PRIVACY NOTICE TO DATA SUBJECTS ABOUT THEIR RIGHTS RELATING TO THE HANDLING OF PERSONAL DATA
Pursuant to EU Regulation No. 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (hereinafter referred to as “the Regulation” or “GDPR”), any Data Controller shall take appropriate measures to provide Data Subjects with information on personal data management in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner, and the Data Controller shall facilitate the exercise of the rights of the Data Subjects.
The obligation to inform the Data Subject in advance is also required by Hungary’s Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. We comply with this statutory obligation by providing the following information. The information will be published at the Company’s website or sent to the Data Subject upon request.
I. THE DATA CONTROLLER’S IDENTITY
The publisher of this Notice and at the same time the Data Controller is:
Company name: QUANTRAX Ipari, Kereskedelmi és Szolgáltató Kft.
Official seat: 6726 Szeged, Fülemüle utca 34.
Company registration number: 06-09-002787
Tax ID: 11089854-2-06
Represented by: Gábor Dobó, Managing Director
Telephone: +36 62 423 133
E-mail: [email protected]
(hereinafter: “the Company”)
II. WHAT INFORMATION DO WE COLLECT AND FOR WHAT PURPOSES?
Data handling for contractual partners – customers and vendors
(1) The Company collects and manages personal data – name, birth name, birth date, mother’s name, address, tax identification number, entrepreneur’s or agricultural producer’s ID number, identity card number, residential address, official seat and representative office, phone number, email address, website address, bank account number, customer ID (client number or purchase order number), online ID (buyer and vendor lists, frequent buyer lists) – of the natural persons interacting with it as customers or vendors, upon a contractual legal basis, with the purposes of concluding, performing, terminating contracts or providing contractual benefits. This type of data handling is legitimate even when it is necessary before executing a contract to be able to take the necessary steps requested by the concerned party. The recipients of such personal data are the Company’s employees who perform tasks relating to client services, as well as the Company’s employees and data processors who perform accounting and tax-related tasks. The retention period of such personal data is 5 years from the termination of contracts.
(2) Data Subjects must be informed in advance that the performance of contracts is the legal basis of data handling. This information may be included in the contract.
(3) Data Subjects must be informed about the forwarding of their data to a data processor.
Data handling of the data of natural persons acting as contact persons (but not data processors) of legal entity vendors
(1) The types of personal data collected are the natural person’s name, address, phone number, email address, online ID and capacity.
(2) The purpose of data handling is the performance of the contract concluded between the Company and its legal entity partner, and keeping contact with partners. The legal basis of such data handling is the consent of the Data Subject.
(3) The recipients of such personal data are the employees of the Company who perform tasks relating to client services.
(4) Such personal data shall be retained for 5 years from the termination of the contract or from the end of the Data Subject’s acting as a representative of the legal entity.
Data handling of visitors to our website, message on the Company’s website
(1) Our Company’s website features a Message Sender which may only be used after informing visitors that their data will be solely managed and stored for the purposes and to the extent of preparing the quote, and, in the case of a purchase order, for the performance of the contract and for sending them information on the basis of the Company’s legitimate interests.
(2) The persons sending meessages via our website can give their consent to the handling of their personal data by ticking the relevant checkbox. It is forbidden to tick the checkbox by default.
(3) The scope of the personal data handled is as follows: the natural person’s name (first name and family name), address, phone number, email address and online ID.
(4) The purposes of handling personal data are as follows:
a. Providing the services listed on the website.
b. Contacting customers digitally, phone, text messages or mail.
c. Providing information on the Company’s products and services, terms and conditions and special offers.
d. Sending advertising material digitally or by mail.
e. Analyzing the website statistics.
(5) The legal basis of such data handling is the Data Subject’s consent.
(6) The recipients of the personal data and their categories are the following: the Company’s employees who perform tasks relating to client services, marketing activities, as well as the employees in charge of hosting at the Company’s IT service partners acting as data processors.
(7) The retention period of such personal data is the duration of the registration or the service, or until the Data Subject’s revocation of consent (data erasure request).
(2) Our Company website collects and handles the following data about visitors and the device they use:
• visitors’ IP addresses;
• browser type;
• the features of the operating system of the device used for browsing (configured language);
• the date and time of the visit;
• the visited (sub)pages, features or services.
(3) Accepting or enabling cookies is optional. You can reset your browser settings to reject all cookies or to notify you when a cookie is being sent. Most browsers accept cookies automatically as default, however, that setting can usually be changed to prevent automatic acceptance, and to propose it each time as an option. Please note, however, that some website functionalities and services may not work properly without cookies.
(4) Cookies on their own do not make it possible the user’s identification.
(5) The cookies used at the Company website are the following:
- a. Technically essential “session” cookies
These cookies are needed to allow visitors to browse the website and to seamlessly and fully utilize its features and services, including – among other things – remembering the actions performed by a visitor in the pages during their visit. The duration of data handling by these cookies is limited to the visitor’s given visit; this type of cookie is automatically deleted from your computer when your session ends or when your browser is closed.
Scope of the managed data: AVChatUserId, JSESSIONID, portal_referer.
The legal basis for this type of data handling is Subsection (3) of Section 13/A of Hungary’s Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
The purpose of such data handling is to ensure the proper functioning of the website.
- b. Cookies requiring consent
These allow the Company website to remember the choices users made. Visitors can disable this data management any time before or during their use of the service. This type of data shall not be mapped to the individual user’s identifying data and must not be transferred to a third party without the user’s consent.
b.1. Cookies facilitating use:
The legal basis for data handling is the visitor’s consent.
The purpose of data handling is the enhanced performance of services, an enhanced user experience and easier use of the website.
The data retention period is 6 months.
b.2. Performance cookies
Google Analytics cookies – please refer to the information below:
Google AdWords cookies – please refer to the information below:
You can have more information about the settings of the cookies of the most popular web browser sin the following links:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
• Microsoft Internet Explorer 11: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies#ie=ie-8
• Microsoft Edge: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy
• Safari: https://support.apple.com/en-gb/HT201265
Social media policy / Data handling at the Company’s Facebook site
(1) The Company maintains a Facebook page in order to provide information on its products and services and to advertise them.
(2) Questions raised on the Company’s Facebook page are not considered official enquiries or claims.
(3) Personal data disclosed on the Company’s Facebook page are not handled by the Company.
(4) Visitors are subject to Facebook’s Terms and Conditions of data protection.
(5) In the case of posting illegal or offensive content, the Company may disable the affected person at its Facebook page or delete his/her post without prior notice.
(6) The Company is not responsible for illegal content and comments posted by Facebook users, nor is it responsible for any error, system failure or problem arising from Facebook’s operation or its modification.
Contests and related data handling
(1) If the Company organizes a prize draw (as defined in Act XXXIV of 1991, Section 23), it may handle the personal data (name, address, phone number, email address, online ID) of participating natural persons upon consent. Participating in contests is voluntary.
(2) The purpose of data handling is to determine the winners of the contest, to contact the winners and to deliver the prize to them. The legal basis of data handling is the Data Subject’s consent.
(3) The recipients of the personal data and their categories are the following: the Company’s employees who perform tasks relating to client services, as well as those employees in charge of hosting at the Company’s IT service partner and the employees of the courier company, as data processors.
(4) Retention period of the personal data: until the end of the prize draw.
Data handling with the purpose of direct marketing
(1) If not stipulated otherwise by the applicable law, advertisement addressed directly to natural persons as advertisement recipients (direct business marketing), especially via electronic mail or any equivalent communicational methods may only be sent with the recipient’s prior, unambiguous and expressed consent, with the exceptions listed in Act XLVIII of 2008.
(2) Categories of personal data that could be handled by the Company for the purpose of direct marketing are the Data Subject’s name, address, telephone number, email address and online ID.
(3) The purpose of data handling is to perform direct marketing activities relating to the Company’s operation, namely sending advertising material, newsletters and special offers to the addresses specified upon registration in a printed form (by mail) or digitally (by email), regularly or occasionally.
(4) The legal basis of data handling is the Data Subject’s consent.
(5) The recipients of the personal data and their categories are the following: employees of the Company who perform tasks relating to client services, as well as employees in charge of hosting at the Company’s IT service partner and the employees of the courier company, as data processors.
(6) The retention period of such personal data lasts until the revocation of the Data Subject’s consent.
