(hereinafter also referred to as the „Notice” or „Privacy Notice”)
1.1. Background
The new European Union General Data Protection Regulation 2016/679 (GDPR, hereinafter referred to as the „Regulation” or „GDPR”) will/has become directly applicable in Hungary. The Company is a data controller under the Regulation, which means that the Regulation applies to the personal data processed by the Company.
1.2 Purpose of the Prospectus
The purpose of this Notice is to set out the data protection and data management provisions and principles followed and applied by Fingerprint Limited Liability Companies (hereinafter also referred to as the „Controller” or the „Company”) and considered to be applicable to it, and the Company's data protection and data management policy.
1.3 Legislation
In determining the content of the Prospectus, the Company has, in addition to the Regulation, also taken into account the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information („Infotv.”), Act V of 2013 on the Civil Code („Civil Code”) and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities („Act XLVIII”).
1.4 Scope
This Privacy Policy applies to the website available at www.fingerprint.hu, www.truckroadshow.hu, www.logozva.hu, www.borcsomagolas.hu, www.maszklogozva.hu (hereinafter referred to as the „Website”)
data processing. Unless otherwise stated, the scope of this Notice does not cover the services and data processing of websites and service providers to which the Websites contain links. The scope of the Notice does not cover the processing of data by persons (organisations, companies) whose information, newsletters, advertising mailings the Data Subject has received from the Website.
1.5. Amendments to the Prospectus
1.5.1 The Company reserves the right to amend the Policy by unilateral decision.1.5.2 By accessing the Website, the Data Subject accepts the provisions of the Policy in force at the time, and no further consent of the Data Subject is required unless otherwise provided in the Policy.
Terms used in this Privacy Notice have the following meanings:
2.1. Data Management:
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.2. Data Controller:
A natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.3. Personal data or information:
Any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.4. Data processor:
The natural or legal person, public authority, agency or service provider that processes personal data on behalf of the Controller.
2.5. Affected:
A natural person who provides his or her personal data or whose personal data is provided to the Company.
2.6. External service provider:
Third party service partners used by the Data Controller or the Website Operator, either directly or indirectly, in connection with the provision of certain services, to whom Personal Data are or may be transferred in order to provide their services, or who may transfer Personal Data to the Company. Third Party Service Providers are also service providers that are not in cooperation with the Company or the service providers, but by accessing the Website, collect data about the Data Subjects, which may be used to identify the Data Subject, either individually or in combination with other data. In providing hosting services, the Company also considers the Data Subject as a Third Party Service Provider for the purposes of the data processing activities on the hosting service it uses.
2.7. Information:
This privacy policy of the Company.
Name: fingerprint Ltd.
Head office: 6725 Szeged, Világos utca 17/A
Company registration number: 06-09-008262
Data Protection Officer: the Company is not obliged to appoint a Data Protection Officer under the Regulation, the Data Controller is a company registered in Hungary, the operator of the Website.
4.1. Legality, fairness
The processing of data must be lawful, fair and transparent for the data subject. The Company will only process the data specified by law or provided by the Data Subjects or their employers/contractors/customers for the purposes set out below. The scope of the Personal Data processed shall be proportionate to the purpose of the processing and shall not go beyond that purpose.
4.2 Accuracy
The data must be necessary and relevant for the purpose of the processing, accurate and, where necessary, kept up to date.
4.3. Specificity of purpose
In any case where the Company intends to use the Personal Data for a purpose other than that for which it was originally collected, the Company will inform the Data Subject and obtain his or her prior explicit consent or provide him or her with the opportunity to object to such use.
4.4. Compliance
Your Company does not control the Personal Data provided to it. The person providing the Personal Data is solely responsible for the accuracy of the Personal Data provided.
4.5 Limited shelf life
It must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
4.6. protection of the data of a person under the age of 16
The Personal Data of a person under the age of 16 may be processed only with the consent of the person who has parental authority over him or her. The Company is not in a position to verify the eligibility of the person giving consent or the content of his or her declaration, so the Data Subject or the person having parental authority over him or her guarantees that,
that the consent complies with the law. In the absence of a statement of consent, the Company will not collect Personal Data relating to a data subject under the age of 16.
4.7 The Company will not transfer the Personal Data it processes to third parties other than the Data Processors and External Service Providers specified in this Policy. Data shall be processed in such a way as to ensure adequate security of the Personal Data by applying appropriate technical and/or organisational measures.
An exception to this provision is the use of data in aggregated statistical form, which may not contain any other form of data that could identify the Data Subject.
In certain cases, the Company may make available to third parties the Personal Data of the Data Subject that are accessible to it, in response to a formal judicial or police request, legal proceedings, or because of a reasonable suspicion of infringement or violation of copyright, property rights or other rights, or because of a threat to the interests of the Company, or to the provision of the service, etc.
4.8 The Company shall notify the Data Subject and all those to whom it has previously disclosed the Personal Data for the purpose of Processing of the rectification, restriction or erasure of the Personal Data processed by it. The notification may be omitted if this does not prejudice the legitimate interests of the Data Subject in relation to the purposes of the Processing.
4.9 The Company is not required to appoint a Data Protection Officer under the Regulation, as the Company is not a public authority or a body with public responsibilities, the Company's activities do not involve operations that require systematic and systematic large-scale monitoring of Data Subjects, and the Company does not process sensitive data or personal data relating to criminal convictions and offences.
5.1 Article 6 of the GDPR sets out the cases in which the personal data of Data Subjects may be processed: a) where the Data Subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into the contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the protection of the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.”
5.2.Taking into account the nature of the Company's activities, the legal basis for data processing is primarily the Data Subject's voluntary and explicit consent based on proper information (Infotv. 5(1)(a)), during the preparation of any contractual obligation between the Company and the Data Subject or his/her employer/client/customer or following the conclusion of such an obligation, the provisions of point 5.1.b) of the Regulation above and point 5.1.c) of the Regulation above. The Data Subject voluntarily contacts the Company, either in the course of performing a task for his/her employer/client/customer, or voluntarily registers or uses the Company's services. In the absence of the Data Subjects' consent, the Company will only process data if it is expressly authorised to do so by law.
5.3 Where the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data.
5.4.The Data Subject has the right to withdraw his or her consent at any time in respect of all processing for which the legal basis is the Regulation, in accordance with point 5.1.a) of the Regulation. The withdrawal of consent shall not affect the lawfulness of the processing based on consent and carried out prior to the withdrawal and in accordance with point 5.1(b) and/or (c) and/or 5.1(d) of the Regulation above.
- Transfers to Processors as set out in this Notice may be made without the Data Subject's specific consent. Unless otherwise provided by law, the disclosure of personal data to third parties or public authorities is only possible on the basis of a final decision by a public authority or with the prior explicit consent of the Data Subject.
o The Data Controller records the User's IP address when the User accesses certain websites in connection with the provision of the service, in the legitimate interest of the Data Controller and for the lawful provision of the service (e.g. to filter unlawful use or unlawful content), without the User's consent.
o By providing any User's e-mail address and the data provided during registration (e.g. user name, ID, password, etc.), the User also assumes responsibility for using the e-mail address and the data provided by him/her to use the service. In view of this assumption of responsibility, any liability for accessing the service from an e-mail address and/or using the data provided shall be borne solely by the User who registered the e-mail address and provided the data.
The processing of data must be lawful, fair and transparent for the Data Subject. The Company shall endeavour to process only personal data that is necessary for the purposes for which it is processed and is adequate for the purposes for which it is processed. Personal data shall only be processed to the extent and for the duration necessary to achieve the purpose.
The purpose of data processing is primarily the operation of the Website and the provision of the Data Controller's services, the establishment and performance of its commercial and contractual relations.
The purpose of the processing based on the above:
- identification of the Data Subject, contact with the Data Subject
- Preparation of the contract resulting from the contact made through the Website, fulfilment of contractual obligations by the Data Controller, enforcement of rights;
- provide the Data Subject with concise, transparent, understandable and easily accessible information
● the creation and performance of legal transactions between the Company and the Data Subject within the scope of the Company's activities
- collection of the fee, billing if the service is subject to a fee
- fulfil the obligations incumbent on the Data Controller, exercise the rights of the Data Controller
● analyses, statistics, development of services - for this purpose the data controller uses only anonymised data, aggregated data that cannot be personally identified
- Research, advertising and other marketing activities with the specific consent of the Data Subject
- protect the rights of the Data Subject.
The Company only processes Personal Data provided by the Data Subjects or entities using the services (work) of the Data Subjects for the preparation/performance of the transaction, and does not collect data from other sources.
The data is provided by the Data Subject via the contact form. During the registration, the Data Subject provides his/her name, e-mail address and telephone number.
If the Data Subject registers for a promotion organised by the Data Controller and provides his/her data, he/she consents to the processing of his/her personal data as set out in the information leaflet of the promotion. In this case, the Data Controller will only process the data provided during the promotion.
The Company only processes personal data provided in accordance with point 8. The data processed are the following:
The data processed by the Company can be divided into the following categories based on the purpose of the processing:
● Data required for contacting the Data Subject: by providing the Data Subject's first name, surname, e-mail address and telephone number, the Data Subject enables the contact.
- Data provided during marketing enquiries: during marketing enquiries made by the Company, the Data Subject provides his/her name, e-mail address, telephone number and e-mail address. The legal basis of the processing is the consent of the Data Subject, the primary purpose of the processing is to maintain contact for marketing purposes, to provide information, to send a newsletter or a direct request pursuant to Section 6 (1) of Article 6 of Act XLVIII of 2008.
- Suppliers' data: in the course of the business cooperation with suppliers, the Company shall provide the name, email address and telephone number of the Data Subject or his/her employer/client/customer in the event of data processing. The legal basis for processing is the performance of contracts and the fulfilment of legal obligations.
- Data provided in the course of public opinion polls: the data provided by the Data Subject will be processed, recorded and used in the course of public opinion polls carried out by the Company. The Company is entitled to process such data pursuant to Article 9(2)(e) GDPR.
- Billing data. If the Data Subject makes a payment to the Company, the Company processes the data related to the payment and invoicing (method of payment, details of the payment instrument, in the case of invoicing the name, address and tax number of the customer). The legal basis for the processing is partly the consent of the Data Subject and partly the legislation on taxation and accounting. The purpose of the processing is billing, collection of fees.
- Data and documents provided during authentication. Data Subjects have the opportunity, and in cases specified by the Company, the obligation to authenticate themselves, as described in Section 11 below. Documents will be handled as described in point 11. The purpose of the processing is to verify the identity of the Data Subject.
In addition to the above, the Company processes the technical data, including the IP address, as described in section 13.
The source of the data is the Data Subject or a legal entity having an employment/commission/contractual relationship with him/her, who provides the data (i) in the course of the preparation, establishment or performance of the legal transaction and/or (iii) when making a statement in connection with the newsletter or direct inquiry pursuant to Article 6 (1) paragraph (1) of Act XLVIII of 2008.
The Data Subject provides the data independently, the Company does not provide any binding guidelines or content requirements in this regard. The Data Subject expressly consents to the processing of the data provided by him/her. In addition to the data requested by the Company, the Data Subject is entitled to provide other data in his/her profile, the legal basis for the processing of the data in this case is also the Data Subject's voluntary consent.
If the Data Subject registers for a promotion organized by the Company (e.g. on Facebook) and provides the data requested there, he/she accepts the data management information related to the promotion.
In the event of a mandatory invitation on the Website, the possibility exists for the Data Subject to provide the Company with his/her personal documents in order to facilitate the conclusion of a legal transaction between the parties.
The Data Subject shall have the possibility, except where the Company has made it mandatory, to disclose the documents by deleting the personal data. If the Data Subject does not delete the data, he or she consents to the disclosure of the data in the event of publication.
If the Company does not require the disclosure of documents containing personal data and provides for the possibility to delete the data, the Company shall not be liable for any such disclosure.
The purpose of the authentication process is to enable the Company to verify the identity of the Data Subject. The Company verifies that the Data Subject who indicates his/her intention to enter into a contract is a natural person. Following the verification, the Company deletes the photos and data from the Website, but stores them in other storage space until the legal basis for the processing ceases to exist. The purpose of data processing is to authenticate the Data Subjects and to facilitate the creation and, after the conclusion of the legal transaction, its lawful performance.
