DATA HANDLING POLICY
Last modified: 2020.06.22.
1. General provisions and contact details
This policy (“Policy”) applies to the handling of any information (personal data) concerning identified or identifiable natural persons (data subjects) by Vostok Solutions Ltd. (“VOSTOK”).
Company name: Vostok Solutions Kft.
Seat: HU-1027 Budapest Kapás utca 46. 2/4.
Contact: Managing director
VAT number: 25900749-2-41
Data Protection Officer: Managing director Address: Vostok Solutions Kft. HU-1550 Budapest Pf. 4. E-mail: firstname.lastname@example.org
If you have any questions or remarks concerning this Policy, please contact VOSTOK at one of above contact details prior to using the website and prior to providing any information or data in accordance with this Policy.
2. Updates and access to the Policy
VOSTOK reserves the right to unilaterally modify the Policy, following any prior modifications, after which such modification shall come into effect. Modification of this policy can especially take place if it is necessary due to legal changes, data protection authority practice, company or employee demand, new purpose of data handling, or newly discovered security risks. VOSTOK may use the contact details of the data subject made available to VOSTOK for the purpose of making and maintaining contact with the data subject in connection with this Policy or with privacy issues or otherwise. Upon your request, for example, VOSTOK will send you a copy of the current effective version of this Policy or certify that the Policy has been made available to the data subjects.
3. Other data protection conditions
During use of the individual separate services, you may be subject to specific data protection conditions that you will be informed of prior to using the given service.
The data subjects must make available to VOSTOK the relevant personal data pursuant to applicable regulations in every case. In particular, they must have appropriate and informed consent or other legal basis for transferring personal data (such as transferring the data of contact persons, relatives). If VOSTOK learns that any of the data of a data subject has been transferred without their consent or without other legitimate legal basis, VOSTOK may immediately delete such data; in addition, the data subject will be entitled to exercise their rights and options for legal redress under this Policy. VOSTOK shall not be responsible for any damage, loss or injury arising from breach of the above obligations or statements by the data subject.
4. The scope of handled data and the purpose of data handling
The data management objectives are summarised as follows:
- Handling the data of contact persons of contracted partners acting in connection with contracts not identified in this Policy and of persons who are involved in the performance of these contracts and in monitoring performance (on a daily basis).
- Handling the data of contracted partners, contact persons as well as persons involved in the performance of these contracts and in monitoring performance for compliance issues regarding the contracts or for any other purpose, including seeking options for legal redress for ensuring contractual rights.
- Data handling in connection with the enforcement of the data protection rights of the data subjects (for details, see Section 9).
- Archiving the consents of the data subjects to data handling and the withdrawal of their consent, if any.
- Keeping records of privacy incidents (including the documentation of measures made in order to manage such idents).
If a data handling objective is necessary for the validation of legitimate interests of VOSTOK or a third party, VOSTOK will make available the weighing test used in determining legitimate interest if a request has been made through any of the above contacts.
VOSTOK particularly calls the attention to all involved parties that those involved have the right to object, at any time and for reasons connected to their personal situation, to the legitimate interest-based handling of their personal data, including profiling based on the provisions mentioned. In this case, VOSTOK will cease handling personal data unless it proves that the data handling is justified by such compelling reasons which give it priority over the interests, rights and freedoms of the involved party, or which are connected to the submission, enforcement or protection of legal claims. If the handling of personal data occurs for direct business acquisition purposes, the involved party has a right to object at any time to the handling of their personal data for this purpose, including profiling, if it is connected to direct business acquisition. When unsubscribing from advertising materials, a confirmation link will be sent to the e-mail address you’ve provided, which you must click to confirm your unsubscribe request. Confirmation is important because VOSTOK must be sure that the person wishing to unsubscribe is not a robot, is acting in their own name, is confirming the request through their own e-mail account and is using a genuine e-mail address.
The legal basis and the period of each data handling actions are essentially defines by the following rules of law:
- “Art.” – Act CL of 2017 on the rules of taxation. VOSTOK is obliged to keep the data supported by taxation certificates.
- “Ptk.” – Act V of 2013 on the Civil Code. If the duration of data handling is indicated as the expiry date of the obligation to provide information, the activity that interrupts the expiry extends the duration of data handling until the new date (Ptk. § 6:25 (2)). In the event that expiry is extended, the request can be presented within the one-year – or three-month if the period of expiry is shorter –deadline from the lifting of the restriction even if the period of expiry has already passed, or if less time remains than the above period. (Ptk. § 6:24 (2)).
