12.000 forinttól olcsóbban, 18.000 forinttól INGYEN szállítunk!

DATA MANAGEMENT NOTIFICATION

Introduction

Cibi Újraszalvéta Kft. (registered seat: H-2094 Nagykovácsi, Kossuth u. 2., tax number: 14074543-2-13, company registration number: 13-09-194260)(hereinafter referred to as Service Provider, data controller) shall be bound by the following notification.

In accordance with Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL (of 27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following notification.

The present data protection notification regulates the data management of the following websites: www.cibi.hu

www.ujraszalveta.hu www.ujratasak.hu www.ujraszatyor.hu

The data management notification is available on the following website: www.cibi.hu/adatvedelem

The modifications of the notifications shall enter into effect upon publication at the above address.

 

The contract information of the Data Controller:

Name: Cibi Újraszalvéta Kft.

Registered seat: H-2094 Nagykovácsi, Kossuth u. 2

E-mail: hello@cibi.hu

Telephone: 06702763406

Definitions

 

  1. “personal data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  2. “data management”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  3. “data controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  4. “data processor”: means a natural or legal person, public authority, agency or other body which manages personal data on behalf of the controller;

  5. “recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the management of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the data management;

  6. “consent of the data subject”: means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the management of personal data relating to him or her;

  7. “personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise managed.

 

 

The principles applicable to the management of personal data

 

Personal data shall be:

 

  1. managed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

The data controller shall be responsible for, and be able to demonstrate compliance with, the above (‘accountability’).

 

 

Data managements

 

Data management related to the operation of the online store

 

The fact of the data collection, the scope of the data managed and the purpose of the data management:

 

Personal data

Purpose of the data management

Family name and given name

Necessary for establishing contact, the purchase and for issuing the proper invoice.

E-mail address

Telephone number

Correspondence, the more efficient discussion of issues related to invoicing or the delivery.

Invoicing name and address

The issuance of the proper invoice, and the conclusion of the contract, determination and modification of the content thereof, follow-up of the fulfilment of the contract, invoicing the fees arising from the contract, and the enforcement of the claims related thereto.

Delivery name and address

Enabling delivery.

Date of purchase

Execution of technical operations.

IP address on the date of purchase

Execution of technical operations.

 

E-mail addresses are not required to contain personal data.

 

Scope of data subjects: All data subjects purchasing on the website of the online store.

 

The duration of data management, the deadline for the erasure of data: Immediately upon the completion of the purchase. The data controller shall notify the data subject of the erasure of any of the personal data in accordance with Article 19 of the GDPR, via electronic means. If the request for erasure of the data subject extends also to the e-mail address provided by the data subject, then the data controller shall erase the e-mail address as well after the notification. Except in case of accounting documents, since according to Subsection (2) Section 169 of Act C of 2000 on Accounting, these data shall be retained for 8 years.

 

The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for minimum 8 years, shall be legible and retrievable by means of the code of reference indicated in the accounting records.

 

The identity of the possible data controllers entitled to access the data, the recipients of the personal data: The personal data may be managed by the sales and marketing employees of the data controller, while observing the above principles.

 

 

Information on the rights of the data subjects related to the data management:

 

The data subject may request access to the personal data related to the data subject, the rectification, erasure or the restriction of the management of such data from the data controller, and

the data subject may object to the management of such personal data, as well as

the right to data portability of the data subject, and the right to withdraw the consent at any time.

 

The data subject may initiate access to his/her personal data, the erasure, modification or restriction of the management of his/her personal data, the portability of the data, and the objection to the data management in the following manners:

by mail at the address at H-2094 Nagykovácsi, Kossuth u. 2,

via e-mail at the address hello@cibi.hu e-mail,

by telephone, via telephone number 06702763406.

 

The legal basis of the data management:

 

GDPR Article 6 (1) (b),

 

Subsection (3) Section 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services (hereinafter referred to as E-Commerce Act):

 

The service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons. Should other conditions be identical, the service provider shall select and operate the means applied in the course of providing information society service at all times, so that personal data be processed only if it is absolutely indispensable for providing the service or achieving other objectives stipulated in this Act, and only to the required extent and duration.

 

Regarding the issuance of invoices compliant with the accounting laws, Point c) Subsection (1) Section 6.

 

Regarding the enforcement of claims arising from the contract, 5 years according to Section 6:21 of Act V of 2013 on the Civil Code.

 

Section 6:22 [Statute of limitations]

(1) Unless otherwise provided for in this Act, claims shall lapse after five years.

(2) The period of limitation commences upon the due date of the claim.

(3) An agreement for changing the limitation period shall be executed in writing.

(4) Any agreement excluding prescription shall be null and void.

 

You are hereby informed that

 

the data management is necessary for the fulfilment of the contract.

you are obliged to provide the personal data in order to allow us to fulfil your order.

the failure to provide data results in that we will be unable to process your order.

 

The data processors employed

 

Delivery

 

The activity performed by the data processor: The delivery of the products, shipment

 

Name and contact details of the data processor:

 

MPL Magyar Posta Logisztika Kft.

H-1138 Budapest, Dunavirág utca 2-6.

ugyfelszolgalat@posta.hu

Telephone: (06-1) 333-7777

GTC: https://www.posta.hu/ugyfelszolgalat/aszf

Data management notification: https://www.posta.hu/adatkezelesi_tajekoztato

 

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

2351 Alsónémedi, GLS Európa utca 2.

adatvedelem@gls-hungary.com

Telephon: (06-29) 88-66-70

GTC: https://gls-group.eu/HU/hu/altalanos-uzleti-feltetelek

Data management notification: https://gls-group.eu/HU/hu/adatvedelmi-szabalyzat

 

 

The fact of the data management, the scope of the data managed: Delivery name, delivery address, telephone number, e-mail address.

 

The scope of data subjects: All data subjects who request delivery.

 

The purpose of the data management: The delivery of the product ordered.

 

The duration of data management, the deadline for the erasure of data: Lasts until the completion of the delivery.

 

Legal basis of the data management: Article 6 (1)(c).

Online payment

 

The activity performed by the data processor: Online payment

 

Name and contact details of the data processor:

 

GraingerChambers

3-5 Hood Street

Newcastle uponTyne

NE1 6JQUK

Phone: +49 (0) 89 / 4424 - 2000

Fax: +49 (0) 89 / 4424 - 2100

 

The fact of the data management, the scope of the data managed: Invoicing name, invoicing address, e-mail address.

 

Scope of data subjects: All data subjects who requested online purchase.

 

The purpose of the data management: Completion of the online payment, the confirmation of the transaction and the fraud-monitoring carried out in the interest of the users.

 

The duration of data management, the deadline for the erasure of data: Lasts until the completion of the online payment.

 

Legal basis of the data management: Article 6 (1) c), and Subsection (3) Section 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services.

Web-hosting service provider

 

The activity performed by the data processor: Web-hosting service

 

Name and contact details of the data processor:

 

Wix.com Ltd

Email:

Web:

Telephone: 1-415-639-9034

Registered seat: PO box 40190 San Francisco, CA United States

 

The fact of the data management, the scope of the data managed: All personal data provided by the data subject.

 

Scope of data subjects: All data subjects using the website.

 

The purpose of the data management: Making the website available, the proper operation of the website.

 

The duration of data management, the deadline for the erasure of data: The data management shall continue until the termination of the agreement between the data controller and the web-hosting service provider, or until the request for erasure of the data subject made to the web-hosting service provider.

 

Legal basis of the data management: Article 6 (1) c) and f), and Subsection (3) Section 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services.

 

 

Management of cookies

 

The cookies typical for online stores are the so-called “cookie used for password-protected session”, the “cookies necessary for the shopping cart” and the “security cookies”, the use of which does not require requesting prior consent from the data subjects.

 

The fact of the data management, the scope of the data managed: Unique identification number, dated, times

 

Scope of data subjects: All data subjects visiting the website.

 

The purpose of the data management: The identification of the users, the registration of the “shopping cart” and the monitoring of the visitors.

 

The duration of data management, the deadline for the erasure of data:

 

Types of cookie: Session cookies

Legal basis of data management:

Section 13/A of Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services (E-Commerce Act)

Duration of data management:

The period lasting until the conclusion of the visitor session concerned

Scope of the data managed:

connect.sid

 

 

The identity of the possible data controllers entitled to access the data: The data controller does not manage personal data through the use of the cookies.

 

Information on the rights of the data subjects related to the data management: The data subjects may delete the cookies in the Tools/Settings menu of the browsers, usually under the settings of the Data Privacy menu item.

 

The legal basis of the data management: The consent of the data subject is not required if the exclusive purpose of the use of the cookies is carrying out the transmission of a communication over an electronic communication network, or if the data are indispensable for the service provider for the provision of the information society service explicitly requested by the subscriber or user.

 

The use of Google Adwords conversion tracking

 

The data controller uses the online advertisement programme “Google AdWords”, and in the frameworks thereof the data controller uses the conversion tracking service of Google. The Google conversion tracking is the analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google“).

 

When the User reaches a website through a Google advertisement, then a cookie necessary for conversion tracking is placed on the user’s computer. The validity of these cookies is restricted and they do not contain any personal data, therefore the User cannot be identified through such cookies.

 

When the User is browsing certain sites of the websites and if the cookie has not expired yet then both Google and the data controller may see that the User clicked on the advertisement.

 

All Google AdWords clients receive a different cookie, therefore those cannot be tracked through the websites of the clients of AdWords.

 

The purpose of the information – which had been obtained with the help of the conversion tracking cookies – is to prepare conversion statistics for the client who chose the AdWords conversion tracking. The clients may get information in this way on the number of users who clicked on their advertisement and who had been forwarded to the site affixed with conversion tracking tag. However, the clients cannot access information with which any of the users could be identified.

 

If you do not want to participate in the conversion tracking, then you may reject it by blocking the option to install cookies in your browser. Afterwards you will not be included in the conversion tracking statistics.

 

Further information and the privacy statement of Google are available at the following site:  www.google.de/policies/privacy/

 

The use of Google Analytics

 

This website uses the Google Analytics application, which is the web analysis of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files, which are saved to your computer, thereby they facilitate the analysis of the use of the website visited by the User.

 

The pieces of information created with the cookies related to the website used by the User are usually transferred to and stored at one of the servers of Google in the USA. Through the activating the IP anonymization on the website, Google shortens the IP address of the User in advance within the members states of the European Union or in other member states of the agreement on the European Economic Area.

 

The entire IP address is forwarded to Google’s server in the USA and is shortened there only in exceptional cases. Upon the assignment given by the operator of the present website, Google will use these pieces of information for assessing how the User used the website, as well as to prepare reports for the operator of the website related to the activity of the website, and to provide further services related to the website and internet use.

 

Google does not compile the IP address forwarded by the browser of the User in the framework of Google Analytics with other data of Google. The User may prevent the storing of the cookies through the appropriate settings of its browser, however, please note that in this case it may happen that not all functions of this website will be functional completely. You may also prevent Google from collecting and processing the User’s data related to the website use and collected through the cookies (including the IP address as well), if you download and install the browser plugin available at the following link. https://tools.google.com/dlpage/gaoptout?hl=hu

 

Newsletter, DM activity

 

Pursuant to Section 6 of Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising Activity, the User may grant its preliminary and express consent to that the User be contacted by the Service Provider with its advertisement offers, other consignments through the contact information provided by User upon the registration.

 

In addition, taking into consideration the provisions of the present notification, the Client may grant its consent to that his/her personal data necessary for sending advertisement offers be managed by the Service Provider.

 

Service Provider shall not send unwanted advertisement messages, and the User may unsubscribe from the sending of offers subject to no restrictions and reasoning, free of charge. In this case the Service Provider shall erase all personal data of User – necessary to send advertisement messages – from its records and the Service Provider will no longer contact the User with its further advertisement offers. User may unsubscribe from the advertisements by clicking on the link to be found in the message.

 

The fact of the data collection, the scope of the data managed and the purpose of the data management:

 

Personal data: / The purpose of the data management

Name, e-mail address. /Identification, enabling subscription to the newsletter.

The date and time of the subscription/Execution of technical operation.

The IP address at the time of subscription/Execution of technical operation.

Scope of data subjects: All data subjects who subscribe to the newsletter.

 

The purpose of the data management: sending electronic messages containing advertisement (e-mail, SMS, push message) to the data subject, notification about current information, products, promotions, new functions, etc.

 

The duration of data management, the deadline for the erasure of data: the data management continues until the withdrawal of the statement of consent, i.e. until unsubscribing.

 

The identity of the possible data controllers entitled to access the data, the recipients of the personal data: The personal data may be managed by the sales and marketing employees of the data controller, while observing the above principles.

 

Information on the rights of the data subjects related to the data management:

 

The data subject may request access to the personal data related to the data subject, the rectification, erasure or the restriction of the management of such data from the data controller, and

the data subject may object to the management of such personal data, as well as

the right to data portability of the data subject, and the right to withdraw the consent at any time.

 

The data subject may initiate access to his/her personal data, the erasure, modification or restriction of the management of his/her personal data, the portability of the data, and the objection to the data management in the following manners:

by mail at the address at H-2094 Nagykovácsi, Kossuth u. 2,

via e-mail at the address hello@cibi.hu e-mail,

by telephone, via telephone number 06702763406.

 

The data subject may unsubscribe from the newsletter at any time free of charge.

 

The data processor employed by the data controller:

 

Wix.com Ltd

Email:

Web:

Telephone: 1-415-639-9034

Registered seat: PO box 40190 San Francisco, CA United States

 

The legal basis of the data management: the consent of the data subject, Article 6 (1) a) and f), and Subsection (5) Section 6 of Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising Activity:

 

Advertisers, advertising service providers and publishers of advertising – within the scope specified in the consent - shall maintain records on the personal data of persons who provided the statement of consent. The data contained in the aforesaid records - relating to the person to whom the advertisement is addressed - may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons subject to the express prior consent of the person affected.

 

 

Please be informed that

 

the data management is based on your consent.

you are obliged to provide the personal data if you want to receive newsletters from us.

the failure to provide the data results in that we will be unable to send you newsletters.

 

 

 

Complaint management

 

The fact of the data collection, the scope of the data managed and the purpose of the data management:

 

Personal data/The purpose of the data management

Family name and given name/Identification, correspondence.

E-mail address/correspondence

Telephone number/correspondence

Invoicing name and address/Identification, management of the quality objections, questions and issues occurring related to the products ordered.

 

Scope of data subjects: All data subjects who made any purchase on the online store website and who make quality objections or complaints.

 

The duration of data management, the deadline for the erasure of data: According to Subsection (7) Section 17/A of Act CLV of 1997 on Consumer Protection, the copies of the report prepared on the complaint recorded, the transcript and the reply given to the complaint shall be retained for 5 years.

 

The identity of the possible data controllers entitled to access the data, the recipients of the personal data: The personal data may be managed by the sales and marketing employees of the data controller, while observing the above principles.

 

Information on the rights of the data subjects related to the data management:

 

The data subject may request access to the personal data related to the data subject, the rectification, erasure or the restriction of the management of such data from the data controller, and

the data subject may object to the management of such personal data, as well as

the data subject has right to data portability, and the right to withdraw the consent at any time.

 

The data subject may initiate access to his/her personal data, the erasure, modification or restriction of the management of his/her personal data, the portability of the data, and the objection to the data management in the following manners:

by mail at the address at H-2094 Nagykovácsi, Kossuth u. 2,

via e-mail at the address hello@cibi.hu e-mail,

by telephone, via telephone number 06702763406.

 

The legal basis of the data management: Article 6 (1) (c) and Subsection (7) Section 17/A of Act CLV of 1997 on Consumer Protection.

 

Please be informed that

 

the provision of personal data is based on contractual obligation.

the management of the personal data is a prerequisite of the conclusion of the contract.

you are obliged to provide your personal data for us to be able to manage your complaint.

the failure to provide data results in that we will be unable to manage the complaint that we received.

 

 

Social networking sites

 

The fact of the data collection, the scope of the data managed: The name registered on the social networking sites Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc., and the public profile picture of the user.

 

Scope of data subjects: All data subjects who had registered on the Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc. social networking sites and had “liked” the website.

 

The purpose of the data collection: the sharing or “liking”, promotion of certain elements of content, products, promotions of the website or the website itself.

 

The duration of data management, the deadline for the erasure of data, the identity of the possible data controllers entitled to access the data, and the information on the rights of the data subjects related to the data management: The data subject main access information in the source of the data, the management thereof, as well as the manner and legal basis of transmitting on the social networking site concerned. The data management is executed on the social networking sites, therefore the policy of the social networking site concerned shall be applicable to the duration and manner of data management, and the options for erasing and modifying the data.

 

The legal basis of the data management: the voluntary consent of the data subject to the management of his/her personal data on the social sites.

 

Client relations and other data managements

 

Should the data subject have any questions in course of the use of the services of the data controller, or should the data subject have any problems, then the data subject may contact the data controller in the ways specified on the website (telephone, e-mail, social networking sites, etc.).

 

The e-mails and messages received, and the data provided via telephone, on Facebook, etc., together with the name and address of the interested party, as well as other personal data provided voluntarily shall be erased by the data controller after the expiry of 2 years after the data provision at the latest.

 

We shall notify you of any data management not listed in the present notification upon the recording of the data.

 

Upon exceptional request of any authority, or upon the authorization of law, upon the request of other entities, the Service Provider is obliged to provide information, to disclose and transmit data, or to provide documents.

