GDPR
GARZON BÚTOR CÉGCSOPORT ADATKEZELÉSI TÁJÉKOZTATÓ
GARZON FURNITURE GROUP OF COMPANIES
PRIVACY POLICY
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Regulation 95/46/EC (hereinafter: the Regulation), stipulates, that the company, as a data controller, takes appropriate measures in order to provide the data subject with all information regarding the processing of personal data in a concise, transparent, comprehensible and easily accessible form, formulated in a clear and comprehensible manner, and also facilitates the exercise of the rights of the data subject.
CXII of 2011. required by law. With the following information, we fulfill this legal obligation. The terms in the information sheet shall mean the terms used in the Regulation, the rules of the Regulation shall be applied to non-regulated issues. The information must be published on the company's website or made available to the person concerned and sent to him.
This information sheet contains information about the data manager and data processor, the legal bases and purposes of data management, your possible rights, and the possibility of exercising them.
DATA REGARDING THE DATA MANAGER
Name of the data controller: Garzon Bútor Céggroup companies
A-SET Real Estate Co., Ltd.
Headquarters: 8000 Székesfehérvár, Bakony utca 4.
company registration number: 07 09 015164
tax number: 14458695-2-07
Garzon Bútor Kereskedelmi Kft.
Headquarters: 8000 Székesfehérvár, Bakony utca 4.
company registration number: 07 09 009543
tax number: 13063203-2-07
Garzon Furniture Ltd.
Headquarters: 8000 Székesfehérvár, Bakony utca 4.
company registration number: 07 10 001035
tax number: 11105020-2-07
Garzon Novum Kereskedelmi Kft.
Headquarters: 8000 Székesfehérvár, Bakony utca 4.
company registration number: 07 09 021671
tax number: 23769429207
E-mail: garzon@garzon.hu
telephone: +36 22 512 220
fax: +36 22 329 403
website: www.garzon.hu
(hereinafter: Company)
The company's data protection officer:
dr. Gergely Kozma e.v. 52286010
e-mail: info@adatorom.hu
DATA PROCESSORS OF THE COMPANY
Data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller; (Article 4, 8 of the Regulation)
Personal data will also be transferred to the following data processors in order for them to be processed for us in accordance with our instructions and our data protection policy, in accordance with all other relevant confidentiality and security measures.
The use of the data processor does not require the prior consent of the data subject, but information is required. Accordingly, we provide the following information:
1. The company's IT service provider
For the maintenance and management of its website, our company uses a data processor who provides IT services (hosting services) and within this framework - for the duration of our contract with him - manages the personal data provided on the website, the operation performed by him is the storage of personal data on the server.
Name of data processor:
Company name: A-SET Real Estate Utilization Limited Liability Company
Headquarters: 8000 Székesfehérvár, Bakony u. 4.
Company registration number: 07 09 015164
Phone number: +36 22 512 220
fax.: +36 22 329 403
2. Postal services, delivery, parcel delivery
These data processors receive from our company the personal data necessary for the delivery of the ordered product (name, address, telephone number of the person concerned), and use this to deliver the product.
Name of data processor:
DHL Express, DPD Hungária Kft., GLS Hungary, Magyar Posta Zrt., Magyar Posta Zrt. - MPL Courier Service, United Parcel Service, in short UPS, Royal Courier Service, TNT,
LEGAL BASIS AND PURPOSE OF DATA MANAGEMENT
1. Data management based on the data subject's consent
In the case of consent-based data management, the company requests the data subject's consent to the processing of their personal data with the content and information in accordance with the declaration of consent defined in the data management regulations.
Consent is also considered if the data subject ticks a relevant box when viewing the company's website, makes relevant technical settings when using services related to the information society, as well as any other statement or action that, in the given context, constitutes the data subject's consent. clearly indicates the planned handling of your personal data. Silence, a pre-ticked box or inaction is therefore not consent. The consent is for the same purpose or purposes
covers all data management activities. If data processing serves several purposes at the same time, consent must be given for all data processing purposes.
If the data subject gives his consent in the context of a written statement that also applies to other matters - e.g. the conclusion of a sales or service contract - the request for consent must be presented in a way that is clearly distinguishable from these other matters, in an understandable and easily accessible form, with clear and simple language. Any part of such a statement containing the consent of the data subject that violates the Regulation is not binding.
The company may not make the conclusion or performance of a contract dependent on consent to the processing of personal data that is not necessary for the performance of the contract.
It should be possible to withdraw consent in the same way as to give it.
If the personal data was collected with the consent of the data subject, the data controller may, unless otherwise provided by law, process the collected data for the purpose of fulfilling the relevant legal obligation without further separate consent, and also after the withdrawal of the consent of the data subject.
2. Data management based on the fulfillment of a legal obligation
In the case of data management based on legal obligations, the scope of data that can be handled, the purpose of data management, the duration of data storage, and the recipients are governed by the provisions of the underlying legislation.
Data management based on the legal title of fulfilling a legal obligation does not depend on the consent of the data subject, as data management is defined by law. Before data processing begins, the data subject must be informed that data processing is mandatory, and before data processing begins, the data subject must be informed clearly and in detail about all the facts related to the processing of their data, in particular the purpose and legal basis of data processing, the person entitled to data management and data processing, the about the duration of data management, about whether the personal data of the data subject is managed by the data controller based on the relevant legal obligation, and about who can see the data. The information must also cover the data subject's rights and legal remedies. In the case of mandatory data management, the information can also be provided by publishing a reference to the legal provisions containing the above information.
3. Data management based on legitimate interest
The company uses separate information regarding the camera surveillance used. In connection with its camera system, it examined and evaluated the legitimate interests of the data controller and third parties.
In the case of data processing based on legitimate interests by the company as an employer, the legitimate interests of the data controller and the employees were examined and evaluated. The company informs its employees separately about data management when establishing an employment relationship.
4. Promoting the rights of the data subject
During all data management, the company ensures the exercise of the rights of the data subject. In order to exercise your rights, you can contact the company at the contact details listed in the "data concerning the data controller" section.
The company will inform the data subject of the measures taken following the request within one month of receipt of the request.
The fulfillment of the request can be extended by another two months. The person concerned must be informed of the reasons for the extension of the deadline within one month of receipt.
If the company does not take action regarding the request, it shall inform the data subject within a maximum of one month of the reasons for the failure to take action, as well as of the right to file a complaint with the supervisory authority and to seek judicial redress.
The data subject can exercise the rights indicated in this information free of charge. If the data subject's request is clearly unfounded or - especially due to its repeated nature - excessive, the data controller may establish a reasonable fee based on administrative costs or refuse to act on the request.
If the purposes for which the data controller processes the personal data do not or no longer require the identification of the data subject, the company is not obliged to store, obtain or process additional information in order to identify the data subject in order to comply with the regulation.
If the company is not in a position to identify the person concerned, it will inform him of this. In such a case, the data subject may not exercise their right to access, correction, deletion, restriction, related notification, or data portability, unless the data subject provides additional information enabling identification in order to exercise their rights.
If the company has well-founded doubts about the data subject exercising his right to access, correction, deletion, restriction, related notification and data portability, as well as his right to object, he may request the provision of additional information necessary to confirm his identity, taking into account the provisions of the previous paragraph.
5. Purpose of data management, managed data
The company manages the data for the following purposes:
In the case of data processing related to invoicing, the company processes the name and billing address of the data subjects in order to fulfill the legal obligation of the data controller. It is possible for accountants performing accounting and taxation tasks to forward invoices. We keep invoices for 8 years.
In the case of data processing related to the conclusion of a contract (supplier, customer), the data subjects are informed about the purpose of the data processing, the legal basis, and the duration of the data storage in the contract.
The contact persons of contracts are employed by the contracting parties, performing the contact function is their job duty, therefore they are informed in the framework of employer information.
In the case of customer service (correspondence, telephone contact) data management, the performance of the contract with the contractual partners takes place on a legal basis, or on the basis of the data subject's request for consent to the processing of their data. We manage the data of customers recorded in the contract, the data of contacts, and the data provided based on consent, for the period specified in the contract in the case of a contract, or until its withdrawal in the case of consent.
The voluntary participation is ensured for the company's employees in the event of taking pictures of persons performing and participating in events organized by the company. The purpose of data management is to strengthen workplace cohesion, team building, and increase the company's reputation. Following on-site information, a crowd recording may be made of the persons performing and participating in the events, which the company may publish on its website. The consent of the person concerned is required for the creation and publication of portraits. The images are available on the company's website for 1 year, after which they are archived.
Information on data management related to the newsletter is contained in a separate policy, which is available on the company's website before subscribing to the newsletter.
