Information Note on Data Protection and Data Processing
weCAN Communications Kft. (registered seat: H-1037, Budapest Seregély utca 3-5., firstname.lastname@example.org, hereinafter referred to as the Data Controller) processes the personal data of visitors registered in order to download the CANnual Report (hereinafter referred to as the User) for marketing purposes (sending newsletters, information notes, etc. electronically). Data Controller protects the personal data of registered Users in every reasonable way. By supplying their data, Users expressly consent to the storage, use and transfer of their personal data in the manner set out in this policy.
Data Controller reserves the right to involve data processors in data processing in which case it will be communicated to the Users by modifying this policy.
- Data subjects:
Visitors registered for the purpose of downloading the CANnual Report.
- Scope of personal data processed:
By supplying their data, Users expressly consent to the gathering, storage and use of their below data – which may be provided at their own discretion – for the purposes provided in this policy:
- email address
- logging of visits at our website
- Legal basis of data processing
Data processing is based on voluntary consent of the User.
- Purpose and method of data processing:
The purpose of data processing by Data Controller is to contact private individuals and enterprises – registered at cannualreport.wecan.net website in order to download the CANnual Report – for marketing purposes (sending newsletters, information notes, etc. electronically).
Data Controller does not verify the personal data supplied by the users; Users shall be liable for the authenticity and compliance of such data. Users assume liability for ensuring that the email address given by them is only used by them for the purposes of availing of Data Controller’s services.
Data Controller makes sure that its subcontractor involved in the processing of data complies with the provisions of this policy and the data controller is liable for the compliance by the subcontractor.
- Copyright protection
Registered users shall be entitled to read the CANnual Report, to make copies thereof by way of printing or downloading it to a disc for informational purposes, personal and non-commercial use only. Data included in the publication may be referenced, copied and distributed freely provided that the original source is indicated in such disclosure. No copies of any part of the publication CANnual Report may be sold or transferred in consideration for commercial profits, furthermore no parts of the publication may be changed or included in any other work, publication or website either electronically or traditionally.
- General rules of data protection:
Data processing by Data Controller is always in compliance with the applicable legal provisions and the data protection rules set out in this policy. Data Controller may only use such data in the course of its activity and shall not disclose them to any other natural or private person (except its subcontractor involved in data processing) for any reason without the consent of the data subject.
The previous provision shall not apply to data disclosure required by law and the use of aggregated data for statistical purposes without the name or other personal identifiers of the User.
Should Data Controller intend to use the data supplied for purposes other than those set out in this data protection policy, it shall inform the User thereof accordingly by sending an email to the email address provided by the User and request the User’s express and prior consent, as well as allow the User to prohibit the different use of such data.
- Term of data processing:
Having regard to the fact that data disclosure by User is voluntary and free of external influence, Data Controller processes the User’s data until the User prohibits the use of such data or withdraws the consent in writing, by sending an email to email@example.com email address or a postal mail to the following address: H-1037 Budapest, Seregély u. 3-5. In case of such prohibition or withdrawal, Data Controller will delete the data concerned from the register immediately. For further information about data subjects’ rights see Point 9.
In case of any suspected criminal offence or the enforcement of civil liability, the Operator/Data Controller shall be entitled to retain the data supplied by the User until the final closing of the proceedings initiated and to use them as evidence.
- Data processors:
The Data Controller and the data processors commissioned by the Data Controller have the right of access to the personal data according to the relevant and effective legal regulations.
The data are processed by the following data processing parties:
The Data Controller reserves the right to involve other data processors in data processing in the future, and to inform the Users about it by amending this Privacy Notice.
- Rights of data subjects:
Access to personal data
Upon the User’s request the Data Controller provides information on whether the personal data of the User are being used for data processing purposes by the Data Controller, and if so, grants access to their personal data and shares the following information with them:
- the purpose(s) of the data processing activity;
- the type of the personal data affected by data processing;
- the legal ground and recipient(s) in the event of transferring the personal data of the User;
- the planned processing period;
- the rights of the User relating to the rectification, erasure and restriction of processing of the personal data, as well as the option to object to personal data processing;
- the possibility of turning to the Authority;
- the data source;
- the name, address of the processors and their activities related to data processing.
The Data Controller shall provide the User with a copy of the personal data processed free of charge. For any further copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs. If the User submits the request via an electronic channel the requested information shall be sent to them in a widely used electronic format unless the data subject requests a different format.
Rectification of processed data
Taking into account the purpose of the data processing, the User may request the rectification of inaccurate personal data or the supplementation of incomplete data from the Data Controller. The Data Controller shall fulfil the rectification requirement without undue delay.
Erasure of processed data (right to be forgotten)
The User has the right to request immediate erasure of their personal data by the Data Controller; upon receiving such requests the Data Controller is obliged to immediately erase the personal data relating to the data subject if any of the following criteria are fulfilled:
- the personal data requested to be deleted are no longer needed for the purpose they were obtained for and managed in any way;
- the User revokes their consent and there is no other legal ground for data processing;
- the User objects to the processing of their personal data;
- the personal data was processed unlawfully;
- the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Data Controller is subject;
- the personal data obtained based on consent was collected with the provision of services relating to the information society to children.
