PRIVACY NOTICE
THE PROTECTION OF NATURAL PERSONS RIGHTS WITH REGARD TO THE PROCESSING OF PERSONAL DATA
INTRODUCTION
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR Regulation", "Regulation", General Data Protection Regulation) requires that the Data Controller shall take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject's rights.
The obligation to inform the data subject in advance is also required by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information. The following notice is provided to comply with this legal obligation.
Why is this privacy notice made?
During its operation, the Data Controller handles personal data for several purposes, while respecting the rights of the data subjects and fulfilling legal obligations. The Data Controller also considers it important to present to the data subject the handling and the most important characteristics of the personal data that came to the controller’s knowledge during the data processing activities.
What is the legal basis of processing the data subjects’ personal data?
Personal data is only processed for a specific purpose and on an appropriate legal basis. These purposes and legal bases are presented individually, in relation to specific data processing.
What external assistance is used to process your personal data?
Personal data is mostly processed by the Data Controller at own premises. However, there are operations for which a data processor’s external help is necessary. The data processor may change according to the characteristics of each data processing.
Who is processing your personal data?
The Data Subject's personal data may be disclosed to the Data Controller or Data Processor named in Section I of this Privacy Notice and to those to whom the Data Subject's personal data is disclosed or transferred (collectively, recipients).
What principles does the Data Controller consider important when processing your personal data?
Personal data is processed in accordance with the applicable legislation, in particular Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR Regulation).
In the course of the Data Controller's activities, only the personal data specified in the scope of individual processing are processed and the security of the personal data provided is protected by technical and organisational measures that are both possible and necessary. Special attention will be paid to ensure the confidentiality, integrity and availability of personal data.
The Data Controller is responsible for the authenticity and accuracy of the personal data once they have been provided by the Data Subject. The terms used in this notice shall have the meaning given to them in the interpretative provisions of the GDPR Regulation and on the Right of Informational Self-Determination.
SECTION I
NAME OF THE CONTROLLER
The issuer of this privacy notice is also the Data Controller:
COMPANY NAME: HeatVentors HÅ‘energiatároló Korlátolt FelelÅ‘sségű Társaság REGISTERED SEAT: 5400 MezÅ‘túr, Táncsics Mihály utca 15.
COMPANY REGISTRATION NUMBER: 16-09-017504
TAX NUMBER: 26106948-2-16
REPRESENTED BY: József Kakas Managing Director
E-MAIL: heatventors@gmail.com
CONTACT: under the "contact" section at https://www.heatventors.com/hu
(hereinafter referred to as "Data Controller", "Company")
SECTION II
NAME OF THE DATA PROCESSORS
Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Regulation Article 4 8.)
To use a data processor, prior consent from the data subject is not required, but he or she must be notified. Accordingly, the following information is provided:
Data processor performing accounting and payroll tasks:
COMPANY NAME: Tax Advisor Agency Korlátolt FelelÅ‘sségű Társaság
REGISTERED SEAT: 1051 Budapest, Hercegprímás utca 11. 2. em. 1. ajtó
COMPANY REGISTRATION NUMBER: 01-09-887776
TAX NUMBER: 14075692-2-41
Data processor performing invoicing activities:
NAME: National Tax and Customs Administration
REGISTERED SEAT: 1054 Budapest, Széchenyi utca 2.
TAX NUMBER: 15789934-2-51
REGISTRATION NUMBER: 789938
WEBSITE: https://onlineszamla.nav.gov.hu/
Furthermore, the data controller transfers data to the respective photo and video contractors.
Other Recipients:
COMPANY NAME: Google LLC
REGISTERED SEAT: 1600 Amphitheatre Pkwy Mountain View, CA 94043
(Entity listed in DPF)
WEBSITE: https://www.google.com/
COMPANY NAME: Meta Platforms, Inc.
REGISTERED SEAT: 1601 Willow Rd Menlo Park, CA 94025
(Entity listed in DPF)
WEBSITE: https://www.facebook.com/
COMPANY NAME: LinkedIn Corporation
REGISTERED SEAT: 1000 W Maude Ave Sunnyvale, CA 94085
(Entity listed in DPF)
WEBSITE: https://www.linkedin.com/
COMPANY NAME: Microsoft Corporation
REGISTERED SEAT: One Microsoft Way Redmond, Washington, USA
(Entity listed in DPF)
WEBSITE: https://www.microsoft.com/
Where the Privacy Notice generally refers to transfers to the Company's data processors, such transfers shall also be understood as transfers to the above recipients.
SECTION III.
LAWFULNESS OF PROCESSING
1. Data processing based on the data subject’s consent
1.1. Where the Company intends to carry out data processing based on consent, the data subject's consent to the processing of his or her personal data shall be obtained by means of the data request form and information as set out in the Data Processing Policy.
