Adatkezelési tájékoztató

BerényiSoftware Consulting and Service Ltd. Data Management Information

Privacy Policy

BerényiSoftware Consulting and Service Ltd. (hereinafter referred to as the Service Provider, Data Controller) adheres to the following information notice.

According to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the following information is provided.

This data management information notice governs the data management of the following pages:

The data management information notice is available from the following page: link

Amendments to the notice come into effect upon their publication at the above address.

Data Controller and contact details:

Name: BerényiSoftware Consulting and Service Ltd.

Headquarters: 6726 Szeged, Alsó kikötő sor 11. D. bldg.

Email: imre.berenyi@berenyisoft.com

Phone: +36-30-7777-529

Tax number: 26320353-2-06

Company registration number: 06-09-024347

Data Protection Officer’s contact details:

Name: Imre Berényi

Headquarters: 6726 Szeged, Alsó kikötő sor 11. D. bldg.

Email:  imre.berenyi@berenyisoft.com

Phone: +36-30-7777-529

Definitions

1.  “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2. “data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3. “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

4. “processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

5. “recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

6. “consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

7. “data protection incident”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to the processing of personal data

Personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

The controller is responsible for, and must be able to demonstrate compliance with, the principles mentioned above (“accountability”).

Data Management Procedures

Website Operation-Related Data Management

1. Facts of data collection, the scope of managed data, and the purpose of data management:

Neither the username nor the email address needs to contain personal data.

2. Scope of Affected Parties: All individuals registered on the website.

3. Duration of data management, deadlines for deleting data: Immediately upon deletion of registration. The data controller informs the affected party electronically, based on Article 19 of the GDPR, about the deletion of any personal data provided by the affected party. If the affected party’s deletion request includes their provided email address, then the data controller deletes the email address following the notification. Except in the case of accounting documents, as according to Article 169(2) of the Act on Accounting of 2000, these records must be kept for 8 years.
   
   
   In the case of the Lightning Letter service, all data (content of the letter, recipient list) are deleted within 24 hours after successful delivery.

The accounting document supporting the accounting directly and indirectly (including the general ledger accounts, the analytical, and detailed registers) must be preserved in a legible form, searchable based on the accounting records references, for at least 8 years.

4. Persons authorized to know the data, recipients of personal data: Personal data may be managed by the data controller’s sales and marketing staff, respecting the principles stated above. In the case of the Lightning Letter service, the recipient data provided by the orderer are transferred to the partner courier service, necessary for the delivery of the letter shipment.

5. Rights of the affected parties concerning data management:

• The affected party may request from the data controller access to, correction of, deletion of, or restriction of processing of personal data relating to them, and
• may object to the processing of such personal data, and
• the affected party has the right to data portability, as well as to withdraw consent at any time.

6. The affected party can initiate access to personal data, their deletion, modification, or restriction of processing, data portability, and object to data processing in the following ways:

• by mail at 6726 Szeged, Alsó kikötő sor 11. D. bldg.,
• by email at imre.berenyi@berenyisoft.com,
• by phone at +36-30-7777-529.

7. Legal basis for data management:

1. Article 6(1)(b) of the GDPR,

1. Paragraph 3 of Article 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services:

The service provider may manage personal data necessary technically for the provision of the service. The service provider must select and operate the tools used for the provision of information society services in such a way that personal data can only be processed if it is strictly necessary for the provision of services and for fulfilling other objectives specified in this law, but even in this case, only to the necessary extent and duration.

1. For issuing an invoice that complies with accounting laws, Article 6(1)(c).

1. For enforcing claims arising from contracts, according to Section 6:21 of the Civil Code of 2013, for 5 years.

Section 6:22 [Limitation]

(1) Unless otherwise provided by this law, claims expire after five years.

(2) The limitation period begins when the claim becomes due.

(3) An agreement aimed at changing the limitation period must be made in writing.

(4) An agreement excluding limitation is void.oid.

8. Please be informed that:

• Data management is necessary for the performance of the contract.
  
• You are obliged to provide personal data in order for us to fulfill your order.
  
• Failure to provide data will result in our inability to process your order.