In the case of resumes, the company acts in accordance with the data protection regulations, and publishes information in the job advertisement stating that consent to data management must be given as part of the application, failing which the company will destroy the resume. In the case of CVs received without a call for tenders, if it does not include consent to the processing of the data for 3 months, the company is only entitled to check whether it has a vacant position corresponding to the tender material, if such a position is not available, at the request of the person concerned, the based documentation is returned, electronic documentation is destroyed. The purpose of data management is the selection and screening of the company's future employees, and the continuous provision of personnel.
INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED
The rights of the data subject in summary:
1. Transparent information, communication and facilitating the exercise of the rights of the person concerned
2. Right to preliminary information - if personal data is collected from the data subject
3. Informing the data subject and the information to be made available to him, if the personal data was not obtained from him by the data controller
4. The data subject's right of access
5. Right to rectification
6. The right to erasure (“the right to be forgotten”)
7. The right to restrict data processing
8. Notification obligation related to the correction or deletion of personal data or the limitation of data management
9. The right to data portability
10. Right to protest
11. Automated decision-making in individual cases, including profiling
12. Limitations
13. Informing the data subject about the data protection incident
14. The right to complain to the supervisory authority (right to an official remedy)
15. Right to an effective judicial remedy against the supervisory authority
16. Right to an effective judicial remedy against the controller or data processor
In order to exercise your rights, you can contact the company at the contact details listed in the "data concerning the data controller" section.
In the details of the data subject's rights:
1. Transparent information, communication and facilitating the exercise of the rights of the data subject pursuant to Article 12 of the Decree
The data controller provides the data subject with concise, transparent, comprehensible and easily accessible information regarding the processing of personal data.
must be provided in a clear and comprehensible form, especially in the case of any information addressed to children. The information must be provided in writing or in another way, including, where applicable, the electronic way. Verbal information can also be provided at the request of the data subject, provided that the identity of the data subject has been verified in another way.
The data controller must facilitate the exercise of the data subject's rights, which we have provided information about in a separate section above in this information sheet.
2. Right to preliminary information - if personal data is collected from the data subject based on Article 13 of the Regulation
The purpose of this information is to ensure that the data subjects are informed in advance about the data management, in the framework of which the data subject is entitled to receive information about the facts and information related to the data management before the data management begins. In this regard, the person concerned must be informed:
the identity and contact details of the data controller and its representative,
the contact details of the data protection officer (if any),
the purpose of the planned processing of personal data and the legal basis of data processing,
in the case of data management based on the assertion of legitimate interest, on the legitimate interests of the data controller or a third party,
about the recipients of the personal data - with whom the personal data is communicated - and the categories of recipients, if any;
where applicable, the fact that the data controller wishes to transfer the personal data to a third country or international organization.
In order to ensure fair and transparent data management, the data controller must inform the data subject of the following additional information:
on the period of storage of personal data, or aspects of determining the period;
about the data subject's right to request from the data controller access to personal data concerning him, their correction, deletion or restriction of processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
in the case of data processing based on the consent of the data subject, the right to withdraw consent at any time, which does not affect the legality of data processing carried out on the basis of consent before the withdrawal;
on the right to submit a complaint to the supervisory authority;
about whether the provision of personal data is based on legislation or a contractual obligation or is a prerequisite for the conclusion of a contract, as well as whether the data subject is obliged to provide the personal data, and what possible consequences the failure to provide data may have;
about the fact of automated decision-making, including profiling, as well as, at least in these cases, about the logic used and understandable information about the significance of such data management and the expected consequences for the data subject.
If the data controller wishes to carry out further data processing on personal data for a purpose other than the purpose of their collection, it must inform the data subject of this different purpose and all relevant additional information before further data processing.
3. Informing the data subject and the information to be made available to him, if the personal data was not obtained from him by the data controller in accordance with Article 14 of the Regulation
If the data controller did not obtain the personal data from the data subject, the data controller shall notify the data controller no later than one month from the date of acquisition of the personal data
within; if the personal data is used for the purpose of contacting the data subject, at least during the first contact with the data subject; or if it is expected that the data will be communicated to another recipient, at the latest when the personal data is communicated for the first time, you must inform about the facts and information written in point 2 above, as well as the categories of the personal data concerned, as well as the source of the personal data and, where applicable, that the data whether they come from publicly available sources.
The additional rules are governed by the previous point 2 (Right to prior information).
4. The data subject's right of access pursuant to Article 15 of the Regulation
Based on access, the data subject is entitled to inquire with the data controller and receive feedback from him as to whether his personal data is being processed, and if such data processing is underway, he is entitled to receive information about the following:
the purposes of data management;
categories of personal data concerned;
the recipients or categories of recipients to whom or to whom the personal data has been or will be communicated, including in particular recipients in third countries and international organizations;
where appropriate, the planned period of storage of personal data or, if this is not possible, the criteria for determining this period;
the right of the data subject to request from the data controller the correction, deletion or restriction of processing of personal data concerning him and to object to the processing of such personal data;
the right to submit a complaint to a supervisory authority;
if the data were not collected from the data subject, all available information about their source;
the fact of automated decision-making referred to in paragraphs (1) and (4) of Article 22 of the GDPR, including profiling, as well as, at least in these cases, comprehensible information about the logic used and the significance of such data management and what it means for the data subject has expected consequences.
If the data subject requests a copy of his or her personal data, the data controller will make it available to the data subject.
If the data subject submitted the request electronically, the company will provide the information in an electronic format, unless requested in a different format.
The company provides a copy of the personal data that is the subject of data management after the identification of the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.
The right to request a copy may not adversely affect the rights and freedoms of others, so, for example, the personal data of others may not be requested, except that the audio material of the notification made over the phone may be requested in its entirety.
5. The right to correction based on Article 16 of the Regulation
The data subject has the right to request that the data controller correct inaccurate personal data concerning him/her without undue delay, and is also entitled to request the completion of incomplete personal data, including by means of a supplementary statement. Data changes, if they are identifying data, must be verified.
Taking into account the purpose of the data management, the data subject is entitled to request the addition of incomplete personal data, including by means of a supplementary statement.
6. The right to erasure ("the right to be forgotten") according to Article 17 of the Regulation
The data subject has the right to request that the data controller delete the personal data concerning him without undue delay, and the data controller is obliged to delete the personal data concerning the data subject without undue delay, if
the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management;
the data subject objects to the processing of his data and there is no overriding legal reason for the data processing,
personal data has been processed unlawfully;
the personal data must be deleted in order to fulfill the legal obligation prescribed by the EU or Member State law applicable to the data controller;
the collection of personal data took place in connection with the offering of information society-related services offered directly to children.
The right to deletion cannot be asserted if data management is necessary
for the purpose of exercising the right to freedom of expression and information;
for the purpose of fulfilling an obligation under EU or Member State law applicable to the data controller, or for the execution of a task performed in the public interest or in the context of the exercise of public authority granted to the data controller;
on the basis of public interest in the field of public health;
for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the right to erasure would likely make this data management impossible or seriously jeopardize it; obsession
for the presentation, enforcement and defense of legal claims.
7. The right to restrict data processing based on Article 18 of the Regulation
If data management is subject to restrictions, such personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state.
In the following cases, the data subject has the right to have the data controller restrict data processing at his request:
the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to check the accuracy of the personal data;
the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use;
the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, assert or defend legal claims.
The data subject must be informed in advance of the lifting of the limitation of data management.
8. The notification obligation related to the correction or deletion of personal data or the limitation of data management pursuant to Article 19 of the Regulation
The data controller informs all recipients of all corrections, deletions or data management restrictions to whom or to whom the personal data was communicated, unless this
it turns out to be impossible or requires a disproportionate amount of effort. At the request of the data subject, the data controller informs about these recipients.
9. The right to data portability according to Article 20 of the Regulation
Right to data portability: cannot be exercised, because the company does not handle data in an automated manner.
10. The right to protest based on Article 21 of the Regulation
The data subject has the right to object at any time for reasons related to his own situation against the processing of his personal data based on the public interest, the performance of a public task (Article 6 (1) point e) of the Regulation) or legitimate interest (Article 6 point f) of the Regulation), including also profiling based on the aforementioned provisions. It cannot be used for data processing based on the data subject's consent and legal obligation.
After a protest, the data controller may no longer process the personal data, unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to the submission, enforcement or defense of legal claims .
If personal data is processed for direct business acquisition, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including profiling, if it is related to direct business acquisition. If the data subject objects to the processing of personal data for the purpose of direct business acquisition, then the personal data may no longer be processed for this purpose.
These rights must be specifically brought to the attention of the data subject during the first contact at the latest, and the relevant information must be displayed clearly and separately from all other information.
The data subject can also exercise the right to protest using automated means based on technical specifications.
If personal data is processed for scientific and historical research purposes or for statistical purposes, the data subject has the right to object to the processing of personal data concerning him for reasons related to his own situation, unless the data processing is necessary for the performance of a task carried out for reasons of public interest.
11. Automated decision-making in individual cases, profiling pursuant to Article 22 of the Regulation
The company does not use automatic decision-making or profiling.
12. Restrictions according to Article 23 of the Regulation
The EU or Member State law applicable to the data controller or data processor may limit the scope of the rights and obligations contained in these regulations through legislative measures, if the restriction respects the essential content of fundamental rights and freedoms.
13. Informing the data subject about the data protection incident based on Article 34 of the Regulation
If the data protection incident likely involves a high risk for the rights and freedoms of natural persons, the data controller must inform the data subject about the data protection incident without undue delay. In this information, the nature of the data protection incident must be described in a clear and understandable manner, and at least the following must be disclosed:
the name and contact details of the data protection officer or other contact person providing additional information;
the likely consequences of the data protection incident must be described;
the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
The data subject need not be informed if any of the following conditions are met:
the data controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the use of encryption - that make the personal data unintelligible to persons not authorized to access the personal data data;
after the data protection incident, the data controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future;
providing information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.
14. The right to complain to the supervisory authority (right to official remedy) pursuant to Article 77 of the Regulation
If you feel that you have been harmed during data processing, you can report this fact to the data controller at any time in order to resolve the situation using the contact details in the "data concerning the data controller" section.
You have the right to file a complaint with a supervisory authority - in particular in the Member State of your usual place of residence, workplace or the place of the alleged violation - if, according to the data subject, the processing of personal data concerning him violates the Regulation. The supervisory authority to which the complaint was submitted is obliged to inform the customer about the procedural developments related to the complaint and its outcome, including whether the customer is entitled to legal remedies.
Contact information of the National Data Protection and Freedom of Information Authority:
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22c
Postal address: 1530 Budapest, Pf.: 5.
Phone: +36 (1) 391-1400
Electronic mail address: ugyfelszolgalat@naih.hu
Website: www.naih.hu
15. The right to an effective judicial remedy against the supervisory authority based on Article 78 of the Regulation
Without prejudice to other administrative or non-judicial remedies, all natural and legal persons are entitled to an effective judicial remedy against the legally binding decision of the supervisory authority.
Without prejudice to other administrative or non-judicial remedies, all stakeholders are entitled to an effective judicial remedy if the competent supervisory authority does not
deals with the complaint, or does not inform the data subject within three months about the procedural developments related to the submitted complaint or its result.
Proceedings against the supervisory authority must be initiated before the court of the Member State where the supervisory authority is based.
If proceedings are initiated against a decision of the supervisory authority in relation to which the Board previously issued an opinion or made a decision within the framework of the uniformity mechanism, the supervisory authority is obliged to send this opinion or decision to the court.
16. The right to an effective judicial remedy against the data controller or the data processor according to Article 79 of the Regulation
Without prejudice to the available administrative or non-judicial legal remedies, including the right to file a complaint with the supervisory authority, each person concerned is entitled to an effective judicial remedy if, in his opinion, his rights according to this regulation have been violated as a result of the processing of his personal data not in accordance with this regulation.
Proceedings against the data controller or data processor must be initiated before the court of the Member State where the data controller or data processor operates. Such a procedure can also be initiated before the court of the Member State of the habitual residence of the person concerned, unless the data controller or the data processor is a public authority of a Member State acting in the capacity of public authority.
Legal notice:
The company's websites, all images, graphics, logos, textual content, data and information on them, as well as their layout, are protected by copyright, they may not be copied, stored electronically or in any other way, in whole or in part, beyond the requirements arising from the intended use. , may not be reproduced, transferred, distributed, printed, or made public without the explicit prior written permission of the company. Unauthorized use is against the law, and the company will initiate legal proceedings against it.
Dated, Székesfehérvár, May 25, 2018.
Companies of the Garzon Furniture Group:
A-SET Real Estate Co., Ltd.
Garzon Bútor Kereskedelmi Kft.
Garzon Furniture Ltd.
Garzon Novum Kereskedelmi Kft.