PRIVACY AND DATA PROCESSING POLICY

BalaSys IT Zrt. (1117 Budapest, Alíz utca 4., company registration number: 01-10-141679) (hereinafter: the Company ) handles various personal data in the course of its day-to-day business operations.

  • Data controller: BalaSys IT Zrt.
  • Representative of the data controller: Sándor Cseledi
  • Contact details: headquarters 1117 Budapest, Alíz utca 4., email address: info@balasys.hu
  • Data protection officer: The data controller does not have a data protection officer

The purpose of these regulations is to define the scope of personal data managed by the Company and the method of data processing, as well as to ensure the enforcement of data protection and data management principles and data security requirements, in particular Regulation (EU) 2016/679 of the European Parliament and the European Council (hereinafter: GDPR ) and Act CXII of 2011 on the right to information self-determination and freedom of information. (hereinafter: Privacy Act).

1. INTERPRETATIVE PROVISIONS

1.1. Data controller:

a natural or legal person who, within the framework of a law or a binding act of the European Union, determines the purposes and means of the processing of personal data, either individually or in association with others.

1.2. Data handling:

any operation on personal data or files, whether automated or non-automated, in particular the collection, recording, systematization, storage, alteration, interrogation, use, transmission, restriction or even deletion, or any combination of such operations.

1.3. Personal data:

any information relating to an identified or identifiable natural person ("data subject").

1.4. Data processor:

a natural or legal person who, within the framework and under the conditions laid down by law or a binding act of the European Union, processes personal data on behalf of or at the direction of the data controller.

a voluntary, specific and duly informed and unambiguous statement of the will of the data subject, by which he or she indicates his or her consent to the processing of personal data concerning him or her by means of a statement or an act which unequivocally expresses the confirmation.

1.6. Recipient:

the persons, bodies with whom the natural data have been or will be communicated.

DATA MANAGEMENT

A.) PRE-EMPLOYMENT AND OTHER DATA-PROCESSING ACTIVITIES

A.1. Data management prior to the establishment of the employment relationship

Data management prior to the establishment of the employment relationship is carried out in connection with the previous tendering procedure.

Legal basis: consent of the data subject

Objective: to evaluate the application, to conclude an employment contract

Relevant data: name, address, place of birth, time, education, professional qualifications, telephone number, email address, photo of data subject

Data subjects: persons applying for the job

Duration: Once an employee has been selected, the purpose of data processing for non-selected candidates will cease, which means that applicants' personal data must be deleted immediately, unless the person concerned has explicitly consented to the retention of his or her data and his or her personal contact for possible future employment.

Recipient: the person exercising the employer's authority, the employee(s) performing the human resources policy task

Legal basis: legitimate economic interest of the Company, taking into account the results of the balancing test required by the GDPR (GDPR Article 6 paragraph 1) point f))

Purpose:

  • adequate protection of the Company's property, ensuring the safety of persons and property;
  • in order to protect human life, bodily integrity and property, to prevent and detect violations, to commit the perpetrator and to prove the violations, to ensure adequate labor protection;
  • identification of unauthorized persons entering the Company's territory, recording the fact of entry, documenting the activities of unauthorized persons;
  • an examination of the circumstances of any accidents at work and other accidents which may occur;
  • verifiability of compliance with occupational safety and health rules;
  • control of technological processes;
  • fact-finding to establish possible liability.

Data in question:

  • In connection with the camera system: the facial image of the persons entering the Company's territory and other personal data recorded by the surveillance system (time and place of entry and exit).
  • In connection with the access control system: it can be linked to a given person based on the number on the card, in this way the access data can be retrieved for a given person.

Data subjects: persons entering the territory of the Company

Duration: Three working days in the absence of use in connection with the camera system [2005 CXXXIII. Act., otherwise known as SzVMt. Pursuant to Section 31 (2)]. Use is considered to be the use of recorded image, sound or image and sound recordings and other personal data as evidence in court or other official proceedings.