If the Data Subject consents, the Company will contact the Data Subject using the contact details provided and send him or her direct marketing. The advertisement may be sent by post, by telephone (including SMS) or by e-mail (including Messenger), subject in all cases to the consent of the Data Subject. The Data Subject may withdraw his/her consent at any time without giving any reason.
The Company's system may automatically record the IP address of the Data Subject's computer, the starting time of the visit and in some cases, depending on the computer's settings, the type of browser and operating system. The data thus recorded cannot be linked to other personal data. The data are processed for statistical purposes only. Cookies allow the Website to recognise, identify and record previous visitors. Cookies help the Company, as the operator of the Website, to optimise the Website and to tailor the Website's services to the habits of the Data Subjects. Cookies can also be used to
- remember the settings, so that the Data Subject does not have to re-enter them when entering a new page,
- remember previously entered data, so you don't have to re-enter it,
- analyse the use of the website to ensure that the improvements made using the information obtained are as relevant as possible to the Data Subject's expectations, to make it easy for the Data Subject to find the information they are looking for and to monitor the effectiveness of our advertising.
If the Company displays various content on the Website using external web services, this may result in the storage of some cookies that are not under the control of the Company and therefore it has no control over the data collected by these websites or external domains. Information on these cookies is provided in the policies for the relevant service.
The Company uses cookies to display advertisements to Data Subjects through Google and Facebook. The processing is carried out without human intervention.
The Data Subject has the option to delete cookies in their browser (usually in the privacy section of the settings). By disabling cookies, the Data Subject acknowledges that without cookies the functionality of the Website is not fully functional.
The Company shall only transfer personal data to third parties if the Data Subject has given his or her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorised by law.
The Company shall be entitled and obliged to transmit to the competent authorities any Personal Data which it has available and which it has stored in accordance with the law, and which it is required to transmit by law or by a final and binding obligation of a public authority. The Company shall not be liable for any such transfer and the consequences thereof.
In all cases, the Company shall document and keep records of the transfers.
The Company is entitled to use a data processor to carry out its activities. Data processors do not make decisions on their own and are only entitled to act in accordance with the contract concluded with the Company and the instructions received. The Company shall monitor the work of the processors. Processors shall be entitled to use an additional processor only with the consent of the Company. The Company shall only use processors who or which provide adequate guarantees to implement appropriate technical and organisational measures to ensure compliance with the processing and to protect the rights of data subjects.
The data processor may not use any other data processor without the prior written authorisation of the Company, either on a case-by-case basis or in general. In the case of a general written authorisation, the processor shall inform the Company of any planned changes affecting the use of additional processors or their replacement, thereby giving the Company the opportunity to object to such changes.
The Company shall identify the data processors used in the Prospectus.
The data processors used by the Company:
- Unicredit Bank Zrt. (6722 Szeged, Kossuth Lajos sgt. 18-20)
- dr. Márton Imre Law Office
The Company uses External Service Providers, with which the Company cooperates.
Personal Data processed in the systems of Third Party Service Providers is governed by the Third Party Service Providers' own privacy policies. The Company will use its best efforts to ensure that the Third Party Service Provider processes the Personal Data transferred to it in accordance with the law and uses it only for the purposes specified by the Data Subject or set out in the Notice below.
The Company will inform the Data Subjects about the data transfers to External Service Providers in the context of the Prospectus.
External service providers:
- Magyar Posta Zrt.
- GLS Hungary Ltd.
- Facebook (Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States)
- Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-7329, USA) - Dropbox Inc.(333Brannan Street, San Francisco CA 94107)
The Company shall ensure the security of the data, take the technical and organisational measures and establish the procedural rules that are required by the applicable legislation,
necessary to enforce data protection and confidentiality rules. The Company shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction or damage, and against inaccessibility due to changes in the technology used.
The Company and the data processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the scale of the risk, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons.
Within the framework of the above:
- ensure that measures are in place to protect against unauthorised access, including the protection of software and hardware devices and physical protection (access protection, network protection);
- take measures to ensure that data files can be restored, backed up regularly;
- takes measures to protect against viruses.
The Company will delete the Personal Data,
a. If it is found that the data is being processed unlawfully, the Company will delete it without delay.
b. Where the Data Subject requests it (except for processing based on law).
