DATA PROTECTION NOTICE

The purpose of this notice is to set out the data protection and data management principles applied by AZIZA-INTERNATIONAL Ltd. (hereinafter referred to as the “Data Controller”, “Organization”, “Company”), the operator of aziza.international (hereinafter referred to as “website”), and the Data Controller’s data protection and data management policy, which the Data Controller acknowledges as binding on itself. The objective of the Data Controller is to ensure, to the fullest extent possible, the protection of the personal data of Customers who provide their data on the website.

By using the website or any of its services or applications, the Customer agrees to the processing of his/her personal data in accordance with the provisions of this Data Protection Notice.

I. DATA CONTROLLER’S DETAILS

Seat: Nefelejcs utca 4., H-9700 Szombathely
Tax number: 23096974-2-18
Company registration number: 18-09-113099
Represented by: Márton KRENCSEY, managing director
E-mail: aziza.international@gmail.com

Storage Data Controller/Data Processor – Devwing Ltd.
Address: Hunyadvár utca 56. 1/3., H-1165 Budapest
Company registration number: 01-09-328866
Tax number: 26499785-2-42
Phone: +36 30 506 1132
E-mail: info@devwing.hu

II. UNDERSTANDING AND ACCEPTING THE NOTICE

By providing the personal data, the person concerned declares that he or she has become aware of the version of this Notice in force at the time the data or information is provided. In certain individual cases, specific data protection conditions may also apply, which will be notified separately to the persons concerned.

III. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA

The Data Controller determines the processing of the data that may result from its activities in accordance with the following legislation:

  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: InfoAct);
  • Act V of 2013 on the Civil Code (hereinafter: Civil Code);
  • Act C of 2012 on the Criminal Code (hereinafter: Criminal Code);
  • REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR);
  • Act C of 2000 on accounting (hereinafter Accounting Act);
  • Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
  • Act CLXIV of 2005 on trade;
  • Act CVIII of 2001 on Electronic Commercial Services and Certain Questions Relating to the Information Society;
  • Act XC of 2005 on the freedom of electronic information;
  • Act C of 2003 on Electronic Communications (in particular Section 155);
  • Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information.

The present definitions are identical to the interpretation provided in Section 3 of the InfoAct.

  • Controller means the natural or legal person or organisation without legal personality which, within the framework laid down in an Act or in a binding legal act of the European Union, alone or jointly with others, determines the purposes of the processing of data, makes decisions concerning processing (including the means used) and implements such decisions or has them implemented by a processor; (InfoAct Section 3 (9));
  • Joint controller means the controller which, within the framework laid down in an Act or in a binding legal act of the European Union, jointly with one or more other controllers, determines the purposes and means of processing, and, jointly with one or more other controllers, makes decisions concerning processing (including the means used) and implements such decisions or has them implemented by a processor (InfoAct Section 3 (9a));
  • Processing means any operation or set of operations which is performed on data, regardless of the procedure applied; in particular collection, entering, recording, organisation, storage, alteration, use, retrieval, data transfer, disclosure, alignment or combination, blocking, erasure and destruction, as well as the prevention of the further use of data; taking photos and making audio or visual recordings, as well as the recording of physical characteristics suitable for identification (such as fingerprints or palm prints, DNA samples and iris scans) (InfoAct Section 3 (10));
  • Data processing means the totality of processing operations performed by the processor acting on behalf of, or instructed by, the controller (InfoAct Section 3 (17));
  • Data transfer means making the data available to a specific third party (InfoAct Section 3 (11));
  • Disclosure means making the data accessible to anyone (InfoAct Section 3 (12));
  • Processor means a natural or legal person, or an organisation without legal personality which, within the framework and under the conditions laid down in an Act or in a binding legal act of the European Union, acting on behalf, or according to the instructions, of the controller, processes personal data (InfoAct Section 3 (18));
  • Data erasure means making the data unrecognisable in such a way that restoration is no longer possible (InfoAct Section 3 (13));
  • Data subject means a natural person identified or identifiable based on any information (InfoAct Section 3 (1));
  • Identifiable natural person means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (InfoAct Section 3 (1a));
  • Personal data means any information relating to the data subject (InfoAct Section 3 (1a, 2)); In the course of processing, personal data shall be considered personal data as long as the relation to the data subject can be restored. The relation to the data subject shall be considered restorable if the controller has the technical means necessary for restoration. (InfoAct Section 4 (3));
  • Sensitive data means all data falling within the special categories of personal data, that is, personal data revealing racial or ethnic origin, political opinion, religious belief or worldview, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation (InfoAct Section 3 (3));
  • Criminal personal data means personal data which can be connected to the data subject and are related to criminal records, generated by organs authorised to conduct criminal proceedings or to detect criminal offences, or by the prison service during or prior to criminal proceedings, in connection with a criminal offence or criminal proceedings (InfoAct Section 3 (4));
  • Consent means any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him (InfoAct Section 3 (7));
  • Data of public interest means information or data other than personal data, recorded through any method or in any form, processed by, and pertaining to the activities of, or generated in the context of the performance of public duties by, an organ or person performing state or local government duties as well as other public duties defined by law, irrespective of the method in which it is processed and regardless of its singular or collective nature; in particular, data concerning subject-matter competence, territorial competence, organisational structure, professional activities and the evaluation of such activities, including their effectiveness, the type of data held and the laws governing its operation, as well as financial management and concluded contracts; (InfoAct Section 3 (5));
  • Data accessible on public interest grounds means any data other than data of public interest the disclosure, accessibility or availability of which is required by an Act for the benefit of the general public (InfoAct Section 3 (6));
  • Supervisory authority: the National Authority for Data Protection and Freedom of Information (“NAIH”), which acts as an autonomous public authority in the framework of administrative procedures to ensure the protection of personal data and the free flow of personal data within the EU;
  • Third party means a natural or legal person, or an organisation without legal personality other than the data subject, controller, processor and persons who, under the direct direction of the controller or processor, carry out operations aimed at processing personal data (InfoAct Section 3 (22));
  • Filing system means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis (GDPR Article 4 (6));

Where the definitions in the applicable data protection legislation (at the time of writing, the InfoAct and GDPR) differ from the definitions in this Notice, the definitions in the legislation shall prevail.

IV. DATA PROCESSING PRINCIPLE

The Data Controller shall process the personal data recorded in accordance with the data protection legislation in force, in particular the InfoAct and the GDPR, and in accordance with the present Notice.

V. LEGAL BASIS FOR DATA PROCESSING

The collection and processing of personal data in connection with the operation and services of the website is based on the voluntary consent of the data subject.

Personal data may only be processed for specific purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful.

Only personal data that is necessary for the purpose of the processing and is suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.

In the course of processing, personal data shall be considered personal data as long as the relation to the data subject can be restored. The relation to the data subject shall be considered restorable if the controller has the technical means necessary for restoration.

The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the Data Subject can be identified only for the time necessary for the purposes for which they are processed.

When processing personal data, the Data Controller respects the principles of data protection legislation. Accordingly, it ensures that:

  • the processing of personal data is lawful, fair and transparent for the Data Subject;
  • personal data are collected only for specified, explicit and legitimate purposes and are not processed in a way that is incompatible with those purposes;
  • the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed;
  • the personal data processed are accurate and, where necessary, kept up to date. The Controller will take all reasonable steps to delete or correct inaccurate personal data;
  • it stores personal data in a form which permits identification of Data Subjects only for the time necessary to achieve the purposes of the processing;
  • appropriate technical or organisational measures are in place to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage.

Unless otherwise provided by law, the Controller may process the personal data collected for the purposes of complying with a legal obligation to which it is subject (in particular, accounting obligations, contractual obligations with the Data Subject) or for the purposes of its own legitimate interests or the legitimate interests of a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the consent of the Data Subject.

VI. SCOPE AND DURATION OF THE DATA PROCESSED

During and after the performance of the service provided by the Controller, the Controller processes the following personal data of the Data Subject on the basis of the Data Subject’s voluntary consent:

The fact of data collection, the scope of data processed and the purposes of data processing:

  • Personal data: Family name, First name; Company name, Office name; Contact name. Purpose of processing: Identification;
  • Personal data: E-mail address; Telephone number. Purpose of processing: To contact;
  • Personal data: Data required for invoicing. Purpose of processing: To comply with legal requirements.

The data subject is solely responsible for the truthfulness and accuracy of the personal data.

Duration of processing, deadline for deletion of data: if one of the conditions of Article 17 (1) of the GDPR applies, it shall last until the Data Subject’s request for deletion. The personal data will be deleted immediately upon cancellation of the registration. The Controller will inform the Data Subject by electronic means of the deletion of any personal data provided by the Data Subject pursuant to Article 19 of the GDPR.

The Controller or its authorised employees are the only persons entitled to access the data on the basis of this Notice.

VII. PURPOSE AND LEGAL BASIS OF THE PROCESSING

The purpose of processing the Data Subject’s personal data is to enable the Service Provider to use them for the performance of the services included in the enquiry/contract (making an offer, completing the service). The Controller will not disclose the Data Subject’s personal data to unauthorised third parties.

General business data processing: processing of personal data provided in the context of a legal relationship with the Contracting Party for accounting, book-keeping, claims, contact management and other general purposes. Without the processing of these data, the Controller will not be able to perform the contract, to contact the Contracting Party, to fulfil its obligations under accounting and tax legislation, and the non-processing of the data may adversely affect the Company’s ability to enforce its claims.

Legal basis: consent of the interested party. The processing lasts for the duration of the enquiry or until the data are retained in accordance with the law.

  • Article 6(1)(a) and/or (c) and/or (f) of the GDPR

Duration of processing:

  • In connection with the enforcement of civil law claims or the performance of obligations, the data retention period is 5 years after the termination of the civil law relationship with the person concerned pursuant to Section 6:22 (1) of Act V of 2013 on the Civil Code (“Civil Code”).
  • If the Controller is obliged to retain the data pursuant to Sections 168-169 of Act C of 2000 on Accounting (“Accounting Act”), the Controller shall delete the data only after 8 years following the termination of the contractual relationship. In practice, such a case is where the data are part of the supporting documents for the accounting, for example, if they are included in documents related to the conclusion of a contract (e.g. an order) or an invoice issued.
  • In case of enquiries and if the service has not been ordered, the personal data will be deleted immediately after the offer expires.

VIII. RIGHTS OF THE CUSTOMER AND GIVING EFFECT TO THE RIGHTS (InfoAct sections 14-25, GDPR ARTICLES 15-21)

The Controller processes the personal data related to the use of the services until the purpose of the processing is fulfilled.

The Data Subject may request the Controller to delete his/her personal data by sending an e-mail to aziza.international@gmail.com. The Controller shall also delete the Data Subject’s personal data without the Data Subject’s request if the processing is unlawful, the purpose of the processing has ceased to exist, or the statutory period for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it, or if the processing is incomplete or inaccurate – and this situation cannot be lawfully remedied – provided that deletion is not excluded by law.

The Data Subject may request information about the processing of his/her personal data, may request the correction or – except for mandatory processing – the deletion or withdrawal of his/her personal data, may exercise his/her right to data portability and objection in the manner indicated when the data were collected or at the above contact details of the Controller, but primarily on the basis of a written request.

All incoming requests are documented in the data protection register.

In either case, a written request must be made and sent by the Affected Party.

Within three working days of the Company receiving a request or objection, the Managing Director must reply to it, and in the event of cancellation, he/she will request the person responsible for IT to manage the request.

The Company will respond to the Data Subject’s request related to the processing of his or her personal data in writing and in an understandable form within 25 days of receipt at the latest, or 15 days in case of exercising the right for objection.

As a general rule, the information is free of charge, for the information specified in Article 15 (1) of the InfoAct, unless the information to the Data Subject can be refused by law.

As a general rule, the information is free of charge, and the Company will only charge a fee in the cases specified in Section 15 (5) of the InfoAct.

The Company shall reject a request only for the reasons specified in Article 9(1) or Article 19 of the InfoAct, and only with justification, with the information specified in Article 16(2) of the InfoAct, in writing.

The head of the department processing the data shall correct the inaccurate data, provided that the necessary data and the official documents evidencing them are available, and shall take measures to delete the processed personal data if the reasons set out in Article 17 (1) of the GDPR or Article 20 of the GDPR apply.

The head of the department responsible for data processing shall suspend the processing of the Data Subject’s personal data for the duration of the assessment of the Customer’s objection to the processing of the personal data, shall examine the validity of the objection and shall take a decision, of which the applicant shall be informed in accordance with Section 21 (1) of the InfoAct.

If the objection is justified, the head of the department processing the data shall act in accordance with the provisions of Section 21 (3) of the InfoAct.

Right of information

If the Data Subject requests information on the processing of his/her data on the basis of a written request to the Controller, he/she shall be informed of the following:

  • Contact details of the Controller;
  • the purposes and legal basis for the intended processing of personal data;
  • where the data are still processed in the legitimate interest of the Controller, the legitimate interest must be indicated.

The request for information shall be free of charge and the information shall be provided to the Data Subject as soon as possible.

The Data Subject’s right of access

If the Data Subject has received feedback from the Controller on whether his or her personal data are being processed and such processing is in progress, he or she has the right to obtain information on the personal data and the following information:

  • the purposes of the processing;
  • the categories of the Data Subject’s personal data;
  • the intended storage duration of the personal data or, where this is not possible, the criteria for determining that duration;
  • the Data Subject’s right to request the Controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
  • the right to submit a complaint to one of the supervisory authorities;
  • if the data was not collected from the Data Subject, any available information about its source.

Right to rectification

The Data Subject shall have the right to have inaccurate personal data relating to him or her corrected by the Controller without undue delay upon request. Taking into account the purpose of the processing, the Data Subject shall have the right to request the supplementation of incomplete personal data, including by means of a supplementary declaration, which may be requested by electronic means or by post.

Right to erasure

At the Data Subject’s request, the Controller shall delete personal data relating to the Data Subject without undue delay, and the Controller shall be obliged to delete personal data relating to the Data Subject without undue delay if one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the Data Subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  • the Data Subject objects to the processing and there are no legitimate overriding reasons for the processing;
  • the personal data have been processed unlawfully;
  • personal data must be erased in order to comply with a legal obligation under EU or Member State law applicable to the Controller.

The Data Subject may request the erasure of his/her data by electronic means or by post.

Right to restriction of processing

The Data Subject has the right to have the stored personal data marked for the purpose of limiting their future processing. In this case, the Data Subject may:

  • challenge the accuracy of the data;
  • draw attention to unlawful processing of his/her data and restrict their use;
  • the Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims;
  • has already objected to the processing, but the Controller must consider whether its legitimate grounds override the Data Subject’s legitimate grounds and requests and therefore restrict the use of the data.

Right to object (Article 21 of the GDPR)

The Data Subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the Controller, or necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on the aforementioned provisions. In the event of an objection, the Controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Any request received from an e-mail address previously provided to the Controller shall be considered as a request from the Data Subject. In the case of claims from other email addresses and claims submitted in writing, the Data Subject may submit a claim only if he/she has duly demonstrated his/her capacity as a Data Subject.

IX. THE USE OF COOKIES ON THE SITE AND THE COLLECTION OF DATA

A cookie is defined as a small text file containing data that is stored on the Data Subject’s computer when they visit a website. The purpose is to allow websites to remember what the Data Subject has done while on the website. It may store information about whether the Data Subject clicked on certain links or pages, logged in with the Data Subject’s name, or read certain pages on the site months or even years before.

This website does not use cookies and therefore their type, designation, nature and time of use are not indicated.

X. LEGAL ENFORCEMENT OPTIONS

The Data Subject may exercise his/her legal enforcement rights before a court of law pursuant to the InfoAct and Act V of 2013 on the Civil Code, and may also seek the assistance of the National Authority for Data Protection and Freedom of Information in any matter related to personal data.

Anyone may submit a request for an investigation to the Authority by notifying the Authority that personal data or the exercise of rights of access to data of public interest or of rights of access to data in the public interest have been processed in a way that violates or threatens to violate rights. The Authority may issue a report on an investigation carried out on the basis of a request if no official or judicial proceedings have been initiated by the Authority in the case. The Authority may or shall initiate a data protection supervisory procedure in order to enforce the right to the protection of personal data. The procedure shall result in an Authority decision.

XI. UPDATE AND AVAILABILITY OF THE NOTICE

The Controller reserves the right to amend this Notice unilaterally, with effect from the date of the amendment. The Controller reserves the right, at its unilateral discretion, to modify or withdraw the provisions of this Notice at any time by informing the Data Subject by means of making available the current version of this Notice. In particular, this Notice may be amended if necessary as a result of changes in legislation, data protection authority practices, business needs or newly identified security risks.

Name: National Authority for Data Protection and Freedom of Information
Seat: Falk Miksa utca 9-11., H-1055 Budapest
Postal address: Pf.: 9., H-1363 Budapest
Telephone: +36 1 3911400
Fax: +36 1 3911410
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu