WEBSITE DATA MANAGEMENT INFORMATION
By publishing this data protection information, the Data Controller complies with the prior information obligation relating to the processing of the personal data of the data subjects, as required by REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL, according to which all information according to the relevant articles of the Regulation must be made available to those affected by data management in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded.
I. NAME OF THE DATA PROCESSOR
In the context of the processing of the data subject’s personal data, the following are considered data controllers:
COMPANY NAME: Brilliant Water Kft.
SEAT/ REGISTERED OFFICE: H-1023 Budapest, Frankel Leo u. 21-23.
COMPANY REGISTRATION NUMBER: 01-09-999849
TAX NUMBER: 24284822-2-41
TELEPHONE: +36/ 30-7465-789
REPRESENTATIVE’S NAME: Csaba Vida
Personal data can be viewed by:
– employees of the Data Controller with access rights related to the relevant data management purpose
– persons and organizations performing data processing activities for the Data Controller based on service contracts within the scope determined by the Data Controller, to the extent necessary for the performance of their activities – other
The Data Controller records that it stores the personal data it manages on a paper basis at the following location:
– registered offices
Method of storing personal data handled in the form of an electronic file:
– Hard drive of the computer(s) belonging to the data controller’s work organization
– Cloud service used by the data controller
II. NAME OF DATA PROCESSOR(S).
The data processors are:
COMPANY NAME: Brilliant Water Kft.
SEAT/ REGISTERED OFFICE: H-1023 Budapest, Frankel Leo u. 21-23.
COMPANY REGISTRATION NUMBER: 01-09-999849
TAX NUMBER: 24284822-2-41
REPRESENTATIVE’S NAME: Csaba Vida
1. data subject: a natural person identified or identifiable on the basis of any information;
1a. identifiable natural person: the natural person who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, identification number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
2. personal data: any information about the data subject;
3. special data: all data belonging to the special categories of personal data, i.e. personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs or trade union membership, as well as genetic data, biometric data for the unique identification of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons;
3a. genetic data: all personal data relating to the inherited or acquired genetic characteristics of a natural person, which carries unique information about the physiology or state of health of that person, and which primarily results from the analysis of a biological sample taken from that natural person;
3b. biometric data: personal data concerning the physical, physiological or behavioral characteristics of a natural person obtained through specific technical procedures that enable or confirm the unique identification of a natural person, such as facial image or dactyloscopic data;
3c. health information: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to a natural person, which carries information about the natural person’s health;
4. consent: the voluntary, definite and clear declaration of the data subject’s will based on adequate information, by which the data subject indicates through a statement or other behavior that clearly expresses his will that he gives his consent to the processing of his personal data;
5. data controller: the natural or legal person or organization without legal personality who – within the framework defined by law or a mandatory legal act of the European Union – independently or together with others determines the purpose of data management, makes and executes decisions regarding data management (including the device used), or has them executed by the data processor;
5a. common data manager: the data manager who – within the framework defined by law or a mandatory legal act of the European Union – determines the purposes and means of data management together with one or more other data managers, and makes and executes decisions regarding data management (including the tool used) together with one or more other data managers, or has them executed by the data processor;
6. data management: regardless of the procedure used, any operation performed on the data or the set of operations, including in particular the collection, recording, recording, organization, storage, change, use, query, transmission, disclosure, coordination or connection, blocking, deletion and destruction of the data, as well as preventing its further use, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image);
7. data transfer: making the data available to specific third parties;
7a. indirect data transfer: the transfer of personal data to a data manager or data processor conducting data management in a third country or international organization by forwarding it to a data manager or data processor conducting data management in another third country or international organization;
8. disclosure: making the data available to anyone;
9. data deletion: rendering the data unrecognizable in such a way that its recovery is no longer possible;
10. restriction of data management: blocking of the stored data by marking it to limit the further processing of the data;
11. data destruction: complete physical destruction of the data carrier containing the data;
12. data processing: the set of data processing operations performed by a data processor acting on behalf of or at the request of the data controller;
13. data processor: the natural or legal person or organization without legal personality who – within the framework and conditions defined by law or a mandatory legal act of the European Union – processes personal data on behalf of or at the direction of the data controller;
14 :the totality of the data managed in one register;
15. third party: a natural or legal person, or an organization without legal personality, who is not the same as the data subject, the data manager, the data processor or the persons who carry out operations aimed at processing personal data under the direct control of the data manager or data processor;
16. data protection incident: a breach of data security that results in the accidental or unlawful destruction, loss, modification, unauthorized transmission or disclosure of personal data transmitted, stored or otherwise handled, or unauthorized access to it;
17. profiling: any processing of personal data – in an automated way – aimed at evaluating, analyzing or predicting the data subject’s personal characteristics, in particular those related to his performance at work, economic situation, health, personal preferences or interests, reliability, behavior, location or movement;
18. recipient: the natural or legal person or organization without legal personality to whom or to which the data manager or data processor makes personal data available;
19. pseudonym: processing of personal data in a way that makes it impossible to determine to which data subject the personal data refers without the use of additional information – stored separately from the personal data – and that, by taking technical and organizational measures, ensures that it cannot be linked to an identified or identifiable natural person;
20. enterprise: a natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.
21 : REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016).
22. data management system: the tools used for data management.
IV. ARC. LEGAL BASIS OF DATA MANAGEMENT
1. Consent of the data subject
(1) The legality of processing personal data must be based on the consent of the data subject or have some other legal basis established by law.
(2) In case of data processing based on the consent of the data subject, the data subject may give his consent to the processing of his personal data in the following form:
a) in writing, in the form of a statement giving consent to personal data management,
b) by electronic means, by express behavior on the Company’s website, by ticking a check box, or by making relevant technical settings during the use of services related to the information society, as well as by any other statement or action that, in the given context, clearly indicates the data subject’s consent to the intended processing of their personal data.
(3) Silence, a pre-ticked box or inaction therefore does not constitute consent.
(4) Consent covers all data management activities carried out for the same purpose or purposes.
(4) If data processing serves several purposes at the same time, consent must be given for all data processing purposes. If the data subject gives his consent after an electronic request, the request must be clear and concise, and it must not unnecessarily prevent the use of the service for which the consent is requested.
(5) The data subject is entitled to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal. Before giving consent, the data subject must be informed of this. It should be possible to withdraw consent in the same way as to give it.
2. Fulfillment of contract
(1) Data processing is considered lawful if it is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract.
(2) The consent of the data subject to the processing of personal data that is not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.
3. Fulfilling the legal obligation of the data controller or protecting the vital interests of the data subject or other natural person
(1) The legal basis for Data Management is determined by law in the event of the fulfillment of a legal obligation, so the consent of the data subject is not required for the processing of their personal data.
(2) The Data Controller is obliged to inform the data subject about the purpose, legal basis and duration of the data management, about the person of the data controller, as well as about his rights and legal remedies.
(3) In order to fulfill a legal obligation, the Data Controller is entitled, after withdrawing the data subject’s consent, to manage the data that is necessary for the fulfillment of a legal obligation concerning him.
4. Execution of a task carried out in the context of public interest or exercise of public authority conferred on the data controller, enforcement of the legitimate interests of the data controller or a third party.
(1) The legitimate interest of the data controller – including the data controller to whom the personal data may be disclosed – or of a third party may create a legal basis for data processing, provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the data subject based on their relationship with the Data Controller. Such a legitimate interest may exist, for example, when there is a relevant and appropriate relationship between the data subject and the data controller, for example in cases where the data subject is a client of the data controller or is employed by it.
(2) In order to establish the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the data subject can reasonably expect that data processing may take place for the given purpose at the time and in connection with the collection of personal data.
(3) The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if the personal data are processed under circumstances in which the data subjects do not expect further data processing.
V. THE RIGHTS OF THE DATA SUBJECT RELATED TO THE MANAGEMENT OF DATA
The Data Controller provides the following brief information about the rights of the person concerned:
The data subject has the right:
- to information before the start of data management,
- to receive feedback from the data controller as to whether their personal data is being processed, and, if such data processing is underway, to access the personal data and the following information,
- to request the correction or deletion of their data, and to receive a notification from the data controller that this has occurred,
- to request restriction of data management, and to receive a notification from the data controller that this has occurred,
- to data portability,
- to protest if their personal data is processed for purposes of public interest or with reference to the legitimate interests of the data controller,
- to be exempt from automatic decision-making, including profiling,
- to file a complaint with the supervisory authority. The data subject can exercise his right to file a complaint at the following contact details: National Data Protection and Freedom of Information Authority, address: 1055 Budapest, Falk Miksa u. 9-11., mailing address: 1363 Budapest, Pf. 9.; http://www.naih.hu e-mail: firstname.lastname@example.org
- to an effective judicial remedy against a supervisory authority,
- to an effective judicial remedy against the controller or data processor,
- to be informed about the data protection incident.
VI. PROCEDURE TO BE APPLIED IN THE EVENT OF A REQUEST BY THE DATA SUBJECT
(1) The data controller facilitates the exercise of the data subject’s rights, and may not refuse to comply with the data subject’s request to exercise his rights, which are also set out in this data management information, unless he proves that he is unable to identify the data subject.
(2) The data controller informs the data subject of the measures taken following the request without undue delay, but in any case no later than 25 days from the receipt of the request.
(3) If the data subject submitted the application electronically, the information must be provided electronically, if possible, unless the data subject requests otherwise.
(4) If the Data Controller does not take measures following the data subject’s request, it shall inform the data subject without delay, but at the latest within 25 days of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the data subject may file a complaint with the supervisory authority and may exercise his right to seek legal remedies.
(5) The data controller shall provide the data subject free of charge with the following information and measures: feedback on the processing of personal data, access to the processed data, correction, addition, deletion of data, restriction of data processing, data portability, objection to data processing, information on data protection incidents.
(6) If the data subject’s request is clearly unfounded or – especially due to its repeated nature – excessive, the data controller, taking into account the administrative costs associated with providing the requested information or taking the requested measure, may charge a fee of HUF 20,000 or refuse to act on the request.
(7) It is the responsibility of the data controller to prove that the request is clearly unfounded or excessive.
(8) Without prejudice to Article 11 of the Regulation, if the data controller has well-founded doubts about Articles 15-21 of the Regulation. regarding the identity of the natural person who submitted the application pursuant to Article
(9) If the data controller rejects the data subject’s request to correct, delete or restrict the processing of personal data processed by the Data Controller or a data processor acting on its behalf or at its direction, the data controller shall inform the data subject in writing immediately
a) on the fact of rejection, its legal and factual reasons, and
b) about the rights to which the data subject is entitled under this law, as well as the manner of their enforcement, and in particular about the fact that the data controller or the data processor acting on his behalf or at his direction may exercise his right to correct, delete or limit the processing of personal data with the cooperation of the Authority .
(10) If the Data Controller corrects, deletes or restricts the processing of personal data handled by him or by a data processor acting on his behalf or at his direction, the data controller shall notify the data controllers and data processors to whom the data was previously forwarded of the fact of this measure and its content, in order for them to carry out the correction, deletion or limitation of data management in terms of their own data management.
