Data Protection Notice
This Policy contains the internal rules of the data processing activities of VAVAVIN Limited Liability Company (6724 Szeged, Pacsirta utca 1., tax number: 32682957-2-06) / hereinafter referred to as VAVAVIN Ltd. / – in order to comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation) – and Act XXXIV of 2019.
I.
GENERAL PROVISIONS
§ 1 Introduction
VAVAVIN Kft. declares that it carries out its data processing activities – by adopting appropriate internal rules, technical and organizational measures – in such a way that it complies under all circumstances with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the Regulation) – as well as with the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter referred to as the Infotv.).
§ 2 Purpose of the Regulations
The purpose of the Regulations is to establish internal rules that ensure that the data processing activities of VAVAVIN Kft. comply with the provisions of the Regulation and the Information Act.
§ 3 Scope of the Regulations
The scope of this Policy covers the processing of personal data of natural persons by VAVAVIN Kft.
Sole proprietors, sole proprietorships, primary producers, customers, buyers, and suppliers shall be considered natural persons for the purposes of this Policy.
The scope of the Regulation does not cover the processing of personal data relating to legal persons, and in particular to undertakings established as legal persons, including the name and form of the legal person and the contact details of the legal person.
§ 4 Definitions
The governing definitions are contained in Article 4 of the Regulation and Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
1./ “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2./ “data processing”: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3./ “restriction of processing”: marking of stored personal data with the aim of restricting their future processing;
4./ “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5./ “pseudonymisation”: the processing of personal data in such a way that the personal data can no longer be identified without the use of additional information, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person;
6./ “filing system”: a file of personal data structured in any way – centralized, decentralized or according to functional or geographical aspects – which is accessible based on specific criteria;
7./ "data controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
8./ “data processor” means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller;
9./ "recipient" means the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not it is a third party. Public authorities which may have access to personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by such public authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing;
10./ “third party”: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data;
11./ "consent of the data subject": any freely given, specific, adequately informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her;
12./ “data security incident”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed;
13./ “genetic data”: any personal data relating to the inherited or acquired genetic characteristics of a natural person, which contain unique information concerning the physiology or health of that person and which results primarily from the analysis of a biological sample taken from that natural person;
14./ “biometric data”: any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical processes which allow or confirm the unique identification of the natural person, such as facial image or dactyloscopic data;
15./ “electronic commerce service”: an information society-related service whose purpose is the commercial sale, purchase, exchange or other use of a tradable movable thing - including money and securities, as well as natural forces that can be used as a thing -, services, real estate, or property rights (hereinafter collectively referred to as: goods);
16./ "electronic means": the use of wired, radio, optical or other electromagnetic devices for electronic data processing, storage or transmission.
17./ “information society service”: a service provided electronically, to remote parties, usually for consideration, to which the user of the service has individual access;
18./ “Service provided from the territory of Hungary”: an information society service provided by a service provider carrying out actual activities related to the given information society service at its registered office, establishment or place of residence in the territory of Hungary.
§ 5 Main applicable legislation
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation)
Act V of 2013 on the Civil Code
Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society
Act CXII of 2011 on the right to informational self-determination and freedom of information
Act C of 2000 on Accounting
II.
RIGHTS OF THE DATA SUBJECT
§ 6 Rights of the data subject
Right to prior information
The data subject has the right to be informed about the facts and information related to data processing before the start of data processing.
(Articles 13-14 of the Regulation)
The data subject's right of access
The data subject has the right to receive feedback from the Data Controller as to whether his or her personal data is being processed and, if such processing is taking place, has the right to access the personal data and related information as specified in the Regulation.
(Article 15 of the Regulation)
The right to rectification
The data subject shall have the right to obtain from the Controller, at his/her request, the rectification of inaccurate personal data concerning him/her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.
(Article 16 of the Regulation)
The right to erasure (“the right to be forgotten”)
The data subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the data subject without undue delay if one of the reasons specified in the Regulation applies.
(Article 17 of the Regulation)
Right to restriction of data processing
The data subject has the right to request that the Data Controller restrict data processing if the conditions specified in the Regulation are met.
(Article 18 of the Regulation)
Notification obligation related to the rectification or erasure of personal data or the restriction of data processing
The Data Controller shall inform any recipient to whom the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
(Article 19 of the Regulation)
The right to data portability
Under the conditions set out in the Regulation, the data subject has the right to receive the personal data concerning him or her and provided to VAVAVIN Kft. in a structured, commonly used and machine-readable format, and has the right to transmit these data to another Data Controller without hindrance from the Data Controller to whom the personal data have been provided.
(Article 20 of the Regulation)
The right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) of Article 6(1) of the Regulation, where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or point (f) of Article 6(1) of the Regulation, where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(Article 21 of the Regulation)
Automated decision-making in individual cases, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(Article 22 of the Regulation)
Restrictions
Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34, and in relation to the rights and obligations set out in Articles 12 to 22, the scope of the rights and obligations set out in Article 5, where the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard national security, defence, public safety, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, etc.
(Article 23 of the Regulation)
Informing the data subject about the data protection incident
If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, VAVAVIN Kft. will inform the data subject about the data protection incident without undue delay.
(Article 34 of the Regulation)
Right to lodge a complaint with a supervisory authority (right to a judicial remedy)
The data subject has the right to lodge a complaint with a supervisory authority – in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement – if the data subject considers that the processing of personal data concerning him or her infringes the Regulation.
