PRIVACY AND DATA PROTECTION POLICY

DOWN FOUNDATION PRIVACY AND DATA PROTECTION POLICY

I. Purpose of the Regulations

The purpose of these Regulations is to set out the data protection and management principles applied by the DOWN FOUNDATION (Foundation) and the Foundation's data protection and management policy, which the Company recognizes as binding on itself.
When developing these rules, the Company took into particular consideration the provisions of Act LXIII of 1992 on the protection of personal data and the disclosure of data of public interest, Act CXIX of 1995 on the processing of name and address data for the purpose of research and direct marketing, Act VI of 1998 on the protection of individuals with regard to automatic processing of personal data, on the promulgation of the Convention of 28 January 1981 in Strasbourg, as well as Act XLVIII of 2008 on the basic conditions and certain limitations of commercial advertising activities, and the recommendations of the “ONLINE PRIVACY ALLIANCE”.
The purpose of this Policy is to ensure that, in all areas of the services provided by the Foundation, every individual, regardless of nationality or place of residence, has their rights and fundamental freedoms, in particular the right to privacy, respected during the automatic processing of their personal data (data protection).

II. Definitions

Personal data: data that can be linked to a specific natural person (hereinafter referred to as the data subject), and a conclusion that can be drawn from the data concerning the data subject. Personal data retains this quality during data processing as long as its relationship with the data subject can be restored;
Data processing: the collection, recording and storage, processing, use (including transmission and disclosure) and deletion of personal data, regardless of the procedure used. Data processing also includes the alteration of data and the prevention of their further use;
Data controller: the DOWN FOUNDATION (address: 1145 Budapest, Amerikai út 14. Tel.: 363-6353)

Data processing: the performance of data management operations and technical tasks, regardless of the method and means used to perform the operations, and the place of application;
Data transfer: if the data is made available to a specific third party;
Disclosure: when the data is made available to anyone;
Data processor: the natural or legal person, or an organization without legal personality, who processes personal data on behalf of the data controller;
Data erasure: making data unrecognizable in such a way that its recovery is not possible;
Automated data set: a set of data that is automatically processed;
Machine processing: includes the following operations, when they are carried out partly or wholly by automated means: storage of data, logical or arithmetical operations on data, alteration, erasure, retrieval and dissemination of data.

III. Scope of personal data processed

3.1. Data that can be provided based on the user's decision: e-mail address, telephone number, name, place of residence/stay, place and time of birth.
3.2. Data technically recorded during the operation of the system: data of the user's login computer that is generated during the use of the service and that is recorded by the data controller's system as an automatic result of technical processes.
The automatically recorded data is automatically logged by the system upon login or logout without any separate declaration or action by the user. This data cannot be linked to other personal user data, except in cases required by law. Only the data controller has access to the data.

IV. Legal basis, purpose and method of data processing

4.1 Data processing is carried out on the basis of a voluntary, properly informed declaration by the users of the internet content on the norbi.hu website, which declaration contains the users’ express consent to the use of their personal data provided during the use of the website. The legal basis for data processing is the voluntary consent of the data subject, pursuant to Section 3(1)(a) of Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Data of Public Interest (Avtv.).
4.2 The purpose of data processing is to ensure the provision of services available under the URL norbi.hu. The scope of personal data required to use these services can be found in the description of the relevant services.
4.3 The purpose of the automatically recorded data (see point 3.2) is to prepare statistics, technically develop the IT system, and protect the rights of users.
4.4 The data controller may not use the personal data provided for purposes other than those specified in these points. The disclosure of personal data to third parties or authorities - unless otherwise required by law - is only possible with the prior, express consent of the user.
4.5 The Data Controller does not verify the personal data provided to it. The person providing it is solely responsible for the accuracy of the data provided. When providing an e-mail address, any user also assumes responsibility for the fact that he or she is the only one using the service from the provided e-mail address. In view of this assumption of responsibility, any liability related to logins made using a given e-mail address lies solely with the user who registered the e-mail address.

V. Principles of data processing

5.1 Data may only be obtained and processed fairly and lawfully.
5.2 Data may only be stored for specified and lawful purposes and may not be used for any other purpose.
5.3 Data must be proportionate to the purpose for which it is stored and must be relevant to that purpose, and must not go beyond that purpose.
5.4 The method of storing data must be such that the identification of the data subject is only possible for the time necessary for the purpose of storage.
5.5 Appropriate security measures must be taken to protect personal data stored in automated data files against accidental or unlawful destruction or accidental loss, as well as against unlawful access, alteration or dissemination.

VI. Data protection guidelines applied by the Foundation

6.1 The Foundation uses personal data that is essential for using the services of the Down Foundation based on the consent of the data subjects and exclusively for the purpose for which it was collected.
6.2 The Foundation, as the data controller, undertakes to handle the data it has obtained in accordance with the data protection law and the data protection principles set out in these Regulations, and not to transfer them to third parties. An exception to this is the use of the data in a statistically aggregated form, which may not contain the name of the user concerned or any other data capable of identifying the user in any form.
6.3 In certain cases – in the event of an official court or police request, legal proceedings, infringement of copyright, property or other rights or reasonable suspicion thereof, harm to the interests of the Foundation, endangerment of the provision of its services, etc. – the Foundation makes the data of the user concerned accessible to third parties.
6.4 The Down Foundation's system may collect data on users' activity, which cannot be linked to other data provided by users upon registration, nor to data generated when using other websites or services.
6.5 The Foundation undertakes to publish a clear, eye-catching and unambiguous notice before collecting, recording or processing any data of its users, informing them of the method, purpose and principles of data collection. In addition, in all cases where data collection, processing or recording is not mandatory by law, the Foundation draws the user's attention to the voluntary nature of data provision. In the case of mandatory data provision, the law ordering data management must also be indicated. The data subject must be informed of the purpose of data management and who will manage or process the data. Information about data management is also provided if a law provides for the recording of data by forwarding or linking it from existing data management.
6.6 In all cases where the Foundation intends to use the provided data for a purpose other than the original purpose of data collection, it will inform the user of this and obtain their prior, express consent, or provide them with the opportunity to prohibit the use.
6.7 The Down Foundation, as a data controller, shall comply with the restrictions set by law in all cases when collecting, recording and processing data, and shall inform the data subject of its activities by electronic mail upon request. The Foundation undertakes not to impose any sanctions on a user who refuses to provide non-mandatory data.
6.8 The Down Foundation undertakes to ensure the security of data, to take technical and organisational measures and to establish procedural rules to ensure that the data recorded, stored and processed are protected and to prevent their destruction, unauthorised use and unauthorised modification. It also undertakes to call on any third parties to whom the data may be transmitted or transferred to fulfil their obligations in this regard.

VII. Duration of data processing

7.1. The personal data provided by the user will be processed until the user unsubscribes from the service – using the given username. The deletion date is 10 working days from the receipt of the user's unsubscribe (deletion request).
In the event of illegal or misleading use of personal data or a crime committed by the user or an attack on the system, the Data Controller is entitled to delete the user's data immediately upon termination of their registration, but in the event of suspicion of a crime or civil liability, the Data Controller is entitled to retain the data for the duration of the proceedings to be conducted.
7.2. The personal data provided by the user – even if the user does not unsubscribe from the service – may be processed by the Foundation as the data controller until the user expressly requests in writing to terminate their processing. The user’s request to terminate data processing without unsubscribing from the service does not affect his/her right to use the service, however, it may be possible that in the absence of personal data, he/she will not be able to use certain services. The data will be deleted within 10 working days of receipt of the request.
7.3. Data automatically and technically recorded during the operation of the system will be stored in the system for a period of time justified from the time of their generation in order to ensure the operation of the system. The Foundation ensures that these automatically recorded data cannot be linked to other personal user data – except in cases required by law. If the user has withdrawn their consent to the processing of their personal data or has unsubscribed from the service, their person will no longer be identifiable from the technical data.

VIII. Handling of personal data

8.1 Changes in personal data or a request to delete personal data can be communicated by means of a written statement sent via the service's internal mail system. The sending of newsletters can be cancelled by modifying the user interface settings on the site.
8.2 Certain personal data can also be modified by making changes on the personal profile page.
8.3 After a request to delete or modify personal data has been fulfilled, previous (deleted) data can no longer be restored.

IX. Data processing

9.1 The Down Foundation does not use a separate external data processor. It processes the personal data it manages itself.

X. Possibility of data transfer

10.1. The Foundation, as a data controller, is entitled and obliged to forward all personal data at its disposal and duly stored by it to the competent authorities, which data it is obliged to forward by law or a legally binding official obligation. The data controller cannot be held liable for such data forwarding and the consequences arising therefrom.

XI. Amendment of the data management policy

11.1 The Down Foundation reserves the right to amend this Data Management Policy at any time by its unilateral decision. After the amendment of the Data Management Policy, all users must be informed in an appropriate manner (in a newsletter, in a pop-up window upon entry). By continuing to use the service, users acknowledge the changed data management rules, and there is no need to request their consent beyond this.

XII. Users' rights regarding their personal data processed by the data controller

12.1 Users may request information from the Foundation, as the data controller, about the processing of their personal data at any time in writing, by registered letter or registered letter with acknowledgment of receipt sent to the data controller’s address, or by e-mail sent to admin@kezmuveshop.hu. The data controller considers a request for information sent by e-mail to be authentic only if it is sent from the user’s registered e-mail address. The request for information may include the user’s data processed by the data controller, the purpose, legal basis, duration of the data processing, the name and address of any data processors, the activities related to the data processing, and who has received or will receive the user’s data and for what purpose.
12.2 The data controller is obliged to respond to any question related to data processing within 8 working days of receipt. In the case of e-mail, the date of receipt shall be considered the first working day following the sending.

XIII. Legal enforcement options:

13.1 The user may exercise his rights in court under the Avtv. and Act IV. of 1959 (Ptk.), and may also request the assistance of the Data Protection Commissioner in any matter related to personal data. (1051. Budapest, Nádor u. 22., postal address: 1387. Bp. Pf.: 40.). In addition, with any questions or comments related to data management, you can also contact the data controller's staff at admin@kezmuveshop.hu by email.
Budapest, 2015-02-25

PayU supplement
I agree that the following personal data stored in the user database of https://kezmuveshop.hu by the Down Foundation (1145 Budapest, Amerikai út 14. Tel.: 363-6353) will be transferred to PayU Hungary Kft. (1074 Budapest, Rákóczi út 70-72.), as data controller. The scope of the transferred data: username, surname, first name, country, telephone number, e-mail address. The purpose of the data transfer: providing customer service assistance to users, confirming transactions and fraud monitoring for the protection of users.
