Menu

DATA PROTECTION POLICY AND GUIDE

 

1. General provisions

(1) In relation with the services provided on the http://www.gvb.hu website and the websites accessible at other addresses (hereinafter: „the website”) operated by Grabarics Építőipari Kft. as Data Manager, the company acts on the basis of this Data Management Policy and Guide in the course of managing the information of natural persons.

By entering and using the website, the User recognizes the provisions of this Data Management Policy as compulsory for him.

   Data Manager in respect of this Policy:

  • Data Manager: Grabarics Építőipari Kft
  • Seat: 1053 Budapest, Reáltanoda u. 5.
  • Postal address: 1053 Budapest, Reáltanoda u. 5.
  • Electronic (e-mail) address: info@grabarics.hu
  • Court of registration: Fővárosi Törvényszék Cégbírósága
  • Registration number: 01-09-940225
  • Tax code: 11106485-2-41


(2)  This Guide on data protection is aimed at determining the scope of personal information managed by the Data Manager and the mode of data management, and at ensuring the enforcement of constitutional privacy principles and the requirements of data security as well as avoiding unauthorized access to information and the changing and the unauthorized publication or use of information for the sake of respect for the private sphere of natural persons.

(3) For achieving the objectives set forth in paragraph (2), the Data Manager handles the personal information (particulars) of users confidentially in line with the requirements of prevailing regulations, provides for their security, takes the technical and organizational measures and develops the rules of procedure that are necessary to the enforcement of the related statutory provisions and other recommendations.

 

2. Legislative background

The Data Manager is obliged to observe the legislative requirements related to the management of personal information in each phase of data management. First of all, the provisions set forth in the following regulations apply to the handling of information by the Data Manager:

  • article 2:43§ (e) of act V of 2013 on the Civil Code
  • act CXII of 2011 on information-related self-determination right and information freedom („Privacy act”)
  • act CVIII of 2001 on certain questions of electronic trade service as well as services related to the information society („E-trade act”)
  • act XLVIII of 2008 on the basic conditions of business promotion activity and its restrictions („Prom. act”)
  • act VI of 1998 on the promulgation of the Convention on the protection of individuals in electronic data processing, dated in Strasbourg on 28 January 1981
  • act CXIX of 1995 on the handling of name and home address data serving for research and direct marketing („K&M act”)

 

3. Definitions

(1) person affected:  any natural person specified, identified or – directly or indirectly – identifiable  on the basis of personal information;

(2) personal information: data that can be related to the Person Affected – in particular the name, the ID code as well as information typical to one or several physical, physiological, mental, economic, cultural or social attributes – as well as conclusions that can be drawn from the data in relation with the Person Affected;

(3) approval: voluntary and decisive expression of the wish of the Person Affected, based on sufficient information, through which the Person Affected gives his unmistakable agreement to the management of his/her personal information – including all or certain operations;

(4) protest: statement, in which the Person Affected raises objection against the handling of his/her personal information and requests the termination of data management and/or the deletion of the information managed;

(5) data management: irrespective of the applied procedure, any or all operations performed on personal information, so e.g. the collection, recording, sorting, storage, change, use, forwarding, publication, harmonization or connection,  locking, deleting and destroying of data as well as hindering the further use of information,  making photographic, voice or image records, and recording of physical characteristics (e.g. finger or palm prints, DNA pattern, iris image) suitable for the identification of the Person Affected;

(6) data processing:  performing technical tasks related to data management operations, irrespective of the method and means applied to implement the operations and of the site of application, assumed that the technical tasks are carried out on the information;

(7) data transmission:  making the information accessible for specified third entity;

(8) publication: making the information accessible for anyone;

(9) data manager:  the natural person or legal entity and/or the organization without legal personality that has identified on its own or together with others the purpose of managing personal information, takes and implements or gets the appointed data processing staff implement the decisions related to data management (including the applied tool);

(10) data processing entity:
the natural person or legal entity and/or the organization without legal personality that performs processing of information on a contractual basis – including contracts concluded on the basis of statutory provision;

(11) data deletion: making the information unrecognizable in such a way that their recovery is not possible anymore;

(12) data files:  the whole of information handled in a record;

(13) third person:  the natural person  or legal entity and/or the organization without legal personality that is not identical with the Person Affected, the data manager or the data processing entity.

