ABOUT THE RIGHTS OF THE CONCERNED NATURAL PERSON
IN RELATION TO THE PROCESSING OF THEIR PERSONAL DATA
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “Regulation”), requires the data Controller to take appropriate measures to provide the data subject with concise, transparent, intelligible and easily accessible information in clear and plain language regarding the processing of their personal data, and to facilitate the exercise of the data subject’s rights.
The obligation to inform the data subject in advance is also provided for in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information. The following information is provided to comply with this legal obligation.
The information shall be published on the company’s website or sent to the person concerned upon request.
IDENTIFICATION OF THE DATA CONTROLLER
The publisher of this information is the Data Controller:
Company name: Wozify Engineering Group Ltd.
Registered office: 42 Berda József Street, 1043 Budapest, Hungary
(Hereinafter referred to as the “Company”)
Contact details of the Data Controller:
E-mail: [email protected]
IDENTIFICATION OF DATA PROCESSORS
Data Processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Regulation Article 4(8)).
The data subject’s prior consent is not required for the use of a data processor, but information must be provided. Accordingly, we provide the following information:
Name of IT hosting provider data processor
Registered office: 101 Avenue of the Americas, 2nd Floor New York, NY 10013
Other IT service providers
Google LLC (does not qualify as a transfer to a third country due to its participation in the EU-U.S. Privacy Shield Framework)
Address: 1600 Amphitheatre Parkway, Mountain View, California 94043
Microsoft Corporation (does not qualify as a transfer to a third country due to its participation in the EU-U.S. Privacy Shield Framework)
Address: One Microsoft Way, Redmond, WA 98052-7329, USA
Name of data processor performing postal, courier, and logistics tasks
COMPANY NAME: Magyar Posta Zrt.
REGISTERED OFFICE: 2-6 Dunavirág Street, Budapest 1138, Hungary
EMAIL ADDRESS: [email protected]
PHONE NUMBER: +36 (1) 767 8282
ENSURING THE LAWFULNESS OF DATA PROCESSING
Data processing based on the consent of the data subject
1.1. If the Company intends to carry out data processing based on the consent of the data subject, the consent of the data subject to the processing of their personal data must be obtained with the content and information specified in the data request form in the data processing policy.
1.2. Consent may also be given by the data subject by ticking a box on the Company’s website during viewing, by performing technical settings for this purpose during the use of information society services, or by any other statement or action that clearly indicates the data subject’s consent to the intended processing of their personal data in the given context. Silence, pre-ticked boxes or inactivity are not considered as consent.
1.3. The consent shall extend to all data processing activities carried out for the same purpose or purposes. If the data processing serves several purposes at the same time, the consent shall be given for all data processing purposes.
1.4. If the data subject provides consent through a written statement that also relates to other matters, such as the conclusion of a sales or service contract, the request for consent shall be presented in a way that is clearly distinguishable from those other matters, in an understandable and easily accessible form, in clear and plain language. Any part of such a statement containing the data subject’s consent that violates the Regulation shall have no binding force.
1.5. The Company may not make the conclusion or performance of a contract dependent on the provision of consent for the processing of personal data that is not necessary for the performance of the contract.
1.6. The withdrawal of consent must be made possible in the same easy way as giving consent.
1.7. If personal data has been collected with the consent of the data subject, the data controller may process the collected data for the purpose of fulfilling their legal obligation without further separate consent, as long as there is no provision to the contrary, and even after the withdrawal of the data subject’s consent.
Data processing based on legal obligation
2.1. In case of data processing based on legal obligation, the scope of processable data, the purpose of data processing, the duration of data storage, and the addressees shall be determined by the provisions of the underlying legislation.
2.2. Data processing based on the fulfillment of legal obligation is independent of the consent of the data subject, as the processing is determined by law. In this case, the data subject must be informed before the start of data processing that the processing is mandatory, and the data subject must be clearly and comprehensively informed about all the facts related to the processing of their data, in particular the purpose and legal basis of data processing, the person authorized to process and access the data, the duration of data processing, whether the data controller processes the personal data of the data subject based on their legal obligation, and who may have access to the data. The information must also cover the data subject’s rights and remedies related to data processing. In case of mandatory data processing, the information may be provided by reference to the relevant legislative provisions containing the above-mentioned information.
Data processing based on legitimate interest
3.1. The Company or a third party’s legitimate interest can provide a legal basis for data processing, provided that the interests, fundamental rights, and freedoms of the data subject do not take precedence. The reasonable expectations of the data subject based on their relationship with the data controller must be taken into account, such as the processing of personal data for communication or even direct marketing purposes, which can be considered as based on legitimate interest.
