1. The Purpose of the Policy:
Rábalux Zrt – Rábalux Magyarország Kft (Körtefa utca 5., 9027 Győr, Hungary; hereinafter referred to as the Corporate Group), as controller, carries out its data management activity in accordance with Act CXII of 2011 on the right to informational self-determination and on the freedom of information (Info Act) and with Regulation (EU) 2016/679 (“GDPR”) of the European Parliament and of the Council. The purpose of this information leaflet is to provide visitors and customers registered on the website of the Corporate Group with information on data processed by the Corporate Group and on other activities related to data management. The definitions used in this information leaflet are identical with those described in Regulation (EU) 2016/679 (“GDPR”).
2. Principles Relating to Processing of Personal Data:
At the Corporate Group personal data must be processed lawfully and fairly, purposefully, minimised, accurately, with limited storage, confidentially and in an accountable and transparent manner in relation to the data subject.
Personal data shall be:
- collected only for specified, explicit and legitimate purposes
- processed only in a manner that is compatible with those purposes
- adequate and relevant
- limited to the necessary minimum
- accurate and, where necessary, kept up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
3. Data Management Taking Place During the Operation of a Contact Point:
Scope of data subjects: Visitors giving their consent on the website
Scope of processed data: Date, time, surname, forename, e-mail address
Legal basis for data management: Article 5 of Act CXII of 2011 on the right to informational self-determination and on the freedom of information, point (a) of Article 6(1) of Regulation (EU) 2016/679 (“GDPR”) and Article 6(5) of Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity.
Duration of data management: Until the withdrawal of the registration. In case of a request for erasure, the personal data shall be erased without undue delay.
Controllers authorized to access personal data and the recipients of personal data: Persons authorized to represent the Corporate Group, colleagues of the international marketing department
4. Preparation of Visitor Statistics:
The fact of data collection and the purpose of data management: Any external visitor may access the www.rabalux.com website of the Corporate Group and the information provided by the Corporate Group. The hosting provider of the website records visitor data during the visit of the website in order to control the operation of the service, to prevent abuse and to ensure normal operations. The purpose of recording is the collection of information regarding the use of the website and the preparation of visitor and internet use statistics and analyses. External service providers place and read back a so-called cookie on the computer of the user. If the browser sends back a cookie deployed earlier, the controllers have the right to link the current visit of the user to their earlier ones. The user may refuse the request related to cookies in the pop-up window at any time.
Scope of data subjects: Visitors giving their consent on the website
Scope of processed data: Date, time, IP address of user’s computer, IP address of the visited website, data related to the operating system of the user
Legal basis for data management: Article 5 of Act CXII of 2011 on the right to informational self-determination and on the freedom of information, point (a) of Article 6(1) of Regulation (EU) 2016/679 (“GDPR”)
Duration of data management: A period of 1 year from the view of the website
Controllers authorized to access personal data and the recipients of personal data: Persons authorized to represent the Corporate Group, colleagues of the international marketing department
5. Data Processing and Joint Data Management During the Operation of the Website:
During the operation of the website the controller only resorts to processors and joint controllers, who provide guarantees concerning the compliance with the requirements of Regulation (EU) 2016/679 and who carry out the appropriate technical and organisational measures in order to protect the rights of data subjects. During the data processing and joint data management Parties have determined their respective responsibilities in a transparent manner by entering into a written agreement for compliance with the obligations, in particular as regards the exercising of the rights of the data subject to carry out their respective duties. The Corporate Group shall resort to the following data processors, i.e. shall employ the following joint controllers in order to operate the website:
- Technical background support of the website / Data processing /:
Infoartnet Kereskedelmi és Szolgáltató Korlátolt Felelősségű Cégcsoport
- Hosting service, Technical background support / Data processing /:
Infoartnet Kereskedelmi és Szolgáltató Korlátolt Felelősségű Cégcsoport
6. Use of Google Analytics Application:
- During the operation of the website the controller uses Google Analytics application, the web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, i.e. text files saved on your computer, which make the analysis of the User’s website use possible.
- The information created about the User’s website use via the cookies is usually sent to a Google server located in the United States where it is stored. With IP anonymization activated on the website, Google shortens the User’s IP address beforehand within EU member states and in other countries party to the EEA agreement.
- Only in exceptional cases does Google send the full IP address to its US server and shorten it there. Google will use this information as commissioned by the operator to assess the User’s website use and to compile reports about the activities on this website as well as to offer further services related to the use of the website and the internet to the operator of the website.
- Google will not link the IP address sent by the User’s browser to any other Google data. The User may disable the storage of cookies by the corresponding settings of their browser software. Data (including IP address) collection and processing by Google via cookies related to the User’s website use may be prevented by the User by the download and installation of the browser plugin available via the following link:
7. Other Rights of Data Subjects:
- Right of access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being managed, and, where that is the case, access to the personal data collected by the controller.
- Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds determined in Article 17(1) of Regulation (EU) 2016/679 applies.
- Right to be forgotten
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject; in this case the restriction applies for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing; in this case the restriction applies for a period pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) of Regulation (EU) 2016/679 and the processing is carried out by automated means.
- Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of Regulation (EU) 2016/679, including profiling based on those provisions. In this case the controller shall no longer process the personal data.
- Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The former paragraph shall not apply if the decision:
- is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- is based on the data subject's explicit consent.
8. Measure Deadlines Related to the Data Management of the Website:
The Corporate Group shall provide information concerning measures taken responding to requests related to data management within one month. This deadline may be extended by two months if duly justified. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
9. Security of Processing:
Taking into account the state of the art in science and technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
10. Notification of Data Subject About a Personal Data Breach and Notification of a Personal Data Breach to the Supervisory Authority:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
11. Rights of Data Subject Related to Data Management:
- The data subject may request access to the personal data concerning him or her that are managed by the controller, their rectification and erasure, as well as the restriction of processing.
- The data subject has the right to object to processing personal data concerning him or her via the contact details of the corresponding information leaflet.
- The data subject has the right to have access to his or her personal data based on the regulations of data portability as well as to withdraw his or her consent regarding the data management of personal data provided during the registration.
Persons authorised to erase, modify or restrict the processing of personal data:
- Sales and marketing colleague. Postal address: Rábalux Világítástechnika Zrt., marketing department, Körtefa utca 5., 9027 Győr, Hungary, e-mail: firstname.lastname@example.org, Phone: +36 96 526 716 / 4