Privacy Notice

Purpose of the Privacy Notice

Full name: SIXAY Interior Design Services and Trading Company Ltd.

Registered office.

Company registration number: 08-06-004901

Tax number: HU22473064

Place of data processing: 9400 Sopron, Béke út 15.

Contact details of the data controller

E-mail: info@sixay.com; telephone: +36 (99) 505 990

Website address: www.sixay.com

The controller acknowledges that the contents of this legal notice bind it. The purpose of this Privacy Notice is to inform its customers, partners and clients about the processing of their personal data. The Data Controller shall process personal data only in accordance with the provisions of applicable law and in strict compliance with its data management and data protection regulations, taking into account the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation.

The data controller shall take all technical and organizational measures to ensure that the personal data of its partners are processed securely as required by Regulation (EU) 2016/679 of the European Parliament and the Council.

The data controller has developed its day-to-day activities, policies, records, templates and information documents in accordance with the above.

The data protection policies relating to the controller's processing are permanently available at the controller's headquarters and on its website. The controller reserves the right to change this notice at any time. Of course, any changes to this privacy notice will be communicated to those concerned.

Personal, material, and temporal scope of the privacy notice

The personal scope of this Privacy Notice applies to the controller and to the natural persons whose data are included in the processing covered by this Notice, as well as to persons whose rights or legitimate interests are affected by the processing.

The subject matter of this Notice covers all processing that takes place in the course of the business, other commercial and service activities of the controller. The processing of personal data relating to other activities of the controller is governed by a separate Privacy Notice and by the controller's Privacy Policy.

This Policy shall enter into force on the date of approval and shall remain in force indefinitely until further notice.

Definitions

Data subject: any specified natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;

Data subject's consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her;

Personal data: data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inferences which can be drawn therefrom regarding the data subject;

Personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

Restriction of processing: the marking of stored personal data for the purpose of restricting their future processing.

Profiling: any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict characteristics associated with the performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of that natural person;

Pseudonymisation: the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organizational measures are taken to ensure that no natural person who is identified or identifiable can be linked to that personal data;

Filing system: means a set of personal data, structured in any way, whether centralized, decentralized, or structured according to functional or geographical criteria, which is accessible based on specified criteria;

Recipient: the natural or legal person, public authority, agency, or any other body, whether or not a third party, to whom or with whom the personal data are disclosed. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;

Controller: means a natural or legal person or an unincorporated body which, alone or jointly with others, determines the purposes for which the data are processed, takes and implements decisions regarding the processing (including the means used) or has them implemented by a processor on its behalf;

Data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, such as collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure and destruction, as well as prevention of further use of the data, taking of photographs, audio or video recordings, or recording of physical characteristics that can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

Transfer: making data available to a specified third party;

Disclosure: making the data available to any person;

Data erasure: rendering data unrecognizable in such a way that it is no longer possible to retrieve it;

Data marking: means the marking of data with an identification mark to distinguish them;

Data blocking: the marking of data with an identifier to limit their further processing permanently or for a limited time;

Data destruction: the complete physical destruction of a data medium containing data;

Data processing (by a processor): the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

Processor: means a natural or legal person or an unincorporated body which, under a contract with the controller, including a contract concluded under a legal provision, carries out the processing of data;

Third party: a natural or legal person or unincorporated body other than the data subject, the controller or the processor;

Third country: any State which is not an EEA State.

Lawful processing by the controller

Personal data are processed by the controller only in the following cases:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. the processing is necessary for the performance of a contract to which the data subject is a party;
  3. the processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.

The controller shall verify the lawfulness of processing at all stages of its activities and shall process only data for which it can justify the purpose and legal basis, and only for as long as is necessary to fulfil the purposes for which the data are processed.

If the conditions of a legal basis cease to apply, the processing may only be resumed if the controller can demonstrate an adequate alternative legal basis.

As a general rule, the legal basis is justified in writing, but even where a legal basis is established by implied conduct, it should be examined whether it can be clearly justified after the fact. In case of doubt, for reasons of reasonableness and economy, written confirmation of the implied conduct should be sought.

In the case of processing based on consent, the data subject gives his or her written consent to the processing of his or her personal data. Consent is not subject to formal requirements, but so that it can be proved later, it should be recorded in writing, on paper or electronically.

