
DATA PROTECTION POLICY AND GUIDE

 

1. General provisions

(1) In relation with the services provided on the http://www.grabarics.hu website and the websites accessible at other addresses (hereinafter: „the website”) operated by Grabarics Építőipari Kft. as Data Manager, the company acts on the basis of this Data Management Policy and Guide in the course of managing the information of natural persons.

By entering and using the website, the User recognizes the provisions of this Data Management Policy as compulsory for him.

   Data Manager in respect of this Policy:

  • Data Manager: Grabarics Építőipari Kft
  • Seat: 1053 Budapest, Reáltanoda u. 5.
  • Postal address: 1053 Budapest, Reáltanoda u. 5.
  • Electronic (e-mail) address: info@grabarics.hu
  • Court of registration: Fővárosi Törvényszék Cégbírósága
  • Registration number: 01-09-940225
  • Tax code: 11106485-2-41


(2) This Guide on data protection is aimed at determining the scope of personal information managed by the Data Manager and the mode of data management, and at ensuring the enforcement of constitutional privacy principles and the requirements of data security as well as avoiding unauthorized access to information and the changing and the unauthorized publication or use of information for the sake of respect for the private sphere of natural persons.

(3) For achieving the objectives set forth in paragraph (2), the Data Manager handles the personal information (particulars) of users confidentially in line with the requirements of prevailing regulations, provides for their security, takes the technical and organizational measures and develops the rules of procedure that are necessary to the enforcement of the related statutory provisions and other recommendations.

 

2. Legislative background

The Data Manager is obliged to observe the legislative requirements related to the management of personal information in each phase of data management. First of all, the provisions set forth in the following regulations apply to the handling of information by the Data Manager:

  • article 2:43§ (e) of act V of 2013 on the Civil Code
  • act CXII of 2011 on information-related self-determination right and information freedom („Privacy act”)
  • act CVIII of 2001 on certain questions of electronic trade service as well as services related to the information society („E-trade act”)
  • act XLVIII of 2008 on the basic conditions of business promotion activity and its restrictions („Prom. act”)
  • act VI of 1998 on the promulgation of the Convention on the protection of individuals in electronic data processing, dated in Strasbourg on 28 January 1981
  • act CXIX of 1995 on the handling of name and home address data serving for research and direct marketing („K&M act”)

 

3. Definitions

(1) person affected:  any natural person specified, identified or – directly or indirectly – identifiable  on the basis of personal information;

(2) personal information: data that can be related to the Person Affected – in particular the name, the ID code as well as information typical to one or several physical, physiological, mental, economic, cultural or social attributes – as well as conclusions that can be drawn from the data in relation with the Person Affected;

(3) approval: voluntary and decisive expression of the wish of the Person Affected, based on sufficient information, through which the Person Affected gives his unmistakable agreement to the management of his/her personal information – including all or certain operations;

(4) protest: statement, in which the Person Affected raises objection against the handling of his/her personal information and requests the termination of data management and/or the deletion of the information managed;

(5) data management: irrespective of the applied procedure, any or all operations performed on personal information, so e.g. the collection, recording, sorting, storage, change, use, forwarding, publication, harmonization or connection, locking, deleting and destroying of data as well as hindering the further use of information, making photographic, voice or image records, and recording of physical characteristics (e.g. finger or palm prints, DNA pattern, iris image) suitable for the identification of the Person Affected;

(6) data processing: performing technical tasks related to data management operations, irrespective of the method and means applied to implement the operations and of the site of application, assumed that the technical tasks are carried out on the information;

(7) data transmission:  making the information accessible for specified third entity;

(8) publication: making the information accessible for anyone;

(9) data manager: the natural person or legal entity and/or the organization without legal personality that has identified on its own or together with others the purpose of managing personal information, takes and implements or gets the appointed data processing staff implement the decisions related to data management (including the applied tool);

(10) data processing entity: the natural person or legal entity and/or the organization without legal personality that performs processing of information on a contractual basis – including contracts concluded on the basis of statutory provision;

(11) data deletion: making the information unrecognizable in such a way that their recovery is not possible anymore;

(12) data files:  the whole of information handled in a record;

(13) third person: the natural person or legal entity and/or the organization without legal personality that is not identical with the Person Affected, the data manager or the data processing entity.