(Article 77 of the Regulation)
You can file a complaint with the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1055 Budapest, Falk Miksa Street 9-11.
Mailing address: 1363 Budapest, P.O. Box 9.
Phone: +36 (30) 683-5969 +36 (30) 549-6838 +36 (1) 391 1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
Right to an effective judicial remedy against the supervisory authority
Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her, or if the supervisory authority does not deal with the complaint or does not inform the data subject within 3 (three) months of the procedural developments or the outcome of the complaint submitted.
(Article 78 of the Regulation)
Right to an effective judicial remedy against the controller or processor
Every data subject has the right to an effective judicial remedy if, in their opinion, their rights under the Regulation have been infringed as a result of the improper processing of their personal data.
(Article 79 of the Regulation)
§ 7 Detailed information on the rights of the data subject
Right to prior information
The data subject has the right to be informed about the facts and information related to data processing before the start of data processing.
Information to be provided when personal data are collected from the data subject
1./ If personal data concerning the data subject are collected from the data subject, the data controller shall provide the data subject with all of the following information at the time the personal data are obtained:
a.) the identity and contact details of the data controller and – if any – the data controller's representative;
b.) contact details of the data protection officer, if any;
c.) the purpose of the planned processing of personal data and the legal basis for the processing;
d.) in the case of data processing based on Article 6(1)(f) of the Regulation (legitimate interests), the legitimate interests of the controller or a third party;
e.) where applicable, the recipients of the personal data and the categories of recipients, if any;
f.) where applicable, the fact that the controller intends to transfer the personal data to a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards, as well as a reference to the means of obtaining a copy of them or their availability.
2./ In addition to the information referred to in point 1./, the data controller shall, at the time of obtaining the personal data, inform the data subject of the following additional information in order to ensure fair and transparent data processing:
a.) the period for which the personal data will be stored, or, if this is not possible, the criteria for determining this period;
b.) the right of the data subject to request from the data controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the right of the data subject to data portability;
c.) in the case of processing based on Article 6(1)(a) (the data subject's consent) or Article 9(2)(a) (the data subject's consent) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
d.) the right to submit a complaint to the supervisory authority;
e.) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide the data;
f.) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
3./ If VAVAVIN Kft. intends to further process personal data for purposes other than those for which they were collected, it must inform the data subject of this different purpose and of all relevant additional information referred to in paragraph (2) prior to further processing.
4./ Points 1-3 do not apply if and to the extent that the data subject already has the information.
(Article 13 of the Regulation)
Information to be provided if personal data were not obtained from the data subject
1./ If the personal data were not obtained from the data subject, the data controller shall provide the data subject with the following information:
a.) the identity and contact details of the data controller and – if any – the data controller's representative;
b.) contact details of the data protection officer, if any;
c.) the purpose of the planned processing of personal data and the legal basis for the processing;
d.) the categories of personal data concerned;
e.) the recipients of the personal data and the categories of recipients, if any;
f.) where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation, as well as the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of them or their availability.
2./ In addition to the information referred to in point 1./, the data controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data processing for the data subject:
a.) the period for which the personal data will be stored, or if this is not possible, the criteria for determining this period;
b.) if the processing is based on Article 6(1)(f) of the Regulation (legitimate interest), the legitimate interests of the controller or a third party;
c.) the right of the data subject to request from the data controller access to personal data concerning him or her, rectification, erasure or restriction of processing, and to object to the processing of personal data, as well as the right of the data subject to data portability;
d.) in the case of processing based on Article 6(1)(a) (the data subject's consent) or Article 9(2)(a) (the data subject's consent) of the Regulation, the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent before its withdrawal;
e.) the right to lodge a complaint with a supervisory authority;
f.) the source of the personal data and, where applicable, whether the data originate from publicly available sources; and
g.) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
3./ The data controller shall provide the information referred to in points 1./ and 2./ as follows:
a.) taking into account the specific circumstances of the processing of personal data, within a reasonable period of time from the date of obtaining the personal data, but no later than one month;
b.) if the personal data are used for the purpose of communicating with the data subject, at least upon initial contact with the data subject; or
c.) if the data is expected to be communicated to other recipients, at the latest upon the first disclosure of the personal data.
4./ If the data controller intends to further process personal data for a purpose other than that for which they were collected, it must inform the data subject of this different purpose and of any relevant additional information referred to in point 2./ prior to further processing.
5./ Points 1-5./ shall not apply if and to the extent that:
a.) the data subject already has the information;
b.) providing the information in question proves impossible or would involve a disproportionate effort, in particular for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, in the case of processing carried out subject to the conditions and safeguards referred to in Article 89(1) of the Regulation, or where the obligation referred to in Article 89(1) is likely to render impossible or seriously jeopardise the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including making the information publicly available;
c.) the collection or disclosure of the data is expressly required by Union or Member State law applicable to the controller, which provides for appropriate measures to protect the legitimate interests of the data subject; or
d.) personal data must remain confidential pursuant to an obligation of professional secrecy laid down in Union or Member State law, including a statutory obligation of confidentiality.
(Article 14 of the Regulation)
The data subject's right of access
1./ The data subject has the right to receive feedback from the Data Controller as to whether his/her personal data is being processed and, if such processing is taking place, he/she has the right to access the personal data and the following information:
a.) the purposes of data processing;
b.) the categories of personal data concerned;
c.) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
d.) where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
e.) the right of the data subject to request from the Data Controller the rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data;
f.) the right to lodge a complaint with a supervisory authority;
g.) if the data were not collected from the data subject, all available information on their source;
h.) the fact of automated decision-making referred to in Article 22(1) and (4) of the Regulation, including profiling, and at least in such cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.
