PRIVACY NOTICE OF DOCKYARD ISLANDS KFT. (LLC)
TERMS USED IN THIS NOTICE
The terms used in this Notice are consistent with the terms defined by Act CXII of 2011 on Informational Self-Determination and Freedom of Information and GDPR respectively, and their interpretation. The Policy uses the following terms as defined in Article 4 of the GDPR:
'Personal data': any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
'Data processing': means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
'Restriction of data processing': the marking of stored personal data with the aim of limiting their processing in the future.
'Controller': the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
'Processor': means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
'Recipient': a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
'Third party': a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
'Consent of the data subject': any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
'Supervisory authority': means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
'Personal data breach': a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
The Company manages personal data according to the following principles:
- The company will process personal data lawfully, fairly and in a transparent manner in relation to the data subject. To this end, through the Privacy notice and the ad hoc privacy notice attached to other documents, the Company will communicate to its clients and employees the privacy policies applied with respect to its business and internal proceedings. ('the principle of lawfulness, fairness and transparency')
- Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. ('the principle of purpose limitation')
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. ('the principle of data minimisation')
- Personal data shall be accurate and kept up to date through the entire workflow process, to this end the Company will take every reasonable step to ensure that personal data that are inaccurate are rectified or, if necessary, erased without delay. ('the principle of accuracy')
- The Company will process personal data only to the extent necessary for the realization of the purposes, or for as long as the relevant legal basis is in place, except where further processing is required by law. ('the principle of storage limitation')
- The Company will process personal data in a manner that ensures appropriate security of the personal data for the protection against personal data breaches, using appropriate technical or organisational measures. ('the principle of integrity and confidentiality')
- The Company shall be responsible for, and be able to demonstrate that its privacy policy and data processing practices based thereon are in compliance with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information, and GDPR. ('the principle of accountability')
LEGAL BASIS FOR THE COMPANY'S DATA PROCESSING PRACTICES
The legal basis for the company’s data processing practices is as follows:
- The data subject has freely given explicit consent.
- Data processing is based on a legal provision.
- Data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. In these cases, the Company shall always perform the necessary risk analysis, and decide on the matter of data processing accordingly.
ENFORCEMENT OF THE DATA SUBJECT'S RIGHTS
The Company shall take appropriate measures to provide the data subject with thorough and comprehensible information regarding all relevant circumstances relating to the processing of his or her personal data, particularly the following information:
- the name and contact details of the Company’s administrator,
- the purposes of the processing for which the personal data are intended, as well as the legal basis for their processing,
- if the legal basis is the consent of the data subject, their consent must be obtained; if the legal basis is a legal provision, it must be communicated to the data subject; and if the legal basis is the legitimate interest of the controller or of a third party, the data subject must be informed on this matter,
- the recipients of the personal data to whom the personal data have been disclosed,
- the duration of the processing of personal data,
- their rights regarding the processing of personal data and the means of redress open to them,
- where personal data have not been obtained by the Company from the data subject, in addition to the information referred to in the paragraph above, the Company shall disclose to the data subject from which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
If the personal data have been obtained from the data subject, the Company shall provide the information at the beginning of data collection. If the personal data have been obtained from another source, the Company shall provide the information within a reasonable period after obtaining the personal data – but at the latest within one month –, or at the latest at the time of the first communication to that data subject. (‘the data subject’s right to information’)
The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, what the purposes of processing are in that specific phase. Furthermore, the data subject has the right to be provided with information regarding any matter on which he or she is informed by the Company at the beginning of data processing. (‘right of access by the data subject’)
The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her, at his or her request, or upon discovery. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (‘right to rectification’)
The Company shall have the obligation to erase personal data concerning the data subject without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were processed, or the legal basis for the processing is no longer in place,
- the personal data have been unlawfully processed. (‘the data subject’s right to erasure – to be forgotten’)
At the request of the data subject, the Company shall restrict the processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
Where any personal data processing by the Company has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. (‘the data subject’s right to restriction of processing’)
The Company shall communicate any rectification or erasure of personal data or restriction of processing it carried out, to each recipient to whom the personal data have been disclosed, in order to allow the recipients to take the necessary measures regarding the data.
At their request, the Company will ensure that the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format, and also at their request, shall have the right to transmit those data to another data controller designated by the data subject. (‘the data subject’s right to data portability’)
Where personal data are processed for direct marketing purposes, the Company will ensure – where applicable – that data subject shall have the right to object to processing of personal data concerning him or her for such marketing. In this case, personal data may no longer be processed for such purposes. (‘the data subject’s right to object’)
The data subject shall have the right to lodge a complaint with a Supervisory Authority regarding the personal data processing carried out by the Company, concerning him or her, or the right to an effective judicial remedy against the Company or their data processor, where he or she considers that the processing of personal data relating to him or her infringes the provisions of the data protection regulations.
If judicial proceedings are instituted, the court proceeds expeditiously and alternatively, such proceedings may be brought before the courts according to the place of residence or habitual residence.
The Supervisory Authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság
(Hungarian National Authority for Data Protection and Freedom of Information)
1125. Budapest, Szilágyi Erzsébet fasor 22/C.
Telephone: +36 1 391 1400
Fax: +36 1 391 1410
Website: naih.hu
The Company shall take actions in connection with the request of the data subject concerning the personal data processing as follows:
- as a general rule, the Company shall inform the data subject on the actions taken based on the request within one month from the receipt of request,
- if it is justified by the complexity of the request or the large number of requests, the deadline may be extended by two months,
- if the data subject submitted the request electronically, the Company shall respond electronically, unless otherwise requested by the data subject,
- in the response, the Company shall draw the attention of the data subject to the available legal remedies,
- if the Company has reasonable doubt concerning the identity of the person submitting the request, it may ask for further information to confirm their identity,
- the Company provides the actions taken at the request of the data subject free of charge; however, if the request of the data subject is obviously unfounded or repeated several times, the Company may charge an administration fee or may refuse to take actions based on the request.
DATA PROCESSING CONCERNING THE WEBSITE OF THE COMPANY
The Company uses short data files (cookies) on its website that are placed on the user’s computer by the website. The Company shall provide information on use of the cookies on the website under the PRIVACY POLICY section, and will install them on the Website visitor’s computer only with the explicit consent given by selecting the OK button.
On the Company’s website you may subscribe to the Newsletter.
The personal data processed under this section:
- last name of the subscriber,
- first name of the subscriber,
- e-mail address of the subscriber.
The purpose of data processing: communication with the subscriber for marketing purposes.
Legal basis for the data processing: the freely given explicit consent of the data subject.
Recipients of the data processing: the Company’s marketing specialists and the operator of the Website administrator.
Duration of data processing: until the subscriber’s consent is withdrawn.
Under the Contact section of the Company’s website, the visitors may send messages to the company.
The personal data processed under this section:
- name of the sender,
- e-mail address of the sender,
- phone number of the subscriber,
- personal data contained in the message.
The purpose of data processing: contact for marketing purposes.
Legal basis for the data processing: the freely given explicit consent of the sender.
Recipients of the data processing: the Company’s employee responsible for responding to the message content.
Duration of data processing: until the message has been fully responded to, or until the consent to data processing is withdrawn.
The Company operates a Web shop on its Website.
The personal data processed under this section:
- last name,
- first name,
- address,
- e-mail address,
- phone number.
The billing name, address, telephone number, e-mail address may differ from the shipping name, address, telephone number, and e-mail address.
The purpose of data processing: completion of purchase.
Legal basis for the data processing: data processing is necessary for fulfilling the contract entered into by the data subject.
Recipients of the data processing: the employees administrating the Web shop; in case of shipping, the delivery company which carries out the shipping; as well as the Company’s employee in charge of accounting, tax administration.
Duration of data processing: with regard to the customer account and the loyalty program, until their termination, with regard to the purchase, until the deadline established by the Civil Code, and with regard to the accounting data, for 8 years from the purchase.
In order to advertise, promote and support its professional activity, the Company is present on Facebook. The personal data disclosed by the page visitors are not processed by the Company. The visitors are subject to the Privacy Policy and Terms and Services of the social media site.
In the event of disclosure of unlawful or harmful content, the Company may exclude the visitor from the website without prior warning or notice, or may cancel their entry.
The Company does not take responsibility for data content and comments in breach of the law that have been published by the users of the social media site. Furthermore, the Company does not take responsibility for any error resulting from the operation of the social media site or problems resulting from the operation of the system.