In connection with the access control system:

  • in the event of regular access, the identification data immediately upon termination of the right to access; in the case of occasional entry, it must be destroyed twenty-four hours after departure.
  • data generated during operation (e.g. date of entry) in the case of regular entry, upon termination of the right to enter, but not later than six months after the creation of the data; in the case of occasional entry, shall be destroyed 24 hours after departure.

Recipient: the Company's senior executives, system administrator, employees performing personal and property protection tasks, data processors

B.) REGULATORY DATA PROCESSING ACTIVITIES

Legal basis: fulfillment of a legal obligation, (Section 159 (1) of Act CXXVII of 2007)

Purpose: to determine the mandatory data content of an invoice, to issue an invoice, to perform related accounting tasks.

Data in question: the name, address and tax number of the Company's natural person's customers, buyers and suppliers

Data subjects: the Company's natural person's customers, buyers and suppliers

Duration: 8 years from the termination of the contract (business relationship)

Recipient: employees issuing invoices as job responsibilities, employees performing accounting activities, data processors, senior official

Legal basis: fulfillment of a legal obligation (Section 50 (1) of Act CL of 2017)

Purpose: to prepare tax and contribution returns

Data in question: senior official of the Company, employees, their family members as defined in Article 50 Section (2), Highlighting the natural identification data of the natural person (including the previous name and title), gender, citizenship, tax identification number of the natural person sign, social security identification sign

Data subjects: senior executives of the Company, employees, their family members

Duration: 8 years from the end of the legal relationship

Recipient: employees, data processors, senior executives of the Company performing accounting and payroll activities as job responsibilities

C.1. Information on the data of visitors to the Company's website

A cookie is a packet of variable content, alphanumeric information sent by a web server that is stored on a user's computer and stored for a predetermined period of time. The cookie allows the web server to recognize the device used to browse and the history of browsing the website. With the help of cookies, the Company can get an idea of the user's website visits, internet usage habits and history. Cookies do not contain any personal data that can be used to identify users of the Website, they are only used to identify the user's computer.

Users of the Website have the opportunity to set what types of cookies the Website may use. During the visit, the Website collects data using cookies. By visiting the Website, the user can accept with one click that the Website uses cookies in accordance with our privacy policy. If the user disables or deletes cookies on their computer in their own browser, thereby restricting the usability of the Website (or certain parts thereof), the settings previously specified on the Website may be lost.

The user can also change the cookie settings in their browser at any time later.

Cookies required

The Required Cookies are absolutely necessary for the basic operation of the Website, they facilitate its use and collect information about its use without identifying the users.

The Company handles these cookies in the legitimate interest of the Website.

Performance cookies

With the help of Performance Cookies, the Company analyzes the habits and behavior of visitors in tomorrow in order to improve and improve the services and content of the Website.

COOKIE NAME (DOMAIN)PURPOSE OF APPLICATIONSTORAGE TIMELEGAL BASIS
YSC (youtube.com)The YouTube cookie is used to measure views of videos inserted with the EMBED code.SessionA legitimate interest in analyzing user habits anonymously.

The Website uses the cookies of the following service providers for statistical purposes:

Google Analytics - Google LLC

Google Analytics can be used to track Website activity, such as session duration, pages per session, bounce rate, etc., and information about the source of traffic.

Detailed information about Google Analytics is available at the following link: https://www.google.com/analytics/terms/us.html

Hotjar

A service used for heat map analytics that collects information about the location of clicks and the movement of the mouse

Detailed information about the Hotjar service is available at the following link:

https://www.hotjar.com/cookies

Functional cookies

With the help of functional cookies, the Website remembers the users' previous settings, data, information and other website usage habits, so that they do not have to be entered again the next time and the use of the website is more convenient. Cookies that facilitate the operation of certain functions of the Website (e.g. the sharing of content published on the Website via social media interfaces) are considered functional cookies.

COOKIE NAME (DOMAIN)PURPOSE OF APPLICATIONSTORAGE TIMELEGAL BASIS
na_id (addthis.com)Addthis.com's cookie allows you to share links on social sites like Facebook and Twitter.1 year 24 daysUser consent
ouid (addthis.com)Issued by Addthis, it aims to allow the sharing of the content of a website across various networking and social media interfaces.1 year 24 daysUser consent
Anj (adnxs.com)The anj contains cookie data that indicates whether the cookie ID is in sync with users.3 monthsUser consent

These cookies provide the opportunity to display advertisements to the user that are relevant to the user's interests, as well as to display and send personalized content and advertisements to the user by analyzing the use of the Website.