The data processors used

Hosting Provider

1. Activity performed by the data processor: Hosting services

2. Name and contact of the data processor:

          Data Controller Name: ICON MÉDIA Ltd.

          Address: 6000 Kecskemét, Csóka u. 26.

          Phone: 06-70 / 518-1943

          Email: info@webdigital.hu

3. Facts of data management, the scope of managed data: All personal data provided by the affected party.

4. Scope of affected parties: All users of the website.

5. Purpose of data management: To make the website available and ensure its proper operation.

6. Duration of data management, deadlines for deletion of data: Data management lasts until the termination of the agreement between the data controller and the hosting provider, or until the affected party requests deletion from the hosting provider.

7. Legal basis for data processing: Article 6(1)(c) and (f), and Paragraph 3 of Article 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.

8. Rights of the Affected Parties:

1. You can inquire about the circumstances of data management,
2. You are entitled to receive feedback from the data controller on whether your personal data is being processed, and access all information related to data management.
3. You are entitled to receive your personal data in a structured, widely used, machine-readable format.
4. You are entitled to have the data controller correct your inaccurate personal data without undue delay.

Management of Cookies (Cookies)

1. Typical website cookies such as “session cookies used for password-protected sessions,” “shopping cart cookies,” and “security cookies” do not require prior consent from the affected parties.

2. Facts of data management, the scope of managed data: Unique identifier number, dates, times.

3. Scope of affected parties: All visitors to the website.

4. Purpose of data management: Identification of users, management of the “shopping cart,” and tracking of visitors.

5. Duration of data management, deadlines for deletion of data:

6. Persons authorized to access the data: The data controller does not manage personal data through the use of cookies.

7. Rights of the affected parties regarding data management: The affected parties have the opportunity to delete cookies typically under the Privacy settings in the Tools/Settings menu of browsers.

8. Legal basis for data management: Consent from the affected party is not required if the sole purpose of using cookies is to carry out the transmission of communications over an electronic communications network or if it is strictly necessary for the provider to provide a service specifically requested by the subscriber or user related to information society services.

Using Google AdWords Conversion Tracking

1. The data controller uses an online advertising program called “Google AdWords,” which includes Google’s conversion tracking service. Google conversion tracking is an analytical service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).

2. When a user accesses a website through a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, thus the user cannot be identified by them.

3. When the user browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the user clicked on the ad.

4. Each Google AdWords client receives a different cookie, so they cannot be tracked through the websites of AdWords clients.

5. The information gathered through the conversion tracking cookies is used to generate conversion statistics for AdWords clients who have opted for conversion tracking. This allows clients to learn the number of users who have clicked on their advertisement and were redirected to a page tagged with a conversion tracking tag. However, they do not receive any information that can personally identify users.

6. If you do not wish to participate in the tracking, you can opt out by disabling the cookie installation from your browser settings. This will exclude you from the conversion tracking statistics.

7. For more information and Google’s privacy statement, visit:  www.google.de/policies/privacy/

Using Google Analytics

1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies,” which are text files placed on your computer, to help analyze how users use the site.

2. The information generated by the cookies about your use of the website (including your IP address) will typically be transmitted to and stored by Google on servers in the United States. If IP anonymization is activated on the website, Google will truncate/anonymize the last octet of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area.

3. Only in exceptional cases, the full IP address is sent to and shortened by Google servers in the USA. On behalf of the website provider, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services relating to website activity and internet usage to the website provider.

4. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under. //tools.google.com/dlpage/gaoptout?hl=hu

Newsletter and Direct Marketing (DM) Activity

1. Under Article 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activity, users can give prior explicit consent to being contacted by the service provider with promotional offers and other mailings at the contacts provided at registration.

2. Furthermore, considering the provisions of this information notice, the client may consent to the service provider handling personal data necessary for sending promotional offers.

3. The service provider does not send unsolicited advertising messages, and the user can unsubscribe from such offers without restriction or justification, free of charge. In such cases, the service provider will delete all personal data required for sending the advertising messages from its records and will no longer contact the user with further promotional offers. Users can unsubscribe from advertisements by clicking on the link in the message.