Data processing based on contractual interest
4.1. Data processing may also be based on contractual interest if it is necessary for the performance of a contract in which the data subject is a party or for taking steps at the request of the data subject prior to entering into a contract.
Data processing based on the protection of vital interests of the data subject or other natural persons
5.1. The protection of the life or other vital interests of the data subject or other natural persons may also serve as a legal basis for data processing. Such a case arises in the case of a natural person if they use healthcare services or if data processing is carried out to stop the spread of epidemics.
Promoting the rights of data subjects
6.1. The Company is obliged to ensure the exercise of the data subject’s rights in all data processing.
General information about cookies
2.1. A cookie is a piece of data (in name-value pairs) that a visited website sends to the visitor’s browser, which stores it so that the website can later load its content. The cookie can have a validity period that lasts until the browser is closed or is even unlimited. In subsequent HTTP(S) requests, the browser sends this data to the server, thus modifying the data on the user’s computer.
2.2. Modern website services inherently require cookies, whose function is to identify a user (e.g., that they have logged into the site) and manage them accordingly in the future, even if they return later. The danger is that not all users are aware of this, and it may be used to track users by the website operator or other service providers whose content is embedded in the site (e.g., Facebook, Google Analytics), creating a profile about them. In this case, the content of the cookie can be considered personal data.
2.3. Types of cookies:
2.3.1. Technically necessary session cookies: Without these, the website simply would not function properly. These cookies are necessary for user identification, such as managing whether the user is logged in, what items are in their shopping cart, and so on. This is typically a stored session ID; the rest of the data is stored on the server, which is more secure. If the session cookie value is not generated properly, there is a risk of session hijacking attacks, which is why it is essential that these values are generated correctly. Other terminologies refer to all cookies that are deleted when the browser is closed as session cookies (a session is one period of browser use, from startup to logout).
2.3.2. Functionality cookies: These are cookies that remember user choices, such as how the user wants to view the website. These types of cookies essentially mean the settings data stored in the cookie.
2.3.3. Performance cookies: Although they have little to do with “performance,” this is the general name for cookies that collect information about the user’s behavior, time spent on the visited web page, clicks, and so on. Typically, these are cookies of third-party applications (such as Google Analytics, AdWords, or Yandex.ru). They are used to create a user profile.
You can find out more about Google Analytics cookies here:
You can find out about Google AdWords cookies here:
2.4. Accepting and enabling cookies is not mandatory. You can reset your browser settings to reject all cookies or to notify you when a cookie is being sent. Most browsers automatically accept cookies by default, but these settings can usually be changed to prevent automatic acceptance.
You can find information about cookie settings of the most popular browsers on the following links:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/hu-hu/HT201265
However, please note that certain website features or services may not function properly without cookies.
Information about the cookies used on the Company’s website and the data generated during the visit
3.1. Data processed during the visit: Our company’s website may record and process the following data about the visitor and the device used for browsing during the use of the website:
IP address used by the visitor,
characteristics of the operating system of the device used for browsing (language settings),
time of visit,
visited (sub)page, function or service
We retain this data for a maximum of 90 days and can use it primarily for investigating security incidents.
3.2. Cookies used on this website
3.2.1. Technically necessary session cookies:
Purpose of data processing: ensuring the proper functioning of the website. These cookies are necessary for visitors to browse the website, use its functions smoothly and completely, access services available on the website, and – among other things – remember actions performed by the visitor on specific pages or identify logged-in users during a visit. The duration of data processing for these cookies is limited to the current visit only, and this type of cookie is automatically deleted from the visitor’s computer when the session ends or the browser is closed.
The legal basis for this data processing is Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, which allows service providers to process personal data that are technically essential for the provision of the service. If the other conditions are identical, the service provider must choose and operate the tools used in the provision of information society services in a way that personal data is processed only if it is absolutely necessary for the provision of the service and the fulfillment of other purposes specified in this Act, but even in this case, only to the necessary extent and for a limited period of time.
3.2.2. Functional cookies:
These remember the user’s choices, such as the form in which the user wants to see the page. These types of cookies are essentially the settings data stored in the cookie.
The legal basis for processing is the visitor’s consent.
Purpose of the data processing: Increasing the efficiency of the service, improving the user experience, making the use of the website more convenient.
This data is typically stored on the user’s computer; the website only accesses it and thereby recognizes the visitor.
