Data protection and data processing guideline
- Objective of the data processing guideline
HILLEXPO Korlátolt Felelősségű Társaság (1123 Budapest, Alkotás street 1/A 1. floor 13., hereinafter: Data controller), as Data controller, recognizes the content of the present guideline as binding on itself. It commits itself to ensuring that all data processing in relation to its activity is in accordance with the present guideline and with the applicable national regulations, as well as with the requirements set in the European Union legislation.
The Data controller reserves its right to change the present guideline at any time. In case you have a question concerning the present guideline, please, write to us and our colleague will answer your question.
The Data controller is committed to the protection of the personal data of its customers and partners (Data subject) and considers it of particular importance to respect its customers' right of informational self-determination. The Data controller processes personal data confidentially and takes all security, technical and organizational measures which guarantee the protection of the data.
The Data controller describes its data processing here below.
- Data of the Data controller
If you wish to contact the Data controller, you may do so via the info@hillexpo.com email address.
Name: HILLEXPO Korlátolt Felelősségű Társaság
Official seat: 1123 Budapest, Alkotás street 1/A 1. floor 13.
Company registration No.: 01-09-307618
Tax ID No.: 26203416-2-43
Telephone number: +36 30 910 9474
E-mail: info@hillexpo.com
website: www.hillexpo.com
- Description of data processing, scope of processed personal data
3.1 Data related to online contact
In this case the Data subject contacts the Data controller through the „Contact” menu on the website.
Processed data | Legal basis | Objective of data processing | Time period of data processing |
name, e-mail address | the data subject’s consent | Contacting potential customers, the customer may ask for an offer during the contact. | Until withdrawal of Data subject’s consent |
3.2 Data related to requesting online price offer
In this case the Data subject contacts the Data controller through the „Prices” menu of the website. The Data subject may ask for an offer from the Data controller.
Processed data | Legal basis | Objective of data processing | Time period of data processing |
name, e-mail address, telephone number, photos | the data subject’s consent, obligation according to law | Contacting potential customers, the customer may ask for an offer during the contact. | In case of asking an offer: until withdrawal of the Data subject’s consent, but maximum 5 years after the provision of data. In case of order: until the fulfilment of the service, but maximum 5 years after the provision of data. In relation to invoice: for time period specified by law. |
3.3 Data related to contact of partners and suppliers
The parties may assign a contact person in the contracts made with partners and suppliers.
Processed data | Legal basis | Objective of data processing | Time period of data processing |
name, e-mail address, telephone number, invoicing data | the data subject’s consent, obligation according to law | Fulfilment of contractual obligation, relationship management with the other party. | Until the fulfilment of the objective of the service, but maximum for 5 years. In relation to invoice: for time period specified by law. |
3.4 Processing of data of employees
Processing of data of the Data subjects employed by the data controller.
Processed data | Legal basis | Objective of data processing | Time period of data processing |
name, e-mail address, telephone number, address, Hungarian social security number, tax ID number, bank account number | obligation according to law | Accounting of salary and other payroll contributions of the employees, payment of salary, relationship management with the employees, keeping of records required by law | For time period specified by law. |
Used data processors
Name | Contact | Data processing task |
Tárhelypark Kft. | 1122 Budapest, Gaál József road 24, | ensuring online storage |
Medikont21 Bt. | 3300 Eger, Malomárok street 56. | accounting services |
Juhász Tímea EV | 2040 Budaörs, Ötvös street 14/b. | website operator |
3.5 Data related to newsletter
Registration for the newsletter is possible on the website of the Data controller. Data subject may unsubscribe from the newsletter at any time through the info@hillexpo.com email address.
Processed data | Legal basis | Objective of data processing | Time period of data processing |
name, e-mail address | the data subject’s consent | sending of e-mail newsletters for those interested including advertisements, information about actual and current discounts, direct marketing | until withdrawal of the Data subject’s consent |
3.6 Data related to enforcement of claims towards the customers
In case the Data subject does not pay the price of the ordered services until the due date, it is necessary to forward the Data subject’s data for the purpose of debt collection.