2./ If personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards regarding the transfer pursuant to Article 46 of the Regulation.
3./ VAVAVIN Kft. shall provide the data subject with a copy of the personal data subject to data processing. For further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.
(Article 15 of the Regulation)
The right to erasure (“the right to be forgotten”)
1./ The data subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the data subject without undue delay if one of the following reasons applies:
a.) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b.) the data subject withdraws his or her consent which was the basis for the processing pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation and there is no other legal basis for the processing;
c.) the data subject objects to the processing of his or her data pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d.) personal data has been processed unlawfully;
e.) the personal data must be erased to comply with a legal obligation under EU or Member State law applicable to the Controller;
f.) the personal data were collected in connection with the provision of information society services referred to in Article 8(1) of the Regulation.
2./ If VAVAVIN Kft. has made the personal data public and is obliged to erase them pursuant to point 1./ above, it shall take reasonable steps, taking into account available technology and the cost of implementation, to inform the Data Controllers processing the data that the data subject has requested the erasure of links to the personal data in question or of copies or replications of such personal data.
3./ Points 1./ and 2./ shall not apply if the data processing is necessary:
a.) for the purpose of exercising the right to freedom of expression and information;
b.) for the purpose of fulfilling an obligation under Union or Member State law applicable to the Controller which requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c.) on grounds of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3) of the Regulation;
d.) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in point 1 is likely to render impossible or seriously jeopardise such processing; or
e.) to assert, enforce or defend legal claims.
(Article 17 of the Regulation)
Right to restriction of data processing
1./ The data subject has the right to request that VAVAVIN Kft. restrict data processing if one of the following applies:
a.) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time that allows the Data Controller to verify the accuracy of the personal data;
b.) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
c.) the Data Controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defense of legal claims; or
d.) the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.
2./ If processing is restricted pursuant to point 1./, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or of a Member State.
3./ The Data Controller shall inform the data subject, at whose request data processing has been restricted pursuant to point 1./, in advance of the lifting of the restriction on data processing.
(Article 18 of the Regulation)
The right to data portability
1./ The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data have been provided, if:
a.) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, or on a contract pursuant to point (b) of Article 6(1) of the Regulation; and
b.) data processing is carried out in an automated manner.
2./ When exercising the right to data portability pursuant to point 1./, the data subject has the right to request the direct transmission of personal data between Data Controllers, if technically feasible.
3./ The exercise of this right shall be without prejudice to Article 17 of the Regulation. The said right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
4./ The right referred to in point 1./ may not adversely affect the rights and freedoms of others.
(Article 20 of the Regulation)
The right to object
1./ The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) of Article 6(1) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller) or point (f) of Article 6(1) of the Regulation (processing is necessary for the exercise of the legitimate interests pursued by the Controller or by a third party), including profiling based on those provisions. In such a case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
2./ If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for this purpose, including profiling, if it is related to direct marketing.
3./ If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.
4./ The right referred to in points 1./ and 2./ must be expressly brought to the attention of the data subject at the latest during the first contact, and the relevant information must be displayed clearly and separately from all other information.
5./ In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.
6./ Where personal data are processed for scientific and historical research purposes or for statistical purposes pursuant to Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
(Article 21 of the Regulation)
Automated decision-making in individual cases, including profiling
1./ The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would produce legal effects concerning him or her or similarly significantly affect him or her.
2./ Point 1./ shall not apply if the decision:
a.) is necessary for the conclusion or performance of a contract between the data subject and the Data Controller;
b.) is permitted by Union or Member State law applicable to the Controller, which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
c.) is based on the explicit consent of the data subject.
3./ In the cases referred to in points a) and c) of point 2./, the Data Controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Data Controller, to express his or her point of view and to object to the decision.
4./ The decisions referred to in point 2./ shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.
(Article 22 of the Regulation)
Restrictions
1./ Union or Member State law applicable to the Controller or the Processor may, by means of legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation, as well as in Article 5 of the Regulation in so far as its provisions correspond to the rights and obligations set out in Articles 12 to 22, if the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect:
a.) national security;
b.) national defense;
c.) public safety;
d.) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e.) other important objectives of general public interest of the Union or of a Member State, in particular the important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
f.) protection of judicial independence and judicial proceedings;
g.) in the case of regulated professions, the prevention, investigation, detection of ethical violations and the conduct of related proceedings;
h.) in the cases referred to in points a) - e) and g) – even occasionally – control, investigation or regulatory activities related to the performance of public authority tasks;
i.) the protection of the data subject or the rights and freedoms of others;
j.) enforcement of civil law claims.
2./ The legislative measures referred to in point 1./ shall, where appropriate, contain detailed provisions on at least:
a.) the purposes of data processing or the categories of data processing,
b.) categories of personal data,
c.) the scope of the restrictions introduced,
d.) guarantees aimed at preventing misuse or unauthorized access or transmission,
e.) to define the Data Controller or to define the categories of Data Controllers,
f.) the duration of data storage and the applicable safeguards, taking into account the nature, scope and purposes of the data processing or categories of data processing,
g.) risks to the rights and freedoms of data subjects, and
h.) the right of data subjects to be informed about the restriction, unless this may adversely affect the purpose of the restriction.
(Article 23 of the Regulation)
Informing the data subject about the data protection incident
1./ If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the data breach without undue delay.
2./ The information provided to the data subject referred to in point 1./ shall clearly and intelligibly describe the nature of the data protection incident and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.
3./ The data subject does not need to be informed as referred to in point 1./ if any of the following conditions are met:
a.) the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures – such as the use of encryption – that make the data unintelligible to persons not authorized to access the personal data;
b.) the Data Controller has taken additional measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject referred to in point 1 is no longer likely to materialise;
c.) providing information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly published information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.
4./ If the Data Controller has not yet notified the data subject of the data breach, the supervisory authority, after considering whether the data breach is likely to involve a high risk, may order the data subject to be informed or may determine that one of the conditions referred to in point 3 is met.
(Article 34 of the Regulation)
Right to lodge a complaint with a supervisory authority
1./ Without prejudice to other administrative or judicial remedies, each data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes the Regulation.
2./ The supervisory authority to which the complaint has been submitted shall inform the complainant of the procedural developments related to the complaint and its outcome, including the fact that the complainant has the right to a judicial remedy pursuant to Article 78 of the Regulation.
(Article 77 of the Regulation)
Right to an effective judicial remedy against the supervisory authority
1./ Without prejudice to other administrative or non-judicial remedies, every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
2./ Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy if the supervisory authority competent pursuant to Articles 55 or 56 of the Regulation does not deal with the complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged pursuant to Article 77.
3./ Proceedings against the supervisory authority shall be brought before the court of the Member State in which the supervisory authority is established.
4./ Where proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall be obliged to send that opinion or decision to the court.
(Article 78 of the Regulation)
Right to an effective judicial remedy against the controller or processor
1./ Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy if, in their opinion, their rights under the Regulation have been infringed as a result of the processing of their personal data not complying with the Regulation.
2./ Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.
(Article 79 of the Regulation)
III.
MEASURES BASED ON THE REQUEST OF THE PARTY CONCERNED
§ 8 Data Protection Officer
Person responsible for data protection: Vanessza Vivien Vas
The data subject may contact the person responsible for data protection at hello@vavavin.com in order to enforce his or her rights.
§ 9 Measures based on the request of the data subject
VAVAVIN Kft. shall inform the data subject without undue delay, but in any case within 1 (one) month from the receipt of the request, of the measures taken in response to the request to exercise his/her rights. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further 2 (two) months. VAVAVIN Kft. shall inform the data subject of the extension of the deadline within 1 (one) month from the receipt of the request, indicating the reasons for the delay.
If the data subject has submitted the request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise. If VAVAVIN Kft. does not take action on the data subject's request, it shall inform the data subject without delay, but at the latest within 1 (one) month from the date of receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his/her right to a judicial remedy. VAVAVIN Kft. shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the data subject's rights (Articles 15-22 and 34 of the Regulation), and shall take the requested action, free of charge.
If the data subject's request is clearly unfounded or excessive, in particular due to its repetitive nature, the Data Controller may charge a fee for the administrative costs of providing the requested information or communication or taking the requested action, or may refuse to take action based on the request.
The Data Controller shall bear the burden of proving that the request is clearly unfounded or excessive. If VAVAVIN Kft. has reasonable doubts regarding the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the data subject.
IV.
ENSURING THE LAWFULNESS OF DATA PROCESSING
§ 10 Lawfulness of data processing
The processing of personal data is only lawful if and to the extent that at least one of the following is met:
the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering into a contract;
the processing is necessary for compliance with a legal obligation to which the controller is subject;
the processing is necessary to protect the vital interests of the data subject or another natural person;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
§ 11 Data processing based on the consent of the data subject
In the case of data processing based on consent, the data subject's consent must be requested in the form of a consent statement. The consent covers all data processing activities carried out for the same purpose or purposes. If the data processing serves multiple purposes at the same time, the consent must be given for all data processing purposes.
Where the data subject gives his/her consent in the form of a written statement which also applies to other matters – e.g. the conclusion of a sales or service contract – the request for consent shall be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a statement containing the data subject's consent which infringes the Regulation shall not be binding.
The withdrawal of consent must be made as easy as the granting of it. If the personal data were collected with the consent of the data subject, the data controller may, unless otherwise provided by law, process the collected data for the purpose of fulfilling a legal obligation to which it is subject without further specific consent and even after the data subject has withdrawn his consent.
§ 12 Data processing based on compliance with a legal obligation
Data processing based on the legal obligation is independent of the data subject's consent, as the data processing is determined by law.
The data subject must be informed before the start of data processing that the data processing is mandatory, and must be informed clearly and in detail about all facts related to the processing of his or her data, in particular about the purpose and legal basis of the data processing, the person authorized to process the data, the duration of the data processing, whether the data controller processes the data subject's personal data based on a legal obligation applicable to it, and who may have access to the data. The information must also include the data subject's rights and legal remedies in relation to the data processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the above information.
§ 13 Data processing based on legitimate interest
The legitimate interests of the controller, including the controller to whom the personal data may be disclosed, or of a third party, may constitute a legal basis for processing, provided that the interests, fundamental rights and freedoms of the data subject are not overridden, taking into account the reasonable expectations of the data subject in the context of his or her relationship with the controller. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example where the data subject is a client of the controller or is employed by the controller. In order to determine whether a legitimate interest exists, it is necessary to carefully examine, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that the data may be processed for that purpose. The interests and fundamental rights of the data subject may prevail over the interests of the controller if the personal data are processed in circumstances in which the data subject does not expect further processing. Since it is the task of the legislator to determine in law the legal basis on which public authorities may process personal data, the legal basis supporting the legitimate interest of the data controller cannot be applied to data processing carried out by public authorities in the performance of their tasks.