III. GENERAL INFORMATION ON THE RIGHTS OF DATA SUBJECTS
This chapter outlines the Data Subjects’ rights in a short form for the purpose of transparency and understandability. Detailed information on such rights can be found in the respective parts of the Regulation.
Right to prior information
The Data Subject has the right to be informed about facts and information related to data handling prior to the commencement of data processing (Articles 13-14 of the Regulation).
Right of access by the Data Subject
The Data Subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed from the Data Controller, and, where that is the case, access to the personal data and the related information specified in the Regulation (Article 15).
Right to rectification
Data Subjects shall have the right to obtain from the Data Controller, without undue delay, the rectification of their inaccurate personal data. Taking into account the purposes of the data processing, Data Subjects shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 16 of the Regulation).
Right to erasure (“right to be forgotten”)
Data Subjects shall have the right to obtain from the Data Controller the erasure of their personal data without undue delay, and the Data Controller has the obligation to erase personal data without undue delay wherever one of the grounds specified in the Regulation applies (Article 17).
Right to restriction of processing
Data Subjects have the right to obtain restriction of processing from the Data Controller wherever one of the grounds specified in the Regulation applies (Article 18).
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom such personal data have been disclosed, unless that proves impossible or if it would involve disproportionate effort. The Controller shall inform Data Subjects about those recipients if they request it (Article 19 of the Regulation).
Right to data portability
With certain conditions specified in the Regulation, Data Subjects have the right to receive their personal data which he or she has provided to a Controller in a structured, commonly used and machine-readable format, and they have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided (Article 20 of the Regulation).
Right to object
Data Subjects have the right to object, on grounds relating to their particular situations, at any time, to the processing of their personal data, based on Paragraph (e) or (f) of Article 6 Subsection (1), including objections to profiling based on those provisions.
Automated individual decision-making, including profiling
Data Subjects have the right not to be subjects to decisions based solely on automated processing, including profiling, which produces legal effects concerning them or which significantly affects them similarly (Article 22 of the Regulation).
Union or Member State laws to which the Data Controller or Processor is subject may restrict by legislative measures the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as in Article 5, in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 (Article 23 of the Regulation).
Communication of a personal data breach to the data subject
When the personal data breach is likely to result with a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the Data Subject without undue delay (Article 34 of the Regulation).
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of their personal data infringes upon the Regulation (Article 77).
Right to effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, each natural person or legal entity shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or where the competent supervisory authority fails to handle a complaint or to inform the Data Subject within three months on the progress or outcome of the complaint lodged (Article 78 of the Regulation).
Right to an effective judicial remedy against a controller or processor
Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of processing his or her personal data in non-compliance with the Regulation (Article 79).
IV. FILING A REQUEST BY THE DATA SUBJECT, ACTIONS TO BE TAKEN BY THE DATA CONTROLLER
1. The Data Controller shall, without undue delay, but in any case, within one month of receipt of the request, inform Data Subjects of any action taken in connection with their claim to exercise their rights.
2. If necessary, taking into account the complexity of the request and the number of requests, that deadline may be extended by two additional months. The Data Controller shall inform the Data Subject within one month of receiving the request about the extension of the deadline along with the indication of the reasons for the delay.
3. If the request is submitted electronically by the Data Subject, the information should be provided electronically, if possible, unless otherwise requested by the Data Subject.
4. If the Data Controller fails to take action upon the Data Subject’s request, it shall inform the Data Subject without delay and within one month of the request’s receipt about the reasons of failing to act and whether the Data Subject may file a complaint with a supervisory authority and exercise his/her right of judicial remedy.
5. The Data Controller shall provide information specified in Articles 13 and 14 of the Regulation as well as information about the rights and obligations of the Data Subject (Articles 15-22 and 34 of the Regulation) and measures free of charge. If the request is clearly unfounded or excessive – in particular if redundant –, the Data Controller, considering the costs of provision of the requested information and the administrative costs of the measures taken,
(a) may charge a fee; or
(b) may refuse to take action under the request.
It is the Data Controller’s responsibility to prove the clearly unfounded or excessive nature of the request.
6. If the Data Controller has reasonable doubts as to the identity of the natural person who submits the request, it may request further information necessary to confirm the Data Subject’s identity.
Quantrax Kft., May 18th, 2018
representative: Gábor Dobó, managing director