
5.2. OTHER DATA PROCESSING BY THE CONTROLLER
from Privacy Notice
5.2.1. E-mail service
Galvanize Nutrition Ltd. provides an e-mail service for its customers. The mail traffic (letters, attachments, log files) is stored on the servers of the data processor of Galvanize Nutrition Ltd., the Web Hosting Provider indicated in section 5.1.
The purpose of the processing: the smooth operation of the email service. Legal basis for processing: consent of registered customers.
Data processed: letters, attachments, log files. Duration of data processing: 5 years
5.2.2. Client register
The data of registered customers and partners are recorded in the company's unique system. Purpose of data management: to fulfil the order requests of customers and partners, communication.
Scope of data processed: customer's name, e-mail address, telephone number, address, shopping habits.
Legal basis for processing: user's consent.
Data retention period: until the deletion of contact data at the request of the data subject; in the case of accounting documents and other invoicing-related cases, 8 years in accordance with Section 169 (2) of the Act on Accounting.
Persons entitled to access the data: the controller and processors
The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.
Data storage method: electronic.
5.2.3. Data transmission
By accepting this Privacy Notice, the Data Subject expressly consents to the transfer of his or her personal data to the recipients as data processors specified below:
Data range: name, telephone number, e-mail address, address, ...
Data source: data collected directly from the data subject.
Legal basis for processing: consent of the user.
Time limit for data storage: until the contact details are deleted at the request of the data subject.
Persons entitled to access the data: the controller and processors
Recipient of the transfer: the set of data processors set out in point 2.1.
The data protection obligations applicable to natural or legal persons or unincorporated organisations carrying out data processing activities on behalf of the company are set out in the contract of engagement with the data processor.
Data storage method: electronic.
6. CONTACT
How to contact the Data Controller
If you wish to contact us, you can reach the controller using the contact details provided in this Notice, or find more information on the official website (https://puregoldprotein.com/hu).
The Data Controller deletes all e-mails received by it, together with the sender's name, email address, date, time and other personal data provided in the message, after a maximum of five years from the date of the communication.
7. OTHER DATA PROCESSING
We inform our Customers that, based on legal obligations, the court, the prosecutor, the investigating authority, the administrative authority as an authority for administrative offences, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents.
The Data Controller shall disclose to public authorities, where the public authority has indicated the precise purpose and scope of the data, only such personal data as are strictly necessary for the purpose of the request and to the extent strictly necessary for the purpose of the request.
8. HOW THE PERSONAL DATA IS STORED, THE SECURITY OF DATA PROCESSING
The Data Controller's electronic information systems and other data storage locations shall be and its data processors.
The Data Controller shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the processed data: a) is accessible to authorised persons (availability); b) is authentic and verifiable (authenticity of processing); c) can be verified to be unchanged (data integrity); d) is protected against unauthorised access (data confidentiality).
The Data Controller shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction, damage or loss, and inaccessibility resulting from technical changes in the technology used.
The Data Controller shall ensure, by appropriate technical means, that the data stored cannot be directly linked and attributed to the data subject, except where permitted by law, in order to protect the data files managed electronically in its various registers.
The Data Controller shall ensure the security of data processing by means of technical and organisational measures, taking into account the state of the art, which provide a level of protection appropriate to the risks associated with the processing.
The Data Controller shall preserve during the processing: a) confidentiality: it protects information so that only those who are entitled to it have access to it; b) integrity: it protects the accuracy and completeness of the information and the method of processing; c) availability: it ensures that when the authorised user needs it, he or she can actually access the information and the tools to do so are available.
The Data Controller and its partners' IT systems and networks are protected against computer fraud, espionage, sabotage, vandalism, fire and flooding, computer viruses, computer intrusions and denial of service by computer security procedures.
We inform users that electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or the disclosure or modification of information. The controller will take all reasonable precautions to protect against such threats. Systems are monitored to ensure that any security discrepancies are recorded and evidence of any security incidents is provided. System monitoring also allows the effectiveness of the security measures in place to be verified.
9. RIGHTS OF DATA SUBJECTS
The data subject may request information on the processing of his or her personal data, and may request the rectification, erasure or withdrawal of his or her personal data, except for mandatory data processing, and may exercise his or her right to data portability and objection in the manner indicated when the data were collected, or by contacting the controller at the above contact details.
