Data Management Policy of the processing of personal data of natural persons

DATA MANAGEMENT CLAUSE TO NATURAL PERSONAL CONTRACT

1. The data controller informs the contracting part (hereinafter referred to as “person concerned”) that he / she treats the personal data provided in the contract for the performance of the contract.
2. Personal data are addressed to: the employees and partners of the Company who perform tasks related to customer service, accounting, taxation, and data processors.
3. The duration of the storage of personal data is 8 years after termination of the contract.
4. Personal data shall be handed over for tax purposes to the accountancy office entrusted to the company, for postal delivery to the Hungarian Post, in the case of statutory obligation to the public authorities.
5. Information about the rights of the natural person and the data processor can be found in the Privacy Policy available on the Company’s website.

 

CONTENT
  • INTRODUCTION
  • CHAPTER I. – THE DATABASE MANAGER
  • CHAPTER II. – DATABASE PROCESSORS
    • Our IT Service Provider
  • CHAPTER III. – INSURANCE OF LEGALITY OF DATA MANAGEMENT
    • Data management based on the consent of the person concerned
    • Data management based on the fulfillment of a legal obligation
    • Facilitating the Rights of the person concerned
  • CHAPTER IV. – VISITOR’S DATA MANAGEMENT ON THE WEBSITE – APPLICATION OF COOKIE
  • CHAPTER V. – INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED

 

INTRODUCTION

REGULATION (EU) No 2016/67 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (“the Regulation”), concerning the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation 95/46 /, provides that the Data Controller shall take appropriate measures to provide personal data management information in a concise, transparent, comprehensible and easily accessible form, clearly and concisely, and that the Data Controller shall facilitate the exercise of the rights of the data subject.

The obligation to inform the person concerned in advance provides in CXII. Law about the right to information self-determination and the freedom of information.

By the following informations we comply with this statutory obligation.

The information shall be published on the company’s website or sent to the person concerned upon request.

 

CHAPTER I.
THE DATABASE MANAGER

The publisher of this information, at the same time the Data Manager:
Company name: Pocket Car Hungary Ltd.
Head office: Hungary 1182 Budapest Somlókert street 17/A
Business Registration Number: 01 09 263859
Tax number: 10838851243

(hereinafter referred to as “the Company”)

 

CHAPTER II.
DATA PROCESSORS

“Data Processor” means any natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data controller; (Regulation Article 4/8)
The use of the data processor does not require the prior consent of the person concerned, but it is necessary to inform him / her. Accordingly, we provide the following information:

1. Our IT Service Provider

Our Company uses a data processor to maintain and manage our website, which provides IT services (hosting services) and – in the framework of this contract keeps – manages the personal data provided on the website, its operation is to store personal information on the server.

This data processor is named as follows:
Company Name: Webmillers Kft.
Company details: http://crefoweb.kesmarki.com/cr9319102149_EN

 

CHAPTER III.
INSURANCE OF LEGALITY OF DATA MANAGEMENT

1. Data management based on the consent of the person concerned

(1) If the Company wishes to perform data management based on consent, the consent of the person concerned for handling his or her personal data shall be requested by the content and information contained in the data request form specified in the data management rules.

(2) A consent shall also be deemed to be given when the person concerned checked a box when viewing the Company’s Internet site, making technical adjustments to the use of information society services, and any other statement or action that is relevant to that context the consent of the person concerned is clearly indicated for the intended treatment of his / her personal data. Silence, the foreground square or non-action is therefore not a consent.

(3) Contribution shall cover all data management activities for the same purpose or purposes. If data management serves multiple purposes at a time, the consent must be given for all data management purposes.

(4) If the person concerned provides the consent in the context of a written statement that applies to other matters – for example, concluding a sales and service agreement – the request for consent must be presented in a clearly distinct way from these other cases, in a clear and easily accessible form, with simple language. Any part of such a declaration containing the consent of the person concerned that violates the Decree shall not have binding force.

(5) The Company may not conclude a contract to fulfill that personal data which are not necessary for the performance of the contract.

(6) The withdrawal of consent should be allowed in the same simple way as the granting of the consent.

(7) If the personal data has been collected with the consent of the data subject, the data controller may handle the data recorded in the absence of a different provision of the law without the need for a separate legal contribution to fulfill its legal obligation and after the withdrawal of the consent of the person concerned too.

 

2. Data management based on the fulfillment of a legal obligation

(1) In the case of data processing based on a legal obligation, the provisions of the applicable law shall govern the scope of the manageable data, the purpose of data management, the length of the data storage, and the addressees.

(2) Data management based on the fulfillment of a legal obligation is independent of the consent of person concerned, as data management is defined by law. Before the data has been processed the person concerned must be informed that data management is compulsory and before the data has been processed the person concerned must be informed clearly and thoroughly of all the facts related to his or her data management, including the purpose and legal basis of data management, data handling and data processing persons, the duration of the data handling, and if the data processors handle the personal data of the person concerned on the basis of the legal obligation that he or she is responsible for, and on who will know the data.
The information should include the rights and remedies relating to data management involved.
In the case of mandatory data handling, communication may also be disclosed by making public the reference to the legal provisions containing the foregoing information.

 

3. Facilitating the Rights of the person concerned

In all data management the Company must ensure the exercise of the rights of the person concerned.

 

CHAPTER IV.
VISITOR’S DATA MANAGEMENT ON THE WEBSITE – APPLICATION OF COOKIE

1. The website visitor must be informed of the application of the cookies on the website and, with the exception of technically indispensable sessions (cookies), and must be requested consent.

 

2. General information about cookies

2.1. Cookie is a data that the visited website sends to the visitor’s browser (in variable name value format) to store it and later the same website can fill its contents. Cookies can have validation, valid until the browser closes, but for an unlimited period of time too. Later on all HTTP (S) requests will also send this information to the server. This changes the data on the user’s laptop.

2.2. The essence of the cookie is that by web site services naturally need to designate a user (eg entering the page) and can handle it accordingly with the following. The risk in the fact is that the user is not always aware of it and may be able to follow the user by the website operator or other service provider whose content is built into the site (such as Facebook, Google Analytics), resulting in a profile and in this case the contents of the cookie can be considered as personal information.

2.3. Types of Cookies:

2.3.1. Technically indispensable session cookie (s): without this the page simply would not work functionally, they would be used to identify the user, it needs to be handled if you have entered a site, what you did in the basket, etc. This typically stores a session-id; other data is stored on the server, making it safer. There is a security aspect when the session cookie value is not generated well, there is a risk of session hijacking, so it is imperative that these values are generated properly. Other terminology is called session cookie for each cookie that is deleted at the time of exit from the browser (a session is a browser usage from start to exit).

2.3.2. Cookies are providing usage: that cookies’ name which note the user’s choices, such as how the user want to see the page. These types of cookies are essentially the setting data stored in the cookie.

2.3.3. Cookies are providing performance: Although they do not have much to do with ‘performance’, they usually call cookies that gather information about the user’s behavior, and time spent, and clicks on the site. These are typically third-party apps (such as Google Analytics, AdWords, or Yandex.ru cookies). They are suitable for making the visitor profiling.

  • To learn more about Google Analytics cookies, please visit https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
  • To learn more about Google AdWords cookies, please visit: https://support.google.com/adwords/answer/2407785

2.4. Accepting or enabling cookies is optional. You can reset your browser settings to reject all cookies or to indicate when a cookie is just being sent. Most browsers accept cookies automatically as default, but they can usually be changed to prevent automatic acceptance and offer options every time. See the links below for the most popular browser cookie settings

  • Google Chrome: https://support.google.com/accounts/answer/61416
  • Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
  • Microsoft Internet Explorer 11: http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-11
  • Microsoft Internet Explorer 10: http://windows.microsoft.com/ en-gb /internet-explorer/delete-manage-cookies#ie=ie-10-win-7
  • Microsoft Internet Explorer 9: http://windows.microsoft.com/ en-gb /internet-explorer/delete-manage-cookies#ie=ie-9
  • Microsoft Internet Explorer 8: http://windows.microsoft.com/ en-gb /internet-explorer/delete-manage-cookies#ie=ie-8
  • Microsoft Edge: http://windows.microsoft.com/ en-gb /windows-10/edge-privacy-faq
  • Safari: https://support.apple.com/en-gb/HT201265

