Privacy notice

About the rights of the natural person concerned with regard to the processing of his or her personal data

INTRODUCTION

on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC  REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 (hereinafter referred to as the Regulation) requires that the Controller takes appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject's rights. 

 The obligation to inform the data subject in advance is also provided for in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

 The following information is provided to comply with this legal obligation.

 The information must be published on the company's website or sent to the person concerned on request.

NAME OF THE CONTROLLER

Company name: ERON Systems Zrt.

Address: 1054. Budapest, Honvéd utca 8. 1.em 2.

Company registration number: 01-10-141076

Tax number: 28831189-2-41

Representative:Gábor Szántó

Website: www.eronsystems.com

(hereinafter referred to as "the Company")

 

  1. CHAPTER 2

ENSURE THE LAWFULNESS OF PROCESSING

 

  1. Processing based on the consent of the data subject

(1) Where the Company intends to carry out data processing based on consent, the data subject's consent to the processing of his or her personal data shall be obtained by providing the information and content set out in the privacy notice.

(2) Consent shall also be deemed to be given if the data subject ticks a box when viewing the Company's website, makes the relevant technical settings when using information society services, or any other statement or action which, in the relevant context, clearly indicates the data subject's consent to the intended processing of his or her personal data. Silence, ticking a box or inaction therefore does not constitute consent.

(3) Consent shall cover all processing activities carried out for the same purpose or purposes. Where processing is carried out for more than one purpose, consent shall be given for all the purposes for which the processing is carried out.

(4) Where the data subject gives his or her consent in the context of a written statement which also relates to other matters, such as the conclusion of a sales or service contract, the request for consent must be presented in a manner clearly distinguishable from those other matters, in a clear and easily accessible form, in clear and plain language. Any part of such a statement containing the consent of the data subject which is in breach of the Regulation shall not be binding.

(5) The Company may not make the conclusion or performance of a contract conditional on the consent to the processing of personal data that are not necessary for the performance of the contract.

(6) The data subject may withdraw his or her consent to the processing at any time.

(7) Where the personal data have been collected with the consent of the data subject, the controller may process the collected data for the purpose of complying with a legal obligation to which the data subject is subject, unless otherwise provided by law, without further specific consent and even after the withdrawal of the data subject's consent.

  1. Processing based on the performance of a legal obligation

(1) In the case of processing based on a legal obligation, the scope of the data to be processed, the purpose of the processing, the duration of the storage of the data and the recipients shall be governed by the provisions of the underlying legislation.

(2) The processing based on the legal ground of performance of a legal obligation is independent of the consent of the data subject, since the processing is determined by law. In such cases, the data subject shall be informed before the processing starts that the processing is mandatory and shall be provided with clear and detailed information on all the facts relating to the processing of his or her data, in particular on the purposes and legal basis of the processing, the identity of the controller and of the processor, the duration of the processing, whether the controller is processing the personal data of the data subject on the basis of a legal obligation to which the data subject is subject and the recipients of the data. The information should also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory processing, the information may also be provided by making public a reference to the legal provisions containing the foregoing information.

  1. Promoting the rights of the data subject

The Company shall ensure the exercise of the rights of the data subject in all its processing.

 

 

 CHAPTER III

Purpose and duration of processing

  1. Purpose of data processing

 

  • Create and manage a user account on the Company's website.
  • Processing orders for services, including receiving, processing and invoicing.
  • Providing support services, including answering questions from the data subject about the services provided by the Company or about a specific order.

 

The processing of the data subject's data for the above purposes is in most cases necessary for the conclusion and performance of a contract between the Company and the data subject. In addition, the processing of certain data in this context is required by law, including the laws on taxation and accounting.

  1. Duration of processing

The personal data of the data subject will be stored for the duration of the user account registered on the Company's website. Notwithstanding this, you may at any time request us to delete certain of your data or to terminate your user account, however, we will ensure compliance with the legal requirement for certain data, even after termination of your user account.

  1. CHAPTER 2

Scope of the data processed

  1. User name and address: The purpose of the processing is to identify the data subject.
  2. Username: It is essential for the identification of the user registering on the Company's website in the database and for the purpose of contacting the user.
  3. Password: It is used for secure access to the user account.
  4. E-mail address: It is essential for the identification of the user registering on the Company's website in the database and for the purpose of contacting the user.
  5. IP address: The identification number assigned by the ISP to the user's device when logging in to the system. It is managed by the Company to ensure the IT security of the system.
  1. CHAPTER 2

INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED

  1. A brief summary of the data subject's rights:
  2. Transparent information, communication and facilitating the exercise of the rights of the data subject.
  3. Right to prior information - where personal data are collected from the data subject.
  4. The information to be provided to the data subject and the information to be made available to him or her if the personal data have not been obtained by the controller from him or her.
  5. The data subject's right of access.
  6. The right to rectification.
  7. The right to erasure ("the right to be forgotten").
  8. Right to restriction of processing.
  9. The obligation to notify the rectification or erasure of personal data or the restriction of processing.
  10. The right to data portability.
  11. The right to protest.
  12. Automated decision-making on individual cases, including profiling.
  13. Restrictions.
  14. Informing the data subject about the data breach.
  15. The right to lodge a complaint with a supervisory authority (right to official redress).
  16. The right to an effective judicial remedy against the supervisory authority.
  17. The right to an effective judicial remedy against the controller or processor.
  1. Your rights as a data subject in detail:
  1. Transparent information, communication and facilitation of the exercise of data subject rights

1.1. The controller shall provide the data subject with all information and any particulars relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular in the case of any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, information may be provided orally, provided that the identity of the data subject has been verified by other means.

1.2. The controller must facilitate the exercise of the data subject's rights.

1.3. The controller shall inform the data subject, without undue delay and in any event within one month of receipt of the request, of the measures taken in response to the request to exercise his or her rights. This time limit may be extended by a further two months under the conditions laid down in the Regulation, of which the data subject shall be informed.

1.4. If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

1.5. The data controller shall provide the information and the information and action on the rights of the data subject free of charge, but may charge a fee in the cases provided for in the Regulation.

The detailed rules are set out in Article 12 of the Regulation.

  1. Right to prior information - when personal data are collected from the data subject

2.1. The data subject shall have the right to be informed of the facts and information relating to the processing before the processing starts. In this context, the data subject shall be informed:

  1. a) the identity and contact details of the controller and its representative,
  2. b) the contact details of the Data Protection Officer (if any),
  3. (c) the purposes for which the personal data are intended to be processed and the legal basis for the processing,
  4. (d) in the case of processing based on legitimate interests, the legitimate interests of the controller or a third party,
  5. (e) the recipients to whom the personal data are disclosed and the categories of recipients, if any;
  6. (e) where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation.

2.2. To ensure fair and transparent processing, the controller must provide the data subject with the following additional information:

  1. (a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
  2. (b) the data subject's right to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject's right to data portability;
  3. (c) in the case of processing based on the data subject's consent, the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
  4. (d) the right to lodge a complaint with a supervisory authority;
  5. (e) whether the provision of the personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data;
  6. (f) the fact of automated decision-making, including profiling, and, at least in those cases, the logic used and clear information on the significance of such processing and the likely consequences for the data subject.

2.3. If the controller intends to further process personal data for a purpose other than that for which they were collected, the controller must inform the data subject of that other purpose and of any relevant additional information before further processing.

The detailed rules on the right to prior information are set out in Article 13 of the Regulation.

  1. Information to the data subject and the information to be provided to him or her where the personal data have not been obtained by the controller from him or her

3.1. If the controller has not obtained the personal data from the data subject, the data subject must be informed by the controller no later than one month after the personal data were obtained; if the personal data are used for the purpose of contacting the data subject, at least at the time of the first contact with the data subject; or, if the data are likely to be disclosed to another addressee, no later than the time of the first disclosure of the personal data, in accordance with the provisions of Article 2. the facts and information referred to in point (2), the categories of personal data concerned and the source of the personal data and, where applicable, whether the data originate from publicly available sources.

3.2. The other rules are those set out in point 2 (Right to prior information) above.

The detailed rules for this information are set out in Article 14 of the Regulation.

 

  1. Right of access of the data subject

4.1. The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and related information described in points 2-3 above.

4.2. Where personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.

4.3. The controller must provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.

Detailed rules on the right of access of the data subject are laid down in Article 15 of the Regulation.

  1. The right to rectification

5.1. The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her.

5.2. Taking into account the purpose of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

These rules are set out in Article 16 of the Regulation.

 

  1. Right to erasure ("right to be forgotten")

6.1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay if.

