Privacy Policy
Entry into force date: 2023.08.20.
Name: Vági & Vági Kft
Registered office: H-1162 Budapest, Irha u. 1.
Company registration number: 01-09-267635
Tax number: 10882630-1-42
Community tax number: HU10882630
1. GENERAL INFORMATION
Purpose of the Privacy Notice:
The primary purpose of this Privacy Notice is to inform the Data Controller about the data protection and data management principles and rules applicable to the personal data of natural persons who come into contact with the Data Controller or use its services.
In drafting the provisions of this Privacy Notice, the Data Controller has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as “Infotv.”) and other relevant legislation.
2. CONCEPTS RELATED TO DATA MANAGEMENT
The definitions of personal data processing are set out in the GDPR. For the sake of transparency and clarity, the Data Controller sets out the most important definitions in this section, taken from the GDPR.
- “personal data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “sensitive data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data and biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons. The processing of these data is prohibited as a general rule.
- “processing” means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “restriction of processing” means the marking of stored personal data for the purpose of restricting their future processing;
- “controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be determined by Union or Member State law;
- “processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
- “recipient” means a natural or legal person, public authority, agency or any other body to whom or with which personal data is disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
- “health record” means any record, register or any other form of information, irrespective of its medium or form, containing medical and personal data brought to the attention of the healthcare provider in the course of treatment;
- “third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- “data subject’s consent” means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act unambiguously expressing consent, his or her agreement to the processing of personal data concerning him or her;
- “enterprise” means any natural or legal person carrying on an economic activity, regardless of its legal form, including partnerships or associations carrying on a regular economic activity.
- “data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- “supervisory authority” means an independent public authority established by a Member State in accordance with Article 51 of the GDPR.
3. PRINCIPLES OF DATA MANAGEMENT
- The processing of personal data must be lawful, fair and transparent for the Data Subject.
- Personal data may only be processed for specified purposes and on specific legal grounds, for the exercise of a right or the performance of an obligation.
- At all stages of processing, the processing must be compatible with the purpose of the processing and the collection and processing of the data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed.
- Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
- The Data Controllers’ processing is accurate and up-to-date. The Data Controllers shall take all reasonable steps to ensure that personal data inaccurate for the purposes of the processing are erased or rectified without undue delay.
- The Data Controllers shall store the personal data in a form which permits identification of Data Subjects only for the time necessary to achieve the purposes for which the personal data are processed, subject to the storage obligations laid down in the applicable legislation.
- Personal data shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures.
The Data Controller is responsible for compliance with the principles described above and must be able to demonstrate such compliance.
4. DATA PROCESSING OPERATIONS
4.1. Data processing related to contacting
4.1.1. Contact via email and online contact form
Purpose of the processing:
Contacting the data subject at his/her request, maintaining contact with him/her and providing information on certain services. The Data Controller uses the data provided by the Data Subject for a specific purpose, only in connection with the data subject’s request or information. Unless otherwise required by law, the disclosure of personal data to third parties shall only be possible with the prior explicit consent of the data subject.
Legal basis for processing:
Voluntary consent of the data subject pursuant to Article 6 (1) (a) GDPR.
The processing takes place on the basis of the data subject’s freely given informed consent, which the data subject gives by sending the request and the data contained therein to the Data Controller to the extent necessary to reply to the request and to carry out the activities contained therein (e.g. providing information).
The data subject gives consent by voluntarily providing the data in question and/or, in the case of a form, by filling it in and ticking the box.
Scope of personal data processed:
- Surname, first name, company name and contact name (for company)
- Address of registered office (in case of company), address, postal address
- E-mail address
- Telephone number
- System information (IP address, system version, resolution, statistics on pages viewed on the website, browsing habits, behaviour patterns)
The Controller does not verify the personal data provided to it. The person providing the data shall be solely responsible for its accuracy.
Duration of processing:
The personal data provided will be processed for the purpose of contacting or maintaining contact:
- until the data subject withdraws his or her consent,
- but for a maximum of one year from the date of the provision of the data.