3.2.3. Performance cookies:
They collect information about the user’s behaviour, time spent on the website visited, clicks.
Legal basis for data processing: consent of the data subject.
Purpose of data processing: to analyse the website, to send advertising offers.
INFORMATION ABOUT THE RIGHTS OF THE PERSON CONCERNED
Summary of the data subject’s rights:
Transparent information, communication, and facilitation of the exercise of the data subject’s rights
Right to prior information – if personal data is collected from the data subject
Information to be provided to the data subject and the right to know if personal data was not obtained from the data subject
Right of access by the data subject
Right to rectification
Right to erasure (“right to be forgotten”)
Right to restriction of processing
Obligation to notify regarding rectification or erasure of personal data or restriction of processing
Right to data portability
Right to object
Automated individual decision-making, including profiling
Informing the data subject of the personal data breach
Right to lodge a complaint with the supervisory authority (right to an administrative remedy)
Right to an effective judicial remedy against the supervisory authority
Right to an effective judicial remedy against the data controller or processor
The rights of the data subject in detail:
1. Transparent information, communication, and facilitation of the exercise of the data subject’s rights
1.1. The data controller must provide the data subject with all information and any communication regarding the processing of personal data in a concise, transparent, understandable, and easily accessible form, clearly and in plain language, especially in the case of information addressed to children. The information must be provided in writing or by other means, including electronic means if appropriate. Upon request, verbal information may also be provided, on condition that the data subject’s identity has been verified by other means.
1.2. The data controller must facilitate the exercise of the data subject’s rights.
1.3. Without undue delay, but in any case, within one month of receipt of the request, the data controller shall inform the data subject of the measures taken in response to any request to exercise his or her rights. This period may be extended by two further months where necessary, of which the data subject shall be informed.
1.4. Where the data controller does not take action on the request of the data subject, the data controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
1.5. The controller shall provide the information and communication relating to the exercise of the rights of the data subject and the measures taken in response to the exercise of those rights free of charge. However, a fee may be charged in the cases provided in the Regulation.
The detailed rules are set out in Article 12 of the Regulation.
2. Right to prior information – if personal data is collected from the data subject
2.1. The data subject has the right to be informed about the facts and information related to the data processing before the start of the processing. In this context, the data subject must be informed of:
a) the identity and contact details of the data controller and their representative,
b) the contact details of the data protection officer (if any),
c) the purpose of the intended processing of personal data, as well as the legal basis for the processing,
d) in case of data processing based on legitimate interests, the legitimate interests pursued by the data controller or a third party,
e) the recipients of the personal data – to whom the personal data are disclosed – and the categories of recipients, if any;
f) where applicable, the fact that the data controller intends to transfer the personal data to a third country or international organization.
2.2. In order to ensure fair and transparent data processing, the data controller must inform the data subject of the following additional information:
a) the duration of the storage of personal data or, if this is not possible, the criteria used to determine that period;
b) the data subject’s right to request access to, rectification, erasure or restriction of processing of his or her personal data, as well as the right to object to such processing, and the right to data portability;
c) in case the processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
f) information on automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2.3. If the controller intends to further process personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.
The detailed rules on the right to prior information are laid down in Article 13 of the Regulation.
3. Informing the data subject and providing information if the personal data was not obtained from the data subject by the data controller
3.1. If the controller did not obtain the personal data from the data subject, the controller shall inform the data subject no later than one month after obtaining the personal data, or at the time of the first communication with the data subject if the personal data is to be used for communication with the data subject. If the personal data is expected to be disclosed to other recipients, the data subject shall be informed of the information and facts described in point 2 above, as well as the categories of personal data concerned, the source of the personal data, and whether the data originates from publicly accessible sources, no later than the first occasion of such disclosure.
3.2. The additional rules are those set out in section 2 (Right to prior information) above.
The detailed rules for providing such information are contained in Article 14 of the Regulation.
4. The data subject’s right of access
4.1. The data subject shall have the right to obtain from the controller confirmation as to whether or not his or her personal data are being processed, and, where that is the case, access to the personal data and the information referred to in the preceding points 2 and 3. (Article 15 of the Regulation)
4.2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.
4.3. The controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
The detailed rules regarding the right of access by the data subject are laid down in Article 15 of the Regulation.
5. Right to rectification
5.1. The data subject is entitled to request the Controller to rectify without undue delay any inaccurate personal data concerning him or her.
5.2. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
These rules are contained in Article 16 of the Regulation.
