PRIVACY AND DATA SECURITY POLICY
I. GENERAL PROVISIONS
1. Within the framework of its activities, the Company provides, among other things, direct marketing, including promotional activities (sending newsletters and advertisement newsletters, calls to participate in giveaways, offering products/services) and telemarketing/telesales activities, and to that end handles company names and residential address data (contact details), as well as personal data.
2. Computer programming (software development) is also an activity of the Company, during which client data may be transferred to the Company in relation to carrying out this activity.
5. The Company ensures that data are collected and used in a fair and lawful manner.
6. The Company shall process such data
• for the purpose specified in the Data Processing Policy, thus for marketing or direct marketing activities,
• and, in the case of Client Data, in the course of its software development activity performed for its contractual partners, exclusively in the interest of carrying out that software development activity (hereinafter jointly: activity or activities), and it is allowed to process only data which are required and suitable for the respective activities. Data processing is allowed exclusively to the extent required for carrying out the respective activity and, in the case of Client Data, with respect to the software development activity specified in the respective contract, for the duration necessary for performing the software development activity under that contract.
8. Access to data will be granted by the Company exclusively to employees, or persons working under any other arrangement who by virtue of their duties are authorized and obligated to
• carry out activities, and/or
• operate the server hosting data.
9. During data handling attention should be paid to data integrity.
10. In the event the process of activities changes, or if otherwise warranted by circumstances influencing the performance of activities, the Company will, as required, amend this data protection and the data processing policy accordingly.
II. TECHNICAL MEASURES FOR DATA PROTECTION
1. The Company shall store data on password-protected servers or in password-protected CRM databases, ensuring that they are displayed only on password-protected workstations.
2.a. The Company shall provide for the physical protection of the data-hosting server by using premises equipped with security locks (server rooms). The entrance to the premises dedicated to safeguarding the server (server room) can only be reached after entering the building of the Company’s seat; all other doors and windows prevent forced entry using generally accepted methods. The seat of the Company is located in an office building with a 24-hour concierge and equipped with an alarm system. There is one designated person at the Company authorized to use the keys to the server room. At the same time, the Company designates a substitute person to use the keys should the person in charge of the keys be unable to perform this duty for any reason. The keys can be handed over exclusively in this latter case, to the identified substitute person, for the purpose of handling the keys.
2.b. In addition to this, the Company uses cloud services to store data, where access is also password-protected.
3. To prevent any unauthorized person from accessing the IT assets that store data and are accessible through networks, all IT/information technology tools available at all times should be utilized.
6. By sustaining and maintaining its currently available IT assets, the Company shall ensure their availability and the load capacity required for the software development activity as per contract.
7. The erasure of electronically stored data will be performed by final deletion.
III. ORGANISATIONAL MEASURES FOR DATA PROTECTION AND SECURITY
1. The Company will grant data access exclusively to employees, or persons working for it under any other arrangement, who by virtue of their duties are authorized and obligated to have access to such data because
• to perform their respective activities they need access to data pertaining to the given activity, as well as to persons who
• operate the server hosting data.
4. Displaying data is only allowed while the given activity is being performed, only for that purpose, and only for the time period necessary to carry out the given activity.
5. Furthermore, it is expressly forbidden to print or display the data by any other physical means (hard copy) for any purpose other than performing the activity, or to take the hard copy of the document from the premises designated for carrying out such tasks. It should also be ensured that while displaying data, no such data is lost, damaged or destroyed and that their content does not become known to, or accessed by, any unauthorized person. Should the storage of the hard copy of data become inevitable, it should be kept only for the time period absolutely necessary to normally carry out the activity and only in closed premises and in lockable filing cabinets. Any hard copy of the data should be destroyed immediately once the purpose of printing the hard copy has ceased to exist.
7. Forwarding Client Data is permitted only in strict accordance with the provisions of the software development contract and, unless otherwise stated in the relevant contract, exclusively to the Company’s contractual partners under the respective contract.
10. The Company keeps records of the data handled in order to ensure control over data handling, as well as over the provisions on data protection and data security, and to trace the database path. The records include the name of the database, the date of each phase and of the end of data handling, as well as the name and signature of the persons handling the data along with their superiors.