4. The facts of data collection, the scope of data managed, and the purpose of data management:
   
   

5. Scope of Affected Parties: All individuals subscribed to the newsletter.

6. Purpose of Data Processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the individuals, providing information about current news, products, promotions, new features, etc.

7. Duration of Data Processing, Deadline for Data Deletion: Until the withdrawal of consent, i.e., until unsubscription.

8. Persons Authorized to Access the Data, Recipients of Personal Data: The personal data are managed by the data controller’s sales and marketing staff, respecting the above principles.

9. Rights of the Data Subjects Related to Data Processing:
   

• The data subject may request from the data controller access to their personal data, as well as their rectification, deletion, or restriction of processing, and
• may object to the processing of such personal data, and
• the data subject has the right to data portability, as well as to withdraw consent at any time.

10. The access to personal data, their deletion, modification, or restriction of processing, the portability of data, and objections to data processing can be initiated by the data subject in the following ways:

• by mail at 6726 Szeged, Alsó kikötő sor 11. D. ép.,
• by email at imre.berenyi@berenyisoft.com,
• by phone at +36-30-7777-529.

11. The data subject can unsubscribe from the newsletter at any time for free.

12. Legal Basis for Data Processing: The data subject’s consent, Article 6(1)(a) and (f) of the GDPR, and Section 6(5) of Act XLVIII of 2008 on the Essential Conditions and Certain Limitations of Economic Advertising Activity:

The advertiser, the advertising service provider, and the publisher of the advertisement keep a record of the personal data of individuals who have given their consent within the specified scope. Data recorded in this registry – related to the recipient of the advertisement – can only be processed in accordance with the contents of the consent declaration until its withdrawal, and may only be transferred to a third party with the prior consent of the affected individual.

13. Please note that:

• the data processing is based on your consent.
  
• you are required to provide personal data if you wish to receive our newsletter.
  
• failure to provide data will result in our inability to send you the newsletter.

14. By accepting this data processing statement, you consent to our company using your phone number for marketing purposes.

Complaint Handling

1. Fact of Data Collection, Scope of Data Managed, and Purpose of Data Processing:

2. Data Subjects: All individuals who shop on the website and submit complaints or quality issues.

3. Duration of Data Processing and Deadline for Data Deletion: The minutes, transcripts, and copies of responses related to the complaints must be retained for 5 years as per Section 17/A (7) of the Consumer Protection Act of 1997.

4. Persons Authorized to Access the Data, and the Recipients of Personal Data: The personal data is managed by the data controller’s sales and marketing staff, adhering to the above principles.

5. Rights Related to Data Processing of Individuals:

• The data subject may request access to personal data concerning them from the data controller, request the correction, deletion, or restriction of processing of their data, and
• may object to the processing of such personal data, as well as
• have the right to data portability, and to withdraw consent at any time.

6. The methods by which the data subject can initiate access to their personal data, its deletion, modification, or restriction of processing, data portability, and object to data processing are as follows:
   

• by post at 6726 Szeged, Alsó kikötő sor 11. D. building,
• by email at imre.berenyi@berenyisoft.com,
• by phone at +36-30-7777-529.

7. Legal Basis for Data Processing: Article 6(1)(c) of the GDPR, and Section 17/A (7) of the Consumer Protection Act of 1997.

8. Please be informed that:

• the provision of personal data is based on a contractual obligation.
• the conclusion of the contract is conditional upon the processing of personal data.
• you are required to provide personal data so that we can handle your complaint.
• failure to provide data results in our inability to process your complaint.

Social Media

1. Data Collection Facts, Scope of Data Handled: Names registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and the user’s public profile picture.

2. Data Subjects: All individuals registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., who have ‘liked’ the website.

3. Purpose of Data Collection: To share and promote the website’s various content elements, products, promotions, or the website itself on social media platforms.

4. Duration of Data Processing, Deadline for Data Deletion, Persons Authorized to Access the Data, and Rights of the Data Subjects Regarding Data Processing: Information about the source of data, its management, method of transfer, and legal basis can be found on the respective social media platform. Data processing is carried out on social media platforms, hence the duration, method, and options for data deletion or modification are governed by the regulations of the respective social media platform.

5. Legal Basis for Data Processing: The voluntary consent of the data subject for the processing of their personal data on social media platforms.

