Kocsis Mihály e.v.

Privacy Policy

Introduction

Kocsis Mihály e.v. (9495 Kópháza, Kossuth Lajos utca 39., Tax number: 91770200-1-28, Company registration number: 61863916) (hereinafter: Service Provider, Data Controller) is subject to the following policy:

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.

This privacy policy governs the data processing of the following websites/mobile applications: https://kocsisit.com

The privacy policy is available at the following pages: https://kocsisit.com/hu/privacy, https://kocsisit.com/en/privacy

Amendments to this policy shall enter into force upon publication at the above address.

The Data Controller and Contact Details

Name: Kocsis Mihály e.v.

Registered address: 9495 Kópháza, Kossuth Lajos utca 39.

Email: info@kocsisit.com

Phone: +36 30 519 8154

Definitions

Principles relating to the processing of personal data

Personal data shall be:

The controller shall be responsible for, and be able to demonstrate compliance with, the above principles ("accountability").

The controller declares that its data processing activities are carried out in compliance with the principles set out in this section.

Contact

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

In the case of an email address, it is not necessary for it to contain personal data.

2. Scope of data subjects: All data subjects who send a message through the contact form.

3. Duration of data processing, deadline for data deletion: The controller processes personal data until the purpose of processing is fulfilled, but for a maximum of 2 years. If any of the conditions set out in Article 17(1) of the GDPR apply, processing continues until the data subject submits a request for erasure.

4. Description of the data subjects’ rights related to data processing:

• The data subject may request from the controller access to personal data relating to them, rectification, erasure or restriction of processing, and
• the data subject has the right to data portability, and to withdraw consent at any time.

5. The data subject can initiate access to personal data, their deletion, modification, or restriction of processing, as well as data portability, in the following ways:

• by post to 9495 Kópháza, Kossuth Lajos utca 39,
• by email to info@kocsisit.com,
• by phone at + 36 30 519 8154.

6. Legal basis for data processing: the data subject’s consent, Article 6(1)(a). If you contact us, you consent that your personal data obtained during the contact process (name, phone number, email address) will be processed in accordance with this policy.

7. Please note that

• this data processing is based on your consent, and is also necessary for providing a quotation.
• you are required to provide personal data so that you can contact us.
• failure to provide the data will have the consequence that you will not be able to contact the controller.
• withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Customer relationship

1. The fact of data collection, the scope of processed data, and the purpose of data processing:

2. Scope of data subjects: All data subjects who maintain contact with the controller by phone/email/in person, or who are in a contractual relationship with the controller.

3. Duration of data processing, deadline for data deletion: Letters containing inquiries are retained until the data subject requests deletion, but for a maximum of 2 years.

4. Persons entitled to access the data, recipients of personal data: Personal data may be processed by authorized employees of the controller, in compliance with the above principles.

5. Description of data subjects’ rights related to data processing:

• The data subject may request from the controller access to personal data concerning them, rectification, erasure or restriction of processing, and
• the data subject has the right to data portability and to withdraw consent at any time.

6. The data subject may initiate access to personal data, their deletion, modification, restriction of processing, and data portability in the following ways:

• by post to 9495 Kópháza, Kossuth Lajos utca 39,
• by email to info@kocsisit.com,
• by phone at + 36 30 519 8154.

7. Please note that

• data processing is necessary for the performance of a contract and for providing a quotation.
• you are required to provide personal data so that we can perform the contract/fulfill your request.
• failure to provide data will result in the consequence that we will not be able to perform the contract/process your request.

Newsletter, direct marketing activity based on consent

1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, the User may give prior and explicit consent to be contacted by the Service Provider with advertising offers and other messages at the contact details provided during registration.

2. Furthermore, taking into account the provisions of this notice, the Customer may consent to the processing of their personal data necessary for sending advertising offers.

3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from receiving offers at any time, without restriction or justification, free of charge. In such case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and will no longer contact the User with further advertising offers. The User may unsubscribe from advertisements by clicking on the link included in the message.

4. The fact of data collection, the scope of processed data, and the purpose of data processing:

5. Newsletter distribution is carried out in compliance with the provisions of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.

6. Scope of data subjects: All data subjects who subscribe to the newsletter.

7. Purpose of data processing: sending electronic messages containing advertising (email, SMS, push message) to the data subject, providing information about current news, products, promotions, new features, etc.

8. Duration of data processing, deadline for deletion of data: Data processing lasts until consent is withdrawn (until unsubscribing or until the data subject requests deletion), or until the newsletter service is terminated.

9. Description of the data subjects’ rights related to data processing:

• The data subject may request from the controller access to personal data relating to them, rectification, erasure or restriction of processing, and
• the data subject has the right to data portability and to withdraw consent at any time.

10. The data subject may initiate access to personal data, their deletion, modification, restriction of processing, and data portability in the following ways:

• by post to 9495 Kópháza, Kossuth Lajos utca 39,
• by email to info@kocsisit.com,
• by phone at + 36 30 519 8154.

11. The data subject may unsubscribe from the newsletter at any time, free of charge.

12. Please note that

• data processing is based on your consent.
• you are required to provide personal data if you wish to receive our newsletter.
• failure to provide the data will result in us being unable to send you the newsletter.
• you may withdraw your consent at any time by clicking the unsubscribe link.
• withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Use of Google Ads conversion tracking

Use of Google Analytics

Management of Cookies

1. The use of so-called “password-protected session cookies”, “shopping cart cookies”, “security cookies”, “strictly necessary cookies”, “functional cookies”, and “cookies responsible for managing website statistics” does not require prior consent from data subjects.

2. The fact of data processing, the scope of processed data: Unique identifier, dates, timestamps.

3. Scope of data subjects: All data subjects visiting the website.

4. Purpose of data processing: Identification of users, tracking visitors, ensuring personalized operation.

5. Duration of data processing, deadline for data deletion:

6. Description of data subjects’ rights related to data processing: Data subjects have the option to delete cookies in the Tools/Settings menu of their browser, usually under the Privacy settings.

7. Most browsers used by our users allow setting which cookies should be saved and allow (specific) cookies to be deleted again. If you restrict the saving of cookies on certain websites or do not allow third-party cookies, this may, under certain circumstances, result in our website no longer being fully usable. Here you can find information on how to customize cookie settings in common browsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=en)

Microsoft Edge (https://support.microsoft.com/...)

Firefox (https://support.mozilla.org/en-US/kb/clear-cookies-and-site-data-firefox)

Safari (https://support.apple.com/guide/safari/manage-cookies-sfri11471/mac)

Data processors used

Hosting provider

1. Activity performed by the data processor: Hosting service

2. Name and contact details of the data processor:

Rackhost Zrt.
6722 Szeged, Tisza Lajos körút 41.
E-mail: info@rackhost.hu

3. The fact of data processing, the scope of processed data: All personal data provided by the data subject.

4. Scope of data subjects: All data subjects using the website/mobile application.

5. Purpose of data processing: Making the website/mobile application available and ensuring its proper operation.

6. Duration of data processing, deadline for data deletion: Data processing lasts until the termination of the agreement between the controller and the hosting provider, or until the data subject submits a deletion request to the hosting provider.

7. Legal basis for data processing: Article 6(1)(c) and (f) of the GDPR, and Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce Services and Certain Issues of Information Society Services. Legitimate interest: proper operation of the website, protection against attacks and fraud.

Other data processors (if any)

Nethely Kft. (domain and email service)
1115 Budapest, Halmi utca 29.
info@nethely.hu

Meta Platforms Ireland Limited (Facebook Pixel)
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Social media platforms

Facebook / Meta joint data processing

The Controller maintains a Facebook / Meta profile in relation to its activities. Statistical data processing carried out on the Facebook social media platform constitutes joint data processing between the Controller and Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland). Detailed information about the joint data processing agreement is provided in the Page Insights Controller Addendum. The addendum is available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

The Controller communicates via private message on the social media platform only if you contact us there.

1. Categories of data subjects

• data subjects who are registered on the social media platform and have “liked” the Controller’s profile page,
• data subjects who contact the Controller via private message on the social media platform.

2. Purpose of data processing

The purpose of data processing on the Facebook social media platform is to share and promote the Controller’s activities and services. Personal data provided by the data subject in a private message may be used by the Controller to respond to the message. Otherwise, the Controller does not collect or extract data via social media platforms.

3. Legal basis for data processing

Data processing is based on Article 6(1)(a) of the GDPR; the legal basis is the data subject’s consent to the processing of their personal data on the Facebook social media platform.

4. Scope of processed data

• data subject’s registered name,
• data subject’s public profile picture,
• other public data provided or shared by the data subject on the social media platform.

5. Source of personal data:

The source of the processed data is the data subject.

6. Withdrawal of consent: You may withdraw your consent to data processing at any time and may delete your post or comment. Data processing takes place through social media platforms operated by third parties. If you withdraw your consent, the Controller will delete the conversation conducted with you. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

The data subject may initiate access to personal data, their deletion, modification, restriction of processing, and data portability in the following ways:

• by post to 9495 Kópháza, Kossuth Lajos utca 39,
• by email to info@kocsisit.com,
• by phone at + 36 30 519 8154.

7. Duration of data processing

• until the data subject withdraws their consent,
• in case of message exchange, for 2 years.

8. Transfer of personal data, recipients, and categories of recipients:

For the definition of recipient, see Article 4(9) of the GDPR. The Controller transfers personal data of the data subject only in exceptional cases and based on a legal obligation to public authorities, including in particular courts, prosecution authorities, investigative authorities and administrative offence authorities, and the National Authority for Data Protection and Freedom of Information.

