JPF World Szolgáltató Korlátolt Felelősségű Társaság
Data Controller: JPF World Szolgáltató Korlátolt Felelősségű Társaság
Address: 1016 Budapest, Orom utca 20/B.
Represented by: Polgár Judit
e-mail: webshop@polgarjudit.hu
DATA PROCESSING POLICY
Effective Date: September 15, 2020
Contents
III. Purpose, effect and principle of the Policy
IV. Data processing implemented by Data Controller
IV/A. Data processing carried out in connection with the registration to the online webshop
IV/B. Data processing carried out in connection with the purchase and delivery from the webshop
IV/C. Data processing related to online visitors
IV/D. Usage of "Cookies"
V. Rights of the personal data holders
V/A. Right to being informed
V/B. Right to rectification
V/E. Right to restriction of processing
V/F. Right to data portability
VI. Data Processing Officer
VII. Data security and the regime of data storage
VIII. Data forwarding regime
IX. Protocol to be followed in the case of a data protection incident
The JPF World Szolgáltató Korlátolt Felelősségű Társaság (hereinafter referred to as: Data Controller)
for the purpose of being compliant with Regulation (EU) 2016/679 of the European Parliament and of the Council applicable starting with the day of May 25, 2018 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR [General Data Protection Regulation]), and
for the purpose of being compliant with Act CXII of year 2011 on the right to Informational self-determination and freedom of information (hereinafter: “Privacy Act”), and
Act V of 2013 (hereinafter: “Civil Code”), and
Act C of 2000 (hereinafter: “Szvtv.”), and
Act CLV of 1997 (hereinafter: “Fogyvéd tv.”), and
Act XLVIII of 2008 (hereinafter: “Grt.”), and
Act CVIII of 2001 (hereinafter: “Eker.”)
for the purpose of enhanced protection of the online webshop (hereinafter: Webshop) organised by Data Controller and through this of the personal data of the natural persons that will get into contact with Data Controller, and the lawful, fair and transparent processing of these personal data, and determining the method of their use, and
for the purpose of adaptation to the changing legal environment and sustaining the commitment of Data Controller in respect of data protection and together with this sustaining the trust that exists towards the participants
DECLARES THE FOLLOWING POLICY:
I. Data of Data Controller
Company name of Data Controller: JPF World Szolgáltató Korlátolt Felelősségű Társaság
Registered seat of Data Controller: 1016 Budapest, Orom utca 20/B.
Registration number of Data Controller: 01-09-197016
Tax number of Data Controller: 25053328-2-41
Phone number of Data Controller: 0670/9053232
Electronic contact address of Data Controller: webshop@polgarjudit.hu
Represented by: Polgár Judit managing director
II. Definitions
In this Policy the following terms will have the following meanings:
Data Subject: any natural person, who is identified or who may be identified (directly or indirectly) based on access to his/her personal data – e.g. name, residential address, personal identification code, etc. – or based on his/her one or more known characteristics, which may be the physical, physiological, economic, cultural or social identification characteristics of the given natural person.
Personal Data: any information referring to the data subject – especially the name, the personal identifier of the data subject or one or more pieces of information concerning his/her physical, physiological or mental, economic, cultural or social characteristics – and any conclusion that may be drawn in connection with the data subject from information and data of this kind.
Sensitive Data: personal information concerning race, ethnic origin, political views or political party membership, religious belief, world view, memberships in special organisations, sexual life, health condition, pathological tendencies, and criminal registers.
Data Controller: a natural person, legal person, or an organisation without legal personality, which alone or together with others determines the purposes and means of processing the personal data, makes the decisions concerning the processes of data processing, executes these processes or has data processors execute them, and who is liable for their lawfulness.
Data Processing by Data Processor: all the data processing operations done by the data processor, who acts upon the assignment or order issued by data controller.
Data Processor: a natural person, legal person or an organisation without legal personality, who upon the assignment or order issued by data controller implements data processing operations and who processes personal data.
Data Processing: any operation or the combination of operations done involving personal data with or without automated procedures, including collection, evaluation, classification, structuring, saving, blocking, searching, use, granting access, distribution, grouping or compilation, destruction, erasure or any other form of destruction. The processing of personal data covers photo, audio and visual registers and recording any physical property in such a manner that may be used for identifying persons and saving into one registration list the contact keeping data of a natural person.
Consent: the voluntary, express, unambiguous agreement of a data subject – given based on being appropriately informed – to the processing and using of his/her personal data for general purposes or for a specific operation.
Objection: the statement of data subject declaring that data subject objects to the processing of his/her personal data and he/she demands the restriction of the processing of his/her personal data or he/she demands the erasure of the stored data.
Restriction of data processing: blocking the stored personal data by marking it with the aim of limiting their processing in the future.
Profiling: automated processing of personal data in any form for the purpose of using the results for the evaluation of several personal aspects connected to a natural person and, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements.