6. Right to erasure (“right to be forgotten”)
6.1. The data subject shall have the right to request the Controller to erase without undue delay personal data concerning him or her, and the Controller shall be obliged to erase the personal data concerning the data subject without undue delay if:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation under Union or Member State law to which the Controller is subject;
f) the personal data have been collected in relation to the offer of information society services directly to children.
6.2. The right to erasure shall not apply where processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defense of legal claims.
Detailed rules on the right to erasure are set out in Article 17 of the Regulation.
7. Right to restriction of processing
7.1. In the event of a restriction on processing, such personal data may only be processed with the consent of the data subject, or for the purpose of presenting, enforcing, or defending legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State, except for storage.
7.2. The data subject shall have the right to request the Data Controller to restrict the processing of personal data if one of the following applies:
a) the accuracy of the personal data is contested by the data subject; in which case the restriction shall be for a period enabling the Data Controller to verify the accuracy of the personal data;
b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests instead the restriction of their use;
c) the Data Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
7.3. The data subject shall be informed in advance of the lifting of the restriction on processing.
The relevant rules are set out in Article 18 of the Regulation.
8. Obligation to notify regarding rectification or erasure of personal data or restriction of processing
The controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.
These rules can be found under Article 19 of the Regulation.
9. Right to data portability
9.1. Under the conditions set out in the Regulation, the data subject is entitled to receive their personal data, which they have provided to a data controller, in a structured, widely used, machine-readable format, and is entitled to transmit these data to another data controller without hindrance from the data controller to which the personal data were provided, if:
a) the processing is based on consent or a contract; and
b) the processing is carried out by automated means.
9.2. The data subject may also request the direct transfer of personal data between controllers.
9.3. The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation (Right to erasure (“right to be forgotten”)). The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.
The detailed rules are set out in Article 20 of the Regulation.
10. Right to object
10.1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the public interest, the performance of a public task (Article 6(1)(e)) or a legitimate interest (Article 6(f)), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
10.3. These rights shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information shall be clearly displayed and separated from any other information.
10.4. The data subject may exercise the right to object by automated means based on technical specifications.
10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The relevant rules are set out in Article 21 of the Regulation.
11. Automated individual decision-making, including profiling
11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
11.2. This right does not apply if the decision:
a) is necessary for the conclusion or performance of a contract between the data subject and the controller;
b) is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
c) is based on the explicit consent of the data subject.
11.3. In the cases referred to in points (a) and (c) above, the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
Further rules are set out in Article 22 of the Regulation.
Union or Member State law applicable to a controller or processor may limit the scope of rights and obligations (Articles 12 to 22, 34, 5 of the Regulation) by legislative measures, provided that the limitation respects the essential content of fundamental rights and freedoms.
The conditions for this restriction are set out in Article 23 of the Regulation.
13. Informing the data subject of the personal data breach
13.1. If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. The information provided to the data subject shall describe the nature of the personal data breach in clear and plain language, and shall include at least the following:
a) The name and contact details of the data protection officer or other contact point providing further information;
c) a description of the likely consequences of the personal data breach;
d) a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
13.2. The data subject need not be informed if any of the following conditions are met:
a) the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorized to access the personal data;
b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
c) disclosure would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure which ensures that the data subjects are informed in an equally effective manner.
Further rules are set out in Article 34 of the Regulation.
14. Right to lodge a complaint with the supervisory authority (right to an administrative remedy)
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. The supervisory authority with which the complaint has been lodged must inform the data subject of the procedural developments and the outcome of the complaint, including the right of the data subject to judicial remedy.
These rules are set out in Article 77 of the Regulation.
The supervisory authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság
Location: 22/c Szilágyi Erzsébet fasor, 1125 Budapest, Hungary
Postal address: 1530 Budapest, PO Box 5.
Phone number: +36 (1) 391-1400
Central e-mail address: [email protected]
15. Right to an effective judicial remedy against the supervisory authority
15.1. Without prejudice to other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
15.2. Without prejudice to other administrative or non-judicial remedies, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
15.4. If proceedings are brought against a decision of the supervisory authority that relates to an opinion issued or decision taken by the Board in the consistency mechanism, the supervisory authority shall be required to transmit that opinion or decision to the court.
These rules are laid down in Article 78 of the Regulation.
16. Right to an effective judicial remedy against the data controller or processor
16.1. Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.
16.2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.
These rules are set out in Article 79 of the Regulation.
Dated: Budapest, 25 May 2018
Wozify Engineering Group Ltd.
Slezák Balázs Managing Director