DATA PROTECTION AND DATA MANAGING POLICY OF INULINU LTD.
- Objective and extent of the Policy
1.1 Objective of present Policy is to record the data protection and data management principles applied by Inulinu Trading and Service Limited Liability Company (3/1 Szendrey Júlia Street, Kiskőrös, 6200, Hungary, hereinafter referred to as Company) and to record the data protection and management policy of the Company, which the Company as data manager, expresses its consent to be bound to it. which the Company as data manager undertakes to comply with.
1.2 The aim of present Policy is to ensure, concerning every field of the services provided by the Company, for all individuals without discrimination regarding their nationality or residence, that the rights and fundamental freedoms, in particular their right to privacy of each individual shall be respected during the automatic processing of their personal data (data protection).
1.3 During the formulation of the provisions, the Company has paid special attention to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 („General Data Protection Regulation” or „GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Privacy act”), Act V of 2013 on the Civil Code, Act XLVII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society services, Act C of 2000 on Accounting (with regard to the issuance and storage of invoices), Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing, Act VI of 1998 on The Protection Of Individuals With Regard To The Automatic Processing Of Personal Data, prepared in Strasbourg on 28 January 1981 and the recommendations of the “ONLINE PRIVACY ALLIANCE”.
1.4 In the absence of any contrary information, Policy does not cover services and data management related to the promotions, prize games, services and other campaigns or contents of third parties other than the Data Processor, that advertise or appear diverse ways on websites referred below.
In the same way, unless otherwise stated, Policy does not cover websites and the services and the data management of service providers that are accessible by links embedded on the websites given in present Policy. In case of such services, the third party’s own data protection principles apply, and the Data Manager does not assume any responsibility or liability for such data management.
- Definitions of terms
2.1 Data set: the total data managed within one database.
2.2 Data management: with no regard to the applied method, any operation or sum of operations of personal data, especially the collection, recording, organization, structuring, storage, alteration, changing, use, query, accession, communicating, forwarding, distributing, or making available otherwise, public disclosure, aligning or combining, blocking, deletion or destruction of personal data.
2.3 Data Manager: the entity, who -alone or in association with others- determines the purposes and tools of data management.
In the case of services referred in present Policy, the entity which qualifies as Data Manager is Inulinu Trading and Service Limited Liability Company (H-6200 Kiskőrös, Szendrey Júlia utca 3/1., Hungary, registered at Company Registry Court of Kecskemét Regional Court, company registration number: 03-09-108421; tax identification number: 12512498-2-03; hereinafter referred to as “Data Manager”).
The Data Manager is a business organisation registered in Hungary.
The Data Manager treats provided data related to its sales activities (preparing and sending price offers, fulfilling orders, case subsequent substantiating ordering conditions, billing and sending newsletter).
2.4 Personal Data or data: any data or information which makes a specific natural person, a User – directly or indirectly – identifiable.
2.5 Data Processor: the specific service provider that manages Personal data on behalf of the Data Manager. Concerning the Services referred in present Policy, Data Processors are the organizations listed in 9.1 of present Policy.
2.6 Website(s): websites operated by the Data Manager (inulinu.hu; inulinu.com).
2.7 Employee: the natural person, who is tied to the Data Manager by an employment contract or any other type of working relationship.
2.8 Potential Employee: the natural person, who applies for a job announced by the Data Manager
2.10 Data Destruction: the complete physical destruction of the media carrying the data.
2.11 Data Forwarding: the data is made available to a specific third party.
2.12 Public disclosure: making the data available for anybody.
2.13 Data Deletion: making data unrecognisable in a manner that their recovery in not possible.
2.14 Automatized Data set: any set of data undergoing automatic processing.
2.15 Automatic Processing: includes the following operations if they are carried out partly or completely by automatized devices: storage of data, the logical or arithmetical operations performed on the data, the alteration, deletion, retrieval and dissemination of the data.