Pseudonymisation: processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information that is stored separately and which is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Collection of Personal Data: a methodical procedure, or a combination of processes with the aim to collect personal information to be stored on devices for the purpose of immediate and/or future processing.
Storing of Personal Data: preserving the data in a form that makes their further processing possible.
Destruction of Personal Data: total physical destruction of the equipment that contains the personal data.
Biometric Data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Data forwarding: making the data accessible to a specific third person.
Publishing: making the data accessible to anybody.
Erasure of the Data: a procedure for ensuring that the data will become uninterpretable in order to make their restoration or recapturing impossible.
Authority: National Authority for Data Protection and Freedom of Information (NAIH)
III. Purpose, effect and principle of the Policy
- The purpose of this Policy is to define and ensure the lawful regime of registering the personal data processed by Data Controller in respect of the guests, as natural persons, during the purchase and the delivery from the online webshop (including online shopping, return, exchange, delivery, product delivery, advertising, purchase price refund), to ensure that Data Controller processes and stores the data of the involved natural persons according to the prevailing legal conditions, and to ensure that the right of these natural persons to the protection of personal data will not be violated. Data Controller shall observe above all the provisions of the GDPR, of the Privacy Act and of this Policy during processing the personal data of the Data Subjects.
- This policy shall be applied in all those cases, when Data Controller processes the personal data of natural persons partially or entirely in an automated manner, and in those cases as well, when the non-automated data processing of the personal data is a part of a registration system, or they wish to integrate it into a registration system of this type.
- Data Controller shall observe during the processing of the personal data the following principles that are defined in the legislation referring to data processing (Section 5 (1) of the GDPR and Section 4 of the Privacy Act):
- In the interest of lawfulness, fairness and transparency, Data Controller shall process the personal data in line with the legal provisions, and it shall inform the data subjects in a transparent, proper and comprehensive manner about the extent of data processing and its consequences
- personal data may be exclusively processed for clearly defined and lawful purposes, for exercising a right and/or obligation, exclusively in a manner that is in harmony with the above purposes, and data processing in each of its phases has to correspond to the purpose of data processing
- data minimising – the personal data has to be adapted to the purpose of data processing, therefore, only those personal data may be processed, which are indispensable for realising the purposes of data processing, which are suitable for achieving the purpose, and personal data may be processed only up to the extent and for the period that is needed for realising the purpose
- the personal data have to be accurate, complete and up-to-date
- limitation of preserving the data – it is allowed to preserve the personal data in a form that allows the identification of the data subjects until it is needed in connection with achieving the given purposes of the data processing
- personal data retain their suitability for identifying the natural person during data processing as long as their connection to the data subject may be restored. The connection with the data subject may be restored if Data Controller has those technical conditions, which are needed for restoration
- integrity and confidentiality – establishing the technical and organisational measures required has to be ensured in the interest of the necessary protection of the personal data processed
- intervention into the private life of those persons whose personal data are being processed has to be minimised, and their rights, interests and freedoms protected by law have to be observed
- during processing and storing the personal data, their misuse, their loss, their unauthorised destruction and any other unauthorised activities involving them have to be prevented
- confidentiality has to be ensured during the data processing in respect of the connections between the employees of the Data Controller, its clients and the contractual partners of Data Controller.
IV. Data processing implemented by Data Controller
- All data processing implemented by Data Controller belongs under the effect of data protection. Data Controller is entitled to data processing in respect of personal data only if it has a legal title to do so.
- data processing is ordered by the law or – based on the authorisation given by law, within the scope defined therein, and in the case of data that are not classified as sensitive data or criminal personal data – it is ordered by the regulation of the local government for a purpose that is based on public interest
- processing the data is needed for performing a contract in which the personal data holder is one of the parties, or if it is needed for taking the steps upon the request of the personal data holder prior to signing the contract
- data processing is needed for performing a legal obligation that refers to the Data Controller
- data subject consented to the processing of his/her personal data for one or more specific purposes
- Data Controller implements its data processing activity without the involvement of a Data Processor. Data Controller shall not process any sensitive data and it shall not forward any data to any third person inland or abroad.
- During the data processing, the data controller is obliged to inform the owner of the personal data (data subject, customer) of the following prior to the establishment of the legal relationship with the owner of the personal data, at the same time as the first contact with the customer:
- Name, contact details and representative of the data controller;
- that the data subject also contributes to the processing of the data subject,
- the exact purpose, legal basis and specific scope of data processing;
- the planned time for storing personal data;
- the rights of the holder of the personal data;
- the possibility of lodging a complaint or a judicial remedy with the Authority.
5. The data controller is obliged to provide the information to the customer in a concise and comprehensible manner. In addition to providing the information, the Data Controller is obliged to make these Regulations available to the customer, to send them electronically to the customer's electronic delivery address upon request.
