HU EN

News, information, search

 

PRIVACY POLICY AND GUIDELINE

 

1. General provisions

(1) As regards the website http://www.hajduautort.hu operated by it, and the management of all data of natural person users of the services provided by any other website accessible via the links specified on it (hereinafter referred to as the „website“), HAJDU Autotechnika Ipari Zártkörűen Működő Részvénytársaság shall proceed, as Data Controller, in compliance with this Data Management Policy and Guidelines.
By entering and using the website, the User accepts the provisions of this Data Management Policy as binding upon him or her.

Data Controller in terms of this Policy:

a)    Data controller: HAJDU Autotechnika Ipari Zártkörűen Működő Részvénytársaság
b)    Registered office: 4243 Téglás, 0135/32.
c)    Mail address: 4243 Téglás, 0135/32.
d)    Electronic (email) address: info@hajduautort.hu
e)    Court of registry: Registry Court, Court of Debrecen
f)     Company registration number: 09-10-000395
g)    Tax number: 13560250-2-09

(2) The objective of the privacy guideline is to identify the set of personal data managed by the Data Controller, the way of data management, to ensure compliance with the constitutional principles of data protection and the data security requirements, and to prevent unauthorized access to, or changing or disclosure of the data, so that the privacy of any natural person user will remain respected.

(3) To achieve the objective under Clause (2), the Data Controller shall handle the users' personal data confidentially, in line with the effective provisions of law ensuring their security, and take all technical and organizational measures and develop all procedures needed to comply with the relevant provisions of law and other recommendations. By accepting this statement, the user agrees to the management of his or her data by the Data Controller. Newsletters form an exception to the foregoing, given that they require separate registration.

2. Legislative Background

The Data Controller shall observe the provisions of law related to the handling of personal data in all phases of data management. The management of data by the Data Controller shall be primarily governed by the provisions of the following laws:

  • Section 2:43 (e) of Act V of 2013 on the Civil Code
  • Act CXII of 2011 on informational self-determination and freedom of information (“Data Protection Act”)
  • Act CVIII of 2001 on certain issues relating to electronic commercial services and services concerning the information society (“E-Commerce Act”)
  • Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities ("Economic Advertising Activities Act")
  • Act VI of 1998 on the promulgation of the Convention done at Strasbourg on 28 January 1981 for the protection of individuals with regard to automatic processing of personal data
  • Act CXIX of 1995 on the use of name and address information serving the purpose of research and direct marketing (“Data Management Act”)

3. Definition of terms

(1) data subject: shall mean any natural person who is identified or identifiable, either directly or indirectly, based on specific personal data;

(2) personal data: shall mean any data liable to be associated with the data subject, including in particular the data subject's name, identification code or one or more details characterising his or her physical, physiological, mental, economical, cultural or social identity, as well as any conclusion deduced from such data relating to the data subject;

(3) consent: shall mean a voluntary and definite indication of data subject's wish given freely and sufficiently informed, by which the data subject signifies his agreement to personal data relating to him or her being processed either without limitation or with regard to specific operations;

(4) objection: shall mean the data subject's statement expressing objection to the processing of his or her personal data, and requesting that the processing of the data be terminated and the processed data be deleted;

(5) data management: shall mean any operation or set of operations that is performed on data, irrespective of the method used, such as, in particular, collection, capturing, recording, organization, storage, alteration, use, querying, forwarding, disclosure, alignment or combination, blocking, deletion or destruction, and blocking them from further use; photographing, sound and video recording, and the recording of physical attributes suitable for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);

(6) data processing: shall mean the technical operations involved in data management, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are performed on the data;

(7) disclosure by transmission: shall mean making data available to a specific third party;

(8) public disclosure: shall mean making data available to the general public;

(9) data controller: shall mean a natural or legal person or unincorporated organization that, either individually or jointly with others, determines the purpose of data management, makes decisions regarding data management (including the means used) and implements such decisions itself or engages a data processor to implement them;

(10) data processor:
shall mean a natural or legal person or unincorporated organization that carries out the processing of data under a contract, including when contracted by virtue of legal regulation;

(11) deletion of data: shall mean making data unrecognisable in such a way that they are not possible to restore any more;

(12) dataset: shall mean all data processed in a single file;

(13) third person: shall mean any natural or legal person or unincorporated organization other than the data subject, the data controller or the data processor.