  1. (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. (b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  3. (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
  4. d) the personal data have been unlawfully processed;
  5. (e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
  6. f) the personal data were collected in connection with the provision of information society services directly to a child.

6.2. The right to erasure cannot be exercised if the processing is necessary

  1. a) for the exercise of the right to freedom of expression and information;
  2. (b) to comply with an obligation under Union or Member State law to which the controller is subject or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. c) on the basis of public interest in the field of public health;
  4. (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
  5. (e) for the presentation, exercise or defence of legal claims.

Detailed rules on the right to erasure are set out in Article 17 of the Regulation.

  1. Right to restriction of processing

7.1. Where processing is restricted, such personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

7.2. The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if one of the following conditions is met:

  1. (a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
  2. (b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
  3. (c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
  4. (d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.

7.3. The data subject shall be informed in advance of the lifting of the restriction on processing.

The relevant rules are set out in Article 18 of the Regulation.

 

  1. Obligation to notify the rectification or erasure of personal data or restriction of processing

The controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.

These rules can be found under Article 19 of the Regulation.

  1. The right to data portability

9.1. Under the conditions set out in the Regulation, the data subject has the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, if.

  1. (a) the processing is based on consent or on a contract; and
  2. (b) the processing is carried out by automated means.

9.2. The data subject may also request the direct transfer of personal data between controllers.

 

9.3. The exercise of the right to data portability must not infringe Article 17 of the Regulation [the right to erasure ("the right to be forgotten")]. The right of portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This right shall not adversely affect the rights and freedoms of others.

The detailed rules are set out in Article 20 of the Regulation.

  1. The right to protest

10.1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the public interest, the performance of a public task (Article 6(1)(e)) or a legitimate interest (Article 6(1)(f)), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

10.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.

10.3. These rights must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information must be clearly displayed separately from any other information.

10.4. The data subject may also exercise the right to object by automated means based on technical specifications.

10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The relevant rules are set out in Article 21 of the Regulation.

  1. Automated decision-making on individual cases, including profiling

11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

11.2. This entitlement does not apply in the case of a decision to:

  1. (a) necessary for the conclusion or performance of a contract between the data subject and the controller;
  2. (b) permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
  3. (c) based on the explicit consent of the data subject.

11.3. In the cases referred to in points (a) and (c), the controller shall take appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.

Further rules are set out in Article 22 of the Regulation.

  1. Restrictions

Union or Member State law applicable to a controller or processor may limit the scope of rights and obligations (Articles 5, 12 to 22, 34 of the Regulation) by legislative measures, if the limitation respects the essential content of fundamental rights and freedoms.

The conditions for this restriction are set out in Article 23 of the Regulation.

  1. Informing the data subject about the personal data breach

13.1. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must inform the data subject of the personal data breach without undue delay. This information shall clearly and plainly describe the nature of the personal data breach and shall include at least the following:

  1. (a) the name and contact details of the Data Protection Officer or other contact person who can provide further information;
  2. (c) describe the likely consequences of the data breach;
  3. (d) describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

13.2. The data subject need not be informed if any of the following conditions are met:

  1. (a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
  2. (b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  3. c) the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or by a similar measure ensuring that the data subject is informed in an equally effective manner.

Further rules are set out in Article 34 of the Regulation.

  1. The right to lodge a complaint with a supervisory authority (right to official redress)

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. The supervisory authority with which the complaint has been lodged must inform the data subject of the procedural developments and the outcome of the complaint, including the right of the data subject to judicial remedy.

These rules are set out in Article 77 of the Regulation.

Contact details of the supervisory authority:

Name: National Data Protection Authority

Address:1055 Budapest, Falk Miksa utca 9-11.

E-mail: uygfelszolgalat@naih.hu

Phone: +36 (1) 391 1400

 

  1. Right to an effective judicial remedy against the supervisory authority

 

15.1. Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.

15.2. Without prejudice to any other administrative or non-judicial remedy, any data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint.

15.3. Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

15.4. If proceedings are brought against a decision of a supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority is obliged to transmit this opinion or decision to the court.

 

These rules are set out in Article 78 of the Regulation.

 

  1. The right to an effective judicial remedy against the controller or processor

16.1. Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, every data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.

 

16.2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.

These rules are set out in Article 79 of the Regulation.

Done at Budapest, 16 June 2021.

en_USEnglish
hu_HUHungarian en_USEnglish