Within this, the purpose of the use of cookies related to advertisements is to enable the Company to select the advertisements that are most interesting or important to the users of the Website, and to be able to measure the success of the Company's campaigns.

The Website uses the cookies of the following service providers for advertising purposes:

COOKIE NAME (DOMAIN)PURPOSE OF APPLICATIONSTORAGE TIMELEGAL BASIS
__ss (balasys.hu)SharpSpring cookie of the marketing automation platform. It is used to track users and submitted forms (such as questionnaires).1 dayUser consent
__ss_referrer (balasys.hu)SharpSpring cookie of the marketing automation platform. It is used to track users and submitted forms (such as questionnaires).1 hourUser consent
__ss_tk (balasys.hu)Perfect Audience's cookies. Websites with the same ad space are used to display ads on other ad slots within the network.25 yearsUser consent
IDE (doubleclick.net)Google DoubleClick uses information to store information about how a user uses the website and any other advertisements before they visit the website. Its purpose is to encounter relevant ads based on the user's individual profile.1 year 24 daysUser consent
koitk (.marketingautomation.services)SharpSpring cookie of the marketing automation platform. It is used to track users and submitted forms (such as questionnaires).10 yearsUser consent
pa_crosswise_ts (.prfct.co)The Perfect Audience cookie is used for advertising purposes based on user behavioral data.2 yearsUser consent
pa_google_ts (.prfct.co)The Perfect Audience cookie is used for advertising purposes based on user behavioral data.2 yearsUser consent
pa_openx_ts (.prfct.co)The Perfect Audience cookie is used for advertising purposes based on user behavioral data.2 yearsUser consent
pa_rubicon_ts (.prfct.co)The Perfect Audience cookie is used for advertising purposes based on user behavioral data.2 yearsUser consent
pa_twitter_ts (.prfct.co)The Perfect Audience cookie is used for advertising purposes based on user behavioral data.2 yearsUser consent
pa_uid (.prfct.co)Perfect Audience's cookies. Websites with the same ad space are used to display ads on other ad slots within the network.2 yearsUser consent
pa_yahoo_ts (.prfct.co)The Perfect Audience cookie is used for advertising purposes based on user behavioral data.2 yearsUser consent
personalization_id (.twitter.com)Used by Twitter.com. Allows you to integrate page sharing options. It is also used to store information that shows how a user uses the website for tracking and targeting.2 yearsUser consent
test_cookie (.doubleclick.net)Published by doubleclick.net. Its purpose is to determine whether a user's browser is suitable for handling and using cookies.15 minutesUser consent
uid (.addthis.com)It measures website traffic and visitation habits based on anonymous data. This data identifies the number of visits, average length, number of views of subpages, etc. to refine your preference-based ads.1 year 24 daysUser consent
uuid2 (.adnxs.com)An AppNexus cookie that stores information that helps you distinguish between devices and websites. This information is used to filter out the ads offered by the platform, summarize the performance of the ads, and assign payment features to them.3 monthsUser consent
VISITOR_INFO1_LIVE (.youtube.com)The cookie used by Youtube.com allows you to track information about videos inserted with EMBED code on external websites.5 months 27 daysUser consent
CONSENT (.youtube.com)
16 years 8 monthsUser consent
i (.openx.net)
1 yearUser consent
  • Linkedin

LinkedIn is a social media interface for building business and professional relationships. The Company uses LinkedIn primarily for recruiting and accessing human resources.

Detailed information about LinkedIn is available at the following link:

https://www.linkedin.com/legal/cookie-policy

  • Sharpspring

A system used when using Sharpspring marketing automation services.

Detailed information about the Sharpspring service is available at the following link:

https://help.sharpspring.com/hc/en-us

  • Xandr (formerly AppNexus)

Xandr offers online infrastructure and technology for data management, optimization, financial accounting, and support for directly coordinated advertising campaigns.