4.1.2. Contact by phone
Purpose of data processing:
The data subject may also contact the Data Controller by telephone. In this case, the Data Controller will also know the first and last name of the caller and the telephone number. The purpose of the processing is to contact the data subject on the basis of the data subject’s request.
By contacting the data subject by telephone, the controller shall inform the data subject orally of the contact details of this notice and shall inform the caller that the controller may process his or her personal data only if the caller confirms in writing that he or she has read and accepted the contents of this notice.
Legal basis for processing:
Voluntary consent of the data subject pursuant to Article 6 (1) (a) GDPR.
The processing is based on the data subject’s freely given informed consent, which he or she gives by sending the Data Controller the request and the data contained therein, to the extent necessary to reply to the request and to carry out the activities contained therein.
The consent is given by the data subject by voluntarily providing the data in question.
Scope of personal data processed:
- Name
- Phone number
The Controller does not verify the personal data provided to it. The person providing the data shall be solely responsible for its accuracy.
Duration of processing:
The personal data provided will be processed for the purpose of contacting or maintaining contact:
- until the data subject withdraws his or her consent,
- but for a maximum of one year from the date of the provision of the data.
4.2. Data related to online ordering
Purpose of data processing:
It is also possible to order services through the website and to request a free version.
Legal basis for processing:
In case of requesting the free version – voluntary consent of the data subject according to Article 6(1)(a) GDPR;
In relation to the service ordered – Article 6(1)(b) GDPR – performance of a contract.
Scope of personal data processed:
- Name (first and last name);
- E-mail address;
Duration of processing:
The data is stored electronically.
The Data Controller shall process the personal data during the contractual relationship between the Parties and shall delete these data from its records after its performance.
In case of the free version, the data will be deleted immediately after the withdrawal of the Data Subject’s consent.
4.3. Processing of data necessary for the use of the service
Purpose of the processing:
In order to use the service, the data subject must provide the necessary data in the order (and billing) interface (which, after the order, will be the login data required to use the service).
Legal basis for processing:
Performance of a contract for the service ordered – Article 6 (1) (b) GDPR.
Scope of personal data processed:
- Username, which is the same as the email address provided by the Data Subject during the ordering process;
- Password (this is automatically generated, but the user has the possibility to change it).
Duration of processing:
The data is stored electronically.
The Data Controller shall process the personal data during the contractual relationship between the Parties and shall delete these data from its records after its performance.
The User may at any time request the immediate deletion of his/her user account and the personal data stored therein by the Data Controller, which request shall be complied with by the Data Controller immediately upon receipt of the request.
4.4. Technical support
Purpose of the processing:
Technical assistance related to the service ordered by the data subject.
The Data Controller operates a so-called error ticket system through which subscribers can report IT-related errors in writing.
Legal basis for processing:
GDPR Article 6 (1) (b) – performance of a contract.
Scope of personal data processed:
- Name (first and last name);
- E-mail address;
- optionally telephone number;
Duration of processing:
The data is stored electronically.
The Data Controller shall process the personal data during the contractual relationship between the Parties and shall delete these data from its records after its performance.
4.5. Billing-related data management
Purpose of the processing:
Performance of services provided by the Data Controller, collection of payment, invoicing.
Legal basis for processing:
Article 6 (1) (c) GDPR (legal obligation) and Section 169 (e) of Act CXXVII of 2007 on Value Added Tax.
In the absence of the data content required by law for invoicing, the invoicing obligation and thus the processing cannot be fulfilled.
Scope of personal data processed:
- name;
- country/region;
- address (with postcode);
- address;
- e-mail address;
- telephone number;
Duration of processing:
The retention period of the data is 8 years pursuant to Article 169 of Act C of 2000 on Accounting.
4.6. Newsletter, direct marketing
Two types of newsletter may be sent by the Data Controller:
- Technical newsletter – an automatic notification and information letter linked to the subscription. Such a letter may only be sent to persons subscribed to the Data Controller with their prior and explicit consent.
- Promotional newsletter – an informative letter aimed at promoting the services of the Contracting Entity and increasing its visibility. This type of newsletter can be subscribed to both by the Data Subject who has a subscription with the Contracting Authority and by the Data Subject who subscribes to the free service (demo) provided by the Contracting Authority.
Pursuant to Article 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (hereinafter: Advertising Act), the User may expressly consent in advance to the Data Controller as a service provider contacting him/her with advertising offers and other mailings at the contact details provided by the Data Subject. In addition, the Data Subject may, subject to the provisions of this Notice, consent to the processing of personal data by the Controller necessary for the sending of advertising offers.
The Data Controller will not send unsolicited commercial communications and the User may unsubscribe from receiving such communications free of charge, without restriction and without giving any reason. In this case, the Data Controller will delete all personal data necessary for the sending of advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from the newsletters by clicking on the link in the message.
Purpose of the processing:
With regard to the technical newsletter, the purpose of data processing is to inform subscribers about current information related to the service/operation.
The purpose of sending promotional and advertising e-mails is to inform the Data Subject about current information, services and discounts.
Legal basis for processing:
On the basis of Article 6 (1) (a) GDPR – the data subject’s voluntary consent.
The data subject gives his or her freely given, informed and explicit consent by ticking the box.
Personal data processed:
- Name
- Email address
Duration of storage of personal data:
Until the data subject’s consent is withdrawn, which can be done by clicking on the unsubscribe button at the bottom of the newsletter, but for a maximum of one year from the date of subscription.
(In case of unsubscription of a Data Subject who has used the free service provided by the Referrer, his/her access to the demo will also cease.)
Method of storage: electronic.
5. DATA PROCESSING
Hosting provider: Hetzner Online GmbH,
Industriestr. 25, 91710 Gunzenhausen, Germany
VAT Reg. No. DE 812871812
IT partner:
Geza Bene E.V.
Office: 8500 Pápa, Huszár lakótelep 31 B lph. ground floor 1.
Tax number: 56997080-1-39
Registration number: 55712828
Payment by credit card:
Paylike ApS
https://paylike.io/
Company registration number: 36683279
P.O. Pedersens Vej 14
Skejby
8200 Aarhus N
Denmark
Google Inc.: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, additional contact details, mail system, data and file storage in the cloud, online document management, and related services Google Drive, Google Docs, Google Search Console, Google Analytics, Google AdSense, Google AdWords, YouTube, Blogger, Chrome browser support – Google Privacy and Data Protection Principles.
Facebook Ireland Ltd.: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, support for Facebook, Instagram, Messenger and other products and features offered by Facebook – privacy policy and contact details of the Data Protection Officer.
In specific cases, the contract may include additional data processors or companies.
6. RIGHTS OF THE DATA SUBJECT
Rights of the data subject. The data subject may:
- request information about the processing of personal data concerning him or her and access to such personal data,
- request the rectification of personal data concerning him or her,
- request the erasure of personal data concerning him or her,
- request the restriction of the processing of personal data,
- object to the processing of personal data,
- exercise the right to data portability,
- exercise the right to judicial remedy.
The data subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter referred to as “NAIH”) or apply to the competent court as set out at the end of this notice.
7. THE RIGHTS OF DATA SUBJECTS IN RELATION TO DATA PROCESSING
The Data Controller shall ensure that the rights of data subjects are respected as follows.
The Data Controller shall provide the data subject with the opportunity to make a request to exercise his or her data subject rights by any of the following means and contact details set out in this notice: (i) by post, (ii) by e-mail, (iii) by telephone.
- Email: info@simpledesignset.com
- Mailing address: H-1162 Budapest, Irha utca 3.
The controller shall comply with the data subject’s request without undue delay and in any event within 30 days of receipt of the request and shall inform the data subject thereof in a concise, transparent, intelligible and easily accessible form, in clear and plain language. The Data Controller shall also decide on the refusal of the request within that period and shall inform the data subject of the refusal, the reasons for the refusal and the data subject’s remedies in this respect.
The controller shall, as a general rule, comply with the data subject’s request by e-mail, unless the data subject requests otherwise. At the request of the data subject, information may be provided by telephone only if the data subject has provided proof of his or her identity. The controller shall not use the postal address or telephone number of the data subject for any other purpose.