The processing of personal data strictly necessary for the prevention of fraud is also considered to be a legitimate interest of the data controller. The processing of personal data for direct marketing purposes is also considered to be based on a legitimate interest.
V.
DATA PROCESSING RELATED TO CUSTOMERS / BUSINESS PARTNERS
VAVAVIN Ltd. operates the website https://vavavin.com/.
With regard to Section 13/A of Act CVIII of 2001 on electronic commerce services and certain issues of information society services, and Government Decree 45/2014 (II. 26.) on the detailed rules of contracts between consumers and businesses, purchases made on the website operated by VAVAVIN Kft. are considered to be a contract concluded between the data subject and VAVAVIN Kft. VAVAVIN Kft. may process the personal identification data and address necessary for the identification of the buyer registering in the web store under the legal title of Section 13/A (1) of Act CVIII of 2001, as well as his/her telephone number, e-mail address, bank account number, and online identifier under the legal title of consent.
VAVAVIN Kft. may process personal identification data, address and data relating to the use of information society services for billing purposes, pursuant to Section 13/A.§ (2) of Act CVIII of 2001. VAVAVIN Kft. may process personal data which are technically indispensable for the provision of the service for the purpose of providing the service. All other conditions being the same, VAVAVIN Kft. must select and in all cases operate the means used in the provision of information society services in such a way that personal data are processed only if this is absolutely necessary for the provision of the service and for the fulfilment of other purposes specified in this Act, but even in this case only to the extent and for the period necessary.
§ 14 Processing of data of natural person customers/business partners
Legal basis for data processing:
performance of contract
voluntary consent
fulfillment of legal obligations
Data processing is also considered lawful if the data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract. The data subject (as well as the sole proprietor) must be informed before the start of data processing that the data processing is based on the legal basis of the performance of the contract; this information may also be provided in the contract.
Recipients of personal data:
VAVAVIN Ltd.
possibly: courier (data processor)
accountant
The purpose of data processing is:
performance of the contract
keeping in touch
invoicing
The data processed:
name
address (billing/shipping address)
email address
phone number
any data necessary for the performance of the contract
Duration of storage of personal data:
for 10 (ten) years from the date of order
In the event of a request for deletion, data not subject to Act C of 2000 on Accounting will be deleted immediately. Data subject to Act C of 2000 on Accounting will be deleted 8 (eight) years after the date of issue of the invoice.
VAVAVIN Ltd. carries out the following general data processing process with regard to natural person customers / business partners:
Data processing process
VAVAVIN Ltd.
contract performance
VAVAVIN Ltd.
invoicing
VAVAVIN Ltd.
possibly: delivery
data processor: courier
complaint handling
VAVAVIN Ltd.
§ 15. Processed data of legal entity customers/business partners
Legal basis for data processing:
performance of contract
voluntary consent
fulfillment of legal obligations
Data processing is also considered lawful if the processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract.
Recipients of personal data:
VAVAVIN Ltd.
possibly: courier (data processor)
accountant
Purpose of data processing:
performance of the contract
keeping in touch
invoicing
The data processed:
company name
headquarters
tax number
phone number
email address
any data necessary for the performance of the contract
Duration of storage of personal data:
for 10 (ten) years from the date of order
In the event of a request for deletion, data not covered by Act C of 2000 on Accounting will be deleted immediately.
data subject to Act C of 2000 on Accounting for 8 (eight) years from the date of issue of the invoice
VAVAVIN Ltd. carries out the following general data processing process with regard to legal entity clients/business partners:
Data processing process
VAVAVIN Ltd.
performance of contract
VAVAVIN Ltd.
invoicing
VAVAVIN Ltd.
possibly: delivery
data processor: courier
complaint handling
VAVAVIN Ltd.
§ 16. Data processing related to purchases on the website operated by VAVAVIN Kft.
Legal basis for data processing:
performance of the contract
fulfillment of legal obligations
Recipients of personal data:
VAVAVIN Ltd.
Purpose of data processing:
payment of purchase price
Duration of storage of personal data:
data subject to Act C of 2000 on Accounting for 8 (eight) years from the date of issue of the invoice
for other data, 10 (ten) years from the date of purchase
VAVAVIN Ltd. uses the credit card payment service of Stripe (510 Townsend Street San Francisco, CA 94103, USA). Credit card payments are made through Stripe's secure electronic payment interface.
The website does not access or store the bank card details used for payment, however, VAVAVIN Kft. can view the following data on the admin interface provided by Stripe:
the last 4 characters of the bank card
expiration date
bank card type
bank card issuer
name on bank card
email address
title
phone number
You can access payment transaction information on the following website:
https://stripe.com/en-hu/privacy
The data subject is responsible for the correctness of the bank card details provided. VAVAVIN Kft. draws the data subject's attention to the fact that he/she must manually enter the bank card details in the system and always check the feedback received to his/her e-mail address. The proper processing of the payment transaction, the management of the bank card details, the encryption of the data and the security of the process are carried out and ensured by Stripe.
