On the processing of personal data of Clients
The Data Subject must be notified about the processing prior to the start of processing. If requested, the Privacy Notice must be made available to the Data Subject in electronic or paper form. As for the management of the contracting process, if, after contracting, the Data Subject objects to processing, this may result in the cancellation of the contract.
Processing the personal data of Clients
In compliance with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as: General Data Protection Regulation or GDPR), ATTRACT Kft. as the Data Controller hereby notifies its Clients about the processing of their personal data.
Company name of the Controller: ATTRACT Kft.
Address of the Controller: H-7622 Pécs, Siklósi út 1/1.
Tax number of the Controller: 11777364-2-02
Company registration no. of the Controller: 02-09-066227
Telephone number of the Controller: +36 72 551 642
E-mail address of the Controller: firstname.lastname@example.org
Name of the data protection officer (if any): –
Contact details of the data protection officer: –
Categories of data processed, the purpose and legal basis of processing
|Description of personal data||Purpose of processing||Legal basis of processing|
|Surname and first name, telephone number||Getting in touch, calling back and answering the caller’s questions||Article 6, paragraph (1), item (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (after the Data Subject has given their voluntary, explicit and prior consent based on information provided thereto)|
|Surname and first name, telephone number||Getting in touch, answering the e-mail of the sender||Article 6, paragraph (1), item (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (after the Data Subject has given their voluntary, explicit and prior consent based on information provided thereto)|
|Surname and first name, billing and shipping address||Conclusion of the sales contract, fulfilment of the order, invoicing and delivery (purchase without registration), and invoicing of the repair fees for non-warranty repairs||Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) Article 6, paragraph (1), item (b) to (c) (performance of contractual and legal obligations), Section 169, item (c) of Act CXXVII of 2007 on Value Added Tax and Section 167, paragraph (1), items (a) to (j), and Section 169, paragraph (1) of Act C of 2000 on Accounting|
|Profile picture, comments, likes||Communication with visitors on the Data Controller’s own Facebook page||Article 6, paragraph (1), item (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (after the Data Subject has given their voluntary, explicit and prior consent based on information provided thereto)|
|Surname and first name, e-mail address||eDM registration by ticking the appropriate box|
|Surname and first name, e-mail address, shipping address, telephone number||Customer service: all operations related to the order of the Data Subject (sales, marketing, technical coordination, logistics, accounting, etc.), return of the repaired equipment if necessary||Customer service is a service provided by the Controller as part of the contract with the Data Subject, for the performance of which the Controller processes the personal data of the Data Subject for the performance of the contract pursuant to Article 6, paragraph (1), item (b) of Regulation (EU) 2016/679 of the European Parliament and of the Council.|
|Surname and first name, e-mail address||Filling in a post-purchase marketing questionnaire for a discount coupon|
In addition to the above, the personal data of the Data Subject may also be accessed by employees of the Controller to the extent and for the duration necessary for the performance of their duties at work.
The Data Controller operates a Facebook page in order for the Data Controller, as an entrepreneur, to inform its followers about its activities from time to time. The Facebook page also contains advertisements and prize draw invitations relating to the Controller as an undertaking and to the offers of the Controller’s partners.
The personal data generated on the Facebook page (first and last name, possibly profile picture, comments) – similar to contact by phone or e-mail – are processed by the Data Controller with consent in order to contact your followers, pursuant to Article 6, paragraph (1), item (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Using cookies on the website
Cookies are information packages consisting of letters and numbers, sent by websites to the browser of the user to
- save certain settings,
- make it easier to use the website, and
- help the operator of the website – the Data Controller – to collect some important statistical information about visitors.
The cookies do not contain personal information and cannot be used to identify the user individually. Cookies often contain a unique identifier, a secret, randomly generated sequence of numbers, that is stored on the website visitor’s device. Some cookies are deleted after the website is closed and some are stored on the website visitor’s device for a longer period of time.
Users can forbid all cookie-related activities and delete data files placed during their previous visits. The user’s browser will provide instructions on how to do this.
When certain parts of the website are downloaded, the Data Controller automatically places small data files, sometimes containing personal data of the visitor, on the visitor’s computer via Google Analytics, a visitor analytics software operated by Google Ireland Ltd (“Google”). This is notified to the user when they first visit the site, and the Data Controller asks for their consent, in accordance with current legislation.
The data files are necessary for the operation of certain functions of the website, and the information is transferred to the operator. For more information on the exact names of these data files (_ga, _gat, _gid), see the table below. Google Analytics stores the IP number obtained through the browser anonymously and cannot link it to the user. The data is kept for 2 years, which period will start again if a new event occurs in relation to the user.
By clicking on the links below, the user can find out how to access the cookie management menu for the most commonly used browsers (Mozilla Firefox, Google Chrome, Internet Explorer):
Browser programs accept cookies by default, but you can also choose to reject cookies automatically, or to indicate when they are received.
Detailed information about the cookies used by the website is provided in the attached table.
Details of the cookies used on this website
Cookies necessary for operation
Functional cookies allow the visitor to use the website as intended (for example: to navigate the site or to visit secure parts of the website). Without functional cookies being enabled, the website cannot function properly.
Statistical cookies help the site operator to understand visitors’ interactions by collecting anonymised data.
Marketing cookies collect information about the content a visitor reads. The purpose of cookies in this category is to allow the website operator to display relevant content and advertisements to the visitor, thereby enhancing user experience on the website.
Unclassified cookies are data packages individually developed by the website operator.
Withdrawal of consent
The Controller’s processing (as defined above) is based on consent for the following operations:
- contact by telephone or e-mail;
- subscribing to eDM (electronic direct marketing message);
- producing visitor statistics;
- managing comments and likes on the Facebook page.
The consent given by the Data Subject may be withdrawn at any time, as simply as the consent had been given. In the case of contacting, the Controller will ask the Data Subject to request the deletion of their data by sending a short message to email@example.com. The processing prior to the withdrawal of consent is considered lawful.
The contractual and legal obligation
The Data Controller is legally obliged to issue an invoice for the service with specific data content, so the keeping of billing data and the issuing of the invoice is a legal obligation. If the Data Controller does not receive the legally required data from the Data Subject, it cannot provide the service contracted. The legal basis for the processing is the fulfilment of the legal obligation of the Controller pursuant to Article 6, paragraph (1), item (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council, Section 169, item (c) of Act CXXVII of 2007 on Value Added Tax, and Section 167, paragraph (1), item (a) to (j), and Section 169, paragraph (1) of Act C of 2000 on Accounting.
The Data Controller draws the attention of the Data Subject to the fact that during the period of archiving the records and documents relating to the contract of sale, the Data Controller cannot ensure the Data Subject’s right to erasure.
Duration of data processing (storage)
- Surname and first name, billing address: for companies, the current year + 8 years, which is fixed by law (Section 169, paragraph (1) of Act C of 2000 on Accounting).
- In the case of cookies from the website, until the cookie expires or until the user deletes it from their browser (24 months for GA traffic statistics).
- In the case of a Facebook page operated by the Controller, until the Data Subject’s consent is withdrawn (by clicking the “Like” button again).
- Unsubscribing from eDM: by clicking on the “Unsubscribe” button in the eDM, as simply as subscribing had been made.
Profiling during data processing
No profiling is being performed during data processing.
Automated decision-making during data processing
No automated decision-making is being performed during data processing.
Source of the personal data processed
The personal data processed by the Controller come directly from the Data Subject.
Other data processing
The Data Controller shall provide information on the processing of data not listed in this notice at the time of recording the data. The Controller informs the Data Subject that the authorities and other bodies authorised by law may contact the Controller for the purpose of providing information, communicating or transmitting data or documents. However, in this case, the Controller shall disclose personal data only to the extent strictly necessary for the purpose of the request.
