Anita Toth Products Limited Liability Company

PREAMBLE, LEGALITY OF DATA PROCESSING

As Data Controller, Anita Toth Products Ltd. (hereinafter referred to as „Data Controller”) in order to ensure the security of personal data, declares that the collected data is processed according to the applicable laws in accordance with the Constitutional Law of Hungary, Act 112 of 2011 on Informational Self-determination and Freedom of Information and Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 („GDPR”) and constitutes its Privacy Policy as follows:

The processing of personal data is lawful only if one of the following conditions is met:

(i) the data subject has given consent to the processing of his / her personal data for one or more specific purposes;

(ii) data processing is necessary for the performance of a contract in which the data subject is a party, or before the signing of a contract, it is necessary to take action at the request of the data subject;

(iii) data processing is necessary to fulfil the legal obligation for the data controller;

(iv) data processing is necessary for the protection of the vital interests of the data subject or another natural person;

(v) data processing is necessary for the performance of a task in the public interest or exercised by the Data Controller in the framework of public duty entitled thereto on;

(vi) data processing is necessary to enforce the legitimate interests of the Data Controller or a third party, unless the interests or fundamental rights and freedoms of the data subjet have priority and require the protection of personal data, especially, if the data subject is a child.

 

I. DEFINITIONS

1. data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2. data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Data Controller regarding present Privacy Policy:

Data Controller:
Name: Anita Toth Products Ltd.
seat: 1136 Budapest, Balzac str. 37.
company registry number: Cg. 01-09-330878
tax number: 24923510-2-41
manager: Anita Tóth
website: https://anitatoth.com/ and https://www.anitatoth.hu/
email address: hello@anitatoth.com
mobile: +36 30 653 5549

3. processing: the execution of the technical tasks relating to data processing, regardless of the used technique and instrument, or the place of processing, where the technical task is performed on personal data.

4. data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Data processor regarding present Privacy Policy:
As accountant:
Name: Írisz Office Zrt.
seat: 1114 Budapest, Bartók Béla road 29. 1st floor. 4.
tax number: 25338450-2-43
email address: iroda@iriszoffice.hu
mobile: +36 30 238 1302
telephone: +36 1 550 0510

5. destruction of data: the total physical destruction of the data medium on which the data are stored;

6. erasure of data: making data unrecognizable in such a way that their recovery is no longer possible;

7. transfer of data: making the data available to certain third parties;

According to present Privacy Policy the Data Controller transfers data on the grounds of employment-health reasons:

Transferred data are processed solely by:

Name: GLS General Logistics Systems Hungary Kft.
seat: H-2351 Alsónémedi GLS Európa u. 2.
company registry number: 13-09-111755
tax number: 13-09-111755
website: https://gls-group.eu/HU/hu/home
email address: info@gls-hungary.com
mobile: support telephone: +36 29 88 66 70
support telephone available from abroad: +36 29 88 66 70
Legal information: https://gls-group.eu/HU/hu/altalanos-uzleti-feltetelek

8. personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

9. GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

10. consent: a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement;

11. Information Act: Act CXII of 2011 on Informational Self-determination and Freedom of Information;

12. personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

13. objection: the declaration of the data subject in which he/she objects to the processing of his/her personal data, and demands the termination or erasure of his/her processed data;

 

III. PRINCIPLES OF DATA PROCESSING

The processing of personal data by Data Controller is handled in accordance with the following principles:

The processing is conducted in accordance with the applicable laws, fairly and transparently for the data subject.

During the data procession, the principle of data minimalisation applies, based on which data procession must be appropriate and relevant to the purpose, and limited to necessity.

Data procession needs to be accurate and, if necessary, up-to-date. In this matter, Data Controller takes all reasonable steps to ensure that inaccurate data is deleted or corrected without delay.

Personal data is stored for limited time, only for the period necessary for its purpose.

In the procession of personal data Data Controller ensures the protection against unauthorized or unlawful handling and accidental loss, destruction or damage of the data.

Personal data is only processed for the purpose and manner specified in the Privacy Policy, in order to exercise and fulfil the rights specified in the Privacy Policy. This purpose has to be met at all stages of the data procession.

Personal data is only processed if it is essential for the data procession to reach its purpose and only to the extent and for the time needed to attain such.

Personal data is processed in particular when it is necessary to protect the vital interests of the data subject, to perform the contract between the data subject and the data controller, to enforce the legitimate interest of the data controller or third party.

