Privacy Policy

CUKOVY Europe Kft.

Site and webshop: www.cukovy.com

 

Effective from: May 10th, 2021.

Table of Contents

  1. Overview

Who processes my personal data?

What is my ‘personal data’?

Okay, but what is processing?

Data Controller of the personal data entered or provided by you in any way

Data Processors of the Data Controller

What does this notice do for me?

What are the basic principles of data management?

  2. Data Types and Purposes

How do I find out what my data is used for?

On what legal basis can you request personal data from me?

     1. Consent - Article 6 (a) of the GDPR
     2. Performance of the contract (in which one of the parties involved is the Data Subject) - Article 6 (b) of the GDPR
     3. Legal obligation to be fulfilled by the Data Controller - Article 6 (c) of the GDPR
     4. Legitimate interest of data controllers - Article 6 (f) of the GDPR

  3. Rights of the data subject

What are the rights I can exercise?

Where can I enforce my rights?

  4. Data Collection on the Site and Cookies

Do they use cookies on the Site?

How do I set cookies?

  5. Social media

How is my personal data handled in relation to social media sites?

  6. Children

Are there any provisions related to age restrictions?

  7. Security management and measures

What privacy policies are in force in the operation of Data Controller?

What steps are being taken to ensure security?

To whom is my personal data transferred?

  8. Miscellaneous

Collection of special data

Profiling and Automated Decision Making

  9. Changes

 

 

1. Overview

Who processes my personal data?

What is my ‘personal data’?

Personal data includes information which can directly or indirectly identify the data subject (you).

 

Okay, but what is processing?

According to the European Data Protection Regulation (GDPR), ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In a nutshell: using your personal data.

Your data is used by a Data Controller and its Data Processors who are service providers of the Data Controller.

Learn more about this at https://www.eugdpr.org/glossary-of-terms.html

 

Who is the Data Controller in this case?

A Data Controller is the one who determines what data is collected, with which tools, and for what purposes.

Data Controller of the personal data entered or provided by you in any way

 

Data Controller’s name: Cukovy Europe Kft. (hereinafter referred to as ‘CUKOVY’ or ‘Merchant’ or ‘Data Controller’)

Headquarters and mailing address: 1012 Budapest, Lovas út 17.a 2.

Company registration number: Cg. 01-09-353537

Tax number: 27314739-2-41

Website: www.cukovy.com

Email address: info@cukovy.com

Represented by: Lívia Tálosi

 

Data Processors of the Data Controller

 

Data Processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller (Article 4 (8) of the GDPR).

 

The use of a Data Processor does not require the prior consent of the data subject (you) but requires the Data Controller to provide information about them.  Accordingly, we provide the following information:

IT services (Website operation and hosting services)

In order to maintain and manage its website, the Data Controller uses Data Processors who provide the IT services and, within the framework of our contract with them, manage the personal data provided on the Site, and manage the storage of personal data on its servers.

Our partner in this is Shopify.

 

COMPANY NAME: Shopify Inc., Shopify Commerce Singapore PTE. LTD., Shopify International Ltd. (collectively ‘Shopify’)

ADDRESS: 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland, VAT number IE 3347697KH

 

This means that the data we are collecting from you is processed and stored by the systems of Shopify. Shopify provides important information about how this data is managed.

Please read carefully the following terms:

 

  1. Shopify’s Privacy Policy for Customers (who buy the products of the Merchant (CUKOVY))

Available here: https://www.shopify.com/legal/privacy/customers

You can find a detailed explanation on what personal data is processed by Shopify and for what reason.

Shopify claims that they will never use your personal information to independently market or advertise to you, unless you are using one of their services directly (not in relation to CUKOVY’s Site).

 

  2. Shopify’s Data Processing Addendum (for E.U. Customers)

Available here: https://www.shopify.com/legal/dpa

If you are a citizen of the E.U., you must understand and accept the following:

“Where a Data Subject is located in the European Economic Area, that Data Subject’s Personal Data will be processed by Shopify’s Irish affiliate, Shopify International Ltd. As part of providing the Services, this Personal Data may be transferred to other regions, including to Canada and the United States. Such transfers will be completed in compliance with relevant Data Protection Legislation.” (Copied from the Data Processing Addendum of Shopify)

 

Payment services

 

Your payment is processed by a third party service provider. As a final step of the order process, you will be navigated to the payment interface operated by the service provider. CUKOVY has no access to credit/debit card data.  

 

COMPANY NAME: Stripe Payments Europe, Ltd.

ADDRESS: C/O A&L Goodbody, Ifsc, North Wall Quay Dublin 1., Dublin 1, Dublin, Ireland

 

Billing services

 

Once your payment is successful, CUKOVY will issue an invoice about your purchase. The invoice is automatically generated and sent to you by the service provider named below.

 

COMPANY NAME: Billingo Technologies Zrt.

ADDRESS: 1133 Budapest, Árbóc utca 6. III. emelet

 

Shipping services

 

Your order will be delivered by one of the delivery companies named below. Data Controller has sole discretion in choosing the shipping partner for your order.

 

COMPANY NAME: DHL GoGreen Solutions by Deutsche Post AG

ADDRESS: Charles-de-Gaulle-Straße 20, 53113 Bonn, Germany

COMPANY NAME: DPD Hungária Kft.

ADDRESS: 1134 Budapest, Váci út 33., A épület II. emelet, Magyarország

COMPANY NAME: General Logistics Systems B.V.

ADDRESS: Breguetlaan 28-30, 1438 BC Oude Meer, The Netherlands

COMPANY NAME: TNT Express Hungary Kft.

ADDRESS: 1185 Budapest II. Logisztikai központ - Irodaépület, BUD Nemzetközi Repülőtér 283. épület

What does this notice do for me?

 

Our primary goal is to make sure we offer protection for our visitors and travellers. We pay particular attention to making sure we guarantee the rights of the services we provide to everyone without discrimination of any kind. We want to make sure that we give you your right to privacy when handling personal data in any way.

 

The Info Act (Act CXII of 2011 on informational self-determination and freedom of information) and the European General Data Protection Regulation (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter referred to as "GDPR"), which came into force on May 25th, 2018, also necessitate adequate information for stakeholders.

What are the basic principles of data management?

(Please see a detailed description of the basic principles we are following when processing your data in Appendix 1.)

 

2. Data Types and Purposes

How do I find out what my data is used for?

 

Each time we collect data, it is done with a predefined purpose. We ensure that information is requested in a transparent manner. Your consent will be asked based on this. If you have any further questions, please contact us at one of the contact details above.

On what legal basis can you request personal data from me?

 

First of all, what is a ‘legal basis’?

It means the lawfulness of the processing. Data Controller must be able to prove that it was authorized and allowed to collect the data because at least one of the below mentioned legal basis options existed at the moment of collection (please see a detailed description of the legal basis in Appendix 2):

 

1. Consent - Article 6 (a) of the GDPR

2. Performance of the contract (in which one of the parties involved is the Data Subject) - Article 6 (b) of the GDPR

3. Legal obligation to be fulfilled by the Data Controller - Article 6 (c) of the GDPR

4. Legitimate interest of data controllers - Article 6 (f) of the GDPR

 

Please note: the above list and information is for information only and is not a substitute for a detailed reading and understanding of the GDPR. If you have any questions, please feel free to contact us at one of the contact details above.

 

The following overview shows all the possible cases where we may ask for your data. Each case lists:

  • Data Subject(s) and data management operation: what are you doing, and when?
  • Purpose: why do we need your data?
  • Data types: what is the data we are collecting?
  • Legal basis: on what basis are we allowed to collect your data?
  • Duration: until when can we retain your data?
  • Addressees: who will have access to your data?

Account creation at our Site
Data Subject(s): Anyone who creates an individual account at www.cukovy.com
Purpose: Identification, offering special promotions, easier order finalisation
Data types: Name, email address, password
Legal basis: Your Consent (GDPR Art. 6. (1) a))
Duration: Until withdrawal of your consent (you delete your account)
Addressees: CEO, Employees, Data Processors

Order management – order placement, delivery of the order, contact for questions
Data Subject(s): All Customers
Purpose: Providing the service, creation of the contract, determination of its content, modification, monitoring of its fulfilment, invoicing of the resulting fees and enforcement of related claims
Data types: Surname, First name, email address, phone number, shipping address, billing address, company name, company tax number, IP address
Legal basis: Your Consent and Fulfilling our Agreement (GDPR Art. 6. (1) a), b))
Duration: Pursuant to Section 169 (2) of Act C of 2000 on Accounting, this data must be kept for 8 years, in the case of an IP address for 5 years
Addressees: CEO, Employees, Data Processors

Payment
Data Subject(s): All Customers
Purpose: Fraud monitoring, enabling online payments, confirming transactions
Data types: Data Processor does not process personal or bank card data.
Legal basis: Your Consent and Fulfilling our Agreement (GDPR Art. 6. (1) a), b))
Duration: Pursuant to Section 169 (2) of Act C of 2000 on Accounting, this data must be kept for 8 years, in the case of an IP address for 5 years
Addressees: CEO, Employees, Data Processors

Invoicing
Data Subject(s): All Customers
Purpose: Invoicing of the resulting fees and enforcement of related claims
Data types: Surname, First name, email address, phone number, billing address, company name, company tax number, IP address
Legal basis: Your Consent and Fulfilling our Agreement (GDPR Art. 6. (1) a), b))
Duration: Pursuant to Section 169 (2) of Act C of 2000 on Accounting, this data must be kept for 8 years
Addressees: CEO, Employees, Data Processors

Requesting more info through our web page
Data Subject(s): Anyone who gets in contact with us
Purpose: Establish and keep contact
Data types: Name, email, phone number, date of sending message, IP address
Legal basis: Your Consent (GDPR Art. 6. (1) a))
Duration: Until withdrawal of your consent
Addressees: CEO, Employees, Involved data processors

Subscription to newsletter and/or to any other direct marketing reach out
Data Subject(s): Anyone who subscribes
Purpose: Identification, enablement of newsletter subscription, marketing
Data types: Name, email address, date and time of submitting request, IP address
Legal basis: Your Consent (GDPR Art. 6. (1) a))
Duration: Until withdrawal of your consent
Addressees: CEO, Employees, Involved data processors

You contact us through social media platforms
Data Subject(s): Anyone who gets in contact with us or likes our page
Purpose: Establish and keep contact
Data types: Name, social media ID
Legal basis: Your Consent (GDPR Art. 6. (1) a))
Duration: Until withdrawal of your consent (consent is given through social media)
Addressees: CEO, Employees

Sweepstakes on social media platforms
Data Subject(s): Anyone who participates
Purpose: Enablement of sweepstakes, publishing the name of the winner
Data types: Name, email address, phone number, social media ID
Legal basis: Your Consent (GDPR Art. 6. (1) a))
Duration: The data will be deleted after the closing of the sweepstakes, except for the data of the winner, which the Data Controller is obliged to keep for 8 years according to the Accounting Act.
Addressees: CEO, Employees, Involved data processors

Technical operations related to website visits
Data Subject(s): Any visitor
Purpose: Identify users and track visitors
Data types: Date and time of visit, IP address
Legal basis: Your Consent (GDPR Art. 6. (1) a))
Duration: The duration of data management in the case of session cookies is until the end of the visit to the websites, while in other cases it is a maximum of 2 years
Addressees: CEO, Employees, Involved data processors

Data management related to consumer protection rights and complaint handling
Data Subject(s): Consumers
Purpose: Handling complaints
Data types: Name, email address, phone number, content of complaint
Legal basis: Your Consent and our Legitimate Interest (GDPR Art. 6. (1) a), c))
Duration: 5 years
Addressees: CEO, Employees

Data management related to the verifiability of consent
Data Subject(s): Anyone who gave consent
Purpose: The system stores the IT data related to the consent for later verification
Data types: Date of consent given and IP address
Legal basis: Our Legitimate Interest (GDPR Art. 6. (1) c))
Duration: Due to legal requirements, the consent must be verifiable later; therefore the data will be stored for the limitation period after the termination of data processing.
Addressees: CEO, Employees, Involved data processors

  

If we ever wish to use your personal data for any purpose other than the original request, we will talk to you first.

3. Rights of the data subject

What are the rights I can exercise?

Right of prior information

Before requesting data, we make sure to give you accurate information on the purpose of the data collection, how the data is processed, and who can access it.

 

On our Site, we visibly display an outline that highlights what we will use personal information for.

 

Right of withdrawal of consent

You are entitled to withdraw your consent for us to manage your data at any time.

 

If you no longer wish to receive news from the Data Controller, you can unsubscribe at any time by clicking on the ‘Unsubscribe’ button at the bottom of the newsletter. If you do not wish to receive more emails from us in addition to our response, you can easily notify us by replying to our last email.

 

Right of access

Data subjects have the right to know what personal information a given organization holds about them and how the organization manages it, and to inquire at any time about what information is kept by the organization.

 

Through our contacts you can send this request to Data Controller.

 

Right to data portability

The data subject shall have the right to receive the personal data that the Data Controller holds and, if technically possible, to request that the data be forwarded to another data controller.

 

Through our contacts you can send this request to Data Controller.

 

Right to rectification

The data subject may request that the Data Controller correct inaccurate information without undue delay.

 

Through our contacts you can send this request to Data Controller.

 

The right to restriction of processing

The data subject has the right to request that the Data Controller stops processing his/her data if:

  • the data subject disputes the accuracy of the personal data
  • the data handling is illegal, and the data subject is opposed to the deletion of the data
  • the data controller no longer needs personal data, but the data subject requires them to enforce legal claims

 

Through our contacts you can send this request to Data Controller.

 

Right to object

The data subject has the right to object to the processing of his or her personal data for reasons relating to his or her personal situation if the data is processed in the interest of the Data Controller or in the exercise of its public authority.

Through our contacts you can send this request to Data Controller.

Right to erasure

The user has the right to request that the Data Controller delete personal data without delay if:

  • personal data is no longer needed for the purpose for which it was collected
  • the data subject withdraws the consent given to the Data Controller and Data Controller does not have any other legal grounds for data processing
  • the data subject objects to the processing of his/her data because there was no prior legitimate reason for data handling
  • the personal data was unlawfully processed

 

Deletion means hard delete.

Through our contacts you can send this request to Data Controller.

Right to be forgotten

If the Data Controller has disclosed personal data and is obliged to delete it for some reason, he informs other data controllers that the person concerned has made such a request. The other data controller is typically a search engine operator who has access to handle the personal data if requested.

 

However, the Data Controller does not disclose any personal information.

 

Right to complain

Through our contacts you can send this request to Data Controller.

Where can I enforce my rights?

 

Data Controller seeks to maximize your rights and prioritize any questions or requests about our data management practices.

Data protection issues are dealt with by the Hungarian National Data Protection and Information Freedom Authority, based on paragraph 22 of the GDPR definition.

Hungarian National Data Protection and Information Freedom Authority:

Postal address: 1530 Budapest, Pf.: 5.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

URL: http://naih.hu

4. Data Collection on the Site and Cookies

The Data Controller collects data about the visitor during the use of the Site.

The purpose of data management is to improve the usability of the website and collection of information for statistical purposes which are performed by the Data Controller. The following data is collected:

  • the Internet Protocol (IP) address of the device used to visit the Website,
  • domain name (URL),
  • depending on the device settings, the type of browser used.

The data management is based on the Visitor's consent. The data processing lasts until the withdrawal of the consent or, failing that, for three years from the visit.

The Data Controller shall not pass on or make available the Visitor's data to third parties, with the exception of the necessary Data Processor (Shopify).

The Data Controller does not transfer the data to third country data controllers, data processors or international organizations.

Do they use cookies on the Site?

A cookie is a file that, when you visit a website, is placed on the data subject’s computer and contains information about the website (for example, the display or management settings); cookies are stored there in a separate directory. There are several types of cookies, and data subjects can choose not to allow them to be saved to the computer in part, in full or at all. If you do not allow cookies to be downloaded at all, you may not be able to display certain websites or use certain personalized services. Once a cookie has been saved to your computer, it can only be read by the website that created it.

The duration of cookies is a maximum of 2 years. This retention period will not be extended by the site again during your visit.

Cookies may be placed on terminal servers with your consent. An information panel informs you of the use of cookies on arrival to the website. You can accept the placement of cookies by clicking on the 'Accept cookies' information link.

Acceptance and authorization of the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. Although most browsers automatically accept cookies by default, they can usually be changed to prevent automatic acceptance and offer a choice each time.

 

Scope of personal data managed:

  • the IP address used by the visitor,
  • browser type,
  • date of visit,
  • the (sub) page, function or service you are visiting,
  • clicks.

Types of cookies used by the Data Controller:

The purpose of the cookies used by the Data Controller is to enable the Data Controller to compile statistics on the usage habits of the Website and the characteristics of the Visitor, in an individually unidentifiable form, and to assist the Data Controller in providing a higher level of user experience to the visitors of the website.

 

Google Analytics

Google Analytics is a performance tracking cookie. Such cookies collect information about the user's behavior, time spent and clicks within the visited website. Learn more about Google Analytics cookies at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

 

Google Ads

The purpose of Google Ads is to track ad sales and other conversions. Learn more about Google Ads cookies here: https://developers.google.com/adwords/api/docs/guides/start

 

Facebook pixel

We use the Facebook Pixel cookie to track the conversion of ads running on Facebook. Facebook Pixel is a piece of code that, placed in the source code of the Data Controller's website, gives Facebook the opportunity to track the activities of data subjects.

 

Cookie acceptance cookie

Upon arrival at the site, you accept the cookie storage statement in the warning window. Duration: 365 days.

 

Session cookie

These cookies store the visitor's location and the language of the browser; they last until the browser is closed, or for up to 2 hours.

How do I set cookies?

The "Help" feature in the menu bar of most browsers provides information about the following:

  • how to disable cookies,
  • how to accept new cookies,
  • how to instruct your browser to set a new cookie, or
  • how to turn off other cookies.

 

The consent of the Data Subject shall not be required if the sole purpose of the use of cookies is the transmission of communications over an electronic communications network, or if it is absolutely necessary for the service provider to provide an information society service specifically requested by the subscriber or user.

Does Shopify use cookies, as well?

 

Yes. Please learn more about it here: https://www.shopify.com/legal/cookies

5. Social media

How is my personal data handled in relation to social media sites?

 

Page on Facebook

 

The Data Controller is available on Facebook, LinkedIn and the Instagram social media portal. The purpose of the presence on social media and the related data management is to share and publish the content of the website on the social site, i.e. the marketing of the Data Controller.

 

Pages are user accounts that can be created by individuals or businesses. To this end, the creator of the Page, after registering on Facebook, can use the interface developed by Facebook to present themselves to the users of this social site and the visitors of the Page. Administrators of Pages can access anonymous traffic statistics for these sites using a tool called Facebook Insights, which is provided to them by Facebook free of charge and under non-modifiable terms of use. The user ID, which can be associated with the login details of a user registered on Facebook, is collected and managed at the moment the Pages are opened.

 

The Data Controller does not manage the registration data, however, as the administrator of the Page, he may manage the personal data shared on the Page and the personal data of users who like or otherwise contact the Data Controller in relation with the connection. Accordingly, the conditions for data management are as follows:

 

  • Purpose of data management: The Data Controller collects and publishes user personal data on the Page in order to contact them.
  • Legal basis for data processing: your consent (deemed to have been given by the fact of contact)
  • Data Subjects: natural persons who voluntarily follow, share, like and value the Data Controller's social pages or the content that appears on them.
  • Scope of personal data managed: name (identification), e-mail (contact), action (response)

  • Method of data management: electronically, automatically.
  • Duration of data processing: until cancelled at the request of the Data Subject.

 

The Data Subject may evaluate the Data Controller in text and number if this is permitted by the social networking site.

The Data Subject may receive information on the data management of the given social networking site.

Is automated decision-making or profiling happening? No.

The Data Controller draws attention to the fact that the organization operating the given social site as a data controller may perform profiling or other automated data management, but in this case the data controller will be the organization operating the social site.

 

Sweepstakes through social media (Page)

 

The Data Controller periodically conducts sweepstakes on social media platforms; these sweepstakes do not fall under Act XXXIV of 1991. Participants in the game can find out the details and conditions of the sweepstakes before participating in the game. The names of the winners of the game are published by the Data Controller on the same social media interface. However, the Data Controller informs the participants in the game that the winners of the game will be contacted by employees acting on behalf of the Data Controller through their own social media profile, given that it is technically not possible to send a message from the Page on first contact.

  • The purpose of data management: to collect and publish users' personal data in order to conduct sweepstakes
  • Legal basis for data management: your consent (which is considered to have been given by participating in the game, with the application of this Privacy Policy)
  • Data Subjects: natural persons who voluntarily follow, share, like, rate and participate in the game on the controller's social networking sites or the content that appears on them
  • Scope of personal data managed: name, social media ID, winner's address, email address, telephone number, tax number
  • Method of data management: electronically, automatically.
  • Duration of data management: until deleted at the request of the Data Subject, except for the data of the winner, which the Data Controller is obliged to keep for 8 years under the Accounting Act.

6. Children

Are there any provisions related to age restrictions?

Yes. The applied age restrictions are the ones in the Civil Code of Hungary. You must be at least 18 years old.

Nevertheless, we are not obliged to confirm this by requesting any official document.

7. Security management and measures

 

Data Controller ensures that the processing of personal data is in accordance with the rights, interests and data protection regulations of those concerned. Data protection is supported by the following technical actions and regulations:

What privacy policies are in force in the operation of Data Controller?

 

  • Data registers, in line with the regulations
  • Internal data protection and data management rules, with a clear definition of accessibility
  • Processes to define the steps to be taken whenever a security or data protection incident occurs

What steps are being taken to ensure security?

 

The Data Controller and the Data Processor(s) shall take appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of the processing and the varying likelihood and severity of the risk to individuals' rights and freedoms, to guarantee a level of security appropriate to the degree of risk, including, inter alia, where appropriate:

 

  • anonymization and encryption of personal data;
  • ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
  • in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
  • a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures taken to ensure the security of data processing.

 

  1. The following are applied:

  • Privacy trainings
  • Backup copies
  • Password protected wifi
  • Document Shredder
  • Firewall
  • Username and password protected laptops
  • Lockable file cabinet
  • Mobile devices protected with password or biometric identification
  • Antivirus
  • Audit
  • Data storage only available for defined user groups

  2. Transfer of data outside the EU: The controller does not transfer personal data directly or indirectly to a third country outside the EU. However, Shopify may transfer your personal data to Canada or the United States.

  3. Physical server: The Data Controller stores the managed personal data (back-up and development systems) on a server located in the European Union on its behalf and also via a Data Processor.

To whom is my personal data transferred?

 

Data transfer within the Company

 

The transfer of data within the Company can only take place in compliance with the general data protection principles, in particular the purpose limitation principle.

 

Transfer of data to third parties

 

The transfer of partners' data may only take place in accordance with the legislation in force in order to fulfil the contracts with them or to the competent authorities and courts. Data Controller may only transfer personal data to a service provider with a contractual relationship (including an accountant, payroll accountant) or to an authority (including the tax authority and employment authority) or a court in order to fulfil or enforce obligations arising from an employment or other employment relationship.

Data Controller will not share your data with service providers who are not among the Data Processor list described above.

 

Transfer of data to a third country or international organization

 

The Data Controller does not transfer data to a third country or international organization. The transfer of personal data abroad can only take place in a way that does not compromise the level of protection guaranteed to natural persons in the General Data Protection Regulation.

 

Security incidents

Data Controller maintains a policy and procedure for information security and privacy incidents that include initial response, investigation, notification and/or public disclosure. These guidelines are regularly reviewed and tested annually.

In the event of information security and/or privacy incidents, we will immediately notify the affected users, together with appropriate security measures, and will notify the competent authority without delay and, if possible, no later than 72 hours after the privacy incident has come to our attention. Our procedure is in line with our GDPR obligations and industry standards. We are committed to constantly informing you about issues that are relevant to the security of your account and to providing you with all the information you need.

8. Miscellaneous

Collection of special data

In the course of its activities, the Data Controller shall not collect or process data relating to natural persons which would fall into a special category of personal data under the General Data Protection Regulation, unless the legal regulations in force expressly allow it.

Profiling and Automated Decision Making

The Data Controller does not perform automated collection and evaluation of personal data (web profiling) and automated decision-making related to this data.

9. Changes

The Data Controller may amend the Privacy Policy unilaterally but will notify the users. Any modification is valid only if it complies with applicable legislation.

 

Appendix 1.

 

Legality: The legal basis for handling data is explicit and well-founded

Fairness and Transparency: There is sufficient amount of information that can be easily understood and accessible regarding data management

Purpose limitation: Data management is exclusively for the purposes defined and communicated in advance

Data efficiency: Only the data required and relevant are requested during data processing

Accuracy: Managed data is up to date

Limited storage: Data management is only done for the duration of its purpose

Integrity and confidentiality: The technical and organizational measures used in data management provide a high level of security

Accountability: The Data Controller procedure is aligned with the national and international standards

 

Appendix 2.

 

  1. Consent - Article 6 (a) of the GDPR

- voluntary, informed, revocable, without prejudice to the lawfulness of previous data processing

- consent is given on paper; it also constitutes consent if the data subject ticks the appropriate box when viewing the Data Controller's website, makes technical adjustments when using the information society services, or makes any other statement or action which clearly indicates in the context the Data Subject's consent to the intended processing of his or her personal data. Silence, a pre-ticked box, or inaction do not therefore constitute consent

- if the data processing serves several purposes at the same time, the consent must be given for all data processing purposes

- if the Data Subject gives his / her consent in the form of a written statement that also applies to other matters, e.g.: conclusion of a sales or service contract - the request for consent must be made in a manner that is clearly distinguishable from these other matters

- if the personal data has been collected with the consent of the Data Subject, the Data Controller may, unless otherwise provided by law, process the collected data without further separate consent and after the withdrawal of the Data Subject's consent.

 

  2. Performance of the contract (in which one of the parties involved is the Data Subject) - Article 6 (b) GDPR

- Data processing is necessary for the performance of a contract in which the Data Subject is one of the parties or to take steps at the request of the Data Subject prior to the conclusion of the contract.

 

  3. Legal obligation to be fulfilled by the Data Controller - Article 6 (c) GDPR

- In the case of data management based on a legal obligation, the provisions of the underlying legislation apply to the range of data that can be processed, the purpose of data processing, the duration of data storage and the recipients.

- Data processing based on the fulfilment of a legal obligation is independent of the Data Subject's consent, as data processing is defined by law.

 

  4. Legitimate interest of data controllers - GDPR Article 6 (f)

- The legitimate interest of the Data Controller or a third party may create a legal basis for the processing, provided that the Data Subject's interests, fundamental rights and freedoms do not take precedence over the legitimate interest of the Data Controller (or third party). expectations.