Date of publication: 2018. 05. 20.
The objective of this policy („Policy”) is to establish the principles and policy of the data protection and processing carried out by SOL-LIGHT Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered seat: 1077 Budapest, Wesselényi utca 6.; company registration number: 01-09-886027; „the Company”), the owner and operator of the website www.solinfo.hu („Website”) and SOL – HOME Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered seat: 1077 Budapest, Wesselényi utca 6.; company registration number: 01-09-874137), the co-operator of the Website (hereinafter referred to as „Companies”). The Companies express their commitment to be bound by this Policy.
This Policy sets out the principles of the processing of the personal data provided by the users of the Website and provides information for the data subjects on the processing of their personal data.
When establishing the provisions of the Policy, the Companies paid particular attention to the provisions of Regulation 2016/679 of the European Parliament and of the Council („GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information („Data Protection Act”), Act V of 2013 on the Civil Code („Civil Code”) and Act XLVIII of 2008 on the on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities („Commercial Advertising Act”).
- The data controller
The Companies process your personal data and, as data controllers, are liable for their lawful processing.
You can contact us using the contact details provided below:
Name of the company: SOL-LIGHT Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Postal address: 1077 Budapest, Wesselényi utca 6.
Company register no.: 01-09-886027
E-mail address: firstname.lastname@example.org
Name of the company: SOL – HOME Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Postal address: 1077 Budapest, Wesselényi utca 6.
Company register no.: 01-09-874137
E-mail address: email@example.com
- Brief introduction of the processing
In order to provide newsletter services, the Companies collect your personal data. The recording of personal data is carried out electronically, by the user filling out the dedicated panels and by clicking on the button confirming the subscription.
Depending on their functionality, our cookies may take the following forms:
- session cookies are necessary for browsing on the Website and for using its functions; among others, they restore the operations carried out on a website, or while using a certain function or a service. The undisturbed use of the Website cannot be guaranteed in the absence of session cookies;
- functionality cookies allow the Website to restore the operation mode you choose. This is in order to ensure that you do not have to restate your preferences on the next visit;
- the purpose of using advertising and targeting cookies is to select the ads holding the greatest interest or seeming important for our visitors and to display these ads on our Website;
- by using performance cookies we collect information on how our visitors use the Website (e.g. which and how many sites were visited, on which part of the Website the visitor clicked, how long the sessions were, what kind of error message the visitor received, etc.) This is to ensure that we develop the Website (the available services, functions, etc.) in accordance with the demands of our visitors, so that we are able to provide a high quality, user-friendly experience.
The Website uses the Google Analytics webanalytic services. Google Analytics uses performance cookies in order to help analyzing the use of the website.
- What kind of personal data we record
We collect the following data during the subscription to the newsletter:
- name (for your identification);
- e-mail address (for delivering the newsletter).
The above data qualify, under both the GDPR and the Data Protection Act, as personal data.
A software analyzing website hits runs on the Website and receives the following automatically generated data of our visitors:
- IP address of the visitor;
- date of the visit;
- data of the visited sites;
- type of browser used;
- preferences of the visitor.
The Website records these data. According to the provisions of the GDPR, the IP-address of the visitor qualifies as personal data.
- For what purpose we collect your personal data
Regarding the provision of our newsletter services, the purpose of processing your personal data is to provide periodic information on promotions currently available at the Companies and to provide relevant information from the customers’ perspective.
- to facilitate the customization of the ads and the services rendered by the visitors of the Website, to use its comfort functions;
- to prepare statistics, analyses regarding the number of visitors of the Website and the preferences of the visitors.
The provider of Google Analytics uses the above information to analyse your and other data subjects’ use of the Website, for compiling reports in connection with the activities carried out on the Website and for the provision of other services in connection with internet usage.
- The legal basis of the processing
- Term of the processing
The Companies process your personal data for the purpose of delivering marketing newsletters until you unsubscribe from the newsletter or otherwise request your personal data to be erased or restricted, or until you object to the processing.
Session cookies are deleted automatically by closing the browser. In the case of other type of cookies the Companies process your personal data until achieving the goal intended by the usage of the certain type of cookies.
- Data security measures
The Companies record the personal data collected during the subscription to the newsletter in the MailChimp newsletter sender and database manager service (provided by Rocket Science Group, LLC), through which service the Companies send you the newsletter.
Within the organization of the Companies only employees participating in the promotion and marketing activities of the Companies have access to your personal data. The Companies keep personal data confidential; we do not make them public or grant access to third parties with the exception of the data transmitted to Rocket Science Group, LLC or to employees not participating in the promotion and marketing activities of the Companies.
