Privacy Policy

About processing the data of the contractual Partners of EB-Csoport Zrt and all its subsidiaries

This Policy summarises the rights of the representatives and contact persons of the business partners of EB-Csoport Zrt and all its subsidiaries (hereinafter: Data Controller) as data subjects, and the conditions binding on the Data Controller. Thus, the Data Controller hereby provides information on the principles and practices followed in the processing of the personal data of the Data Subjects connected to the contractual Partners, as well as on the data processing related rights of the Data Subjects and the manner and possibilities of exercising them.

The Data Controller recognises the contents of this legal notice on data processing as binding on it for the protection of the privacy of natural persons.

The Data Controller pays close attention to the processing and storage of the personal data obtained by it in connection with its business activities in accordance with the provisions of the applicable laws, including the following in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and the free flow of such data, as well as on the repeal of Regulation 95/46/EC (General Data Protection Regulation) ("GDPR");
  • Act CXII of 2011 on the Right to Informational Self-determination and the Freedom of Information;
  • Act V of 2013 on the Civil Code.

1. DATA AND CONTACT DETAILS OF THE DATA CONTROLLER

Name: EB-Csoport Zrt.
Registered seat: 2040 Budaörs, Sóvirág utca 2.
Postal Address: 1115 Budapest, Bartók Béla út 105-113. 4. ép. 2. em.
Company registry number: 13 10 042407
Tax Number: 32144374-4-13, Group tax identification number: 17781956-5-13
Represented by: Tamás Csonka, Managing Director

Hereinafter: “Data Controller”.

2. DEFINITIONS

  1. „Data Subject or Partner”: any natural person identified or – directly or indirectly – identifiable on the basis of specific personal data. In relation to this Policy, the data subject concerned with the personal data transferred to the Data Controller during the establishment and for the maintenance of business relations; and natural persons acting on behalf of legal entities entering into a contractual relationship with the Data Controller or such private individuals;
  2. „Personal Data”: any information relating to an identified or identifiable natural person; identifiable is a natural person who can be identified directly or indirectly especially on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
  3. „Data Controller”: a natural person or legal entity, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data processing are determined by the EU or a member state law, the data controller or the special aspects regarding the designation of the data controller may also be defined by the EU or member state law;
  4. „Data Processing”: operation or aggregate of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, systematisation, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise making accessible, harmonisation or connection, limitation, deletion or destruction;
  5. „Consent of the Data Subject”: a voluntary, concrete and clear declaration of the will of the data subject based on adequate information, by which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he consents to the processing of the personal data relating to him;
  6. „Recipient”: the natural person or legal entity, public authority, agency or any other body to which the personal data is communicated, regardless of whether it is a third party;
  7. „Personal Data Breach”: a breach of security that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, the personal data transmitted, stored or otherwise processed.

3. DATA PROCESSING ACTIVITY

The Data Subject/Partner gives his consent in respect of each data processing by voluntarily handing over the personal data to the Data Controller (on a business card, via e-mail, in the header of contracts or otherwise). Legal relationships are typically based on commission, business type and other civil law contracts.

The Data Controller makes this Policy available to the Data Subject. The Partner thereby becomes acquainted with this Policy and accepts the provisions contained therein as binding on him and gives his informed and definite consent to the processing by the Data Controller of the personal data voluntarily provided to him for the purposes specified in this Policy within the framework of the GDPR and this Policy.

3.1. Data processing during the establishment of partnership relations

Scope of the processed data: name of the representative of the partner company, name of the contact person, e-mail address, phone number, title, job position.

Legal basis for the processing: voluntary consent by the data subject Partner on the basis of Article 6 (1), point a) of the GDPR. The data subject Partner gives his consent to the processing of his personal data by voluntarily handing over his contact details to the Data Controller.

The purpose of data processing: to continue communication during the offer phase in order to facilitate the process of entering into business or other cooperation; contract preparation.

The duration of data processing and the deadline for data deletion: it will last until the concerned Partner’s request for deletion. In the absence of a request for deletion, the Data Controller will delete the personal data of the natural contact person 5 years after the last contact with the contact person of the potential Partner.