However, we also note that certain site features or services may not function properly without

 

3. Information on the cookies used on the Company’s website and on the data generated during the visit

3.1. The data set handled during the visit: The website of our Company may record and manage the following information about the visitor and the device of the browses:

  • the IP address used by the visitor,
  • browser type,
  • features of the operating system of the device used for browsing (set language),
  • visit date,
  • the (sub) page, function or service you have visited,
  • click.

These data are kept for up to 26 months and can be used primarily to test security incidents.

By accepting the Data Management Policy, the user agrees to receive the IP address for the purpose of performing the service, this information will not be forward to third parties.

 

3.2. Cookies on the website

3.2.1. Technically indispensable session cookie
The purpose of data management is to ensure the proper functioning of the website. These cookies are needed to allow visitors to browse the website, seamlessly and fully utilize its features, services available through the website, including – in particular – a note by a visitor on a particular site or the identity of a logged in user during a visit. The duration of this cookie’s data management is limited to the visitor’s current visit, this type of cookies will automatically be deleted from your computer when the session is completed or when the browser is closed.

The legal basis for this data management is the 2001 CVIII., on e-commerce services and information society services, Law 13 / A. § (3), according to the service provider may treat the personal data necessary for the provision of the service for the purpose of providing the service technically.
If the other conditions are identical, the service provider must choose and always operate the tools used to provide the information society service in such a way that personal data is processed only if it is strictly necessary for the provision of the service and for the fulfillment of other purposes set out in the law, but in this case also to the extent and time required.

3.2.2. Cookies are providing usage
They note the user’s choices, for example, in what form the user wants to see the page. These types of cookies are essentially the setting data stored in the cookie.
The legal basis for data handling is the visitor’s consent.
The purpose of the data management is to increase the efficiency of the service, increase user experience and make the use of the site more convenient.
This data is rather on the user’s computer, the website only accesses and recognizes the visitor (s).

3.2.3. Cookies are providing performance: Although
Collect information about the user’s behavior, time spent, and clicks on the site. These are typically third party applications (eg Google Analytics, AdWords).
The legal basis for data management: contribution of the contributor.
The purpose of the data management is to analyze the website and send promotional offers.

 

CHAPTER V
INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED

I. The rights of the person concerned briefly summarized:
1. To promote transparent information, communication and the exercise of the relevant case law
2. Right to prior information – where personal data are collected from the person concerned
3. Information to the person concerned and information to be made available if personal data are not obtained from the data processor
4. Right of access to the person concerned
5. Right to rectification
6. The right to cancel (“the right to be forgiven”)
7. Right to restrict data management
8. The obligation to notify of correcting or deleting personal data or limiting data handling
9. Right to data portability
10. Right to protest
11. Automated decision-making in individual cases, including profiling
12. Restrictions
13. Informing the person concerned about the privacy incident
14. Right to complain to a supervisory authority (right to an administrative remedy)
15. Right to an effective remedy against a supervisory authority
16. Right to an effective remedy against data controller or data processor

 

II. Rights of the data subject in detail:

1. To promote transparent information, communication and the exercise of the relevant case law

1.1. The data processor shall provide to person concerned all information about the management of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner, in particular for any information addressed to children. The information shall be provided in writing or otherwise, including, where appropriate, the electronic path. Oral information may be provided at the request of the person concerned, if the identity of the person concerned has been verified otherwise.

1.2. The data processor must facilitate the exercise of the rights of the person concerned

1.3. The data processor shall inform the person undue delay, but in any event within one month of the receipt of the request, of the measures taken on his or her application for the exercise of his rights. This time limit may be extended by two additional months under the terms of the Regulation about that the person concerned should be informed.

