- Purpose of regulation
- Definitions / interpretative provisions
- Principles of personal data management
- The legal basis for the management of personal data
- Rules on personal data security
- Personal data management
- Managing the processing of user information data
- Internal records on data processing and the transfer of personal data
- Using your personal data processor
- Rights of data subjects with regard to the management of personal data
- Managing incidents of personal data protection
- General legal remedies
- Annex no.1: Statement of Confidentiality + Work Agreement on Supplementing the Sample for Employees and Contract Partners.
- Annex no.2: Statement on IT Security
1. Purpose of regulation
PTechnology S.R.L. is committed to protecting personal data. The main aspect of our services is the protection of personal information and data.
Starting May 25, 2018, to comply with the provisions of Regulation 2016/679/EU on the protection of individuals with regard to the processing of personal data and the free movement of such data (i.e. GDPR or RGPD), as well as other relevant legislation and international recommendations, PTechnology SRL (hereinafter referred to as the Company) will provide / protect the data generated during its operation, will determine the order of fulfillment of the personal data requests, will establish the order of responsibility, and will ensure and protect the updates to the current information flow.
Data processor’s name: PTechnology S.R.L.
DUNS NUMBER of data processor: 533637188
Registered office of data processor: BORSULUI, No.7, Floor IV/3. 410605 Oradea, Bihor, ROMANIA
Contact detail of data processor: firstname.lastname@example.org
1.1. Scope of the Rules
- The personal scope of the Policy
a) all employees of the Company.
b) the workers employed on a case-by-case basis;
c) the data processor and
d) in addition to the above, any other natural or legal person that has contractual relations with the Company.
- The objective scope of the Policy
a) all data generated by the Company,
b) data processed in the IT system,
c) data generated as a result of personal data management,
d) all hardware and software tools used by the Company;
e) data related to the activities of the Company during its operation
2. Definitions / interpretative provisions
2.1 data subject: any individual determined or determinable directly or indirectly or identifiable through personal data held by the Company.
2.2 personal data: the data relating to the data subject, in particular the name of the person concerned, the means of identifying him / her and the knowledge of one or more physical, physiological, mental, economic, cultural or social characteristics, as well as its characteristics concerning the data subject.
2.3 special data: any personal data concerning national minorities, racial or ethnic origin, political opinions, religious or philosophical or similar beliefs, union membership, health status, abnormal passion, sexual life
2.4 data files: a set of data managed by multiple records within the company
2.5 criminal personal data: in the case of bodies authorized to prosecute criminal offenses or criminal proceedings during or before criminal prosecution, as well as any personal data relating to the criminal enforcement bodies and those relating to the persons concerned as well as the criminal record.
2.6 consent: the voluntary and decisive expression of will-manifestation of the data subject based on correct information and the giving of clear and unequivocal consent to the processing of personal data directly relating to it for complete or specific operations.
2.7 objection: any statement by the person concerned in writing that he / she intends to oppose the processing of his / her personal data and requesting the following: termination of data management, updating, completion, correction and / or modification, and final deletion of processed data.
2.8 data manager: a natural or legal person or even an entity without legal personality that determines individually or in association with other persons the purpose for which the data are processed. The data manager also adopts and implements decisions on data management (including equipment used) or implements with a data processor all measures that have been entrusted.
2.9 data handling: all operations on personal data, regardless of the procedure followed, including the collection, recording, systematization, storage, modification, use, query, transmission, disclosure, coordination, interconnection or blocking, to prevent any unauthorized access.
2.10 transmission of data: the transmission of personal data available by various means, including through remote means of communication to a third party or a company.
2.11 disclosure: personal data becomes available to anyone who accesses them.
2.12 data deletion: personal data becomes unrecognizable and cannot be accessed due to permanent deletion, so their recovery is no longer possible under any circumstances.
2.13 data designation: provision of personal data with a specific identification mark to enable them to distinguish and subsequently use it.
2.14 data lock: identifying personal data that requires blocking and then limiting their use or final processing or for a certain time period.
2.15 data destruction: physical and / or virtual destruction of data media containing personal data.
2.16 data processing: performing technical tasks related to the personal data management operations, regardless of the methods and tools used to perform the operations and the location of the application, provided that the technical task is carried out on personal data.
2.17 data processor: a natural or legal person or an organization without legal personality who, on the basis of the contract with the operator, including the conclusion of a contract under the law, processes the personal data.
2.18 data registration system: any structured, functionally or geographically centralized, decentralized or dispersed file of personal data that is accessible by specific criteria
2.19 data protection incident: access, disclosure, transmission, processing, manipulation or unauthorized destruction of personal data by any other person or entity not expressly authorized to do so
2.20 third person: any natural or legal person or entity without legal personality that is not the person concerned and who has no relationship with the data controller or the data processor.
2.21 third country: any state that is not a member of the EEA.
3. Principles of data management
The company carries out its activities in the field of personal data management. The company also carries out all communication relations with its customers in Hungarian and defines all the duties of its employees regarding the management of personal data. The purpose of the company's activities is to ensure the correctness of the data collected at all stages of its management in a transparent, legal and fair manner, as well as to ensure the protection of the personal data of the data subject with respect to any requests for access, transmission, deletion or unauthorized destruction. Annex no. 1.
4. The legal basis for data management
Personal data can be processed if:
a) the data subject expresses his / her willingness to do so
b) there is an imperative legal provision to this effect, or there are other rules / regulations of the local or central public administration that pursue an aim of public interest.
In the case of mandatory data management, the types of materials to be processed, the purpose and conditions of data management, the availability of the data, the duration of the data management, and the identity of the data processor are determined by the law and the local government regulation.
Personal data may be processed even if obtaining the consent of the data subject would be impossible or subsequently made; provided that the processing of personal data is absolutely necessary for the fulfillment of the legal obligations of the Company. The legal obligation of the Company is to perform all activities in accordance with the legitimate interest of the Company or a third party authorized in this respect and proportionate application of this interest with the minimum restriction of the right to the protection of personal data.
The data subject will be informed in writing, by a means of communication chosen by the Company, prior to the commencement of the processing of personal data if the personal data are not processed on the basis of a valid consent or if the processing is mandatory under the law. The data subject will be clearly and comprehensively informed of the personal data to be processed and of all facts and actions closely related to the management of his or her data, in particular with regard to the purpose and legal basis of the processing of his or her personal data, the duration of the data management and the person or entity that has or may have access to such data.
If the personal data are not registered on the basis of the consent of the data subject, the Company, in the absence of any other legal provisions, fulfills its legal obligation to seek the express consent of the data subject by any means, with the minimum restriction of the right to data protection and without causing any further harm to the data subject.
The company operates in data management on the basis of the following:
- Regulation 2016/679 (27 April 2016) of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- European Parliament and Council Directive 95/46 / EC of 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
- Directive 2016/680 of the European Parliament and of the Council of the European Union on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of the prevention, detection, investigation or prosecution of criminal offenses or the execution of the sentence and the free movement of such data.
- Law no. 129 of 15 June 2018 for amending and completing the Law no. 102/2005 on the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing, as amended and supplemented.
5. Rules on data security and information security
The company processes personal data and stores them on secure servers on a computer network. The storage of personal data on a computer, hardware (hard disk), flash drive or optical disc must be subject to the security regulations in force for that device in order to protect personal data.
5. IT Security Rules
In the exercise of its activities and duties, the Company applies an IT security policy to protect electronic information. Our personal data protection measures are:
- protection of personal data by using a password that matches user authentication data
- protecting users' information from users by using the encryption system to store data
- saving information sent by the user to a geographically separate location;
- encrypt sensitive data under proper conditions
- use firewalls or other similar protection procedures, and
- the proper use and constant updating of antivirus programs for filtering and eliminating viruses in internal traffic
6. Management of personal data concerning the user
Management of user data
It serves to meet the company's goals and services provided by the company, as well as the realization of the rights and obligations of the company and its users.
The range of data processed: user name: Alias / Nickname, Phone number, E-mail address, Password, billing information (Name, surname, address, bank account identification). The company does not store traffic data, balance / active balance information for active users and / or service expiration dates.
The legal basis for data management: Based on the use of the service provided by the Company, the individual expresses consent to the processing of personal data when he voluntarily provides such data by the means provided by the Company.
Duration of data management: The Company is entitled, upon consent of the data subject, to properly manage, store and process all personal data provided by it for a fixed or indeterminate period of time or until such time as a decision has been made as a result of the withdrawal of the agreement or other objections raised by the data subject or the law, a public or jurisdiction forces it to do so.
Internal register of the Company's data management and data transfer
The Company undertakes to keep a record of the management of personal data and the transfer of personal data in accordance with the legal framework for personal data management and data transfer process.
7. Use of a data processor
The Company reserves the right to transfer personal data to companies and specialized organizations for the processing of personal data solely for the purpose of meeting the objectives and tasks of the proper functioning of the Company's system. The processing of personal data by such a processor starts only after the prior signature of a confidentiality statement regarding the management of personal data.