4. Legal grounds of data processing

The Data Controller shall process the Data Subjects' data in line with the effective provisions of law on data protection, based on their consent, and observing the provisions of

  • extion 13/A of Act CVIII of 2001 on certain issues relating to electronic commercial services and services concerning the information society;
  • Section 6 of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities.

5. Scope, purpose and duration of data management

(1) This Privacy Policy applies to the management of natural persons only, given that personal data cannot be interpreted but in relation to natural persons.
Anonymous information collected by the data controller excluding personal identification, which may not be related to any natural person, or demographic data collected in such way that they are not linked to the personal data of identifiable persons, and therefore do not enable association with natural persons shall not qualify as personal data.

(2)
Request for price quote:
The website enables to request price quotes and other information relating to the Service Provider's services, subject to the supply of the following personal data:
- email address
- name
- phone number
The purpose of data management shall be to provide customised services to the Data Subjects or send them a price quote upon request.

Anonymous visitor identifier (cookie)
The Data Controller saves anonymous visitor identifier (cookie) to the Data Subject's PC, which does not allow the identification of the Data Subject in itself in any way; it enables only the identification of the Data Subject's PC without the need to supply any name, email address or further personal data, given that the User does not provide any personal data to the Data Controller when using the solution, and data exchange takes place between PCs only.

The Data Controller manages cookies to get more information about the Data Subjects' information usage habits, and thus, to improve the quality of its services, and display customised pages and marketing (advertising) materials during visits of the Portal.

Using appropriate browser settings, Data Subjects can prohibit the saving of unique IDs (cookies) on their PCs. The Data Subject understands that, if cookies are disabled, some services may not operate properly.

The Data Subject can give consent by clicking the button “Accept” in the window displaying the text below, or continuing to use the website (clicking any link or menu item). “This website uses cookies. They are files providing information to us about user's site visiting habits, however, they do not store any personal information. By continuing to browse the site you agree to the use of cookies. 

Use of integrated social media extensions
By default, extensions are disabled on the Portal. No extension will be enabled, unless the Data Subject clicks the appropriate button. By enabling an extension, the Data Subject connects to a social website and agrees that his or her data may be forwarded to Facebook/Twitter/Linked-in.
If the Data Subject is signed into Facebook/Twitter/Linked-in, the given social network may link his or her visit to his or her social network account.

If the Data Subject clicks on the appropriate button, the browser will forward the information concerned directly to and store the same at the given social network.

For the scope and purpose of such data collection, any further processing or use of the user's personal data by Facebook/Twitter/Linked-in, and his or her rights and settings concerning the protection of his or her privacy, the user should consult the privacy statement of Facebook//Twitter/Linked-in.

Remarketing codes
The Service Provider uses GoogleAdwords and facebook remarketing codes on the Portal. A remarketing code uses cookies to tag Portal visitors.
Cookies saved enable that advertisements related to the Service Provider's products and services will appear on other sites to be visited by the Portal visitor that are parts of the Google Display network, as well as on facebook.
The User can disable cookies at any time, and customize the advertising settings on the Google Ads Settings interface.

The Data Subject can give consent by clicking the button “Accept” in the window displaying the text below, or continuing to use the website (clicking any link or menu item). “This website uses cookies. They are files providing information to us about user's site visiting habits, however, they do not store any personal information. By continuing to browse the site you agree to the use of cookies.


Log files
To support the use of the services, the following data are automatically logged:

  • the dynamic IP address of the user's PC
  • subject to the settings of the user's PC, the type of the browser and operating system used
  • the user's activity concerning the website

The use of such data serves, on one hand, for technical purposes, such as the analysis and subsequent inspection of the secure operation of servers, and on the other hand, these data are used by the Data Controller for the creation of site usage statistics and the analysis of user needs, in order to improve the services.
The said data do not enable the identification of the user, and the Data Controller shall not link them to other personal data.

The Data Subject can give consent by clicking the button “Accept” in the window displaying the text below, or continuing to use the website (clicking any link or menu item). “This website uses cookies. They are files providing information to us about user's site visiting habits, however, they do not store any personal information. By continuing to browse the site you agree to the use of cookies.

(3) The Data Controller may not use any personal data related to the Data Subject for purposes other than those specified above – including in particular the improvement of service efficiency or market research –, but subject to the prior identification of the purpose of data management and to the Data Subject's consent.
These data may not be linked to data identifying the Data Subject, and may not be disclosed to third persons without the Data Subject's consent.
If the purpose of data management no longer exists or the Data Subject requires so, the Data Controller must erase these data.

(4) The Data Controller shall make sure that the visitor of the website will be enabled, at any time before or during the use of the service, to discover what data types are managed by the Data Controller and for what purposes, including the management of data not directly linked to the visitor.

Upon the data subject’s request the data controller shall provide information concerning the data relating to him or her, including those processed by a data processor hired by the data controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and if the personal data of the data subject is disclosed by transmission to others, the legal basis and the recipients.

(5) The legal basis for the data management carried out by the Data Controller shall be the Data Subject's consent in all cases.

The Data Subject may give his or her consent by accepting the Privacy Policy.

(6) Duration of data management:
Based on the Data Subject's consent, data management shall continue until amendment or withdrawal of such consent. Upon expiry of the duration of data management, the Data Controller shall erase the Data Subject's personal data.

For evidence in possible legal disputes, the Data Controller shall store all order related data, including any voice recording made in the course of transaction by phone, until expiry of the general limitation period that is 5 (five) years.
To meet any accounting obligation, the Data Controller shall manage all billing data until expiry of the period of 8 (eight) years, pursuant to Section 169 of Act C of 2000 and/or of the limitation period set out by XCII of 2003 on the rules of taxation.

(7) To enable the end-to-end performance of the services, the Data Controller may forward the personal data of the Data Subject to third persons on a temporary basis, and subject to the necessary consent, for the purpose of data processing or data management, and in particular:

- if online payment is made via the website, the Data Controller shall forward the number of the credit card/bank card required for the same to the financial institute without retaining it;

- if, for products ordered via the website, the Data Controller gives the deliverable product to a partner company contracted for delivery along with any data required for the completion of the delivery (delivery name and address). As regards the delivery data supplied, the partner company performing the delivery shall be considered as a data processor, who may not use such data for purposes other than the completion of the delivery.

The Data Subject may give his or her consent by accepting the Privacy Policy.

(8) In order to retrieve independent visitor statistics and other web analytics results from the site, the service provider shall use the GoogleAnatitycs software, whereby Google Inc. shall act as a data processor in respect of the data used by the said software. For more information about the Privacy Policy of Google Inc., please see http://www.google.com/intl/hu ALL/privacypolicy.html.
The visitor using the services offered by the website understands that, by using the website, he or she has agreed to the processing of his or her data by Google.

(9) When services are involved that require the User to send personal data online, such as bank card number, for online payments, so that he or she can use such services, the Data Controller shall provide a channel offering sufficient protection, i.e. SSL connection for such messages.

(10)Where certain services and pages of the website are operated by the Service Provider jointly with a company maintaining business relationship with it, the Service Provider's operator business partner shall collect personal data acting in the name, on behalf and for the benefit of the Service Provider, and such data management shall also be governed by the provisions of this Privacy Policy.
The Data Subject may give his or her consent by accepting the Privacy Policy.

For the management of such data, the Data Subject shall conclude a separate agreements with the Data Controller Service Provider.

(11)Where a joint service is operated with any content provider of the website, the right of use in the personal data shall be held jointly, however, the provisions of this Privacy Policy shall still apply, subject to the rules governing the management of data with the same scope under the contract concluded with the partner.  

(12) For the management of data referred to under paragraphs (6) to (7), the identity of the data controller and the data processor shall be clearly highlighted in the course of the data supply and the data processing.

(13) Data and contact details of the data processors:

Name: DBI Szoftver Kft (storage provider)
Registered seat: 4034 Debrecen, Vágóhíd utca 2, building 4, floor 2

Upon the data subject’s request the data controller shall provide information concerning the data relating to him or her, including those processed by a data processor hired by the data controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and if the personal data of the data subject is disclosed by transmission to others, the legal basis and the recipients.

The Service Provider reserves the right to use the services of data processors other than those listed above, setting out that the Service Provider shall publish the name and address of any other data processor no later than by the start of the data processing in a manner enabling access by the Data Subjects.

6. Rights of the Data Subject

(1) The Data Subject may request the Data Controller to
a) provide information about the management of his or her personal data;
b) have his or her personal data corrected, and
c) have his or her data deleted or blocked, except for any mandatory data management.

(2) Upon the Data Subject’s request, the Data Controller shall, within no more than 30 days from submission of the relevant request, provide written information concerning the Data Subject's data managed by the Data Controller, including those processed by a data processor hired by the Data Controller or by others based on its instructions, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and on its activities relating to data processing, and if the personal data of the data subject is disclosed by transmission to others, the legal basis and the recipients.
Such information shall be given free of charge, provided that the requestor of the information has not yet requested the Data Controller to provide information about the same area during the given year. Otherwise the Data Controller shall establish a fee, setting out that any fee already paid shall be reimbursed if the data concerned turn out to have been managed unlawfully, or the request for the information results in a correction.

(3) To verify the lawfulness of disclosure and ensure notification of the data subject, the Data Controller shall maintain data transmission records including the date when personal data managed by it are transmitted, the legal grounds and addressee of the transmission, the identification of the set of personal data transmitted, as well as any other information specified by the law requiring the data management.

The term of the obligation of keeping transmission records for the data and providing information based on this may be restricted by the law requiring the data management.

(4) If the personal data is untrue and the Data Controller is in possession of the correct personal data, the Data Controller shall correct the personal data.

(5) The personal data must be deleted if

a) its management is unlawful;
b) this is requested by the Data Subject (except for mandatory data management);
c) the data are incomplete or wrong, and this state cannot be lawfully remedied, provided that deletion is not excluded by law;
d) the purpose of the data management no longer exists or the time limit for the storage of data specified by law has expired;
e) this has been ordered by court or the Hungarian Data Protection Supervisory Authority.

(6) Instead of deletion, the Data Controller shall block the personal data, where this is requested by the Data Subject, or it is presumed, on the basis of available information, that deletion would infringe the legitimate interests of the Data Subject. Any personal data blocked this way shall be managed only as long as the purpose of data management excluding the deletion of the personal data exists.

(7) If the correctness or accuracy of a personal data item managed is contested by the Data Subject, but its incorrectness or inaccuracy cannot be ascertained beyond doubt, the Data Controller shall mark such personal data.

(8) Any correction, blocking, marking or deletion of the data must be notified to the Data Subject and all recipients to whom the data have been transmitted earlier for the purpose of data management. Such notification can be bypassed when this does not violate the legitimate interests of the Data Subject in terms of the purpose of the data management.

(9) Should the Bank fail to fulfil the Data Subject’s request for correction, blocking or deletion, the Data Controller shall inform the Data Subject in writing of the factual and legal rationale for the rejection of such request for correction, deletion or blocking within 30 (thirty) days of receipt of the request. Where a request correction, deletion or blocking is refused, the Data Controller shall notify the Data Subject of the possibility to seek legal remedy in court and to turn to the competent Authority.

(10)  (1) The Data Subject may raise objection against the management of his or her personal data

a) if the personal data are managed or transmitted solely for the purpose of fulfilling the Data Controller’s legal obligation or for enforcing the legitimate interests of the Data Controller, the data recipient or a third person, except for mandatory data management;
b) if the personal data are used or transmitted for the purpose of direct marketing, public opinion polling or scientific research; or
c) in other cases specified by law.

(2) The Data Controller shall review the objection raised as soon as possible, but within no more than 15 days from submission, and it shall decide on the merits of the request notifying the applicant in writing of its decision.

(3) If the objection is found well grounded, the Data Controller shall terminate the management of the data, including any further data recording or transmission, and block the data notifying all earlier recipients of the data affected by the objection, who must take measures to enforce the given right of objection of the objection and any measure taken as a result.

(4) If the Data Subject disagrees with the Data Controller’s decision taken pursuant to paragraph (2), or if the Data Controller fails to observe the deadline specified under paragraph (2), the Data Subject shall have the right to seek legal remedy within 30 days from such deadline in the manner specified under Section 22 of the Data Protection Act.

(11) The rights of the Data Subjects specified in this Clause 5 may be restricted by law, for reasons of internal or external state security, including national defense, national security, the prevention or prosecution of crimes or the security of law enforcement, as well as of governmental or municipal economic or financial interests, significant economic or financial interests of the European Union, or to promote the prevention or investigation of disciplinary and ethical violations, and breaches of obligations related to the labour law or occupational safety, including any review or surveillance measures, and the protection of the rights of the Data Subject or others.

(12) All matters not covered in this Guideline shall be governed by the provisions of the laws specified under Clause 2.

7. Judicial remedy

(1)  In the event of any infringement of his or her rights, the Data Subject may seek legal remedy at:

a.) the Office of the Commissioner for Fundamental Rights (1051 Budapest, Nádor u. 22),
b.) the Hungarian National Authority for Data Protection and Freedom of Information
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mail address: 1530 Budapest, P.O. box 5
Phone: 06 -1- 391-1400
Fax: 06-1-391-1410
Email: ugyfelszolgalat@naih.hu
c.) the competent court of the Data Subject place or residence or stay.

The court shall act in extraordinary proceedings. The burden of proof shall lie with the Data Controller, as to the lawfulness of data management, and with the data recipient, as to the lawfulness of the receipt of data.
If the court decides in favour of the application, the Data Controller shall be requested to provide the information, correct, block or delete the data, revoke the decision on automated data processing, observe the Data Subject's right of objection and/or disclose the data requested by the data recipient, as set out under Section 21 of the Information Act.
If the court rejects the data recipient's application in the cases specified under Section 21 of the Information Act, the Data Controller shall delete the Data Subject's personal data within 3 days from the notification of the decision.
The Data Controller must delete the data, even if the data recipient fails to turn to the court within the time limit determined under Section 21 (5) or (6) of the Information Act.
The court may order the public disclosure of its resolution along with the identification of the Data Controller, if the same is justified for data protection interests and the enforcement of several Data Subjects' rights protected under the said Act.

(2) The Data Controller must indemnify the Data Subject for all damages caused by unlawfully managing the Data Subject's data or violating the requirements of data security.

If the Data Controller infringes the Data Subject's privacy rights by unlawfully managing the Data Subject's data or violating the requirements of data security, the Data Subject may claim restitution from Data Controller.

The Data Controller shall assume liability to the Data Subject for all damages caused by the data processor, and the Data Controller shall pay to the Data Subject any restitution for infringements of the Data Subject's privacy rights by the data processor. The Data Controller shall be exempted from its liability for the damages caused and the payment of the restitution, if it can prove that the damage or the infringement of the Data Subject's privacy rights is attributable to reasons outside the scope of data management and its reasonable control.

No indemnification or restitution shall be paid, if the damage or the infringement of the Data Subject's privacy rights is attributable to the deliberate actions or grave negligence of the damaged party or the Data Subject.