Detailed information about the Xandr service is available at the following link:

https://www.xandr.com/privacy/cookie-policy/

  • Google Doubleclick

An integrated advertising platform that enables the Company to more effectively create, manage, and distribute digital marketing campaigns.

Detailed information about Google Doubleclick is available at the following link:

https://www.google.com/intl/hu/policies/privacy

  • YouTube

Video-sharing portal. The Company uses the portal to share video content (product videos, presentations, tutorials) and to stream online events.

Detailed information about YouTube (Google Group) is available at the following link:

https://policies.google.com/?hl=en

Setting cookies in the user's browser

Modern browsers allow you to change "cookie settings". Some browsers automatically accept cookies by default, but this setting can also be changed to prevent the user from automatically accepting them in the future. In the event of a switch, the browser will continue to offer the option to "set cookies" each time.

The Company draws the users' attention to the fact that since the purpose of cookies is to support and facilitate the usability and processes of the Website, by disabling cookies, the Company cannot guarantee that the user will be able to fully use all functions of the Website. In this case, the Website may work differently in the browser than planned.

Information about the cookie settings of the most commonly used browsers can be found at the following links:

  • Chrome

https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=hu

  • Chrome (Mobile)

https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DAndroid&hl=hu

  • Edge

https://support.microsoft.com/hu-hu/help/4027947/microsoft-edge-delete-cookies

  • Firefox

https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito

  • Safari (desktop devices)

https://support.apple.com/hu-hu/guide/safari/sfri11471/mac

  • Safari (mobile devices)

https://support.apple.com/hu-hu/HT201265

C.2. Fill in the registration form

Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by filling in the registration form and ticking the text "I register".

Purpose:

  • applying for an event or training organized by the Company
  • getting to know the contents (professional articles, studies) available on the Website after registration

Data in question: name, email address, telephone number, job title, country

Data subjects : any natural person who registers on the Website as described above

Duration: until withdrawal of consent, but not exceeding 5 years

Recipient: the Company's customer relations and event management staff, data processors, senior executive

C.3. Data management during information requests and requests for quotations

Legal basis: consent of the data subject

Purpose: identification, contact, quotations

Data in question: name, telephone number, email address, job title, country

Data subjects: all natural persons who request information, an offer and provide their personal data in connection with the services and products of the Company through the Website.

Duration: up to 1 year after the information has been provided or the offer made

Recipient: customer service staff, data processors, senior official

C.4. Subscribe to newsletter

Legal basis: prior and explicit consent of the data subject

Purpose: to send email newsletters containing commercial advertising to those interested, to display marketing messages, to provide information on current information and promotions related to the Company's products and services, direct marketing inquiries,

Data in question: name, email

Data subjects: individuals who contribute to the sending of newsletters

Duration: personal data must be deleted immediately after unsubscribing from the newsletter or withdrawing the data subject's consent

Recipient: marketing staff, senior executives, contributors used to send newsletters

C.5. Fill in the contact form

Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by completing and submitting the contact form.

Purpose: contact, request for information, preparation for concluding a contract

Data in question: name, email address, telephone number, job title, country

Data subjects: any natural person who fills in and sends the contact form on the Website as described above

Duration: until withdrawal of consent, but not exceeding 5 years

Recipient: the Company's customer relations staff, data processors, senior executive

C.6. Request a trial

Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by completing and submitting the contact form.

Purpose: to test a trial version of a product

Data in question: name, email address, telephone number, country

Data subjects: any natural person who completes and submits the Trial Request Form on the Website as described above

Duration: until withdrawal of consent, but not exceeding 5 years

Recipient: the Company's customer relations staff, data processors, senior executive

C.7. Training registration

Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by filling in and submitting the training registration form.

Purpose: To participate in specific training

Data in question: name, email address, telephone number, country, company name, position, company address, contact form

Data subjects: any natural person who fills in and sends the training registration form on the Website as described above

Duration: immediately after the training

Recipient: the Company's customer relations staff

C.8. Using the Chatbot application

Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by using the chatbot application, providing and sending personal data.

Purpose: To answer specific questions

Data in question: name, email address

Data subjects: any natural person who fills in the chatbot application available on the Website and sends his/her questions as described above

Duration: deleted immediately after the question has been answered on the merits

Recipient: the Company's customer relations staff

INFORMATION IN ACCORDANCE WITH ARTICLE 13 (F) OF THE GDPR ON TRANSMISSION OF DATA TO THIRD COUNTRIES

Balasys IT Zrt. uses the software of SharpSpring (https://sharpspring.com/contact-us/) in its sales activities. The data controller stores in this system the personal data of the data subjects indicated above and re-listed below:

We collect the following personal information:

  • Name and contact information, such as last name and first name, email address, mailing address, telephone number
  • Computer, device, and contact information, such as IP address, browser type and version, and location

Pursuant to Article 13 Paragraph f) of the GDPR, the data controller Balasys IT Zrt. informs its affected customers that during the application of the SharpSpring software, the data controller transfers the personal data indicated above to a third country. The data controller also informs data subjects that the transfer is possible under Article 46 (1) of the GDPR, given that the processor has provided the following appropriate guarantees: The controller has entered into a model contract with SharpSpring containing general data protection clauses: https://sharpspring.com/legal/eu-standard-contractual-clauses/ Stored data is stored primarily in data centers in the United States, and this data can be accessed by both U.S. and SharpSpring international resources during the customer relationship. In addition, we would like to draw the attention of our esteemed affected customers to the fact that they may exercise their rights listed in Section 3 of the Policy as affected at any time.

INFORMATION IN ACCORDANCE WITH ARTICLE 22 OF THE GDPR

Pursuant to Article 22 of the GDPR, Balasys IT Zrt., as data controller, informs the affected customers that in order to make automated decisions, using the SharpSpring software:

  • We collect usage information, such as behavioral information, about how the affected customer navigates between services or products and which elements of these online sites you use most often; and collects information about the goods or services you wish to order, wish lists, preferences, and interests, etc., in order to provide the most personalized service to our customers.
  • (1) In addition, we send newsletters and direct advertising messages to our affected customers through this system if they consent.
  • (2) The information provided through the chatbot application is also collected in the SharpSpring system as well
  • (3) online contact forms are also handled in SharpSpring.

Here again, we draw the attention of our esteemed affected customers to the fact that they may at any time exercise the rights listed in Section 3 of the Regulations as affected.

D.) OTHER DATA MANAGEMENT ACTIVITIES

D.1. Contract management data management activities

The Company handles the personal data of the natural persons contracting with it – customers, customers, suppliers – in connection with the contractual relationship.

Legal basis: performance of contract

Purpose: to maintain contact, to enforce claims arising from the contract, to ensure compliance with contractual obligations

Data in question: name, address, registered office, telephone number, email address, tax number, bank account number

Data subjects: all natural persons who enter into a contractual relationship with the Company.

Duration: 8 years from the end of the legal relationship

Recipient: Customer service and accounting staff, data processors, senior executives

D.2. Other data processing

After subscribing to an attendance sheet or event available at events organized by the Company, newsletters will only be sent if the subscribers have expressly consented as individuals, or the email address provided at the time of subscription is an email address of a legal entity and cannot be linked to a natural person and does not contain personal information.

In other cases, sending a newsletter or invitation is only possible with the consent of the contract or the existence of a direct partnership, if no personal data can be linked to the partner's email address.

The Company is obliged to provide information on data processing not listed in these regulations when recording the data.

The Company shall provide personal data to the authorities, provided that the authority has indicated the exact purpose and scope of the data, only to the extent and to the extent strictly necessary to achieve the purpose of the request.

3. RIGHTS OF STAKEHOLDERS

The data subject may request information on the handling of his or her personal data, as well as request the correction of his or her personal data, - with the exception of mandatory data processing - deletion, revocation, exercise the right to carry data and protest in the manner indicated at the time of data collection.

Right to information: The Company shall take appropriate measures to provide the data subject with all information concerning the processing of personal data referred to in Articles 13 and 14, Articles 15 to 22 and Article 34 of the GDPR shall be provided in a concise, transparent, comprehensible and easily accessible form, in a clear and understandable manner.

The right to be informed can be exercised in writing through the contact details of the Company written in these regulations. Upon request, the data subject may be provided with oral information upon verification of his or her identity.

Right of access of the data subject: The data subject has the right to receive feedback from the Company as to whether the processing of his or her personal data is in progress, and if such data processing is in progress, he or she has the right to access the personal data and the following information:

  • the purposes of data management;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom or with whom the personal data have been or will be communicated;
  • the intended period for which the personal data will be stored;
  • the right to rectify, erase or restrict data processing and to protest;
  • the right to lodge a complaint with the supervisory authority;
  • information on data sources;
  • the fact of automated decision making, including profiling.

The Company shall provide the information within a maximum of one month from the submission of the application.

Right of rectification: The data subject may request the correction of inaccurate personal data concerning him or her handled by the Company without undue delay and the addition of incomplete data.

Right of cancellation: The data subject has the right to have his or her personal data deleted without undue delay at the request of the Company if one of the following reasons exists:

  • personal data are no longer required for the purpose for which they were collected or otherwise processed;
  • the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
  • the data subject objects to the processing and there is no overriding legitimate reason for the processing;
  • personal data have been processed unlawfully;
  • personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the Company;
  • personal data was collected in connection with the provision of information society services.

Deletion of data cannot be initiated if data management is required:

  • for the purpose of exercising the right to freedom of expression and information;
  • to fulfill an obligation under Union or Member State law applicable to the Company to process personal data or to perform a task carried out in the public interest or in the exercise of a public authority conferred on the Company;
  • in the field of public health, or for archival, scientific and historical research or statistical purposes, in the public interest; or
  • to file, enforce or defend legal claims.

Right to restrict data processing: At the request of the data subject, the Company restricts data processing if one of the following conditions is met:

  • the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period which allows the accuracy of the personal data to be verified;
  • the processing is unlawful and the data subject opposes the deletion of the data and instead requests that their use be restricted;
  • the Company no longer needs personal data for the purpose of data processing, but the data subject requests it in order to submit, enforce or protect legal claims; or
  • the data subject has objected to the processing; in this case, the restriction shall apply for as long as it is established whether the legitimate reasons of the Company take precedence over the legitimate reasons of the person concerned.

Where processing is restricted, personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the European Union or a Member State.

The Company shall inform the data subject in advance of the lifting of the restriction on data management.

Right to data: The data subject has the right to receive personal data concerning him or her made available to the Company in a structured, widely used, machine-readable format and to transfer this data to another data controller if the data processing is based on consent or contract and data management is automated.

Right to protest: The data subject has the right to object at any time, for reasons related to his or her situation, to the processing of personal data in the public interest or in the exercise of public authority or to the legitimate interests of the Company or a third party, including provisions-based profiling. In the event of a protest, the Company may no longer process personal data unless it is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims.

Where personal data are processed for the purpose of direct business acquisition, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for that purpose, including profiling, in so far as it relates to direct business acquisition. In the event of an objection to the processing of personal data for the purpose of direct business acquisition, the data may not be processed for this purpose.

Automated decision-making in individual cases, including profiling: The data subject has the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects or would be similarly significant for him or her.

The above authority does not apply if the data management

  • is necessary for the conclusion or performance of the contract between the data subject and the Company;
  • is made possible by any European Union or Member State law applicable to the Company, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
  • based on the express consent of the data subject.

Right of withdrawal: The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal.

Right to redress:

  • Right to go to court:

In the event of a violation of his or her rights, the data subject may apply to a court, as a result of which, in the event of a violation of the law, the data subject may claim compensation or damages in addition to the court enforcing the data subject's obligations. The court is acting out of turn in the case.

  • Data protection authority procedure:

Complaints can be lodged with the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf .: 9.
Phone: 06.1.391.1400
Fax: 06.1.391.1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

4. RULES OF PROCEDURE

The Company will protect the processed data (such as name, e-mail address, telephone number, job title, country, email address) with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction by third parties, as well as against accidental destruction and damage and inaccessibility due to changes in the technology used.

In case of questions, remarks or complaints related to data management, or if they wish to exercise any of the above rights, they may do so by sending an email to info@balasys.hu or by post to the Company. (1117 Budapest, Alíz utca 4.)

The Company shall, without undue delay, but in any case within one month from the receipt of the request, inform the data subject of the action taken on the request. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Company shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.

If the Company does not take action at the request of the data subject, without delay, but no later than within one month from the receipt of the request, inform the data subject of the reasons for non-action and that the data subject may file a complaint with the supervisory authority and have legal remedies.

The Company shall provide information in accordance with Articles 13 and 14, Articles 15 to 22 and Article 34 of the GDPR (feedback on the processing of personal data, access to processed data, rectification, supplementation, deletion, restriction of data processing, data portability, protest against data processing, information on the data protection incident) to the data subject free of charge.

If the data subject's request is manifestly unfounded or, – in particular due to its repetitive nature – excessive, the Company may charge a reasonable fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or action or taking the requested action. The burden of proving that the application is manifestly unfounded or excessive is on the Company.

If the Company has reasonable doubts as to the identity of the natural person submitting the application, it may request the provision of additional information necessary to confirm the identity of the data subject.

If the data subject has complaints about the processing of personal data that have not been resolved by the Company, the data subject may contact the National Data Protection and Freedom of Information Authority in Hungary (see Data Protection Authority procedure above).

5. RULES RELATING TO DATA PROCESSORS RESPONSIBLE BY THE COMPANY

The Company uses an external data processor in connection with the personal data it manages in order to perform the following tasks:

  • fulfillment of tax and accounting obligations,
  • operation and maintenance of a website, activities related to marketing and newsletters

The list of data processors is contained in Annex 1 to these Regulations.

In the course of their activities, data processors do not have the competence to make a substantive decision on data management, they may not perform data processing for their own purposes.

6. DATA SECURITY PROVISIONS

Principles for implementing data security

The Company may process personal data only in accordance with the activities set out in these regulations, in accordance with the purpose of data management.

The Company ensures the security of data, in this context it undertakes to take all technical and organizational measures that are essential for the enforcement of data security legislation, data and confidentiality rules, and to establish the procedural rules necessary for the enforcement of the legislation specified above.

The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, as well as becoming inaccessible due to changes in the technology used.

The Company keeps records of the data it manages in accordance with the applicable legislation, ensuring that the data can be accessed only by those employees and other persons acting in the Company's interest who need it in order to perform their job or duties.

Protection of the Company's IT records

The Company shall take the following necessary measures for the implementation of data security with regard to its IT records: a. Provide permanent protection against the computer files it manages (uses real-time anti-virus software). b. Provide physical protection for IT system hardware devices, including protection against elemental damage. c. Ensure the protection of the IT system against unauthorized access, both in terms of software and hardware devices. d. Take all measures necessary to restore the data files, perform regular backups, and perform separate, secure management of the backups.

Protection of the Company's paper records

The Company will take the necessary measures to protect the paper records, in particular with regard to physical security and fire protection.

The Company's manager, employees and other persons acting on behalf of the Company are obliged to securely store and protect the data carriers they use, including personal data, regardless of the method of recording the data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and against accidental destruction and damage.

Incident management procedure

The purpose of the procedure is to facilitate the handling of events that violate data protection in connection with the operation of the Company in a unified system. To this end, the Rules of Procedure set out the concepts, procedures and measures that ensure how an event that violates data protection during the operation of the Company is handled, and promotes the prevention of the recurrence of such an event. (Annex 3)

The adoption and amendment of these regulations is the responsibility of the Company's management.

Budapest, 2021.

BalaSys IT Zrt. rep. Sándor Cseledi, CEO

Annexes:

  1. Annex: Register of data processors
  2. Annex: Data deletion and disposal rules
  3. Annex: Incident Management Procedures

Annex 1

NAME OF DATA PROCESSORDATA PROCESSOR CONTACTACTIVITY
Fabo-Markt Kft.1097 Budapest, Vaskapu u. 1/E., +36-1-246-1357Fulfillment of tax and accounting obligations