The data processor cannot take any unilateral decision on the management of the personal data entrusted to it without the express written consent of the data controller. It may not process the personal data for any purpose other than as instructed by the data controller and can perform its tasks only after the express instructions of the data controller. The personal data processor is required to ensure full physical and virtual protection of the personal data he / she is about to interact with and undertakes to process them only on the basis of the rules set out in the Data Protection and Personal Data Security Regulation.
The Company uses the following data processing companies in its activities:
- ACROBITS, S.R.O. Jindrisska 24 110 00 Prague 1 Czech Republic
- GoDaddy Operating Company, LLC. 14455 N. Hayden Rd #219, Scottsdale, AZ 85260 USA
- Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA
- PayPal (Europe) S.à r.l. et Cie, S.C.A. 22-24 Boulevard Royal, L-2449, Luxembourg, R.C.S. Luxemburg B 118 349.
- myPOS Europe Ltd, The Shard, Level 24, 32 London Bridge Street, London, SE1 9SG, United Kingdom
- Apple Inc. One Apple Park Way, Cupertino, California, USA,95014
- Have I Been Pwned - HIBP is owned and operated by Superlative Enterprises Pty Ltd, an Australian proprietary limited company (ABN 62 085 442 020) based in the state of Queensland
- DIDWW Ireland Limited 10/13 Thomas Street The Digital Hub, Dublin 8 Ireland
8. THE RIGHTS OF DATA SUBJECT RELATED TO DATA PROCESSING
8.1 Information request
Any data subject may request information about his or her personal data that he provides to the Company as well as personal data managed by the Company such as: source, purpose, legal basis, duration, name of the processor, address and data management activities personal data and in the case of the transfer of personal data, the legal basis as well as the transfer beneficiary.
The Company fulfills the request for information to ensure the safety of the data of the data subjects. In order to do this, the request for information can be sent in written form by sending a letter of full private document, or by sending the appropriate identification data by e-mail to the Company. The Company shall provide information in writing, in a clear manner, as soon as possible and within 1 month at the latest, to the address provided by the person concerned.
Please note that information per data set is free per year, and the Company may charge you for additional information. The Company undertakes to process the request for information to ensure the data protection, accuracy and transparency of the data subjects. In order to do so, the request for information must be sent in writing, by letter in a sealed envelope with acknowledgment of receipt or by sending to the Company the request for information at the email address email@example.com.
The Company will provide information to the person concerned in writing, in a clear manner, within 15 days of acknowledgment of receipt at the address indicated by the applicant.
If there is no basis for the request, or if the request for information infringes the rights of other persons with regard to security, confidentiality or transparency, the Company undertakes to provide the requesting person, in writing and within no more than 15 days, with a reasoned refusal to disclose such information.
If the data subject indicates in writing to the Company that the processed personal data is inconsistent with reality and requests rectification, or if the Company learns by other means of errors in the personal data and of the correct data, then the Company or Data Processor undertakes to correct the personal data as soon as it has knowledge that rectification is required. The Company also undertakes to notify the data subject, on the same day that the rectification is made, of the correction or of the rejection of the rectification request.
If the same person has successive claims for the rectification of personal data, the Company reserves the right to consider the most recent application.
8.3 Deletion or block
Data subjects have the right to request in writing, by e-mail or by mail service, the deletion or blocking of their personal data. The blocking ordered by the Company is a temporary measure and may be terminated by a specific procedure called unblocking. The personal data indicated by the applicant will be blocked if, on the basis of the information available to the Company, it can reasonably be assumed that their removal could be detrimental to the legitimate interest of the Company or even of the data subject. Personal data will be blocked as long as there is a data management goal that excludes the possibility of deleting them.
The deletion ordered by the Company is equivalent to the immediate termination of the services provided to the data subjects. The Company will notify the person concerned of the request to cancel, delete or block personal information.
8.4 Right of objection
The data subjects have the right at any time, for legitimate reasons related to their particular situations, to oppose the processing of personal data, even if only in part, unless they are absolutely necessary for the mandatory management of the data:
• if the processing or transfer of their personal data is required solely for the purpose of fulfilling the Company's legal obligation or for the legitimate interests of the Company or a third party; or
• if their personal data are used or transmitted for direct marketing, opinion polling or scientific research, unless they have given consent; or
• in other cases specified by law.
The Company, subject to the option of the applicant, shall examine the objection as soon as possible after filing the application and within a maximum of 15 days shall decide on its merits and inform the applicant in writing of its decision.
If the objection is founded, the Company immediately interrupts the management of the data, including the collection and transfer of additional data, first of all orders the blocking of the personal data to prevent their use, and will send notifications to all those who have previously used the personal data affected by the objection to take the same or similar measures, so as to give effect to the requesting person's right of objection.
8.5 Refusal to cooperate in direct marketing
In the case of so-called direct marketing, those involved in direct marketing correspondence have the right to refuse at any time and without justification that any data in direct contact with the data subject may no longer be used for commercial purposes. In this context, the data subjects have the right to refuse or prohibit the listing of their names on any contact list or on a merchant list. Individuals also have the right to prohibit the use of such data directly for commercial or specific purposes or even prohibit the transfer of such data to third parties.
8.6 Transferability or portability of personal data
Storing data that is perceived as a new legal element in the European Union allows all individuals concerned to request the transfer of personal data between several organizations.
The right to transfer and portability of personal data is free and allows affected parties to easily switch providers. This means that the data subject is entitled to receive his or her personal data free of charge, in a reasonable time, in a user-friendly, widely used format that can then be opened on any smartphone, such as CSV format.
9. Management of privacy incidents
PTechnology is committed to protecting personal data because, in the absence of appropriate and effective action, any data protection incident could cause physical, moral or material damage to the individuals involved. In order to manage data protection incidents, the company maintains a data protection incident log that records the circumstances of data protection incidents within 72 hours of the occurrence of the incident, and will also take all necessary and legal steps to restore the previous situation. The measures that the company undertakes to meet include, in a limitative way:
- takes all necessary steps to immediately remove the cause of the confidentiality incident
- it notifies all affected data subjects in order to minimize the damage
- implements the necessary additional and legal measures in such situations
- draws up a structured plan to prevent any personal security incident occurring in the future
- implements the security incidents prevention plan with regard to personal data protection as soon as possible
10. General legal remedies
In accordance with the legal provisions in force, the General Personal Data Protection Regulation provides:
- The right to file a complaint with a supervisory authority.
- The right to an effective judicial remedy against a supervisory authority.
- The right to an effective judicial remedy against an operator or a person empowered by the operator.
- Representation of the data subjects.
- Suspension of procedures.
- Right to compensation.
Interested individuals may receive information about their personal data and may request that they be managed for rectification, update, deletion or blocking. The operator shall, as soon as he becomes aware of the content of the applicant's request, examine it and, within 15 days of receipt of the request, shall provide a reasoned reply to the information requested.
If the personal data of the data processor users are not properly recorded or there are obvious material errors but can be easily corrected or remedied, the data processor or the operator may modify them, subject to their correctness and completeness.
The data processor can delete personal data in the following situations:
- if the processing of the data is manifestly unlawful or if there is an imperative legal provision to that effect
- if an order has been received by a competent court or by a public authority
- the person concerned makes an express and well-founded request to that effect
- if personal data is incomplete or incorrect and this situation cannot be legally remedied
- if the purpose of managing data has ceased to exist or the legal term for the retention of personal data has expired
In the first instance, personal data subject to the cancellation obligation is blocked by the operator instead of the deletion, if the data subject requests by any means of communication or if, based on the information available at that time, it can be assumed that the removal would in any case affect the legitimate interests of the Company, the legal provisions in force or even the person concerned.
Personal data blocked by this means will only be managed for the purpose of processing data that prevents the deletion of personal data. The data processor may surrender personal data under legal provisions for the purpose of managing it when:
- there is a substantiated dispute resolution or there is an express and substantive request from the competent bodies and authorized by law
- in this way it contributes to the protection of national defense and security, public security, cooperation with competent authorities, investigation and prosecution bodies with respect to the commission of crimes against humanity
If the data subject does not agree with the data processor's decision or other information, or if the data processor fails to meet the deadlines set by law, the data subject may refer the matter to the competent court of law or to the National Data Protection Authority and the Authority on the basis of free access to information, within 30 days of the announcement of the decision or the non-observance of the deadline.
Judicial review lies within the jurisdiction of the Tribunal within the territorial jurisdiction of the applicant's domicile. If the court approves the data subject's request, the data controller shall immediately provide all information, update, rectify, block, delete and / or cancel the decision taken, shall also take into account the person's right of protest, and shall proceed accordingly, according to the measures that are required for each case. In the case of a violation of the rights of the data subject or any other comments or complaints, any interested person may make a referral to the following contact details: PTechnology S.R.L. email: firstname.lastname@example.org