Dizendom Ltd. (Headquarters: 6800 Hódmezővásárhely, Bakay Nándor u. 6, hereinafter: Dizendom Ltd. Or an enterprise or data controller) is governed by the Hungarian Act CXII of 2011 on Information Self-Determination and Freedom of Information and the CVIII of 2001 on certain aspects of electronic commerce services and information society services. provides for the processing of personal data of persons who come into contact with the company, in accordance with the provisions of Act IV of the Act:
Principles of data management
1.1. The personal data obtained by Dizendom Ltd. in the course of its commercial activities and the operation of the websites operated by Dizendom Ltd. to fulfil its obligations.
1.2. At all stages of data management, the purpose of data management must be appropriate, and the recording and handling of data must be fair and lawful.
1.3. Dizendom Ltd. respects the privacy of natural persons.
1.4. Dizendom Ltd. May only handle personal data that is necessary for the fulfilment of the purpose of data management, and which is suitable for the achievement of the purpose. Personal data may be processed only to the extent and for the time necessary to achieve the purpose.
1.5. The enterprise shall ensure the accuracy, completeness and, where necessary for the purposes of data processing, the accuracy of the data and that the data subject can be identified only for the time necessary for the purposes of the data processing.
Legal basis of data management
2.1. The Company may manage the natural personally identifiable information and address required to identify the recipient for the purposes of establishing, defining, modifying, modifying, monitoring, and enforcing the content of a contract for the sale, use, or sale of a marketed product.
2.2. For billing fees from contracts related to the sale or use of the Product, you may manage the natural person's personal information, address, and date, time, and location of service.
2.3. In addition, the Company may process personal information that is technically indispensable for the provision of the Service in order to provide the Product. Unless otherwise stated, a business must select and in any case operate the tools used in the provision of the information society service in such a way that personal data is processed only if it is provided for the provision of the service, the sale of the product and is absolutely necessary for the achievement of goals, but in this case only to the extent and for the time necessary.
2.4. Any business use data for purposes other than those set out in the preceding paragraph, in particular to increase the efficiency of its service, to deliver electronic advertising or other addressed content to the user, for market research purposes only with the prior determination of the data management purpose and consent of the user manage.
2.5. A 2.4. shall not be linked to the identity of the recipient and shall not be disclosed to a third party without the consent of the recipient.
2.6. Dizendom Ltd. May manage personal data if the data subject has consented to it.
2.7. The consent of the data subject shall include, in addition to the express written statement to this effect, the initiative to establish an economic relationship with Dizendom Ltd. visiting, using, sending an inquiry, placing an order, concluding a contract, writing, electronic and verbal correspondence, electronic and paper correspondence, etc., related to the business of the company,
2.8. The consent of the data subject shall be deemed to have been given to the data subject voluntarily or at the request of the enterprise, as provided in these Rules.
2.9. Where personal data have been collected with the consent of the data subject, the data controller shall, unless otherwise provided by law, (a) fulfil his or her legal obligation, or (b) enforce a legitimate interest of the data controller or third party, it may be managed without further specific consent and may be managed after withdrawal of the data subject's consent.
Personal data managed by the company
3.1. Dizendom Ltd. Stores the following personal data of the persons contacting it: 3.1.1. For natural persons:
- birth name
- time and place of birth
- tax ID
- job title
- e-mail address
- phone number
- bank account number
3.1.1. In the case of legal persons and other entities:
- company name
- company registration number
- tax number
- phone number
- e-mail address
- name, address, e-mail address, telephone number of representative / contact
- Bank account number
- scope of activities
Data security requirement
4.1. The data controller must plan and execute the data processing operations in such a way as to ensure the protection of the privacy of the data subjects when applying the Info Act and other rules applicable to data processing.
4.2. The data controller and the data processor are required to ensure the security of the data and to take the technical and organisational measures and procedures necessary to enforce the Info Act and other data and confidentiality rules.
4.3. In particular, the data shall be protected by appropriate measures against unauthorised access, alteration, transmission, disclosure, deletion or destruction, and against accidental destruction or damage, or loss of access due to changes in the technology used.
4.4. In order to protect electronically managed data files in different registers, it must be ensured by appropriate technical means that, unless legally allowed, the data stored in the registers cannot be directly linked and assigned to the data subject.
4.5. During the automated processing of personal data, the controller and the processor shall take further measures to prevent unauthorised data entry;
(b) prevent the use of automatic data-processing systems by unauthorised persons using data communication equipment;
(c) the verifiability and identifiability of the bodies to which the personal data have been or may be transmitted using data communication equipment;
(d) the verifiability and identifiability of the personal data entered into the automated data-processing systems, when and by whom;
(e) the recoverability of installed systems in the event of a malfunction; and
(f) reporting of errors in automated processing.