 

4. The legislative basis of data management

The Data Manager handles the particulars of Persons Affected in line with the privacy regulations and on the basis of their approval, and

  • of article 13/A§ of act CVIII of 2001 on certain aspects of services related to the information society, and
  • of paragraph 6. § of act XLVIII of 2008 on the basic conditions and certain restrictions of the business promotion activity.

 

5. Scope of information managed, purposes and term of data handling

(1) This Data Protection Policy applies exclusively to the handling of the data of natural persons due to the fact that personal information (particulars) can only be interpreted in the context of natural persons.
The anonymous information collected by the Data Manager with the exclusion of personal implications which cannot be brought into connection with natural persons  as well as the demographic data collected without any reference to the particulars of natural persons so as no connection can be created to natural persons shall not be considered personal information.

(2)  
Sending online messages, requesting offers:

On the website it is possible to request offers in relation to services provided by the Service Provider and any other information along with indicating the following particulars:

  • name
  • e-mail address
  • phone number

The purpose of data management: providing personalized services to Persons Affected and sending out offers requested by the Person Affected.

Anonymous user identification (cookie)
The Data Manager places onto the computer of the Person Affected anonymous user identifier (cookie), which in itself is by no way able to identify the Person Affected, it serves exclusively for the recognition of the hardware of the Person Affected. Name, e-mail address or any other personal information are not needed since the User does not disclose his/her particulars to the Data Manager when using the application, and data exchange takes place exclusively between the two computers.

The Data Manager uses cookies in order to get familiar with the information using habits of the Persons Affected and to improve the standards of his services through this, and to display customized pages, marketing materials (commercials) for the user visiting the website.

Through setting his browser the Person Affected has the possibility of refusing the placement of individual identification marks (cookies) on his computer. The Person Affected understands that in the case of banning  the cookies certain services will not work properly.

Use of community extensions (Facebook, Twitter, Linked-in)
In default situation the extensions are banned on the Portal. Extensions will only be allowed if the Person Affected clicks on the related key. By authorizing the extension, the Person Affected creates a link to the community site and approves the forwarding of his/her particulars to Facebook/Twitter/Linked-in.
If the Person Affected has logged in to Facebook/Twitter/Linked-in, it may happen that the specific community network associates his/her visit to the community account of the Person Affected.

If the Person Affected clicks on the proper key, his/her browser will forward the related information directly to the community network concerned and store it there.

Information about the scope and purpose of data collection, and about the users’ rights and settings aimed at the protection of his/her particulars in relation with the further processing and use of particulars by Facebook/Twitter/Linked-in can be found in the privacy statements of Facebook//Twitter/Linked-in.

Remarketing codes
The Service Provider uses Google Adwords as well as Facebook remarketing codes on the Portal. The remarketing code uses cookies for tagging the visitors of the Portal. The set cookie helps that advertisements related to the Service Provider’s products and services appear on other websites belonging to the Google Display network or on Facebook when the user of the Portal visits them later on.
The user may ban the cookies any time and personalize the advertisements on Google’s  adds settings interface.


Log files
Fort the availability of services the system automatically logs the following information:

  • the dynamic IP address of the user’s computer
  • the type of the browser and operation system used depending on the settings of the user’s computer
  • the user’s activity related to the website

The use of these pieces of information serve for technical reasons – like the analysis and later inspection of the safe operation of servers – on the one hand, and the Data Manager uses this information for compiling statistics on page use and for analyzing users’ demands in order to improve the standards of services, on the other hand.
The above information is not suitable for the identification of the user and the Data Manager does not connect them other personal information.

(3) The Data Manager is allowed to handle personal information related to the Person Affected for purposes other than indicated above – so in particular for increasing the efficiency of his service or for market research – only after having specified  the purpose of data management and with the agreement of the Person Affected.
These data must not be linked with the particulars of the Person Affected and must not be transmitted to third entities without the agreement of the Person Affected.
The Data Manager is obliged to delete these information if the purpose of data management has ceased or the Person Affected decides so.

(4) The Data Manager shall ensure that the user has the opportunity to know before and any time during using the service the purpose of data management and the types of information subject to data management, including the handling of information in no direct contact with the user.

(5) The legislative basis of data management performed by the Data Manager is in each case the approval of the Person Affected.