§ 17. About visitor data management
Cookies are short data files that are placed on the user's computer by the website being visited. The purpose of a cookie is to make the given infocommunication and internet service easier and more convenient. According to the European Commission's guidelines, cookies (unless they are absolutely necessary for the use of the given service) can only be placed on the user's device with the user's permission. In the case of cookies that do not require the user's consent, information must be provided during the first visit to the website.
When visiting the website https://vavavin.com/, the user can accept with one click that the website uses cookies that are not suitable for identifying individuals. If the user blocks the installation of cookies on their computer in their own browser or deletes them, this may limit the usability of the website (or certain parts of it), and the settings previously specified on the given website may be lost.
Essential cookies:
These cookies are necessary to enable the user to navigate between pages and subpages, and to access protected content (e.g. only accessible to registered users).
Functional cookies:
These cookies are necessary for VAVAVIN Ltd. to collect information about the user's website usage habits (e.g. language used, automatic form completion). VAVAVIN Ltd. ensures that the visitor can learn at any time before and during the use of the website's information society-related services which types of data VAVAVIN Ltd. processes for which data processing purposes, including the processing of data that cannot be directly linked to the user.
The cookies used by VAVAVIN Ltd. do not remember any visitor ID or password.
Further information:
www.allaboutcookies.org
www.aboutcookies.org
§ 18 Use of Google Analytics
VAVAVIN Kft.'s website ( https://vavavin.com/ ) uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on the data subject's computer, thus facilitating the analysis of the use of the website visited by the User.
The information generated by the cookie about the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google will shorten the User's IP address beforehand within member states of the European Union or in other states party to the Agreement on the European Economic Area.
The full IP address will only be transmitted to a Google server in the USA and shortened there in exceptional cases. On behalf of the website operator, Google will use this information to evaluate how the user uses the website, to compile reports on website activity for the website operator and to provide other services relating to website and internet usage.
Within the framework of Google Analytics, the IP address transmitted by the User's browser is not linked to other Google data. The User can prevent the storage of cookies by setting their browser accordingly, however, in this case it is possible that not all functions of the website will be fully usable.
The data subject may also prevent Google from collecting and processing the data generated by cookies and relating to the User's use of the website (including the IP address) by downloading and installing the browser plugin available at the following link:
https://tools.google.com/dlpage/gaoptout?hl=en
§ 19 Application of Google Ads
VAVAVIN Kft.'s website https://vavavin.com/ uses Google Ads, a search marketing service provided by Google Inc. ("Google"). Google Ads primarily offers advertising opportunities on a PPC (Pay Per Click) basis.
Google Privacy Policy and Terms of Service:
https://policies.google.com/privacy?hl=hu&gl=hu
§ 20. Data processing related to newsletter service
The data subject registering for the newsletter service on the website may give his/her voluntary consent to the processing of his/her personal data and to subscribe to the newsletter by checking the relevant box. The data subject may unsubscribe from the newsletter at any time by using the “Unsubscribe” application of the newsletter, or by making a written or e-mail statement, which constitutes the withdrawal of consent. In such a case, all data of the unsubscriber must be deleted immediately.
The scope of personal data that can be processed:
the user's name
the user's email address
The purpose of processing personal data is:
send newsletter about VAVAVIN Kft. products / services
Promotion of VAVAVIN Kft.'s products/services in the subject
Legal basis for data processing:
the consent of the data subject
Recipients of personal data:
VAVAVIN Ltd.
Duration of storage of personal data:
until the registration/service is in place
until the data subject withdraws their consent
§ 21. Data processing on the Facebook page operated by VAVAVIN Kft.
VAVAVIN Kft. maintains a Facebook page to introduce and promote its services. A question asked on the VAVAVIN Kft. Facebook page does not qualify as an officially submitted complaint. VAVAVIN Kft. does not process personal data published by visitors on the VAVAVIN Kft. Facebook page.
Visitors are subject to Facebook's Privacy and Terms of Service. Facebook's Terms of Use can be found at the following link:
https://www.facebook.com/legal/terms
In the event of the publication of illegal or offensive content, VAVAVIN Ltd. may exclude the person concerned from membership or delete their comment without prior notice.
Facebook's Privacy Policy is available at the following link:
https://www.facebook.com/privacy/explanation
VAVAVIN Ltd. is not responsible for any illegal data content or comments published by Facebook users. VAVAVIN Ltd. is not responsible for any errors, malfunctions or problems arising from changes to the operation of Facebook.
§ 22. Data processing on the Instagram page operated by VAVAVIN Kft.
VAVAVIN Kft. maintains an Instagram page to introduce and promote its services. A question asked on the VAVAVIN Kft. Instagram page does not constitute an officially submitted complaint. VAVAVIN Kft. does not process personal data published by visitors on the VAVAVIN Kft. Instagram page.
Visitors are subject to Instagram's Privacy and Terms of Service. The Instagram Terms of Use can be found at the following link:
https://help.instagram.com/581066165581870
In the event of the publication of illegal or offensive content, VAVAVIN Ltd. may exclude the person concerned from membership or delete their comment without prior notice.
Instagram's Privacy Policy is available at the following link:
https://help.instagram.com/519522125107875
VAVAVIN Ltd. is not responsible for any illegal data content or comments published by Instagram users. VAVAVIN Ltd. is not responsible for any errors, malfunctions or problems arising from changes to the operation of Instagram.
§ 23 Information on data processors
VAVAVIN Ltd. may transfer the personal data of customers to a data processor in order to fulfill the legal obligations arising from the contractual relationship and the contract, as defined by law.
The data controller uses the following data processor for the purpose of performing courier activities:
Name of the data processor:
GLS General Logistics Systems Hungary Parcel Logistics Limited Liability Company
The data processor's registered office is:
2351 Alsónémedi, GLS Europe Street 2.
Data processor's Cg. number:
01 10 049225
Tax ID number of the data processor:
12369410-2-44
The data controller uses the following data processor for the purpose of performing online payment activities:
Name of the data processor:
Stripe
The data processor's registered office is:
510 Townsend Street San Francisco, CA 94103, USA
VI.
VAVAVIN Ltd.
DATA PROCESSING ACTIVITIES
§ 24 Data processing activities
VAVAVIN Ltd. carries out data processing in relation to the following activities:
marketing activity
graphic design activity
§ 25. Provision of guarantees by the data processor
VAVAVIN Kft. as a data processor guarantees – in particular in terms of expertise, reliability and resources – that it implements technical and organizational measures to ensure compliance with the requirements of the Regulation, including the security of data processing. VAVAVIN Kft. ensures in the course of its activities that persons authorized to access the personal data concerned – if they are not otherwise subject to an appropriate confidentiality obligation based on law – undertake a confidentiality obligation with respect to the personal data they have become aware of.
VAVAVIN Ltd. has appropriate hardware and software tools and undertakes to implement technical and organizational measures suitable for ensuring the legality of data processing and the protection of the rights of data subjects.
VAVAVIN Ltd. undertakes to provide the client data controller with all information necessary to demonstrate compliance with the legal provisions regarding the use of the data processor.
§ 26 Obligations and rights of VAVAVIN Ltd.
Right to instruct:
VAVAVIN Kft. acts exclusively on the written instructions of the Data Controller.
Confidentiality:
VAVAVIN Kft. ensures during its activities that persons authorized to access the personal data concerned – if they are not otherwise subject to an appropriate confidentiality obligation based on law – undertake a confidentiality obligation with regard to the personal data they have become aware of.
Data security:
VAVAVIN Ltd. implements appropriate technical and organizational measures in order to guarantee a level of data security appropriate to the degree of risk, taking into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and purposes of data processing, and the risk of varying likelihood and severity to the rights and freedoms of natural persons.
VAVAVIN Kft. takes measures to ensure that natural persons acting under its control and having access to personal data may only process the said data in accordance with the instructions of the data controller, unless they are obliged to deviate from this by EU or Member State law. VAVAVIN Kft. ensures that only authorized persons have access to the stored data through an internal system or by direct access, and solely in connection with the purpose of the data processing. VAVAVIN Kft. ensures the necessary, regular maintenance and development of the devices used. It places the device storing the data in a closed room with appropriate physical protection and ensures its physical protection. VAVAVIN Kft. is obliged to use persons with appropriate knowledge and experience in order to perform the tasks specified in the contract. It is also obliged to ensure the training of the persons it uses.
§ 27 Use of additional data processors
VAVAVIN Kft. undertakes to use additional data processors only if the conditions specified in the Regulation and the Infotv. are met. The data controller grants VAVAVIN Kft. a general authorization to use additional data processors (subcontractors).
VAVAVIN Kft. shall inform the data controller about the identity of the further data processor and the planned tasks to be performed by the further data processor before using the further data processor. If the data controller objects to the use of the further data processor on the basis of this information, the data processor shall be entitled to use the further data processor only if the conditions specified in the objection are met. If the data processor also uses the services of a further data processor for certain specific data processing activities performed on behalf of the data controller, it shall conclude a written contract for this purpose and shall impose the same data protection obligations on the further data processor as those set out in the contract concluded between the data controller and the data processor, in particular by providing appropriate guarantees for the implementation of appropriate technical and organizational measures and thereby ensuring that the data processing complies with the requirements of the Regulation. If the further data processor fails to comply with its data protection obligations, the data processor that commissioned it shall be fully liable to the controller for the further data processor's compliance with its obligations.
§ 28 Cooperation with the Data Controller
VAVAVIN Kft. assists the Data Controller with all appropriate means in the course of its activities to facilitate the enforcement of the rights of the data subjects and to fulfill its obligations in this regard. VAVAVIN Kft. assists the Data Controller in fulfilling the obligations under Articles 32 - 36 of the Regulation, taking into account the nature of the data processing and the information available to the data processor.
VAVAVIN Kft. shall provide the controller with all information necessary to demonstrate compliance with the obligations set out in Article 28 of the Regulation and to enable and facilitate audits, including on-site inspections, carried out by the controller or by another controller commissioned by it. VAVAVIN Kft. shall immediately inform the controller if it considers that any of its instructions infringe this Regulation or national or EU data protection provisions. VAVAVIN Kft. shall conclude a written contract with the client for the data processing activity.
VII.
DATA PROCESSING BASED ON LEGAL OBLIGATIONS
§ 29 Data processing for the purpose of fulfilling tax and accounting obligations
VAVAVIN Ltd. processes the data of natural persons (and also legal entities) entering into business relations with it, on the legal basis of fulfilling a legal obligation, for the purpose of fulfilling the tax and accounting obligations prescribed by law (accounting, taxation).
