DATA PROTECTION AND DATA PROCESSING GUIDELINES
GDPR: General Data Protection Regulation of the European Union.
Data processing: Any operation or set of operations which is performed on personal data or on sets of personal data by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data processor means the natural or legal person or any other body which processes personal data on behalf of the controller.
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier.
Data controller means the natural or legal person or any association not having legal personality, who or which, alone or jointly with others, determines the purposes and means of the processing of personal data, and makes decisions on data management (including the means used for data management) and implements data management or has data management implemented by the data controller.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Third party means a natural or legal person, other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Visitor means a person or persons who visit the website of COWARE.
User refers to any visitor who is properly included in the database of the COWARE website.
The aim of GDPR:
The general aim of the GDPR is to protect the fundamental rights and freedoms of natural persons in relation to processing, and in particular to protect their right to the protection of personal data, and to facilitate the free flow of personal data within the European Union (Article 1). In order for this, the Controller lays down rules relating to the processing of personal data and rules relating to the free movement of personal data, the most important aspect of which is to emphasize the responsibility of the Controller who can be either a private or a public body. The principles of data protection should apply to any information concerning an identified or identifiable natural person. This Document contains the management and processing principles of Customers’ data given by the Customer(s).
The scope of this Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.
The legal basis of processing personal data: voluntary contribution.
In making the regulations of this Document, the company has taken into account Law CXII of 2011 regulations on informational self-determination and the freedom of information as discussed in the Regulation of 2016/679 of the European Parliament and Council (General Data Protection Regulation or GDPR), Law V of 2013 of the Civil Code, furthermore, Law XLVIII of 2008 on the general conditions and limitations of advertising.
Personal data can only be processed if the aim of the data processing cannot be performed by any other reasonable means.
Principles relating to processing data:
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Personal data shall be collected for specified, explicit and legitimate purposes. The purpose of processing personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Personal data shall be accurate and, where necessary, kept up to date. Personal data that are inaccurate must be erased or rectified without delay. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The principles of data protection should apply to any information concerning an identified or identifiable natural person. The employee of an organization who performs data controlling is liable to disciplinary action and has liability against damages, he or she has infringement and criminal liability for lawful processing of personal data. If the employee becomes aware of the fact that the data he or she controls are inaccurate, incomplete or not up-to-date, the employee must correct the data or initiate data correction.
Processing personal data:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.
Lawfulness of processing:
Processing personal data is lawful where one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Completion of a form on a website – Data processing and register with administrative purposes
We provide an opportunity for our partners to register on our website. We store the following data upon registration:
– First name
– Company name
– Postal address (country, city/town, street, house number)
– Business address (country, city/town, street, house number)
– Telephone number
– Tax number and/or VAT registration number
– Bank account number
– Email address
The company may process personal data connected to its operations with administrative and register purposes. Processing data is based on definite, voluntary consent of the data subject after receiving appropriate information on data processing. After providing detailed information, which includes the aim of data processing, information on its legal ground and duration, and the rights of the data subject, the data subject must be informed about the voluntary nature of data processing. Consent to data processing must be recorded in writing.
Data processing for administrative and register purposes has the following aims:
– Data processing of the members and employees of the organisation, which is based on a legal obligation.
– Data processing of persons in any relation to the organisation has contact, accountability and register purposes.
Contact details of other organisations, institutes and businesses that are in a business relationship with the organisation can be contact details of natural persons, and identifying data. Based on the above, data processing is based on legal obligation, and the data subject has explicitly given his or her consent to processing his or her personal data. Compliance with legislation must be ensured in cases of data processing for administrative and register purposes. The user can give his or her consent for data processing by purposefully ticking the empty checkbox given on our website. By accepting data processing, the user explicitly expresses consent for processing data listed above.
Important data processing information:
The duration of data processing always depends on the specific user goals. You can request the deletion of data before the specified time if you know that you are entitled to deletion. Request for deletion of data shall be done by sending an email to firstname.lastname@example.org. You may object to the method of data storage and to processing personal data. In these cases, please see the data processing information listed above, and you have the right to the proceedings according to the legislation detailed above.
The role of these cookies is to improve user experience. For instance, these cookies detect and store the browser you opened the website with, or they store the previously given information and settings: for example, automatic log-in, selected language, other customizable features such as font and font size, or other customizable elements of the website. These cookies do not track any of your activities on other websites. However, there may be personal identification data which you shared in the information they collect. Cookies can be deleted or blocked in the browser you use. Browsers allow the placement of cookies by default. This can be blocked in the settings of the browser, and the already existing cookies can be deleted here also. Furthermore, after the appropriate setting, the browser will send a notification to the user when it sends a cookie to the device. However, it must be noted that blocking or restricting cookies will deteriorate the browsing experience, and an error can occur in the operation of the website.
Conditions for consent of the data subject:
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. (See filling in the form on the website). Processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority.
Responsibility of the controller:
The controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
Rights related to data processing:
Right to request for information:
Any person can request information on what data the organization stores regarding this person, on what basis his or her data are stored, what the purpose of the processing is, from what source the data are, and for how long the data will be processed. Information on the issues above shall be sent to the given contact address promptly or no longer than 15 days. Please contact us at email@example.com for more information.
Right to rectification:
Any person can request the rectification of any of his or her data. This must be carried out promptly or no longer than 15 days and information must be sent to the given contact address. Please contact us at firstname.lastname@example.org for rectification.
Right to erasure:
Any person can request the erasure of any of his or her data provided he or she has no contractual relation to the data controller. This must be carried out promptly or no longer than 15 days and information must be sent to the given contact address. Please contact us at email@example.com for erasure.
Security of personal data:
Personal data must be protected by appropriate measures especially against unauthorized access, alteration, transfer, unauthorized disclosure thereof, erasure, destruction, accidental destruction or damage or against impossibility to access the personal data due to the change of the applied technology. The appropriate technical solutions must be provided in order to protect electronically handled datasets in registers so that these data stored in registers cannot be linked directly to the data subjects. The data processing solution which provides the highest protection of personal data shall be selected if more data processing solutions are available except when this causes disproportionate difficulty for the data processor.
Personal data breach:
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.
Law enforcement regarding data processing:
National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Mailbox: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone number: +36 (1) 391-1400
E-mail address: firstname.lastname@example.org
In the event of violation of the rights of the data subject in relation to data protection, the data importer may bring the matter before the Court of Justice against the data controller. The Court shall give the case priority. The person concerned may file a lawsuit at the Court where that person resides.
Laws on which data processing is based:
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
Act LXVI of 1995 on public documents, public archives and the protection of private archives
Government decree 335/2005 (XII. 29.) on general requirements of document management of public bodies
Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
Act C of 2003 on electronic communications
Storage method of data: electronic and paper-based. Providing the personal data which we request (name, telephone number, email address) is essential for keeping contact. We need further data in case of orders or issuing invoices. Invoices our company issues contain the following mandatory information regarding private persons and self-employed persons, in accordance with Paragraph 169 of Law No. CXXVII of 2007 on value added tax: name, address, tax number of customer (in case of a foreign customer: VAT registration number) and bank account number. Methods of payment can be bank transfer, cash or non-cash means of payment. Invoices can be stored electronically and paper-based.