4.6. The controller and the processor shall take into account the state of the art when defining and applying data security measures. There should be a choice between several possible data management solutions which provide a higher level of protection of personal data, unless this would be a disproportionate difficulty for the controller.
Transmission of data abroad
5.1. You may transfer personal data to a data controller or a data processor in a third country or to a data processor in a third country if
(a) the data subject has expressly consented to it, or
(b) the data processing pursuant to Section 5 of the Info and Article 6, and, except in the case provided for in Article 6 (2), an adequate level of protection of personal data shall be ensured in the processing and processing of the transferred data in the third country.
5.2. The transfer of data to an EEA State shall be considered as a transfer within the territory of Hungary.
6.1. The rights and obligations of the data processor in connection with the processing of personal data are determined by the data controller in the framework of the Info Act and the specific laws governing data processing. The controller is responsible for the legality of the instructions he gives.
6.2. The data processor may use additional data processor as directed by the data controller.
6.3. The data processor may not make a substantive decision regarding data processing, may process personal data of which he or she has knowledge only in accordance with the provisions of the data controller, shall not process data for his or her own purposes, and shall store and store personal data according to data controller regulations.
6.4. The data processing contract must be in writing. Data processing cannot be entrusted to an organisation that is interested in a business that uses the personal data to be processed.
Decision made by automated data processing
7.1. A decision based solely on the assessment of the personal characteristics of the data subject may be taken only by means of automated data processing where the decision) is made at the time of the conclusion or performance of a contract, provided it is initiated by the data subject; it also lays down measures.
7.2. In the case of a decision taken by automated data processing, the data subject shall, upon request, be informed of the method used and its substance, and given the opportunity to express his or her views.
Use of personal data for statistical purposes
8. Personal data collected, received or processed for statistical purposes may be processed for statistical purposes only, unless otherwise provided by law. The detailed rules governing the processing of personal data for statistical purposes shall be laid down in a separate law to which the controller shall comply.
Rights and enforcement of stakeholders
9.1. The data subject may request the controller to (a) inform him or her of the processing of his or her personal data, (b) to rectify his or her personal data, and (c) to delete or block his or her personal data.
9.2. At the request of the data subject, the controller shall provide information on the data processed by the data controller or processed by the data controller, the source, the purpose, legal basis, duration, name, address and data processing activities of the data subject. in case of transfer of personal data - the legal basis and the recipient of the transfer.
9.3. The Controller shall keep a record of the transfer for the purpose of checking the legality of the transfer and informing the data subject of the date of transfer, the legal basis and addressee of the transfer, the scope of the transferred personal data and other data prescribed by law. The Company shall ensure that the recipient of the service is able to prohibit the management of its data both before and during the use of the service.
9.4. The duration of the obligation to retain the data referred to in the previous paragraph in the data transfer register and, on that basis, the information obligation may be limited by the law governing the data processing. Within this limit, the period shall not be less than five years for personal data and less than twenty years for sensitive data.
9.5. The controller shall provide the information in writing, at the request of the data subject, in a comprehensible form, within the shortest possible period of 30 days from the submission of the request.
9.6. The information referred to in the previous paragraph shall be free of charge if the person requesting the information has not yet submitted an information request to the controller for the same scope in the current year. In other cases, reimbursement may be granted. The amount of the reimbursement may also be fixed in the contract between the parties. Reimbursement of costs already paid shall be refunded if the data have been unlawfully processed or the request for information has led to rectification.
9.7. The data controller may refuse to inform the data subject only in cases defined by law.
9.8. In the event of a refusal to provide information, the controller shall inform the data subject in writing of the provisions of the Info Act which have been denied. In the event of a refusal to provide information, the data controller shall inform the data subject of the possibility of judicial redress and recourse to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority). The controller shall inform the Authority annually of the rejected applications by 31 January of the year following the reference year.
9.9. If the personal data do not correspond to the reality and the correct personal data are available to the data controller, the personal data will be corrected by the data controller.
9.10. Personal data must be deleted if (a) its processing is unlawful; (b) at the request of the person concerned; (c) incomplete or erroneous, which cannot be legally remedied, provided that deletion is not excluded by law; (d) the purpose of the data processing has ceased to exist or the statutory period for storing the data has expired; (e) it has been ordered by a court or by the Authority.
9.11. In the case referred to in point (d) of the preceding paragraph, the obligation to delete shall not apply to personal data whose storage medium is subject to archival storage under the law on the protection of archival material.
9.12. In Figures 2.1 to 2.3. shall be deleted after the contract has been concluded, terminated and invoiced. A 2.4. The data processed for the purpose set out in point 4.2 shall be deleted if the purpose for which the data is processed ceases to exist or if the recipient so provides. Unless otherwise provided by law, deletion of data shall be effected immediately.
9.13. Instead of deletion, the controller shall block personal data if the data subject so requests or if the information available to him / her indicates that deletion would harm the data subject's legitimate interests. The personal data so locked up may only be processed for as long as the purpose of the data processing, which precludes the deletion of the personal data, is fulfilled.
9.14. The controller shall designate the personal data it processes if the data subject disputes its correctness or accuracy, but the inaccuracy or inaccuracy of the personal data in question cannot be clearly established.
9.15. Rectification, blocking, marking and deletion shall be notified to the data subject and to those to whom data have previously been transmitted for data management purposes. Notification may be dispensed with if this is not contrary to the data subject's legitimate interest with regard to the purpose of the processing.
9.16. If the controller does not comply with the request for rectification, blocking or deletion of the data subject, he shall, within 30 days of receipt of the request, state in writing the factual and legal reasons for refusing the request for rectification, blocking or deletion. In the event of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of a judicial remedy and of recourse to the Authority.
Requirement for prior information to be provided
10.1. The data subject must be informed before the commencement of data processing whether the data processing is consent or obligatory.
10.2. The data subject shall be clearly and fully informed, prior to the start of the processing, of all facts relating to the processing of the data, including in particular the purpose and legal basis of the processing, the data subject and the duration of the processing. and who can access the data. The information should also cover the data subject's rights and remedies.
10.3. Where personal information of the data subjects would be impossible or disproportionate, the information could also be disclosed by the disclosure of: (a) the fact of the data collection, (b) the data subject, (c) the purpose of the data collection, the identity of the authorised data controllers; (f) a description of the data subjects' rights and remedies available to them;
Dispute against personal data management
11.1. The data subject may object to the processing of his personal data: (a) unless the processing or transfer of the personal data is necessary solely for the fulfilment of the legal obligation to which the controller is subject or for the legitimate interest of the controller, the recipient or a third party; (b) where the personal data are used or transmitted for the purpose of direct marketing, opinion polling or scientific research; and (c) in other cases provided for by law.
11.2. The controller shall investigate the objection as soon as possible after filing the application, and in any event within 15 days, and shall inform the applicant in writing of its decision.
11.3. If the controller establishes the validity of the data subject's objection, the data processing, including further data collection and transfer, shall be terminated and the data shall be blocked, and the person to whom he or she has previously communicated the data subject to the objection shall be notified of the objection and and who are required to take action to enforce the right of protest.
11.4. If the data subject is subject to the provisions of Article 11.2. disagree with the decision made in accordance with point 11.2. If the person fails to comply with the time-limit laid down in paragraph 1, he or she may, within 30 days of the date of notification of the decision or the last day of the time limit, apply to the court.
11.5. If the data subject does not receive the data necessary to assert the data subject's right because of the data subject's objection, he or she may, within 15 days of the notification under paragraph 3, bring an action against the data controller to obtain the data. The data controller may also sue the data subject.
11.6. If the controller fails to notify in accordance with paragraph 3, the data subject may request clarification from the controller of the circumstances surrounding the data transmission failure, which shall be provided by the data controller within 8 days of receiving the data subject's request. In the event of a request for information, the data subject may lodge a legal action against the data controller with the court within 15 days of giving the information, but not later than the time allowed. The data controller may also sue the data subject.
11.7. The data controller may not delete the data of the data subject if the data processing has been ordered by law. However, the data may not be forwarded to the data recipient if the data controller has consented to the protest or the court has determined that the protest is justified.
12.1. The data subject shall be held liable in the event of a breach of his - June 11 of this Directive, the data receiver may bring a case against the controller. The court will deal with the matter out of turn.
12.2. The data controller must prove that the data management complies with the provisions of the law.
12.3. The trial court shall have jurisdiction over the case. At the choice of the data subject, the lawsuit may be instituted before the court in the place where the data subject is domiciled or habitually resident.
Compensation and injury compensation
13.1. If the controller causes damage to another through unlawful processing of data of the data subject or violation of data security requirements, he or she is obliged to compensate him.
13.2. If the controller violates the privacy of the data subject by illegally processing the data of the data subject or by violating data security requirements, the data subject may claim damages from the data controller.
13.3. The data controller shall be liable to the data subject for the damage caused by the data processor, and the data controller shall also pay the data subject compensation for the personal data breach caused by the data processor. The controller shall be exempt from liability for damages and payment of damages if he proves that the damage or the violation of the privacy of the data subject was caused by an unavoidable cause outside the scope of the data management.
13.4. There is no need to compensate for the damage or to claim damages to the extent that the damage was caused by deliberate or grossly negligent behaviour on the part of the injured party or a violation of privacy.
Investigation by the national data protection and freedom of information
14. Anyone may, upon notification to the Authority, initiate an investigation alleging that there has been, or may be an imminent breach of law relating to the processing of personal data or the exercise of rights relating to the public or to the disclosure of data of public interest.