 

4. The legislative basis of data management

The Data Manager handles the particulars of Persons Affected in line with the privacy regulations and on the basis of their approval, and

  • of article 13/A§ of act CVIII of 2001 on certain aspects of services related to the information society, and
  • of paragraph 6. § of act XLVIII of 2008 on the basic conditions and certain restrictions of the business promotion activity.

 

5. Scope of information managed, purposes and term of data handling

(1) This Data Protection Policy applies exclusively to the handling of the data of natural persons due to the fact that personal information (particulars) can only be interpreted in the context of natural persons.
The anonymous information collected by the Data Manager with the exclusion of personal implications which cannot be brought into connection with natural persons as well as the demographic data collected without any reference to the particulars of natural persons so as no connection can be created to natural persons shall not be considered personal information.

(2)  
Sending online messages, requesting offers:

On the website it is possible to request offers in relation to services provided by the Service Provider and any other information along with indicating the following particulars:

  • name
  • e-mail address
  • phone number

The purpose of data management: providing personalized services to Persons Affected and sending out offers requested by the Person Affected.

Anonymous user identification (cookie)
The Data Manager places onto the computer of the Person Affected an anonymous user identifier (cookie), which in itself is in no way able to identify the Person Affected; it serves exclusively for the recognition of the hardware of the Person Affected. Name, e-mail address or any other personal information are not needed since the User does not disclose his/her particulars to the Data Manager when using the application, and data exchange takes place exclusively between the two computers.

The Data Manager uses cookies in order to get familiar with the information using habits of the Persons Affected and to improve the standards of his services through this, and to display customized pages, marketing materials (commercials) for the user visiting the website.

Through setting his browser the Person Affected has the possibility of refusing the placement of individual identification marks (cookies) on his computer. The Person Affected understands that in the case of banning the cookies certain services will not work properly.

Use of community extensions (Facebook, Twitter, Linked-in)
In default situation the extensions are banned on the Portal. Extensions will only be allowed if the Person Affected clicks on the related key. By authorizing the extension, the Person Affected creates a link to the community site and approves the forwarding of his/her particulars to Facebook/Twitter/Linked-in.
If the Person Affected has logged in to Facebook/Twitter/Linked-in, it may happen that the specific community network associates his/her visit to the community account of the Person Affected.

If the Person Affected clicks on the proper key, his/her browser will forward the related information directly to the community network concerned and store it there.

Information about the scope and purpose of data collection, and about the users’ rights and settings aimed at the protection of his/her particulars in relation with the further processing and use of particulars by Facebook/Twitter/Linked-in can be found in the privacy statements of Facebook/Twitter/Linked-in.

Remarketing codes
The Service Provider uses Google Adwords as well as Facebook remarketing codes on the Portal. The remarketing code uses cookies for tagging the visitors of the Portal. The set cookie helps that advertisements related to the Service Provider’s products and services appear on other websites belonging to the Google Display network or on Facebook when the user of the Portal visits them later on.
The user may ban the cookies any time and personalize the advertisements on Google’s ads settings interface.


Log files
For the availability of services the system automatically logs the following information:

  • the dynamic IP address of the user’s computer
  • the type of the browser and operation system used depending on the settings of the user’s computer
  • the user’s activity related to the website

The use of these pieces of information serves technical reasons – like the analysis and later inspection of the safe operation of servers – on the one hand, and the Data Manager uses this information for compiling statistics on page use and for analyzing users’ demands in order to improve the standards of services, on the other hand.
The above information is not suitable for the identification of the user and the Data Manager does not connect it with other personal information.

(3) The Data Manager is allowed to handle personal information related to the Person Affected for purposes other than indicated above – so in particular for increasing the efficiency of his service or for market research – only after having specified the purpose of data management and with the agreement of the Person Affected.
These data must not be linked with the particulars of the Person Affected and must not be transmitted to third entities without the agreement of the Person Affected.
The Data Manager is obliged to delete this information if the purpose of data management has ceased or the Person Affected decides so.

(4) The Data Manager shall ensure that the user has the opportunity to know before and any time during using the service the purpose of data management and the types of information subject to data management, including the handling of information in no direct contact with the user.

(5) The legislative basis of data management performed by the Data Manager is in each case the approval of the Person Affected.