Processing based on a legal basis is independent of the data subject's consent, as the processing is defined by law.

Even where processing is mandatory, the individual concerned must be informed before the processing starts that the processing is mandatory and cannot be avoided, and must be provided with clear and detailed information on all relevant facts concerning the processing of his or her data before the processing starts.

According to the GDPR (General Data Protection Regulation), personal data may also be processed where the processing is necessary for the performance of a contract to which the individual concerned is a party or where the processing is necessary for the purposes of taking steps at the request of the data subject before entering into a contract. The controller may process personal data for the purposes of the conclusion, performance, or termination of the contract based on the legal basis for performance of the contract.

Processing of personal data by the controller

The data controller offers its customers custom furniture manufacturing and sales services. While carrying out these activities, the controller comes into contact with the personal data of natural persons. It carries out the following processing activities:

The Data Controller may be contacted for quotations by telephone or website. When requesting a quote, the data controller asks for the name of the customer, his/her telephone number, e-mail address and the main parameters of the property. The legal basis for the processing of personal data obtained in this way is the creation of a contract (Article 6(1)(b) of the General Data Protection Regulation). If the data subject does not use the services of the controller, the controller will delete the personal data without delay and within 3 working days at the latest. By attending a training session, a contractual relationship is in fact established between the parties. The legal basis for the processing of personal data is the fulfilment of contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) and the fulfilment of legal obligations when issuing the invoice (Article 6(1)(c) of the General Data Protection Regulation). The invoice will contain the name, address and possibly the tax number of the data subject. The invoice is issued by the controller in order to fulfil a legal obligation with this legal basis. The controller shall act in accordance with the provisions of the law with regard to the storage of the personal data contained in the invoice, which shall be kept for 8 years.

The contractual partners of the controller may be both natural and legal persons. The conclusion of a contract is preceded by a request for a proposal by telephone, e-mail, or using the form on the controller's website. The legal basis for the processing of personal data is the establishment of a contract (Article 6(1)(b) of the General Data Protection Regulation). If the data subject orders the service offered and accepts the controller's General Terms and Conditions, a contractual relationship is established between the parties. When the contracts are concluded, the controller will have access to additional personal data of individuals (partners and contacts). The legal basis for the processing is the performance of the contractual obligation (Article 6(1)(b) of the General Data Protection Regulation), and in the case of a contact person of a legal person, the consent of the data subject (Article 6(1)(a) of the General Data Protection Regulation). The controller issues an invoice for the services provided. The invoice shall contain the name, address and, where applicable, the tax number of the data subject. The issuing of the invoice is a legal obligation of the controller. The legal basis for the processing of personal data on the invoice is therefore the fulfilment of a legal obligation (Article 6(1)(c) of the General Data Protection Regulation). The controller shall act in accordance with the legal provisions as regards the storage of personal data on the invoice and shall store them for 8 years.

In the performance of its tasks, the data controller shall process the e-mail addresses and telephone numbers of its partners and clients to fulfill its contractual obligations (Article 6(1)(b) of the General Data Protection Regulation) or based on their consent (Article 6(1)(a) of the General Data Protection Regulation).

Data processors

Where the processing is carried out on behalf of the controller, the controller may only use processors that offer adequate guarantees of compliance with the requirements of the General Data Protection Regulation or implement appropriate technical and organizational measures to ensure the protection of the rights of data subjects.

The controller hereby declares that during its work, it will only use processors that offer adequate guarantees of compliance with the GDPR and implement appropriate technical and organizational measures to protect data subjects' rights. The relevant declarations of the data processors are available to you.

The contracted data processing and data management partners process the personal data of the partners exclusively based on the instructions given by the data controller (except where a legal requirement applies) and under an obligation of confidentiality.

By reading and accepting this Privacy Notice, data subjects agree that the controller may transfer their data to the processors and joint controllers listed below.

The data processor is the accounting firm employed by the controller:

Éva Horváth sole proprietor

9400 Sopron, Ferenczy János u. 6. 1st floor, door 11

The data controller's partner for issuing invoices:

Cobra-Conto Accounting Trade and Service Ltd.

1138 Budapest, Népfürdő utca 19/C.

The company hosting the website of the data controller is also a data processor:

MediaCenter Hungary Kft.