(11) In order to enforce the right to deletion, the Data Controller shall immediately delete the personal data of the data subject if
a) the data management is illegal, so especially if the data management is
– contrary to the basic principles laid down in these regulations,
– its purpose has ceased, or the further processing of the data is no longer necessary to achieve the purpose of the data processing,
– the period defined by law, international treaty or a binding legal act of the European Union has passed, or
– its legal basis has ceased and there is no other legal basis for processing the data,
b) the data subject withdraws their consent to data processing or requests the deletion of their personal data, unless the data processing is based on legal authorization or the protection of the vital interests of the data subject or others,
c) the deletion of the data was ordered by legislation, a legal act of the European Union, the Authority or the court, or
d) the period of existence of the data subject’s legitimate interest in not deleting his data has expired, or if the data retention period required to fulfill the documentation obligation required in the case of international data transmission has expired.
VII. PROCEDURE IN CASE OF A DATA PROTECTION INCIDENT (PERSONAL DATA BREACH)
(1) According to the Regulation, a data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or handled in another way.
(2) A data protection incident is the loss or theft of a device containing personal data (laptop, mobile phone), as well as the loss or inaccessibility of the code used to decrypt files encrypted by the data controller, infection by ransomware (blackmail virus), which makes the data managed by the data controller inaccessible until a ransom is paid, attacks on the IT system, disclosure of e-mails containing wrongly sent personal data, address lists, etc.
(3) If a data protection incident is detected, the Company’s representative shall immediately conduct an investigation in order to identify the data protection incident and determine its possible consequences. Necessary measures must be taken to prevent damage.
(4) The data protection incident must be reported to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.
(5) The data processor shall report the data protection incident to the data controller without undue delay after becoming aware of it.
(6) In the notification referred to in paragraph (3), at least:
a) the nature of the data protection incident must be described, including – if possible – the categories and approximate number of those affected, as well as the categories and approximate number of data affected by the incident;
b) the name and contact details of the data protection officer or other contact person providing additional information must be provided;
c) the likely consequences of the data protection incident must be described;
d) the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
(7) If and to the extent that it is not possible to provide the information at the same time, it can be provided later in parts without further undue delay.
(8) The data controller keeps records of data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it. This register enables the supervisory authority to check compliance with the requirements set out in Article 33 of the Regulation.
VIII. DATA MANAGEMENT IN CONNECTION WITH THE WEBSITE
3.1. Information about the data of visitors to the Data Controller’s website
(1) During visits to the website of the data controller, one or more cookies – small information packages that the server sends to the browser, and that the browser then sends back to the server with every request directed to the server – are sent to the computer of the person visiting the website. These cookies enable the visitor’s browser to be uniquely identified, if the person visiting the website has given his express (active) consent by continuing to browse the website after clear and unambiguous information. The person visiting the website can disable cookie data management in their browser program.
(2) Cookies work exclusively to improve the user experience and automate the login process. The cookies used on the website do not store personally identifiable information, the Data Manager does not manage personal data in this context, only the IP address of the users, the operating system and the browser, as well as the URL address of the visited pages and the time of the visit are logged.
(3) In the case of embedding social site plugins in a website, the Data Controller provides the following information: as a result of the embedded plugins, the Data Controller transmits user data to the social site (Facebook, Twitter, Pinterest, LinkedIn) whose plugin has been placed on its website. The scope of transmitted user data is defined in paragraph (2). After the transmission of the data, the social site is obliged to provide the user with information about the handling of the received data.
3.2. Newsletter subscription, registration
3.2.1. Sign up for newsletter
(1) The legal basis for data management in the case of a newsletter subscription is the consent of the data subject, which is given by ticking the box next to the “newsletter subscription” text section on the website of the relevant Data Controller after receiving information about the processing of their data.
(2) The circle of stakeholders in the case of subscribing to the newsletter: all natural persons who subscribe to the Data Controller’s newsletter or register on the website and give their consent to the processing of their personal data.
(3) Scope of processed data in case of newsletter subscription:
– date of registration
– e-mail address.
(4) The purpose of data management in case of subscription to the newsletter: to inform the data subject about the Data Controller’s services and products, the changes that have occurred in them, information about news and events.
(5) Recipients of the data (those who can see the data) in the case of subscription to the newsletter: Head of the Data Controller, employee providing customer relations, data processing employees operating the website of the Data Controller.
(6) Duration of data management in the case of subscription to the newsletter: until withdrawal of consent, until unsubscribing from the newsletter.
(7) The data subject may unsubscribe from the newsletter at any time or request the deletion of his personal data. Unsubscribing from the newsletter is done by clicking on the unsubscribe link in the footer of the e-mails sent to the data subject or in a postal letter sent to the registered offices of the Data Controller.
(8) Our company uses the Mailchimp newsletter system, for which further information is available at https://mailchimp.com/.
(1) In the case of registration, the legal basis for data management is the data subject’s consent, which the data subject provides by ticking the box next to the “registration” text on the Data Controller’s website after receiving information about the processing of their data.
(2) In case of registration, the group of stakeholders: all natural persons who register on the website of the Data Controller and give their consent to the processing of their personal data.
(3) Scope of processed data in case of registration:
– date of registration
– e-mail address
– phone number
(4) In the case of registration, the purpose of data management is: contact in order to prepare a contract, provision of free services available on the website to the affected party, access to non-public content of the website.
(5) Recipients of the data (those who can see the data) in the case of registration: the manager of the Data Controller, employees providing customer relations, data processing employees operating the website of the Data Controller.
(6) Duration of data management in the case of registration: until withdrawal of consent,
(7) The data subject may request the deletion of his/her registration (personal data) at any time. The interested party can initiate the cancellation of the registration by sending an electronic mail to the e-mail address of the Data Controller.
3.3. Data management related to direct marketing activities carried out on the website
(1) The Data Controller’s data processing for direct marketing purposes is based on the data subject’s consent, which is clear and explicit. The data subject gives his clear, explicit prior consent on the website of the Data Controller by ticking the box next to the text part of the consent to direct marketing inquiry after receiving information about the processing of his data.
(2) The scope of stakeholders: all natural persons who give their clear, express consent to the Data Controller handling their personal data for direct marketing purposes.
(3) The purposes of data management: identification, contact with service provision, sending messages containing advertising and offers related to product sales, for the purpose of notification of promotions electronically.
(4) Recipients of personal data: the head of the Data Controller, employees performing customer service tasks and marketing tasks based on their job title.
(5) Scope of processed personal data:
– phone number
– e-mail address
(6) Duration of data processing: personal data is processed for direct marketing purposes until consent is revoked by the data subject (protest).
3.4. Data management related to the web store operated by the Data Controller
(1) For registration in the online store, for data management activities related to subscribing to the newsletter, as well as for informing visitors, the provisions of points 3.1., 3.2. and 3.3. are governing.
(2) Online, electronic contracts (purchases) on the Data Controller’s website are subject to Act CVIII of 2001 (Eker tv.); therefore, the purpose of data management, in addition to the above, is to prove the fulfillment of the service provider’s obligation regarding consumer information prescribed by law, to prove the conclusion of the contract, to create the contract, determine its content, modify it and monitor its fulfillment, to invoice the resulting fee(s), and to enforce related claims.
(3) In the case of a purchase in the online store, the legal basis for data management is the performance of the contract, the fulfillment of legal obligations.
(4) Categories of data affected by data management:
– name of customers
– buyer’s address,
– customer phone number,
– customer login password,
– customer’s bank account number.
(5) Categories of persons affected by data management: all natural persons who register in the Data Controller’s online store, subscribe to newsletters, or make purchases.
(6) The categories of recipients of the data: the head of the Data Controller, employees performing customer relations tasks and sales-related tasks, data processing employees who operate the Data Controller’s website, and employees performing accounting tasks of the Data Controller, employees of the data processor performing these tasks.
(7) The place of data management is recorded in point IV, paragraph (4) of these regulations.
(8) Duration of data management: 5 years from the termination of the contract.
3.5. Rules of presence on social media sites
- The data manager is present on the following social media sites:
(2) Categories of affected persons: natural persons who follow the Data Controller’s social page.
(3) The legal basis for data management is the voluntary consent of the data subject in the case of following the Data Controller’s social page.
(4) Categories of data affected by data management: The Data Manager does not manage the data published on the social site by visitors or persons sharing its content. The purpose of the social presence is to share and promote content related to the Data Manager’s products and services on the social site and to maintain contact with followers in the above subject area. The data manager manages the names of the followers and does not manage other data published by the followers on the social media site; the provisions of the data management regulations of the social media site apply to them.
(5) Categories of recipients of the data: Employee managing the Data Controller’s social page based on their job title, Manager of the Data Controller.
(6) Duration of data management: until the consent of the data subject is withdrawn.
IX. DATA MANAGEMENT ACTIVITY RELATED TO CONTRACT PERFORMANCE
(1) The Data Controller manages the personal data of natural persons who contract with it – customers, buyers, suppliers – in connection with the contractual legal relationship. The data subject must be informed about the handling of personal data.
(2) Scope of stakeholders: all natural persons who establish a contractual relationship with the Data Controller, contacts of legal entities with a contractual relationship with the Data Controller.
(3) The legal basis of data management is the performance of a contract, the purpose of data management is to maintain contact, assert claims arising from the contract, and ensure compliance with contractual obligations.
(4) Recipients of personal data: the head of the Data Controller, the Data Controller’s employees and data processors performing customer service and bookkeeping tasks based on their duties.
(5) Scope of processed personal data:
– natural person customer name
– residential address of a natural person customer
– telephone number of a natural person customer
– e-mail address of a natural person customer
– bank account number of a natural person customer
– business card number
– primary producer ID number
– the name of the business organization’s customer contact person
– e-mail address of the business organization’s customer contact person
– the telephone number of the business organization’s customer contact person
(6) Duration of data management: 5 years from the termination of the contract.
X. DATA SECURITY PROVISIONS
(1) The data controller may only process personal data in accordance with the activities set out in these regulations and according to the purpose of data management.
(2) The data controller ensures the security of the data, and in this context undertakes to take all the technical and organizational measures that are absolutely necessary for the enforcement of the data security laws, data and privacy protection rules, and to establish the procedural rules necessary for the enforcement of the laws defined above.
(3) The data controller protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.
(4) The technical and organizational measures to be implemented by the Data Controller for the sake of data security are laid down in the data protection regulations of the Data Controller.
(5) When defining and applying measures for data security, the data controller takes into account the state of the art at all times, and in the case of several possible data management solutions, chooses a solution that ensures a higher level of protection of personal data, unless it would represent a disproportionate difficulty.
XI. RULES RELATED TO DATA PROCESSING
(1) The rights and obligations of the data processor related to the processing of personal data are determined by the law and the data controller within the framework of separate laws on data management.
(2) The data controller declares that he does not have the competence to make a substantive decision regarding data management during his data processing activities, that he may only process the personal data he comes to know in accordance with the provisions of the data controller, that he may not perform data processing for his own purposes, and that he is obliged to store and preserve the personal data in accordance with the provisions of the data controller.
(3) The Data Controller is responsible for the legality of the instructions given to the data processor regarding data management operations.
(4) The obligation of the data controller is to provide the data subjects with information about the person of the data processor and the place of data processing.
(5) The Data Controller authorizes the data processor to use additional data processors:
– does not give.
(6) The contract for data processing must be in writing. Data processing cannot be entrusted to organizations that are interested in business activities that use the personal data to be processed.
NOTICE: The company’s complete Data Protection Policy in Hungarian can be found on the following site: https://brilliantwater.eu/en/jogi-dokumentumok/ The Data Protection Policy was originally written in Hungarian, in case of possible translation differences, the original Hungarian policy is .