6. The Data Controller is obliged to delete from all its records the personal data with which the legal relationship has been terminated for any reason, unless the retention of personal data is required by law by the Data Controller.
IV/A. Data processing carried out in connection with the registration on the online webshop
- The purpose of data processing corresponding to this subsection is registration through the online webshop, so that by storing the data provided during registration, the Data Controller can provide a more convenient service to the Data Subject (e.g. the data of the data subject does not have to be provided when making another purchase).
- Data processing corresponding to this subsection is lawful only if Data Controller has an appropriate legal title to implement it.
- The legal basis of data processing according to Section 6 (1) a) of the GDPR is the consent of the data subject.
4. The data subject's consent is lawful if it is
- voluntary;
- based on adequate information; and
- a clear declaration of will.
The range of processed data, which is absolutely necessary for registration and the easier purchase for both the Data Subject and the Data Controller:
a. Surname and forenames of the data subject
b. E-mail address of the data subject
c. Telephone number of the data subject
d. Address / delivery address of the data subject (if different)
e. Tax number of the data subject (only for legal entities)
f. Name of contact person (if different from the Data Subject)
- The User is solely responsible for not making the name and password of the user used to access the website operated by the Data Controller available to an unauthorized third party, for not communicating, destroying or losing it to such a person. The Data Controller shall not be liable if the User's username and password or other data provided on the website are handled, made available to an unauthorized third party, disclosed to such a person, destroyed, lost, and there is a direct or indirect risk of it being disadvantaged.
- The consent of the Data Subject during registration may be revoked at any time. The revocation of the consent is effective regardless of the Data Controller's acknowledgment, and after the revocation the Data Controller is not entitled to provide the newsletter service in respect of the given User.
- The Data Controller is entitled to handle the personal data provided through the website until the User cancels the service. Cancellation / revocation does not prevent the use of other services on the website.
IV/B. Data processing carried out in connection with the purchase and the delivery from the online webshop
- The purpose of data processing according to this subsection is to carry out purchases, trial purchases, and the delivery and invoicing of the purchased product through the Webshop, during which a contractual relationship (sales contract) is established between the Data Subject and the Data Controller.
- Data processing corresponding to this subsection is lawful only if Data Controller has an appropriate legal title to implement it.
- The legal basis of data processing according to Section 6 (1) b) of the GDPR is performance of a contract. During the purchase, according to the Civil Code 6: 215. §, a sales contract is concluded between the parties, during which the Data Controller sells the product purchased in the Webshop to the Data Subject, who pays the purchase price. Furthermore, based on the Civil Code 6: 229. §, the Data Subject has the opportunity to purchase the product for trial, in which case, after testing the product which is the subject of the sales contract, he/she may state whether he/she wishes to purchase it permanently. Furthermore, according to the sales contract, the Data Controller undertakes to deliver the purchased / tested products to your home.
- In order to fulfill the above contractual conditions and obligations, the Data Controller processes the following personal data of the Data Subject during the purchase:
a. Surname and forenames of the data subject
b. E-mail address of the data subject
c. Telephone number of the data subject
d. Address / delivery address of the data subject (if different)
e. Bank account of the data subject (for payment, repayment)
f. Name of contact person (if different from the Data Subject)
- Another legal basis for data processing is the fulfillment of the Data Controller's post-sale invoicing obligation based on the Szvtv., that is, as defined in Article 6 (1) c) of the GDPR, fulfillment of the legal obligation of the Data Controller.
- In order to fulfill the above legal conditions and obligations, the Data Controller processes the following personal data of the Data Subject during the purchase:
- Surname and forenames of the data subject/ name of the legal entity
- Bank account of the data subject
- Tax number of the data subject (only for legal entities)
- Address of data subject
7. Duration of data processing under this subsection: 5 years after the termination of the legal relationship, starting from the provision of personal data.
8. Method of data processing according to this subsection: keeping an electronic register.
- The data controller is obliged to provide the information to the customer in a concise and comprehensible manner. In addition to providing the information, the Data Controller is obliged to make these Regulations available to the customer, to send them electronically to the customer's electronic delivery address upon request.
- The owner of the personal data has the right to voluntarily decide after the information whether he / she wishes to establish a contractual relationship.
- If the owner of the personal data does not wish to establish a legal relationship, the Data Controller shall not establish a legal relationship with the natural person concerned and shall not process his/her data.
- The Data Controller is obliged to delete from all its records the personal data with which the legal relationship with the holder has been terminated for any reason, unless the retention of personal data is required by law (e.g. tax legal relationship) for the Data Controller.
IV/C. Data processing related to online visitors
- Data controller by using the website created for the operation of the Webshop (webshop.jpchess.com), by registering on it, during the purchase, or only by visiting the website - for the relevant voluntary, pre-defined (newsletter service, marketing inquiries) data management with the consent of - is entitled to manage certain personal data of the persons visiting the website (hereinafter in this subsection: the User).