The Data Controller shall not charge any fees or expenses for complying with the requests of the data subjects, as detailed below. However, in the event that a new, unfounded, excessive request for the same data subject is received from the data subject within one year of a previous, already executed request, the Controller reserves the right to charge a reasonable fee for executing the request, proportionate to the workload involved in executing the request, or to refuse to act on the request, in its discretion, giving adequate reasons.
● Right to information and access
The controller shall provide the data subject, at his or her request, with the following information in a concise, transparent, intelligible and easily accessible form, in clear and plain language:
- whether the processing of his or her personal data by the Data Controller is ongoing;
- the name and contact details of the Data Controller;
- the personal data of the data subject processed by the Controller and their source;
- the purposes for which the personal data are processed and the legal basis for the processing;
- the duration of the processing;
- the recipients or categories of recipients to whom or which the personal data have been or will be disclosed;
- the rights of the data subject;
- the circumstances of any personal data breach, its effects and the measures taken to deal with it.
● Right to rectification
The controller shall, at the request of the data subject, correct inaccurate personal data relating to the data subject.
The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the rectification, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the Controller shall inform the data subject of those recipients.
● Right to erasure (“right to be forgotten”)
At the request of the data subject, the Data Controller shall delete personal data relating to the data subject where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject objects to the processing;
- the personal data have been unlawfully processed by the Controller;
- the personal data must be erased in order to comply with a legal obligation under Union or Hungarian law applicable to the Controller.
The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the erasure, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the Controller shall inform the data subject of those recipients.
● Right to restriction of processing
At the request of the data subject, the Data Controller shall restrict the processing if one of the following conditions is met:
- the data subject contests the accuracy of the personal data – in this case, the restriction applies for the period of time that allows the Controller to verify the accuracy of the personal data;
- the processing is unlawful, but the data subject opposes the erasure of the data and instead requests the restriction of their use;
- the Controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims.
The controller shall inform all recipients to whom or with whom the personal data have been disclosed of the restriction, unless this proves impossible or involves a disproportionate effort. At the data subject’s request, the Controller shall inform the data subject of those recipients.
● Right to data portability
The Data Controller shall, at the request of the data subject, make available to the data subject the personal data concerning the data subject which the data subject has provided. The Controller further undertakes that the data subject may transfer such personal data to another controller without being prevented from doing so by the Controller.
● Right to legal redress
If the data subject believes that the Data Controller has infringed his or her right to the protection of personal data in the course of processing, he or she may, in accordance with the applicable legislation, seek redress from the competent authorities, i.e. lodge a complaint with the NAIH (address: H-1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; website: www.naih.hu; e-mail: ugyfelszolgalat@naih.hu; telephone: +36-1/391-1400) or apply to the competent court.
The controller undertakes to cooperate fully with the court concerned or the NAIH in these proceedings, and to disclose the data relating to the processing to the court concerned or the NAIH.
The controller also undertakes to compensate any damage caused by unlawful processing of the personal data of the data subject or by a breach of data security requirements. In case of violation of the data subject’s right to privacy, the data subject may claim damages. The controller shall be exempted from liability where the damage was caused by an unavoidable cause outside the scope of the processing and where the damage or harm caused by the infringement of the personality right results from the intentional or grossly negligent conduct of the data subject.
8. DATA SECURITY MEASURES
The Data Controller shall ensure the security of the data. The Data Controller has taken technical and organisational measures and established procedural rules to ensure that the data recorded, stored and processed are protected and to prevent their destruction, unauthorised use and unauthorised alteration. Furthermore, it calls upon third parties to whom the data concerned have been disclosed to comply with the requirement of data security.
The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons.
The Controller shall make every reasonable effort to ensure that the data are not corrupted or destroyed. The Data Controller shall impose the above commitment on its employees and partners involved in its data processing activities, including data processors acting on behalf of the Data Controller.
9. HANDLING DATA BREACHES
If the Data Controller becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or transmission of personal data transmitted, stored or otherwise processed by it, or of an event or act resulting in unauthorized access to such data (hereinafter collectively referred to as a “data breach”), it shall, in accordance with Articles 33-34 of the GDPR, notify the data protection incident to the competent data protection authority (hereinafter referred to as “DPA”) and inform the data subject or data subjects of the data protection incident where it is likely to result in a high risk to the rights and freedoms of natural persons.
A person who becomes aware of a personal data breach concerning personal data transmitted, stored or otherwise processed by the Controller as described above may notify the Controller using the following contact details:
Via email: info@simpledesignset.com
The notifier must provide, in addition to the subject matter of the data breach, the following information:
- name of the applicant;
- contact details of the notifier: telephone number and/or e-mail address,
- whether the incident concerns the software and, if so, which part or which service.
The Data Controller shall, within 1 working day at the latest, if it considers the incident to be serious, investigate the notification without delay and, if necessary, request further data from the notifier. Within 72 hours of the notification of the incident, the Data Controller shall provide the NAIH with the data.
The data reporting shall include the following:
- the nature of the personal data breach, including the categories and approximate number of data subjects affected by the breach;
- the name and contact details of the contact person who can provide further information;
- the likely consequences of the data breach;
- the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
If the personal data breach requires further investigation, the Data Controller will take the necessary steps to assess the actual and potential impact of the personal data breach during the investigation, with the involvement of appropriate experts. A report shall be prepared by the experts called upon. The report shall include a proposal for the security measures necessary to remedy the personal data breach.
The Data Controller shall decide on the measures to be taken.
The controller shall, where it considers that the data breach is likely to result in a high risk to the rights and freedoms of natural persons, inform the data subject of the data breach without undue delay.
In the notification, the controller shall clearly and prominently describe the nature of the personal data breach, highlighting the following:
- the name and contact details of the contact person who can provide further information;
- the likely consequences of the data breach;
- the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
The controller shall not inform the data subject if:
- it has implemented appropriate technical and organisational protection measures and applied these measures to the data affected by the personal data breach, in particular measures such as the use of encryption to make the data unintelligible to persons not authorised to access the personal data;
- it has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- the provision of information would require a disproportionate effort, i.e. the data subjects are so numerous that the Data Controller could only provide the information referred to above at disproportionate expense. In such a case, the Data Controller shall arrange for appropriate information to be made public.
10. RECORDS OF DATA PROTECTION INCIDENTS
The Data Controller shall keep a record of the personal data breach.
The following shall be recorded in the register:
- the scope of the personal data concerned,
- the scope and number of data subjects affected by the personal data breach,
- the date of the personal data breach,
- the circumstances of the personal data breach, its effects,
- the measures taken to remedy the personal data breach,
- other data specified in the legislation providing for the processing.
The Data Controller is obliged to keep the data on data protection incidents in the register for 5 years in the case of an incident involving personal data and for 20 years in the case of an incident involving sensitive data.
11. RIGHT TO LEGAL REDRESS
For any questions or comments regarding data management, please contact the Data Controller using one of the contact details provided in this notice.
Furthermore, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Office: H-1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
Webpage: www.naih.hu
E-mail: ugyfelszolgalat@naih.hu
In the event of a breach of the data subject’s rights, the Data Controller may take legal action against the data subject. The court shall rule on the case out of turn. The Data Controller shall prove that the processing complies with the law. The tribunal shall have jurisdiction to rule on the case. The action may also be brought before the courts for the place where the plaintiff, i.e. the data subject, is domiciled or resident.
The Data Controller undertakes to cooperate fully with the court or the NAIH concerned in these proceedings and to disclose to the court or the NAIH concerned the data relating to the processing.
The controller also undertakes to compensate the damage caused by unlawful processing of the personal data of the data subject or by the breach of data security requirements. In case of violation of the data subject’s right to privacy, the data subject may claim damages. The controller shall be exempted from liability where the damage was caused by an unavoidable cause outside the scope of the processing and where the damage or harm caused by the infringement of the personality right results from the intentional or grossly negligent conduct of the data subject.
The controller reserves the right to amend this notice at any time.