 

In these cases, the Service Provider shall disclose personal data to the requesting party – provided that such party had specified the exact purpose and the scope of the data – only in the amount and to the extent which is indispensable to the realization of the purpose of the request.

 

The rights of the data subjects

 

Right of access

 

You shall have the right to obtain confirmation from the data controller as to whether or not personal data concerning you are being managed, and, where that is the case, access to the personal data and the information listed in the regulation.

 

Right to rectification

 

You shall have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the data management, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

Right to erasure

 

You shall have the right to obtain from the data controller the erasure of personal data concerning you without undue delay, while the data controller shall have the obligation to erase personal data without undue delay where specific conditions are fulfilled.

 

The right to be forgotten

 

Where the data controller has made the personal data public and is obliged to erase the personal data, the data controller - taking into account the available technology and the cost of implementation - shall take reasonable steps, including technical measures, to inform data controllers which are managing the personal data that you have requested the erasure by such data controllers of any links to, or copy or replication of, those personal data.

 

The right to restrict data management

 

You shall have the right to – upon your request – have the data controller restrict the data management, where one of the following applies

 

you contest the accuracy of the personal data, in this case the restriction shall apply to a period enabling the data controller to verify the accuracy of the personal data;

the data management is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead

the data controller no longer needs the personal data for the purposes of the data management, but they are required by you for the establishment, exercise or defence of legal claims;

you have objected to the data management; in this case the restriction shall apply to a period until it is established whether the legitimate grounds of the data controller enjoy priority over your legitimate grounds.

 

The right to data portability

 

You shall have the right to receive the personal data concerning you, which you have provided to the data controller, in a structured, commonly used and machine-readable format; in addition, you shall have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided (...)

 

The right to object

 

You shall have the right to object, on grounds relating to your particular situation, at any time to the managing of personal data concerning you (…), including profiling based on these provisions mentioned above as well.

 

Objection in case of direct marketing

 

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to management of personal data concerning you for such purpose, which includes profiling to the extent that it is related to such direct marketing. If you objects to management of the personal data for direct marketing purposes, then the personal data shall no longer be managed for such purposes.

 

Automated individual decision-making, including profiling

 

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph shall not apply if the decision

is necessary for entering into, or performance of, a contract between you and the data controller;

is authorised by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

is based on your explicit consent.

 

Deadline for taking action

 

The data controller shall provide information on action taken upon any of the requests above to you without undue delay and in any event within 1 month of the receipt of the request.

 

That period may be extended by an additional 2 months where necessary. The data controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

 

If the data controller does not take action upon your request, then the data controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

Security of data management

 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

 

the pseudonymisation and encryption of personal data;

 

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

 

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

 

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the data management.

 

 

Communication of a personal data breach to the data subject

 

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall communicate the personal data breach to the data subject without undue delay.

 

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; and describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The data subject shall not be notified if any of the following conditions are met:

the data controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

the data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

the notification would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the data controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require data controller to notify the data subject.

 

Notification of a personal data breach to the supervisory authority

 

In the case of a personal data breach, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

 

Opportunities to make complaints

 

In case of the possible infringement of the data controller, complaints may be lodged at the Hungarian National Authority for Data Protection and Freedom of Information:

 

Hungarian National Authority for Data Protection and Freedom of Information

H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: H-1530 Budapest, Postafiók: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

 

Afterword

 

In course of the preparation of the notification, we took the following laws into consideration:

 

  • Regulation (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL (of 27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

  • Act CXII of 2011 – on Informational Self-determination and the freedom of information (hereinafter referred to as Privacy Act)

  • Act CVIII of 2001 – on Certain Issues of Electronic Commerce Activities and Information Society Services (primarily Section 13/A)

  • Act XLVII of 2008 – on the Prohibition of Unfair Commercial Practices against Consumers;

  • Act XLVIII of 2008 - on Essential Conditions of and Certain Limitations to Business Advertising Activity (especially Section 6)

  • Act XC of 2005 on Electronic freedom of information

  • Act C of 2003 on Electronic Communication (expressly Section 155)

  • Opinion No. 16/2011 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising

  • The recommendation of the Hungarian National Authority for Data Protection and the Freedom of Information on the data protection requirements of the prior notification

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (of 27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Nagykovácsi 2019.05.21.

 

INFO

 

TERMS

PRIVACY POLICY

SHIPPING

PAYMENT

COPYRIGHT

© 2016-2019  Cibi.hu -  All rights reserved!