Privacy Policy

Data Controller and contact details:

Name: FIX-Hungary Bt.
Registered office: 3060 Pásztó, Kövicses utca 46., Hungary
Tax number: 21406212-2-12
E-mail: fixhungarybt@gmail.com
Phone: +36 30 668 9005

Contact details of the Data Protection Officer:

Name: FIX-Hungary Bt.
Registered office: 3060 Pásztó, Kövicses utca 46., Hungary
Tax number: 21406212-2-12
E-mail: fixhungarybt@gmail.com
Phone: +36 30 668 9005

Definitions

„personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
„processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
„controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
„processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
„recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
„consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
„personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to processing of personal data

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The controller shall be responsible for, and be able to demonstrate compliance with, the above principles (‘accountability’).

Data Processing Activities

Data processing related to website operation

1.) Fact of data collection, scope of processed data and the purpose of data processing:

Personal data	Purpose of processing
Name	For contact purposes
E-mail address	Communication.
Phone number	Communication

Neither the username nor the e-mail address is required to contain personal data.

2.) Scope of data subjects: All data subjects filling out the form on the website.

3.) Duration of data processing, deadline for data erasure: Immediately upon cancellation of the registration. Except in the case of accounting documents, as under Section 169 (2) of Act C of 2000 on Accounting, these data must be retained for 8 years.

The accounting documents directly and indirectly supporting the bookkeeping records (including ledger accounts, analytical and detailed records) must be kept in readable form for at least 8 years, retrievable by reference to the accounting records.

4.) Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the sales and marketing staff of the data controller, respecting the above principles.

5.) Description of data subjects’ rights regarding data processing:

The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning them, and
may object to the processing of such personal data, and
the data subject has the right to data portability, as well as the right to withdraw consent at any time.

6.) The data subject can initiate access to, deletion, modification, or restriction of processing of personal data, data portability, and objection to data processing in the following ways:

by post at 3060 Pásztó, Kövicses utca 46., Hungary,
by e-mail at fixhungarybt@gmail.com,
by phone at +36 30 668 9005

7.) Legal basis for data processing:

Consent of the data subject, Article 6(1)(a), Section 5 (1) of the Info Act,
Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter: E-commerce Act):
For the purpose of providing the service, the service provider may process personal data that are technically indispensable for the provision of the service. In case of identical other conditions, the service provider must choose and in all cases operate the tools used in providing the information society service in such a way that personal data is only processed if strictly necessary for the provision of the service and the fulfillment of other purposes defined in this Act, but even in this case only to the necessary extent and duration.
In the case of issuing an invoice in compliance with accounting legislation, Article 6(1)(c).

8.) Please be informed that

data processing is based on your consent
you are obliged to provide personal data so we can fulfill your order.
failure to provide data has the consequence that we cannot process your order.

Employed Data Processors

Hosting Provider

Activity performed by the data processor: Hosting services
Name and contact details of the data processor:
Name: Rackhost Zrt.
Mailing address: 6722 Szeged, Tisza Lajos körút 41., Hungary
E-mail address: info@rackhost.hu
Phone number: +36 1 445 1200
Fact of data processing, scope of processed data: All personal data provided by the data subject.
Scope of data subjects: All data subjects using the website.
Purpose of data processing: Making the website accessible and operating it properly.
Duration of data processing, deadline for data erasure: Data processing lasts until the termination of the agreement between the data controller and the hosting provider, or until the data subject’s erasure request to the hosting provider.
Legal basis for data processing: the User’s consent, Section 5 (1) of the Info Act, Article 6(1)(a), and Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

Cookie Management

1.) Cookies typical for webshops are the so-called “password-protected session cookies”, “shopping cart cookies”, and “security cookies”, the use of which does not require prior consent from data subjects.

2.) Fact of data processing, scope of processed data: Unique identification number, dates, times

3.) Scope of data subjects: All data subjects visiting the website.

4.) Purpose of data processing: Identifying users, maintaining the “shopping cart”, and tracking visitors.

5.) Duration of data processing, deadline for data erasure:

Cookie type	Legal basis for data processing	Duration of processing	Scope of processed data
Session cookies	Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (E-commerce Act)	The period until the closure of the relevant visitor session	connect.sid

6.) Identity of potential data controllers entitled to access the data: The data controller does not process personal data through the use of cookies.

7.) Description of data subjects’ rights regarding data processing: Data subjects have the option to delete cookies in the Tools/Settings menu of their browsers, usually under the Privacy settings.

8.) Legal basis for data processing: No consent from the data subject is required if the sole purpose of using cookies is the transmission of a communication over an electronic communications network or if it is strictly necessary for the service provider to provide an information society service explicitly requested by the subscriber or user.

