Középülettervező Zrt. (hereinafter: Controller), as the operator of the website accessible at the domain name www.kozti.hu (hereinafter: Website), hereby publishes the information relevant to the Website and to data controlled in conjunction with the services related to the Website.
1) Data of the controller
Controller’s name: Középülettervező Zártkörűen Működő Részvénytársaság
Registered office: 1023 Budapest, Lublói utca 2.
E-mail address: firstname.lastname@example.org
2) Scope of the data processed
The User can provide his or her data on the page specifically designed for the purpose so that he or she can contact the Controller and receive information about the Controller’s products and services. The following personal data are requested (data marked by * are obligatory):
- E-mail address*;
Only persons at least 18 years of age are entitled to provide data.
3) The purpose and legal basis of processing
The purpose of data processing is to enable the Controller to provide information on its services and activities, to contact Users that are interested in the Controller’s services, to provide general information to Users, and to handle comments regarding the Controller’s activities.
Personal data are processed whilst the purpose of processing prevails; in cases of contacting, data are controlled up to no more than 30 days from the termination of bilateral communication between the Controller and the User or until such time that the User requests erasure of his or her data or revokes his or her consent to the control of his or her personal data.
Once the purpose of data controlling ceases or when the User so requests, the personal data will be erased without delay.
4) Legal ground of personal data control
After contact has been made, the User consents for the Controller to control the User’s personal data as described in this Guide. The legal basis for the controlling of personal data is the User’s voluntary consent given in awareness of the information provided in this Guide.
The User may only provide his or her own personal data. In case the User provides data other than his or her own, it is the duty of the data provider to obtain the consent of the person concerned.
5) Persons entitled to access user’s personal data; data processing
The Controller is entitled to access Users’ personal data in accordance with the relevant effective statutory provisions.
The Controller retains the right to involve a data processor in future and shall inform Users to that effect by modifying this Guide.
Unless expressly provided otherwise by law, the Controller may only transfer data suitable for personal identification with the User’s express consent.
6) Rights of the user
Right of access to personal data
The User has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- purpose of data processing;
- the categories of personal data concerned;
- if the User’s personal data are transferred, legal grounds and recipient(s) of the transfer;
- the envisioned period for which the data are processed;
- the rights of the User to rectification or erasure of personal data or restriction of processing of personal data concerning the User or to object to such processing;
- the right to lodge a complaint with a competent authority;
- data sources;
- important information about profiling;
- the name and address of data processors, and their activity related to data processing.
The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the User, the Controller may charge a reasonable fee based on administrative costs. Where the User makes the request by electronic means, and unless otherwise requested by the User, the information shall be provided in a commonly used electronic form.
The Controller shall provide the User with information, in an easy-to-understand format, without undue delay and in any event within one month from submitting the application. The User can submit his or her application for access at the contact addresses specified in Point 1.) above.
Rectification of processed data
The User may submit a request, at the contact addresses specified in Point 1.) above, that the Controller rectify the User’s incorrect or incomplete personal data, taking the purpose of data processing into consideration. The Controller shall make the rectification without undue delay.
Right to erasure (right ‘to be forgotten’)
The User is entitled to request the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the User withdraws the consent on which the processing is based and there is no other legal ground for the processing;
- the User objects to the processing of his or her personal data;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in EU or member state law to which the Controller is subject;
- the personal data consented to have been collected in relation to the offer of information society services to children.
Where the Controller has made the personal data public and is obliged pursuant to the above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the User has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.
Personal data do not have to be erased to the extent that processing is necessary:
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by EU or member state law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
Restriction of processing
The User is entitled to obtain from the Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the User, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the User opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims; or
- the User objected to the processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Controller override those of the User.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the User's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a member state.
A User who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the User about those recipients if the User so requests.
Right to object
The data subject shall have the right to object to processing of personal data concerning him or her if processing is
- necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- necessary for the purposes of the legitimate interests pursued by the Controller or by a third party; or
- based on profiling.
In cases where the User objects, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims.
The Controller’s action in response to the User’s request
The Controller shall provide information on action taken in response to the User’s request regarding access, rectification, erasure, restriction, objection or transfer without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the User of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the User submitted the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the User.
If the Controller does not take action on the request of the data subject, the Controller shall inform the User without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Information requested by Users and any communication and any actions taken in response must be provided free of charge. Where requests from a User are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
7) Notification and handling of a personal data breach
Any event leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the Controller constitutes a personal data breach.
The Controller should notify the personal data breach to the National Authority for Data Protection and Freedom of Information without undue delay but not later than 72 hours after having become aware of it, unless the Controller is able to demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay. Notifications to the National Authority for Data Protection and Freedom of Information must include at least the following information:
- the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of personal data records concerned;
- name and contact details of the Controller;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the Controller to address and control the breach and to mitigate its possible adverse effects.
When the personal data breach is likely to result in a high risk, the Controller shall communicate, through its Website, the personal data breach to the User within 72 hours from becoming aware of the breach. The notification must include at least the details listed herein.
The Controller shall keep records of any and all personal data breaches in order to ensure supervision of the measures taken and to inform those concerned. The record must contain the following data:
- categories of personal data processed;
- categories and number of persons concerned;
- date and time of the personal data breach;
- circumstances and possible effects of the personal data breach; and
- troubleshooting measures taken.
The Controller shall keep the data of the personal data breach on record for five years from becoming aware of the breach.
8) Security of personal data
The Controller undertakes to ensure the security of personal data, and shall implement appropriate technical and organisational measures and shall develop appropriate procedures to ensure the security of the personal data recorded, stored and processed, and to prevent their destruction and unauthorised use and alteration. The Controller also undertakes to call on third parties to whom personal data are transferred or who are involved in processing based on Users’ consent to comply with the requirements of the security of personal data.
The Controller shall ensure that the data processed are not subject to access, disclosure, transfer, alteration or modification and erasure by unauthorised persons. The data processed shall be known only to the Controller, the Controller’s employees, and the data processors involved by the Controller, and shall not be transferred to third parties who are not authorised to know such data.
The Controller shall do its best to avoid accidental damage or destruction of the data processed. The Controller shall require its employees involved in data processing to comply with the above obligation.
The User understands and accepts that while the Controller implements up-to-date security technology and means to prevent unauthorised access, interception and penetration, the security of personal data provided via the Website cannot be fully guaranteed. If despite all of the Controller’s efforts unauthorised interception of or access to personal data occurs, the Controller shall not be liable for any damage suffered by the User from such access or interception. Furthermore, it is also possible that the User gives his or her personal data to third parties that may use such data in an unlawful manner or for unlawful purposes.
The Controller shall do its best to process personal data in compliance with the law; however, if despite the Controller’s best efforts the User feels that the Controller is not in compliance, the User is free to make a complaint using the contact details provided in Point 1.) above.
If the User feels that his or her right to privacy and the protection of personal data have been violated, the User may seek remedy from the competent authorities as provided for by the governing law:
- the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.); or
- the court having jurisdiction.
10) Miscellaneous provisions
This Guide is governed by Hungarian law, specifically Act CXII of 2011 on the right to informational self-determination and on the freedom of information, and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Budapest, 9 March 2020