Customer Relations and Other Data Processing

1. If any issues or questions arise during the use of our services, the data subject can contact the data controller via the methods provided on the website (phone, email, social media, etc.).

2. The data controller will delete received emails, messages, and data provided via phone, Facebook, etc., including the inquirer’s name and email address, along with any other voluntarily provided personal data, within a maximum of 2 years from the date of communication.

3. Information on data processing not listed in this notification will be provided at the time of data collection.

4. In exceptional cases of legal authority or law enforcement inquiries, the Service Provider is obligated to provide information, communicate data, transfer, or make documents available.

5. In such cases, the Service Provider will release personal data to the inquirer only to the extent and in the measure that is absolutely necessary to achieve the purpose of the inquiry, provided that the inquirer has specified the precise purpose and scope of the data requested.

Rights of Data Subjects

1. Right of Access

You have the right to obtain confirmation from the data controller as to whether or not your personal data is being processed, and if such processing is occurring, to access the personal data and the information listed in the regulation.

2. Right to Rectification
   

You have the right to have the data controller rectify any inaccurate personal data concerning you without undue delay. Considering the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to Erasure

You have the right to have the data controller erase your personal data without undue delay upon request, and the data controller is obliged to erase your personal data without undue delay under certain conditions.

4. Right to be Forgotten

If the data controller has made the personal data public and is obliged to erase it, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that you have requested the erasure of any links to, or copy or replication of, that personal data.

5. Right to Restriction of Processing

You have the right to request the data controller to restrict processing if one of the following applies:

• You contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise, or defense of legal claims.
• You have objected to processing pending the verification whether the legitimate grounds of the controller override your reasons.

6. Right to Data Portability
   

You have the right to receive your personal data, which you have provided to a controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

7. Right to Object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data, including profiling based on those provisions.

8. Objection to Direct Marketing

If the processing of personal data is for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, then the personal data shall no longer be processed for such purposes.

9. Automated Decision-Making in Individual Cases, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The above paragraph does not apply if the decision:

• Is necessary for entering into, or performance of, a contract between you and the data controller;
• Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• Is based on your explicit consent.

Time Limits for Action

The data controller shall inform you about the actions taken on your requests without undue delay and in any event within one month of receipt of the request.

This period may be extended by two months if necessary. The data controller will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the data controller does not take action on your request, they will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action, and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

Data Processing Security

The data controller and processor implement appropriate technical and organizational measures in accordance with the state of science and technology, the costs of implementation, and the nature, scope, circumstances, and purposes of data processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk. This includes, where applicable:

1. Pseudonymization and encryption of personal data;

2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.

Notification of a Data Breach to the Data Subject

If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the data breach to the data subject without undue delay.

The communication to the data subject shall clearly and plainly describe the nature of the data breach and provide the name and contact details of the data protection officer or other contact point where more information can be obtained. It should describe the likely consequences of the data breach and the measures the controller has taken or proposes to take to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The data subject need not be informed if any of the following conditions are met:

• The data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the data affected by the data breach, particularly those that render the data unintelligible to any person who is not authorized to access it, such as encryption;
• The data controller has taken subsequent measures which ensure that the high risk to the data subject’s rights and freedoms is unlikely to materialize;
• Providing information would involve disproportionate effort. In such cases, the data subjects should be informed through publicly available information, or a similar measure that ensures equally effective communication.

If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to involve a high risk, may order the data subject to be informed.

Notification of a Data Breach to the Authority

The data controller must report any data breach to the competent supervisory authority under Article 55 without undue delay and, if feasible, no later than 72 hours after having become aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, reasons for the delay must be provided.

Review in Case of Mandatory Data Processing

If the duration or the necessity of mandatory data processing is not defined by law, local government regulation, or a binding act of the European Union, the data controller must review at least every three years from the start of processing whether the personal data processing by itself or its processor is still necessary for the purpose of the data processing.

The data controller must document the circumstances and results of this review, keep this documentation for ten years after the review, and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) upon request.

Option to File a Complaint

In case of any alleged infringement by the data controller, a complaint can be filed with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, P.O. Box: 5.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

Email:  ugyfelszolgalat@naih.hu