BODÓ GALÉRIA Zrt
H-1055 BUDAPEST, FALK MIKSA UTCA 24-26.
PRIVACY AND DATA PROCESSING POLICY
- General provisions
- The purpose of this Privacy and Data Processing Policy (hereinafter referred to as: “Policy”) is to establish the privacy and data processing policy of BODÓ GALÉRIA Kereskedelmi és Szolgáltató Zártkörűen Működő Részvénytársaság (H-1055 Budapest, Falk Miksa utca 24-26.) as Controller (hereinafter referred to as: “Controller”) in accordance with the principles of data protection and data processing set out in the effective Hungarian and EU legislation in order to ensure that the personality rights of the data subjects – including in particular their right to protection of their personal data – are respected in the course of any processing of their personal data conducted in the scope of their use of the Controller’s services, including in particular (but not limited to) the website accessible at the domain name bodogaleria.hu (hereinafter referred to as: “Website”).
- Data of the Controller:
- Company name: BODÓ GALÉRIA Kereskedelmi és Szolgáltató Zrt.
- Registered office: H-1055 Budapest, Falk Miksa utca 24-26.
- Company registration number: 01-10-048656
- VAT number: 25413870-2-41
- Statistical code: 25413870-7022-114-01
- Court of registration: Court of Registration of the Budapest-Capital Regional Court
- Represented by: János Bodó, CEO
- Email: firstname.lastname@example.org
- Web: bodogaleria.hu
- The purpose of this Policy is to set out the scope of the personal data processed by the Controller and the means of processing, to ensure compliance with the constitutional principles of data protection and the requirement of data security and to prevent unauthorised access to or alteration, disclosure or use of the data so that the privacy of natural person users is respected at all times.
- Principles of processing
- The Controller shall process the personal data provided to it in accordance with the effective Hungarian and EU legislation and the ethics requirements relating to the profession, in a fair manner and providing for the security thereof, and shall implement the technical and organisational measures and design the procedures necessary for appropriate and secure processing and compliance with the relevant legislative provisions and other recommendations at all times.
- The Controller shall comply with the legislative provisions relating to processing of the personal data in all phases of the processing. The processing conducted by the Controller shall primarily be governed by the provisions of the following legislation and recommendations:
- Act V of 2013 on the Civil Code (hereinafter referred to as: “Civil Code”),
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as: “Info Act”);
- Act CVIII of 2001 on Certain Matters Relating to e-commerce Services and Services Related to Information Society (hereinafter referred to as: “e-commerce Act”);
- Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Commercial Advertising Activity;
- Act VI of 1998 Promulgating the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28 January 1981);
- Act CXIX of 1995 on the Processing of Name and Address Data for the Purpose of Research and Direct Marketing;
- Act LIII of 2017 on Preventing and Combating Money-Laundering and Terrorist-Financing (hereinafter referred to as: “Money Laundering Act”);
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
- Personal data may only be processed for a specific purpose, for the exercise of rights and the fulfilment of obligations. The processing shall accord with the purpose of the processing in all stages of the processing, and the recording and processing of the data shall be fair and lawful.
- Only personal data that are essential and appropriate for the purpose of the processing may be processed. The personal data may only be processed to the extent and for the duration necessary for fulfilment of the purpose.
- During the processing, the personal data shall continue to be considered personal data as long as its connection to the data subject can be restored. The connection to the data subject can be restored if the data controller has the technical means necessary for the restoration thereof.
- In the course of the processing, it shall be ensured that the data is accurate, complete and – if it is necessary considering the purpose of the processing – up to date, as well as that the data subject can only be identified for the duration necessary for the purpose of the processing.
- The processing of the personal data shall be considered fair and lawful if the person who wishes to get to know the data subject’s opinion in order to ensure the data subject’s freedom of expression contacts the data subject at their place of permanent or current residence, provided that the personal data of the data subject are processed in accordance with the provisions of this Act and the purpose of the personal contact is not commercial. Such personal contacts may not take place on public holidays as set out in the Labour Code.
- “Data subject” means any specific natural person who is identified or identifiable (either directly or indirectly) based on personal data.
- “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future.
- “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- Scope of the personal data processed
- Use of the Newsletter service available via the Controller’s website (bodogaleria.hu) shall be conditional on subscription to the Newsletter, in the course of which the following personal data shall be provided:
- email address.
- The following personal data shall be provided in the course of the contractual business relationship to be established with the Controller (including in particular – but not limited to – the conclusion of consignment contracts, sale and purchase contracts, contracts for services, etc.):
- for natural persons:
- first and last name,
- first and last name at birth,
- place and date of birth,
- mother’s name at birth,
- address or current place of residency,
- type and number of identification document
- tax ID number.
- for legal persons and unincorporated organisations:
- name, abbreviated name,
- address of registered office or, for companies established abroad, address of Hungarian branch (if any),
- principal activity,
- name and position of persons authorised to sign on behalf of the company,
- data allowing for identification of person authorised to accept service,
- for legal persons registered in the company registry, the company registration number; for other legal persons, the number of the decision on their incorporation (entry into the records, registration) or registration number,
- VAT number.
- Data technically recorded in the course of operation of the system: data of the user’s computer logging in generated in the course of use of the service and recorded by the Controller’s system as an automatic result of the technical processes.
Automatically recorded data are automatically logged by the system at the time of logging in and logging out without any further declaration or act needed from the user. These data cannot be linked to any other personal data, except where the law requires this. Only the Controller is entitled to access the data.
- Legal basis, manner and purpose of the processing
- The Controller shall process the data of the Data Subject in accordance with the effective legislation relating to data protection, based on
- voluntary consent (e.g. subscription to newsletter, browsing the website, conclusion of sale and purchase contract),
- statutory obligations (e.g. requirements of the Civil Code or the Money Laundering Act).
- The data are provided via electronic means, in a non-automatic manner and in a paper-based manner. The servers and equipment used for storage in the course of the processing are located in Hungary, while paper-based processing takes place in the Controller’s official premises (registered office, place of business, branch).
- The purpose of the processing is for the Controller to be able to provide services at a high standard, information, correspondence and other economic events, as well as compliance with the obligations set out in the legislation.
- The Controller shall retain the data provided based on voluntary consent until the time such consent is withdrawn (the right to erasure is exercised), but at the maximum for 1 year, and shall retain data based on statutory obligations for the time required in such legislation.
- Anonymous data and cookies
- When logging in to the Controller’s website (bodogaleria.hu) and provided that the settings of the browser used by the Controller allow this or the visitor explicitly consents to this at the time of their first visit to the website, the website may automatically save information concerning the data subject’s computer or device used for browsing (e.g. tablet, smartphone, portable smart devices) and/or may place so-called “cookies” or other similar programs thereon.
Cookies are files that may be saved on the data subject’s computer or other device used for browsing when they visit a website. Cookies may have several functions and be used for various purposes, such as:
- collecting information regarding the data subject and/or their device,
- remembering the personal settings of the data subject,
- online transactions, or
- optimising advertising content on the website and other websites.
In general, cookies and other similar programs make use of the website easier and help the website provide a real web experience and an effective source of information to the data subjects, as well as ensure control over the operation of the website, prevention of abuses and the uninterrupted provision of the services provided on the website in an appropriate quality for the operator of the website.
The Controller records and processes the following data concerning the data subject and the data subject’s computer or other device used for browsing via cookies:
- IP address used by the data subject,
- type of the browser,
- characteristics (e.g. type, language settings) of the operating system of the device used for browsing,
- time and date of the visit,
- address of the website visited previously,
- the site or subsite visited; the function or service used,
- time spent on the website.
Cookies cannot, in themselves, identify the data subject.