- The primary purpose of data management is to inform the Stakeholders: the Data Controller advertises the products of the Webshop with personalized content during the use of the newsletter service, notifies about current promotions, coupons, discounts or sweepstakes, and possibly collects statistical data. A further purpose of data management is to identify the Users, to correct the errors indicated during the use of the website, to inform the Users about the rights and obligations of the Users from these Regulations, and to handle possible disputes related to the use of the website.
- The Data Controller is entitled to use the personal data provided through the website for marketing purposes only with the prior consent of the User (Article 6 (1) (a) of the GDPR, Info tv. Section 5 (1), Grt. Section 6 (1) - (2)). If the User consents to the processing of his/her personal data, such data processing is valid until the consent is revoked. The data subject may withdraw his or her consent at any time by submitting a statement to the Data Controller's representative on paper, by post or electronically to the email address webshop@polgarjudit.hu.
- The website allows the User to subscribe to the newsletter at his / her own discretion, if he / she wishes to send it. The data subject can unsubscribe at any time.
- The data subject's consent is lawful if it is
- voluntary;
- refers to the use of the newsletter service.
- based on adequate information; and
- a clear declaration of will.
- The scope of data processed on the basis of the above, which is necessary for the search for marketing purposes and can only be managed on the basis of the data subject's consent:
a. the surname and first name of the User;
b. the email address managed by the User.
- The Data Controller reserves the right to terminate the newsletter service in respect of a given User at any time if it discovers that the Newsletter service is used by the User for a purpose other than its intended purpose, in particular to damage the Data Controller's reputation.
- The User's consent to use the newsletter service may be revoked at any time. The revocation of the consent is valid regardless of the Data Controller's acknowledgment, and after the revocation the Data Controller is not entitled to provide the newsletter service in respect of the given User.
- The Data Controller is entitled to handle the personal data provided through the website (necessary for the use of the newsletter service) until the User cancels the newsletter service. Cancellation / revocation does not prevent the use of other services on the website.
IV/D. Usage of "Cookies"
- Due to the fact of visiting the website managed by the Data Controller (Webshop.jpchess.com), the User may use data storage and data management in the User's terminal equipment to identify the User, facilitate further visits by the User, and for targeted advertising, other targeted content delivery and market research. In all cases, the User must give his/her consent to the use of cookies in addition to the information text “This website uses cookies” on the website, by activating the icon provided to express this consent.
- The User's consent to the use of cookies is not mandatory in order to visit the Website, however, without such consent, the Website or some of its sub-pages may not function properly or the User may be denied access to certain data.
- When using the website, certain user data is automatically processed by the Data Controller. These are the following data:
a. Certain data of a user's device for connecting to an open network via a website;
b. IP address used by the user.
- The sole purpose of the processing of this data is to enable the Data Controller to obtain website traffic data and to be able to properly detect and log any errors that may occur in connection with the website, as well as attempted attacks. The legal basis for such data management is, on the one hand, the consent of the User and, on the other hand, the protection of the legitimate interests of the Data Controller. The Data Controller fulfills the information on data management by publishing the content of this subsection on the website, and gives the User's acknowledgment and consent in this area to the Data Controller by visiting the website as an implied behavior.
- The User is solely responsible for not making the name and password of the user used to access the website operated by the Data Controller available to an unauthorized third party, for not communicating, destroying or losing it to such a person. The Data Controller shall not be liable if the User's username and password or other data provided on the website are handled, made available to an unauthorized third party, disclosed to such a person, destroyed, lost, and there is a direct or indirect risk of it being disadvantaged.
V. Rights of the personal data holders
- In respect of data processing the following rights are due – based on the GDPR and the Privacy Act - to those natural persons, whose personal data are processed by Data Controller due to any reason:
- right to being informed
- right to rectification
- right to access
- right to erasure
- right to limit data processing
- right to data portability
- right to object.
- The personal data holder may present its request electronically, on paper through regular post, or on paper at the registered seat of Data Processor by handing it over to a leading officer entitled to represent Data Controller.
- The person entitled to accept the request shall forward the request without any delay after its receipt to the data processing officer of Data Controller for the purpose of administering it. The data processing officer shall examine the request without any delay after receiving it and if he/she concludes that it is obviously unfounded or it was received from an unauthorised person, he/she will refuse its substantive investigation. If the request is not obviously unfounded and/or it was submitted by a person entitled to do so, the data processing officer will substantively investigate the request. The data processing officer shall inform the submitter of the request at the latest within 30 days after the receipt of the request about the judgement of the request (about the refusal of the request or about the performance of the request), and about the measures that were taken or initiated.
V/A. Right to being informed
- Data Controller shall make available to data subject without any delay the following data prior to starting the data processing operation it will execute or at the latest prior to starting the first data processing operation:
- the personal identification data of data controller, including the following data: name/company name, company register number, information that refers to being recorded in authentic registers and the contact keeping data
- the purpose of the planned processing of personal data, and the fact that if Data Controller will receive data in the future for any other purpose that is other than the purpose of original data collection, then Data Controller shall inform the data subject and will offer him/her the option of refusal;
- about the rights that are due to the data subject based on the Privacy Act and the GDPR, and the method through which these rights may be enforced
- about the duration of processing and retaining the personal data, about the aspects based on which this period was defined
- about the legal basis of processing the personal data, including references to the provisions of law, information on the scope and result of data processing,
- about the forwarding of the personal data to a third country (in this case information has to be provided about the appropriate measures that refer to the secure forwarding to the third country)
- Upon the request of data subject, Data Controller shall confirm whether the data provided are processed or not, and if it is applicable it has to allow data subject to access the personal data processed.
- Data Controller, upon request, shall inform data subject as follows about all those personal data of data subject, which it collected from other sources:
- exactly what personal data are processed by Data Controller
- the source of the personal data, and whether the data were obtained from sources that are available to the public or not
- the purpose of processing the personal data
- the legal basis based on which the personal data are processed, with reference to the relevant legal provisions
- the scope and results of the given data processing.
V/B. Right to rectification
- If Data Controller processes inaccurately or deficiently any personal data of the personal data holder, the data subject may request Data Controller to rectify without any delay the personal data that is processed inaccurately or to supplement without any delay the deficiently processed personal data based on the data that are provided and certified by the holder.
V/C. Right to access
- Data Subject is entitled to receive information and confirmation on whether the processing of his/her personal data was done or not. Data Controller shall provide this kind of information, including the confirmation as well.
- Data subject is entitled to request a copy of the personal data processed. The first copy shall be provided free of charge. For the additional copies a fee will be charged. The information that refers to a third person has to be recorded in the copies provided in a manner that is unsuitable for identification in the interest of protecting the rights of the third persons, since requesting a copy may not have a disadvantageous impact on the rights and freedoms of others. If this kind of anonymisation is not possible in the interest of protecting the rights of third persons, the data processing officer may not provide a copy.
V/D. Right to erasure
- The personal data holder is entitled to request the erasure of his/her personal data from all the registers of Data Controller. Data Controller shall erase without any delay after the receipt of the request the personal data requested to be erased, if any of the following reasons exists:
- the personal data is not needed for the purpose, which was the basis of data processing
- data processing has no legal basis
- it is proven that the Data Controller processed the personal data in an unlawful manner
- Data Controller is obliged to erase the personal data due to its obligation stipulated by law.
V/E. Right to restriction of processing
- The personal data holder may request from Data Controller to restrict data processing concerning its personal data, if:
- the personal data holder questions the accuracy of its personal data collected and stored by Data Controller, for the period of investigating the accuracy of these data; or
- data processing done by Data Controller is unlawful, and the personal data holder objects to the erasure of its collected and stored personal data; or
- the purpose of data processing terminated, and Data Controller does not need any more the collected and stored data, but the personal data holder requests the further (restricted) processing of the data in the interest of enforcing its legal demand or its protection; or
- the personal data holder exercises its right to object, for the period of investigating the lawfulness of the right to object
- Data Controller is entitled exclusively to store the restricted personal data. Data Controller may implement data processing of restricted personal data exclusively with the preliminary written consent of the holder, or in the interest of presenting, enforcing or protecting the holder’s legal interests, and from important public interests of the European Union or one of its member states.
- If the conditions of restricting the processing of the personal data do not exist, Data Controller shall release the restriction, and it shall inform the personal data holder about this in advance.
V/F. Right to data portability
- Data subject is entitled to receive the personal data referring to him/her that he/she made available to a data controller, in a structured, widely used and machine-readable format.
- When data subject exercises its right to data portability, the person responsible for the processing of the given personal data shall examine the request without any delay.
- Portable data have to be provided in a generally used, machine-readable format, and they may not be in a format that cannot be edited. The moving of the personal data has to be executed in a secure manner.
- Data subject may request that his/her personal data be personally delivered to him/her, or it may request them to be delivered to another data controller, whom data subject names in his/her portability related request.
- The request of data subject may not be performed in the following cases:
- forwarding is technically impossible, because the relevant technology does not fulfil the technical requirements that may be considered to be sufficient for the secure forwarding of the personal data, or
- performing the request would violate the rights of third persons.
- After refusing the request, the data subject shall be notified about the decision, including the reasons of refusal.
V/G. Right to object
- Data subject is entitled to object against a specific data processing even if the processing of the data is needed due to public interest or for the execution of a task that is implemented in the framework of exercising a public authority right and data controller is assigned to implement it, or if data processing is needed for the enforcement of the lawful interests or rights of the data controller or of a third party.
- After Data Controller accepts the objecting statement, Data Controller shall not be entitled to process the personal data involved in the interest of enforcing the lawful interest of Data Controller or of a third party, except if Data Controller proves that the processing of the data is justified by such a coercive lawful reason that enjoys priority over the interests, rights and freedoms of the data subject, or that it is connected to the presentation, enforcement or protection of legal claims.
VI. Data Processing Officer
- All those leading officers, employees or other persons having an employment targeting legal relationship with Data Controller, who implement data processing involving personal data (e.g. administration) shall observe the provisions of this Policy, and of the legal provisions that refer to data processing.
- The person of Data Controller, who is responsible and authorised to observe the data processing provisions (hereinafter referred to as the: Data Processing Officer) shall ensure and inspect that the data processing provisions defined in this Policy and in the legal provisions are observed by the leading officer, employees of, and other persons having an employment targeting legal relationship with the Data Controller.
- The Data Processing Officer of the Company: Polgár Judit managing director.
- The Data Processing Officer is elected by the primary organisation of the Data Controller from among its leading officers, employees and other persons having an employment targeting legal relationship with Data Controller; the duration of the legal relationship of the Data Processing Officer is adapted to the leading officer’s legal relationship, to the employment relationship or to the other legal relationships directed at employment. The legal relationship of the Data Processing Officer will be terminated if:
- the leading officer’s legal relationship, the employment relationship, or the other legal relationship directed at employment is terminated
- he/she renounces his/her office
- he/she dies
- the primary organisation of Data Controller recalls him/her from his/her post
- the primary organisation of Data Controller removes him/her from his/her post (due to serious obligation violation).
- Data Controller is not obliged to elect a Data Protection Officer defined in Sections 37-39 of the GDPR.
- Data Processing Officer shall fill in his/her post by the time he/she accepts being appointed to this post, or if it takes place later, then starting with the date that is defined in the appointment. The Data Processing Officer simultaneously with accepting the appointment shall undertake confidentiality in respect of personal data he/she learns in connection with being in this post.
- Task scopes of the Data Processing Officer:
- Data Processing Officer shall regularly inspect whether the persons obliged to do so observe the provision of this Policy during the everyday operation of Data Controller
- Data Processing Officer shall investigate the requests addressed to Data Controller – received from the personal data holders – and in the case of obviously not unfounded requests submitted by persons entitled to do so he/she shall take the necessary steps.
- Data Processing Officer shall keep contact and co-operate with the Authority, and – if needed – with the data protection authority
- Data Processing Officer, where the possibility of a data protection incident arises, shall investigate it and, in the case of a well-founded possibility, shall prevent the risks represented by the incident or mitigate them, and/or eliminate the violation of security
- Data Processing Officer shall report to the Authority or – if needed – to other member state data protection authorities the data protection incident that represents a risk from the aspect of the rights and freedoms of a natural person; in the case of a high risk he/she shall report it to the Authority or – if needed – to the other member state data protection authorities and/or inform the personal data holder;
- Data Processing Officer is entitled to present proposals to the primary organisation of Data Controller concerning the modification of its data processing practice
- Data Processing Officer is entitled to introduce into this Policy the legislative modifications that are connected to this Policy and to compile and publish the effective version of this Policy laid in a consolidated structure including the changes.
VII. Data security and the regime of data storage
- Data Controller during implementing data processing of personal data in each case shall fulfil the principles of lawfulness, fair procedures, transparency, being tied to the purpose, data minimising, accuracy, restricted storage, accountability and integrity and the confidential character of the data.
- Data Controller shall implement such appropriate technical and organising measures during defining the method of data processing and in the course of data processing – with taking into consideration the current status of science and technology, the costs of implementation, the character, the scope, the circumstances and objectives of data processing, and the risk of varying probability and severity involving the rights and freedoms of the personal data holders – the purpose of which is on one hand the realisation of the data protection principles, and on the other hand the integration of the guarantees that are needed for protecting the rights of the data subjects into the process of data processing.
- Data Controller shall place paper based documents in a well lockable room equipped with fire protection and asset protection equipment and he/she shall ensure that only the authorised administrators participating in active data processing and the leader of the Data Controller will have access to the documents. Data Controller shall implement the archiving of the paper-based documents. Data Controller shall preserve the archived documents for 8 years.
- Data Controller shall ensure that in the course of the electronic processing and storing, and forwarding of the personal data it will take all those technical and organisational measures that are needed for allowing the Data Controller to select that technical solution at the prevailing development status of technology, which guarantees the higher level protection of the personal data.
- Data Controller shall protect the personal data processed or stored by it, especially from unauthorised access, unauthorised changes, unauthorised forwarding, unauthorised publication, unauthorised erasure or unauthorised destruction, accidental destruction or damage, and against becoming inaccessible due to the changing of the applied technology.
