Aim of Information on Data Processing, Introduction
The A Peerformance Business & Talent Korlátolt Felelősségű Társaság (registered seat: 1031 Budapest, Nánási út 5-7. building A.; company registry number: 01 09 327074; tax identification number: 26377805-2-41), as the Controller, abides by the following document and undertakes the legal obligations arising out of it. The company states and warrants that all of its activities concerning data processing are in compliance with all and any requirements enshrined in this document, the relevant national regulations and the legal acts of the European Union.
The directives on data protection related to the service provider’s data processing are available here: https://peerformance.com/en/privacy-policy.
The service provider reserves the right to modify this information document any time, however, it will notify its subjects of the changes in due time.
The service provider is committed to protect the personal data of his or her customers and partners and finds imperative to respect the informational self-determination right of these customers. The service provider handles personal data as confidental and takes every security, technical and organisational measure that can guarantee data protection. Please, find the data processing principles of the service provider below.
Data of the Controller
Should you wish to contact the service provider, please, use the following forums:
Phone number: +36 1 336 1027
Email address: info@peerformance.hu
Purpose, means and legal basis of data processing
Data processing of the service provider is normally based on voluntary consent and statutory authorization. In case of voluntary consent, the subjects have the right to withdraw their consent at any stage of data processing.
There are cases when processing, storage and transmission of specified types of data are obligatory on the strength of law and we send a special information letter about it to our customers.
We draw the attention of our data providers that it is the obligation of the data provider to obtain the consent of a third person in the event they provide data of this third person.
The principles of data processing comply with the relevant legislation on data protection, including but not limited to the followings:
- Act CXII of 2011 – on the right of informational self-determination and on freedom of information (Infolaw),
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – on the protection of rights of natural persons with regard to personal data handling and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation, GDPR),
- Act V of 2013 – from the Hungarian Civil Code
- Act C of 2000 – on accounting (Accountancy Act)
- Act LIII of 2017 – on prevention and obstruction of money laundering and terrorism financing
Definitions
„personal data”: means any information relating to an identified or identifiable natural person („data subject”), an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, any location-related data, an online identification number or one or more facts referring to the phycisal, physiological, mental, economic, cultural or social identity of the natural person,
„processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, consultation, data-base access, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction,
„controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by Union or Member State, the controller or the specific criteria for its nomination may by provided by Union or Member State law,
„processor”: means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller,
„recipient”: means a natural or legal person, public authory, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients, the processing of these data by those public authorities shall be in compliance with the applicable data protecion rules according to the purposes of the processing,
„consent of the data subject”: means any freely given, specific, informed and unambiguous indication of the data subject’ wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her,
„personal data breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Principles relating to processing of personal data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (’lawfullness, fairness and transparency’),
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (’purpose limitation’),
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (’data minimisation’),
- accurate and, where necessary, kept up to date, every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are procesed, are erased or rectified without delay (’accuracy’),
- kept in a form which permits identification of data subjects for no longer than what is necessary for the purposes for which the personal data are processed, personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisatioanl measures required by this Rgulation in order to safeguard the rights and feedoms of the data subject (’storage limitation’),
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (’integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with the abovementioned (’accountability’).
Other data processing
WEBPAGE DATA PROCESSING |
|
CUSTOMER CONTACT | Handling of client contacts |
ONLINE SHOPPING |
|
ONLINE MARKETING |
|
WEBSITE OPERATION
Server-logging
When the website is visited, the weberver automatically stores the user’s activity / does not record user data.
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Server-logging |
|
if a website is visited, the service provider records user data to enable to control the operation of the website, to ensure customer-tailored service and to prevent misuse and breach | All the visitors of the website are subject |
Duration of data processing, deadline of erasing data | |||
Two weeks. | |||
Legal basis of data processing | |||
Article 6.(1) (f) of GDPR: processing is necessary for the purposes of the legitimiate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Act CVIII of 2001, Article 13/A (3) on certain issues of electronic commerce services and information society services |
Data processing related to Website visit, use of cookies
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Data processing related to website visit |
|
|
All the visitors of the website are subject, whether they use the available services or not. |
Duration of data processing, deadline of erasing data | |||
Data required for ensuring the customer-friendly operation of the website (IP-address, sequence of webpages visited while browsing) are stored only during browsing (i.e. until the visitor browses the website), and are erased when the visitor finishes browsing activity on the website. Processing of such data is carried out by the controller by using his or her own information technology devices, no third party can have access to it.Data necessary for assessing audience and mapping website customer habits are stored anonymour by the controller’s informatic system right from the beginning, these data cannot be linked to any person. These data are stored permanently but for maximum 2 years by the controller with the help of cookies that will be recorded on the device of the user. User can delete these cookies by setting it in his or her search engine. | |||
Possible controllers entitled to have access to data | |||
By using cookies, the controller processes no personal data. | |||
Legal basis of data processing | |||
No consent of the subject is required if the only purpose of using cookies is to transmit information via the electronic information network or the controller especially need it to be able to perform a service connected to information society expressely required by the subscriber or the user. Act CVIII of 2001, Article 13/A on certain issues of electronic commerce services and information society services with regard to data processing technically required for service provision, Article 6.(1) (f) of GDPR: processing is necessary for the purposes of the legitimiate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |
Data process of host service provider
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Shared web hosting service | all personal data provided by the subject |
|
All the visitors of the website are subject. |
Duration of data processing, deadline of erasing data | |||
Data processing takes place until the termination of the agreement between the controller and the host service provider, or until the subject submits a claim for erasing his or her data to the host service provider. | |||
Legal basis of data processing | |||
Article 6.(1) (f) of GDPR: processing is necessary for the purposes of the legitimiate interests pursued by the controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Act CVIII of 2001, Article 13/A (3) on certain issues of electronic commerce services and information society services |
CUSTOMER CONTACTS
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Customer contacts |
|
|
All the subjects who are in contact with the controller on the phone or via email. |
Duration of data processing, deadline of erasing data | |||
The controller erases all the incoming emails, text messages, data provided by the subject on the phone, along with the subject’s name and email address within minimum 5 years as of data provision. | |||
Possible controllers entitled to have access to data | |||
Personal data can be processed by authorised staff members of the controller in compliance with the content of this document. | |||
Legal basis of data processing | |||
Article 6.(1) (a) of GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The data subject consents to processing his or her given data or any other data provided in his or her message by making a call in case of telephone enquiry, or by voluntarily dispatching his or her email in case of a message sent via email. Article 6.(1)(b) of GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Article 6.(1)(c): processing is necessary for compliance with a legal obligation to which the controller is subject. |
ONLINE SHOPPING
Registration, shopping
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Registration, shoppng |
|
|
All the visitors who register /buy on the website are subject. |
Duration of data processing, deadline of erasing data | |||
In case of profile data, duration of data processing terminates in 10 years as of the last website visit or upon a claim for cancellation filed by the data subject. The controller informs the data subject of cancellation of any personal data provided by the data subject in writing, in compliance with Art. 19 of GDPR. If the data subject claims the cancellation of his or her email address, too, then the controller deletes this email address after notification. In case of shopping data, duration of data processing terminates in 8 years according to Art. 169(2) of the Accountancy Act. |
|||
Possible controllers entitled to have access to data | |||
Personal data can be processed by authorised staff members of the controller in compliance with the content of this document. | |||
Legal basis of data processing | |||
Art. 6 (1)(a) of GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The data subject consents to processing his or her data by voluntarily disclosing his or her data upon registration and by ticking the box of the privacy statement. Act CVIII of 2001, Article 13/A on certain issues of electronic commerce services and information society services Art.169 (2) of the Accountancy Act |
Accountancy, invoicing
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Accountancy, invoicing |
|
|
All the visitors who make an order on the webpage are subject. |
Duration of data processing, deadline of erasing data | |||
Eight years according to Art. 169 (2) of the Accountancy Act | |||
Legal basis of data processing | |||
Art. 6 (1) (c) of GDPR Act CVIII of 2001, Article 13/A (3) on certain issues of electronic commerce services and information society services |
ONLINE MARKETING
Newsletter, DM activity
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Newsletter, DM activity |
|
|
All the visitors who subscribed to the newsletter are subject. |
Duration of data processing, deadline of erasing data | |||
Duration of data processing terminates upon withdrawal or unsubscription. The data subject may consent in advance and expressly that the Service Provider may send him or her advertisements and other deliveries to the given address. By considering this document, the data subject may consent that the Service Provider may process his or her data that are necessary for sending advertisements. The Service Provider refrains from sending spams, the data subject may unsubscribe without limitation and reasoning and free. In this case, the Service Provider deletes all his or her personal data – necessary for sending advertising newsletters – and refrains from sending him or her any advertising newsletters in the future. The data subject can unsubscribe by clicking on the unsubscription link. | |||
Possible controllers entitled to have access to data | |||
Personal data can be processed by the sales and markering staff of the controller in compliance with the principles on data processing. | |||
Legal basis of data processing | |||
Art. 6 (1) of GDPR: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. Article 6.(1) (f) of GDPR: processing is necessary for the purposes of the legitimiate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Act XLVIII of 2008, art. 6 (5): on the basic requirement and certain restrictions of commercial advertising activities: advertisers, advertising service providers and publishers of advertising shall maintain records on the personal data of persons who provided the statement of consent to the extent specified in the statement. The data contained in the aforesaid records – relating to the person to whom the advertisement in addressed – may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons subject to the express prior consent of the person affected. |
Use of Google Adwords conversion tracking
The controller uses „Google AdWords” online advertising program and within its framework, he or she uses the conversion tracking service of Google. The Google conversion tracking is the analytic service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google“).
When the User visits a website via a Google-advertisement, a cookie is placed on his or her computer that is needed for conversion tracking. The validity of these cookies is limited and they do not contain any personal data resulting in the fact that the User cannot be identified with their help.
When the User browses certain pages of the website and the cookie is still valid, then both Google and the controller can see that the User has clicked on the advertisement.
Every Google AdWords customer is assigned a different cookie, thus they cannot be tracked on the websites of the AdWords customers.
The information obtained with the help of conversion tracking cookies is used to make conversion statistics for the AdWords customers who choose conversion tracking. So, the customers can gain knowledge of the number of visitors who clicked on their pages and were guarded onto a webpage labelled as conversion tracking one. However, they cannot get access to information that could enable the identification of any user. If you do not wish to participate in conversion tracking, you can reject it simply by excluding the possibility of installing cookies in your search engine. Afterwards, your data will not be included in the conversion tracking statistics. Please, click here for further information and the privacy statement of Google: www.google.de/policies/privacy/
Use of Google Analytics
This website uses Google Analytics, which is the service of Google Inc. („Google”). Google Analytics uses „cookie”, textfiles, which are saved on their computers and hereby foster the analysis of the website visited by the user. The information gained with the help of cookies related to the website and visited by the user will be sent to and stored on one of the servers of the Google located in the USA. By activating IP-anonimization on the website, Google shortens the user’s IP-address in advance in the European Union member states or in states parties to the agreement of the European Economic Area.
Transmission and shortening of the complete IP-address take place only in exceptional cases on a Google server located in the USA. Mandated by the operator of this website, Google will use this information to assess how the User used the website, and, to make reports related to the activity of the website to the operator of the website, furthermore, to perform other services related to the use of the website and internet-usage.
Google Analytics does not correlate the IP-address sent by the browser of the User with other Google data. The User may prevent the storage of cookies by setting his or her search engine to do so, however, please note that it can result in the fact that not every function of the website can be used completely. You can also prevent Google from collecting and processing your data provided by cookies and relating to your website usage (including your IP-address) if you download and install the browser plugin from here: https://tools.google.com/dlpage/gaoptout?hl=hu
Social websites
Type of data processing | Scope of processed data | Purpose and use | Subjects concerned |
Social websites |
|
|
Every person is subject who is registered on Facebook / Google+ / Twitter / Pinterest / Youtube / Instagram etc. social websites and „liked” the website. |
Duration of data processing, deadline of erasing data | |||
The data subject may obtain information of the source and processing of the data, the way of transmission and its legal basis on the social websites. Data processing is carried out on the social websites, thus the regulations of the website concerned apply to the duration and method of data processing and the possibilities of cancelling or modifying data. | |||
Legal basis of data processing | |||
Voluntary consent of the data subject to process his or her personal data on the social websites. |
Rights of the data subject
Right to information and access to peronal data: you have the right to obtain feedback from the controller pertaining to whether your personal data are processed, and, if yes, you have the right to have access to these personal data and information prescribed in the regulation.
