1. Preamble
The purpose of these Regulations is to record the BORETTWINE Agency Limited Liability Company (1141 Budapest, Gödöllői u. 173., tax number: 32229512-2-42., representative: Crab Mária Antoanett, registration authority: Capital City Court of Companies, which operates the website www.borett.com , company registration number: 01-09-413147, e-mail address: privacy@borett.com, phone: +36 70 269 1286) (hereinafter: Data Controller or Operator ) and the data protection and data management policy of the Operator.
This data management information is only valid for the website www.borett.com, it cannot be used by third parties in the case of websites, even if these websites are directly accessible from the www.borett.com website .
The Operator pays particular attention to the fact that during its data management, Act V of 2013 on the Civil Code and Act CXII of 2011 on the right to informational self-determination and freedom of information are in your interest. law, REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection decree), CXIX of 1995. Act – on the handling of name and address data for the purpose of research and direct business acquisition (“Research TV”) and other applicable data protection legislation, as well as the data protection practices developed during the activities of the data protection commissioner.
The website does not create an independent database or profile.
Our company does not forward your personal data to third countries or international organizations.
2. Definitions, abbreviations
Infotv.: Act CXII of 2011 on information self-determination and freedom of information;
Data manager: the natural or legal person or organization without legal personality who, independently or together with others, determines the purpose of data management, makes and implements decisions regarding data management (including the tool used), or has them implemented with the data processor;
Data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, systematization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or making accessible in any other way by item, coordination or connection, restriction, deletion or destruction; GDPR)
Personal data: data that can be associated with the data subject – in particular the data subject’s name, identification mark, and one or more pieces of information characteristic of the data subject’s physical, physiological, mental, economic, cultural or social identity, as well as the conclusion about the data subject that can be drawn from the data; “personal data”: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable (GDPR)
Operator: the natural or legal person or organization without legal personality who, independently or together with others, determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or has them implemented by the data processor;
Special data:
a) personal data relating to racial origin, nationality, political opinion or party affiliation, religious or other worldview convictions, interest-representative organization membership, sexual orientation,
b) personal data relating to health status, pathological addiction, as well as criminal personal data.
Data subject: a natural person identified or identifiable on the basis of any information;
Third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data manager, the data processor or the persons who have been authorized to handle personal data under the direct control of the data manager or data processor;
Profiling : any form of automated processing of personal data in which the data controller assigns personal data to a natural person to evaluate certain personal characteristics, in particular characteristics related to work performance, economic situation, health status, personal preferences, interests, reliability, behavior, location or movement used to analyze or predict;
Data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled; (GDPR)
IP address: the IP address is a sequence of numbers with which the computers and mobile devices of users accessing the Internet can be clearly identified. IP addresses can even be used to locate the visitor using a given computer geographically. The address of the pages visited, as well as the date and time data, are not suitable for the identification of the data subject by themselves, however, when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.
Principles for handling personal data
– legality, fair procedure and transparency,
– goal boundness,
– data saving,
– accuracy,
– limited storage capacity,
– integrity and confidentiality,
– the accountability of the data controller.
3. Methods of data management
3.1. By visiting the borett.com website operated by the Operator, you provide us with “personal identification data” (name, e-mail address).
During the maintenance of the Internet connection, technical data related to the browser used by the visitor, Internet protocol address (IP address), domain name (URL), the time of the visit, and the viewed pages are automatically generated in the provider’s computer system. The Operator uses them exclusively for the analysis and collection of statistical information related to the website and stores them for a maximum of 60 days .
During visits to the borett.com site, the visitor receives one or more cookies – i.e. a file containing a series of characters – on his computer, if you expressly consent to the use of cookies by pressing the allow cookies button. Through this, the browser of the visitor’s computer will be uniquely identifiable .
Used cookies : Analytics, tracking cookies ; Tracking via website; Login, user ID session cookie .
The “Help” function in the menu bar of most browsers provides information on how to disable cookies in your browser , how to accept new cookies , or how to instruct your browser to set a new cookie , or how to disable other cookies .
The Operator uses the Google Analytics program, the web analysis service of Google Inc. (“Google”). Google Analytics also works with the use of cookies , text files that are stored on your computer and make it possible to have this checked by an IT specialist to analyze your use. The information created by the cookies , recording the use of the website by the Customer, is usually transferred to a Google server in the USA and stored there. Google uses this information to evaluate the use of the website by the Customer, to generate reports on page activity and to provide additional services to the Operator of borett.com in connection with the use of the website.
The storage of cookies by setting your browser accordingly.
In addition, you can prevent the transmission and processing of the data (e.g. IP address) created by the cookie and recording the use of your website to Google by downloading and installing the browser utility ( plugin ) from the following link: http://tools. google.com/dlpage/gaoptout?hl=de .
4. Purpose, legal basis, scope and duration of data management
Purpose of data management: contact with customers. Typically, contact is made with non-natural persons as customers, but the data of the contact persons of legal entities may also be the subject of data management.
4.1. Legal basis for data management
The legal basis for data management is established by paragraphs a, b, c, f) of Article 6 (1) of the GDPR, i.e. data management takes place on the basis of the Customer’s voluntary declaration and consent based on adequate information, which declaration contains the Customer’s express consent to the fact that the the personal data provided during the use of the website are used (GDPR Article 6 (1) a.), furthermore, the data management is necessary for the performance of a contract in which the Customer is a party (GDPR Article 6 (1) b) and the data management applies to the Operator necessary to fulfill a legal obligation (GDPR Article 6 (1) c.) (e.g. obtaining data required for invoicing).
The Customer is entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.
If the personal data of the non-natural person contracting partner an employee’s, then the contractual partner will forward the personal data to the Operator to the extent necessary for maintaining contact. In such cases, the employer (the contractual partner) acquires based on Article 6 (1) (b) of the GDPR and Section 10 (1) of Act I of 2012 on the Labor Code (hereinafter: “Mt.”) and manages the personal data, while the Operator, according to Article 6 (1) (f) of the GDPR, takes over and manages the personal data to the extent and for the time necessary for the purpose in the legitimate interests of its contractual partner.
In case of reference to Article 6 (1) (f) of the GDPR, it is important to demonstrate ( balance of interests test) whether the enforcement of the legitimate interest of the third party has an advantage compared to the employee’s right to dispose of the employee’s personal data in the given case, and the employee’s job whether it is a necessary and proportionate restriction for his care. According to Hungarian regulations, the data of company representatives are public data for the purpose of business contacts in the public interest, as they are included in various public databases based on legislation.
4.2. Scope of data management
In the case of the above purposes, data processing is carried out only to the extent and for the time necessary to achieve the purpose, and only with the personal data that is absolutely necessary for the realization of the purpose of data management and is otherwise suitable for achieving the purpose.
By accepting these regulations during contact, the Customer agrees to have his data handled and used by the Operator.
The Operator does not disclose the data it has become aware of to third parties. Personal data may only be forwarded in the case of such a provision of the relevant laws or the consent of the data subject, to the extent specified therein.
The data is transferred to Hostinger International Ltd. (Headquarters: 61 Lordou Vironous str ., 6023 Larnaca , Cyprus , Website: https://www.hostinger.com/ , Contact: support@hostinger.com), which may use additional data processors to provide background IT services.
The hosting provider complies with the PCI DSS data security standard, the pages registered here have an SSL certificate .
4.3. Duration of data management
The Operator will process the personal data provided at the time of contact until you withdraw your consent to data management at the time of contact.
is stored by the system for 6 months from the date of logging, with the exception of the date of the last visit, which is automatically overwritten .
contract or agreement is concluded between the Data Controller and the Customer after the data processing prior to the conclusion of the contract , the Data Controller will delete the message( s ) after the communication is closed.
If a contract or agreement of any kind is established between the Data Controller and the Customer, the Data Controller may process personal data obtained during communication in connection with the given contract, up to the expiration of the limitation period (5 years after performance).
The above provisions do not affect the fulfillment of the retention obligations specified in the legislation (e.g. in accounting legislation: Pursuant to § 169 (2) of Act C of 2000 on accounting, the Data Controller handles personal data for 8 years from the date of issue), as well as in other ways data processing based on additional consents given.
4.4. Responsibility for providing data
The Operator does not check the personal data provided to him. The person providing the data is solely responsible for the adequacy of the data provided. When the Customer provides his e-mail address, he also assumes responsibility for the fact that only he uses the service from the specified e-mail address. In view of this responsibility, any responsibility related to logins and logins at a specified e-mail address rests solely with the Customer who provided the e-mail address.
4.5. Recipients of data transfer, details and contact information of data processors
We may share information about you with:
a) With our collaborators used in order to fulfill our contracts; contributors (including our contractual partners) are subject to a contractual obligation to treat the data confidentially and securely, and are prohibited from using the data for any purpose other than providing the services provided.
b) In the event that we deem it necessary or appropriate: (a) pursuant to applicable laws; (b) based on legal requirements, including legal proceedings initiated by public administrative or governmental authorities; (c) to enforce our contractual terms and conditions; or (d) to enable you to pursue legal remedies available to you or to limit the damages we suffer.
5. Exercising the Customer’s rights, handling complaints
The Customer may request from the data controller access to the personal data relating to him, their correction, deletion or limitation of processing, and may object to the processing of such personal data, as well as the right to data portability.
5.1. Customer’s right of access
The Customer is entitled to receive feedback from the data controller as to whether his personal data is being processed, and if such data is being processed, he is entitled to access the personal data and the information specified in Article 15 of the GDPR (e.g. purposes of data management; categories of recipients or recipients to whom the personal data has been or will be communicated, if applicable, the criteria for determining this period of time may request from the data controller the correction, deletion or restriction of processing of personal data and may object to the processing of such personal data; the right to submit a complaint to a supervisory authority).
The data controller shall respond to the Customer’s request without undue delay, but within one month at the latest, and if the data controller does not comply with any of the Customer’s requests, it must provide reasons. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If the data subject submitted the request electronically, the information must be provided electronically, if possible, unless the data subject requests otherwise.
If the data controller does not take measures following the data subject’s request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the data subject may file a complaint with a supervisory authority and exercise his right to judicial redress.
The data controller provides the Customer with a copy of the personal data that is the subject of data management. For additional copies requested by the Customer, the data controller may charge a reasonable fee based on administrative costs.
5.2. Right to rectification
You have the right to request the correction of your incorrectly recorded data at any time. You can initiate the correction of incorrect data with the Operator at the e-mail address maria.crab@borett.com .
5.3. The right to erasure (“the right to be forgotten”)
You have the right to request that the data manager delete your personal data without undue delay, and the data manager is obliged to delete your personal data without undue delay if:
- a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
- b) You withdraw your consent, which is the basis of the data management, and there is no other legal basis for the data management;
- c) You object to the processing of your data and there is no overriding legal reason for data processing,
- d) personal data were handled unlawfully;
- e) personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller.
Deletion can be initiated by sending a request to the Operator via e-mail to maria.crab@borett.com .
5.4. You can object to the processing of your personal data ,
- a) if the processing or transmission of personal data is necessary solely for the fulfillment of the legal obligation of the data controller or for the enforcement of the legitimate interests of the data controller, data receiver or third party, except in the case of mandatory data processing;
- b) if personal data is used or forwarded for the purpose of direct business acquisition, public opinion polls or scientific research; as well as
- c) in other cases defined by law.
The data controller examines the objection as soon as possible, but no later than 15 days after the submission of the application, makes a decision on its validity, and informs the applicant of his decision in writing. (Info TV.)
The data subject has the right to object at any time to the processing of his personal data based on points e) or f) of Article 6 (1) of the GDPR, including profiling based on the aforementioned provisions, for reasons related to his own situation. In this case, the data controller may not process the personal data further, unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedom of the data subject, or that are necessary for the presentation, enforcement or defense of legal claims. ( GDPR)
5.5. The right to restrict data processing
You have the right to have the data controller restrict data processing at your request if one of the following is true:
- a) You dispute the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to check the accuracy of the personal data;
- b) the data management is illegal and you object to the deletion of the data and instead request the restriction of its use;
- c) the data controller no longer needs the personal data for the purpose of data management, but you require them to submit, enforce or defend legal claims; or
- d) You objected to data processing; in this case, the limitation applies to the period until it is established whether the legitimate reasons of the data controller take precedence over your legitimate reasons.
5.6. The right to data portability
You have the right to receive the personal data about you that you have provided to a data controller in a segmented, widely used, machine-readable format, and you have the right to transmit this data to another data controller without being hindered by the data controller whose provided the personal data to you if the data processing is based on your consent or a contract and the data processing takes place in an automated manner.
5.7. Complaint handling:
If you do not agree with the Operator’s decision, or if the Operator misses the deadline, you can go to court within 30 days of the communication of the decision or the last day of the deadline. The adjudication of the lawsuit falls under the jurisdiction of the county court where the data controller is based, or the Capital Court in the capital (hereinafter: together: county court). According to your choice, the lawsuit can also be initiated in the county court of your place of residence or residence.
You can file a complaint with the National Data Protection and Freedom of Information Authority regarding the Operator’s data management You can file a complaint with the National Data Protection and Freedom of Information Authority regarding the data management of the Data Controller (Head office: 1125 Budapest Szilágyi Erzsébet fasor 22/c, Postal address: 1530 Budapest, Pf.: 5., Phone: +36 (1) 391-1400, E-mail: ugyfelszolgalat@naih.hu).
If the data controller causes damage to others by unlawfully handling the data subject’s data or by violating data security requirements, he is obliged to compensate them. If the data controller violates the data subject’s right to privacy by illegally handling the data subject’s data or violating data security requirements, the data subject may demand damages from the data controller.
6. Data security, data protection incident
The Operator electronically stores personal data generated during contact on its own server.
The Operator strives to implement the safe handling of data with particular care, and therefore takes the technical and organizational measures necessary to enforce the data and privacy protection rules. The Operator strives to protect the data in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage.
6.1 Built-in and default data protection
The data controller takes into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data processing, as well as the variable probability and severity of the risk posed to the rights and freedoms of natural persons, both when determining the method of data processing, and during data processing implements appropriate technical and organizational measures – for example, pseudonymisation – which aim, on the one hand, to effectively implement data protection principles, such as data saving, and on the other hand, to incorporate the guarantees necessary to meet the requirements of the GDPR and protect the rights of the data subjects into the data management process.
The data controller implements appropriate technical and organizational measures to ensure that, by default, only such personal data as are necessary for the given specific data management purpose are processed . This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. In particular, these measures must ensure that personal data cannot by default become accessible to an indefinite number of persons without the intervention of the natural person.
6.2 Data protection incident:
As soon as the data controller becomes aware of the data protection incident, he must report it to the competent supervisory authority without undue delay, and if possible, no later than 72 hours after he became aware of the data protection incident, unless he can prove in accordance with the principle of accountability that the a data protection incident probably does not pose a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, the reason for the delay must be indicated, and the required information can be provided in detail without further undue delay.
The data controller will inform the Customer without undue delay if the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, so that he can take the necessary precautions. The information must include a description of the nature of the data protection incident, as well as suggestions for the affected natural person aimed at mitigating possible adverse effects. The information of the affected parties must be ensured as soon as possible within the framework of reasonableness, in close cooperation with the supervisory authority and following the instructions given by it or other relevant authorities, such as law enforcement authorities.
7. Other rules
7.1. The data is processed on the one hand with IT tools, and on the other with the use of a data processor. In all other matters related to data management and data protection, Infotv . and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC ( provisions of the General Data Protection Regulation) are applicable.
7.2. BORETTWINE LLC is entitled to amend this Information Sheet. In this case, the Operator will publish the updated version on the website.