2. Definitions of terms based on the terms used by GDPR
Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. For example, Magyar Posta Zrt. (Hungarian Post) is the data processor when we deliver your order using their services.
Consent of each data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For example: e-mail address, phone number, address or photographs and video images of people are considered personal data.
Data subject is every identified or identifiable natural person whose personal data is processed by a controller.
A person becomes a data subject when personal data is being collected, held, or processed to maintain contractual relations (contact person), when applying for a job (applicant) etc.
3. Legal basis of the processing
When personal data is being processed, our Company complies with the following laws and regulations:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information
- Act V of 2013 on the Civil Code
- Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity
- Act C of 2000 on accounting
- Act CVIII of 2001 on certain issues of electronic commerce activities and information society services
- Act XXXIV of 2019 on the amendments necessary for the implementation of the European Union reform on data protection
4. Principles of Data Processing
The processing of personal data is always in line with Article 5 of the General Data Protection Regulation (GDPR).
When processing personal data our Company follows the following principles:
a) Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
b) We collect personal data exclusively for specified, clear and lawful purposes, and we do not process them in any manner that is incompatible with the purposes.
c) The data we collect and process are relevant and compatible with the purpose of data collection and limited to the minimum necessary to accomplish the intended purpose.
d) Our Company takes every reasonable measure to ensure that the data we process are correct and up-to-date, and we immediately erase or correct any incorrect personal data as explicitly requested by you or as we are officially informed.
e) Personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
f) Using appropriate technical and organizational measures, we can ensure appropriate security of the personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
5. Data controller
Granit Csiszolószerszám Kft
1194 Budapest, Fadrusz utca 2.
Katona Balázs, Reszegi Judit
Data Protection Officer:
Sterlné Lukács Erika
E-mail address of Data Protection Officer: email@example.com
6. Data processing
a) Mutual provisions
GDPR serves as the legal basis for our company's processing operations (especially: personal data transmitted on a voluntary basis, concluding a contract, or if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data). Each data subject whose personal data is being processed based on his or her consent shall have the right at any time to withdraw consent to the processing of personal data. Where the legal basis for the processing is GDPR Article 6 (1)(b) (processing operations necessary to perform a contract) and the personal data are not provided, our company will not be able to enter into the contract with you.
The personal data we process are primarily obtained from the data subject. We clearly indicate where the personal data are not collected from the data subject.
Right of access
The purpose of data processing
Ordinary Course of Business Activities
- information and counselling
- delivery of catalogues and leaflets
- e-mail contact (in case of enquiries)
- keeping in touch with contractual partners
- handling business cards
- mailing, filing
- inquiry, order, invoicing
- balance statements, payment reminders, or enforce other claims
- quality complaints
Grounds for processing
- consent given by the data subject [GDPR Article 6 (1)(a)]
- legitimate interest of the Company and the Contractual partner [GDPR Article 6 (1)(f)]
- performing contract [GDPR Article 6 (1)(b)]
- compliance with a legal obligation [GDPR Article 6 (1)(c)]
Type of information we collect:
- name, email address, phone number, address
- contact person
- VAT number, bank account number
The period for which personal data will be stored
- Section 169 of Act C of 2000 (accounting documents and the related purchase orders, contracts)
- Act V of 2013 6:22 (statute of limitations)
- Section 56-58 Act XXXIV of 2019 (26)
- If the duration of data processing is not determined by legislation: until the data subject withdraws consent
- Magyar Posta Zrt (Hungarian Post)
- Trevol Group Kft
7. Job application
Job applications can be submitted via our Company website http://www.granitabrasive.hu/main.php?Lang=EN, through recruiting websites and HR companies, and on the basis of employee recommendations. Please do not provide personal data which is not necessary to apply for a position.
The purpose of data processing
: Applying for a specific position, participating in the recruitment process
Ground for processing
: consent given by the data subject [GDPR Article 6 (1)(a)]
Type of information we collect
: name, address, place of residence, phone number, e-mail address, place of birth, date of birth, a photograph of yourself, motivation letter, curriculum vitae and the personal data provided in your CV.
The period for which personal data will be stored
: In case of applying for a specific position until the end of the recruitment process.
The Company preserves the rejected applications only if the consent of the applicant is given specifically, voluntarily and with unambiguous indication. The Company shall request the consent of the applicant after the recruitment process has been closed.
The application of the selected applicants will be stored in the employee personnel file.
: Recruiting websites
A cookie is a small file that is stored locally on your computer when you visit a website. Most of the frequently used Internet browsers are set to automatically accept and enable the setting of cookies. The data subject can prevent the setting of cookies; furthermore, cookies that have already been set can be deleted at any time.
Certain essential cookies do not require prior consent from the Data subject. The Company website provides information about these cookies prior to the first visit.
These are authentication cookies, user interface customization cookies and user-centric security cookies.
Certain cookies require user consent. When data processing starts with a visit to our website, the Company provides information and asks for consent to use these cookies.
Our Company does not use or allow cookies that enable data collection for third parties.
The data subject may prevent the setting of cookies by our website. However, the Company is not responsible if some functions of our website are not entirely usable because you reject certain cookies.
Our online services mostly use “session cookies”, which are deleted automatically after you close your browser. Occasionally “persistent cookies” are used. These cookies do not expire when you close your browser. Persistent cookies stay on your computer until they expire or are deleted manually. Persistent cookies make it possible to identify your browser on future visits (personal account; after refreshing the page you can still see your own profile).
Browser settings may allow you to adjust settings to accept or reject cookies, to alert you when a cookie is placed on your computer, to clear browser cookies automatically when you close or exit. If you deactivate the setting of cookies in the Internet browser used, not all functions of our website may be entirely usable.
9. Disclosure of personal data
Depending on the required services (e.g.: call back, delivery of order, service request, information request), personal data can be transferred to a third-party service provider to support your request (e.g.: delivery agent, post, etc.). Beyond the above, personal data may be requested to enforce the conditions of other agreements or legal matters.
a) Complying with laws and legal obligations
The Company may transfer your personal data for the following purposes:
- to comply with the law, legislation and instructions of public authorities, or to fulfil and enforce binding provisions
- to detect and prevent security threats, fraud or violations of law
- to protect/enforce the rights or property of the Data Controllers or third parties
- to protect the rights and personal safety of the Company employees and the employees of a third party.
10. Data transfer to third parties
The Company might use third party service providers to fulfill orders (e.g.: transporting agents). These third parties are required to use the personal information our Company collected and processed only to perform services on our behalf.
Inspections by public authorities (e.g.: NTCA) and audits may require the Company to provide documents and information which may involve personal data to the respective authorities or the auditor. The Company may transfer personal data to a third-party law firm to enforce its legitimate interest (e.g.: letter of formal notice, legal proceedings).
11. Rights of the data subject
Right to prior information
The Data Subject shall have the right to be informed of the facts and information relating to the data processing prior to the commencement of the processing.
(Articles 13 to 14 of the Regulation)
Right of access
The data subject has the right to receive feedback from the Data Controller on whether his / her personal data is being processed and, if such data processing is in progress, he / she has the right to access personal data and related information specified in the Regulation. (Article 15 of the Regulation).
Right to rectification
Each data subject whose personal data is being processed shall have the right at any time without undue delay to the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the data subject shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Article 16 of the Regulation).
Right to erasure (right to be forgotten)
Each data subject shall have the right to demand the erasure of personal data concerning him or her from the Data Controller without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay where any of the grounds specified in the Regulation exist. (Article 17 of the Regulation).
Right of restriction of processing
Each data subject shall have the right to demand the restriction of processing if the conditions specified in the Regulation exist. (Article 18 of the Regulation).
Right to data portability
Based on the conditions specified in the Regulation, each data subject whose personal data is being processed shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. The data subject shall also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. (Article 20 of the Regulation).
Right to object
Each data subject whose personal data is being processed shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her pursuant to Regulation Article 6 (1) (e) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party). (Article 21 of the Regulation).
If the data subject wants to exercise this right, he/she can contact the Company in this regard at any time at firstname.lastname@example.org
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it. (Article 19 of the Regulation).
The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. Where the request is made in electronic form, the Company shall have the right to require further information to verify the identity of the person concerned.
The Data subject has the right to approach the Company with requests or file a complaint with the court or the competent data protection authority (National Authority for Data Protection and Freedom of Information) if his/her rights are violated. Contact details of National Authority for Data Protection and Freedom of Information: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; phone number: +36 1391 1400; fax: +36 1391 1410; e-mail: email@example.com; web: naih.hu.
12. Data protection provisions
a) Concerning all data processing activities under each purpose and legal grounds, the Company shall take the technical and organizational measures and establish the rules of procedure necessary for the enforcement of the Regulation and the Infotv.
b) The Data Controller shall take appropriate measures to protect the data against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure, or unauthorized access.
c) The Company qualifies and handles personal data as confidential information. Employees are bound by the obligation of confidentiality in connection with the processing of personal data. The Company restricts access to personal data by specifying authorization levels to ensure that access is granted only to those employees who need it to carry out their tasks. The Financial manager is responsible for establishing the authorization system.
d) The Company applies firewalls and antivirus protection to protect IT systems. All software the Company uses to perform electronic data processing and data controlling operates on servers located at its headquarters and complies with the requirements of data security.
e) The documents in progress and being processed are accessible only to authorized employees. The Company stores the archived data in a closed place at its registered office.
f) Restoration of archived databases is subject to permission of the managing director.
When restoring a database, the Company must specify:
- the purpose of re-using the archive database,
- the users who shall have access to the archive database,
- the duration and environment in which the archive data shall be used.
g) After the archived data has been restored to the live system, any rectification or erasure of data required by the data subject or by regulations shall be repeated based on the documentation of such rectifications and erasures.
Budapest, 13. May 2020