(6) Term of data management:
The information managed with the agreement of the Person Affected can be handled until the changing and/or withdrawal of the approval. Upon the expiry of the term of data management the Data Manager is obliged to delete the particulars of the Person Affected.
The Data Manager shall store the information related to orders – including the voice records made in the course of telephone transactions – for evidence in legal disputes, if any, until the general limitation period i.e. for 5 (five) years.
The Data Manager shall manage the information related to billing for the fulfillment of his accounting obligations for 8 (eight) years pursuant to article 169. § of act C of 2000 and until the limitation period specified in act XCII of 2003 on the tax regime, respectively.

(7) It may happen that for the provision of full services the Data Manager transmits certain particulars of the Person Affected to third party – on a provisional basis and with the required approval – for the purpose of data processing or data management, so in particular:

  • if online payment is effected via website, the Data Manager forwards the credit card / bank card number needed for payment to the financial service provider, without making records on it;
  • if in the case of products ordered via website, the Data Manager transfers the product to be delivered and the information needed for delivery to the partner contracted for transportation (delivery name and address). The partner contracted for transportation is considered data processor in relation with the transferred delivery information and must not use that information for any other purpose but only for the fulfillment of delivery.

(8) For the purpose of extracting independent attendance and other web analytical data from the website, the Service Provider uses Google Analytics software, therefore, Google Inc. acts as data processing entity in respect of this information. The Privacy Policy of Google Inc. is accessible on http://www.google.com/intl/hu_ALL/privacypolicy.html .
The user of the website services understands that by using the website he/she has given his/her approval to data processing by Google.

(9) Should services be concerned in the course of which the user shall forward personal information – so e.g. bank card number for online payment – for using the service, the Data Manager ensures a channel for providing adequate protection for such messages i.e. SSL-based connection.

(10) Should the Service Provider operate certain services and pages of the website through a firm in business relation with him, the operating partner of the Service Provider – acting on behalf and in representation of the Service Provider to the benefit of the Service Provider – collects personal information, the handling of which is also subject to the provisions of this Privacy Policy.

(11) Should the website maintain joint services with some of its content provider partners, the right of using personal information is shared but the provisions of this Data Management Policy – in line with the rules related to data management with identical contents required in the contractual relation with the partner – shall also apply.

(12) In the case of data management tasks referred to in paragraphs (7)-(11) the data manager and the data processing entity, respectively, shall explicitly be referred to in the course of data supply and/or data processing.

(13) Particulars and contact data of data processing entities:

Name: DBI Szoftver Kft (memory space provider)
Seat: 4034 Debrecen, Vágóhíd utca 2. 4. épület 2. emelet

The Service Provider reserves the right of involving further data processing entities in addition to those listed above, assumed that the Service Provider will make accessible to those concerned the name and address of such further data processing entity not later than at the beginning of data processing.

 

6. Rights of Persons Affected

(1) The Person Affected may request the Data Manager to:
a) provide information about the management of his/her personal information,
b) correct his/her personal information, and
c) delete or lock his/her personal information – except for compulsory data management.

(2) Upon the request of the Person Affected the Data Manager provides written information about the particulars of the Person Affected managed by the Data Manager and/or by the data processing entity hired by him, about their source, the purpose of data management, its legislative basis, term, about the name and address of the data processing entity as well as its activity in relation with data management, furthermore – in the event of forwarding the particulars of the Person Affected – about the legislative basis and the addressee of data transmission, not later than within 30 days reckoned from the submission of the related request.
This information is free of charge if the applicant has not submitted any information request in relation with the same area to the Data Manager in the current year. In other cases, the Data Manager shall establish a compensation, assumed that the compensation already paid has to be refunded if the information has been managed illegally or if the request for information has led to correction.

(3) For controlling the lawfulness of the transfer of data and for informing the Person Affected, the Data Manager shall keep data transmission records indicating the time of forwarding of data managed by the Data Manager, the legislative basis and the addressee of data transmission, the scope of personal information forwarded as well as other information specified in the legislation requiring data management.

(4) Should the personal information not comply with reality and the personal information complying with reality is available to the Data Manager, the Data Manager shall correct the personal information.

(5) The personal data are to be deleted if:
a) their handling is unlawful;
b) upon the request of the Person Affected (except for compulsory data management);
c) they are incomplete or incorrect and this status cannot be remedied lawfully, assumed that the law does not exclude deletion;
d) the purpose of data management has ceased or the legislative deadline for information storage has expired;
e) the court or the Authority has  ordered it.

(6) Instead of deleting them the Data Manager shall lock the personal data if the Person Affected has requested this or if it can be assumed on the basis of available information that deletion would violate the legitimate interests of the Person Affected. Personal information locked in such a way can be managed only until the purpose excluding the deletion of the personal data under dispute applies.

(7) The Data Manager marks the personal information managed by him if the Person Affected challenges their correctness or accuracy but the incorrectness or inaccuracy of the personal information cannot be established unambiguously.

(8) The Person Affected and all those shall be notified about the correction, locking, marking and deletion to whom the data had been forwarded for the purpose of data management. The notification can be omitted if this does not violate the legitimate interests of the Person Affected in respect of the purpose of data management.

(9) Should the Data Manager not fulfil the request of the Person Affected for refusal of the request for correction, locking or deletion, the Data Manager shall communicate in writing the factual and legal reasons of the refusal of the request for correction, locking or deletion within 30 days following the reception of the request. In the event of refusal of the request for correction, locking or deletion the Data Manager shall inform the Person Affected about the possibilities of turning to court or to the competent Authority for legal remedy.

(10) The Person Affected can protest against the management of his/her personal data if:
a) the management or transmission of personal data is necessary exclusively for the fulfilment of the Data Manager’s legal obligations or the enforcement of the legitimate interest of the Data Manager, data receiver or a third entity, except for compulsory data management;
b) the use or transmission of personal information is aimed at direct marketing, poll or scientific research; and
c) in any other case specified by law.

The Data Manager – along with the simultaneous suspension of data processing – is obliged to investigate the protest within the shortest time but not later than within 15 days reckoned from the submission of the request and to inform the applicant on the outcome in writing. Should the protest be justified, the Data Manager is obliged to suspend data management – including further data recording and transmission – and to lock the data, and to notify all entities about the protest and the measures taken as well as about the reasons to whom the personal data affected by the protest have been forwarded earlier and who are obliged to take measures for the enforcement of the right to protest.

Should the Person Affected not agree with the decision of the Data Manager and/or if the Data Manager omits the deadline of 15 days, he/she can turn to court within 30 days reckoned from the related notification and/or from the last day of the deadline.

(11) The rights of the Person Affected referred to in this section 5 may be limited by law for the sake of the external and internal security of the state i.e. for the reasons of national defense, national security, prevention or prosecution of criminal offenses, punishment security, furthermore for the economic or financial interest of the state or of local governments, the substantive economic or financial interests of the European Union as well as for the purpose of preventing and detecting disciplinary and ethical offenses in relation with the exercising of profession, labor law and labor safety breaches – always including control and supervision – furthermore for the sake of protecting the rights of the Person Affected or of others.

 

7. Possible remedies

(1) The Person Affected may turn for legal remedy to:
a.) the Office of the Privacy Commissioner  (1051 Budapest, Nádor u. 22.),
b.) the National Privacy and Freedom Authority
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, Pf. 5.
Telephone: 06 -1- 391-1400
Telefax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
c.) the court of justice competent according to the home or the  place of residence of the Person Affected.
In proceeding the court shall give priority to the case. The lawfulness of data management has to be proven by the Data Manager while the lawfulness of the reception of data has to be proven by the entity having received the data.

If the court accepts the application, the court shall oblige the Data Manager to provide information, to correct, lock or delete the information, to make the decision made by automated data processing null and void, to take into consideration the right of protesting of the Person Affected as well as to hand out the data requested by the entity specified in article 21.§ of the Info act.
Should the court refuse the request of the receiving entity in cases specified in article 21.§ of the Info act, the Data Manager is obliged to delete the personal data of the Person Affected within 3 days reckoned from the communication of the decision.
The Data Manager is also obliged to delete the personal data if the receiver of the data does not turn to the court within the deadline specified in paragraph (5) or (6) of article 21.§ of the Info act. The court may order the publication of its decision also indicating the Data Manager’s particulars – if privacy interests and the rights of a relatively large number of affected persons protected by this act require this.

(2) The Data Manager is obliged to pay compensation for the damage caused to others by the unlawful management of the data of the Person Affected or by breaching the information security requirements. The Data Manager is also liable to the Person Affected for the damages caused by the data processing entity. The Data Manager is exempt from liability if he verifies that the damage has been caused by any unavoidable reason falling outside the scope of data management.
The Data Manager does not need to compensate the damage if it has resulted from the intentional or gross negligence of the damaged person.