- “Advertising Act” – Act XLVIII of 2008on Essential Conditions of and Certain Limitations to Business Advertising.
- “Accounting Act” – Act C of 2000 on accounting. VOSTOK is required to retain certain data – such as those that are contained in the documents (e.g. a sales contract) that support accounting, or that are included in the contract between VOSTOK and the client or on invoices issued – in accordance with the Accounting Act. The retention period of 8 years set forth in the Act from the date on which there was a piece of data in the given year that should be treated as an accounting item, or when the report/general ledger was based on the given data. In practice: if an item is included in a contract on the basis of which several different services are performed (e.g. several services are provided under the same contract), the 8-year period should be calculated separately for each service performed, because separate invoices are made out for each service, and the deals are recorded in the books accordingly. If the piece of data, for example, is included in a contract for the sale of something (the item has been delivered and the contract is terminated), the deal is entered into the books on the basis of the contract and the invoice, and the 8-year period mentioned above will commence from there.
5. Transfer of personal data to our contracted partners
The contracted partner acts as a so-called ‘data processor’: it handles the personal data outlined in this policy on behalf of VOSTOK. VOSTOK may only use such data processors which provide adequate guarantees, in particular concerning expertise, reliability and resources, regarding the implementation of technical and organisational measures to ensure compliance with GDPR requirements, including data handling security. The specific tasks and responsibilities of the data processor are specified by the contract between the data processor and VOSTOK. Following the handling of data on behalf of VOSTOK, the data processor will return or delete the personal data at VOSTOK decision, unless EU law or that of a member state applicable to the data processor prescribes its storage.
6. Cookies used on the website
Cookies are used in certain areas of the website. The cookies are files that store information on your hard disk or web browser.
Cookies, for example, make it possible for the website to recognise if you have visited previously, or, by allowing us to see which sites you visit and how much time you spend there, help us understand what part of the website is most popular. By studying this, we can better adjust the site to your needs and offer a more varied user experience. With the help of cookies, we can assure that the information displayed on your next visit to the site will meet your expectations (without identifying you personally).
When you visit one of our websites, technical information may be gathered that does not allow you to be personally identified. For example, the name of another website that directed you here, the location from where you accessed the website, and search queries completed on the website. Collecting this information helps us identify the preferred search habits of our website users without using their personal data. Such information is used strictly for internal purposes. Anonymous or general data from which your person cannot be identified does not qualify as personal data and thus does not fall within the scope of this Policy.
Links for the handling of cookies in the case of most frequently used browsers:
Google Analytics provides a further option of unsubscribing from the Google Analytics service: http://tools.google.com/dlpage/gaoptout?hl=en-GB.
7. Personal data relating to children and third parties
With the exception of when parental consent is provided, persons under 16 years of age are not permitted to provide any personal data.
By providing personal data, you declare and affirm that you have considered the above and that your legal capacity related to providing personal data is not limited.
If you do not have the right to independently provide personal data, you must acquire the permission of the appropriate third party (i.e. legal representative, guardian, other persons you are representing), or provide another form of a legal basis to do so. In relation to this, you must be able to consider whether the personal data to be provided requires the consent of a third party. To this point, you are responsible for meeting all the necessary requirements, as VOSTOK may not otherwise come into contact with the data subject and VOSTOK shall not be liable or bear any responsibility in this regard. Nevertheless, VOSTOK has the right to check and verify whether the proper legal basis has been provided with relation to the handling of data at all times. For example, if you are representing a third party, we reserve the right to request the proper authorisation and/or consent of the party being represented with relation to the matter at hand.
We will do everything in our power to remove all unauthorised information provided and ensure that such information is not forwarded to any third party, or used for our own purposes (advertising or any other activity). We request that you inform us immediately should you become aware that a child or any other third party has provided any personal data of yours that you have not properly authorised them to do so.
8. Data security
Data processed by VOSTOK is protected by the restrictions applied to the access of information. For example, only those who require it, in the interests of and for the purposes listed previously, have access to the data.
9. Your data protection rights and legal options for remediation
Your data protection rights and legal options for remediation are detailed in the relevant provisions of the GDPR (particularly in GDPR articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80 and 82). The following summary contains the most important provisions, as well as information provided accordingly by VOSTOK, on your rights and legal options for remediation regarding data handling.
Please note that with respect to profiling (sending of promotional materials etc.) described above in this Policy, you are entitled to request personal intervention from VOSTOK, and to express your position in written form and make it known to VOSTOK. You may also object to the decision which follows the results of the profiling. In such a case, VOSTOK will investigate the decision with personal intervention and in consideration of the information you have provided, and will inform you of the outcome.
The information must be provided in writing or in other forms – including electronically in some cases. Verbal information may also be provided upon request, provided that you have otherwise confirmed your identity.
VOSTOK will inform you of any measures taken in response to your request without undue delay, but in any case within one month of the arrival of your application for legal remediation (see GDPR articles 15-22). If necessary, taking into account the complexity and number of applications, this deadline can be extended by two additional months. VOSTOK will inform you within one month of receiving the request of the extension of this deadline by indicating the reasons for the delay. If you submitted your request electronically, you must be informed electronically whenever possible unless otherwise requested.
If VOSTOK takes no action following your request, you will be informed of the reasons for the failure to act without delay and at most within one month of receipt of your request. You will also be informed that you may submit a complaint with a supervisory authority and exercise your right to judicial redress.
9.1 Access rights
(1) You are entitled to receive a notification from us to indicate that the handling of your personal data is in progress. If data processing is in progress, you are entitled to be provided with access to your personal data and the following information:
a) purpose of the data handling;
b) categories of the data subject’s personal data;
c) recipients or categories of recipients, who have been or will be informed of personal data, particularly third party national recipients and international organisations;
d) where appropriate, the planned period of personal data storage, or if it is not possible to provide this, the criteria for determining such a timeframe;
e) it is your right to request an update, deletion or processing restriction of personal data related to you, as well as to object to such personal data handling;
f) the right to lodge a complaint to the supervisory authority; and
g) if the data was not provided by you, all available information as to the source of such data;
h) automated decisions, including profiling, and at least in these cases, the applied logic and related information, the degree of relevance and expected consequences that these types of data handlings have for you.
(2) If personal data is transferred to a third country, you are entitled to receive notification of such associated applicable guarantees.
(3) A copy of the personal data subject to the data handling shall be made available to you. If your request was made electronically, the information shall be made available in the most commonly used electronic format, unless requested otherwise.
9.2 Right to update
You are entitled to have your information updated without delay or reason at your request. You are entitled to request that any missing or incomplete personal data is updated by making, inter alia, a supplementary declaration.
9.3 Right to deletion (‘right to be forgotten’)
(1) You are entitled to have your information deleted without delay or reason, at your request, if any of the following conditions are met:
a) there is no longer a need for the personal data for the purposes it was gathered for or handled otherwise;
b) you revoke your consent on which the handling is based and there is no other legal basis for the data handling;
c) you object to the data handling, and in the given case there is no overriding legitimate reason for the data handling;
d) the personal data was processed unlawfully;
e) the personal data must be deleted in order to fulfil our obligations under European Union or Member State law; or
f) the collection of personal data was associated with the offering of information society services,
You will find technical regulations related to the deletion of your account in the attached purposes for data handling.
(2) If VOSTOK disclosed any personal data and is obligated to delete such data based on paragraph (1), VOSTOK shall, with consideration to available technology and costs associated with carrying them out, take the necessary and expected steps – including technical measures – in the interest of informing those handling the data that the data subject has requested the deletion of links to the personal data in question or copies thereof, as well as further duplication of such personal data.
(3) Paragraphs (1) and (2) are not applicable in so much as the data handling is necessary, among others:
a) for the purposes of exercising the right to freedom of expression and information;
b) for the purposes of fulfilling our obligations relating to personal data handling under European Union or Member State law, as defined therein;
c) for the purposes of archiving in the public interest, scientific and historical research or statistical purposes, in so much as the rights contained in paragraph (1) would seriously threaten such data handling or most likely make it impossible; or
d) for the submission, validation and protection of legal proceedings.
9.4 Right to restrict data handling
(1) You are entitled to request that we restrict data handling if any of the following conditions are met:
a) you dispute the accuracy of the personal data, in which case the restriction is applied for the timeframe that allows for the inspection of the personal data’s accuracy;
b) the data handling is unlawful and you object to the deletion of the data, and instead request its restricted use;
c) we have no further use for the data for the purposes of data handling, but you request them for the submission, validation and defence of your legal claims; or
d) you objected to the data handling; in which case, the restriction applies to the time period required to determine whether VOSTOK legitimate reasons take precedence over those of the data subject.
(2) If data handling is subject to a restriction based on paragraph (1), such personal data, with the exception of storage, can only be processed with your consent, or for the submission, validation and defence of your legal claims, or in the interests of protecting the rights of other natural or legal persons, or in the important public interest of the European Union or a Member State.
(3) We shall inform you prior to the lifting of the data handling restriction.
9.5 Notification obligation related to the updating, deleting and data handling restriction of personal data
VOSTOK shall communicate any updates, deletion or data handling restriction to those recipients to whom the data have been disclosed, unless this proves to be impossible or requires excessive resources. We shall inform you of the recipients upon your request.
9.6 Right to data portability
(1) You are entitled to receive personal data applicable to you and made available to us, in an articulate, commonly used, machine-readable format, furthermore, you are entitled to forward these data to another data processor without obstruction from VOSTOK, if:
a) data handling is based on consent or a contractual agreement; and
b) data handling takes place through automated means.
(2) In exercising the right of data portability according to paragraph (1), you are entitled to – if technically possible – request the direct transmission of personal data between data controllers.
9.7 Right to object
(1) You have the right to object, on grounds relating to your own situation, to the handling of personal data based on a legitimate interest, including profiling. In such a case, we shall not further process your personal data, unless we demonstrate compelling legitimate grounds for handling that takes precedence over your interests, rights and freedoms or relates to the submission, validation and defence of legal claims.
(2) If the personal data is processed for the purposes of direct marketing, you have the right to object, at any time, to the handling of personal data relating to you in the interest of such, which also includes profiling in so much as it relates to direct marketing. When unsubscribing from advertising materials, a confirmation link will be sent to the e-mail address you’ve provided, which you must click to confirm your unsubscribe request. Confirmation is important because VOSTOK must be sure that the person wishing to unsubscribe is not a robot, is acting in their own name, is confirming the request through their own e-mail account and is using a genuine e-mail address.
(3) If you object to the handling of personal data for the purposes of direct marketing, the personal data can no longer be processed for this purpose.
(4) You may also exercise your right to object through automated means, based on technical specifications, relating to the use of information society services and notwithstanding Directive 2002/58/EC of the European Parliament.
(5) If the handling of personal data is for the purpose of scientific or historical research or for statistical purposes, you have the right to object, on grounds relating to your own situation, to the handling of personal data, unless the handling of data is necessary for the performance of tasks carried out in the public interest.
9.8 Right to lodge a complaint to the supervisory authority
You are entitled to lodge a complaint to a supervisory authority – particularly in your habitual residence, place of work or the Member State of the alleged infringement – if, according to your assessment, the handling of personal data related to you infringes your rights under the GDPR. The competent supervisory authority in Hungary is: National Authority on Data Protection and Freedom of Data (http://naih.hu/; 1530 Budapest, Pf.: 5.; Tel.: +36 1 391 1400; fax: +36 1 391 1410; e-mail: email@example.com).
9.9 Right to an effective judicial remedy against a supervisory authority
(1) You are entitled to an effective judicial remedy against the supervisory authority’s legally binding decision applicable to you.
(2) You are entitled to an effective judicial remedy if the competent supervisory authority does not respond to the complaint, or does not inform you within three months on the progress or outcome of the proceedings related to the lodged complaint.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
9.10 Right to effective judicial remedy against the data controller or processor
(1) You are entitled to an effective judicial remedy if, according to your assessment, the handling of personal data was improperly processed as per the GDPR and, as a result, infringes your rights under the GDPR.
(2) The proceeding must be initiated against the data controller or the data processor before the courts of the Member State where the data controller or data processor has its principal place of business. Such proceedings may be initiated before the courts of the Member State of the data subject’s usual place of residence. In Hungary, such a proceeding falls under the jurisdiction of the court. The subject may initiate the proceeding before the court applicable to the place of residence or domicile as the subject chooses. You can find out more about the jurisdiction and contact details of the court at the following website: www.birosag.hu.