Data are transferred to:
|Category||Company name, registered seat, activity|
|Processors (entities performing the technical tasks related to processing operations)||Erste Bank Hungary Nyrt. (seat: H-1138 Budapest, Népfürdő utca 24-26.) – Account management Pintér-Audit Könyvvizsgáló Kft. (seat: H-7634 Pécs, Kovács Béla utca 6.) – Accounting KBOSS.hu Kft. (seat: H-1031 Budapest, Záhony utca 7/C) – szamlazz.hu account K3NET Kft. (seat: H-7634 Pécs, Kétágú utca 7) – Webshop operation Réder & Réder Kft. (seat: H-7624 Pécs, Jurisics Miklós utca 5. 3. em. 8) – System administrator and hosting services DIGI Távközlési és Szolgáltató Kft. (seat: H-1134 Budapest Váci út 35.) – Fixed-line internet services MiniCRM Zrt. (seat: H-1075 Budapest, Madách Imre út 13-14.) – Customer relationship management software Microsoft Ireland Operations Ltd. (One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 / Microsoft Corporation, 15010 NE 36th Street, Microsoft Campus Building 92, Redmond, WA 98052) – MS Office365 provider Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland) – Running the Facebook page of the Data Controller, receiving Messenger messages, running targeted Facebook campaigns Google Ireland Limited (Legal Department Gordon House, Barrow Street, Dublin 4, Dublin, D04E5W5, Ireland) – Production of visitor statistics Hotjar Ltd (Dragonara Business Centre. 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141. Malta) – Production of visitor statistics The Rocket Science Group LLC (Atlanta, GA, 675 Ponce De Leon Ave NE #5000, United States of America – sending eDm Telenor Magyarország Zrt. (seat: H-2045 Törökbálint, Pannon út 1.) – Management of company fleet telephones|
|Processors (entities performing the technical tasks related to processing operations)||Magyar Telekom Nyrt. (seat: H1097 Budapest, Könyves Kálmán krt. 36.) – Provision of fixed telephone services|
|Recipients (the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed)||GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (seat: H-2351 Alsónémedi, Európa u. 2.) – Home delivery of parcels UPS Magyarország Szállítmányozó Kft. (seat: H-2220 Vecsés, Lőrincz út 154. Airport City Logistics Park, G. épület) – Home delivery of parcels B2C Europe (Netherlands) B.V. (seat: Zuiderzeelaan 80, Weesp 1382 JW, the Netherlands) – Postal parcel delivery for returned goods from EU Member States|
|Third (non-EU) countries||Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland) – Operating the Facebook page of the Data Controller, processing Messenger messages, implementing targeted Facebook campaigns Google Ireland Limited (Legal Department Gordon House, Barrow Street, Dublin 4, Dublin, D04E5W5, Ireland) – Preparing visitor statistics The Rocket Science Group LLC (Atlanta, GA, 675 Ponce De Leon Ave NE #5000, United States of America – sending eDm Microsoft Ireland Operations Ltd. (One Microsoft Place, South County Business Park Leopardstown Dublin 18, D18 P521 / Microsoft Corporation, 15010 NE 36th Street, Microsoft Campus Building 92, Redmond, WA 98052) – MS Office365 provider|
|Category||Company name, registered seat, activity|
|Célzott marketingkampányok kivitelezése||Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, D02X525, Ireland) – Operating the Facebook page of the Data Controller, implementing targeted Facebook campaigns|
Access to data and data security measures
Restriction of access: Documentation containing personal data is handled with appropriate security measures in place, and the scope of persons authorized for access is restricted. In the context of company processes, documentation containing personal data is stored separately in a structured system. Hardcopy documentation is stored in a lockable office. The office is equipped with an alarm system for property protection and personal safety purposes.
Data security measures: A business e-mail system is used in the data processing process. Cloud-based storage is protected by access right management and password protection. Data are transferred to controllers via this platform. The network is protected by virus protection and firewalls. Security backups are made at regular intervals. Personal data are stored in a structured system, in the software used by the company. Central password and access right management is in place.
The Data Controller shall choose the IT tools it uses in such a way that the data processed are accessible to those authorised to access them, their authenticity is ensured, their integrity is verifiable, and they are protected against unauthorised access.
The Data Controller’s IT system and network are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and attacks that could lead to denial of service. The Data Controller ensures security through server-level and application-level protection procedures.
Electronic messages transmitted over the internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity or the disclosure or modification of information. The Controller shall take all reasonable precautions to protect against such threats. It monitors systems in order to record any security discrepancies and to provide evidence of any security incidents. However, it is well known – and therefore, known to those concerned – that the internet is not 100% secure. The Data Controller is not liable for any damage caused by an indefensible attack, despite the utmost care.
Rights of the Data Subject
Right to request and receive information – The Data Subject has the right to request and receive information on the method of personal data processing prior to the start of processing.
Right to rectification – The Data Subject has the right to request the rectification of personal data, if the personal data stored at the Controller are untrue or incorrect and they can prove this.
Right to access – The Data Subject has the right to request from the Controller the personal data stored concerning the Data Subject.
Right to data portability – The Data Subject has the right to request the personal data stored concerning them digitally, in a table form.
Right to review automated decision-making – The Data Subject has the right to request the manual review of all processes where the Controller has used automated decision-making with legal effect concerning the Data Subject.
The Data Subject has the right to lodge complaints with the data protection authority. The Data Subject may turn to the Hungarian National Authority for Data Protection and Freedom of Information as follows:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) [HungarianNational Authority for Data Protection and Freedom of Information]
Seat: H-1055 Budapest, Falk Miksa utca 9-11.
Postal address: H-1374 Budapest, Pf.: 603.
Telephone number: +36 (1) 391-1400
Fax number: +36 (1) 391-1410
The provisions on legal remedy are set out in Act CXII of 2011 on Informational Self-Determination and Freedom of Information.
If the Data Subject has objected to processing, the Controller investigates the objection within the shortest time possible from the submission of such request, but within 15 days at the latest, makes a decision on the substantiation of the request and informs the applicant of the decision in writing. If the Data Subject does not agree with the decision made by the Controller, or if the Controller fails to observe the above due date, the Data Subject has the right to turn to the court within 30 (thirty) days of the communication of the decision or from the deadline specified.
In the event of the violation of their rights or in the above cases, the Data Subject may file action with a court against the Controller. The court proceeds in the action as a matter of urgency. Alternatively, such proceedings may also be brought before the court competent according to the Data Subject’s residence or place of stay. Entities or persons that otherwise have no legal capacity may also be parties to the court action. The data protection authority may intervene in the proceedings in the interest of a ruling in the Data Subject’s favour.
The Controller shall compensate for any and all damage caused by the unlawful processing of the Data Subject’s data or a breach of the data security requirements. If the Controller violates the Data Subject’s privacy through the unlawful processing of the Data Subject’s data or a breach of the data security requirements, the Data Subject may claim compensation from the Controller. The Controller is also liable for damage caused to the Data Subject by the processor, and the Controller shall also pay the Data Subject compensation for any breach of the Data Subject’s personal rights by the processor.
The Controller is released from the liability for the damage caused and the obligation to pay compensation for personality rights breach if the Controller can prove that the damage was caused or the Data Subject’s personal rights were violated due to a cause beyond its reasonable control and the scope of processing. The damage shall not be paid and no compensation may be claimed if the damage was caused or the violation of rights caused by the violation of the personality rights arose from the wilful misconduct or gross negligence of the Data Subject.
Date and place of entry into force: Pécs, 09 November 2021