2.16 System: the total of technical solutions operating the websites and services of the Data Manager and its partners.
III. Scope of Personal Data managed
3.1 The Data Manager’s System automatically records the User’s IP address, if the User visits one of the Websites.
3.2 Based on the User’s decision, the Data Manager may record the following data related to the use of Services available through the Websites: name, address, place of residence, telephone number, e-mail address, picture, User ID number recorded by the Data Manager, content of phone conversations between the User and the Data Manager.
3.3 If the User sends a message (like for example e-mail, reader’s mail) to some Services, or calls it, the Data Manager records the User’s address, e-mail address, telephone number and the time and date of the call and manages these data for the period and to the extent required to provide the requested Service.
3.4 Related to its contracts the Data Manager may manage the name, telephone number and e-mail address of the legal or authorized representative of the contracted partner or the contracted correspondent.
3.5 Regardless of the statements above, it may occur that a service provider technically related to the operation of Services, without informing the Data Manger, manages data on one of the Websites. Such activity does not qualify as Data Management carried out by the Data Manager. The Data Manager uses its best efforts to avoid and filter out such Data Management.
- Scope of additional data managed by the Data Manager
4.1 Data Manager places a small data package (so-called “cookie”) on the computer of the User in favour of customised Service. The purpose of the cookie is to ensure the highest quality possible for the operation of the webpage to increase user experience. The User can delete the cookie from their own computer and may set their browser to disable the application of cookies. By disabling the application of cookies, the User takes note that the operation of the webpage is not fully functional.
4.2 Though the usage of cookies the Data Manager manages the following Personal Data during the provision of customised Services: demographical data (based on the data referred in points 3.2 and/or 3.4 of present Policy) and information about personal interest, habits and preferences (based on browsing history).
4.3 Data technically recorded during the operation of the systems: those data of the login computer of the User which generate during the use of the Service and which are recorded by the system of the Data Manager as automatic results of technical processes. This data includes the User’s IP address, the operating system and browser used by the User, data of the websites which lead the User to the Data Manager’s Website, and the data of visits on the Data Manager’s Websites and the date of visits and time spent on the website. The automatically recorded data is recorded automatically by the system when the User signs in and sign outs, without requiring specific consent or other action from the User. Only the Data Manager has access to this data.
- Aim and legal basis of Data Management
5.1 Aim of Data Management of the Data Manager:
- a) providing online content;
- b) contact concerning the Company’s business activities;
- c) identification of the User and contact with the User;
- d) identification of User privileges (Services available to the User);
- e) provision of Services available through the Company’s Websites;
- f) display of personalised content and advertisements, compilation of statistics;
- g) facilitation of the customisation of advertisements and Services used by the Users, use of convenience functions;
- h) management and handling of unique User requests;
- i) compilation of statistics and analyses;
- j) contact with the purpose of direct solicitation of business, marketing (like for example newsletter, eDM, etc.);
- k) keeping records and sending reports on the Data Manager’s Employees as mandated by the law;
- l) recruitment and selection of the Data Manager’s Potential Employees;
- m) technical development of the IT system;
- n) protection of the User’s rights;
- o) enforcement of the Data Manager’s legitimate interests;
- p) facilitation of the signing and carrying out of contracts covered by the activities of the Data Manager.
The Company may use the data made accessible by the Users during the use of Services, to create user groups and publish targeted content and/or advertisements for the user groups on the Company’s Websites.
Data Manager may use the provided Personal Data for any of the above listed purposes.
Data Manager may not use the provided Personal Data for purposes different from those described in these sections.
5.2 If the Data Management takes place based on the User’s voluntary statement based on appropriate information, which statement contains the User’s explicit consent to the Personal Data they provided during the use of the Websites and the Personal Data generated on them being used. If during the Data Management the User’s Personal Data is forwarded, the Policy extends to this fact. In case of Data Management based on the User’s consent, the User has the right to withdraw consent at any point but that does not affect the legality of the Data Management taken place prior to the withdrawal.
When the User enters the Websites, the Data Manager may record the User’s IP address without the specific content of the User, in line with the Data Manager’s legitimate interests and the legitimate provision of Services (for example to filter out use contrary to law or illegal content).
Legal basis of the Data Management during the provision of different services is to ensure the fundamental right to get information and to expression, within the legal framework.
Legal basis of the Data Management during the provision of different services may be the User’s voluntary consent, or the signing and carrying out of contracts created by the User, the legal provision that apply to the Data Manager and the facilitation of the Data Manager’s marketing/sales activities. The User as costumer consents by registering on the Websites or by using the Services to their Personal Data provided during the registration and/or the using process being stored, managed and used in accordance with the legal provisions in force always for the delivery of orders.
The Data Manager manages Personal Data from the invoices issued by the Data Manager in accordance with the act on accounting.
5.3 Data Forwarding to Data Processors listed in present Policy may be done without the User’s specific consent.
Transfer of Personal Data to third parties or authorities – unless the law states otherwise – may only occur based on the decision of authorities or on the User’s prior, explicit consent.
5.4 The User shall take responsibility for ensuring that they legally obtained the consent of any natural entity whose Personal Data they provided or made accessible during the use of Services (for example during the publishing of content generated by the User). The User is solely responsible for content uploaded or shared by them to the Services.
5.5 By providing their e-mail address or Personal Data during registration, every User takes responsibility for ensuring that
a./ the data and consent given are given by the User and are accurate,
b./ only the User will use Services whose data are provided.
Regarding this responsibility, all responsibilities regarding the entries made using a specified e-mail address and/or data shall be worn by the User who registered the e-mail address and data. If during registration the User has given the data of a third party for the use of services, the User is responsible, and the Company is entitled to seek damages from the User. In such case the Data Manager provides all the help it can for the acting authorities with the aim of identifying the infringer person.
5.6 With the aim of further development of its products, or with the aim of evaluation, improvement and extension of its Services, the Data Manager may conduct research activities and create anonymous statistics (hereinafter referred to as Research Activities) by using the data managed by the Data Manager. When conducting Research Activities, the Data Manager may only use data in an anonymous way where the unique User cannot be identified. The Company is entitled to use the anonymous research results, created by Research Activities, for the development of services and the introduction of new services, for the sending of online and traditional advertisements and newsletters targeting specific Users and to sell anonymous research results to third parties. The User explicitly consents to Data Management with the aims mentioned above.
- Principles and methods of Data Management
6.1 The Data Manager shall manage Personal Data in accordance with the principles of good faith, fair dealing and transparency, and legislation in force and the provisions of present policy, respectively.
6.2 Personal Data strictly necessary for using services shall be managed by the Data Manager solely for a specific purpose, based on the concerned User’s consent.
6.3 The Data Manager manages the Personal Data only for the purposes determined in present Policy and in the relevant legislation. Personal Data shall be proportionate to the purpose of their managing and shall not be expanded beyond it.
6.4 In every case where the Data Manager intends to use Personal Data for purposes outside of the original data recording’s purposes, the Data Manager has to inform the User and ask for its prior, explicit consent, in addition to providing the possibility to prohibit the use of its Personal Data.
6.5 The Data Manager shall not inspect the provided Personal Data. The person providing the data shall be exclusively responsible for the compliance of the data provided.
6.6 The Personal Data of a natural entity under the age of 16 shall only be managed with the consent of the legal adult exercising parental control. The Data Manager is not able to inspect the legitimacy of the consenting person and the content of the statement, thus the User or the person exercising parental control shall be exclusively responsible for the compliance of the content with legislations. In the absence of consent the Data Manager shall not manage and collect data of persons under the age of 16, except for the IP address recorded automatically during the use of the Service.
6.7 The Data Manager shall not forward Personal Data managed by them to third parties, except some Data Processors determined in the present policy and in some cases – referred in the present policy – some External Service Providers.
The use of the Personal Data in a statistically summarized form, which does not contain any other data allowing the identification of the concerned User, shall be concerned as an exception to these rules defined in the present policy, shall not be concerned as Data managing or Data forwarding.
The Data Manager in some cases – official judicial or police inquiries, legal proceedings, copyright-, property- or other infringements, or in the case of harm to the interests of the Data Manager, or endangerment regarding the provision of their Services caused by the substantiated suspicion of these – shall make the Personal Data of the concerned User available to third parties.
6.8 The System of the Data Manager may collect data about the activity of the Users which shall not relate to other data provided by the Users at the time of registration or with data generated at the time using other websites or services.
6.9 The Data Manager must notify the concerned User and those third parties, to whom Personal Data has been forwarded with the purpose of Data Management, about the correction, restriction or deletion of the Personal Data managed by the Data Manager.
The notification may be omitted if regarding the purpose of Data Management, it does not violate the legitimate interests of the concerned party.
6.10 The Data Manager undertakes to ensure the security of Personal Data and shall take all technical and organizational provisions and establish the rules of procedure which ensure for the collected, stored and managed Personal Data to be protected, and prevents their termination, unauthorized use and unauthorized alteration, respectively. To fulfil their obligations in this regard, the Data Manager also commits itself to notify each third party to whom Personal Data may potentially be forwarded by them.
6.11 With regards to the relevant provisions of GDPR, the Data Manager appoints a Data Protection Officer:
The Data Protection Officer’s
- name is Inulinu Ltd.: Szabó Ferenc
- e-mail address: firstname.lastname@example.org
- telephone number: 06-78/513-925
VII. The term of Data Management
7.1 Data Manager shall delete IP addresses recorded automatically seven days after their recording.
7.2. In the case of e-mails sent by the User, who does not have registration, the Data Manager shall delete the e-mail address of the User 90 days after the closure of the case referred in the e-mail, except in specific cases, when further management of the Personal Data is justified by the legitimate interest of the Data Manager, until this legitimate interest ceases to exist.
7.3 Personal Data given by the User related to the services provided at the Data Manager’s website persists until the User unsubscribes from the referred service – using the provided user name – or does not request the deletion of their Personal Data otherwise. In this case the Personal Data shall be deleted from the Data Manager’s system.
Personal Data provided by the User – even in the case when the User does not unsubscribe from the Service or by deleting their registry they withdraw only the possibility of entry, and the stored comments and uploaded contents persist – can be managed by the Data Manager until the User expressly requests in writing the termination of the Data Management. The request of the User concerning the termination of Data Management without unsubscribing from the Service does not affect their rights concerning the use of the Service; however, it may occur that due to the absence of Personal Data, they may not be able to utilize certain Services.
Personal Data may be managed for marketing purposes and with the purpose of direct solicitation until the User requests the deletion of their data.
7.4 In the case of illegal, misleading using of Personal Data or in the case of crime or attack against the System committed by the User, the Data Manager is entitled to immediately delete the personal data of the User at the same time of the termination of their registration, meanwhile – in case of suspicion of crime or suspicion of the violation of civil liability – has the right to preserve the data for the time period of the procedure to be performed.
7.5 The Personal Data to be automatically, technically recorded during the operation of the System, shall be stored in the System from their creation as long as it is necessary for the System to operate. The Data Manager shall ensure – except in cases where it is made obligatory by the law – that these automatically recorded data shall not be linked with other Personal Data. If the User terminated their consent regarding the management of their Personal Data or had unsubscribed from the Service, – excluding investigative Services and their experts – their person will not be identifiable.
7.6 If the court or authority lawfully orders the deletion of the Personal Data, the Data Manager shall execute the deletion. Instead of deletion, the Data Manager may – at the same time informing the User – restrict the use of Personal Data if the User requests so or if based on available information it is assumable that the deletion would harm the User’s legitimate interest. As long as the Data Management purpose which ruled out the deletion of Personal Data persists, the Data Manager shall not delete the Personal Data.
VIII. User’s rights, options for their enforcement
8.1 The User may ask to be informed by any of the Data Managers whether they manage their Personal Data and if they do, the User may ask the Data Manager to provide access to the Personal Data managed by them.
Personal Data provided by the User regarding the used Services can be viewed at the settings of the login system of Services and on the profile pages related to certain Services.
Regardless of this, the User may request to be informed about the management of their Personal Data in a written form, by a registered mail or by a registered letter with acknowledgement of receipt, or by an e-mail sent to email@example.com, at any time. The request for information sent via mail shall be considered authentic by the Data Manager only if the User is clearly identifiable based on the sent request. The request for information sent via e-mail shall be considered authentic by the Data Manager only if it has been sent from the registered e-mail address of the User, but this shall not rule out that before providing information the Data Manager may use a different method to identify the User.
The request for information may include the User’s data managed by the Data Manager, their sources, the purpose of Data Management, the legal basement of Data Management, its duration, the names and addresses of the possible Data Managers, the activities concerning the Data Management and in case of the forwarding of Personal Data, the past or future recipients of the User’s data and the purpose of the receipt.
8.2 The User may request the correction or alteration of the Personal Data managed by the Data Manager. Considering the purpose of the Data Management, the User may ask for the supplementation of deficient Personal Data.
The Personal Data provided by the User concerning the provided Services can be altered in the settings section of the login system of Services and on the profile pages related to certain Services. After the completion of an alteration request concerning the Personal Data, the previous (deleted) data cannot be restored.
8.3 The User may ask for the deletion of their Personal Data managed by the Data Manager.
The request can be denied (i) to enforce the freedom of expression and the right to information, or (ii) if the law allows the management of the Personal Data, or (iii) presenting, validating or protecting legal claims.
The User has to be informed in every case by the Data Manager about the refusal of the deletion request, and also about the reason for the refusal. After the completion of a deletion request related to Personal Data the previous (deleted) data cannot be restored.
8.4 The User may ask for the restriction of the management of their Personal if the concerned User has doubts about the accuracy of the managed Personal Data. In this case the restriction applies for the period which makes it possible for the Data Manager to check the accuracy of the Personal Data’s. If the User debates the correctness or accuracy, but the incorrectness or inaccuracy of the debated Personal Data cannot be clearly established, The Data Manager shall mark the Personal Data they manage.
The User may also request the restriction of the management of their Personal Data if the Data Management is unlawful, but the User is against the deletion of the managed Personal Data, and instead of deletion they requests the use of their Personal Data to be restricted.
The User may also request the restriction of the management of their Personal Data if the purpose of the Data Management has been fulfilled, but the User requires the management of the Personal Data by the Data Manager to put forward, validate or protect legal claims.
8.5 The User may ask the Personal Data provided by the User and stored automatically by the Data Manager to be handed over and/or forwarded to another Data Manager in a tabulated, commonly used and computer readable format.
8.6 The User, may exclaim against the management of their Personal Data (i) if the management of Personal Data is only necessary for the fulfilment of the legal obligation of the Data Manager or the enforcement of the legitimate interest of the Data Manager or a third party, (ii) if the purpose of the Data Management is direct solicitation, public opinion inquiry or scientific research or (iii) if the purpose of Data Management is to fulfil public interest. The Data Manager shall investigate the legality of the User’s request and if the bases of the request are established, the Data Manager shall terminate the Data Management and block the managed Personal Data, furthermore the Data Manager shall notify everyone to whom the protested Personal Data has been forwarded about the protest and the measures taken based on the protest.
- Data processing
The Data Manager’s servers are held at the registered office of Volvox Ltd:
Registered Office: 3/1 Szendrey Júlia Street, Kiskőrös, 6200, Hungary
Company Registration Number: CG 03-09-104733
Data of hosting service provider:
Name of company: W5 Informatic Plc.
Registered office: 12 Kossuth Street, Abaliget, 7678, Hungary
Telephone number: +36-30/203-0940
9.1 For processing, analysing and evaluating data, the Data Manager may use the services of additional Data Processors, when conducting Research Activities.
9.2 The Data Processors are entitled to the use of services of additional Data Processors solely with the permission of the Data Manager.
- External Service Providers
10.1 For the provision of services the Data Manager does not use External Service Providers in any cases, and the Data Manager does not cooperate with any External Service Providers.
- Possibility of Data Forwarding
11.1 The Data Manager is eligible and obliged to forward any available and properly stored Personal Data to the competent authority, to which Personal Data Forwarding they are bound by legislation or effective administrative obligation. In case of such Data Forwarding and concerning its consequences the Data Manager shall not be liable.
11.2 With the specific consent of the User, the Data Manager is entitled to forward the Personal Data marked in the consent form to a third party marked in the consent form for a purpose and term marked in the consent form. The third party shall manage the forwarded data in line with their own data protection principles.
11.3 The Data Manager shall keep records to verify the lawfulness of Data Forwarding, and to inform the User.
XII. Data Management concerning the Data Manger’s Employees, Potential Employees and visitors of the Data Manager’s premises
12.1 The Data Manager manages the following Personal Data of its Employees: name, birth name, tax ID number, social security number, mother’s name, place and date of birth, national ID number, nationality, permanent address, mailing address, bank account number, educational attainment, number of related certificate, name of spouse, birth name of spouse, tax ID number of spouse, name of child(ren), tax ID number of child(ren), social security number of child(ren), name of mother of children, place and date of child(ren)’s birth, child(ren)’s disabilities.
12.2 The purpose of the Data Management concerning the Employees is to fulfil of the Data Manager’s statutory obligations (obligation of registration and notification).
12.3 The period of the Data Management concerning the Employees is determined by the prescriptive legislation.
12.4 The legal basis of the Data Management concerning the Potential Employees of the Data Manager is the voluntary and well-informed consent of the concerned individual. The purpose of the Data Management is the recruitment and selection of the Data Manager’s Potential Employees.
12.5 By sending their CV and other documents necessary for the job application to the Data Manager, the Potential Employee consents to the Data Manager storing and managing their provided Personal Data in accordance with legal provisions in force at a time, until the Potential Employee withdraws their consent but no longer than 2 years after the fulfilment of the position in question.
The Data Manager is entitled to use the Personal Data provided by the Potential Employee in their CV and other documents necessary for the job application in a future situation which enables the possible employment of the Potential Employee by the Data Manger or if the Data Manager believes the Potential Employee can be suitable to establish employment or other type of working relationship with them. The purpose of using Personal Data in this case is that these data help the Data Manager to recognise whether the Potential Employee is a suitable candidate or not and they enable the direct contact with the Potential Employee.
12.6 With the aim of protection of property or work contract fulfilment The Data Manager may install and operate cameras in its offices and premises. The cameras may make recordings which may be viewed and used by the Data Manager with the aim of protection of property or work contract fulfilment. The recording must be deleted within 72 hours after their recordings unless they are used as described in this section.
XIV. Options for legal enforcement
14.1 Employees of the Data Manager can be contacted regarding any Data Management issue by writing an e-mail to firstname.lastname@example.org or by calling +36-78-513-925.
14.2 Regarding any issues related to Data Management the User may directly request the help of the National Data Protection and Freedom of Information Authority (address: 22/C Szilágyi Erzsébet alley, Budapest, 1125, Hungary; tel.: +36-1-391-1400; e-mail: email@example.com; website: www.naih.hu).
14.3 In the case of violation of their rights, the User may practice their options for legal enforcement in court. The judgement is in the jurisdiction of the court. The legal proceedings can be started at the court of the place of address or of the residence of the person concerned. Upon the User’s request the Data Manager shall inform the User about the options and means of remedies.
Budapest, 25 May 2018