1. Introduction

The Service Provider (Böszörményi út 182. Debrecen 4032, Hungary) (from this on The Service Provider) as data controller considers the contents of the following legal notices binding and engages that all data controlling in connection with its activities meet the requirements defined by the law in force and the present notification.

The Service Provider retains the right to change the contents of the present notification. Should a modification happen, the public will duly be informed.

The Service Provider is committed towards the security of the private data of its customers and partners, while finds it of paramount importance to respect the right of information self-determination of its clients. The Service Provider manages personal details as confidential, utilizing all necessary security, technological, and organizational arrangements that will guarantee the security of these data.

Below please find the data management principles defined and followed by Undefasa Hungária Kft. with the expectations defined and met regarding itself as data manager. The general principles of data management policy is in accord with the laws and regulations regarding managements of private and personal data in force, and especially the following:

• • Act LXIII of 1992. – on the Protection of Personal Data and Disclosure of Data of Public Interest (hereinafter DPA Data Protection Act);
• • Act CXIX of 1995. - on the Handling of Names and Addresses for Purposes of Research and Direct Marketing;
• • Act C. of 2000. - on Accounting 2000. (Acc.);
• • Act CVIII. of 2001 - on Electronic Commerce and on Information Society Services (ECom);
• • Act XLVIII of 2008 - on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (CA).

2. Definitions

2.1. personal data: means any data relating to a specified (identifiable or unidentifiable) natural person and any conclusion drawn from such data with respect to him or her. As long as data subject can be identified by the data it preserves this personal characteristic;

2.2. consent: a voluntary and defined proclamation of the data subject based on proper information and through with the data subject gives his or her unambiguous permission to the general or task based processing of the related personal data;

2.3. protest: the proclamations by the data subject, through which a the processing of the related personal data is objected and the termination of data processing and the destruction of the data collected is requested;

2.4. data controller: means any natural or legal person, as well as any organization without legal personality, who determines the purpose of the processing of personal data, who makes the decisions upon data processing and implements them, who may entrust a data processor to perform the implementation;

2.5. data processing: means the collection, recording and storage, process, use (including transfer and disclosure) and deletion of personal data, regardless of the procedure employed. It also includes alteration of data and prevention of their further use;

2.6. transfer: means access by specified third person to data;

2.7. disclosure: means access by anyone to data;

2.8. deletion: includes any step taken for data being unidentified, with no possibility of their retaining;

2.9. distrait: includes any step taken for making it impossible to transfer, disclose, access, alter, destroy, delete connect or synchronize data terminally or for a set period of time;

2.10. destruction: the complete physical annihilation of data or data medium;

2.11. technical data processing: means any operation and technical activity performed upon personal data, irrespective of the method and means employed, as well as of the place of operation;

2.12. data processor: means any natural or legal person, as well as any organization without legal personality, who processes personal data on behalf of the data controller;

2.13. third party: means any natural or legal person, as well as any organization without legal personality other than the data subject, the data controller or the data processor;

2.14. third country: means any state not part of the EEC.

3. Principles of data control at Undefasa-Hungária Kft

Personal data shall be collected only if

a) consented by the data subject, or

b) ordered by law or - under special provisions of law - by decree of local self-government.

In the case of underage persons of incapability and partial incapability, the consent of the legal representative is required for the disclosure. No special consent is required with regard to personal data let known by data subject in the course of public appearance, or turned over by him or her with the purpose of disclosure.

Personal data shall be processed only for a specified purpose, in exercise of a right, or in compliance with an obligation. In the course of the entire processing this purpose shall be complied.

No personal data shall be processed other than those indispensably required for satisfying the purpose of processing and only in a way compatible with that purpose. Data shall not be used excessively and longer than is required for that purpose.

Personal data may be controlled only by consent based on adequate information.

The data subject shall be informed in writing in a detailed and intelligible form, of the processing of his or her personal data performed either by the data controller or by a data processor, the purpose of the processing, its legal basis and duration, the name and address and activity in connection with the data processing of a data processor, as well as of who received or will receive data and for what purpose. The information shall also detail the rights and means of legal remedy of the data subject in relation with the data collection.

Personal data undergoing processing shall be:

a) obtained and processed fairly and lawfully;

b) accurate, complete and where necessary kept up to date;

c) preserved in a form which permits identification of data subject for no longer than it is required for the purpose for which these data are stored.

limited, general and uniform personal identification code shall not be used.

Data shall not be transferred and files shall not be connected unless consented to by the data subject or provided for by law. The conditions for data processing shall meet in each case with regard to each personal data.

Personal data shall not be transferred from the country to any data controller abroad, whatever the data medium or the mode of transmission, except when consented to by data subject or permitted by law, provided that the same principles of data protection shall be obeyed by the foreign controller in respect of each data. Data transmission to any member states of the EEC shall be considered according to the same requirements to be met during the data transfer within the borders of the Republic of Hungary.

4. The sphere of personal data, the goal of data controlling, legal basis and duration

The data controlling activities of The Service Provider are based on voluntary consent. In certain cases however the controlling, storing and transferring of the personal data provided are required by the applicable laws. The customers will be informed on this.

Those who transfer data towards The Service Provider please be noted that in the case you are providing personal data other than your own the consent of the data owner must be provided.

Our users please be noted that during the course of using our service some special health and medical data might be necessary to be controlled (please see paragraph 2.2 of this notification). It is the users' responsibility to only provide consent to such personal data regarding which the possible risks of a possible infringement have been considered and accepted.

4.1. The data of the visitors at www.undefasa.hu

The goal of data control: The Service Provider records the visitors' data during each visit to the portal www.undefasa.hu in order to be able to provide a better service, control its operation and prevent any infringement.
The legal base of the data controlling is provided by the voluntary consent of the subject, and Sect. 3 of Para. 13/A from Act CVIII. of 2001 on Electronic Commerce and on Information Society Services.

The sphere of data controlled: the time and date of the visit, the IP of the visitor's computer, browser name, the currently and previously visited website's address. The duration of data control: no more than 60 days following the visit of the site.

The html code of the portal accessible at www.undefasa.hu is independent from The Service Provider and contains links originating from and pointing to third party servers. The service providers of such servers are capable to collect personal data due to the direct links pointing to their servers.

The third party servers assist in the auditing and independent measuring of visiting and other web analytic data of the site (by Google Analytics for example). The data controllers can provide detailed information regarding the control of the collected data.
The data controllers can be connected at: www.google.com/analytics/

The service provider and the assigned third -party service providers may place and read back small data packets called "cookies" on the users' computer in order to assist personalized servicing. In the case the browser returns a previously saved cookie the service provider controlling the cookie has the option to connect the cookies stored at the time of the actual visit with the ones stored during earlier visits by the user, however only in relation with its own content.

The user can delete the cookie from his or her own computer and also has the option to disable their use in the browser. The handling of cookies can usually be set in the Devices/Settings menu of the browser under Security.

Third party service providers usually use so called web beacons in order to be able to probe user habits and serve commercial interests. These web beacons function like cookies however they cannot be disabled within the browser.

4.2. www.undefasa.hu registration and shopping

Customers may only purchase items from Undefasa web store following the completion of the registration process.
The aim of data controlling is: the identification and distinction of the users, contact, ability to provide a more customized service, ability to provide certain permissions for certain services, ability to compile user statistics, handling orders and purchases, ability to meet and uphold contractual obligations, and if required the ability to publish newsletters.

The legal base of data controlling: the voluntary consent of the data subject, Para 13/A of Act CVIII. of 2001 on Electronic Commerce and on Information Society Services and Sect 5 of Para 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

The sphere of controlled data: identification number, username, password, first and last name, e-mail addresses, phone numbers, company name, consent to receive newsletter, time and date of registration, the IP of the user’s computer at the time of order placement, the time and date of the order, the order’s details, and all accountancy documents generated during the purchasing.

The date of data deletion: a period of three years following the time of the last login, in the case of unconfirmed registration requests 168 hours, and in the case of consents for receiving newsletter until the time of the consent’s withdrawal. Accounting documents are stored for a period of 8 yrs according to Sect 2 of Para 169 of Act C. of 2000 on Accounting.

Data transfer: in the case of an online payment made, the transaction identifiers, the total amount, with the time and date of the purchase are forwarded to CIB Bank Zrt. (1027 Budapest, Medve u. 4-14.).

Personal details can be modified in the Modify Details menu. Deletion of personal details – not including accounting documents – can be requested at the addresses detailed in Section 6 of the present document.

4.3. undefasa.hu newsletter

The goal of data processing: sending newsletter containing economic information for interested parties, in order to inform them on ongoing sales and new products.

The legal base of data processing: the voluntary consent of the data subject and Sect 5 of Para 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

The sphere of data processed: identification number, name, e-mail, date, time.
Period of deletion: until withdrawal of consent, or in the case of unconfirmed requests for mailing list inclusions 168 hours.

Banning the forwarding of newsletters and the deletion of any personal details can be requested by clicking the link included within the newsletter, at www.undefasa.hu/leiratkozas or via mail, at the address detailed in Paragraph 6. of the present document.

4.4. Sending the products’ availability to an acquaintance

In the case any of the items are found interesting, a memo can be sent on them to either the user itself or any of the user’s acquaintances.

The goal of data controlling: sending a message on a product’s availability.

The legal basis of the data controlling: subject’s consent.

The sphere of data controlled: name, address, and e-mail of the sender, the address of the page referenced, date and time.

The period of data controlling: data provided are deleted immediately upon forwarding.

4.5. Clients’ contacting regarding the service.

Should you have any issues or questions while using the service, the service providers can be contacted via the means detailed in the menus Contact or Client Services.

The Service Provider will store the incoming mailing including the name, e-mail, and all the personal data of the sender provided on a voluntary basis for a period of no more than five years following the settlement of the case.

4.6. Further data controlling

All data controlling processes not detailed within this notification will be informed of at the time of the data collection.

Please be noted that according to the decrees of the court, the prosecutor, the investigative authority, the administrative authority, the data protection commissioner, and based on mandates provided by the law other authorities may approach the data controller in order to communicate, hand over and make available all the data controlled.

The Service Provider shall make personal data available for the authorities – in the case the exact purpose and sphere of data has been defined – only in the quantity and quality that is absolutely necessary for fulfilling the pre-defined purpose.

5. Storing personal data and security of data controlling

The computing systems and other data recording sites of The Service Provider can be found at the headquarters of the company, its data processors, and in the hall of Interware Zrt. of the server centre of MediaCenter Hungary Kft. (Victor Hugo u. 18-22, Budapest 1132).

The Service Provider chooses and operates the information technology appliances for controlling personal data during the provision of the service in a way that the data controlled are:

a) available for those authorized for access (availability);

b) secure for accuracy and authentication (authenticity of data controlling);

c) verifiable for being unmodified (data integrity);

d) protected against unauthorized access (classification of data).

The Service Provider is ensuring the protection of the security of data controlling using technical, institutional and organizational measures that suit the level of protection required in relation to the possible risks posed by the controlling of data. During the course of the data controlling, Undefasa Hungária Kft shall keep:

a) classification: shall protect the data to be accessible only for authorized parties;

b) integrity: shall protect the accuracy and authenticity of the data and the processing methods;

c) availability: shall ensure that the data required are available for access by authorized users and all the equipment in connection with this are also available.

The information technology systems and the networks of The Service Provider and its partners are protected against computer related fraud, phishing, sabotage, vandalism, fire and flood, computer viruses, computer related breaches, and denial of service type attacks. The operator is ensuring the security using server and application-level processes.

Please note that irrespective for the protocol used (e-mail, web, ftp, etc.) all electronic messages forwarded via the Internet are vulnerable for threats that may result dishonest activities, impugnation of contractual obligations, exposure and modification of data and information. The service provider will carry out all required precautions in order to protect the user from such threats. The systems are monitored in order to be able to record all security non-conformances and to be able to provide ample evidence in the case a security event. System monitoring also makes the controlling of the effectiveness of the precaution processes utilized possible.

6. Details and availabilities of the data controller

Name: The Service Provider
HQ: Böszörményi út 182. Debrecen 4032
Company registration number: 09-09-005271
Court of registration: Registry Court of Hajdú-Bihar County
Tax Registration number: 11555030-2-09
E-mail: info@undefasa.hu. This e-mail is protected against spamming search-engines and as such JavaScript must be enabled in order for it to be visible.

7. Details and availabilities of the data controller

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
HQ: GLS Európa u. 2. Alsónémedi 2351

8. Facilities of legal remedy

The subject of the data controlling shall be able to require information on the controlling processes related to, move for a correction of, and – with the data controlling processes defined by the law excepted – a deletion of his or her personal data using the means indicated at the time of the provision of such data.

If required, Undefasa Hungária Kft as data controller shall provide information regarding the data controlled by it or any of its partners, the purpose, the legal basis, and the period of the data controlling, the name and address (HQ) of the data controller, all the activities related to the data controlling, and on who and why the data and information are provided for.

The data controller shall provide the information required as soon as possible but within a period of no more than 30 days following the issuing of the petition in writing, using plain language. This information provision is free of charge in the case the petitioner has not handed in a petition on a similar field for the data controller in the actual year. In all other cases, The Service Provider is to set a charge for the service.

The Service Provider shall delete all personal data in the case their controlling is against the law, it is required by the subject, the purpose of the data controlling ceased to exist, the period for storing the controlled data as set by the law has ended, or ordered by the decree of the court or the data protection commissioner.

Regarding the deletion of data, The Service Provider shall notify the data subject and all other parties the data have been forwarded too. In the case the rights of the data subject are not infringed, this notification may be cancelled.

The data subject may raise an objection against the controlling of his or her personal data if:

a) the controlling (and forwarding) of the personal data are due to the sole legal interest of the data controller or the recipient unless the data controlling is required according to the laws in force;

b) The collection and forwarding of the personal data are carried out solely due to the purpose of direct business gains, public surveys, or scientific research;

c) The laws make objection an option.

The Service Provider shall investigate the petition within a period of no more than 15 days – while at the same time suspending the controlling of the data in question – and notify the petitioner on the outcome of the investigation in writing.

In the case the objection is found valid, the data controller shall immediately cease the controlling of the data – including any further data recording and data forwarding – distain the data collected, notify on the cessation and all the other measures taken following the petition of the objection, and all other parties that might have received the personal data objected. These parties must carry out all necessary arrangements toward the validation of the right to object.

In the case the data subject finds the resolution unacceptable, he or she may take the case to court within a period of 30 days following the resolution’s disclosure.

In the case the data controlling is required by the law The Service Provider may not delete the data collected on the subject. The data however may not be forwarded to any data recipient in the case the data controller accepted the objection or the court found the base of the objection legal.

In the case of a breach of the data subject’s rights the data subject may take the case into court against the data controller. The court shall hold the hearing out of turn.

The Service Provider must compensate for any damages caused due to the illegal controlling of the subject’s data or failing to meet the technical requirements. The data controller may not be considered responsible in the case the damages were caused due to some unavertable event.

The controller shall not compensate in the case the damages caused were due to wilful or negligent actions on the part of the aggrieved party.

For legal remedy or filing a complaint please find the office of the Data Protection Commissioner (Adatvédelmi Biztos irodája):

Name Office of the Data Protection Commissioner (Adatvédelmi Biztos Hivatala)
HQ: Nádor u. 22. Budapest, 1051
Mailing address: Budapest 1387, Pf.: 40.
Phone: +36 (1) 4757186, 4757100
Fax: +36 (1) 2693541
E-mail: adatved@obh.hu

This e-mail is protected against spamming search-engines and as such JavaScript must be enabled in order for it to be visible.