The data processed, in particular, pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax:
name
tax number
address (headquarters)
tax status
The data processed, in particular, pursuant to Section 167 of Act C of 2000 on Accounting:
name
tax number
address (headquarters)
identification of the person or organization ordering the economic transaction
the person who issues the order and certifies the execution of the order
inspector's signature
signature of the recipient and the payer
VAVAVIN Kft. – in general – is obliged to keep the report prepared for the business year, the business report, and the supporting inventory, valuation, general ledger extract, as well as the journal ledger or other records that meet the requirements of the law in a legible form for at least 8 (eight) years, in accordance with Section 169 (1) and (3) of Act C of 2000 on Accounting.
Accounting documents (including general ledger accounts, analytical and detailed records) that directly and indirectly support accounting records must be preserved in a legible form for at least 8 (eight) years, in a manner that can be retrieved by reference to the accounting records. The retention obligation also applies to damaged copies of strict accounting documents.
Recipients of personal data:
VAVAVIN Ltd.
accountant
§ 30 Data management concerning documents of lasting value according to the Archives Act
VAVAVIN Ltd. manages its documents that are considered to be of permanent value according to Act LXVI of 1995 on public documents, public archives and the protection of private archival material (Archives Act) in order to fulfill its legal obligation, with the aim of ensuring that the permanent value of VAVAVIN Ltd.'s archival material remains intact and usable for future generations.
Data storage period:
until transfer to the public archives
VIII.
DATA SECURITY MEASURES
§ 31 Data security measures
VAVAVIN Kft. is obliged to take the technical and organizational measures and establish the procedural rules necessary for the enforcement of the Regulation and the Infotv. in order to ensure the security of personal data in relation to all its data processing, for every purpose and legal basis. VAVAVIN Kft. protects the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access to them.
VAVAVIN Ltd. classifies and manages personal data as confidential data. VAVAVIN Ltd. processes and records data electronically and on paper using a computer program. VAVAVIN Ltd. processes and records data in accordance with data security requirements. VAVAVIN Ltd. protects its IT systems with a firewall and provides virus protection. The electronic program ensures that only those persons who need it to perform their duties have access to the data for a specific purpose and under controlled circumstances.
VAVAVIN Ltd. ensures the control of incoming and outgoing electronic communication in order to protect personal data. Paper-based documents - especially those containing personnel, payroll and labor and other personal data - are stored by VAVAVIN Ltd. in a lockable place so that only those persons who need it to perform their duties have access to them.
During the automated processing of personal data, the data controller and the data processor shall take additional measures to ensure:
a.) preventing unauthorized data entry;
b.) preventing the use of automatic data processing systems by unauthorized persons using data transmission equipment;
c.) the ability to verify and establish to which bodies the personal data have been or may be transmitted using data transmission equipment;
d.) the ability to verify and establish which personal data were entered into automatic data processing systems, when and by whom;
e.) the restorability of installed systems in the event of a malfunction and
f.) that a report be prepared on errors occurring during automated processing.
Adequate physical protection of data and the devices and documents that carry it must be ensured.
IX.
HANDLING DATA PROTECTION INCIDENTS
§ 32. Definition of data protection incident
Data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed.
(Regulation Article 4, paragraph 12)
§ 33. Handling of data protection incidents
VAVAVIN Ltd. is responsible for preventing and handling data protection incidents and complying with the relevant legal requirements. Accesses and access attempts must be logged on IT systems and these must be continuously analyzed. If VAVAVIN Ltd. detects a data protection incident in the course of performing its tasks, it must immediately investigate it and in the process identify the incident and decide whether it is a real incident or a false alarm.
It is necessary to examine and determine:
a.) the time and place of the incident,
b.) description of the incident, its circumstances and effects,
c.) the scope and quantity of data compromised during the incident,
d.) the range of persons affected by the compromised data,
e.) a description of the measures taken to address the incident,
f.) a description of the measures taken to prevent, remedy and reduce the damage.
In the event of a data breach, the affected systems, people, and data must be isolated, and evidence supporting the incident must be collected and preserved. Only then can the damage be repaired and lawful operations restored.
§ 34. Registration of data protection incidents
A record of data protection incidents must be kept, which includes:
a.) the scope of the personal data concerned,
b.) the scope and number of those affected by the data protection incident,
c.) the date of the data protection incident,
d.) the circumstances and effects of the data protection incident,
e.) the measures taken to remedy the data protection incident,
f.) other data specified in the legislation prescribing data processing.
§ 35 Levels of data protection incidents
Low level: unauthorized transmission, alteration, disclosure, intentional or accidental destruction of a negligible amount of personal data or other unlawful data processing.
Medium level: unauthorized transmission, alteration, disclosure, intentional or accidental destruction of a small number of personal data or other unlawful data processing.
High level: unauthorized transmission, alteration, disclosure, intentional or accidental destruction of a wide range of personal data or other unlawful data processing, or any case where the incident is likely to have an adverse impact on the data subject or the occurrence of an adverse consequence is certain.
Data relating to data protection incidents included in the register must be retained for 5 (five) years.
X.
FINAL PROVISIONS
§ 36 Establishment and amendment of the Regulations
VAVAVIN Ltd. is entitled to establish and amend the Regulations.
§ 37 Entry into force of the Regulations
These Regulations will be announced and communicated at VAVAVIN Kft. in the locally customary manner, and they automatically enter into force upon that communication.
§ 38. Measures to make the Regulations known
The provisions of this Policy must be made known to all business partners (customers) of VAVAVIN Kft., and in all places where partners have business relations with VAVAVIN Kft., it must be stipulated that compliance with and enforcement of this Policy is a material obligation of every business partner (customer).