1.2. Consent shall also be deemed to be given if the data subject ticks a box when viewing the Company's website, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action which clearly indicates the data subject's consent to the intended processing of his or her personal data in the relevant context. Silence, ticking a box or inaction therefore does not constitute consent. The continuation of a telephone call after having been duly informed shall constitute consent.
1.3. Consent covers all processing activities carried out for the same purpose or purposes. Where processing is carried out for more than one purpose, consent shall be given for all the purposes for which the processing is carried out.
1.4. Where the data subject gives his or her consent in the context of a written statement which also relates to other matters, such as the conclusion of a sales or service contract, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language. Any part of such a statement containing the consent of the data subject which is in breach of the Regulation shall not be binding.
1.5. The Company shall not make the conclusion or performance of a contract conditional on the giving of consent to the processing of personal data which are not necessary for the performance of the contract.
1.6. The withdrawal of consent must be made as simple as the giving of consent. The data subject may withdraw his or her consent at any time by sending an e-mail to the e-mail address given in Section I.
1.7. If the data subject withdraws his or her consent, the controller may no longer process his or her data. When consent is withdrawn, the controller must ensure that the data are erased, unless another legal basis allows for the processing of those data (e.g. storage requirements or the need to perform a contract). If the data processing has been carried out for multiple purposes, the data controller may not use the personal data for the purpose for which the data subject has withdrawn consent.
2. Data processing based on performing legal obligations
2.1. In the case of data processing based on performing legal obligations, the scope of the data that can be processed, the purpose of the data processing, the duration of data storage and the recipients are governed by the provisions of the underlying legislation.
2.2. The processing of personal data for compliance with a legal obligation is independent of the consent of the data subject, as the processing is determined by law.
In this case, prior to the processing of the data, the data subject shall be informed that the data processing is obligatory and shall be clearly and in detail informed of all facts concerning the processing, in particular the purpose and legal basis of the data processing, the person authorized to handle and process the data, the duration of the data processing, whether the personal data of the data subject are processed by the Data Controller on the basis of the legal obligation applicable to him or her, and who can get access to the data. The information shall include the rights and remedies available to the data subject. In the case of mandatory data processing, the information may also take place with the publication of a reference to the legislative provisions which contain the foregoing information.
3. Data processing based on legitimate interests
3.1. The legitimate interests of the Company or a third party may provide a legal basis for the processing, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. The reasonable expectations of the data subject based on his or her relationship with the controller should be taken into account, so that the processing of personal data for contact purposes, even for direct marketing purposes, may be considered to be based on legitimate interests.
3.2. The processing based on legitimate interests requires a balancing of interests test, in which the Company will always take into account the current circumstances and the situation of the controller and the data subjects. In the case of processing in the interest of the Company, the balancing of interests tests carried out separately have led to the following result: in the balancing of interests test, the Company has concluded, taking into account the conditions described for the processing in question, that the processing is justified subject to the appropriate safeguards, as set out in this Policy, without which the Company would not be able to operate competitively. In this light, the emotional impact on data subjects and the harm to their right to privacy can be considered proportionate.
4. Data processing for the protection of the vital interests of the data subject or other natural person
4.1. Protection of the life or other vital interests of the data subject or the interests of another natural person may also constitute a legal basis for processing. Such is the case for a natural person where processing is carried out in order to receive healthcare services or to prevent the spread of epidemics.
5. Data processing based on contractual interests
5.1. Data processing may also be based on a contractual interest if it is necessary for the performance of a contract in which the data subject is a party or if it is requested by the data subject in order to prepare the contract.
6. Promoting the rights of the data subject
6.1. The Company is obliged to ensure the exercise of the rights of the data subject during all data processing.
SECTION IV
INFORMATION ABOUT DATA PROCESSING BY THE COMPANY
Data processing of a natural person (either a private entrepreneur or an individual who issues an invoice) who has entered into a contract with the Data Controller
(1) On the basis of performing the contract, the Company may process the name, birth name, date of birth, mother's name, address, tax identification number, tax number, registration number, residence, registered seat, telephone number, email address, website address, bank account number, customer number (client number, order number), online identifier (customer lists, supplier lists, loyalty program lists) of the natural person with whom the Company has a contractual relationship, including for the purpose of preparing, concluding, performing, terminating the contract, and offering contractual benefits - summarized as supporting economic processes in the common interest. Such data processing is also lawful if it is necessary to take steps upon the request of the data subject prior to the conclusion of the contract.
(2) In view of the Company's long-term business relationship, the storage duration of the personal data is 8 years after the termination of the contract.