1.4. If the data processor fails to take measures in response to his request, he shall inform the person concerned without delay but within one month of the receipt of the request for reasons of non-action and whether he or she may file a complaint to a supervisory authority and exercise his right of judicial redress.

1.5. The data processor provides information and action about the information and rights of the user free of charge, but fees may be charged in the cases described in the Regulation.

The detailed rules are contained in Article 12 of the Regulation.

 

2. Right to prior information – if personal data are collected from the person concerned

2.1. The person concerned has the right to be informed about the facts and information related to data management before the processing of data. In this context, the person concerned should be informed about:
(a) the identity and contact details of the data processor and his representative,
b) contact details of the data protection officer (if have),
(c) the purpose of the planned treatment of personal data and the legal basis for data processing,
d) in the case of data handling based on the validation of a legitimate interest, on the legitimate interests of the data processor or third party,
(e) the addressees of personal data with whom personal data are communicated, and the categories of recipients, if any;
(e) where applicable, the fact that the data controller wishes to transmit personal data to a third country or to an international organization.

2.2. In order to ensure fair and transparent data management, the data processor must inform the person concerned of the following additional information:
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
(b) the right of the person concerned to request the data processor to access, correct, delete or restrict the personal data, and protest against the handling of such personal data and the right of data portability
(c) in the case of data handling based on the consent of the person concerned, the right to withdraw the consent at any time without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
(d) the right to lodge a complaint addressed to the supervisory authority;
e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite of a contract and whether the person concerned is obliged to provide personal data and the possible consequences of the lack of data provision;
(f) the existence of automated decision-making, including profiling, and at least in such cases the logic employed and information about the significance of such data management and the likely consequences for the person concerned.

2.3. If the data processor wishes to perform further data processing for personal data in other than the purpose, he / she must inform the person concerned of this different purpose and any relevant additional information prior to further processing.

The detailed rules are contained in Article 13 of the Regulation.

 

3. Information to the person concerned and information to be made available if personal data are not obtained from the data processor

3.1. If the data processor has not obtained the personal data from the person concerned, the data processor must, within no more than one month after the personal data has been obtained; where personal data are used for contact with person concerned, at least the first contacting with the person concerned; or if it is expected to communicate the data with other addressees, notify about the facts and information referred to in paragraph 2 above, the categories of personal data concerned, the source of personal data and, where applicable, the data comes from publicly available sources at latest when communicating personal information for the first time.

3.2. Further rules are set out in Section 2 (Right to prior information).

The detailed rules are contained in Article 14 of the Regulation.

 

4. Right of access to the person concerned

4.1. The person concerned has the right to be informed by the data processor about whether his personal data is being processed and, if such data is being processed, he has the right to receive access to personal information and to related information in 2-3 section. (Article 15 of the Regulation).

4.2. If personal data will transfer to a third country or to an international organization, the person concerned shall have the right to be informed of the corresponding guarantees provided for in Article 46 of the Regulation.

4.3. The data processor shall provide a copy of the personal data subject to data handling for the person concerned. For additional copies requested by him/her, the data processor may charge a reasonable fee based on administrative costs.

The detailed rules are contained in Article 15 of the Regulation.

 

5. Right to rectification

5.1. The person concerned shall have the right to rectify any inaccurate personal data that he or she is entitled by the data processor without undue delay.

5.2. Considering the purpose of data management, the person concerned has the right to request the addition of incomplete personal data, including by means of a supplementary statement.

The detailed rules are contained in Article 16 of the Regulation.

 

6. The right to cancel (“the right to be forgiven”)

6.1. The person concerned shall have the right to delete the personal data relating to him without undue delay, and the data processor shall be required to delete the personal data of the data subject without undue delay if

(a) personal data is no longer required for the purpose from which they have been collected or otherwise handled;
(b) the person concerned withdraws the consent of the data processing and does not have any other legal basis for data processing;
c) the person concerned objects to his or her data handling and has no prior legitimate reason for data handling,
(d) the personal data has been unlawfully handled;
(e) the personal data have to be delete in order to comply with the legal obligation imposed on the data processor in the Union or Member States’ law;
(f) for the collection of personal data society-related services offered directly to children

6.2. The right to cancel can’t be enforced if data management is required
(a) to exercise the right to freedom of expression and information;
(b) the performance of a task under the law of the Union or of a Member State applicable to the data processor, or for the purpose of carrying out a task carried out in the exercise of a public authority exercised on the data processor;
(c) on grounds of public interest in the field of public health;
(d) for purposes of public archiving, for scientific and historical research or for statistical purposes, provided that the right to cancel would be likely to render impossible or seriously undermine this data management; or
e) filing, enforcing or protecting legal claims.

Detailed rules on the right to cancel are contained in Article 17 of the Regulation.

 

7. Right to restrict data management

7.1. In the case of limitation of data processing, such personal data may only be managed, with the exception of storage, with the consent of the person concerned, with the submission, validation or protection of legal claims or in the protection of the rights of a natural or legal person, or in the public interest of the Union or of a Member State.

7.2. The person concerned shall have the right to request that the data processor to restrict the processing of data if one of the following conditions is met:
(a) the person concerned disputes the accuracy of the personal data; in this case, the restriction refers to the period of time in that the data processor may check the accuracy of the personal data;
(b) data manipulation is unlawful and the person concerned is opposed to the deletion of the data and, instead, requests that they be restricted;
c) the data processor no longer needs personal data for data processing, but the person concerned requires them to submit, enforce, or protect legal claims; or
(d) the person concerned objected to the data handling; in this case, the restriction applies to the duration of determining whether the data processor’s legitimate reasons prevail over the legitimate grounds of the person concerned.

7.3. The person concerned must be informed in advance of the discontinuation of the data handling.

The detailed rules are contained in Article 18 of the Regulation.

 

8. The obligation to notify of correcting or deleting personal data or limiting data handling

The data processor informs all addressees of any rectification, deletion or data limitation with whom or with which personal information has been communicated, unless this proves impossible or requires disproportionate effort. At the request of the person, the data processor shall inform the addressees thereof.

The detailed rules are contained in Article 19 of the Regulation.

 

9. The right to data portability

9.1. Subject to the conditions set out in this Regulation, the person concerned shall have the right to receive the personal information provided to him by a data processor in a fragmented, widely used machine-readable format and shall be entitled to transmit this data to another data controller without the data controller obstructs this who has provided the personal data if he / she is
(a) the processing of data is based on a contribution or on a contract; and
(b) the data processing is done in an automated way.

9.2. The person concerned may also request the direct transfer of personal data between data controllers.

9.3. The exercise of the right to data portability shall not be in breach of Article 17 of the Regulation (Right of Cancellation). The right is not applicable in the case when the data processing is in the public interest or required to complete a task under the powers conferred on the public authorities to exercise a controller. This law should not adversely affect the rights and freedoms of others.

The detailed rules are contained in Article 20 of the Regulation.

 

10. Right to Protest

10.1. The person concerned has the right to object at any time to the processing of personal data in the public interest, the performance of a public task (Article 6 (1) (e)) or legitimate interest (Article 6 (f)), including profiling based on those provisions too. In this case, the data processor may not manage the personal data further unless the data controller proves that the data processing is justified by legitimate reasons of compelling power which have priority over the interests, rights and freedoms of the person, or which are related to the submission, validation or protection of legal claims.
10.2. If your personal data is handled for direct business, the person is entitled to object to the handling of personal data relating to that purpose at any time, including profiling, if it is related to direct business acquisition. If a person objects to the personal data being handled for direct business purposes, personal data may no longer be handled for that purpose.

10.3. At the latest these rights must be explicitly mentioned in the time of first contact, and the relevant information must be give clearly and completely separate from any other information.

10.4. The right to protest can also be exercised by automated tools based on technical specifications.

10.5. If the personal data are handled for scientific and historical research purposes or for statistical purposes, the person concerned is entitled to object to the processing of personal data relating to his / her own personal situation, unless the data processing is necessary for the performance of a task for public interest purposes.

