the scope of data processing.
No compensation shall be payable to the extent that the damage resulted from the intentional or grossly negligent conduct of the injured party.