(3) Recipients of personal data: personal data may be accessed by employees of the Data Controller who are involved in the preparation, execution and storage of the contract. Executive officers of the Company, employees performing customer service related tasks, contact persons, data processors of the Company, in particular employees performing sales tasks, and data processors. Furthermore, the bodies specified by law which are authorised to monitor by the law.
(4) The personal data may be transferred for postal delivery purposes to the Hungarian Post or the contracted delivery service, for the purpose of asset protection to the data controller's asset protection agent, and to the data controller's data processors.
(5) The processing shall be considered lawful if it is necessary in the context of a contract or the intention to conclude a contract (Preamble 44) if it is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract (Article 6 (1) b.). Thus, personal data collected in the context of contractual offers may also be processed for the purposes of the performance of a contract as described in this point. When making or receiving an offer, the Company is obliged to inform the offeror or the offeree of the offer.
Data processing related to the issuing of invoices and the storage of supporting documents for contracts concluded by the data controller.
(1) Purpose of data processing: to issue invoices and fulfil the obligation to store accounting documents in order to pay the consideration for the service pursuant to Act CXXVII of 2007 on value added tax.
(2) Data subjects: the natural person who has entered into a contract with the Data Controller or the representative of the person who has entered into a contract with the Data Controller.
(3) Scope of personal data that can be processed: name and address of the natural person; name, registered seat and tax number of the private entrepreneur; tax number of the legal person
(4) Legal basis for processing: necessary for the fulfilment of a legal obligation of the Data Controller. [Article 6(1)(c) GDPR]
(5) Recipients and categories of recipients of the personal data: data processors of the Company, in particular employees performing accounting and tax tasks, and data processors. National Tax and Customs Administration
(6) Storage period of personal data: pursuant to Article 169 (2) of Act C of 2000 on Accounting, for 8 years after the invoice is issued.
Processing of data of natural persons signing a contract on behalf of a legal person entering into a contract with the Data Controller
(1) Purpose of the processing: the purpose of the processing is to establish a contract, exercise the rights and obligations contained in the contract, enforce any civil law claims that may arise in the performance of the contract, and to record and fulfil the obligations undertaken by the Data Controller.
(2) Data subjects: natural persons who sign the contract
(3) Scope of personal data that can be processed: the natural person who signs:
-
Name, title (job title)
-
E-mail address
-
telephone number
-
mailing address
-
specimen signature
(4) Legal basis for processing: the legitimate interests of the Data Controller based on the following balancing of interests test [Article 6(1)(f) GDPR].
The Data Controller assesses whether the legal basis for the processing of the natural persons who have signed the contract is in accordance with the legitimate interest referred to in Article 6(1)(f) GDPR and that the processing does not adversely affect the interests or fundamental rights and freedoms of the Data Subjects in such a way that the legitimate interests of the Data Controller are overridden (the specific interests or fundamental rights and freedoms of the Data Subject do not prevail over the interest).
The legitimate interest exists
The delivery and acceptance of goods/services necessary for the performance of the contract and the verification thereof are interests not exclusively of the Data Controller, but also of the contracting party as a third party, which interest can be traced back to the fulfillment of contractual obligations under the law of obligations.
The Data Controller also has a significant interest in fulfilling its contractual obligations appropriately and contractually, thereby avoiding potential legal disputes. It is the Data Controller's legitimate business interest to evoke satisfaction in its contractual partners and maintain good business relationships with them.
The data processing is necessary
Data processing is necessary because without the personal data of the representative associated with a non-natural person, legal entities and the Data Controller cannot establish contact with each other. The absence of the representative's personal data would significantly hinder communication with contractual partners and the performance of contracts, which could lead to difficulties in the performance of the contracts.
Processing means a proportionate restriction on the data subject
The Data Controllers process the personal data of the Data Subject's representative only to the extent necessary to achieve a legitimate business purpose and/or to the extent necessary to contact another external body.
The processed data does not fall within the special categories of personal data, which supports the permissibility of this data processing. There is no disadvantage to the Representative as a result of the data processing; it represents a proportionate restriction since the Data Controller ensures their right to request erasure of the Representative's personal data from the Data Controller's records in case of such a request or objection.
The Data Controller limits and restricts access to personal data for its own employees. In addition, the Data Controller ensures adequate firewall and virus protection to protect the data, thereby guaranteeing the protection of data processing on a risk-proportionate basis.
The processing of the specimen signature is necessary to comply with the Data Controller's legal obligations. [Article 6 (1) (c) GDPR] The Data Controller is obliged to process the signature of the contracting partner's representative pursuant to Section 3:116 (1) of Act V of 2013.