We restore personal data on a server only accessible to certain individuals and in a password-protected database, both of which are protected by state-of-the-art firewalls and antivirus software. The database is only accessible by authorized employees and the password enabling access is customized, personal.
- Data processors
- IT-related activities regarding the website
SOL-LIGHT Kft., as the owner of the Website contracted Artitect Korlátolt Felelősségű Társaság (adress: 1084 Budapest, József utca 3. 3. em. 24.) for the provision of IT-related services in connection with the Website, namely the maintenance and development of the website and other related services.
The Companies carry out their newsletter-related marketing activities through the MailChimp newsletter sender and database manager service, provided by Rocket Science Group, LLC (675 Ponce de Leon Ave NE, Suite 5000; Atlanta, GA 30308 USA). The personal data recorded in MailChimp are transmitted to and stored on the servers of Rocket Science Group, LLC, located in the USA. Accordingly, the Companies explicitly draw your attention to the fact that using the MailChimp services entails the transmission of your personal data to a third country (USA) as per the GDPR.
Rocket Science Group, LLC operates the MailChimp newsletter sender services during the whole term of the processing, and it does not process data on its own behalf. Accordingly, Rocket Science Group, LLC qualifies as a data processor.
Rocket Science Group, LLC not only participates in the Privacy Shield framework regulating the transatlantic commerce of personal data, but also certified it compliance for this purpose (date of certification: 21/11/2016). Consistently, the Companies declare that Rocket Science Group, LLC, as a data processor, possesses the adequate and appropriate guarantees for the processing of your personal data.
The Companies carry out the analyzation of the website hits through Google Analytics, a service provided by Google LLC (Google Privacy Center: 1600 Amphitheatre Pkwy, Mountain View, California 94043). The cookie-generated information relating to the user statistics of the Website (the IP-address of the visitor) is transmitted to and stored by the servers of Google LLC, located in the USA. Accordingly, the Companies explicitly draw your attention to the fact that using the Google Analytics services entails the transmission of your personal data to a third country (USA) as per the GDPR. Google LLC qualifies as a data processor, given that it does not process data on its own behalf.
Googe LLC not only participates in the Privacy Shield framework regulating the transatlantic commerce of personal data, but also certified its compliance for this purpose (date of certification: 25/09/2017). Consistently, the Companies declare that Google LLC, as a data processor, possesses the adequate and appropriate guarantees for the processing of your personal data.
- Your rights and your right to remedies
- Your right as a data subject in connection with the processing of your personal data
- Right to information and access to personal data
You are entitled to obtain from the Companies confirmation as to whether personal data concerning you are being processed, and, where that is the case, to access to the personal data and the following information:
- the purposes of processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed (in particular the data processors);
- the envisaged period for which the personal data will be restored;
- your rights in relation to the processing of your personal data;
- where the personal data was not collected from you, any available information as to their source;
- information regarding automated decision-making.
Under the applicable legislation we provide the information on the processing of your personal data free of charge. We respond to your request in writing within a month. However, if such request is manifestly unfounded or excessive, in particular because of its repetitive character, the Companies may either, taking into account the administrative costs of providing the information or communication or taking the action requested:
- charge a reasonable fee; or
- refuse to act on the request.
If, after paying the fee, it turns out that the processing was unlawful, or upon your request we are obliged to correct your data, we will reimburse you the fees already charged.
If, despite our best efforts to protect your personal data, someone unlawfully gains access to, changes, transmits, publishes, erases, destroys or causes unintended erasure or injury to your personal data or otherwise processes them unlawfully, we, upon your request, will inform you about the conditions of such incident, including the date, the possible effects and our measures to prevent or to mitigate the consequences.
- Right to rectification
If the data we process are not correct, we will rectify them upon your request without undue delay. You are also entitled have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure
The Companies erase your personal data without delay, if:
- the personal data are no longer necessary in relation to the purpose of sending the marketing newsletter;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation concerning the Companies;
- the person exercising parental authority over a children under 16 has not consented to the processing;
- where the Companies has made the personal data public.
You are also entitled to request the erasure of your personal data by withdrawing the consent you previously gave to us. However, in such case we may refuse to further provide you certain services and/or certain services will not be available to you hereinafter.
Instead of erasing, we block your personal data if you request so, or it can be assumed that erasure would have an impact on your legitimate interests. We do not process blocked data for the above purposes. We only process blocked data for the purpose that excluded the possibility of erasure.
