of Anita Toth Products Limited Liability Company
PREAMBLE, LEGALITY OF DATA PROCESSING
The Data Controller declares that it processes personal data in accordance with the Fundamental Law of Hungary, Act 112 of 2011 on Informational Self-determination and Freedom of Information and Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).
The Data Controller respects the personal data of its employees, clients, contractual partners, furthermore of the visitors of the https://www.anitatoth.com/. It shall treat and process all data and facts that come to its knowledge as confidential and such data is processed solely on the basis of performance of a contract, legal obligation, its own legal interest with respect to the data subject’s interests and their consent based on prior information.
PRINCIPLES OF DATA PROCESSING
The processing of personal data is carried out by the Data Controller by following the below principles at all times:
Personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
The principle of purpose limitation shall govern data processing, and the processing of personal data shall be compatible and relevant with its purpose, furthermore it shall be necessary for such purposes.
Data processing shall be accurate and, where necessary, kept up to date. The Data Controller shall make every reasonable step to ensure that inaccurate personal data is erased or rectified without delay.
Personal data are stored in a limited manner until the purpose of their processing has been met.
It ensures appropriate security of personal data against unauthorised or unlawful processing and accidental loss, destruction or damage.
The Data Controller only processes personal data that is essential for the realization of the purpose of data processing; suitable for the achievement of these purposes and only to the extent and time necessary for the realization of the purpose.
It uses appropriate technical or organisational measures in order to ensure the appropriate security of personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
INFORMATION PROVIDED TO DATA SUBJECTS
The partners aiding the work of the Data Controller(s) and Data Processor(s) are bound by the obligation of confidentiality with regard to the personal data of the data subjects.
- data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Name: Anita Toth Products Ltd.
seat: 1136 Budapest, Balzac str. 37. mz. 2.
branch office: HU-6724 Szeged, Pulz str, 46. B. ép.
company registry number: Cg. 01-09-330878
tax number: 24923510-2-41
manager: Anita Tóth
website: https://www.anitatoth.com/ and https://www.anitatoth.hu/
email address: firstname.lastname@example.org
mobile: +36 30 653 5549
- processing: the execution of the technical tasks relating to data processing, regardless of the used technique and instrument, or the place of processing, where the technical task is performed on personal data.
- data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Name: Írisz Office Zrt.
seat: 1114 Budapest, Bartók Béla road 29. 1st floor. 4.
tax number: 25338450-2-43
email address: email@example.com
mobile: +36 30 238 1302
telephone: +36 1 550 0510
As hosting provider:
Name: Tárhely.eu Szolgáltató Korlátolt Felelősségű Társaság
seat: 1144 Budapest, Ormánság str. 4. 10th floor 241.
tax number: 14571332-2-42
email address: firstname.lastname@example.org email@example.com
mobile: +36 30 238 1302
telephone: +36 1 789-2-789
As webpage developer:
Name: Eazy Digital Kft.
seat: 1024 Budapest, Széll Kálmán tér 11.
tax number: 25503160-2-41
email address: firstname.lastname@example.org
mobile: (+36 20) 210 5527
- destruction of data: the total physical destruction of the data medium on which the data are stored;
- erasure of data: making data unrecognizable in such a way that their recovery is no longer possible;
- transfer of data: making the data available to certain third parties;
Transferred data are processed solely by:
Name: GLS General Logistics Systems Hungary Kft.
seat: H-2351 Alsónémedi GLS Európa u. 2.
company registry number: 13-09-111755
tax number: 13-09-111755
email address: email@example.com
support telephone available from abroad: +36 29 88 66 70
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- consent: a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,
such as by a written statement, including by electronic means, or an oral statement;
- Information Act: Act CXII of 2011 on Informational Self-determination and Freedom of Information;
- personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- objection: the declaration of the data subject in which he/she objects to the processing of his/her personal data, and demands the termination or erasure of his/her processed data;
THE DATA CONTROLLER PROCESSES YOUR PERSONAL DATA UNDER THE FOLLOWING RIGHTS AND PURPOSES:
Data processing based on the performance of a contract [GDPR Article 6 Section 1 paragraph b]
As part of the performance of a contract, the Data Controller processes the personal data of natural persons for the following purposes.