Where the Data Controller has made the personal data public (made it available to a third party) and is obliged to erase the personal data pursuant to the above, the Data Controller, taking into account the available technology and the cost of implementation, shall take reasonable steps to inform controllers which are processing the personal data of the User that the User has requested them to erase any links to, or copy or replication of, those personal data as well as to erase any duplicate copies.
Personal data is not required to be erased when data processing is required:
- to exercise rights to freedom of expression and information;
- for compliance with a legal obligation which requires processing by EU or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- based on public interest that relates to public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the presentation, enforcement or defence of legal claims.
Restriction of data processing
The User has the right to request the Data Controller to, instead of rectifying or erasing, restrict the processing of their personal data, if any of the following criteria apply:
- the User contests the correctness of their personal data. In such cases the limitation shall only apply to the time necessary for the Data Controller to verify the correctness of the personal data;
- the processing is unlawful, and the User opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the User for the establishment, exercise or defence of legal claims; or
- the User objected to data processing; in such cases the restriction shall only apply to the time necessary to determine whether the Data Controller’s justified needs precede the User’s justified needs.
Where processing has been restricted, such personal data shall, except for storage, only be processed with the User’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
The Data Controller shall notify the User, based on whose request the data processing activity was restricted, prior to the lifting of such restrictions.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the Data Controller shall inform the User of these recipients.
Right to objection
The User shall have the right to object to the processing of data relating to them, if the data processing
- is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
- is necessary for the enforcement of the legitimate interest of the Data Controller or a third party.
In case the User objects, the Data Controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or relate to the establishment, exercise or defence of legal claims.
Measures taken by the Data Controller in connection with the request of the User
The Data Controller shall inform the User without undue delay, but no later than within one month from the receipt of the request, of the measures taken in relation to the access, erasure, restriction, objection or data portability request. This deadline may, however, be extended by two months if warranted by the complexity of the request or the number of requests. The Data Controller shall notify the User of any such extension within one month of receiving the request; such a notification shall include the reason for the extension. If the User submits the request via an electronic channel the notification shall preferably be sent to them in an electronic format unless the data subject requests a different format.
If the Data Controller fails to act upon the User’s request they shall notify the User, without delay but no later than within one month of receiving the request, of the reasons for such a failure, and shall also inform the User that they may lodge a complaint with a supervisory authority and may seek judicial legal remedy.
Upon the request of the User, the information, notifications and the measures taken based on their request shall be provided free of charge. Where requests from a User are clearly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or may refuse to take action in relation to the request. The Data Controller shall bear the burden of demonstrating the clearly unfounded or excessive nature of the request.
- Data security
Data Controller undertakes to ensure the security of data and implement those technical and organizational measures and determine those procedural rules which ensure the protection of the recorded, stored and processed data and also prevent the destruction, unauthorized use and alteration of data. Data Controller also undertakes to draw the attention of every third party who gets access to the data, or to whom the data are transferred with the consent of the Users, to the need to comply with data security requirements.
Data Controller ensures that no unauthorized person gets access to, discloses, forwards, alters or deletes the processed data. Only Data Controller and the employees of the data processors commissioned by Data Controller may have access to the data. Data Controller does not forward the data to any unauthorized third person.
Data Controller takes every necessary measure to avoid any damage, accidental loss or destruction of the data. Data Controller prescribes this obligation to its employees involved in data processing and to the data processors commissioned by Data Controller.
- Handling and reporting of data breach incidents
Any incident that results in the unauthorised processing or controlling of personal data is considered a data breach incident, in particular unauthorised or accidental access, alteration, disclosure, erasure, loss or destruction of personal data controlled, transferred, stored or processed by the Controller, or their accidental destruction or damage.
The Controller informs the data subjects about the data breach incident through the website of the Controller within 72 hours of detecting the data breach incident.
The Controller keeps a record of data breach incidents for controlling the measures taken in relation to the occurring incidents and for providing information to the data subjects. The record contains the following data:
- the scope of the affected personal data;
- the range and number of data subjects;
- the date and time of the data breach incident;
- the circumstances and effects of the data breach incident;
- the measures taken for the prevention of the data breach incident.
The data contained in the record will be kept by the Controller for 5 years from the detection of a data breach incident.
- Legal remedies:
Users shall be entitled to enforce their rights pursuant to the provisions of Regulation of the European Parliament and of the Council (EU) 2016/679 (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as GDPR), the Act CXII of 2011 on the informational self-determination and the freedom of information, Act V of 2013 on the Civil Code of the Republic of Hungary, as well as the related laws and regulations before the competent authorities: at the Hungarian National Authority for Data Protection and Freedom of Information [Nemzeti Adatvédelmi és Információszabadság Hatóság] (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.) or before courts. For further information, Users may contact the National Authority for Data Protection and Freedom of Information (www.naih.hu).
- Governing law:
The governing law shall be the GDPR and the Hungarian Law, with special regard to the provisions of Act CXII of 2011 on the right of informational self-determination and the freedom of information.