The detailed rules are contained in Article 21 of the Regulation.

 

11. Automated decision-making in individual cases, including profiling

11.1. The person concerned has the right that it does not cover that scope of a decision based solely on automated data management, including profiling, which would have a bearing on him or would have a significant effect on him.

11.2. This right shall not apply if the decision:
(a) is necessary for the conclusion and performance of the contract between the person concerned and the data processor;
(b) be made available by means of Union or Member State law which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the person; or
(c) is based on the explicit consent of the person concerned.

11.3. In the cases referred to in points (a) and (c), the data processor shall take appropriate measures to protect the rights, freedoms and legitimate interests of the person, including at least the right of him to request a human intervention from the data controller, express his views and submit an objection to the decision.

The detailed rules are contained in Article 22 of the Regulation.

 

12. Restrictions

The law of the Union or of the Member States applicable to a data controller or data processor may restrict the scope of rights and obligations (Articles 12 to 22, Article 34 and Article 5) by means of legislative measures if the restriction respects the essential content of fundamental rights and freedoms.

The detailed rules are contained in Article 23 of the Regulation.

 

13. Informing the person concerned about the privacy incident

13.1. If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller must inform the person of the data protection incident without undue delay. This information must clearly and easily explain the nature of the privacy incident and provide at least the following information:

(a) the name and contact details of the Data Protection Officer or other contact person;
(c) the likely consequences of a data protection incident;
(d) measures to be taken or planned by the data controller to remedy a data protection incident, including, where appropriate, measures to mitigate any adverse consequences resulting from a data protection incident.

13.2. The person need not be informed if any of the following conditions are met:
(a) the data controller has implemented adequate technical and organizational protection measures and applies those measures to the data covered by the data protection incident, in particular that measures, such as the use of encryption, which render the data inadmissible to unauthorized persons;
b) after the data protection incident, the data controller has taken further measures to ensure that high risk for the rights and freedoms of the person concerned is no longer to be realized;
(c) the information would require a disproportionate effort. In such cases, the person concerned shall be informed by publicly information or a similar measure shall be taken to ensure equally effective information.

The detailed rules are contained in Article 34 of the Regulation.

 

14. Right to complain to a supervisory authority (right to an administrative remedy)

The person concerned has the right to lodge a complaint to a supervisory authority, in particular in the Member State where he or she is habitually resident, the workplace or in the suspected breach, if the person concerned considers that the processing of personal data relating to him violates the Regulation. The supervisory authority to which the complaint has been filed shall inform the client about the procedural developments and the outcome of the complaint, including if the client is entitled to seek judicial redress.

The detailed rules are contained in Article 77 of the Regulation.

 

15. Right to an effective remedy against a supervisory authority

15.1. Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall be entitled to effective judicial remedies against the legally binding decision of the supervisory authority.

15.2. Without prejudice to other administrative or non-judicial remedies, all person concerned shall be entitled to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or within three months shall not inform the person concerned of the procedural developments or results of the complaint submitted.

15.3. The procedure against the supervisory authority shall be initiated at the courts of the Member State in which the supervisory authority is situated.

15.4. If the person launches a process against the decision of the supervisory authority, for which the Board had previously issued an opinion in the framework of the unity mechanism or made a decision, the supervisory authority shall send that opinion or decision to the court.

The detailed rules are contained in Article 78 of the Regulation.

 

16. Right to an effective remedy against data controller or data processor

16.1. Without prejudice to any available administrative or non-judicial remedies, including the right to complain to the supervisory authority, all concerned shall be entitled to an effective judicial remedy if it considers that their rights hurt under this Regulation as a result of the non-compliance of their personal data with this Regulation.

16.2. The process against the data controller or processor shall be initiated before the court of the Member State in which the data controller or the processor is established. Such proceedings may be instituted before the courts of the Member State in which the person concerned is habitually resident, if the data controller or data processor in a Member State acting as a public authority powers of public authorities.

The detailed rules are contained in Article 79 of the Regulation.

 

 

Date: Budapest, 25th May 2018.
Pocket Car Hungary Ltd.