Personal data of employees:
name; birth name; place and date of birth; mother’s maiden name; qualification; address; phone number; e-mail address; name of financial institution and account number; specimen signature
Personal data of clients and contractual partners:
name/company name; address; shipping address; name of contact person; phone number; e-mail address
The purpose of data processing is to enter into the relevant written contracts, fulfil contractual obligations and to provide contact details.
Data processing based on compliance with a legal obligation [GDPR Article 6 Section 1 paragraph c]
The following personal data of employees are processed and may be processed by the Data Controller based on the obligations set forth by the Labour Code on persons entitled to social security benefits and private pensions and the coverage of such services, the Act on social security pensions, the Act on personal income tax and the Act on taxation and judicial enforcement.
name; birth name; place and date of birth; mother’s maiden name; social security number; tax number; address; personal data on tax reduction; personal data on enforcement;
The purpose of data processing of employee’s data is to fulfil the obligation to pay contributions and annuities, to deduct the tax advances and to prepare personal tax returns in accordance with the needs of the employer and to perform any possible mandatory enforcement procedures.
The Data Controller stores the provided personal data in a written form at its branch office and electronically in its electronic database and online in the database of its websites from their registration until the expiry of employment claims. The mandatory time for securing such data is indicated in the specific applicable law(s). The Data Controller does not transfer the registered data.
It processes the following personal data of clients and contractual partners in accordance with the legal regulations on accounting, value added tax and the procedure of taxation:
name/company name; address/seat; tax number
The purpose of processing the data of clients and contractual partners is to issue invoices for purchases and performances.
The Data Controller stores the provided personal data electronically in its database and online in the database of its websites, furthermore it transfers them to the Data Processor mandated with the preparation of accounting and payroll tasks. It issues invoices of purchases via an online invoicing program. The Data Controller processes the issued invoices with the data content on them until the expiry of the accounting period of the given invoice.
Data processing based on consent [GDPR Article 6 Section 1 paragraph a)
The personal data of employees applying for work at the Data Controller are processed based on consent after having received prior information:
name; birth name; place and date of birth; mother’s maiden name; qualification; address; phone number; e-mail address
Data processing is carried out for the purpose of later employment following selection. The provided personal data are stored in a written form at the branch office of the Data Controllers and in the electronic database of the Data Controller. Data processing is performed from the provision of data until the end of the selection process. Following the end of the selection process and until the revocation of consent it handles the data of candidates until filling vacant positions. The Data Controller does not transfer such data.
Persons enquiring may send messages to the Data Controller using the contact section of the https://anitatoth.com/ website. In such cases, the personal data of enquirers are processed:
name; phone number; e-mail address
The provided personal data are stored in the electronic database of the Data Controller. The personal data provided for the purpose of contact is stored until the purpose of contact is fulfilled but not longer than a maximum of 1 year. The Data Controller does not transfer personal data processed for such purposes.
On the Data Controller’s website https://anitatoth.com/ the data subjects have the opportunity to subscribe to the Data Controller’s newsletter in addition to their voluntary decision based on prior information. In such cases, the following personal data of subscribers is processed:
name; e-mail address
Data subjects can find important information about the Data Controller’s products and services concerning them from the Data Controller’s newsletter. The Data Controller gives the data subjects the opportunity to unsubscribe from the newsletter at any time. The Data Controller stores the personal data of the subjects in the electronic database of its website until they unsubscribe, furthermore it does not transfer such data.
Data processing based on legitimate interest [GDPR Article 6 Section 1 paragraph f)
At its seat and at its production facility (branch office) at HU-6724 Szeged, Pulz utca 46. B. ép. the Data Controller operates an electronic surveillance system capable of recording image and sound (electronic surveillance system) for the purpose of ensuring the safety of persons and assets. People (potential data subjects) entering the premises are warned about the system via short information posters containing pictures and text alike.
In this regard the Data Controller processes the following personal data:
video and sound footage
The footage containing personal data is stored by the Data Controller in its electronic database for 72 hours following recording of such footage. The Data Controller operates the electronic surveillance system exclusively on private property, The Data Controller declares that it does not operate an electronic surveillance system in places where monitoring may violate human dignity, such as, in particular, changing rooms, washrooms and toilets. The Data Controller declares that the footage of image, sound and image and sound recorded during the operation of the electronic surveillance system may only be accessible to the current owner(s) and managing director(s) of the Data Controller. In cases where a person other than the member(s) or the managing director(s) of the Data Controller may view the recordings the reason and time and the name of the person entitled to watch shall be recorded in minutes by the Data Controllers.
The Data Controller declares that it does not transfer such data.
RIGHTS OF DATA SUBJECTS AND THEIR ASSERTION
- a) right of access ~ during the data processing, the data subject is entitled to access all data stored about him/her, and to be informed about the purpose, legal basis, storage and the duration of storage of his/her data. The right to information covers the rectification, erasure and restriction of processing concerning the processed data, and the option to file a complaint to the supervisory authority. Fulfilment of the request of the data subject to exercise his/her rights shall not be denied, unless it may be demonstrated that the data subject shall not be identified. For any further hard-copies requested by the data subject, we may charge a reasonable fee based on administrative costs.
- b) right to rectification ~ the data subject is entitled to ask from the Data Controller to have any of the data subject’s data that may be incorrect or incomplete, rectified.
- c) right to erasure (”right to be forgotten”) ~ Erasing of the data by the Data Controller upon the request of the data subject, but this does not mean a general obligation for the Data Controller. The data subject is entitled to have his/her data to be erased (forgotten), where at least one of the following conditions applies:
(i). the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed;
(ii). the data subject has withdrawn his or her consent to the processing of personal data concerning him or her, and the data processing does not have other legal basis;
(iii). the data subject objects to the processing of personal data concerning him/her, and there is no other prioritized reason for the data processing;
(iv). the data processing was unlawful;
(v). the data needs to be erased under applicable legislative duties of the Data Controller.
Following the termination of the legal basis for the data processing, including the case in which the data subject withdraws his/her consent to the processing of personal data, any personal data processed by the data controller shall be erased within a short period of time.
- d) right to blocking of data ~ Instead of erasure, the Data Controller shall block the personal data upon the data subject’s request, if based on the available evidence it can be assumed that the erasure would infringe the rightful interests of the data subject
Personal data blocked this way shall only be processed until the purpose prohibiting the erasure of the data, stands.
- e) right to restriction of processing ~ if the accuracy, lawfulness, or necessity of processing concerning the personal data is contested by the data subject, or if the data subject objects to the processing of personal data, the data subject is entitled to obtain from the Data Controller restriction of processing, concerning his/her data.
- f) right to obtain a copy of personal data ~ the data subject is entitled to obtain from the data controller a digital copy (pdf, doc, excel, txt) of the personal data undergoing processing, in order for the data to be provided to another data controller.
- g) right to object ~ where personal data are processed for the exercise of rights of the controller or any third parties; and where personal data are processed or forwarded for direct marketing or statistical purposes, scientific or historical research, and in the cases and under the conditions provided for by law, the data subject is entitled to object at any time to the processing of personal data concerning him or her.
The objection shall be without delay, and no later than 15 days
- the objection’s merits be decided, and
- the objector be informed about the decision.
USE OF DATA
It shall be considered use of data if the personal data are used as evidence in a court process or in other processes before an authority.
The person whose rights or rightful interests are concerned by the storing of data, along with proving his/her right or rightful interest, may request within 3 (three) working days from the storing of his/her data, for the data to not be erased or destroyed by the Data Controller. Upon request from a court or other authority, the personal data shall be immediately sent to the requesting court or authority. If no official request arrives within 30 (thirty) days from the day of the request for the data to not be erased or destroyed, the stored picture and/or sound recording, and other personal data shall be erased or otherwise destroyed.