Processed data | Legal basis | Objective of data processing | Time period of data processing |
name, e-mail address, telephone number, supplier name, invoicing data, ordered service, price | Enforcement of the Data controller’s legitimate interests | Collection of the Data subject’s debt toward the Data controller | until the expiry of the debt |
- Processing of website cookies
A cookie is a small file that is placed on the computer when the Data subject visits a website. Cookies have multiple functions, including gathering information and storing the Data subject’s own settings; they are used, for example, in online web shop carts, and in general enhance the use of a website by the Data subject.
The Service Provider uses cookies to identify the Data subjects, to identify the actual work session of the Data subjects, to store the provided data and to prevent the loss of these data.
4.1. Mandatory session cookies
- These cookies are necessary to enable the Data subjects to use our website and its functions, including, for example, storing the steps performed by the Data subject on a given page during a visit to the website. These cookies are valid exclusively during the actual visit of the Data subject; cookies of this type are automatically deleted from the Data subject’s computer when the session ends or the browser is closed. Without the use of these cookies we cannot guarantee the use of our website.
4.2. Cookies enhancing usage
- These cookies allow the Data controller to store the choices of the Data subject related to the website or the provided information, for example the username, language, or region in which the Data subject is located. Mostly with the help of these, the Data controller can adjust the website to the User’s preferences. These (permanent) cookies have a set expiration date and are stored on the computer until deletion or, at the latest, until the expiration date.
4.3. Processing of cookies of third party service providers on the website:
Service provider | Detailed information about the cookies |
Google Analytics | https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage |
4.4 Accepting or blocking cookies
- The legal basis of processing cookies is the consent of the Data subject. The Data subject consents by clicking the „Accept” button on the website.
- All modern browsers allow changing the settings of the cookies. Most browsers accept cookies automatically by default, but this can generally be changed to block automatic acceptance and to offer the choice each time of whether to allow cookies or not. In case the Data subject does not accept the use of cookies, we automatically navigate him away from our website.
- We draw the attention of the Data subjects to the fact that, as the purpose of the cookies is to enhance or enable the usage and processes of the website, blocking or deleting the cookies may mean that the Data subjects won’t be able to use all the functions of the website, or that the website will perform differently than planned in the browser.
- Further information about the cookie settings and setting restrictions of the most popular browsers is available at the links below: Google Chrome, Firefox, Microsoft Internet Explorer 11, Microsoft Internet Explorer 10, Microsoft Internet Explorer 9, Microsoft Internet Explorer 8, Safari
- 5. Server logging of the website
When the website is visited, the web server automatically logs the User’s activity in order to ensure the operation of the services. The following data are processed during this process: IP address, device and browser data, which in themselves are not sufficient to identify the Data subject; however, by connecting them to other data (provided for example at registration), they may make it possible to draw conclusions related to the Data subject. The Data controller does not link the data from analysis of logging data to other information and does not aim to identify the Data subject.
- Objective, method and legal basis of the data processing
6.1. General data processing directives
The data processing activities of the Data controller are based on voluntary consent and authorisation by law. In case of data processing based on voluntary consent, the Data subjects may withdraw their consent at any time.
In certain cases, the processing, storing or forwarding of certain parts of the provided data is obligatory by law, about which we separately inform the customers.
The data processing principles are in accordance with the legislation in force related to data protection, especially with the below: Act CXII of 2011 on Informational Self-determination and Freedom of Information (Privacy Act); Regulation (EU) 2016/679 of the European Parliament and of the Council (of 27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR); Act V of 2013 on the Civil Code (Civil Code); Act C of 2000 on Accounting (Accounting law); Act LIII of 2017 on the Prevention of Money Laundering and Terrorism (PMT); Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises (HPT).
- Method of storing personal data, security of data processing
The personal data are stored securely on the server of the Data controller.
The Data controller implements appropriate technical and organisational measures to guarantee a level of data security appropriate to the risks related to data processing, including inter alia as appropriate: (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process of regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
- Rights of Data subjects and legal enforcement possibilities
The present Guideline includes the information related to the personal data of the Data subject. Verbal information may be provided upon the request of the Data subject, provided that personal identification is made. The Data controller may not refuse to fulfil a request to exercise the rights of the Data subject described below, unless it proves that it is not able to identify the Data subject. In case the Data controller has insufficient information to identify the natural person submitting the request, it may ask for further information necessary to confirm the identity of the Data subject.
The Data controller informs the Data subject about the measures taken in relation to his request without undue delay, but definitely within 1 month from the receipt of the request. If needed, considering the complexity of the request and the number of requests, this due date may be prolonged by an additional 2 months. The Data controller informs the Data subject about the prolongation of the due date and about the reasons for the delay within 1 month from the receipt of the request. In case the Data subject submitted his request in electronic form, the information shall be provided as far as possible in electronic form, unless the Data subject requests it in another form.
In case the Data controller does not take measures based on the request of the Data subject, it informs the Data subject without delay, but at the latest within 1 month from the receipt of the request, about the reasons for not taking measures, as well as about the legal remedy possibilities of the Data subject included in the present Guideline. The Data controller does not charge a fee for providing the information or for the measures taken. In case the request of the Data subject is clearly unfounded or, especially due to its repetitive nature, exaggerated, the Data controller may, considering the administrative costs related to providing the information or taking the requested measures, charge a reasonable fee or refuse to take the requested measures.
7.1. Data subject’s right of access
The Data subject has the right to receive feedback from the Data controller as to whether his personal data are being processed and, if such processing is in progress, he has the right of access to his personal data and to the information included in the present Guideline relating to the processing of his personal data.
The Data controller provides the Data subject with a copy of the personal data which are the subject of the data processing. The Data controller may charge a reasonable fee based on administrative costs for additional copies requested by the Data subject. In case the Data subject submitted his request in electronic form, the information shall be provided in a generally used electronic form, unless the Data subject requests it in another form.
7.2. Right of rectification
The Data subject may request the correction of his inaccurate personal data and the completion of his missing personal data processed by the Data controller.
7.3. Right of erasure
The Data subject has the right to request from the Data controller the erasure of personal data related to him without undue delay for any of the reasons listed below:
- the purpose of gathering or processing of personal data no longer exists;
- the Data subject withdraws his consent upon which the data processing is based and no other legal basis exists for data processing;
- the Data subject objects to the data processing and there is no precedent legal reason for data processing;
- personal data were processed unlawfully;
- personal data shall be erased due to legal obligation applicable to the Data controller prescribed in European Union or Member State legislation;
- personal data were gathered in relation to offering services related to information society.
Erasure of data may not be requested if the data processing is necessary: for exercising the right of freedom of speech or to information; for the fulfilment of a legal obligation to process personal data applicable to the Data controller under European Union or Member State legislation, or for reasons of public interest or for fulfilling a task within the exercise of public authority delegated to the Data controller; for objectives related to public health, or for objectives of archiving, scientific or historical research or for statistical objectives, based on public interest; or for submitting, enforcing and protecting legal claims.
7.4. Right of blocking data processing
The Data controller blocks the data processing upon the request of the Data subject in case of the below conditions:
- the Data subject disputes the correctness of the personal data; in this case the blocking is valid for the time period which enables examination of whether the personal data are correct;
- the data processing is unlawful and the Data subject objects to the erasure of the data and instead requests blocking of their processing;
- the data controller no longer requires the personal data for data processing, but the Data subject needs them to submit, enforce or protect legal claims; or
- the Data subject objects to data processing; in this case the blocking is valid until it is determined whether the legitimate reasons of the data controller precede the legitimate reasons of the data subject.
In case the data processing is blocked, the personal data may, with the exception of storing, be processed only with the consent of the Data subject, or for the submission, enforcement or protection of legal claims, or for the protection of the legal rights of other natural persons or legal entities, or due to an important public interest of the European Union or of a Member State.
7.5. Right to data carrying
The Data subject has the right to receive the personal data related to him that he provided to a data controller, in a widely used layout format that can be read on a computer, and furthermore has the right to forward these data to another data controller without hindrance from the data controller to whom he provided the personal data, if:
- a) the data processing is based on consent or on a contract; and
- b) the data processing is automated.
While exercising the right of data carrying, the Data subject is entitled to request, if technically feasible, direct forwarding of the personal data between the data controllers, but this may not adversely affect the rights and freedom of others.
7.6. Automated decision making in unique cases, including profiling
The Data subject is entitled not to be subject to a decision based exclusively on automated data processing, including profiling, which has legal effect on him or affects him in a similarly substantial manner, unless the decision (i) is necessary in order to sign a contract between the Data subject and the Data controller or to fulfil such a contract; (ii) is permitted by a law applicable to the Data controller which sets out measures ensuring the protection of the rights and freedom, as well as the legitimate interests, of the Data subject; or (iii) is specifically based on the consent of the Data subject.
In order to give effect to the Data subject’s rights, the Data subject has the right to request human intervention from the Data controller, to express his viewpoint and to raise an objection against the decision.
7.7. Right of withdrawal
The Data subject is entitled to withdraw his consent at any time.
7.8. Right to initiate judicial procedure
In case the Data subject does not agree with the decision of the Data controller, he may initiate a judicial procedure within 30 days from the receipt of the decision. The Service Provider is obliged to prove that the data processing is in accordance with the regulations. Judicial review is within the authority of the court. The legal proceeding may, according to the decision of the Data subject, also be initiated at the court of the Data subject’s address or usual residence.
7.9. Data protection authority procedure
The Data subject is entitled to request information about his rights from the Authority and, furthermore, to request an investigation on the grounds of infringement or its direct danger, using the contact details below:
Hungarian National Authority for Data Protection and Freedom of Information
Official seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5.
Telephone: 06.1.391.1400 Fax: 06.1.391.1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
- Data protection incident*
In case the data protection incident is likely to involve a high risk to the rights and freedom of natural persons, the Data controller informs the Data subject about the data protection incident without undue delay. The information shall include a clear and plain description of the nature of the data protection incident, and the following information and measures shall be communicated: (i) name and contact details of the person providing the information; (ii) likely consequences of the data protection incident; (iii) measures taken or planned by the data controller to remedy the data protection incident.
It is not necessary to inform the Data subject if any of the following conditions are met: (i) the Data controller took appropriate technical and organisational protection measures and these measures were applied to the data affected by the data protection incident; (ii) the Data controller took further measures after the data protection incident which ensure that the high risk to the Data subject’s rights and freedom will likely no longer exist; (iii) providing the information would require disproportionate efforts.
In these cases the Data subjects shall be informed by public information, or a similar measure shall be taken which ensures that the Data subjects are informed with similar effectiveness.
* A data protection incident is a security breach which results in the accidental or illegitimate destruction, loss, alteration or disclosure of, or access to, personal data that are forwarded, stored or processed in another way.
- Liability, compensation, legal remedy
All persons who suffer financial or non-financial damages as a result of a breach of the Privacy Act are entitled to compensation for those damages from the Data controller Service provider or from the data controllers or data processors marked in the present Guideline.
All data controllers involved in the data processing are liable for all the damages which result from data processing that breaches the Privacy Act. The data processor is liable for the damages caused by data processing if he did not comply with the obligations specific to data processors defined in the Privacy Act, or if he omitted or opposed the legitimate instructions of the Data controller.
The Data controller and the data processor are not liable if they prove that they are not responsible in any way for the event that caused the damage. In case several data controllers or several data processors, or both the data controller and the data processor, are involved in the same data processing and are liable for the damages caused by the data processing, each data controller or data processor has joint liability for the full damages in order to ensure actual compensation of the Data subject.
In case of questions, remarks, problems concerning the data processing of the Data controller, please contact the Data controller.
Budapest, 1st of April 2019