- whether the data subject has already visited the website and what subsites or other sites belonging to the bodogaleria.hu domain they visited,
- what functions and services the data subject used,
- what information the data subject inquired about and which of them they are interested in the most.
Certain cookies are essential for browsing the website and using its features and the services available via the website smoothly and to their full extent. These cookies are called session cookies, and they, among other things, allow for remembering the operations conducted by the data subject on the website or in certain features or services. These cookies are only valid for the time of the current visit, and upon termination of the session or closing of the browser, they are automatically deleted from the computer (if they are configured to do so).
So-called performance cookies are used for collecting information on the manner in which the data subjects use the website. These cookies collect information such as what site or subsite the data subject viewed, what part thereof they clicked on, how many sites or subsites they visited, what other sites they visited, how much time they spent viewing each site, etc. The purpose of the foregoing is to improve and optimise the website and the features and services available thereon in order to improve user experience and provide uninterrupted service at an appropriate standard.
The website may contain links received from and pointing to external servers independent of the Controller. The provider of these references may, due to the direct connection to its own server, be able to collect user data (and possibly process such data in countries that do not qualify as safe third countries from the aspect of data processing), over which the Controller has no control. The Controller shall not be liable for such data collection, and it takes place solely subject to the visitor’s consent and until the withdrawal thereof or blocking/deletion of the cookies. External service providers also use so-called web beacons in relation to measuring user habits, displaying advertisements and for collecting information.
Third party cookies and other similar programs currently used by the website: Google Analytics service (e.g. remarketing, Google Display network display reports, Google Analytics demographic and interest reports).
You can learn about Google’s privacy guidelines relating to advertisements by clicking on the following link: https://policies.google.com/technologies/cookies?hl=hu.
You can learn more about cookies in the Google Analytics service by clicking on the following link: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.
You can learn more about Google’s cookie management policy by clicking on the following link: https://support.google.com/adwords/answer/2549063?hl=hu.
- By default, plug-ins are blocked on the website (bodogaleria.hu). Plug-ins are only enabled when the data subject clicks the relevant button. By enabling the plug-in, the data subject establishes a connection with the social network and consents to the transfer of their data to Facebook/Instagram.
If the data subject is registered to Facebook/Instagram, the relevant social network may associate their visit with their account in the social network.
If the data subject clicks the relevant button, their browser will forward the relevant data directly to the social network concerned and store such data thereon.
- Rights of the data subject
- The data subject may obtain from the Controller:
(a) information regarding the processing of their personal data,
(b) rectification of their personal data, and
(c) deletion or blocking of their personal data, except for mandatory processing.
- Upon the data subject’s request, the Controller shall, at the latest within 25 days after submission of the request relating thereto, inform the data subject in writing regarding the data processed by it or any processor commissioned by it or upon its instructions, as well as the source of such data, the purpose, legal basis and duration of the processing, the name and address of the processor and its activity related to the processing, the circumstances and impact of and measures taken for remedying any personal data breach, as well as, where the personal data of the data subject are transferred, the legal basis and recipient of the data transfer.
The information is free of charge if the person requesting the information has not yet submitted to the Controller another request for information relating to the same area in the year concerned. Otherwise, the Controller will charge a fee, with the provision that any fee already paid shall be refunded if the data were handled unlawfully or the request for information resulted in rectification.
- The Controller shall keep records of all data transfers in order to monitor the lawfulness of data transfers and to notify the data subject, which records shall contain the time and date of transfer of the personal data processed by the Controller, the legal basis and recipient of the transfer, the scope of the personal data transferred and the other data specified in the legislation requiring the processing.
- If the personal data are incorrect and the correct personal data are available to the Controller, the Controller shall rectify the personal data.
- The personal data shall be deleted if:
(a) its processing is unlawful;
(b) the data subject requests this in writing;
(c) it is deficient or incorrect, and this cannot be remedied in a lawful manner, provided that the law does not prohibit deletion;
(d) the purpose of the processing has ceased or the statutory period for storage of the data expired;
(e) the court or the Authority ordered this.
- The Controller shall block the personal data instead of deletion if the data subject requests this or if based on the information available to it, it can be assumed that deletion would harm the legitimate interests of the data subject. Personal data blocked in this manner may only be processed as long as the purpose of the processing that precluded deletion of the personal data exists.
- The Controller shall flag the personal data processed by it if the data subject contests the correctness or accuracy thereof but the incorrectness or inaccuracy thereof cannot be clearly established.
- The data subject and anyone to whom the data was previously transferred for the purpose of processing shall be notified regarding the rectification, blocking, flagging or deletion. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purpose of the processing.
- If the Controller fails to fulfil the data subject’s request for rectification, blocking or deletion, it shall notify the data subject regarding the factual and legal reasons of rejecting the request for rectification, blocking or deletion within 25 days after receipt of the request in writing or – if the data subject consents thereto – by electronic means. If the Controller rejects the request for rectification, blocking or deletion, it shall inform the data subject regarding the option of legal remedy or turning to the Authority.
- The data subject may object to the processing of their personal data:
(a) if the processing or transfer of the personal data is necessary solely for the performance of a legal obligation concerning the Controller or enforcement of the legitimate interests of the Controller, the data importer or a third party, except for the case of mandatory processing;
(b) if the use or transfer of the personal data takes place with the purpose of direct marketing, opinion polls or scientific research; and
(c) in other cases set out in law.
The Controller shall investigate the objection, make a decision regarding whether it is justified and inform the applicant regarding such decision within the shortest time possible, but at the latest within 15 days after the submission of the application.
If the Controller finds the data subject’s objection to be justified, it shall terminate the processing (including any further recording and transfer of data), block the data and notify all parties to whom it previously transferred the personal data concerned by the objection regarding such objection and the measures taken, which parties shall take measures to enforce the right to object.
If the data subject does not agree with the Controller’s decision or the Controller misses the 15-day deadline, the data subject may turn to a court within 30 days after the date of communication of the decision or the last day of the deadline.
- The data subject’s rights set out in Chapter V may be limited by law for the purpose of protecting the external and internal security of the state, including defence, national security, the prevention or prosecution of crimes and the security of law enforcement, as well as for the economic or financial interests of the state or a municipality, the material economic or financial interests of the European Union or the prevention and investigation of disciplinary and ethical breaches related to the practice of professions and breaches of labour law and work safety obligations, including – in all cases – supervision and monitoring, as well as for the protection of the rights of the data subject or others.
- Personal data breach
- The Controller shall report the personal data breach to the competent authority without undue delay, if possible at the latest within 72 hours after becoming aware thereof. If no report is made within 72 hours, the reasons justifying the delay shall also be attached to it.
- The personal data breach need not be reported to the authority if it is unlikely to pose a risk to the rights and freedoms of natural persons.
- If the personal data breach needs to be reported to the authority, the report shall:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- The data subject need not be informed if any of the following applies:
- the company has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the company has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- the provision of information would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- Right to remedy
- The Data Subject may contact the Controller with any question or observation regarding the processing at the contact points specified in Section I(2).
- If the data subject’s objection, complaint or request regarding their personal data is not settled by the Controller in a satisfying manner or if the data subject considers at any time that their rights were infringed in relation to the processing of their personal data or there is an immediate threat thereof, they may file a report with the Hungarian National Authority for Data Protection and Freedom of Information.
Hungarian National Authority for Data Protection and Freedom of Information
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
- The data subject may turn to the Budapest-Capital Regional Court (H-1055 Budapest, Markó u. 27.) if their rights are infringed or in the cases specified in Section VII(10). The court shall proceed in the case as a priority.
The data subject may initiate the litigation either at the regional court with competence over their place of permanent residence or their current place of residency at their own discretion.
Budapest, 3 January 2018