Personal data may only be transferred to third parties with the prior written consent of the data subject.
The Data Controller in order to fulfil its contractual obligations, shall keep contact with the recipients of data transfer specified in chapter I. section 7. The Data Controller in order to fulfil its contractual obligations shall transfer the personal data of the Data Subjects (Customers) to the recipients.
The Data Controller, at the time of- and after concluding the legal relationship relating to data transfer, expects from its data processor partners that during the processing of personal data they shall act in accordance with the provisions of the Info Act, GDPR and the applicable data protection laws and regulations. The recipients of the data transfer shall undertake the principle of data minimisation. The Data Controller shall ask for a separate, express consent of the data subjects in case it plans to transfer data outside the EEA. Both the information given to the data subject and the consent shall cover the exact name and address or company name and seat of the data processor, the transferred data, the exact geographical location of the storage and processing of data.
The Data Controller in order to monitor the lawfulness of the data transfer, and in order to keep the data subjects informed, shall keep a record of the major and high risk data transfers, which shall contain the date of the transfer of the processed personal data, the purpose and recipient of the data transfer, the exact list of the transferred data, and other information about the data processing provided for by law.
ACCESSING THE DATA
Only those persons shall have a right to access the personal data of the Data Subjects processed by Data Controller, who need it for the assertion of their rights. The name of the data controller, or other persons entitled to access the data, the purpose and date of the access shall be registered in a record.
The data shall be protected by adequate means especially against unauthorised access, modification, transfer, disclosure, erasure or destruction and accidental destruction or damage, and against inaccessibility resulting from the change of the technology used for access.
The Data Controller and the Data Processor shall consider the present state of technology at the time of taking actions regarding data security.
The Data Controller has drafted a data breach policy for data breaches, which contains the possibilities of reporting the data breach and the persons responsible for preventing data breaches, and also the relevant deadlines.
The Data Controller shall keep record of all data breaches.
Upon infringement of their rights, the data subjects may contact the Hungarian National Authority for Data Protection and Freedom of Information (seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; telephone: +36 (1) 391-1400, fax: +36 (1) 394-1410, e-mail: firstname.lastname@example.org ) and they are also entitled to enforce their rights before the competent courts.
The Data Controller shall be obliged to repair any and all damages caused by unlawful data processing, or by the violation of the obligation regarding data security. In the event that the Data Controller violates the rights relating to personality of the Data Subject, the Data Subject shall be entitled to claim restitution.
The Data Controller may use any personal data lawfully processed in order to prevent legal disputes between the parties, and also during any meetings, hearings, and official proceedings as well.
- DATA PROCESSING REGARDING DATA CONTROLLER’S WEBSITE
On the Data Controller’s website, all information and content can be accessed without providing any personal data
The website operated by the Data Controller uses so-called cookies:
- Necessary cookies – which serve the base functions (WordPress);
• Functional cookies – which save user preferences (Woocommerce, Cooke banner);
The number of views and other web analytic data regarding the website are being calculated and audited by third-party service providers, like Google Analytics; Google TagManager.
The cookies used on the website store the data subjects’ unique internet protocol address (IP address) – as a personal data.
The Data Controller shall not investigate third-party websites and hereby excludes its liability for any content found thereon.
The purpose of processing the data stored in cookies is the improvement of the user experience and the online services of the website. The cookies used by the website do not store any data which would be able to identify the user (data subject).
In case you wish to know more about these functions or wish to set your cookie preferences, please refer to the instructions or help-desk of your web browser, or you may also freely toggle the cookies of each service providers on the following link (in Hungarian): http://www.youronlinechoices.com/hu/ad-choices. For more information about cookies, see the following link: https://support.google.com/accounts/answer/61416?co=GENIE.Platform%3DDesktop&hl=en
Effective from: November 2020.