The Data Subject may request the erasure of data processed on the basis of his or her voluntary consent. In this case, the Company will delete the data. Deletion may only be refused if the processing of the data is authorised by law. The Company shall in any case provide information on the refusal of the request for erasure and on the law authorising the processing.
- Where it becomes known that the data is incomplete or inaccurate, and this situation cannot be lawfully remedied, provided that deletion is not excluded by law.
- If the purpose of the processing has ceased or the statutory time limit for storing the data has expired;
The erasure may be refused (i) if the processing of Personal Data is authorised by law; and (ii) if necessary for legal protection or enforcement.
(e) It has been ordered by a court or the National Authority for Data Protection and Freedom of Information If a court or the National Authority for Data Protection and Freedom of Information has issued a final order for the deletion of the data, the Data Controller shall carry out the deletion.
Instead of deletion, the Company shall block the personal data, after informing the Data Subject, if the Data Subject so requests or if, on the basis of the information available to it, it is likely that deletion would harm the Data Subject's legitimate interests. Personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data is pursued. The Company shall mark the personal data it processes if the Data Subject contests its accuracy or correctness but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
In the case of processing required by law, the erasure of data shall be governed by the law.
In the event of deletion, the Company will render the data unidentifiable. If required by law, the Company will destroy the data carrier containing the personal data. In any case, the Company shall inform the Data Subject of any refusal to comply with a request for erasure, indicating the reasons for the refusal. Once the request for erasure of personal data has been complied with, the previous (erased) data can no longer be restored.
Newsletters sent by the Company can be unsubscribed via the unsubscribe link in the newsletter.
In case of unsubscription, the Company will delete the Personal Data of the Data Subject in the newsletter database.
19.1 The Company shall inform the Data Subject about the processing of the data at the time of contacting the Data Subject. The Data Subject shall also have the right to request information on the processing at any time.
The Data Subject has the right to receive feedback from the Company as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and to be informed of the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period. The data subject shall have the right to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of such personal data. He or she shall also have the right to lodge a complaint with a supervisory authority and, where the data have not been collected from the data subject, to obtain any available information concerning their source.
19.2 The Data Subject shall have the right to have inaccurate personal data relating to him or her corrected by the Controller without undue delay upon his or her request. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
19.3 Except for processing required by law, the Data Subject may request the Company to delete personal data concerning him or her without undue delay. The Company shall inform the Data Subject of the erasure.
19.4. The Data Subject may object to the processing of his or her personal data in accordance with the provisions of the Data Protection Act.
19.5.The Data Subject may submit a request for information, rectification or erasure in writing, by letter addressed to the registered office of the Company or by email to the Company at info@fingerprint.hu.
19.6 The Data Subject may request the Company to restrict the processing of his or her Personal Data if the Data Subject contests the accuracy of the Personal Data processed. In this case, the restriction shall apply for the period of time that allows the Company to verify the accuracy of the Personal Data. The Company will flag the Personal Data it processes if the Data Subject disputes its accuracy or correctness but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.
The Data Subject may request that the Company restrict the processing of his or her Personal Data even if the processing is unlawful, but the Data Subject opposes the erasure of the processed Personal Data and instead requests the restriction of its use.
The Data Subject may also request the restriction of the processing of his or her Personal Data by the Company if the purpose of the processing has been fulfilled, but the Data Subject requires the processing of his or her Personal Data by the Company for the establishment, exercise or defence of legal claims.
19.7 The Data Subject has the right to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data.
19.8 If the Company does not comply with the Data Subject's request for rectification, blocking or erasure, it shall inform the Data Subject in writing within 30 days of receipt of the request of the reasons for refusing the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the Data Subject of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information.
19.9.The Data Subject may make the above statements in relation to the exercise of his or her rights at the contact details of the Controller set out in point 2.
19.10. The Data Subject may also lodge a complaint directly with the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu). The Data Subject is entitled to take legal action under Article 22 (1) of the Data Protection Act in the event of a breach of his/her rights. The court of law has jurisdiction to decide on the case. At the Data Subject's option, the lawsuit may also be brought before the court of the Data Subject's domicile or residence. Upon request, the Data Controller shall provide the Data Subject with detailed information on the possibilities and means of legal remedy.
Szeged, 2024. 03. 25.
English
Magyar