DATA PROCESSING CONCERNING JOB APPLICANTS
Acting to this end, the Company shall process the personal data of job applicants who are natural persons.
The processed personal data:
- name of the natural person,
- name at birth,
- date of birth,
- place of birth,
- mother’s maiden name,
- permanent address,
- phone number,
- personal data relevant to the job application.
The purpose of data processing: application, application evaluation.
Legal basis for the data processing: the freely given explicit consent of the data subject.
Recipients of the data processing: the Company’s manager responsible for exercising employer’s rights.
Duration of data processing: until the evaluation of the application. The personal data of applicants not selected shall be erased and the same shall apply to the personal data of any applicant who withdraws their application during the application period.
After the application period ends and after the results have been published, the Company may process the personal data of the applicants only with their freely given and explicit consent. The Company shall ask for the consent in a notice sent on the closure of the application procedure, giving a reasonable deadline for the response. The reasonable period of further processing shall be specified in this notice. If the data subject does not respond to the letter or does not give consent to the further processing, the Company shall erase their personal data.
PROCESSING PERSONAL DATA CONCERNING INDIVIDUALS, SOLE PROPRIETORSHIPS IN A CLIENT RELATIONSHIP WITH THE COMPANY, CONTAINED IN CONTRACTS, BUSINESS CORRESPONDENCE
If a formal contract is entered into, or an invoice is issued:
The processed personal data:
- the name of the individual or sole proprietorship
- the address of the individual, or the registered address of the sole proprietorship
- the tax identification number of the sole proprietorship,
- the registration number of the sole proprietorship,
- the contract price,
- the bank account number.
The purpose of data processing: entering into and fulfilling the contract.
Legal basis for the data processing: the applicable provisions of the Civil Code.
Recipients of the data processing: the Company’s managing director and the employee in charge of accounting, tax administration.
The Company shall pay particular attention to ensuring that the personal data processed accordingly are not included in any communication with third parties, for business or other purposes.
The cash register receipt does not contain any personal data.
Duration of personal data processing: 5 years from the termination of the contractual relationship, 8 years for the accounting data.
PROCESSING PERSONAL DATA CONCERNING NATURAL PERSON REPRESENTATIVES OF LEGAL PERSON CLIENTS IN A CONTRACTUAL RELATIONSHIP WITH THE COMPANY, CONTAINED IN CONTRACTS, BUSINESS CORRESPONDENCE
The processed personal data:
- name, job title of the natural person,
- phone number,
- e-mail address.
The purpose of data processing: entering into and fulfilling the contract between the Company and its legal person clients, a smooth business relationship.
Legal basis for the data processing: the applicable provisions of the Civil Code.
Recipients of the data processing: the Company’s managing director and, with regard to the concluded contract, the employee in charge of accounting, tax administration as well.
The Company shall pay particular attention to ensuring that the personal data processed accordingly are not included in any communication with third parties, for business or other purposes.
Duration of personal data processing: 5 years from the termination of the contractual relationship, or of the natural person's right of representation, 8 years for the accounting data.
DATA PROCESSORS ENTRUSTED BY THE COMPANY
The Company’s IT service provider:
Hunet Kft. (LLC), 1145 Budapest, Varsó u. no. 31.
The Company's web hosting service provider:
RackForest Kft.
Victor Hugo utca 11. 5. em. B05001. a.
1132 Budapest
Tax number: 14671858-2-41 EU tax number: HU14671858
Company registration number: 01-09-914549
The delivery company employed by the Company:
GLS General Logistics Systems Hungary Kft. (LLC), 2351 Alsónémedi, Európa u. no. 2.
The Company transmits to the delivery company only the most important personal data necessary for shipping.
The personal data transmitted:
- shipping name,
- shipping address,
- shipping e-mail address,
- shipping phone number.
The purpose of data processing: fulfilling shipping.
The purpose of data processing: entering into and fulfilling the contract between the Company and its legal person clients, a smooth business relationship.
Legal basis for the data processing: the applicable provisions of the contract concluded with the client.
Recipients of the data processing: the delivery company.
Duration of the data processing: until the completion of delivery.
Budapest, 2018.05.25.