Right to rectification: you have the right that the controller shall rectify your inaccurate personal data without undue delay upon your request. Taking into consideration the purpose of data processing, you have the right to have incomplete personal data completed – including by means of providing a supplementary statement.
Right to erasure: You have the right to obtain from the controller the erasure of personal data concerning you without undue delay upon your request, and the controller is obliged to erase your personal data without undue delay under certain conditions.
Right to be forgotten: if the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measure, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing: you have the right to obtain from the controller restriction of processing where one of the following applies: – you contest the accuracy of the personal data, in this case restriction applies to a period enabling the controller to verify the accuracy of the personal data, – the processing is unlawful and you oppose to the erasure of the data, instead, you request the restriction of their use, – the controller no longer needs the personal data for the purposes of the processing, however, you require these data for the establishment, exercise or defence of legal claims, – you have objected to data processing, in this case restriction applies to a period until it is proven that the legitimate grounds of the controller override your legitimate grounds.
Right to data portability: you have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format, furthermore, you have the right to transmit those data to another controller without hinderance from the controller to which the personal data have been provided.
Right to object: you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including the profiling based on the said provisions.
Right to object to direct marketing: where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that is related to such direct marketing. If you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
Automated individual decision-making, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The former paragraph shall not apply, if the decision: – is necessary for entering into, or performance of, a contract between you and the controller, – is authorized by Union or Member State law which lays down suitable measures to safeguard your rights and freedoms and legitimate interests, – is based on your explicit consent.
Deadline for action
The controller informs you of the actions based on the abovementioned claims without undue delay but at least in 5 months as of receiving said claim. This deadline may be extended with 2 months if needed. The controller informs you of the deadline extension explaining the reasons for the delay in 1 month as of receiving the claim. In the event the controller fails to take action related to your claim, the controller shall inform you without delay, but at the latest in 1 month as of receiving said claim, of the reasons for failing to take action, and, of the fact that you are entitled to file a complaint at some supervisory authority and you may exercise your right to be remedied at court.
Security of data processing
The service provider shall implement and operate appropriate informatic devices suitable for processing personal data which ensure that
- the processed data shall be available for the authorized persons (availability)
- accuracy and verification of the personal data shall be ensured (validity of data processing)
- lack of personal data modification is ensured (data integrity)
- protected against unauthorized access (confidentiality).
The controller takes appropriate measures to ensure security of the personal data against unlawful processing, amendment, transmission, publication, erasure or destruction and accidental loss.
The controller shall implement appropriate technical and organisational measures that are capable of ensuring a level of security appropriate to the risk.
The controller, while processing data, shall safeguard:
- confidentiality: the controller safeguards the information so that only the authorized persons could have access to it
- accuracy: the controller safeguards the exactness and completeness of the information and the method of processing
- availability: the controller ensures that the authorized person could have access to the information when it is needed and the devices needed for it shall be operational.
Personal data breach
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controlller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of personal data breach, the name and contact details of the data protection officer who provides more information, the likely consequences of the personal data breach, the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject shall not be required if any of the following conditions are met:
-the controller has implemented appropriate technical and operational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption,
-the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize,
– the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the controller has not communicated the personal data breach to the data subject yet, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so. In case of personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The user hereby consents to his data collected on a European server by the controller and sending reports required for counselling procedures.
Complaint possibility
You can lodge a complaint with the Nemzeti Adatvédelmi és Információszabadság Hatóság in case of breach likely having been committed by the controller:
Nemzeti Adatvédelmi és Információszabadság Hatóság
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Postafiók: 5.
Phone number: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu