Privacy Policy
DATA MANAGEMENT NOTIFICATION
(hereinafter referred to as “Notification” or “Data Protection Notification”)
1. Fundamental Provisions
1.1. Background
The new data protection regulation No. 2016/679 of the European Union (General Data Protection Regulation, GDPR, hereinafter referred to as “Regulation” or “GDPR”) became directly applicable in Europe. According to the Regulation, the Company is considered as data controller, i.e. the Regulation is applicable in respect of the personal data managed by the Company as well.
1.2 The purpose of the Notification
The purpose of the Notification is to establish the data protection and data management provisions and principles followed and applied by, and applicable to:
Company: SA2E Hungary Kft.
Headquarters: Hungary – 1053 Budapest – Magyar utca 52. fszt. 5.
Telephone number: +36 30 248 9323
Email address: info@pizzaforiu.com
VAT number: 27485596-2-41 / HU27485596
Registration number: 01-09-391963
Contact: Cirella Simone
(hereinafter referred to as “Data Controller” or “Company”), as well as the data protection and data management policy of the company.
1.3 Laws
In the course of determining the content of the Notification, in addition to the Regulation in particular, the Company also took into consideration the provisions of Act CXII of 2011 on the Right to Informational Self-determination and the Freedom of Information (“Privacy Act”), Act V of 2013 on the Civil Code (Civil Code), and Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising Activity (Business Advertising Act).
1.4 Scope
The scope of the present Data Management Notification covers the data managements related to the website available at:
pizzaforiu.com
(hereinafter referred to as “Website”) and data managements related to the commercial activity of the Company.
Unless there is notification to the contrary, the scope of the Notification shall not extend to those services and data managements which are related to the promotions, prize games, services and other campaigns of, or to the content published by, those third parties who advertise on the Website or appear on it in any other manner.
Unless there is notification to the contrary, the scope of the Notification shall not extend to the services and data managements of those websites or service providers to which any reference to be found on the Websites leads. The scope of the Notification shall not extend to the data managements of those persons (organizations, companies) from whose notification, newsletter or advertisement letter the Data Subject had become aware of the Website.
1.5. The amendment of the Notification
1.5.1. The Company reserves the right to amend the Notification through its unilateral consent.
1.5.2. By entering the Website the Data Subject accepts the prevailing effective provisions of the Notification, and unless otherwise provided by the Notification, further consent of the Data Subject is not required.
2. Definitions
The concepts used in the Data Management Notification shall have the following meaning:
2.1. Data Management: Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.2. Data Controller: Any natural or legal person, public authority, service or other entity that determines the purposes and means of the management of personal data individually or jointly with other parties.
2.3. Personal Data or data: means any information relating to an identified or identifiable natural person (“data subject”).
2.4. Data Processor: means a natural or legal person, public authority, agency or service provider which manages personal data on behalf of the Data Controller.
2.5. Data subject: means a natural person who provides his/her personal data or whose personal data are provided to the Company.
2.6. External service provider: means those third-party service provider partners employed – either directly or indirectly – by the Data Controller or the operator of the Website related to the provisions of the certain services, to which Personal Data are or may be transmitted in order to provide their services or which transmit Personal Data to the Company. In addition, external service providers shall include those service providers as well which are cooperating neither with the Company, nor the operators of the services, however, since they have access to the Website, they collect data from the Data Subjects, which either individually or linked with other data may be suitable for identifying the Data Subject. In course of the provision of hosting services, the Company considers the Data Subject as External service provider as well, in respect of the data management activity pursued on the hosting service used by the Data Subject.
2.7. Notification: the present data management notification of the Company.
3. The Data Controller and its activity
Company: SA2E Hungary Kft.
Headquarters: Hungary – 1053 Budapest – Magyar utca 52. fszt. 5.
Telephone number: +36 30 248 9323
Email address: info@pizzaforiu.com
VAT number: 27485596-2-41
Registration number: 01-09-391963
Data protection officer: Pursuant to the Regulation, the Company is not obliged to appoint a data protection officer
Position of the data protection officer: –
4. The fundamental principles of data management
4.1. Lawfulness, fairness
The data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Company manages only those data specified by law or provided by the Data Subject or the employers/principals/clients thereof, for the following purposes. The scope of the Personal Data managed is proportional to the purpose of the data management and shall not reach beyond it.
4.2 Accuracy
The data shall be necessary and relevant in respect of the purpose of the data management, as well as shall be accurate and up-to-date, if necessary.
4.3. Purpose limitation
In any case where the Company intends to use the Personal Data for any purpose other than that of the original data collection, the Company shall notify the Data Subject thereof, shall obtain the prior express consent of the Data Subject for such purpose, and shall provide the Data Subject with the opportunity to prohibit the use.
4.4. Compliance
The Company does not verify the Personal Data provided to it. Only the person providing the Personal Data shall be responsible for the compliance of the Personal Data.
4.5 Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are managed.
4.6. Protection of the data of persons below the age of 16
The Personal Data of persons below the age of 16 may be managed only subject to the consent of the person of age who exercises parental control of such person. The Company cannot verify the right of the person giving consent or the content of the statement of such person, therefore the Data Subject or the person exercising parental control over the Data Subject shall warrant that the consent is compliant with the laws. In the absence of statement of consent, the Company does not collect Personal Data related to data subjects below the age of 16.
4.7. Save for the Data Processors and External service providers specified in the Notification, the Company does not provide the Personal Data to any third party.
Data shall be processed in a manner that ensures their appropriate security through taking the appropriate technical and/or organizational measures.
Exception to the provision of the present section is the use of the data in statistically summarized form, which shall not include any other data suitable for identifying the Data Subject in any form.
In certain cases – official judicial, police request, legal procedure due to infringement of copyright, financial right or any other right, or due to the reasonable suspicion of the above, the infringement of the interests of the Company, jeopardizing the provision of the service, etc. – the Company may disclose the available Personal Data of the Data Subject to third parties.
4.8. The Data Subject, as well as all those parties to whom the Company had transmitted the Personal Data for the purpose of Data Management shall be notified by the Company of the correction, restriction and deletion of the Personal Data. The notification may be omitted if considering the purpose of the Data Management, such omission does not damage the legitimate interest of the Data Subject.
4.9. Pursuant to the Regulation, the Company is not obliged to appoint a data protection officer, since the Company is not considered a public authority or public service provider, the activities of the Company do not involve any operation which requires the regular and systematic monitoring of Data Subjects on a large scale, and the Company does not manage sensitive data or personal data relating to decisions regarding criminal convictions and offences.
5. The legal basis of the data management
5.1 Article 6 of the GDPR established the cases in which the personal data of the Data Subjects may be managed:
a) the data subject has given consent to processing of his or her personal data for one or more specific purposes;
b) the data management is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into such contract;
c) the data management is necessary for compliance with a legal obligation to which the Data Controller is subject;
d) the data management is necessary in order to protect the vital interests of the data subject or of another natural person;
e) the data management is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
f) the data management is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
5.2. Considering the nature of the activity of the Company, the legal basis of the data management is primarily the freely given, express, informed consent of the Data Subject (Point a) Subsection (1) Section 5 of the Privacy Act), the above Article 5.1 (b) and Article 5.1 (c) of the Regulation in course of the preparation of any contractual obligation between the Company and the Data Subject or the employee/principal/client thereof, or after the conclusion of such obligation. In respect of the areas subject to video surveillance, the above Article 5.1 (d) of the Regulation. The Data Subject establishes contact with the Company in course of completing any task for his/her employer/principal/client voluntarily, or Data Subject registers voluntarily, or uses the service of the Company voluntarily. In the absence of the consent of the Data Subjects, the Company shall manage data only if unambiguously authorized by law.
5.3 If the data management is based on consent, then the data controller shall at all times be able to verify that the data subject had granted his/her consent to the management of his/her personal data.
5.4. The data subject shall have the right to withdraw his or her consent at any time in respect of all data management the legal basis of which is the above Article 5.1 (a) of the Regulation. The withdrawal of the consent does not prejudice the lawfulness of the data management based on consent and the data management according to the above Article 5.1 (b) and/or (c) and/or Article 5.1 (d) of the Regulation before the withdrawal.
5.5. Data Transfer to the Data Processors specified in the Notification may be carried out without the separate consent of the Data Subject. Unless otherwise provided by law, the personal data may be provided to third parties or authorities exclusively based on final and enforceable administrative decision, or based on the prior express consent of the Data Subject.
5.6. For the purpose of asset security, surveillance cameras are operated in the rooms open to clients operated by the Company, as well as in the storage facilities. The legal basis of this is Article 6 (1) (d) of the Regulation.
5.7. Upon entry to certain websites, the IP address of the User is recorded by the Data Controller without the separate consent of the User, related to the provision of the service, considering the legitimate interest of the Data Controller and due to the lawful provision of the service (e.g. in order to filter unauthorized use or unlawful contents).
5.8. Upon providing his/her e-mail address and the data provided in course of the registration (e.g. username, identifier, password, etc.) the User simultaneously undertakes responsibility for the services being used exclusively by User through the e-mail address provided or with the use of the data provided by User. Considering this undertaking of liability, any and all responsibility in connection with entries with any e-mail address and/or data provided shall be borne exclusively by that User who had such e-mail address registered and who had provided such data.
6. Purposes of data management
The data shall be managed lawfully, fairly and in a transparent manner in relation to the Data Subject. The Company aims at managing only those personal data which are essential to realize the purpose of the data management and which are suitable for achieving the purpose. Personal Data shall be managed to the extent and for the duration necessary for the realization of the purpose.
The primary purpose of the data management is the operation of the Website, provision of the services of Data Controller, the establishment and performance of its commercial and contractual relations.
In accordance with the above, the purposes of the data management are the following:
– identification of the Data Subject, maintaining contact with Data Subject;
– preparation of the contract concluded in course of the purchase made on the Website, the fulfilment of the contractual obligations by Data Controller, the enforcement of the rights of the Data Controller;
– the provisions of brief, transparent, comprehensible and easily accessible information to Data Subject;
– the conclusion and fulfilment of the legal transactions within the scope of activity of the Company, between the Company and the Data Subject;
– in case of use of services subject to payment of fees, the collection of the fees, invoicing;
– fulfilment of the obligations to be fulfilled by Data Controller, exercising the rights to which Data Controller is entitled;
– preparation of analyses, statistics, the development of the services; for this purpose, the Data Controller uses only anonymized data and summaries unsuitable for personal identification;
– subject to the specific consent of the Data Subject, advertising, research;
– protection of the interests of the Data Subject.
7. The source of the data
The Company manages exclusively those Personal Data which had been provided by the Data Subjects or the legal entities using the service (work) of the Data Subjects in order to prepare/fulfil the transaction; the Company does not collect data from any other source.
The data are provided in course of the registration of the Data Subject. In course of the registration, the Data Subject provides his/her name, e-mail address and password.
If the Data Subject registers to any promotion organized by the Data Controller, and the Data Subject provides his/her data, then the Data Subject grants his/her consent to the management of his/her personal data in accordance with notification of the promotion concerned. In this case, the Data Controller manages only those data which had been provided in course of the promotion.
8. The scope of the data managed
The Company manages the personal data provided in accordance with Section 8 exclusively. The data managed are the following; the data managed by the Company may be classified into the following groups based on the purpose of the data management:
– Data necessary for the registration.
In the framework of the registration necessary for the purchase on the Website, the Data Subject allows purchases from the webshop by providing his/her family name, first name, e-mail address, password, telephone number and club membership number.
– Data provided in course of communications of marketing purpose.
In course of the communications of marketing purpose carried out by the Company, the Data Subject provides his/her name, e-mail address, telephone number and address. The legal basis of the data management is the consent of the Data Subject, the primary purpose of the data management is maintaining contact for marketing purposes, and sending information, newsletter or direct marketing under Subsection (1) Section 6 of Act XLVIII of 2008.
– Data related to participation in professional training.
The legal basis of the data management is the consent of the Data Subject, the primary purpose of the data management is the provision of information, and the performance of contract.
– Data of suppliers.
In course of the business cooperation with its suppliers of the Company, in case of data management, the Data Subject or the employer/principal/client of the Data Subject provides the name, e-mail address and telephone number of the Data Subject. The legal basis of the data management is performance of contract and the fulfilment of legal obligations.
– Data provided in course of public opinion surveys.
In course of the public opinion surveys carried out by the Company, the data provided by the Data Subject will be managed, recorded and used later. The Company is entitled to manage such data under Point e) Section 9(2) of the GDPR.
– Documents uploaded.
The Data Subject may or in certain cases is obliged to upload pictures of certain personal documents. The Company recommends that the personal data not necessary for the above legal transaction of the parties and not requested by the Company shall be deleted from such documents (in accordance with Section 10 below). If the Data Subject publishes any picture of a document containing personal data as well, then the legal basis of the data management is the consent of the Data Subject. In respect of photographs, the purpose of the data management is the provision of the services of the Website.
– Invoicing data.
If the Data Subject performs consideration to the Company, then the Company manages the data related to the payment and the invoicing (payment method, the data of the means of payment, the name, address and tax number of the buyer in case of invoicing). The legal basis of the data management is partly the consent of the Data Subject, and partly the laws relevant to taxation and accounting. The purpose of the data management is invoicing and the collection of the fees.
– The data, documents provided in course of authentication.
The Data Subjects may, or in the cases specified by the Company are obliged to authenticate themselves, as specified in Section 11 below. The documents are managed in accordance with Section 11 below. The purpose of the data management is verifying the personal identity of the Data Subject.
In addition to the above, the Company manages the technical data – including the IP address – in accordance with the provisions of Section 13.
9. The description of the data management process
The source of the data is the Data Subject or any legal entity in employment/agency/works legal relationship with the Data Subject, who provides the data (i) in course of a possible registration and/or (ii) in course of the preparation or conclusion of the legal transaction and/or (iii) in course of making the statement related to the newsletter or the direct marketing under Subsection (1) Section 6 of Act XLVIII of 2008.
It is mandatory to provide the data indicated in the registration form, except if the contrary thereof is expressly indicated therein.
The Data Subject provides the data individually, the Company does not provide any mandatory guideline in this regard and specifies no content requirements. The Data Subject grants his/her express consent to the management of the data provided. The Data Subject may provide further data in his/her profile in addition to the data required by the Company, and the legal basis of managing the data shall be the voluntary consent of the Data Subject in this case as well.
If the Data Subject registers to any promotion organized by the Company (e.g. on Facebook), and if the Data Subject provides his/her data requested there, then the Data Subject accepts the data management notification related to the promotion concerned. In this case, the Data Subject does not register on the Website by providing the data; however, the Data Subject gives his/her consent to his/her data being managed in accordance with the provisions of the notification of the promotion.
10. Data management related to documents
It is an option on the Website, that in case of mandatory notification on the Website, the Data Subject is obliged to provide his/her personal documents to the Company in the interest of facilitating the conclusion of the legal transaction between the parties.
The Data Subject – unless it is stipulated as mandatory by the Company – has the opportunity to publish the documents with the deletion of the personal data. If the Data Subject does not delete the data, then the Data Subject gives his/her consent to the publication of the data in case of disclosure.
If the Company does not require the disclosure of the documents with personal data, and it provides opportunity to delete the data, then the Company shall not be liable for any possible disclosure.
11. Authentication
The purpose of the authentication process is to allow the Company to affirm the authenticity of the person of the Data Subject. The Company verifies whether the Data Subject indicating intention to conclude a contract is actually a natural person. After the verification, the Company deletes the photos and data from the Website; however, the Company stores those in another place of storage until the legal basis of the data management ceases. The purpose of the data management is the authentication of the Data Subjects, as well as the conclusion of the legal transaction, and after the conclusion thereof, facilitating the lawful fulfilment thereof.
12. Data management for advertisement purposes, sending newsletters
If the Data Subject grants his/her consent, then the Company may maintain contact with the Data Subject through the contact information provided, and may send advertisements to Data Subject with the method of direct marketing. The advertisements may be sent via mail, telephone (including SMS) or e-mail (including Messenger as well); the condition of this in all cases is the consent of the Data Subject. The Data Subject may withdraw his/her consent any time, without justification.