Our Company, IVM Zrt. (Hereinafter the Company or the Data Controller), places special emphasis on the protection of personal data. Our Company attaches great importance to the protection of the personal information entrusted to us by our clients and partners, and respects the right of individuals to self-determination. Our Company treats personal data confidentially and takes all organizational, technical security measures that guarantee the security of the data (its confidentiality, integrity and availability). We undertake to ensure that all data management related to our activities comply with the requirements set forth in this prospectus and applicable legislation.
The privacy policies arising from the Company’s data management are available at https://www.ivm-vending.eu/en/data/address.
1.1 Data Controller Information, contact:
Name: IVM Zrt.
Headquarters: 8000 Székesfehérvár Videoton Industrial Park, Berényi út 72-100 Building 22
Company Registration Number: 07 10 001386
Tax ID: 23003097-2-07
e-mail address: firstname.lastname@example.org
Name of the Data Protection Officer: CONSILIS DATA KFT. / Dr. József Csaba
Phone number: +3670 3377222
Your email address is email@example.com
1.2 Relevant Legislation
- 2016 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation 95/46 / EC (General Data Protection Regulation, ‘the Regulation’);
- C CXII. Act on the Right of Information Self-Determination and on Freedom of Information (hereinafter referred to as “Information Act”);
- Act V of 2013 on the Civil Code (hereinafter: Civil Code);
- Act I of 2012 on the Labor Code
- Act CVIII of 2001 on Electronic Commerce Services and certain aspects of information society services
- Law of 1997 on persons entitled to social security benefits and private pensions and the coverage of these services.
- LIII of 2018. Privacy Act
- CXXVII of 2017 Act on Accounting
- CXVII of 1995 Act on Personal Income Tax Act
- CL 2017 Taxation Act
When providing information on data management, the Company endeavors to provide as detailed information as possible regarding the management of personal data. The information shall in any case cover the persons authorized to handle and process the data, the purpose and legal basis of the data processing, the scope of the data processed and the duration of the data processing, who may have access to the personal data and legal remedies.
We process personal data only in accordance with the purpose limitation principle, for the specific purpose of exercising a right or fulfilling an obligation. We will only process data where it is necessary for the purpose of the data management, is suitable for the purpose, and only to the extent and for the time necessary to achieve the purpose.
The Company’s data management meets strict expectations. The collection and processing of personal data is lawful and fair.
Particular attention will be paid to the accuracy, completeness and timeliness of the data processed.
In the case of statutory data processing, the Company will process the personal data of the data subject specified in the law for the purpose specified by law until the end of the term prescribed by the applicable law.
Whenever an authority seeks the Company under a statutory authorization, it shall disclose personal information to the Authority only to the extent and to the extent required by the law of the requesting authority to accomplish its purpose.
3.LEGAL BASIS FOR OUR DATA MANAGEMENT
3.1 Consent of the data subject
The legal basis for data processing is the consent of the data subject in all cases where the data subject voluntarily submits to our Company. You will receive information from our Affiliated Company at the outset of the legal relationship, including the provision of data to the Data Controller as a voluntary disclosure. The data subject may withdraw his or her consent at any time, in which case no legal consequences may be attached to the provision of the data.
3.2 Authorization of a law, fulfillment of a legal obligation
Our company receives personal data from legal entities (companies) that have concluded a contract with the data subject. There was a contractual relationship between the data transferor and the data subject on the basis of which the data transferring party handled the data of the data subject.
3.3 Contract between Data Controller and Data Subject
If the data subject concludes a contract with the Data Controller, the performance of the contract shall constitute the legal basis for the management of all data necessary for the performance of the contract and for the initiation of such action by the data subject prior to the conclusion of the contract.
3.4 Claiming your legitimate interests
Article 6 (1) of the GDPR. (f), if data processing is necessary to assert the legitimate interest of the data controller or a third party, the Company will use the data to enforce that interest. If the management of the data is based on the legitimate interest of the Data Controller, the so-called “data processing” shall be performed on the results of interest balancing test.
4. DATA MANAGEMENT
The Personal Data Protection Act, as well as the Decree of April 27, 2016, but only the Decree, which is mandatory from May 25, 2018, have been published in detail. These laws are available free of charge on the official website of the National Authority for Data Protection and Freedom of Information – www.naih.hu.
4.1 Registration of contractors, suppliers, invoicing
The purpose of data management is to manage the data related to the contracts concluded by the Company, to confirm the supplier’s payments, to register the contracts, to issue invoices.
Legal basis for the data management: consent of the data subject; legal obligation on Act of accounting article 169 (2).
The data to be processed include name, date of birth, date of birth, mother’s name, address, tax identification number, tax number, entrepreneurial, prime-breeder ID number, ID number, residential address, headquarters, branch address, telephone number, email address, website address, bank account number, customer number (customer number, order number), online ID (list of buyers, suppliers, loyalty lists).
Period of data management: For all data, the Accounting Standards. Act. Article 169 (2), eight years.
4.2 Handling Voice Records
Purpose of data management: compliance with consumer protection standards, quality assurance, reproducibility of verbal complaints made over the phone.
Legal basis for processing the data: voluntary consent of the data subject.
The range of data processed: unique identification number, customer name, telephone number, voice recording.
Duration of data management: 5 years in accordance with the provisions of the Consumer Protection Act.
4.3 Employee Registration
Purpose of Data Management: Documentation of employee records, employment and other employment relationships (collectively, “employment relationships”).
Legal basis for data management: Act I of 2012 on the Labor Code and/or the voluntary consent of the data subject.
The range of data processed: Personal information required by Labor code. and Social sec Act; and Personal Income TAX Act;
Duration of data management: The time required by law
Purpose of data management: applying for a position at the Company, participation in the selection process.
Legal basis for processing the data: voluntary consent of the data subject.
The scope of the data handled is identification number, name, address, telephone number, e-mail address, date and other personal data provided in the application.
Deadline for data deletion: maximum 3 months after completion of the selection procedure.
4.5 Customer correspondence with the Company
If you have any questions or problems while using our services, you may contact the Data Controller at the contact details provided in this brochure or on the Website.
Our Company will delete incoming emails together with the sender’s name, email address, and other personal information included in the message within a maximum of five years from the date of disclosure.
4.6 Data management of appropriateness tests
Purpose of data management: management of job suitability data
Legal basis for data management: Labor Code.
Scope of data processed: fact of suitability of job, time of examination
Deadline for deletion of data: 5 years at the latest after the termination of employment.
4.7 Data Access Control System
Purpose of data management: protection of property
Legal basis for data management: Labor Code.
The scope of the processed data: person entering, entry, time of leaving
Deadline for data deletion: 6 months at the latest after termination of employment, 24 hours for casual visitors
4.8 Camera surveillance
Purpose of data management: property protection, personal security
Legal basis for data management: the legitimate interest of the Company.
Scope of data processed: camera images taken within the Company
Deadline for data deletion: 30 days, 60 days for dangerous goods’ transport way
4.9 Data management of the Company’s website
( https://www.ivm-vending.eu/hu/ )
Purpose of data management: during the visit to the website, the service provider records the visitor data in order to check the operation of the services, personalized service and to prevent abuse.
Legal basis for data management: consent of the data subject and Eker. Tv. 13 / A. § (3).
The data handled include: ID number, date, time, address of the page visited, and IP address of the user’s computer.
Duration of data management: 28 days.
The Company does not link the data resulting from the analysis of the log files with other information, nor does it endeavor to identify the user.
Third party data management:
The html code of the Portal may include links from and to external servers that are independent of the Company. The third-party servers are directly connected to the user’s computer. Please note that the provider of these links may collect user data due to the direct connection from his / her servers and direct communication with the user’s browser.
Content that may be personalized to the user is served by the servers of the external service provider. The relationship between the Company and the external service provider’s servers is limited to the incorporation of the latter’s code, so no personal data is transferred or transmitted.
4.10 Data management of the cookies on the https://www.ivm-vending.eu/en website
The purpose of data management is to identify the users, to distinguish them from each other, to identify the current session of the users, to store the data provided during the session, when requesting an e-mail address, telephone number, company name, to prevent data loss and to forward the user’s browser settings.
Legal basis for the data processing: consent of the data subject.
The range of data processed: ID number, date, time.
Duration of data management: until the end of the session.
In order to provide customized service, the Company or the external service provider may use a small data package. Places it on the user’s computer and reads back a cookie. If the browser returns a previously saved cookie, by managing it, the service provider will be able to link the user’s current visit to the previous one, but only for its own content.
Cookies that are valid until the end of the session will remain on your computer until you close your browser.
Cookies with the exact expiration date are stored on the computer until they are deleted, but no later than the expiration date.
Please be advised that https://www.ivm-vending.eu/en uses Google Analytics cookies to collect data. The Google Analytics Data Management Document.
“How Google Uses Data When You Use a Partner’s Site or App,” is available at: http://www.google.com/intl/en/policies/privacy/partnership/
4.11 Other/additional data management
Data handling not listed in this brochure will be reported at the time of data collection.
We inform our clients that, under the authority of a court, prosecutor, investigating authority, offense authority, administrative authority, National Data Protection and Freedom of Information Authority, or other legal entities, may seek data or information from data controller.
The Company shall disclose personal data to authorities only if the purpose of the request, provided by the authority has indicated the exact purpose, the scope and the proper legal basis of the data request.
5. HOW TO STORE PERSONAL DATA, SECURITY OF DATA MANAGEMENT
Our Company’s information technology systems and other data storage locations are located at its headquarters and on server computers located at its data processors.The Company selects and operates the IT tools used to manage personal data in the course of providing the service in such a way that the data processed:
- accessible to those entitled (availability);
- its authenticity and authenticity are assured (authenticity of data processing);
- its unchangeability can be demonstrated (data integrity);
- be protected against unauthorized access (confidentiality of data).
Our Company protects your data by appropriate organizational and technical measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction, damage, or loss of access due to changes in the technology used.
As a data controller, we protect the data stored electronically in our various records by ensuring that the data stored, unless permitted by law, is not directly linked and attributed to the data subject.
In view of the state of the art, the Company shall ensure the security of data management by technical, operational and organizational measures that provide a level of protection appropriate to the risks represented by the data processing.
The Company retains:
- confidentiality (confidentiality): protects the information so that only authorized persons have access to it;
- integrity: protects the accuracy and completeness of the information and the method of processing;
- availability: it ensures that when an authorized user needs it, he / she can actually have access to the information and tools that he / she needs.
Our Company and its partners’ IT systems and networks are protected against computer-aided fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, hacking and denial of service attacks. The operator maintains security through server-level and application-level security procedures.
Users are advised that electronic messages transmitted over the Internet, irrespective of protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that lead to fraudulent activity, contract disputes, or disclosure. Our Company will take all reasonable precautions to protect against such threats. Our systems are monitored to record any security inconsistencies and provide evidence for each security incident. System monitoring also allows you to check the effectiveness of the precautions you apply.
6. DATA TRANSMISSION AND DATA PROCESSING
6.1 Data transmission
Our company transfers personal data to a third party only if the data subject has explicitly consented to it – knowing the scope of the transferred data and the recipient of the data transfer – or the transfer of data is authorized by law.
6.2 Data processing
The Data Controller is entitled to use a data processor to perform its activities. The data processors do not make an independent decision, during the data processing on the basis of a written contract concluded with the Data Controller, specified in the contract and acting on behalf of the Data Controller in accordance with the instructions of the Data Controller. The Data Controller monitors the work of the data processors. Data processors are entitled to use additional data processors only with the consent of the Data Controller.