(6) Term of data management:
The information managed with the agreement of the Person Affected can be handled until the changing and/or  withdrawal of the approval. Upon the expiry of the term of data management the Data Manager is obliged to delete the particulars of the Person Affected.
The Data Manager shall store the information related to orders – including the voice records made in the course of telephone transactions – for evidence in legal disputes, if any, until the general limitation period i.e. for 5 (five) years.
The Data Manager shall manage the information related to billing for the fulfillment of his accounting obligations for 8 (eight) years pursuant to article 169. § of act C of 2000 and until the limitation period specified in act XCII of 2003 on the tax regime, respectively.

(7) It may happen that for the provision of full services the Data Manager transmits certain particulars of the Person Affected to third party – on a provisional basis and with the required approval – for the purpose of data processing or data management, so in particular:

  • if online payment is effected via website, the Data Manager forwards the credit card / bank card number needed for payment to the financial service provider, without making records on it;
  • if in the case of products ordered via website, the Data Manager transfers the product to be delivered and the information needed for delivery to the partner contracted for transportation (delivery name and address). The partner contracted for transportation is considered data processor in relation with the transferred delivery information and must not use that information for any other purpose but only for the fulfillment of delivery.

(8) For the purpose of extracting independent attendance and other web analytical data from the website, the Service Provider uses Google Analytics software, therefore, Google Inc. acts as data processing entity in respect of these information. The Privacy Policy of Google Inc. is accessible  on  http://www.google.com/intl/hu_ALL/privacypolicy.html .
The user of the website services understands that by using the website he/she has given his/her approval to data processing by Google.

(9) Should services be concerned in the course of which the user shall forward personal information – so e.g. bank card number for online payment – for using the service, the Data Manager ensures a channel for providing adequate protection for such messages i.e. SSL-based connection.

(10) Should the Service Provider operate certain services and pages of the website through a firm in business relation with him, the operating partner of the Service Provider – acting on behalf and in representation of the Service Provider to the benefit of the Service Provider – collects personal information, the handling of which is also subject  to the provisions of this Privacy Policy.

(11) Should the website maintain joint services with some of its content provider partners, the right of using personal information is shared but the provisions of this Data Management Policy – in line with the rules related to data management with identical contents required in the contractual relation with the partner – shall also apply.

(12) In the case of data management tasks referred to in paragraphs (7)-(11) the data manager and the data processing entity, respectively, shall explicitly be referred to in the course of data supply and/or data processing.

(13) Particulars and contact data of data processing entities:

Name: DBI Szoftver Kft (memory space provider)
Seat: 4034 Debrecen, Vágóhíd utca 2. 4. épület 2. emelet

The Service Provider reserves the right of involving further data processing entities in addition to those listed above, assumed that the Service Provider will make accessible to those concerned the name and address of such further data processing entity not later than at the beginning of data processing.

 

6. Rights of Persons Affected

(1) The Person Affected may request the Data Manager to:
a) provide information about the management of his/her personal information,
b) correct his/her personal information, and
c) delete or lock his/her personal information – except for compulsory data management.

(2) Upon the request of the  Person Affected the Data Manager provides written information about the  particulars of the Person Affected managed by  the Data Manager and/or by the data processing entity hired by him, about their source, the purpose of data management, its legislative basis, term, about the name and address of the data processing entity as well as its activity in relation with data management, furthermore – in the event of forwarding the particulars of the Person Affected – about the legislative basis and the addressee of data transmission, not later than within 30 days reckoned from the submission of the related request.
This information is free of charge if the applicant has not submitted any information request in relation with the same area to the Data Manager in the current year. In other cases, the Data Manager shall establish a compensation, assumed that the compensation already paid has to be refunded if the information has been managed illegally or if the request for information has led to correction.

(3)
For controlling the lawfulness of the transfer of data and for informing the Person Affected, the Data Manager shall keep data transmission records indicating the time of forwarding of data managed by the Data Manager, the legislative basis and the addressee of data transmission, the scope of personal information forwarded as well as other information specified in the legislation requiring data management.

(4) Should the personal information not comply with reality and the personal information complying with reality is available to the Data Manager, the Data Manager shall correct the personal information.

(5) The personal data are to be deleted if:
a) their handling is unlawful;
b) upon the request of the Person Affected (except for compulsory data management);
c) they are incomplete or incorrect and this status cannot be remedied lawfully, assumed that  the law does not exclude deletion;
d) the purpose of data management has ceased or the legislative deadline for information storage has expired;
e) the court or the Authority has  ordered it.