Right to information:
The controller shall take appropriate measures to ensure that all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data is provided to data subjects in a concise and transparent manner, in an understandable and easily accessible form, clearly and concisely presented.
The right to obtain information can be exercised in writing via the contact details indicated in the Introduction or in point 3. Upon request, the data subject may also be provided with information orally, after proof of his or her identity.
The data subject's right of access (Article 15 GDPR):
The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; the envisaged period of storage of the personal data; the right to rectification, erasure or restriction of processing and the right to object; the right to lodge a complaint with a supervisory authority; information on the data sources; the fact of automated processing, including profiling, and clear information on the logic used and the significance of such processing and the likely consequences for the data subject. In the case of transfers of personal data to third countries or international organisations, the data subject is entitled to be informed of the appropriate safeguards for the transfer.
The Data Controller shall provide the data subject with a copy of the personal data processed free of charge upon request. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Controller shall provide the information in electronic form. The controller shall provide the information within a maximum of one month from the date of the request.
Right to rectification (Article 16 GDPR):
The data subject may request that the Controller correct inaccurate personal data relating to him or her that it processes, and complete incomplete data.
Right to erasure (Article 17 GDPR):
If one of the following applies, the data subject is entitled to have the controller, at his or her request, delete personal data relating to him or her without undue delay:
• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
• the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing
• the personal data have been unlawfully processed
• the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject
• the personal data were collected in connection with the provision of information society services.
The erasure of data may not be initiated if the processing is necessary: for the exercise of the right to freedom of expression and information, for compliance with an obligation under Union or Member State law that requires the controller to process personal data, or for reasons of public interest, or for the establishment, exercise or defence of legal claims.
Right to restriction of processing (Article 18 GDPR):
At the request of the data subject, the Data Controller shall restrict processing if one of the following conditions is met:
• the data subject contests the accuracy of the personal data, in which case the restriction applies for a period of time which allows the accuracy of the personal data to be verified
• the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
• the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
• the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
Where processing is restricted, personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
The controller shall inform the data subject in advance of the lifting of the restriction on processing.
Right to data portability (Article 20 GDPR):
The data subject has the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit such data to another controller.
Right to object (Article 21 GDPR):
The data subject shall have the right to object at any time to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. In the event of an objection, the controller may no longer process the personal data, unless it is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.
Automated decision-making in individual cases, including profiling (Article 22 GDPR):
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The above right shall not apply where the processing is:
• necessary for the conclusion or performance of a contract between the data subject and the controller;
• permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
• based on the explicit consent of the data subject.
Right of withdrawal (Article 7(3) GDPR):
The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
10. PROCEDURAL RULES
Without undue delay and in any event within one month of the request being made, the controller shall inform the data subject of the request and of the action taken in response to it pursuant to Articles 15 to 22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months.
The data controller shall inform the data subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay. Where the data subject has made the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.
If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.
The Data Controller shall provide the requested information and data free of charge. Where the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller may, taking into account the administrative costs of providing the information requested or of taking the action requested, charge a reasonable fee or refuse to act on the request.
The controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort.
The controller shall inform the data subject of these recipients at his or her request.
The data controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in electronic format unless the data subject requests otherwise.
11. COMPENSATION AND DAMAGES
Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Data Protection Regulation shall be entitled to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for damage caused by its processing only if it has failed to comply with obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller.
Where several controllers or several processors or both controller and processor are involved in the same processing and are liable for the damage caused by the processing, each controller or processor is jointly and severally liable for the entire damage.
The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
12. LEGAL REMEDIES
Initiate a complaint:
If you have a problem with the Data Controller's handling of your data, you can contact the Managing Director:
Name: László Garai
Phone number: +36301310453
E-mail: info@puregoldprotein.com/hu
Right to apply to the courts:
In the event of a violation of his/her rights, the data subject may, in accordance with the applicable national legislation (Civil Code, § 2:51), take legal action against the controller before the competent court in the territory of the country. The court shall rule on the case out of turn.
Data protection authority procedure: https://edpb.europa.eu/about-edpb/board/members_hu
If you are not a Hungarian citizen and you wish to use the Company's services and you have a complaint, you can contact one of the national supervisory authorities available at the link below using the contact details provided.