 

IV. PROCESSED DATA

Data Controller performs data processing in the following registers:
• labour registry
• data of contracting parties
• sending of direct marketing material (newsletter)
• occasional data processing

Data Controller registers the data stored in the different registry systems, the purposes of data processing, and the regulations regarding the means and time of data storage.

 

V. RIGHTS OF DATA SUBJECTS AND THEIR ASSERTION

Information about the Data Controller, the Data Processor, the processed data, the purpose of processing, the rights and the options for asserting of rights of data subjects, are provided for the data subjects in the Privacy Policy issued.

a) right of access ~ during the data processing, the data subject is entitled to access all data stored about him/her, and to be informed about the purpose, legal basis, storage and the duration of storage of his/her data. The right to information covers the rectification, erasure and restriction of processing concerning the processed data, and the option to file a complaint to the supervisory authority. Fulfilment of the request of the data subject to exercise his/her rights shall not be denied, unless it may be demonstrated that the data subject shall not be identified. For any further hard-copies requested by the data subject, we may charge a reasonable fee based on administrative costs.

b) right to rectification ~ the data subject is entitled to ask from the Data Controller to have any of the data subject’s data that may be incorrect or incomplete, rectified.

c) right to erasure (”right to be forgotten”) ~ Erasing of the data by the Data Controller upon the request of the data subject, but this does not mean a general obligation for the Data Controller. The data subject is entitled to have his/her data to be erased (forgotten), where at least one of the following conditions applies:

(i). the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed;

(ii). the data subject has withdrawn his or her consent to the processing of personal data concerning him or her, and the data processing does not have other legal basis;

(iii). the data subject  objects to the processing of personal data concerning him/her, and there is no other prioritized reason for the data processing;

(iv). the data processing was unlawful;

(v). the data needs to be erased under applicable legislative duties of the Data Controller.

Following the termination of the legal basis for the data processing, including the case in which the data subject withdraws his/her consent to the processing of personal data, any personal data processed by the data controller shall be erased within a short period of time.

d) right to blocking of data ~ Instead of erasure, the Data Controller shall block the personal data upon the data subject’s request, if based on the available evidence it can be assumed that the erasure would infringe the rightful interests of the data subject

Personal data blocked this way shall only be processed until the purpose prohibiting the erasure of the data, stands.

e) right to restriction of processing ~ if the accuracy, lawfulness, or necessity of processing concerning the personal data is contested by the data subject, or if the data subject objects to the processing of personal data, the data subject is entitled to obtain from the Data Controller restriction of processing, concerning his/her data.

f) right to obtain a copy of personal data ~ the data subject is entitled to obtain from the data controller a digital copy (pdf, doc, excel, txt) of the personal data undergoing processing, in order for the data to be provided to another data controller.

g) right to object ~ where personal data are processed for the exercise of rights of the controller or any third parties; and where personal data are processed or forwarded for direct marketing or statistical purposes, scientific or historical research, and in the cases and under the conditions provided for by law, the data subject is entitled to object at any time to the processing of personal data concerning him or her.

The objection shall be without delay, and no later than 15 days
• examined,
• the objection’s merits be decided, and
• the objector be informed about the decision.

 

VI. USE OF DATA, DATA TRANSFER

VI.1. USE OF DATA

It shall be considered use of data if the personal data are used as evidence in a court process or in other processes before an authority.

The person whose rights or rightful interests are concerned by the storing of data, along with proving his/her right or rightful interest, may request within 3 (three) working days from the storing of his/her data, for the data to not be erased or destroyed by the Data Controller. Upon request from a court or other authority, the personal data shall be immediately sent to the requesting court or authority. If no official request arrives within 30 (thirty) days from the day of the request for the data to not be erased or destroyed, the stored picture and/or sound recording, and other personal data shall be erased or otherwise destroyed.

VI.2. DATA TRANSFER

Personal data may only be transferred to third parties with the prior written consent of the data subject. The Data Controller shall inform the data subjects about the data processors and other recipients of data transfer in chapter I. of the Privacy Policy. (see: Chapter I. section 7.)

The Data Controller in order to fulfil its contractual obligations, shall keep contact with the recipients of data transfer specified in chapter I. section 7. The Data Controller in order to fulfil its contractual obligations shall transfer the personal data of the Data Subjects (Customers) to the recipients.