- Data Controller shall carry out data processing in such a manner that it shall observe – in addition to observing the GDPR and the other data protection legal provisions – the basic rights of the personal data holders to family and private life, their other rights and freedoms.
- The provisions defined in this Policy concerning the storing of personal data equally refer to those personal data that are stored in paper-based or electronic format, which are a part of the registration system and/or which are processed by Data Controller partially or fully in an automated manner. Data Controller uses assets that are owned by it for electronically storing personal data, and it keeps the paper-based registers in real estates that are either owned or used by it, which are used by Data Controller either as registered seat, premises or branch offices.
- The personal data that are collected and stored in the interest of data processing done by Data Controller may be processed exclusively for the purpose that is defined in this policy or by law, under an appropriate legal title.
- The personal data collected and stored by Data Controller have to be retained during the duration of data processing, which will prevent unauthorised persons getting access to them. Data Controller shall ensure the following in respect of the collected and stored data:
- unauthorised third persons will not get access to them
- they will not be subject to unauthorised data processing
- unauthorised persons will not be able to change, forward, publish, erase them
- unauthorised persons will not modify them, and they will not be destroyed, erased or made inaccessible accidentally or without authorisation
- it will protect them from being lost or damaged.
- Data Controller in the course of its data processing or related organising activity shall take into consideration the prevailing status and the development of science and technology. It shall make efforts, in the interest of sustaining data security for applying the securest technology possible, which guarantees data security that corresponds to the extent of the existing risk, in the interest of protecting the personal rights and freedoms of natural persons.
- The processed personal data may be learnt exclusively by the employees of Data Controller and persons having another employment targeting legal relationship with Data Controller up to the extent that is absolutely necessary for performing their job-related obligations.
- All those persons that are employed by Data Controller and all those persons having an employment targeting relationship with Data Controller, who process personal data during performing their job related obligation shall – by observing always this Policy and the relevant legal provisions – protect and retain the personal data and prevent unauthorised access to them, and ensure that the personal data will be exclusively used for the purpose that is set in advance.
VIII. Data forwarding regime
- Data Controller – in case it is required to forward the data – shall inform the personal data holder of the following:
- the name and contact data of the addressee of data forwarding and/or its representative
- about the fact that it consents to getting acquainted with the information concerning data forwarding and to the data forwarding
- about the exact purpose and specific scope of data forwarding
- the rights that are due to the personal data holder
- the possibility of addressing a complaint to the Authority or presenting a court legal remedy.
- If data forwarding is targeting a state of the European Economic Area – other than Hungary, Data Controller shall investigate the level of protection that is ensured by the relevant legal provisions of the given state concerning the protection of personal data. If data forwarding is targeting a state that is other than the states of the European Economic Area, then it shall investigate whether the conditions defined by law of data forwarding exist in this state or not and it shall inform the data subjects about the potential security risks of data forwarding implemented to outside the area of the EEA, and the data subjects have to expressly give their consent to this kind of data forwarding.
- Data Controller shall ensure, in the case of forwarding personal data for statistical purposes, that it will not be possible to match the personal data holder and the data sent for statistical purposes.
IX. Protocol to be followed in the case of a data protection incident
- A data protection incident is a violation of security which leads to the accidental or unlawful destruction, loss, changing, unauthorised communication of, or unauthorised access to the personal data forwarded, stored or processed in another manner by Data Controller.
- In the case of a data protection incident, the Data Controller at the latest 72 hours after it learns of the data protection incident shall report it to the National Authority for Data Protection and Freedom of Information, except if the data protection incident does not involve any risk in respect of the rights and freedoms of the personal data holder.
- The report has to contain the following:
- the character of the data protection incident, the categories and the approximate numbers of the data subjects and of the data involved
- the data and contact data of Data Controller
- the probable consequences that may arise from the data protection incident
- introduction of the measures made or planned for the remedying of the data protection incident for the mitigation of its consequences.
- If the data protection incident probably will involve a high risk from the aspect of the rights and freedoms of the personal data holder, Data Controller shall inform the data subject about the data protection incident without any delay.
- If the leading officer, employee of Data Controller or another person having a legal relationship with Data Controller targeting employment experiences that in respect of the personal data collected and stored by Data Controller the possibility of security violation may exist, he/she shall inform the Data Processing Officer about this without any delay (hereinafter referred to as: Warning). The violation of security means all those circumstances as a result of which a damage occurs in the system and/or registrations of Data Controller, contrary to the data security provisions. The violation of security does not necessarily mean the fact of the occurrence of a data protection incident.
- The Data Processing Officer shall investigate and evaluate the situation without any delay after the issuing of the warning. The investigation has to cover all the elements of the circumstance indicated as a possibility of the violation of security, and the investigation of all the registers involved in the Warning, and thus the investigation of the situation of the personal data.