9. Possible consequences of failure to provide data

If data is not provided, the data subject will not be able to obtain information about the Controller’s activities and services via the Facebook social media platform, nor send messages to the Controller via Facebook Messenger.

10. Automated decision-making (including profiling):

No automated decision-making, including profiling, takes place during data processing.

11. Joint controller agreement concluded with Facebook Ireland Ltd.:

The Page Insights feature displays aggregated data that help understand how data subjects use the Facebook page. Facebook Ireland Limited (“Facebook Ireland”) and the Controller are joint controllers with regard to the processing of insights data. The Page Insights Addendum defines the responsibilities of Facebook and the Controller in relation to the processing of insights data. Facebook Ireland assumes primary responsibility under the GDPR for the processing of insights data and for complying with all applicable GDPR obligations related to such processing. Facebook Ireland also makes a summary of the Page Insights Addendum available to all data subjects. The Controller ensures that it has an appropriate legal basis under the GDPR for processing insights data, identifies the page controller, and complies with all other applicable legal obligations. Facebook Ireland bears sole responsibility for the processing of personal data in connection with the Page Insights feature, except for data falling within the scope of the Page Insights Addendum. The Page Insights Addendum does not grant the Controller the right to request personal data of Facebook users processed by Facebook Ireland, including insights data. The Controller may not act or respond on behalf of Facebook Ireland in fulfilling data protection requests.

Customer relations and other data processing

Rights of data subjects

1. Right of access

You have the right to obtain confirmation from the controller as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to access the personal data and the information listed in the Regulation.

2. Right to rectification

You have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller is obliged to erase personal data concerning you without undue delay where certain conditions are met.

4. Right to be forgotten

Where the controller has made personal data public and is obliged to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps – including technical measures – to inform controllers processing the data that you have requested the erasure of any links to, or copies or replications of, those personal data.

5. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following applies:

• you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and you oppose the erasure of the data and request the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
• you have objected to processing; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the controller override your legitimate grounds.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (...)

7. Right to object

In cases of data processing based on legitimate interest or the exercise of official authority as legal grounds, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data (...), including profiling based on those provisions.

8. Objection in case of direct marketing

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9. Automated decision-making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph shall not apply if the decision:

• is necessary for entering into, or performance of, a contract between you and the controller;
• is authorized by Union or Member State law applicable to the controller, which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
• is based on your explicit consent.

Deadline for taking action

The controller shall inform you of the measures taken in response to the above requests without undue delay and in any event within 1 month of receipt of the request.

If necessary, this period may be extended by 2 additional months. The controller shall inform you of any such extension, together with the reasons for the delay, within 1 month of receipt of the request.

If the controller does not take action on your request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action, as well as of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

Security of data processing

Taking into account the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of processing and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk, including, among others, where appropriate:

In order to ensure the security of paper-based personal data, the Service Provider applies the following measures (physical protection):

IT protection

Information to the data subject about a data breach

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject without undue delay.

The information provided to the data subject shall describe in clear and plain language the nature of the personal data breach and shall include the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; and describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The data subject need not be informed if any of the following conditions are met:

• the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the data affected by the personal data breach, in particular measures – such as encryption – that render the personal data unintelligible to any person who is not authorised to access it;
• the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
• it would involve a disproportionate effort. In such cases, the data subjects shall instead be informed by way of a public communication or similar measure whereby they are informed in an equally effective manner.

If the controller has not already informed the data subject about the personal data breach, the supervisory authority, having considered whether the breach is likely to result in a high risk, may require the controller to inform the data subject.

Notification of a data breach to the authority

The controller shall notify the personal data breach to the supervisory authority competent under Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

Review in case of mandatory data processing

If the duration of mandatory data processing or the necessity of its periodic review is not determined by law, municipal decree, or a binding legal act of the European Union, the controller shall review at least every three years from the commencement of processing whether the processing of personal data carried out by it or by a processor acting on its behalf or under its instructions is necessary for achieving the purpose of the processing.

The controller shall document the circumstances and results of this review and retain the documentation for ten years following the review, and shall make it available to the National Authority for Data Protection and Freedom of Information (hereinafter: Authority) upon request.

Right to lodge a complaint

In the event of a possible violation by the controller, a complaint may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, P.O. Box 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Closing remarks

In preparing this notice, we have taken into account the following legislation and recommendations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
• Act CVIII of 2001 – on Electronic Commerce Services and Certain Issues of Information Society Services (in particular Section 13/A);
• Act XLVII of 2008 – on the Prohibition of Unfair Commercial Practices against Consumers;
• Act XLVIII of 2008 – on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (in particular Section 6);
• Act XC of 2005 on Electronic Freedom of Information;
• Act C of 2003 on Electronic Communications (in particular Section 155);
• Opinion 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising;
• Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information.