I. Data Controller
WebMedic Hungary Ltd.
- Registered office: 14-18 Szép Juhászné út, F2 Building F, 1021 Budapest
- Company registration No.: 01-09-372820
- Tax No.: 28760432-2-41
- E-mail: email@example.com
- Phone: +36 30 513 3774
- Website: www.webmedic.hu
The Data Controller will not appoint a Data Protection Officer.
II. Regulations Serving as the Basis of Data Processing
The data processing as described in this notice is based on the following regulations:
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
- Regulation (EU) 2016/679 of the European Parliament and of the Council;
- Act LIII of 2017 on the Prevention and Combating of Money-Laundering and Terrorist Financing.
- data subject: a natural person identified or identifiable via any information;
- personal data: any information relating to a data subject;
- data of public interest: any information or knowledge, not falling under the definition of personal data, processed by and pertaining to the activities, or generated in connection with performing the public duty, of an organ or person performing a state or local government function or other public function determined by a rule of law, recorded in any way or any form, irrespective of the manner it is processed and its independent or collected character, thus, particularly, any data relating to competence, organisational structure, professional activity, its assessment including performance, the types of data possessed and the regulations controlling operation, as well as management and contracts concluded;
- data public on grounds of public interest: any data, not falling under the definition of data of public interest, the making public or accessibility of which is provided for by an Act on grounds of public interest;
- special categories of personal data (special data): personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as personal data relating to criminal convictions and offences;
- identifiable natural person: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future;
- profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- filing system: any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- group of undertakings: a controlling undertaking and its controlled undertakings;
- supervisory authority: an independent public authority which is established by a Member State pursuant to Article 51; in Hungary, the National Authority for Data Protection and Freedom of Information;
- cross-border processing:
- processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
- processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the European Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
- information society service: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;
IV. Data processing on the website operated by the controller, managing the newsletter database and processing personal data when concluding contracts
1. The scope of data to be processed and the purpose of data processing
- name: used to identify customers and other third parties, fulfil agreements, facilitate communication and the organisation of training courses;
- place and date of birth: when an agreement is concluded, processing is required in order to comply with the identification requirement under the Money Laundering Act;
- mother’s name: when an agreement is concluded, processing is required in order to comply with the identification requirement under the Money Laundering Act;
- company name, tax number, company registration number, website address: when an agreement is concluded, processing is required in order to comply with the identification requirement under the Money Laundering Act;
- citizenship: when an agreement is concluded, processing is required in order to comply with the identification requirement under the Money Laundering Act;
- address: in the case of private individuals, processing is required to identify the customer and issue an invoice;
- person represented: it can serve a more accurate identification of customers and other third parties;
- phone number: serves to facilitate making contact and quick provision of information about programme changes;
- e-mail address: serves to facilitate making contact; also used to send confirmation in response to applications for training courses and, in case of consent, to send newsletters;
- cookies: We recommend that you accept cookies to take full advantage of the services this website provides. Cookies are short text files which contain personalised information, stored on the data subject’s computer by the data subject’s browser. Cookies are designed to help us identify returning visitors, implement customised visitor’s functions and manage user login processes (identification, authentication). For more information about cookies, please visit: https://europa.eu/youreurope/citizens/cookies/index_hu.htm;
- Data provided by Google (Google Analytics): data is only processed for statistical purposes, so that the Controller can enhance user experience using the website traffic data;
- Data provided by Facebook pixel: data is only processed for statistical purposes, so that the Controller can enhance user experience using the website traffic data;
- Data provided by The Rocket Science Group (Mailchimp): data is processed so that the Controller can receive feedback on newsletter open and click rates, and implement changes where necessary;
- any other information provided on a voluntary basis.
2. The legal basis for data processing
- PERFORMANCE OF A CONTRACT: In order to conclude a contract with the data subjects or their sending organisations, and in the case of training courses organised by the Controller, to be able to identify the persons attending the training, as well as to keep track of the number of participants, the Controller needs the data subjects’ names and addresses. Taking into consideration the potential changes to the programme, the Controller also deems it necessary to record the data subjects’ phone numbers and e-mail addresses.
- THE LEGITIMATE INTERESTS OF THE DATA CONTROLLER: When visiting the Data Controller’s website, cookies, as well as Google Analytics and Facebook pixel services, are used in consideration of the Data Controller’s legitimate interests; however, the website allows data subjects to disable cookies. The feedback generated through the Mailchimp service is also used based on the legitimate interests of the Data Controller.
- CONSENT: Newsletters are only sent out based on the data subjects’ express consent. The data subjects have a right to withdraw their consent at any time without detriment; in this case, they will no longer receive newsletters.
- For more information about Google Analytics, please visit the following website: https://support.google.com/analytics#topic=3544906 On the following website, you can also restrict Google Analytics access by using the application available for download: https://tools.google.com/dlpage/gaoptout?hl=en
3. The duration of data processing
The data provided in connection with job applications will be processed or deleted by the Data Controller in accordance with Clause 1.
The data required under the Money Laundering Act can be processed for 8 years after terminating the customer relationship and will be deleted within one year thereof.
The data provided as part of the request for quotation will be retained for a period of 3 years if no contract is concluded.
In case no contract is concluded with respect to the training, the data provided by the registered data subject will be deleted within 30 days of completing the training.
The data provided when concluding the contract will be deleted after the end of a period of 1 year that follows the 8-year-period applicable to retaining accounting documents underlying the accounting records directly or indirectly, as specified in Section 169 (2) of Act C of 2000 on Accounting.
The data provided in order to receive newsletters will be deleted upon withdrawal of the consent, but not later than 1 year after the termination of the service.
4. Access to the data and data security measures
4.1. Access to the data and data transfer
The personal data provided by the data subject will be accessible to the Data Controller’s assigned staff members, financial department staff, the Controller’s managing officers, as well as the staff of the assigned IT service provider.
Other than that, the Data Controller may only disclose the personal data to other persons or state bodies and authorities in cases governed by law, for example where:
- court proceedings are initiated in a case which involves the data subject, and the documents (also) containing the data subject’s personal data must be disclosed to the competent court,
- an investigation authority contacts the Data Controller and requests transferring documents (also) containing the employee’s personal data for criminal proceedings,
- any other authority acting within its scope of competence specified by law requests transferring documents (also) containing the data subject’s personal data.
The Data Controller relies on the services of a Data Processor in the following cases:
- cases requiring a lawyer’s assistance and legal advice: Szűcs & Partners Attorneys-At-Law (registered office: 35 Madách utca, 5000 Szolnok);
- in IT issues also affecting personal data: W5 IT Services Ltd. (registered office: 12 Kossuth Lajos út, 7678 Abaliget, company registration No.: 02-09-072933), Webonic Ltd. (Registered office: 9-11 Budai út, 8000 Székesfehérvár, company registration No.: 07-09-025725)
4.2. Data security measures
The Data Controller stores the personal data provided by the data subject on the servers located at the registered office of Webonic Ltd. (9-11 Budai út, 8000 Székesfehérvár, company registration No.: 07-09-025725), in files located at the registered office of WebMedic Ltd. (14-18 Szép Juhászné út, F2 Building F, 1021 Budapest, company registration No.: 01-09-372820), as well as in a separate building dedicated to storing archives.
For processing personal data, the Data Controller relies on the services provided by Google (Analytics) and the Rocket Science Group (Mailchimp). In case the data transferred during the services are stored abroad, the place of processing is the United States of America. The security of processing is guaranteed by the Privacy Shield agreement concluded with the US. The Data Controller takes appropriate measures to ensure the protection of the personal data against, among others, unauthorised access or unauthorised alteration. For example, the server which stores personal data is in a locked room to which only reception staff, the managing officers of the Data Controller and the staff of the company contracted to provide IT services (“IT company”) have a key. The data stored on the servers is only accessible to staff members who have a unique identifier and a password. In the case of dedicated data, access rights are also restricted; for example, only dedicated staff members and managing officers of the Data Controller have a right to access the e-mail list used for sending out newsletters. In addition, only the staff of the IT company can access the electronically stored data when necessary.
The IT company monitors the existence of the security conditions required to protect the data and backup storage on a daily basis.
5. Rights relating to data processing
5.1. Right to be informed
The data subject shall have the right to request information from the Data Controller via the contact details specified in Clause I about the following:
- which personal data,
- on what legal basis,
- for what purpose,
- from what source,
- for how long the Data Controller processes,
- to whom, when, on what legal basis and to which personal data the Data Controller granted access, or to whom it transferred the personal data.
The Data Controller shall comply with the data subject’s request within no more than 30 days via mail sent to the address provided by the data subject.
5.2. Right to rectification
The data subject shall have the right to request the Data Controller in writing, via the contact details specified in Clause I, to rectify any personal data (for example, the data subject may change his or her e-mail address at any time). Before complying with the request, the Data Controller may request proper verification of the change (e.g., change of address, change of name). The Data Controller shall comply with the data subject’s request within no more than 30 days, and notify the data subject thereof via mail sent to the address provided by the data subject.
5.3. Right to erasure
The data subject shall have the right to request the Data Controller in writing, via the contact details specified in Clause I, to erase his or her personal data. The Data Controller may reject the request for erasure in case the Data Controller is bound by law or an internal policy to continue to store the personal data. If, however, no such obligation exists, the Data Controller shall comply with the data subject’s request within no more than 30 days, and notify the data subject thereof via mail sent to the address provided by the data subject.
5.4. Right to restriction of processing
The data subject shall have the right to request the Data Controller in writing, via the contact details specified in Clause I, to restrict processing his or her personal data. The restriction shall continue to apply as long as the reasons justifying it remain applicable. The data subject may, for example, request restriction of the personal data in case he or she thinks that the processing of the data by the Data Controller was unlawful, but it is essential for the public or court proceedings initiated by the data subject that the data is not erased by the Data Controller. In this case, the Data Controller shall continue to store the personal data until further notice from the competent authority or court and then erase the data.
5.5. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, that is, to request the Data Controller to transfer the data to him or her written on a CD.
5.6. Right to object
The data subject shall have the right to object to processing in writing, via the contact details specified in Clause I, in case the Data Controller intends to transfer or use the personal data for purposes of direct marketing, opinion poll or scientific research. Thus, for example, the data subject may object to the Data Controller processing his/her personal data for the purposes of scientific research without his/her consent. The data subject may also object to processing if the data subject thinks that it is only necessary for the Data Controller to comply with a legal obligation or pursue its legitimate interests, except for processing permitted by law. Thus, for example, the data subject may not object to the Data Controller transferring his/her inquiry containing his/her personal data to an authority in ongoing proceedings instituted by a public authority.
6. Claims and remedies related to processing
In case you have a complaint concerning the processing of your personal data, please contact us first. We will do everything in our power to remedy your complaint to your satisfaction as quickly as possible.
6.1. Initiating court proceedings
In case the data subject finds that the processing of his/her personal data is unlawful, he/she may initiate a civil suit against the Data Controller. The suit falls within the competence of the Court of Justice. The list and contact details of courts are available at the following link: https://birosag.hu/torvenyszekek
6.2. Filing a complaint to the supervisory authority
The data subject may initiate an investigation by filing a complaint about the breach of his/her data protection rights or the direct threat thereof:
- National Authority for Data Protection and Freedom of Information:
- 1530 Budapest, Pf. 5.
- 22/c Szilágyi Erzsébet fasor, 1125 Budapest
- +36 1 391 1400
- +36 1 391 1410 (fax)