- Data Processing Officer in the course of his/her investigation shall primarily establish whether the violation of security did actually occur or not. If Data Processing Officer establishes that the security was not violated, he/she shall terminate his/her procedure and shall prepare a report on the result of his/her investigation for the management of Data Controller, and he/she will register this report.
- If Data Processing Officer establishes that security was violated, then secondarily he/she shall investigate whether a data protection incident occurred or not. If Data Processing Officer establishes that there was no data protection incident, he/she shall introduce all those measures that are required for restoring security, and he/she shall terminate his/her procedure and shall prepare a report on the result of the investigation for the management of Data Processor, and he/she will register this report.
- If Data Processing Officer establishes that simultaneously with the violation of security a data protection incident also occurred, he/she shall thirdly investigate whether the data protection incident means any risk in respect of the rights and freedoms of the personal data holder involved or not. If he/she establishes that the data protection incident does not involve any risk of this type, he/she shall introduce all those measures that are needed for restoring security, and he/she shall terminate his/her procedure and will prepare a report on the result of the investigation for the management of Data Processor, and he/she will register this report.
- If Data Processing Officer establishes that simultaneously with the violation of data security a data protection incident occurred that represents a risk in respect of the rights and freedoms of the personal data holders involved, Data Processing Officer shall investigate the extent of this risk. If the data protection incident means a risk in respect of the rights and freedoms of the personal data holders involved, he/she shall prepare a report on the results of his/her investigation for the management of Data Processor, and he/she shall register this report, and shall report it to the Authority or – as required – to other member state data protection authorities.
- If the investigation of the Data Processing Officer establishes that the data protection incident represents a high risk in respect of the rights and freedoms of the personal data holders involved, he/she shall prepare a report on the result of his/her investigation for the management of Data Controller and he/she shall register this report, and he/she shall report it to the Authority or – if required – to the other member state data protection authorities, moreover he/she shall inform the personal data holders involved about the data protection incident.
- Data Processing Officer shall not report the incident, in case the data protection incident probably does not involve a risk from the aspect of the rights and freedoms of natural persons. Data Processing Officer shall prepare the evaluation that refers to the existence of any risk with taking into consideration all the circumstances of the case. He/she shall prove and include in a report the condition that the data protection incident does not involve any risk concerning the rights and freedoms of natural persons, and he/she shall introduce those steps that are required for restoring security.
- Data Processing Officer shall inform the personal data holders about the following:
- the fact and character of the data protection incident
- the name and contact data of the Data Processing Officer
- the possible consequences of the data protection incident
- the means data controller used for mitigating the high risk that occurred as a result of the data protection incident and for restoring the status that existed prior to the incident.
- Data Processing Officer shall provide the information in a relevant language understood by the personal data holders and with simple phrasing, and without any delay through a communication channel through which, according to the evaluation of the Data Processing Officer, it will reach the personal data holders the soonest. Data Processing Officer may also use several communication channels simultaneously for the purpose of performing the information providing obligation.
- Data Processing Officer may disregard the provision of information to the personal data holders, if
- the data protection incident does not mean a high risk concerning the rights and freedoms of the personal data holders, because for example the unauthorised third person to whom the personal data were disclosed is unable to access this personal data (due to encoding), and a copy of the personal data involved is in the possession of data controller;
- as a result of the steps that were taken without any delay after learning of the possibility of a data protection incident the possibility of a high risk did not even occur
- the risk caused as a result of the data protection incident cannot be considered to be high due to another reason.
- Data Processing Officer simultaneously with his/her reporting and information providing obligation, after the learning of the result of his/her investigation shall immediately take all those steps, which will terminate the violation of security and the data protection incident. In the framework of this, Data Processing Officer – depending on his/her possibilities and the circumstances – shall restore the integrity, accessibility and confidentiality of the personal data involved in the data protection incident. Data Processing Officer shall prepare a report on the steps he/she has taken for the leading officer of the Data Controller.
X. Legal remedy
- If the personal data holder experiences in respect of the processing of his/her personal data that Data controller violates the contents of the data protection legal provisions, in the interest of protecting his/her rights he/she may turn to the court of regional jurisdiction, or to the National Authority for Data Protection and Freedom of Information.
- Contact data of the National Authority for Data Protection and Freedom of Information:
Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Electronic contact data: ugyfelszolgalat@naih.hu
Website: http://naih.hu
XI. Closing provisions
- This Policy will come into effect by being approved by the representative of Data Controller.
- This Policy shall be applied to all the legal relationships that exist on or that will be created after its effective date.
Budapest, September 15, 2020
JPF World Szolgáltató Korlátolt Felelősségű Társaság
represented by: Polgár Judit managing director
Glossary of keywords
személyes adat jogosultja | personal data holder
adatkezelő | data controller
adatfeldolgozó | data processor
adatkezelés | data processing
adatfeldolgozás | data processing by data processor
adatkezelési felelős | data processing officer
érintett | data subject