- Right to restriction of processing
Data processing may be restricted if:
- you contest the accuracy of the personal data, for a period enabling the Companies to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead;
- the Companies no longer need your personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
- you have objected to processing, pending the verification whether the legitimate grounds of the Company override yours.
For the duration of the evaluation of your objection, but not more than for 5 days the Companies suspend the processing, assess the merits of your objection and make a decision, about which the Companies inform you without delay.
If the objection is justified, the Companies restrict your data, i.e. only restoring as a means of processing can be carried out as long as
- you consent to the processing;
- your data is necessary for enforcing your legal claims;
- processing becomes necessary in order to the defend the rights of a natural or a legal person; or
- processing is ordered by law in the public interest.
If you requested your personal data to be restricted, the Companies will notify you prior to the lifting of the restriction.
- What happens and what can you do if we reject your request?
If the Companies reject your request for the correction, restriction of erasure of your personal data, within 1 month of receiving your request we will inform you in writing why we could not comply with your request and we will inform you about your possibilities of judicial remedy and that you may submit a notice to the Nemzeti Adatvédelmi és Információszabadság Hatóság (the National Authority for Data Protection and Freedom of Information). If you agree, we will send our reply via e-mail.
- What are your rights if you think the data processing is unlawful?
If you have some concerns regarding the lawfulness of the data processing, you have the right to object to it. Your objection should include a request for us to stop processing your data and to erase them.
If you object to the processing of your data, the Companies will examine the reasons of your objection within one month and will make a decision, regarding which the Companies notify you in writing.
If we find your objection to be valid, we stop every data processing operation, block the data concerned and inform about the objection and the following measures taken everyone to whom we transmitted the personal data concerned by the objection. These recipients should also take the necessary actions for your objection to prevail. If you disagree with our decision or if the Companies fail to comply with the abovementioned one month deadline, you may turn to the courts within 30 days either from the notification on the decision or from the last day of the deadline.
- What are the legal remedies available to you?
If you find that during the processing of your data our Companies breach the provisions of the GDPR, it is your right as a data subject to lodge a complaint before a supervisory authority (i.e. before any public authority set up by any of the EU member states in accordance with section 51 of the GDPR), in particular in the member state of your habitual residence, place of work or place of the alleged infringement. In Hungary the supervisory authority set up in accordance with section 51 of the GDPR is the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information; “NAIH” or “the Authority”).
In accordance with the GDPR, a supervisory authority concerned means a supervisory authority which is concerned by the processing of personal data because:
- the controller or processor is established on the territory of the Member State of that supervisory authority;
- data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
- a complaint has been lodged with that supervisory authority.
In connection with the data processing carried out by the Companies, under points a) and b) mentioned above, the supervisory authority concerned is NAIH, given that the Companies are established in Hungary and the data subjects affected by the processing are predominantly residing in Hungary. Accordingly, in the sections below we inform you about complaint procedure of NAIH. However, please note that given the reasons mentioned above, you nevertheless have the right to lodge a complaint before any supervisory authority set up by one of the EU member states, not just before the Authority.
- Notification to the Hungarian National Authority for Data Protection and Freedom of Information
Compliance with data protection legislation is supervised by the Hungarian National Authority for Data Protection and Freedom of Information. If you find that our data processing does not comply with the applicable law, or there is an imminent danger of non-compliance, you can lodge a complaint before the Authority through the following contacts:
Name of the authority: Nemzeti Adatvédelmi és Információszabadság Hatóság
Postal address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
E-mail address: firstname.lastname@example.org
Phone number: +36 1 391 1400
Fax number: +36 1 391 1410
For further information regarding data protection go to the website of the Authority: http://naih.hu/
Please note that in the case of a personal data breach (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed), the Companies shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Authority. If the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Companies shall communicate the personal data breach to you as a data subject without undue delay.
- Judicial proceedings for pursuing claims
If you find that your right to privacy has been infringed by us, or our decision regarding your objection was incorrect or we did not reply to your objection, you have the right to turn to the courts. You may also decide to initiate the proceeding before the tribunal of your domicile or habitual residence.
Furthermore, in accordance with conditions laid down by law, if our unlawful data processing or breach of security requirements caused damages to you, you may enforce your claim for compensation against the Companies before courts. In addition, if we violated your rights relating to personality, you shall be entitled to restitution, which is also enforceable before courts.
In this respect, we are responsible for our data processors.