IV. MISCELLANEOUS PROVISIONS
Budapest, 29 November 2019
MULTISOFT Information Technology Services Limited Liability Company
Pursuant to the effective Hungarian regulations as well as Regulation No 2016/679 of the European Parliament and the Council (hereinafter: Regulation), by registering on its website, submitting a Contact form, or subscribing to the newsletter of MultiSoft Kft. (hereinafter: newsletter), you voluntarily consent to MultiSoft Ltd. (seat: 1115 Budapest, Bartók Béla út 105-113.; Company Registration Number: 01-09-161858; Data Protection Register Number: NAIH-83380/2015., NAIH-129040/2017., NAIH-112080/2017; email address: firstname.lastname@example.org), hereinafter “MultiSoft Ltd.” or “Data Controller”, handling your personal data for the data processing purposes specified under Section 5 in compliance with the referred legal provisions.
Please note that the legal ground for data processing is your voluntary consent to such data processing. You have the right at any time to revoke your consent to your data being processed, to request information on your data being processed, and to request rectification or deletion of your data (cessation of data processing) for all or some of the purposes outlined below, in writing, in a letter sent to “1115 Budapest, Bartók Béla út 105-113.” or to the email address email@example.com.
You should be especially aware that the User has the right to object to the processing of his or her data for direct marketing purposes in a letter sent to “1115 Budapest, Bartók Béla út 105-113.” or to firstname.lastname@example.org.
While registering on the webpage of Data Controller, submitting the Contact form, or signing up for the newsletter, the personal data entered by the User will be processed by the Data Controller until such consent is revoked by the User.
Withdrawing consent to data processing will not affect the legality of data processed until that time.
The Data Controller will not be liable for the authenticity of the data you provided.
Data Protection Register Numbers: NAIH-83380/2015., NAIH-129040/2017., NAIH-112080/2017;
1. GENERAL PROVISIONS
– to facilitate the enforcement of regulations on data protection;
– to specify the scope of the User’s personal data processed by the Data Controller under Section 6 and the method of data handling, respecting the privacy of natural person Users in compliance with other regulations and fulfilling the requirements of data protection and data safety;
– to inform Users, before starting data processing, of the identity of the Data Controller, the purpose, the duration and legal ground for data collection, as well as the options and ways to enforce User rights relating to data management; and
– to prevent any unauthorised access to, alteration or unlawful disclosure or use of User’s personal data.
4. DECLARATION BY USER
By registering and/or signing up for the newsletter and/or submitting the Contact form, the User consents to the Data Controller managing the personal and other data voluntarily provided for the purposes outlined in Section 5 and, at the same time, consents to the use of his or her name and access data (email address, telephone number, residential address) for continuous, as well as for repeated contact.
The User declares that the information provided during registration is true and that it does not constitute a breach of personal or other rights, nor legally protected rights of third parties.
5. DATA PROCESSING OBJECTIVES
Management of the Users’ personal information will be carried out for:
– the use, provision, maintenance, protection of services offered through the website by the Data Controller (hereinafter: “Services”);
– further development of Services, as well as the development of new services;
– protection of the Data Controller and the User;
– for the preparation and completion of activities by the Data Controller with regard to the Services, specifically including the display of contents posted on the Website, as well as providing support for such activities by the Data Controller;
– promotional purposes related to the above activities (sending newsletters or promotional mails, participation in giveaways, sending product/service offers, direct marketing and telemarketing/telesales activity, promotion of functions).
6. SCOPE OF PERSONAL DATA MANAGED
The provisions related to handling and the protection of User’s personal data are applicable exclusively to natural persons given that personal information may only be interpreted in the context of natural persons.
6.1. Personal information processed for the purposes of user identification, or any other activities
The Data Controller processes the following personal data of Users for identification:
(1) Natural personal identification data of user: first and surname, date of birth;
(2) User’s email address;
(3) User’s residential and mailing address;
(4) User’s direct telephone and fax number;
(5) Any personal information provided voluntarily by the User (such as address, position, interests) and other information.
6.2. Information processed in order to use the Services
(1) The IP address of User’s computer;
(2) Information on User’s activity related to the use of the webpage (such as tracking metrics of banner ad clicks).
Such data will be automatically logged by the Data Controller’s system. These data are not suitable for personal identification, the Data Controller shall not link the data in the log file to other personal data in order to use such data for trend analysis, for preparing statistics of site use, for administering the services, analysing and satisfying user demands, to contribute to developing the level of service.