3.2. Data processing for the purpose of possible claim enforcement during and after the contractual relationship

Possible range of processed data: name of company representative, name of contact person, e-mail address, telephone number, job position, title; in case of an individual entrepreneur, registration number, tax number, card number.

Legal basis for the processing: data processing is necessary for the performance of a contract on the basis of Article 6 (1) point b) and/or point f) of the GDPR.

The purpose of processing: maintaining the contact necessary for the performance of the contract, achievement of the service goal, performance of the contract; issuance of a correct invoice; enforcement of claims.

The duration of processing and the deadline for data deletion: we will keep the data until the end of the contractual legal relationship or until the end of the time available to enforce claims arising from it. If requested by any concerned Partner, based on the statement of consent of the Data Subject, the Data Controller may process the personal data of the Data Subject also after the above deadline, until the Partner’s statement is revoked.

3.3. Data processing related to the maintenance of partnership relations

Scope of the processed data: name of contact person, e-mail address, telephone number, position.

Legal basis for the processing: voluntary consent of the concerned Partner based on Article 6 (1) point a) of the GDPR.

The purpose of processing: to maintain the business relations after the end of the contractual relationship.

The duration of data processing and the deadline for data deletion: it will last until the concerned Partner’s request for deletion. In the absence of a deletion request, the Data Controller will delete the personal data of the natural contact person, with the exception of the data necessary to fulfil accounting obligations, after 1 year from the last contact with the contact person of the Partner.

3.4. Data processing related to the fulfilment of tax and accounting obligations

Possible range of processed data: name, address, tax status, tax identification number, person ordering the economic operation, signature of the payment allocator and the person certifying the execution of the order, signature of the recipient and the payer, and registration number, tax number and card number of the individual entrepreneur.

Legal basis for the processing: fulfilment of the legal obligations under Article 6 (1) point c) of the GDPR (Sections 169 and 202 of Act CXXVII of 2017, Section 167 of Act C of 2000, Section 47 of Act XCII of 2003).

The purpose of processing: data processing related to the payment of commission fees and other fees, fulfilment of tax and accounting obligations.

The duration of data processing and the deadline for data deletion: 8 years after the end of the legal relationship constituting the legal basis.

4. RIGHTS OF THE DATA SUBJECTS, AND ENFORCEMENT OF THEIR INFORMATIONAL SELF-DETERMINATION RIGHTS

4.1. Provision of information and access to personal data

The Data Subject has the right to know his personal data stored by the Data Controller and the information related to their processing, to ask for them at any time and to check what data the Data Controller has about him, and has a right of access to the personal data.

The Data Subject shall submit his request for access to the data to the Data Controller in writing, and the Data Controller shall provide the requested data in writing (electronically or in a letter sent by post).

After receiving the information, if the Data Subject does not agree with the processing or the correctness of the processed data, he may ask for the correction, addition, deletion or limitation of the processing of his personal data, may object to the processing of such personal data, or may initiate the procedure specified in point 5 below.

4.2. Right to the correction and supplementation of the processed personal data

At the request of the Data Subject, the Data Controller shall correct without undue delay any inaccurate personal data indicated in writing by the Data Subject, and supplement any incomplete data with the content indicated by the Data Subject. The Data Controller shall inform all the recipients to whom the personal data has been communicated about the correction or addition, unless this proves to be impossible or requires a disproportionately great effort. The Data Controller shall inform the Data Subject about the details of these recipients if he requests this in writing.

4.3. Right to the limitation of data processing

The Data Subject, in case of his written request, has the right to the limitation of processing by the Data Controller if

  • the Data Subject disputes the accuracy of the personal data, and in this case the limitation applies to the period allowing the Data Controller to check the accuracy of the personal data,
  • the processing is unlawful and the Data Subject opposes the deletion of the data and asks for the limitation of their use instead,
  • the Data Controller no longer needs the personal data for processing purposes but the Data Subject requires them for the submission, enforcement or defence of legal claims,
  • the Data Subject objects to the data processing; in this case, the limitation applies for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the Data Subject.

4.4. Right to deletion

At the request of the Data Subject, the Data Controller shall delete without undue delay the personal data relating to the Data Subject if one of the following reasons applies: i) the personal data are no longer needed for the purpose for which the Data Controller collected them or otherwise processed them; ii) the Data Subject withdraws the consent constituting the basis of processing and the processing has no other legal basis; iii) the Data Subject objects to the processing for reasons related to his own situation, and there is no lawful reason for the processing, iv) the Data Controller processes the personal data unlawfully.

The Data Subject may not exercise his right to deletion or oblivion if the processing is necessary i) for exercising the right to freedom of expression and information; ii) on the basis of public interest concerning public health; iii) for archiving in the public interest, for scientific and historical research or for statistical purposes if the exercise of the right to deletion would prevent or seriously jeopardise this processing; or iv) for the submission, enforcement or defence of legal claims.

4.5. Right to data portability

This right is limited to the data provided by the Data Subject, and there is no possibility for the portability of any other data. With respect to the personal data about him contained in the Data Processing system, the Data Subject:

  • shall receive them in a segmented, widely used, machine-readable format,
  • may transfer them to another data processor,
  • may ask for their direct transmission to another data controller, if this is technically feasible in the system of the Data Controller.

If the Data Subject exercises his right to data portability, he will do so without prejudice to his other rights. The Data Controller shall fulfil the request for data portability only on the basis of a request sent by e-mail or post. For the fulfilment of the request, the Data Controller shall make sure that it is really the entitled Data Subject who wishes to exercise this right. For this, the request of the Data Subject shall include the personal data that are suitable for the Data Controller to identify the applicant by making a comparison to the data contained in its system.

Exercising this right shall not automatically result in the deletion of the data from the system of the Data Controller, therefore the data of the Data Subject will be stored in the system for the data processing duration defined above, unless the Data Subject withdraws his consent or asks for the deletion of his data.

4.6. Objection to the processing of personal data

The Data Subject may at any time object to the processing of his personal data based on legitimate interests for reasons related to his own situation. An exception to the right to object is if the Data Controller proves that the processing is justified by such legitimate interests on his part that take precedence over the interests, rights and freedoms of the Data Subject, or that are related to the submission, enforcement or defence of legal claims.

4.7. Deadline to fulfil the request

The Data Controller shall inform the Data Subject about the measures taken in response to any request under points 4.1-4.6 without undue delay, but in any case within one month from the receipt of the request. If the Data Subject submitted the request electronically, the Data Controller will provide the information electronically unless otherwise requested by the Data Subject.

5. ENFORCEMENT OPTIONS

The Data Subject can exercise his rights by sending a request by e-mail or post to the contact details specified in point 1.

The Data Subject cannot enforce its rights if the Data Controller proves that it is not in a position to identify the Data Subject. If the Data Controller has doubts about the identity of the natural person submitting the request, it may ask for the provision of additional information necessary to confirm the identity of the applicant.

Based on the GDPR and the Hungarian Civil Code (Act V of 2013), the Data Subject

  1. can enforce its rights before a court, or
  2. can turn to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; Tel.: 36-1-391-1400, e-mail: ugyfelszolgalat@naih.hu, www.naih.hu).

6. PERSONAL DATA BREACH MANAGEMENT

A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to the personal data transmitted, stored or otherwise processed. The Data Controller keeps a register for the purpose of checking the measures related to the personal data breach, for informing the supervisory authority, and for informing the Data Subject, which includes the personal data affected by the breach, the range and number of the affected parties, the date, circumstances and effects of the breach, and the measures taken to eliminate it. If the Data Controller deems that a specific breach poses a high risk to the rights and freedoms of the data subjects, it shall inform the Data Subject and the data protection supervisory authority (NAIH) about the personal data breach.

7. DATA SECURITY

The Data Controller commits itself to ensuring the security of the data, to taking the technical measures ensuring that the recorded, stored and processed data are protected, and to doing its best to prevent their destruction, unauthorized use and unauthorized alteration.

8. OTHER PROVISIONS

The Data Controller reserves the right to unilaterally amend this Privacy Policy, especially but not exclusively in the event of a change in the law.