1. General provisions
We process personal data in the course of our business activities. In all cases, we ensure the lawfulness, accuracy and transparency of the processing of personal data. The purpose of this Notice is to provide data subjects with adequate information about the purposes, conditions and safeguards for which, and for how long, our company processes their personal data before they provide it.
Our company will abide by the terms of this Notice in all cases involving the processing of personal data, and we consider ourselves bound by the terms of this Notice. However, we reserve the right to make changes to the information in this Notice, provided that the data subjects are duly informed.
Our data processing activities are governed by Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter: GDPR) and in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Information Act”).
Our company details and contact information are as follows:
2. The Service Provider
- Name of service provider: Droposal Kft.
- Registered address: Labanc street 29. a. building. ground floor 2., Budapest 1021, Hungary
- Tax number: HU29318588
- Company registration number: 01-09-386947
- Date of registration: 06/24/2021
- Email: firstname.lastname@example.org
Detailed information about our individual data processing practices is set out below.
3. Processing of data of users registered in the application
Purpose of processing: to ensure the complete use of the service.
Legal basis for processing: prior consent of data subjects.
Personal data processed: name, email, encrypted password, profile picture.
Duration of processing: from registration until the deletion of the user's profile, i.e. until the withdrawal of consent.
Possible consequences of not providing data: Providing the data is voluntary, no contract will be concluded with our company if you fail to do so.
4. Data processing in relation to the newsletter
Purpose of the processing: to provide regular information to data subjects about products and services.
Legal basis for processing: prior consent of the data subjects.
Scope of personal data processed: email address.
Duration of processing: 5 years from registration or until the withdrawal of prior consent.
Use of a data processor: our company uses the services of a data processor to provide the newsletter service as follows.
Possible consequences of not providing data: The provision of data is voluntary, in the absence of which the data subject will not receive information about our company's products and services by newsletter.
5. Other data processing
Information about data processing not listed in this Notice is provided at the time of collection. We inform our customers that authorities, public authorities, courts may contact our Company for the purpose of disclosing personal data. Our Company will only disclose personal data to such organisations, if the organisation concerned has indicated the purpose and scope of the data request, in the amount and to the extent strictly necessary for the purpose of the request, and if the fulfilment of the request is required by law.
6. Social media sites of the controller
The data controller also operates a Facebook page, where personal data are also processed. The data controller also promotes its activities, its website and the application it develops on Facebook, and describes its services. This site is used by the data controller for marketing purposes.
The controller also provides comprehensive personal support through Facebook. If you send a question via Facebook, the controller will try to reply as soon as possible. It will only use the information you provide on the Facebook page to answer your question and not for any other promotional purposes.
The purpose of using the Facebook page is to advertise and provide information on social media. Facebook may also use the data for its own purposes, including profiling and targeting the data subject with advertising.
In order to contact the controller via Facebook, you must be logged in. Facebook may also request, store and process personal data for this purpose. The controller has no control over the type, scope and processing of such data and does not receive personal data from the Facebook operator. For more information on this, please visit our Facebook page.
The personal data of Facebook page followers are processed by the data controller on the basis of their consent (Article 6 (1) (a) of the General Data Protection Regulation), which is deemed to be given by the fact that the person concerned likes, follows or comments on the page and its posts.
The data controller is also present on the Instagram social media site with the following profile:
Personal data of followers is processed on the Instagram page. The processing takes place on the basis of consent given by following the site (Article 6(1)(a) of the General Data Protection Regulation).
The data controller is also present on the LinkedIn social media site with the following profile:
On LinkedIn, personal data of followers is processed. The processing takes place on the basis of consent given by following the site (Article 6(1)(a) of the General Data Protection Regulation).
7. DATA PROCESSORS CONNECTED TO THE CONTROLLER
Where the processing is carried out on behalf of the controller, the controller may only use processors that offer adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects.
The data controller hereby declares that in the course of its work, it will only deal with data processors that have adequate guarantees of compliance with the GDPR and that they implement appropriate technical and organisational measures to ensure the protection of the rights of data subjects.
By reading and acknowledging this Privacy Notice, data subjects accept that the controller transfers their personal data to the processors and joint controllers listed below.
The company that hosts the website of the data controller is also a data processor:
- Rackforest Kft. (1132 Budapest, Victor Hugo utca 18-22. 3. em. 3008., Tax number: 14671858-2-41)
Additional data processor in connection with the sending of newsletters:
- The Rocket Science Group LLC d/b/a Mailchimp (675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA)
The developer of the website and the app is also a data processor:
- Inflex Studio Kft. (1051 Budapest, Hercegprímás utca 18. attic, Tax number 24757902-2-41)
Data processor due to the use of Google Analytics, Google Firebase service used by the controller's website:
- Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland)
Hotjar, the data processor used by the data controller to use the web analytics service:
- Hotjar Ltd. (Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta, Europe)
Intercom, which is employed by the data controller and is a data processor due to its customer service instant messaging service:
- Intercom Inc. (2nd Floor, Stephen Court, 18-21 Saint Stephen's Green, Dublin 2)
The CRM system used by the data controller, which is used for sales and customer tracking due to data processing:
Data processor and joint data controller partner for the use of Facebook and Instagram:
- Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
Data processor and joint data controller partner due to the use of LinkedIn sites:
- Linkedin (Sunnyvale (HQ), CA United States, 1000 W Maude Ave)
When storing data in a cloud-based online database, the service provider is considered a data processor:
- Google LLC (1600 Amphitheatre Parkway Mountain View, CA 94043)
The data controller may transmit users' personal data (email address) to service providers registered on the website or application platform operated by the data controller for marketing purposes.
The contracted data processor and data controller partners will process the personal data of partners only on the basis of instructions given by the data controller (except where required by law) and under an obligation of confidentiality.
8. HOW PERSONAL DATA ARE STORED, THE SECURITY OF PROCESSING
Our Company's computer systems and other data storage locations are operated by RACKFOREST KFT. (Address: 1132 Budapest, Victor Hugo u. 18-22. Tax number: 14671858-2-41) and can be found on the data processing servers. Our Company selects and operates the IT tools used to process personal data in the course of providing the service in such a way that the data processed:
a) are accessible for authorised persons (availability);
b) their authenticity and verification is assured (authenticity of processing);
c) their integrity can be verified (data integrity);
d) are protected against unauthorised access (data confidentiality).
We take particular care to ensure data security, and we take the technical and organisational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, we take appropriate measures to protect the data against unauthorised access, alteration, transfer, disclosure, deletion or destruction, accidental destruction, damage and loss of accessibility due to changes in the technology used.
Our company’s and our contracted partners' IT systems and networks are protected against computer fraud, computer viruses, computer intrusions and denial of service attacks. The operator will ensure security at both server and application level through security procedures. In order to avoid data breaches, our company takes all possible measures, and in the event of such an incident, we will take immediate action to minimise the risks and prevent damage.
9. DATA SUBJECTS' RIGHTS, REMEDIES
Rights of the data subject: the data subject (the person whose personal data is processed by our company)
- may request access to personal data concerning him or her,
- may request that they be corrected,
- may request their deletion,
- may request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and for no other purpose beyond that period), if the conditions set out in Article 18 of the GDPR are met,
- may object to the processing of personal data,
- may exercise their right to data portability. Under the latter right, the data subject has the right to receive personal data concerning him or her in Word or Excel format and the right to have these data transmitted to another controller at his or her request.
Other information on data processing: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, loss of a file containing personal data, unauthorised access).
Right to information:
Our Company will provide all information and any particulars concerning the processing of personal data to data subjects, upon their request, in a concise, transparent, intelligible and easily accessible form, in clearly understandable and plain language.
The right to information may be exercised in writing, using the contact details provided in point 1. Upon request, the data subject may be provided with information orally, after proof of his or her identity. We inform our customers that if our company's employees have doubts about the identity of the data subject, we may request the information necessary to confirm the identity of the data subject.
The right of access of the data subject:
The data subject has the right to receive feedback from the controller on whether his or her personal data are being processed. If personal data are being processed, the data subject has the right to access the personal data.
Right of rectification:
Under this right, any person may request the rectification of inaccurate personal data relating to him or her processed by our company and the completion of incomplete data.
Right to erasure:
The data subject shall have the right to have personal data relating to him or her erased without undue delay at his or her request if one of the following grounds applies:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) unlawful processing of personal data can be established;
e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data were collected in connection with the provision of information society services.
The deletion of data may not be initiated if the processing is necessary for compliance with an obligation under Union or Member State law to which the controller is subject, to which the processing of personal data is subject, or for the establishment, exercise or defence of legal claims.
Right to restriction of processing:
At the request of the data subject, we restrict processing if:
a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the accuracy of the personal data to be verified;
b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
If the processing is restricted, personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person. The data subject shall be informed in advance of the lifting of the restriction on processing.
Right to data transfer:
The data subject has the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and to transfer these data to another controller. Our company can fulfil such a request in Word or Excel format.
Right to object:
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for such purposes.
Right of withdrawal:
The data subject has the right to withdraw his or her consent to the processing at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent prior to its withdrawal.
Rules of procedure:
The controller shall, without undue delay and in any event within one month of receipt of the request, inform the data subject, free of charge, of the action taken on the basis of the request. If necessary, taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months. The data controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request.
If the data subject has made the request by electronic means, the information will be provided by electronic means unless the data subject requests otherwise.
Right to apply to the courts and data protection authority procedure:
The data subject may take the controller to court if his or her rights are infringed. The court is acting out of turn in the case.
You can lodge a complaint with the National Authority for Data Protection and Freedom of Information. Address of the authority: 1055 Budapest, Falk Miksa utca 9-11., mailing address: 1363 Budapest, Pf.: 9.
Budapest, 10 October 2022