The Data Controller, at the time of- and after concluding the legal relationship relating to data transfer, expects from its data processor partners that during the processing of personal data they shall act in accordance with the provisions of the Info Act, GDPR and the applicable data protection laws and regulations. The recipients of the data transfer shall undertake the principle of data minimalisation. The Data Controller shall ask for a separate, express consent of the data subjects in case it plans to transfer data outside the EEA. Both the information given to the data subject and the consent shall cover the exact name and address or company name and seat of the data processor, the transferred data, the exact geographical location of the storage and processing of data.

The Data Controller in order to monitor the lawfulness of the data transfer, and in order to keep the data subjects informed, shall keep a record of the major and high risk data transfers, which shall contain the date of the transfer of the processed personal data, the purpose and recipient of the data transfer, the exact list of the transferred data, and other information about the data processing provided for by law.

VI.3. ACCESSING THE DATA

Only those persons shall have a right to access the personal data of the Data Subjects processed by Data Controller, who need it for the assertion of their rights. The name of the data controller, or other persons entitled to access the data, the purpose and date of the access shall be registered in a record.

 

VII. DATA BREACH

The data shall be protected by adequate means especially against unauthorised access, modification, transfer, disclosure, erasure or destruction and accidental destruction or damage, and against inaccessibility resulting from the change of the technology used for access.

The Data Controller and the data processor shall consider the present state of technology at the time of taking actions regarding data security. When multiple options are available, the option providing the highest level of data security shall be chosen, with the exception if this would result in disproportionate difficulties for the Data Controller.

The Data Controller has drafted a data breach policy for data breaches, which contains the possibilities of reporting the data breach and the persons responsible for preventing data breaches, and also the relevant deadlines.

The Data Controller shall keep record of all data breaches.

 

VIII. ACCESS TO JUSTICE

The data subject has the right to apply to the courts, should his/her rights be infringed. The court shall proceed promptly. The law suit shall be decided before a Municipal Court of Justice. The law suit – subject to the choice of the data subject – may be filed to the Court of Justice of the data subject’s home address or residence.

 

IX.4. RIGHT TO COMPENSATION FOR DAMAGES

The Data controller shall compensate for any and all damages caused by unlawful data processing or by violation of the requirements of data security. If the Data controller infringes the rights relating to personality of the data subject by unlawful data processing or by violation of the requirements of data security, the data subject shall be entitled to demand restitution from the Data Controller.

Regarding the data subject, the Data Controller shall also be liable for the damages caused by the data processor. The Data Controller shall be relieved of the liability if it proves that the damage was caused by unavoidable reasons, beyond the scope of data processing. No compensation shall be required and no restitution shall be claimed insofar as the damages or infringement of the rights relating to personality are a result of the deliberate or gross negligence of the data subject.

 

X. DATA PROCESSING REGARDING DATA CONTROLLER’S WEBSITE

On the website, all information and content can be accessed without providing any personal data

The website may use so-called cookies:

• Necessary cookies – which serve the base functions;
• Functional cookies – which save user preferences;
• Performance cookies – which help increase the performance of the website, thus improving the user experience;;
• Statistical cookies – follows user behaviour, measures the accessibility of the website and the number of returning visitors;.
• Online advertising cookies – provide advertisements according to the personal interest of visitors.

The following cookies are used on the website:
• Necessary cookies – which serve the base functions of the website

During the use of the website, cookies of third parties may be downloaded to your computer, which help the sharing of content on social media sites, or the creating of visitor statistics.

The measurement and auditing of visitor statistics and other internet-analytical data are supported by third-party providers. (For further details, please visit: google.com/analytics/).

On the website, links and icons of other websites (for example Youtube video links or links to contracting parties’ websites) are also present, which redirect the user to the specified websites. These websites also use cookies, of which information can be found on the certain website. The data controller does not oversee the websites of third parties, and shall not be liable for the content of third-party pages.

The purpose of the data stored within cookies is to improve the user experience and to develop the website’s online services. The cookies used by the website do not store any personal information.

Any cookies stored on your computer during your visit of the website may be removed, and you are able to prevent the use of cookies in your internet browser settings.

The Data Subject, by providing his/her name and email address, may contact the Data Controller by clicking on the „Contact” tab.

Providing information is voluntary, by sending the e-mail, which we consider a consent regarding the above mentioned purposes to be given. The Data Controller stores the ideas, opinions, comments contained in the emails for 1 year, but with the expiry of the cause of data processing, the e-mails are erased.

Effective from: 09th August, 2018.