PEAKSTON Kereskedelmi Korlátolt Felelősségű Társaság - PRIVACY NOTICE FOR THE WEBSITE
PEAKSTON Kereskedelmi Korlátolt Felelősségű Társaság (hereinafter: Controller), as controller, agrees to be bound by the provisions of this legal statement. The Controller warrants that all data processing related to its activities complies with the requirements set out herein and in applicable legislation. You can find the data protection principles related to data processing by the Controller at: www.peakston.hu.
The Controller reserves the right to change this notice at any time. Naturally, it will inform the public of these changes in time. Should you have any questions in connection with our privacy notice, write to us for an answer.
The Controller is committed to protecting the personal data of its clients and partners and considers respecting the right of its clients to informational self-determination to be of the utmost importance. The Controller processes personal data confidentially and takes all necessary security, technical and organisational measures to guarantee the security of data. In the following the Controller presents its data processing practice:
2. THE CONTROLLER
Name: PEAKSTON Kereskedelmi Korlátolt Felelősségű Társaság (PEAKSTON Kft.)
Seat: 2336 Dunavarsány, Bajai út 2090.
Mailing address: 2336 Dunavarsány, Bajai út 2090.
Tax number: 10893661-2-44
Company registration number: Cg. 13-09-182833
Court of registration: Company Registry Court of Budapest Environs Regional Court
Represented by: Andrea Bak and Péter Attila Rokszin, Managing Directors
3. Definition of KEY terms in the notice:
4. PRINCIPLES OF PROCESSING PERSONAL DATA
4.1 Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
4.2 Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
4.3 Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
4.4 Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
4.5 Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
4.6 Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
4.7. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).
4.8. Both when defining the method of data processing and during its course the Controller shall implement appropriate technical and organisational measures – e.g. anonymisation – in order to apply the above principles efficiently, fulfil its obligations, incorporate legal guarantees, etc., doing so in a regulated fashion and with detailed documentation. In practice, this mindset is helped by the training and data protection awareness of employees and by analysing risks and interests during the introduction of individual data processing activities and/or their regular review (“Privacy by design”).
4.9. Personal data shall maintain this quality as long as their link to the data subject can be restored. The link to the data subject is considered restorable if the Controller possesses the technical means required for such restoration.
The Controller pays particular attention to protecting the personal data of incapacitated persons, minors with limited capacity under the age of 16, and children. Their declaration requires the consent of their legal guardian, except for those parts of the service where the declaration concerns data processing that is extremely common in everyday life and does not require particular consideration.
If personal data are recorded with the consent of the data subject, then, unless otherwise provided for by law, the Controller may process the recorded data
a) to comply with its legal obligations, or
b) to enforce legitimate interests of the Controller or a third party. If enforcing such interests is proportionate to the limitation of the right to the protection of personal data, then the Controller may also process these data without the consent of the data subject or following the revocation of their consent.
The Controller only processes personal data for specific purposes, to exercise its rights and fulfil its obligations. The Controller declares that all stages of its data processing are appropriate for its purpose and that data is recorded and processed fairly. The Controller declares that it shall only process personal data that is vital to and suitable for achieving the purpose of data processing, and only to the extent and for the duration required for this purpose.
The Controller declares that it shall only process personal data based on informed consent. The Controller shall inform the data subject appropriately before the start of data processing as to whether that is based on consent or mandatory. The Controller shall inform the data subject clearly, in an understandable way and in detail about all facts connected with the processing of their personal data, particularly the purpose, legal basis, and duration of processing, the person entitled to process data, and whether the controller is processing data with the consent of the data subject and in order to fulfil a legal obligation of the controller or to enforce legitimate interests of third parties, as well as on who may access these data. The information provided shall also cover the rights and legal remedies of the data subject in connection with processing.
During data processing, the Controller shall ensure that data are accurate, complete and up-to-date, and that the data subject can only be identified for the duration required for the purpose of processing.
The Controller shall process personal data lawfully, fairly, and transparently towards the data subject. Pursuant to Section 2(2) of the Information Act, regarding basic principles the Regulation must be applied with the following addendum set out in Section 4(5) of the Information Act: “The processing of personal data shall be considered fair and lawful if, in order to ensure the freedom of the data subject to express their view, the person wishing to learn this view seeks out the data subject at their residence or place of stay, provided that the personal data of the data subject are processed in accordance with this Act and personal contact is not aimed at business. Under the Labour Code, personal contact may not take place on a public holiday.”
The Controller does not check the personal data provided to it. The correctness of provided data is the sole responsibility of the person who provided them (data subject). By providing their e-mail address the data subject also assumes responsibility for being the sole person to use services from that e-mail address. In light of this commitment, all responsibility related to visits from the provided e-mail address is borne by the data subject who registered it.
5. TYPES OF PROCESSING, RANGE OF PERSONAL DATA, AND PURPOSE, LEGAL BASIS AND DURATION OF PROCESSING
Data processing by the Controller in connection with activities on the website is based on voluntary consent. In certain cases, however, the processing, storage, and transmission of some of the personal data provided is mandatory by law, of which we will inform our public separately.
We ask anyone who is providing data of another person to the Controller to note that they are responsible for obtaining the consent of the data subject.
The data processing principles of the Controller are aligned with legislation in force on data processing, particularly the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Information Act)
- Act CVIII of 2001 on Electronic Commerce and on Information Society Services (E-commerce Act).
5.1. DATA PROCESSED DURING USE OF THE WEBSITE
You can also use the www.peakston.hu site without providing your personal data; accordingly, the General Data Protection Regulation does not cover the use of the website.
Data generated when browsing the website is not stored or processed by the Controller in any way that could be tied to the specific data subject.
In order to provide a customised service, the operator of the www.peakston.hu website places a small data package, a so-called cookie on the computer of the user, which it also reads back. However, no processing of personal data is performed with the help of these cookies.
Legal basis of processing: Pursuant to Sections 13/A (3) and (4) of the E-commerce Act, the legislative provisions set out in Article 5(3) of Directive 2002/58/EC, and Section 155(4) of the E-commerce Act, the consent of the data subject, which we request and record at the first login to the site.
For more information about cookies visit:
Users can delete cookies from their computer or disable their use in their browser. Cookies can be managed usually in the Tools/Settings menu of browsers, under “cookies” in the Privacy settings.
5.3. PROCESSING IN CONNECTION WITH QUOTE REQUESTS
Types of personal data processed: Name, telephone number and e-mail address of the data subject.
Purpose of processing: Providing quotes requested in connection with products on the website and communication.
Data subjects: All natural persons who request a quote on the website of the Controller.
Legal basis of processing: the consent of the data subject, pursuant to Article 6(1)a) of the Regulation.
Duration of processing: the duration of the storage of user data in a database, until the user requests their erasure.
Description of the activity and process involved in data processing:
To request a quote, the data subject fills out a form, on which they must provide the information required for drawing up a quote.
5.4. PROCESSING IN CONNECTION WITH THE VERIFIABILITY OF CONSENT
Types of personal data processed: IP and e-mail address of the data subject and the time of consent.
Purpose of processing: During registration and orders the IT system saves IT data related to the consent in order to ensure its subsequent verifiability.
Data subjects: All natural persons who register on the website of the Controller or place an order or subscribe to a newsletter there.
Legal basis of processing: based on a statutory obligation (Article 6(1)c) of the GDPR); this obligation is prescribed in Article 7(1) of the GDPR.
Duration of processing: Legislative provisions prescribe subsequent verifiability; therefore data is stored for the limitation period following the end of processing.
5.5. PRESENCE ON SOCIAL MEDIA SITES
We integrated the components of the YouTube service on our website: www.peakston.hu.
YouTube is a platform where users can upload videos and can watch and comment on videos published by others.
Visiting the website creates a direct link between the browser and the servers of YouTube and Google. As a result, both YouTube and Google receive the information that the website was accessed from the given IP address. If a visitor is logged in to their YouTube/Google account or views a video embedded on the site from YouTube, then the content of the website can be linked to the given YouTube profile, through which YouTube may link the visit to the website to that account.
If you do not wish to link your visits to the website to your YouTube account, log out from your YouTube account before visiting the website.
The data protection provisions of YouTube can be found at https://www.google.com/intl/hu/policies/privacy, where you will find information about the collection, processing and use of personal data by YouTube and Google.
Types of personal data processed: public name and e-mail address of the data subject, their message sent via social media, review or the result of a different operation.
Purpose of processing: sharing, publishing, and marketing contents of the website on social media sites. On our social media pages data subjects can also find the latest promotions.
Data subjects: All natural persons who voluntarily follow, share, or like social media pages of the Controller or their content.
Legal basis of processing: consent of the data subject (Article 6(1)a) of the GDPR and Section 6(5) of the Act on Business Advertising Activity). By following or liking contents of the Controller the data subject gives their voluntary consent according to the terms and conditions of the social media site. As an example, data subjects can subscribe to the news feed on the wall of our YouTube page by clicking the “like” button on the page, with which they consent to publishing the news and offers of the Controller on their own wall, or can unsubscribe from it by clicking on the “dislike” button. They can also delete news feeds they do not wish to publish on their wall in the settings of this wall.
Duration of processing: until the data subject requests erasure.
5.6. EXTERNAL LINKS AND REFERENCES
Our website may contain numerous points of connection (links, references) that lead to websites of other service providers. The Controller is not responsible for the data- and information protection practices of these service providers. These websites are the following:
5.7. OTHER PROCESSING
We shall provide information about processing not listed here when the relevant data is recorded. We inform our clients that courts, prosecutors, investigating authorities, authorities dealing with offences, administrative authorities, the Hungarian National Authority for Data Protection and Freedom of Information, and other bodies as allowed under law may contact the Controller to request information, data, and documents.
Provided that the authorities specified their exact purpose and the range of data, the Controller shall only release to them personal data to the extent strictly necessary for achieving the purpose of the query.
6. USING A PROCESSOR
In certain cases the Controller may need to use processors, whereby we transmit your personal data also recorded in this privacy notice to the processor involved in the given service. Processors shall only use personal data for the following technical tasks requested by the Controller: storing, evaluating, analysing, organising, selecting, and archiving data, performing and securing technical and other organisational and execution tasks, operating the website, communicating with data subjects, and handling complaints.
Processors store data for the same period as the Controller, following which they erase them. In this regard the Controller declares that it selects all processors carefully, in each case emphasizing and expecting compliance with mandatory provisions under EU and Hungarian law when processing personal data. The Controller has the right to verify compliance with data protection and data security requirements.
The Controller reserves the right to use processors, on whose identity it shall provide separate information at the start of processing at the latest.
The Controller shall use the following processors:
| Name: | Sparks & Chill Korlátolt Felelősségű Társaság |
| Registered seat: | 8245 Vászoly, Kossuth L. utca 8. |
| Company registration number: | Cg. 19-09-522377 |
| Court of registration: | Company Registry Court of Veszprém Regional Court |
| Mailing address: | 8245 Vászoly, Kossuth L. utca 8. |
| Represented by: | Lajos Tibor Tóth, Managing Director |
| Description of data processing activity: | web display |

| Name: | Tárhely.Eu Szolgáltató Korlátolt Felelősségű Társaság |
| Registered seat: | 1144 Budapest, Ormánság utca 4. X. em. 241 |
| Company registration number: | Cg. 01-09-909968 |
| Court of registration: | Company Registry Court of Budapest-Capital Regional Court |
| Mailing address: | 1538 Budapest, Pf.: 510 |
| Represented by: | László Zoltán Kárpáti, Managing Director |
| Description of data processing activity: | hosting service |

| Registered seat: | 901 Cherry Ave., San Bruno, CA 94066, USA |
| Description of data processing activity: | video sharing |
7. DATA STORAGE
The Controller shall store the personal data of data subjects on servers operated by Tárhely.Eu Kft.
8. DATA SECURITY MEASURES
The Controller and its processors shall implement appropriate technical and organisational measures, taking into account the state of technology, implementation costs, the nature, scope, circumstances, and purposes of processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, in order to guarantee a level of security commensurate with the risk.
The Controller shall select and operate the IT equipment used for processing personal data ensuring that processed data:
- is accessible to those entitled (availability);
- is valid and certified (credibility of processing);
- remains verifiably unaltered (data integrity);
- is protected against unauthorised access (data security).
The Controller shall protect data with appropriate measures, particularly against unauthorised access, alteration, transmission, publication, erasure, destruction, accidental destruction, damage and becoming unavailable due to changes in the applied technology.
In order to protect data sets managed electronically in its various registers, the Controller shall implement appropriate technical measures to ensure that stored data cannot be linked to each other directly nor associated with the data subject, unless this is permitted under law.
Taking the state of technology into account, the Controller shall implement technical and organisational measures to guarantee the security of processing, which provide a level of security commensurate with the risks that arise during processing.
During processing, the Controller shall preserve:
- confidentiality: it shall protect information, limiting access to it to those entitled;
- integrity: it shall protect the accuracy and completeness of information and of the processing method;
- availability: it shall ensure that authorised users can access the information they need when they need it, and that the related means are available.
The IT system and network of the Controller and of its partners involved in processing are protected against computer-aided fraud, espionage, sabotage, vandalism, fire, flood, computer viruses, hacking and denial-of-service attacks. The operator shall ensure security through both server-level and application-level protection measures. We would like to inform our users that regardless of the protocol used (e-mail, web, ftp, etc.), electronic messages transmitted over the Internet are vulnerable to network threats aimed at dishonest activities, disputing contracts, or disclosing or altering information. The Controller shall take all measures that can be expected of it to protect data against such threats. It monitors systems so as to be able to record any deviation from security and provide evidence for any security event. The monitoring of systems also enables the verification of the efficiency of the protective measures taken.
The Controller keeps records of personal data breaches, recording the facts associated with them, their effects, and the remedy measures taken. The Controller shall report personal data breaches to the Hungarian National Authority for Data Protection and Freedom of Information without delay, if possible within 72 hours of becoming aware of them, unless the personal data breach is unlikely to pose a threat to the rights and freedoms of natural persons. If the report is made beyond 72 hours, the reasons that justify the delay must be attached to it.
9. RIGHTS AND LEGAL REMEDIES OF DATA SUBJECTS
The data subject may request information about the processing of their personal data and may request the rectification or – with the exception of mandatory processing – erasure or restricted processing of personal data, and may exercise their rights to data portability and objection, as indicated when the data was recorded, at the above contact details of the Controller.
9.1. Right to be informed
The Controller shall take appropriate measures to ensure that it provides all information mentioned in Articles 13 and 14 of the GDPR in connection with the processing of personal data and all information under Articles 15-22 and 34 in a compact, transparent, intelligible and easily accessible form, in clear and plain language.
9.2. Right to access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- the envisaged period for which the personal data will be stored,
- the existence of the right to rectification, right to erasure, right to restricting processing, and the right to object;
- the right to lodge a complaint with a supervisory authority;
- available information as to the source of data;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The Controller shall provide the requested information within one month of the submission of the request.
9.3. Right to rectification
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her and the completion of missing data.
9.4. Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services;
The erasure of data cannot be requested if processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.
9.5. Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing; in which case the restriction applies to the period of verifying whether the legitimate grounds of the controller override those of the data subject;
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
9.6. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
9.7. Right to object
The data subject has the right to object for reasons associated with their own situation to processing that is performed out of public interest or is necessary for performing a task under the authority vested in the Controller, or to processing necessary for enforcing lawful interests of the Controller or a third party, including profiling based on the aforementioned provisions. If the data subject objects to it, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
9.8. Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
9.9. Right to withdraw consent
The data subject shall have the right to withdraw his or her consent at any time.
9.10. Right to an effective judicial remedy
If the rights of the data subject are violated, they may turn to a court against the Controller, that is, they may initiate legal proceedings at the court competent according to their residence or place of stay (for the list of courts, click on the following link: http://birosag.hu/torvenyszekek). The court shall give priority to the case.
9.11. Procedure of the data protection authority
You can lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information:
Name: Hungarian National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5
9.12. Informing the data subject of personal data breaches
If the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons, then the Controller shall inform the data subjects of the personal data breach without undue delay.
The information provided to the data subject must inform them clearly and in an understandable way about the nature of the personal data breach, the name and contact details of the Data Protection Officer or other contact person who can provide further information, the probable consequences of the personal data breach, and the measures taken or planned by the Controller for remedying the personal data breach, including, where appropriate, measures aimed at mitigating any negative consequences of the personal data breach.
The data subject does not need to be informed where one of the following holds:
- the Controller has taken appropriate technical and organisational measures, which were applied with regard to the data affected by the personal data breach, particularly measures – e.g. the use of encryption – that render data unintelligible for persons without authorisation to access personal data;
- following the personal data breach, the Controller has taken further measures that ensure that the high risk to the rights and freedoms of the data subject is no longer likely to arise;
- providing information would require disproportionate effort. In such cases the data subjects must be informed via publicly announced information or a similar measure must be taken, which ensures the similarly efficient notification of data subjects.
If the Controller has not yet notified the data subject about the personal data breach, then the supervisory authority, after assessing whether the personal data breach is likely to pose a high risk, may order the notification of the data subject.
9.13. Compensation of damage and grievance
Any person who suffers material or non-material damage as a result of a breach of the data protection regulation is entitled to compensation from the Controller or the processor for damages sustained. The processor shall only be responsible for damage caused by processing if it did not fulfil the statutory obligations specific to processors or if it ignored the lawful instructions of the Controller or acted contrary to them.
If several controllers or processors or both the controller and the processor are involved in the same processing, and they are liable for damage caused by processing, then the liability of each controller or processor regarding the total damage shall be joint and several.
The Controller or processor shall be exempted from their liability if they demonstrate that they are in no way responsible for the event that caused the damage.
9.14. Procedural rules
- The Controller shall inform the data subject of the measures taken upon their request pursuant to Articles 15-22 of the GDPR without delay, within one month of receiving the request at the most.
- If necessary, given the complexity and number of requests, this deadline may be extended by two months. The Controller shall notify the data subject of the deadline extension within one month of receiving the request, indicating the reasons for the delay. If the data subject submitted their request electronically, then the information shall be provided to them electronically, unless the data subject requests otherwise.
- If the Controller will not take any measures upon the request of the data subject, then it shall inform the data subject without delay, within one month of receiving the request at the most, of the reasons for it not taking action and of the fact that the data subject has the right to lodge a complaint with a supervisory authority and the right to legal remedy.
- The Controller shall provide the requested information free of charge. If the request of the data subject is clearly unfounded or - particularly due to being repetitive - excessive, then the Controller may charge a reasonable fee in light of its administrative costs connected with providing the requested information or taking the requested measure, or may refuse to act upon the request.
- The Controller shall inform all recipients to which or to whom personal data were communicated about all rectifications, erasures, and restricted processing it performs, unless this is impossible or would require disproportionate effort. Upon request, the Controller shall inform the data subject of these recipients.
- The Controller shall provide to the data subject a copy of the personal data that constitute the subject of the processing. For further copies requested by the data subject the Controller may charge a reasonable fee based on administrative costs. If the data subject submitted their request electronically, then the information shall be released to them electronically, unless the data subject requests otherwise.
10. AMENDING THE PRIVACY NOTICE
The Controller reserves the right to amend this privacy notice, without affecting the purpose and legal basis of the processing. By using the website following the entry into force of the amendment you accept the amended privacy notice.
In the event that the Controller wishes to perform further processing in connection with collected data for purposes different from those for which they were originally collected, the Controller shall inform you of the purpose of processing and the following information before the start of the further processing.
The processing may only start after this, and if it is based on consent, you also need to consent to the processing in addition to receiving the information.
Budapest, 31 October 2019
Péter Attila Rokszin, Managing Director