6000 Kecskemét, Erkel Ferenc utca 5.

Companies providing courier services:

GLS GENERAL LOGISTICS SYSTEMS HUNGARY KFT.

2351 Alsónémedi, GLS Európa utca 2.

UPS Hungary Kft.

2220 Vecsés, Lőrinci u. 154.

The company providing electronic payment at the controller:

Kereskedelmi és Hitelbank Zrt.

1095 Budapest, Lechner Ödön fasor 9.

Data processor due to the use of the Google Analytics service on the website of the data controller:

Google Ireland Limited

Gordon House, Barrow Street, Dublin 4, Ireland

The controller's mail server is also a data processor:

Google Ireland Limited

Gordon House, Barrow Street, Dublin 4, Ireland

Facebook is a processor and joint controller due to the use of the Facebook page and group and the social plug-ins built into the website:

Facebook Ireland Ltd.

4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland

Visitor data processing on the company's website

Cookies are short data files placed on the user's computer by the website visited. The purpose of the cookie is to make the particular infocommunication or internet service easier and more convenient. There are several types, but they generally fall into two broad categories. One is the temporary cookie, which is placed on the user's device by the website only during a particular session (e.g., during the security identification of an online banking transaction), and the other is the persistent cookie (e.g., a website's language setting), which remains on the computer until the user deletes it. According to the European Commission's guidelines, cookies [unless strictly necessary for the use of the service] can only be placed on the user's device with the user's permission.

In the case of cookies that do not require the user's consent, information should be provided during the first visit to the website. The full text of the cookie notice doesn't need to appear on the website, but it is sufficient for website operators to briefly summarise the substance of the notice and provide a link to the full notice.

In the case of cookies requiring consent, the information may also be linked to the first visit to the website, if the processing of data associated with using cookies starts as soon as the page is visited. Where the use of the cookie is linked to the use of a function explicitly requested by the user, information may also be provided about the use of that function. Even in this case, it is not necessary for the full text of the cookie notice to be displayed on the website; a summary of the substance of the notice and a link to the full notice are sufficient.

The use of cookies on the website should be disclosed to the visitor in the privacy notice. Using this notice, the Company ensures that the visitor can be informed, before and at any time during the use of the information society services of the website, of which types of data the Company processes and for which purposes, including the processing of data that cannot be directly linked to the user.

Community Policy / Data management on the Company's Facebook page

The Company maintains a Facebook page to publicize and promote its products and services.

A question on the Company's Facebook page does not constitute a formal complaint.

Personal data posted by visitors to the Company's Facebook page is not processed by the Company.

Visitors are subject to Facebook's Privacy Policy and Terms of Service. In the event of the publication of illegal or offensive content, the Company may exclude the person concerned from membership or delete their posts without prior notice.

The Company shall not be liable for any illegal content or comments posted by Facebook users. The Company shall not be liable for any errors, malfunctions or problems resulting from changes in the operation of Facebook.

Data processing in connection with the organization of prize draws

If the Company organizes a gift draw (Article 23 of Act XXXIV of 1991), it may process the name, address, telephone number, e-mail address, online identifier of the natural person concerned, based on his/her consent. Participation in the game is voluntary. Consent to data processing may be requested by filling in the data request form per Annex 1 to these Regulations.

The purpose of processing personal data is to identify and notify the winner of the prize draw and to send the prize. Legal basis for processing: consent of the data subject.

Recipients or categories of recipients of personal data: employees of the Company performing customer service tasks, employees of the Company's IT service provider performing server services as data processors, and employees of the courier service.

Duration of storage of personal data: until the prize draw is closed.

Data processing for direct marketing purposes

Unless otherwise provided for by a separate law, advertising may be communicated to a natural person as the recipient of the advertising by means of direct contact (direct marketing), in particular by electronic mail or other equivalent means of individual communication, subject to the exceptions laid down in Act XLVIII of 2008, only if the recipient of the advertising has given his or her prior, clear and express consent.

For the purpose of sending advertising, the Company may process the following personal data of the natural person: name, address, telephone number, e-mail address, and online identifier.

The purpose of the processing of personal data is to carry out direct marketing activities related to the Company's activities, i.e. sending advertising publications, newsletters, and current offers in printed (postal) or electronic form (e-mail), periodically or regularly, to the contact details provided at the time of registration.

Legal basis for processing: consent of the data subject.

Recipients and categories of recipients of personal data: employees of the Company performing customer service tasks, employees of the Company's IT service provider performing server services as data processors, and employees of the Post Office in the case of postal delivery.

Duration of storage of personal data: until consent is withdrawn.

The data request form in Annex 1 to this Policy may be used for consent to data processing for direct marketing purposes.

Contact form used on the website

The website of the controller allows the visitor to contact the controller. You can use the contact form to indicate your interest in the services of the controller. In the contact form, the name, e-mail address and telephone number of the visitor must be provided. By filling in the form, the data subject declares that he/she has read the Controller's Privacy Notice. The personal data provided for this purpose will be processed by the data controller solely for the purpose of contacting the data subject. After contacting the data subject, the controller shall delete the interested party's personal data without undue delay and within 3 working days at the latest. The legal basis for this processing is the establishment of a contract (Article 6(1)(b) of the General Data Protection Regulation).

The data subject declares on the controller's website that he/she is at least 16 years of age in relation to using the customer contact form. A person under the age of 16 may not contact the controller via the customer contact form, given that, pursuant to Article 8(1) of the GDPR, the validity of his or her consent to processing requires the consent of his or her legal representative. The controller cannot verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided is accurate.

Newsletters

The controller's website also allows visitors to subscribe to a newsletter. By subscribing to the newsletter, the visitor declares that he/she has read the Controller's Privacy Policy and that he/she gives his/her consent to the processing of his/her personal data for marketing purposes (sending the newsletter). The data subject shall have the rights set out in the Data Protection Notice and shall be able to exercise those rights in the manner and at the places indicated therein. Accordingly, the legal basis for the processing of personal data in the context of sending the newsletter is the explicit and written consent of the subscriber (Article 6(1)(a) of the General Data Protection Regulation).

The purpose of the processing in connection with the sending of the newsletter is to provide the recipient with complete general or personalized information on the latest news, events, and content on the website, in accordance with the applicable legislation. The subscription to the newsletter and/or the sending of the newsletter for DM purposes is based on voluntary consent; the controller will, of course, give the data subject the possibility to withdraw his/her consent and unsubscribe from the newsletter at any time.

The data subject declares on the controller's website that he/she is at least 16 years of age when subscribing to the newsletter. A person under the age of 16 may not subscribe to the newsletter, given that, pursuant to Article 8(1) of the GDPR, the validity of his/her declaration of consent to processing requires the consent of his/her legal representative. The data controller is not in a position to verify the age and entitlement of the person giving consent, so the data subject warrants that the data he or she has provided are accurate.

Data security measures

The company is obliged to take the technical and organisational measures and to establish the procedural rules necessary to enforce the Regulation and the Infotv.

The Data Controller shall take appropriate measures to protect the data against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or access.

The undertaking shall classify and process personal data as confidential. It imposes a duty of confidentiality on its employees in relation to the processing of personal data, subject to the clause in Annex 10. The undertaking shall restrict access to personal data by setting levels of authorization.

The undertaking shall protect its IT systems with firewalls and virus protection.

The undertaking shall carry out electronic data processing and recording by means of a computer program which meets the requirements of data security. The programme ensures that access to the data is restricted to those persons who need it for the performance of their tasks and under controlled conditions.

When personal data are processed automatically, the controller and the processor shall take additional measures to ensure:

a) the prevention of unauthorised access;

b) the prevention of the use of automated data-processing systems by unauthorised persons by means of data transmission equipment;

c) the verifiability and ascertainability of the bodies to which personal data have been or may be transmitted by means of a data transmission installation;

d) the verifiability and ascertainability of which personal data have been introduced into automated data-processing systems, when and by whom;

e) the recoverability of the installed systems in the event of a failure; and

f) the reporting of errors in automated processing.

The undertaking shall ensure that incoming and outgoing communications by electronic means are monitored in order to protect personal data.

Documents in the course of work or processing shall be accessible only to competent administrators, and personnel, payroll, employment and other documents containing personal data shall be kept securely locked.

Adequate physical protection shall be ensured for the data, equipment, and documents.

Rights and remedies

Right to prior information: The data subject has the right to be informed of the facts and information relating to the processing before the processing starts.

Right of access for the data subject: The data subject has the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and related information as set out in the Regulation.

The right to rectification: the data subject shall have the right to obtain, upon his or her request, the rectification of inaccurate personal data relating to him or her by the Controller without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

Right to erasure ("right to be forgotten") 

The right to restriction of processing: The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if the conditions set out in the Regulation are fulfilled.

Obligation to notify rectification or erasure of personal data or restriction of processing: the Controller shall inform all recipients of any rectification, erasure or restriction of processing to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the data subject of these recipients.

The right to data portability: Under the conditions set out in the Regulation, the data subject shall have the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data.

The right to object: The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation.

Automated decision-making in individual cases, including profiling: The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Restrictions: Union or Member State law applicable to the controller or processor may, by way of legislative measures, restrict the scope of the rights and obligations provided for in Articles 12 to 22 and Article 34 of the Regulation.

Remedies

If you become aware of processing that would violate your rights, it is advisable to send your comments to the head of the company before initiating legal proceedings, as this will give the Controller the opportunity to rectify the situation on its own initiative.

If you experience unlawful processing, you can bring a civil action before a court. The regional court (törvényszék) has jurisdiction to hear the case. You may also bring the action before the court of your place of residence if you so choose. You can find a list of courts and their contact details at the following link: http://birosag.hu/torvenyszekek

In the event of unlawful processing, you can also initiate an investigation with the supervisory authority (NAIH), whose contact details are:

The President of the National Authority for Data Protection and Freedom of Information (NAIH):

Attila Péterfalvi

Address: 1055 Budapest, Falk Miksa u. 9-11.

Phone number: +36 (1) 391 1400

Fax: +36 (1) 391 1410

Website: http://www.naih.hu

E-mail address: ugyfelszolgalat@naih.hu

Data protection incident

Data Breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The most common incidents reported may include, for example: loss of a thumb drive, laptop or mobile phone; unsecure storage of personal data (e.g. payment slips thrown in the trash); unsecure transmission of data; unauthorised copying or transmission of patient, customer and partner lists; attacks against servers; hacking of websites.

The prevention and handling of data breaches and compliance with relevant legal requirements is the responsibility of the business manager.

Access and attempted access to IT systems should be logged and analysed on an ongoing basis.

If the controller's supervisory employees detect a data protection incident in the course of their duties, they must immediately notify the head of the service provider.

The controller's employees must report to the head of the undertaking or the person exercising employer's rights if they observe a data protection incident or an event suggesting such an incident has occurred.

A data protection incident can be reported to the central e-mail address or telephone number of the enterprise, where employees, contractors, and data subjects can report the underlying events or security weaknesses.

In the event of a data breach notification, the head of the company, if necessary with the involvement of an IT or operations manager, shall immediately investigate the notification, identify the incident, and decide whether it is a real incident or a false alert. It should be investigated and determined:

- the time and place of occurrence of the incident,

- the description of the incident, its circumstances, its effects,

- the scope and the number of data compromised during the incident,

- the number of persons affected by the compromised data,

- a description of the measures taken to remedy the incident,

- a description of the measures taken to prevent, remedy and mitigate the damage.

In the event of a data breach, the systems, persons and data involved shall be contained and isolated and care shall be taken to collect and preserve evidence that the breach occurred. Damage restoration and return to lawful operations can then begin.

Records of data breaches should be kept, including:

- the scope of the personal data concerned,

- the scope and number of persons affected by the personal data breach,

- the date of the personal data breach,

- the circumstances of the personal data breach and its effects,

- the measures taken to remedy the personal data breach,

- other data specified in the legislation providing for the processing.

Data relating to data breaches in the register shall be kept for 5 years. Details of the incidents are set out in the "Data Protection Incident Register".

Data protection incidents that are likely to pose a risk to the rights and freedoms of natural persons shall be notified by the controller to the competent supervisory authority pursuant to Article 33(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter "GDPR").

The GDPR requires the controller to notify a data protection incident to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention.

The National Authority for Data Protection and Freedom of Information (hereinafter: NAIH) has prepared a single online interface, the NAIH Incident Reporting System, available at the link below, with regard to the minimum content of the data breach notification requirements set out in Article 33(3) of the GDPR, for the purpose of fulfilling the notification obligation electronically.

http://www.naih.hu/adatvedelmi-incidensbejelento-rendszer.html

For data controllers who wish to submit a paper-based data breach notification, the NAIH provides a notification form available at the link.