6.3. Services
Registration forms: on these pages the Data Controller may ask for personal data required to use the services; these are also submitted voluntarily.
Contact forms: on these pages the Data Controller may ask for personal data required to keep contact; these are also submitted voluntarily.
7. LEGAL GROUNDS AND METHODS OF DATA PROCESSING
In the event the User places an order on the webpage, until delivering the order pursuant to Article 6(1) b) of the Regulation and Article 6(4) of the Info Act the lawful basis for data processing is the legal interest of Data Controller in the fulfilment of the contract – in case they are needed to fulfil the contract.
8. DATA SECURITY
In compliance with Article 7 of the Info Act and Articles 32-34 of the Regulation, the Data Controller shall make every effort to ensure the security of your personal data. In addition, the Data Controller will take all necessary technical and organisational measures and establish the operational rules required to enforce the Info Act and other data and privacy regulations.
In the event there is any change to details provided by the User, the corresponding updates should also be indicated. This may be carried out by mailing a letter to the “1115 Budapest, Bartók Béla út 105-113.” address, or to the email@example.com email address. In the event the User has a user account on the webpage, updates may also be performed on the webpage.
9. USER RIGHTS
In the event the Data Controller fails to take measures in response to the User’s request, then within one month following receipt of the request it will advise the User of the reason for not taking measures, as well as of the User’s option to lodge a complaint at the National Agency for Data Protection or to seek judicial redress.
Any such request will be addressed by the Data Controller free of charge, except, if the request is clearly unfounded, excessive or excessive due to repetitive occurrences, in which case the Data Controller may charge a reasonable fee or may deny taking measures based on the request.
(a) Information, access
Information may be requested about personal data processing based on Article 14. A), as well as Article 15(1) of the Regulation. Upon request the Data Controller may give information to the User if his or her personal information is processed by the Data Controller or a Data Processor, who is commissioned or assigned by the Data Controller. If the information is processed by the Data Controller or by a Data Processor commissioned for processing or assigned by the Data Controller, then the Data Controller will make the personal information processed by the Data Controller or the Data Processor commissioned for processing or assigned by the Data Controller available to User and within the framework of or depending on the request will inform User about
– the source of the personal data processed,
– the purpose and the legal ground, the duration of data processing,
– the scope of personal data,
– in case of forwarding the personal information processed the scope of recipients of data forwarding including recipients in third countries and international organisations,
– the duration of storing the personal information managed, the viewpoints in determining this time frame,
– the rights User is entitled to under the Info Act, as well as advising about the ways of enforcing such rights,
– in case of profiling, this fact itself, furthermore
– the circumstances of any eventual data protection incidents in handling User’s personal information, their impact and the measures taken to manage and mitigate them,
in addition to advising the User about their activities in relation to data processing.
The Data Controller may rectify personal data if requested by a User, in case some of the personal information is inaccurate and the accurate data is made available to the Data Controller. Besides, the User is entitled to ask for any missing personal data.
In compliance with the provisions in this Section 8(b) if the information processed by the Data Controller or by the Data Processor commissioned or assigned by the Data Controller is incomplete, incorrect or missing, then they will immediately be rectified or corrected by Data Controller especially so if requested by the User, or if it is compatible with the purpose of data processing, it will be complemented with the additional personal data made available by the User or with User’s comment on the personal information handled. The Data Controller will be exempted from the liability described in the previous sentence, if no correct, true and complete personal information is available and they are not provided by the User, or the truthfulness of the personal information provided by the User cannot be assessed beyond any doubt.
The Data Controller shall delete the personal information, if this or the cessation of data processing is requested by a User.
The Data Controller may only refuse a request to erase personal information in the following cases:
a) Additional processing of information is required for the freedom of expression and to exercise the right for information; or
b) additional processing of information is required to comply with the EU or member state law stipulating the processing of personal information applicable to the Data Controller; or
(d) Restriction of data processing
The Data Controller will restrict data processing, if
– the User disputes the accuracy, truthfulness or completeness of the personal data processed by the Data Controller or by the Data Processor commissioned or assigned by the Data Controller, and the accuracy, truthfulness and completeness of the personal data processed cannot be established beyond any doubt, or
– as a result of unlawful data processing the information should be deleted due to the unlawfulness of data processing, but based on the written statement by the User or based on the information available for the Data Processor there are grounds to believe that deleting the information would harm legitimate user interests, for the duration of legitimate interests giving grounds for not deleting data or
– due to unlawful data processing the information should be deleted, but for examinations or procedures carried out by the Data Controller or by or with the participation of other bodies with public service mission set forth in regulations – thus especially in criminal proceedings – the information should be retained as evidence until closing such examination or procedure.
Personal data restricted in this fashion will be handled by the Data Controller only for as long as the purpose of data handling that excluded the deletion of the personal data continues to exist. Restricted personal information, except for storage, may only be processed for enforcing legitimate User interests, or with the User’s consent, or for litigation, enforcement or defence of legal claims, or in the defence of another natural or legal entity, or on the grounds of an important public interest of the European Union or a member state. The Data Controller will notify the User if a restriction is imposed. The Data Controller will give advance notice to the User of the withdrawal of a restriction in the case the restriction was necessary for verifying data accuracy, truthfulness or completeness.
The User may at any time object to the processing of his or her personal information. In the event the User objects to data processing, his or her personal data should not be further processed, unless the Data Controller proves that there is a compelling justification for data processing which outweighs User interests, rights and freedoms, or which is linked to litigation, enforcement or defence of legal claims.
In the event the User objects to processing personal information for direct marketing efforts, then the personal information may not be further used for such purpose.
To object to data processing for direct marketing, the User has options ranging from other communications to selecting the appropriate checkbox on the website of the Data Controller.
(f) Right to Data Portability
Within the scope of right to data portability the User is entitled to ask for a structured, widely used, machine-readable copy of his or her personal information processed by the Data Controller, as well as to ask the Data Controller to directly forward his or her personal information to another data controller.
10. RIGHTS TO LEGAL REDRESS
(a) Judicial Enforcement
The User may turn to court in relation to the Data Controller or – to the data processing operations falling within the Data Controller’s activities – against the Data Controller, if in his or her view the Data Controller or the Data Processor commissioned or assigned by the Data Controller handles his or her personal information contravening the provisions outlined in the regulations on personal data processing or in any mandatory EU legislative act.
Demonstrating compliance with the requirements outlined in regulations or in the mandatory EU legislative acts on processing personal information is the responsibility of Data Controller or Data Processor commissioned by the Data Controller.
The case may be brought before the court competent according to his or her residence or place of stay at his or her discretion. Persons with no legal capacity may also be party to the case.
If the Data Controller or the Data Processor commissioned or assigned by the Data Controller breaches the provisions set forth in the regulations or mandatory EU legislative acts on processing personal information, thereby causing damage to others, it is liable to compensate for that damage.
If the Data Controller or the Data Processor commissioned or assigned by the Data Controller breaches the provisions set forth in the regulations or mandatory EU legislative acts on processing personal information, infringing personality rights of somebody else, the person whose personality rights suffered harm by the Data Controller or the Data Processor commissioned or assigned by the Data Controller may claim compensation in tort.
The detailed means of enforcement, as well as the detailed legal provisions on the responsibilities of the Data Controller are set out in the Info Act.
The rights of incapacitated Users, or Users with limited legal capacity regarding data processing – including giving consent to personal data processing – will be exercised by their legal representative, or guardian and the User’s responsibilities will be fulfilled by such representative or guardian. No consent or post factum approval by the legal representative or guardian is required for the validity of a consent provided by a minor under the age of 16.
(b) Public Enforcement
– may initiate an investigation by the National Agency for Privacy Protection to examine the legality of measures by the Data Controller, if before starting data processing the Data Controller failed to inform the User or failed to inform in accordance with the provisions of the Info Act, or hindered the User in enforcing his or her rights outlined in Section 9 of this Data Processing Policy or refused the application to enforce such rights, or
– may initiate a procedure by the National Agency for Privacy Protection if in his or her view during processing his or her personal information the Data Controller or the Data Processor commissioned or assigned by the Data Controller breaches the provisions specified in the Regulation or in the mandatory EU legislative acts on data processing.
11. CLOSING PROVISIONS
The Internal Data Protection and Data Security Policy of the Data Controller forms an inseparable Schedule I of this Policy and specifies all technical and organisational measures ensuring the protection of data processed for direct marketing.
Budapest, 29 November 2019