(6) Instead of deleting them the Data Manager shall lock the personal data if the Person Affected has requested this or if it can be assumed on the basis of available information that deletion would violate the legitimate interests of the  Person Affected. Personal information locked in such a way can be managed only until the purpose excluding the deletion of the personal data under dispute applies.

(7) The Data Manager marks the personal information managed by him if the Person Affected challenges their correctness or accuracy but  the incorrectness or inaccuracy of the personal information cannot be established unambiguously.

(8) The Person Affected and all those shall be notified about the correction, locking, marking and deletion to whom the data had been forwarded for the purpose of data management. The notification can be omitted if this does not violate the legitimate interests of the  Person Affected in respect of the purpose of data management.

(9) Should the Data Manager not fulfil the request of the Person Affected for refusal of the request for correction, locking or deletion, the Data Manager shall communicate in writing the factual and legal reasons of the refusal of the request for correction, locking or deletion within 30 days following the reception of the request. In the event of refusal of the request for correction, locking or deletion the Data Manager shall inform the Person Affected about the possibilities of turning to court or to the competent Authority for legal remedy.

(10) The Person Affected can protest against the management of his/her personal data if:
a) the management or transmission of personal data is necessary exclusively for the fulfilment of the Data Manager’s legal obligations or the enforcement of the legitimate interest of the Data Manager, data receiver or a third entity, except for compulsory data management;
b) the use or transmission of personal information is aimed at direct marketing, poll or scientific research; and
c) in any other case specified by law.

The Data Manager – along with the simultaneous suspension of data processing – is obliged to investigate the protest within the shortest time but not later than within 15 days reckoned from the submission of the request and to inform the applicant on the outcome in writing. Should the protest be justified, the Data Manager is obliged to suspend data management – including further data recording and transmission – and to lock the data, and to notify all entities about the protest and the measures taken as well as about the reasons to whom the personal data affected by the protest have been forwarded earlier and who are obliged to take measures for the enforcement of the right to protest.

Should the Person Affected not agree with the decision of the Data Manager and/or if the Data Manager omits the deadline of 15 days, he/she can turn to court within 30 days reckoned from the related notification and/or from the last day of the deadline.

(11) The rights of the Person Affected referred to in this section 5 may be limited by law for the sake of the external and internal security of the state i.e. for the reasons of national defense, national security, prevention or prosecution of criminal offenses, punishment security, furthermore for the economic or financial interest of the  state or of local governments, the substantive economic or financial interests of the European Union as well as for the purpose of preventing and detecting  disciplinary and ethical offenses in relation with the exercising of profession, labor law and labor safety breaches – always  including control and supervision – furthermore for the sake of protecting the rights of the Person Affected or of others.

 

7. Possible remedies

(1) The Person Affected may turn for legal remedy to:
a.) the Office of the Privacy Commissioner  (1051 Budapest, Nádor u. 22.),
b.) the National Privacy and Freedom Authority
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, Pf. 5.
Telephone: 06 -1- 391-1400
Telefax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
c.) the court of justice competent according to the home or the  place of residence of the Person Affected.
In proceeding the court shall give priority to the case. The lawfulness of data management has to be proven by the Data Manager while the lawfulness of the reception of data has to be proven by the entity having received the data.

If the court accepts the application,  the court shall oblige the Data Manager to provide information, to correct, lock or delete the information,  to make the decision made by automated data processing null and void,  to take into consideration the right of protesting of the Person Affected as well as to hand out the data requested by the entity specified in article 21.§ of the Info act.
Should the court refuse the request of the receiving entity in cases specified in article 21.§ of the Info act, the Data Manager is obliged to delete the personal data of the Person Affected within 3 days reckoned from the communication of the decision.
The Data Manager is also obliged to delete the personal data if the receiver of the data does not turn to the court within the deadline specified in paragraph (5) or (6) of article 21.§ of the Info act. The court may order the publication of its decision also indicating the Data Manager’s particulars – if privacy interests and the rights of a relatively large number of affected persons protected by this act require this.

(2) The Data Manager is obliged to pay compensation for the damage caused to others by the unlawful management of the data of the Person Affected or by breaching the information security requirements. The Data Manager is also liable to the Person Affected for the damages caused by the data processing entity. The Data Manager is exempt from liability if he verifies that the damage has been caused  by any unavoidable reason falling outside the scope of data management.
The Data Manager does not need to compensate the damage if it has resulted from the intentional or gross negligence of the damaged person.