Use of Google AdWords Conversion Tracking

The data controller uses the online advertising program “Google AdWords” and, within its framework, utilizes Google’s conversion tracking service. Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
When a User accesses a website through a Google ad, a cookie required for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data; thus, the User cannot be identified by them.
When the User browses certain pages of the website and the cookie has not yet expired, both Google and the data controller can see that the User clicked on the ad.
Every Google AdWords client receives a different cookie, so they cannot be tracked across the websites of AdWords clients.
The information obtained using conversion tracking cookies serves the purpose of generating conversion statistics for AdWords clients who have opted for conversion tracking. Clients are thereby informed about the number of users who clicked on their ad and were redirected to a page with a conversion tracking tag. However, they do not receive information that could identify any user.
If you do not wish to participate in conversion tracking, you can opt-out by disabling the installation of cookies in your browser. You will then not be included in the conversion tracking statistics.
Further information and Google’s privacy policy are available at the following page: www.google.de/policies/privacy/

Application of Google Analytics

This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, text files placed on your computer, to help analyze how users use the site.
The information generated by the cookie about the User’s use of the website is generally transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google will truncate the User’s IP address beforehand within Member States of the European Union or other parties to the Agreement on the European Economic Area.
Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to evaluate the User’s use of the website, to compile reports on website activity for website operators, and to provide other services relating to website activity and internet usage.
The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other Google data. The User may refuse the use of cookies by selecting the appropriate settings on their browser; however, please note that if you do this you may not be able to use the full functionality of this website. Furthermore, you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en

Complaint Handling

1.) Fact of data collection, scope of processed data and the purpose of data processing:

Personal data	Purpose of processing
Name	Identification, communication.
E-mail address	Communication.
Phone number	Communication.

2.) Scope of data subjects: All data subjects making purchases on the webshop website and submitting quality objections or complaints.

3.) Duration of data processing, deadline for data erasure: Copies of the record taken of the objection, the transcript, and the response given to it must be retained for 5 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

5.) Description of data subjects’ rights regarding data processing:

The data subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning them, and
may object to the processing of such personal data, and
the data subject has the right to data portability, as well as the right to withdraw consent at any time.

6.) The data subject can initiate access to, deletion, modification, or restriction of processing of personal data, data portability, and objection to data processing in the following ways:

by post at 3060 Pásztó, Kövicses utca 46., Hungary,
by e-mail at fixhungarybt@gmail.com,
by phone at +36 30 668 9005.

7.) Legal basis for data processing: the data subject’s consent, Article 6(1)(c), Section 5(1) of the Info Act, and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

8.) Please be informed that

the provision of personal data is based on a contractual obligation
the processing of personal data is a prerequisite for concluding the contract.
you are obliged to provide personal data so we can handle your complaint.
failure to provide data has the consequence that we cannot process the complaint submitted to us.

Social Media

Fact of data collection, scope of processed data: The name registered on social media networks such as Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc., and the user’s public profile picture.
Scope of data subjects: All data subjects who have registered on social media networks like Facebook/Google+/Twitter/Pinterest/Youtube/Instagram, etc., and have “liked” the website.
Purpose of data collection: To share, or “like”, and promote certain content elements, products, promotions of the website or the website itself on social media networks.
Duration of data processing, deadline for data erasure, identity of potential data controllers entitled to access the data, and description of data subjects’ rights regarding data processing: The data subject can find information about the source of the data, their processing, as well as the method and legal basis of transfer on the respective social media site. Data processing takes place on social media sites, thus the duration, method of processing, and possibilities for deleting and modifying data are governed by the regulations of the respective social media site.
Legal basis for data processing: the data subject’s voluntary consent to the processing of their personal data on social media sites.

Customer Relations and Other Data Processing

If questions arise or the data subject has an issue while using our services, they can contact the data controller using the methods provided on the website (phone, e-mail, social media sites, etc.).
The data controller deletes incoming e-mails, messages, data provided via phone, Facebook, etc., together with the inquirer’s name, e-mail address, and other voluntarily provided personal data, no later than 2 years from the date of communication.
Information about data processing not listed in this policy will be provided at the time the data is collected.
Upon exceptional official request, or based on authorization by law, in the case of requests from other bodies, the Service Provider is obliged to provide information, communicate data, hand over data, or make documents available.
In these cases, the Service Provider will disclose personal data to the requesting party – provided they have indicated the exact purpose and scope of data – only to the extent and in the amount that is strictly necessary to achieve the purpose of the request.

Rights of the Data Subjects

Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the Regulation.
Right to rectification
You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller shall have the obligation to erase personal data without undue delay where specific grounds apply.
Right to be forgotten
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
– you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
– the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
– the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
– you have objected to processing; in this case, the restriction applies for the period until it is verified whether the legitimate grounds of the controller override your legitimate grounds.
Right to data portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…)
Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you (…), including profiling based on those provisions.
Objection in case of direct marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph shall not apply if the decision:

is necessary for entering into, or performance of, a contract between you and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.

Time limit for taking action

The data controller shall provide information on action taken on a request to you without undue delay and in any event within 1 month of receipt of the request.

That period may be extended by 2 further months where necessary. The data controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

If the data controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions are met:

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Right to lodge a complaint

In the event of a possible infringement by the data controller, a complaint may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information (NAIH)
1055 Budapest, Falk Miksa u. 9-11., Hungary
Mailing address: 1363 Budapest, Pf.: 9.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Closing Remarks

During the preparation of this information policy, we took into account the following legislation:

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Info Act)
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (especially Section 13/A)
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (especially Section 6)
Act XC of 2005 on Freedom of Information by Electronic Means
Act C of 2003 on Electronic Communications (specifically Section 155)
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC