DATA PROTECTION STATEMENT AND PRIVACY POLICY
Please click here to download!
DATA PROTECTION STATEMENT AND Privacy POLICY
As of the 30th of September 2022
1. The Controller
|
Name: |
EDELHOLZ Faipari Kft. |
|
Seat: |
9900 Körmend, Gárdonyi Géza u. 19., Hungary |
|
Tax number: |
13514417-4-18 |
|
Group tax number: |
17782799-5-20 |
|
Trade register number: |
18 09 106815 |
|
E-mail: |
info@edelholz.hu |
|
Phone number: |
06 92 571028 |
|
Website: |
https://edelholz.hu/ |
2. Data protection statement
This Data Protection Statement and Privacy Policy (hereinafter referred to as: the Privacy Policy) contains information on data protection regarding data processing in connection with the website www.edelholz.hu of EDELHOLZ Faipari Kft. (hereinafter referred to as: the Controller).
When using our website, you provide us with your personal data. We shall process such data with utmost care and in compliance with the legal regulations, and try to serve your claims and expectations regarding data processing. When processing data, we always exercise due diligence and protect the data from unauthorised access. This is a priority to us.
The most important legal regulations regarding our data processing activities:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR, hereinafter referred to as: the Regulation)
- Act CXII of 2011 on the right to informational self-determination and on the freedom of information (Privacy Act)
- Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity
This Policy aims at providing information to persons using our services or visiting our website on their rights and obligations concerning data transfer, processing, and data protection; on the data we process, the principles, methods, purposes, legal basis and period of processing.
3. Definitions
personal data means any information relating to an identified or identifiable natural person;
Data subject: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
transfers of personal data: disclosing personal data to a specified third party. Transfers to EEA Member States or to bodies of the European Union shall be considered as transfers within the territory of Hungary;
data erasure: making the data unrecognisable by deletion of content or by any other means that enables an equivalent result;
third country: Not EEA countries;
NAIH: Hungarian National Authority for Data Protection and Freedom of Information.
4. Principles relating to processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
As Controller, we are responsible for compliance with these principles (‘accountability’).
5. Processed data
5.1 Communication
Data subjects: representative of the natural/legal person contacting the controller in order to communicate
The purposes of the processing: sending reply, communication
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point a) of Article 6 (1) Consent |
Until consent is withdrawn |
|
e-mail address |
||
|
phone number |
Processing:
If you have provided us with your contacts via e-mail or phone before or during entering into a contract, we shall use your contact information to communicate with you or to provide services.
Providing such data is optional, however, we will not be able to communicate with you unless you provide us with the data. You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
The data above may be transferred to our partner, Woodcorner Faműves és Kereskedelmi Kft.
5.2 Request for offer
Data subjects: every natural person who requests an offer through our website or is presented in such a request as a representative or contact person on behalf of a party (company) asking for an offer.
The purposes of the processing: presenting an offer, entering into a contract
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point a) of Article 6 (1) (consent) when a natural person requests the offer
GDPR point f) of Article 6 (1) (the Controller’s legitimate interest) – when a legal person requests the offer |
In the event of failure to enter into a contract, the data acquired before entering into a contract shall be deleted within 60 days. In the event of entering into contract, the Controller shall retain the data for five years after the termination of the contract. |
|
e-mail address |
||
|
phone number |
||
|
address |
Processing:
We use and process personal data received in the request for offer throughout the duration of any contractual relationship with the data subject, that is, for submitting the proposal, entering and performing the contract, personal identification of the data subject, and relationship management purpose. We ask for your address so that our subject matter expert or associate responsible for the region can get in touch with you.
When the person making the inquiry is a legal person and we receive the personal data of that legal person’s employees, usually to enable communication, we process such data on the basis of legitimate interest. Pursuing the legitimate interest of the parties shall override the employee’s right to have control of his or her personal data, as the restriction is necessary and proportionate for the employee to perform his or her job (NAIH/2018/2570/2/V). We have performed a balancing test regarding legitimate interest and the results show that processing is lawful.
The Data Subject may object to processing (see 8.8 for more details).
Providing the data is optional in both cases, however, it is necessary to acquire personal data suitable for identification and communication in order to make an offer, enter into contract or agreement.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.3 Making an appointment
Data subjects: every natural person who makes an appointment through our website.
The purposes of the processing: to organise the meeting.
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point a) of Article 6 (1) (consent)
|
Such data are retained by Hubspot as processor. We shall further retain such data only where offers/contracts/invoices are made. |
|
e-mail address |
||
|
phone number |
Processing:
You may make an appointment through our website to meet our colleague in person in our showroom. When making an appointment we are asking for your data necessary for communication.
Providing the data is optional, however, it is necessary for us to know your personal data suitable for identification and communication in order to make an appointment.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
Hubspot Inc. participates in processing as processor. The data above may be transferred to our partner, Woodcorner Faműves és Kereskedelmi Kft.
5.4 Subscribing to newsletter
Data subjects: natural persons who subscribe to our newsletter.
The purposes of the processing: sending newsletter
|
Type of data |
Legal basis |
Retention period |
|
e-mail address |
GDPR point a) of Article 6 (1) (consent) |
Until the withdrawal of consent |
|
name |
||
|
phone number |
||
|
postal code |
||
|
city |
||
|
areas of interest |
Processing:
When visiting our website you may subscribe to our newsletter, which we shall later use to inform our subscribers on what’s new, our special offers and other news. You may subscribe upon your first visit in a pop-up window or at any time later in the Download catalogue menu.
Providing such data is optional, however, we cannot send the newsletter to the Data Subject without such data.
The Data Subject may withdraw consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
Hubspot Inc. participates in processing as processor. The data above may be transferred to our partner, Woodcorner Faműves és Kereskedelmi Kft.
5.5 Social media
When the user decides to like or follow the Controller’s social media site, the Controller may also acquire the following data of the user: profile name, profile’s URL, profile identifier, profile picture, address stated, gender, birthday, introduction. In relation to the personal data provided by the visitors on social media sites, it is the operator of the Social Media site who is considered the Controller, and the operator’s terms on data protection and services shall apply.
5.6 Cookies
Our website (https://edelholz.hu/) uses cookies to improve your user experience, and to help us understand better how you use our website.
Upon your first visit to our website, we offer you detailed information and configuration options for the cookies we use.
5.6.1 The purpose of cookies
- to collect data on visitors and their devices;
- to remember the visitor’s preferences, such as language;
- to make the website easier to use;
- to provide quality user experience.
In order to tailor the services to the user’s needs, a small data package, called cookie is placed on the visitor’s computer, and the cookie is sent back upon later visits. If the browser sends back a cookie previously saved, the provider processing the cookie may connect the visitor’s current visit to earlier visits, but exclusively in relation to its own contents.
5.6.2 Strictly necessary, session cookies
These cookies ensure that visitors can fully browse edelholz.hu without any problems, use the website’s functions and services. Such cookies last for a session (browsing) and are deleted automatically from the computer or other devices you use to browse as soon as you close your browser.
Purposes: to store the user’s status during browsing the website.
5.6.3 Third-party cookies (statistics and marketing)
These cookies use the data to improve the website and the user experience. These cookies too are set in the browser on the visitor’s computer or other device used for browsing until they expire or the visitor deletes them. Personal data are not transferred to the third party.
5.6.4 Rejecting cookies
You may delete cookies set by edelholz.hu or a third party on your device using your browser. Please refer to your browser’s Help menu for detailed instructions. You may also use your browser to block cookies or request reminders every time your browser receives new cookies. Blocking cookies may technically interfere with your use of the website.
5.7 Video surveillance
Data subjects: persons entering the cameras’ field of view.
The purposes of the processing: protection of property, surveillance of large areas for security reasons (damages caused by fire, storm etc.), protecting life and health.
|
Type of data |
Legal basis |
Retention period |
|
Image of the data subject |
GDPR point f) of Article 6 (1) (legitimate interest)
|
Seven days |
Processing:
The images of persons entering the Controller’s premises are registered in the electronic surveillance system used.
The surveillance system is operated by a processor (security service provider).
In the event of security check, data may be transferred to the competent law enforcement bodies.
The provisions regarding video surveillance are contained in a separate surveillance policy.
We have performed a balancing test regarding necessity and proportionality of data processing and the results show that processing is lawful.
The Data Subject may object to processing (see 8.8 for more details).
5.8 Invoicing process
Data subjects: private person customers.
The purposes of the processing: handling of the accounting documents as per the Act on Accounting.
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point c) of Article 6 (1) (compliance with a legal obligation)
|
Eight plus one years after the termination of the contractual relationship |
|
home address |
Processing:
When issued for private persons, the accounting documents may contain personal data. We retain such documents in accordance with the provisions of the Act on Accounting.
The relevant legal regulations state that it is compulsory to provide the personal data. The invoice is not valid otherwise.
In the event of an audit, the data shall be disclosed to the competent authorities (the National Tax and Customs Administration).
5.9 Shipping
Data subjects: the natural person, or the representative of the legal person entering into contract with the Controller.
The purposes of the processing: delivery.
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point a) of Article 6 (1) (consent)
|
Five years after the termination of the contractual relationship |
|
phone number |
||
|
shipping address |
Processing:
For shipping the orders, we use the personal data provided. When a third party shipping service provider is responsible for shipping, we disclose the data necessary for shipping to them.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.10 Production list
Data subjects: the natural person, or the representative of the legal person entering into contract with the Controller.
The purposes of the processing: to organise production, reorders.
|
Type of data |
Legal basis |
Retention period |
|
Client name, identification codes (production numbers), information regarding orders licence plate number date and time of entry/exit |
GDPR point a) of Article 6 (1) (consent)
|
10 years |
Processing:
We process the data provided when placing the order in a production list as well. We refer to the list for information regarding orders and production, which may be necessary to fulfil future reorders.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
5.11 Placing an order
Data subjects: the natural person, or the representative of the legal person entering into contract with the Controller.
The purposes of the processing: presenting an offer, entering into a contract
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point a) of Article 6 (1) (consent) when a natural person requests the offer
GDPR point f) of Article 6 (1) (the Controller’s legitimate interest) – when a legal person requests the offer |
Five years after the termination of the contractual relationship. |
|
e-mail address |
||
|
phone number |
||
|
address |
||
|
invoicing data |
Processing:
We use and process personal data received with the order, provided by the client, throughout the duration of the contractual relationship, exclusively for the purposes of fulfilling the order, identification, and communication.
When the person placing the order is a legal person and we receive the personal data of that legal person’s employees, usually to enable communication, we process such data on the basis of legitimate interest. Pursuing the legitimate interest of the parties shall override the employee’s right to have control of his or her personal data, as the restriction is necessary and proportionate for the employee to perform his or her job (NAIH/2018/2570/2/V). We have performed a balancing test regarding legitimate interest and the results show that processing is lawful.
The Data Subject may object to processing (see 8.8 for more details).
Providing the data is optional in such cases; however, it is necessary to acquire personal data suitable for identification and communication in order to enter into contract or agreement.
You may withdraw your consent at any time without giving reasons, but such withdrawal shall not affect processing based on consent before the withdrawal.
In some cases we will disclose the data to the photographer we work with for taking photos for reference, and to our partner assisting with the preparation, installation and finishing of our products. We shall request a separate consent every time for disclosing the data.
5.12 Entry and exit control
Data subjects: natural persons visiting the Controller’s premises
The purposes of the processing: protection of property.
|
Type of data |
Legal basis |
Retention period |
|
name |
GDPR point f) of Article 6 (1) (legitimate interest pursued by the Controller) |
The controller shall not retain such data. If necessary, the controller may access the data retained by the processor, the Security Service Provider. |
|
licence plate number |
||
|
date and time of entry/exit |
Processing:
The processor, the security service provider registers the data of every person arriving to and leaving our premises.
We have performed a balancing test regarding legitimate interest and the results show that processing is lawful.
The Data Subject may object to processing (see 8.8 for more details).
5.13 Client database
Data subjects: every natural person who requests an offer through our website or is presented in such a request as a representative or contact person on behalf of a party (company) asking for an offer.
The purposes of the processing: to manage the order and production process.
|
Type of data |
Legal basis |
Retention period |
|
client visits, notes, order status |
GDPR point f) of Article 6 (1) (legitimate interest pursued by the Controller)
|
In the event of entering into contract, the data shall be retained for five years after the termination of the contractual relationship. In the event of not entering into contract, the retention period shall be three years after the date of the offer. |
Processing:
We continuously keep track of the client’s order status in order to optimise the order and production process.
We have performed a balancing test regarding legitimate interest and the results show that processing is lawful.
The Data Subject may object to processing (see 8.8 for more details).
5.14 In some cases, we transfer the data to the photographer cooperating with us for reference photography, as well as to our partner involved in the implementation. We always ask for separate consent for the transfer of data.
Data subjects: the natural person, or the representative of the legal person entering into contract with the Controller.
The purposes of the processing: Organization of the production, post-orders.
|
Type of data |
Legal basis |
Retention period |
|
Customer name, identifiers (production serial numbers), order related information, license plate number entry/exit time |
GDPR point a) of Article 6 (1) (consent) |
10 years |
Processing:
The data given during the order are also processed in a production list. From the list, information related to the order and production can be retrieved, which may be necessary to fulfill subsequent reorders.
You can withdraw your consent at any time without giving reasons, but this does not affect the previous data processing based on consent.
5.15 Access to download centre
Data subjects: natural persons who registered to the download centre
The purposes of the processing: Sharing of content.
|
Type of data |
Legal basis |
Retention period |
|
Name |
GDPR point c) of Article 6 (Fulfilment of legal obligations) |
10 years |
|
E-mail address |
||
|
Name of company |
||
|
Headquarters (or place of residence) |
||
|
Profession |
||
|
Password |
Processing:
On our website, it is possible to access downloadable professional content. Access is subject to registration. We use the data requested during registration to create and manage the account. The provision of data is not mandatory, but the provision of personal data suitable for identification and contact is a condition for the creation and use of the account. You can withdraw your consent at any time without giving any reason, but this does not affect the previous data processing based on consent.
6. Data security
We are ensuring appropriate level of security concerning the personal data processed by implementing technical and organisational measures and developing processes.
We are protecting the data against access by unauthorised persons, modification, transferring, disclosing, deleting or destruction, accidental destruction and damages, and becoming inaccessible due to changes in the technology used.
Only associates of ours who need to access personal data to perform their tasks are allowed to gain access.
In order to ensure data security
- we assess and take into consideration all possible risks when designing and operating our information technology system and try to continuously reduce such risks;
- we monitor upcoming threats and vulnerability (e.g. computer viruses, computer intruders, denial-of-service attacks etc.) in order to be able to react and avoid or prevent them;
- we protect both IT devices and information stored on paper against unauthorised physical access and environmental effects/impacts (e.g. water, fire, electric overvoltage);
- we monitor our information technology system to discover possible problems and events;
- it is our priority to choose providers involved in operation based on their reliability.
7. Data transfer and disclosure
We transfer or disclose the personal data of natural persons using our services or website only to our partners and processors stated below and in section 5, and to authorities upon request.
We always make written agreements containing the details of data processing with the partners and processors involved in our data processing activities.
We do not transfer data to a third country or international organisations.
We work with the following data processors:
- MORGENS Design Kft. – hosting service provider
- Hubspot Inc. – making appointments, newsletter, client database
- Nextcloud GmbH – cloud storage, file sharing interface (Hauptmannsreute 44A 70192 Stuttgart, Germany, HRB 227086 (AG Munich), +49 711 25 24 28 90)
- HolistiCRM Kft. – marketing (1182 Budapest, Tarkő utca 62., Trade register number: 01 09 200582, Tax number: 25115486-2-43)
- Patent Védelem Security Kft. – protection of property (9024 Győr, Mécs L. u. 7., Trade register number: 08-09-030367, Tax number: 26540575-2-08)
- Grád Kft. – preparation, installation and finishing (2600 Vác, Quell Rudolf utca 7., Trade register number: 13 09 177783, Tax number: 11359494-2-13
- SZALAI Fafeldolgozó és Kereskedelmi Kft. – production (8900 Zalaegerszeg, Hegyközség u. 2., Trade register number: 20 09 063139, Tax number :11359425-4-20)
- SMART Informatika Kft. – system administrator: (8900 Zalaegerszeg, Berzsenyi utca 9, Trade register number: 20-09-070966, Tax number: 22954282-2-20)
- Zalaware – Corporate management systen (Zalaware Informatikai Rendszerház Kft., 8900 Zalaegerszeg, Rákóczi u 2-4., Trade register number:20 09 071807, Tax number :23443558-2-20)
- Woodcorner Faműves és Kereskedelmi Kft. – associate partner, showroom(6725 Szeged, Szentháromság utca 49., Trade register number: 06-09-026045, Tax number:27949362-2-06)
8. The rights of data subjects
8.1 Right to information
The data subject shall have the right to receive information prior to processing of personal data in a transparent, intelligible, clear and easily accessible form in writing from the Controller. The Controller shall provide the information latest when personal data are obtained.
Where the Controller intends to process the personal data for a purpose other than that for which they were collected, the Controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.
8.2 Right of access
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
8.3 Right to rectification
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.4 Right to erasure (’right to be forgotten’)
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which processing is based, and where there is no other legal ground for the processing;
c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
f) the personal data have been collected in relation to the offer of information society services.
Where the Controller has made the personal data public and is obliged pursuant to the points above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the data subject has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.
The points stated above shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims .
8.5 Right to restriction of processing
The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the data subject.
When processing has been restricted in accordance with the points above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
8.6 Right to notification regarding rectification or erasure of personal data or restriction of processing
The data subject has the right to request from the Controller information about the recipients to whom the personal data have been disclosed. The Controller shall be obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
8.7 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Exercising the data subject’s right to data portability shall not adversely affect the rights and freedoms of others. Should that be the case, the Controller shall comply with the right of the data subject to data portability without disclosing the personal data supported by that fact, while informing the subject in details.
8.8 Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, or for the purposes of the legitimate interest pursued by the Controller or by a third party, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
8.9 Automated decision-making, profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
In the cases referred to in points a) and c), the data Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
8.10 Right to communication of a personal data breach to the data subject
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject.
8.11 The data subject’s right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.
Supervisory authority of Hungary as Member State:
Nemzeti Adatvédelmi és Információszabadság Hatóság [Hungarian National Authority for Data Protection and Freedom of Information] (postal address: 1363 Budapest, Pf. 9., seat: 1055 Budapest, Falk Miksa utca 9-11., website: www.naih.hu, phone number: 06-1-391-1400, e-mail address: ugyfelszolgalat@naih.hu).
8.12 Right to an effective judicial remedy against a supervisory authority
Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
The data subjects involved may exercise these rights in writing, using our contact information provided below, or, upon prior consultation, in person. We are doing our best to reply to each request as soon as possible, but within 15 workdays the latest.
Contact us to exercise your rights:
- via post: 9900 Körmend, Gárdonyi Géza u. 19., Hungary
- using e-mail: info@edelholz.hu
- in person: please call 06 92 571028 to set a meeting.
We are not giving out information concerning personal data via the phone, as we cannot identify the caller.