6.3 Data processors with a contractual relationship with the Company:
Data management: Customer complaints, development data, documentation management
Data Processing: Atlassian Pty Ltd, Level 6, 341 George St, Sydney NSW 2000, Australia
Data Management: Customer Data Management
Data processing: MiniCRM Szolgáltató és Kereskedelmi Zrt.
1075 Budapest, Madách Imre út 13-14
Data management: Correspondence, sharepoint
Data processing: Improve IT Engineering Kft. 8000 Székesfehérvár, Kandó K. u. 13
Data management: Payroll accounting, bookkeeping Data processing: adMinister Hungary Kft. 1097 Budapest, Könyves Kálmán krt. 12-14.
Data Management: Internal Accounting Software
Data processor: Key-Software. Plc. 1016 Budapest, Mészáros u. 13
Data management: Car fleet tracking
Data processing: Konetik Deutschland Gmbh. 10823 Berlin Akazienstrasse 3A
Data Management: Organizational Development
Data processing: Being More Kft. 8096 Sukoró, Halastólysás u. 37
Data management: IT service
Data processing: Improve IT Engineering Kft. 8000 Székesfehérvár, Kandó K. u. 13
Data management related to commercial contracts is implemented through joint data management with the Commercial Representatives of IVM Zrt.
7. LEGAL REMEDY OPTIONS
The data subject may request information on the processing of his or her personal data, including: – personal data managed by the Company,
– the purpose, legal basis and duration of the data processing,
– who received the data and for what purpose.The information shall be provided in writing, in a comprehensible form, as soon as possible after the receipt of the request, but not later than 30 days. The information shall be provided by the department competent to deal with the matter. The request and the information shall be notified to the Data Protection Officer.
The data subject may have access to the data processing concerning him or her. Access shall be granted in such a way that the data of the other person concerned cannot be disclosed during this period.
The provision of information or access may be refused only if the requested information has previously been declared a state secret or a professional secret by the competent authority in accordance with the appropriate procedure. The data controller is obliged to inform the data subject of the reason for refusing the communication.The person concerned may request in writing or in person:
the correction of personal data or the deletion of data to which you have previously given your consent, unless the processing is required by law or other legislation.
The data controller is obliged to correct the incorrect data within 5 working days. Based on a legitimate deletion request, the data must be deleted within 5 working days.
All requests for cancellation and rejected requests for rectification, as well as protests and the action taken on them, shall be documented.
The person concerned can turn to the
National Data Protection and Freedom of Information Authority (1125 Budapest, Szilágyi Erzsébet fasor 22 / c.) With a complaint: – www.naih.hu,
– Telephone: +36 (1) 391-1400,
– Fax: +36 (1) 391-1410
– E-mail: (firstname.lastname@example.org)or Act CXXX of 2016 on the Code of Civil Procedure. to enforce his rights in relation to the processing of personal data before a Court with jurisdiction and jurisdiction under the law.
7.1 Compensation of damages
The Company will indemnify the damage caused to others by the unlawful handling of the data of the data subject or the violation of the data security requirements. In the event of a violation of the data subject’s right to privacy, the data subject may claim damages (Section 2:52 of the Civil Code).
The data controller is also liable to the data subject for the damage caused by the data processor.
The data controller is released from liability if the damage was caused by an unavoidable cause outside the scope of data processing.
The controller shall not reimburse the damage and no damages may be claimed to the extent that the damage was caused by the intentional or grossly negligent conduct of the injured party or the breach of the right to privacy.
7.2 Complaint to the Data Protection Officer
If you have any concerns about the Company’s data management, please contact the DPO.
The contact details given in the chapter “Data controller’s contact details”.
8. DEALING WITH PRIVACY INCIDENTS
A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data that is transmitted, stored, or otherwise handled.
Our company will immediately report the data protection incident to the National Data Protection and Freedom of Information Authority, unless the data protection incident is not likely to pose a risk to the rights and freedoms of the data subjects.
Our company, as a data controller, records data protection incidents, together with the measures related to the given incident. If the incident is serious (presumably poses a high risk to the data subject’s rights and freedoms), our Company will inform the data subject of the data protection incident without undue delay.