DATA PROTECTION STATEMENT OF FOTONATURA LTD.
1 Controller
Name: FOTONATURA Ltd.
Address: 6769 Pusztaszer, Mező Str 2/B, Hungary
Data controller’s representative: Bence Máté
Data controller’s contact re. data protection: office@matebence.hu
This statement is the controller’s unilateral commitment, based upon Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as well as the relevant member states’ regulations.
This statement may be unilaterally modified and/or revoked by the controller at any time, with simultaneous notification of the interested parties. The information is published on the website or, depending on the nature of the amendment, by direct notification of the interested parties.
2 Purpose of data management
2.1 Contact with partners, customers, and suppliers
User’s identification, their distinction from the other clients or interested parties; communications; participation in events and related services, quotes, contracts, contact data management.
Legal basis of data management: Enforcement of data controller’s legitimate interest in order to keep contact records for performance of contracts and agreements (Article 6 (1) f).
Scope of data processed: Name, address, e-mail address, phone number, unique identifier, type of contact
Planned deadline of processing: Until the last business day of the month of March of the 4th year following the termination of the partnership agreement or the objection of the interested party
Source of data: The interested party
2.2 Management of request of offer
Management and answering of questions, offers sent to the organization’s central email address or the employee’s personal email address. Sending offers.
Legal basis of data management: Enforcement of data controller’s legitimate interest (Article 6 (1) f). It is the controller’s legitimate interest to keep records of communications and contacts’ data prior to the agreement.
Scope of data processed: Name, address, e-mail address, phone number, unique identifier
Planned deadline of processing: Until the last business day of the month of March of the 2nd year from the receipt of the offer or the objection of the interested party
Source of data: The interested party
2.3 Issue of invoice and compulsory documentation related to the implementation of services
Issue of invoice and compulsory documentation related to the implementation of services.
Legal basis of data management: Controller’s compliance with legal obligations (Article 6 (1), c)
Scope of data processed: Billing name and address, e-mail address, contact name and position
Planned deadline of processing: At least 8 years
Source of data: The interested party
2.4 Management and filing of agreements
Management and filing of agreements related to the controller’s activity; management and keeping up-to-date the contracting party’s contact data; the contracting party’s authorized representative’s data and updating them.
Legal basis of data management: Controller’s compliance with legal obligations (Article 6 (1), f). Keeping records of the contact’s data is the controller’s legitimate interest.
Scope of data processed: Name, phone number, e-mail address, signature
Planned deadline of processing: Until the last business day of the month of March of the 4th year following the termination of the agreement or the objection of the interested party.
Source of data: The interested party
2.5 Advertisement of service(s), provision of information to partners, newsletters
Requests for new or renewed services, direct business acquisition and marketing for advertising purposes, surveys, invitations to marketing events, eDM, phone calls involving telemarketing services.
Legal basis of data management: The interested party’s consent (Article 6 (1) a)
Scope of data processed: Name, company name, e-mail, phone number
Planned deadline of processing: Until the withdrawal of the interested party’s consent
Source of data: The interested party
2.6 Registration to events
Management of events and registration related to the events organized by the controller.
Legal basis of data management: The interested party’s consent (Article 6 (1) a)
Scope of data processed: Name, company name, title, e-mail address, phone number, number of adult guests, number of underage (under 16 years of age) guests
Planned deadline of processing: Until the withdrawal of the interested party’s consent
Source of data: The interested party
2.7 Event photos and videos, their publication on social media platforms
The controller takes photos and videos of the events organized by them, which can be published on the controller’s website and Facebook page; furthermore, they can be stored in the controller’s own organizational databases.
Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller’s legitimate interest is the company’s personalized communication on their own website and social media.
Scope of data processed: face and body image
Planned deadline of processing: Until the interested party’s objection
Source of data: The interested party
2.8 Management and administration of orders
Administration of orders until the conclusion of the contract or the circumvention of the order.
Legal basis of data management: Implementation of agreement (Article 6 (1) b)
Scope of data processed: Name, address, e-mail address, phone number, unique identifier
Planned deadline of processing: Until the last business day of the month of March of the 4th year following the termination of the contract, or the objection of the interested party
Source of data: The interested party
2.9 Delivery of orders
Delivery by courier service, delivery to a courier service centre or delivery point.
Legal basis of data management: Implementation of contract (Article 6 (1) b)
Scope of data processed: Name, phone number, unique identifier
Planned deadline of processing: Until the expiration of withdrawal time, following the delivery
Source of data: The interested party
2.10 Operation of an electronic monitoring system
Protection of the security of the controller’s premises and property, of the health and property of their employees and visitors, and investigation of the circumstances of accidents and crimes that may occur.
Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller has a legitimate interest in managing the guests and employees’ personal data in order to protect its assets.
Scope of data processed: The image of a natural person, motion picture recording (hereinafter jointly referred to as ‘recordings’)
Planned deadline of processing: 1 week
Source of data: The interested party
2.11 Google Analytics
Measurement of website usage statistics.
Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller has a legitimate interest in monitoring website use in order to improve customer satisfaction and service.
Scope of data processed: The data transmitted are not suitable for the data subjects’ identification.
Planned deadline of processing: Until the objection of the interested party
Source of data: The interested party
2.12 Management of disclaimers
The Controller enters into a liability agreement with its customers concerning the services provided.
Legal basis of data management: Fulfilment of agreement (Article 6 (1) b)
Scope of data processed: Name, address, identifiable data
Planned deadline of processing: Until the implementation of the agreement
Source of data: The interested party
After the expiry of the deadline, the controller reclassifies it to the following data management purpose:
New purpose of data management: Enforcement of legal claims
Planned deadline of processing: Until the expiry of the general limitation period, but no later than the last business day of the month of March following the 4th year
2.13 Acknowledgement of the Covid-19 rapid test results
In order to protect the interested party or another natural person’s vital interests, a Covid-19 rapid test is made right before the use of service provided.
Legal basis of data management: Fulfilment of agreement (Article 6 (1) b)
Scope of data processed: Name, Covid test result
Planned deadline of processing: Until entering into contract
Source of data: The interested party
2.14 Ensuring IT business continuity and data backup
Operation of IT systems and infrastructure, including operation of workstations and network elements, archiving and backing up data as well as restoring them in the event of an emergency.
Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). It is the controller’s legitimate interest to supervise, maintain, assemble, troubleshoot, regularly back up and archive IT systems in order to maintain business continuity.
Scope of data processed: All categories of digital data collected or managed by the Organization
Planned deadline of processing: The Organization saves the data of the IT system for 30 days, and archives the data until the last business day of the month of March of the 2nd year following the backup.
Source of data: The interested party
2.15 Management of employee and customer data for legal and other claims
The controller shall retain employees’ and customers’ personal data, after they have been provided, for the purpose of asserting legal claims during the general limitation period.
Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) f). The controller has a legitimate interest in addressing legal and other claims relating to employee and customer data.
Scope of data processed: Personal data managed according to the individual data management purposes during the period of employment and the duration of the contract.
Planned deadline of processing: After the termination of the employment contract, no later than the last business day of the month of March following the 2nd full year; or after the termination of the customer agreement, no later than the last business day of the month of March following the 4th full year; or, in case of legal proceedings, 5 years after the conclusion of the legal proceedings.
Source of data: Reclassified from data collected for other data management purposes
2.16 Data management related to the GDPR regulation
Data management related to the GDPR regulation.
Legal basis of data management: Enforcement of the controller’s legitimate interest (Article 6 (1) c).
Scope of data processed: Name, data protection identification, interested party’s request, date, type, content, result of interested party’s request, incident’s date, documentation and result
Planned deadline of processing: Non-discardable
Source of data: The interested party
3 Consequence of failure to provide data
Possible consequence of failure to provide data: Failure of the purpose of data management
4 Persons affected
The partners who have a contract with the controller and the contact persons provided by them, as well as representatives of natural persons or legal entities who acquire or provide the products of the Organization.
5 Range of mandatory data
On individual data entry interfaces where all data are required, the data controller does not separately mark the data that must be filled in. On interfaces where not all data are mandatory, the controller indicates the fields that must be entered by displaying an asterisk (*).
6 Children
Our products and services are not intended for persons under the age of 18 and do not fall under the scope of services related to the information society. Persons under the age of 18 are asked not to provide personal data to the data controller. Should we become aware that we have collected personal data from a child under the age of 18, we will take the necessary steps to delete the data as soon as possible.
7 Information concerning the use of data processing
The controller shall forward the data to the processor(s) contracted in order to implement the contract during the processing.
Categories of recipients: Authorities, social media sites, postal services, courier services
Data processors: Newsletter supplier, event organizer, photo and video provider, hostess provider, website operator, IT provider, property protection provider, legal consultant, GDPR consultant
8 Persons entitled to access the data
The data controller shall not forward the data obtained to third parties, except for the data processor(s) and recipients indicated in Article 7.
8.1 Access to IT backup data
The Controller stores IT backups separately for access control. The saved data can only be accessed by the IT operations colleagues, who are subject to appropriate documentation procedures. In case of restoration from a data backup, there is a documented procedure for the review process of the data restored from the data backup prior to live use.
8.2 Access to the data of video monitoring system
The controller shall not forward the recordings to third parties, except for the asset protection service provider specified in Article 7. Only the controller and data processor(s)’s designated employees are entitled to view the recordings.
The data protection officer and the managing director can access the recordings made by the electronic monitoring system. Upon request, the data subject may only access recordings made of their person in the presence of one of the above-mentioned persons. In all cases, access shall be requested in writing from the data protection officer.
In each case, the controller shall prepare a record of the access, which will be stored by the company for 1 year.
8.3 Persons authorized to restrict images of the electronic monitoring system
The restriction of recordings made by the electronic monitoring system may only be allowed in cases where the controller has detected an event that could potentially jeopardize the objective pursued by the electronic monitoring system.
At the request of the party involved, the processing of recordings made of their own person may be restricted. The party involved shall request the restriction in writing from the Data Protection Officer, indicating its purpose and expected duration.
A record of each step of the restriction process is prepared by the controller, who shall store it for a period of 1 year.
8.4 Disclosure of data
The controller shall not disclose the recordings of the electronic monitoring system.
9 Management of data received from third parties
If the User/Partner does not provide their own data to the controller, but another natural person’s, the User/Partner is solely responsible for providing the data with the consent, knowledge, and adequate information of this natural person. The controller is not liable to examine their existence. The controller draws the User/Partner’s attention to the fact that should they not comply with their obligation, which results in the data subject’s claim against the controller, the controller may pass on the claim and the amount of the damage to the User/Partner.
10 Data transmission to a third country or international organization
The controller shall not forward the data subject’s personal data and recordings to third countries or international organizations outside the European Economic Area.
11 The rights of the involved party
The involved party may ask the controller via the contacts highlighted in Article 1 to:
- provide access to a copy of their personal data managed by the controller,
- correct their data,
- provide information regarding the purposes and legal basis of data management,
- erase their personal data or restrict its processing.
The data subject may exercise their above-mentioned rights at any time by addressing the controller at one of the contact addresses indicated in Article 1.
- The involved party can request the transfer of their data to another controller where the processing is based on a contract or on consent and is carried out by the Organization through an automated procedure.
- The involved party may withdraw the consent they previously gave to the processing of their data.
The controller shall act on or reject the request within 1 month of its submission, or in exceptional cases within a longer period permitted by law. The involved party shall be informed in writing of the outcome of the investigation.
11.1 The costs of information
The Organization shall provide the measures and the necessary information free of charge for the first time.
If the involved party requests the same data for a second time within a month, and the data have not changed during this time, the controller shall charge administrative costs.
- The basis of the administrative costs is the minimum wage converted to an hourly rate.
- The number of working hours spent on providing the information shall be charged at this hourly rate.
- Furthermore, in case of a paper-based information request, the printing cost of the response at cost price and the postal fees shall be charged.
11.2 Refusal of information
Should the data subject’s request be clearly unfounded, should they not be entitled to the information, or should the organization, as controller, be able to prove that the data subject already has the requested information, the controller will reject the request for information.
If the data subject’s request is excessive due to its repetitive nature, the organization may refuse to take action based on the request, if
- within one month, they submit an application related to the exercise of rights under Articles 15 – 22 for the 3rd time in the same subject matter.
11.3 Right to object
The involved party may at any time object to the processing of their personal data based on the legal basis of legitimate interest or public authority.
In this case, the Organization may no longer process the personal data, unless it proves that the data processing is justified by compelling, legitimate reasons that take priority over the interests, rights and freedoms of the data subject, or that it is related to the establishment, exercise or defence of legal claims.
Should the objection be well-founded, the Organization shall terminate the processing of the data as soon as possible, including data transmission and further processing. It shall give notice of all objections submitted by the involved party.
Processing the request is free of charge, except for unfounded or excessive requests, which may be charged a reasonable fee, corresponding to its administrative costs by the controller. If the data subject does not agree with the decision made by the controller, they may apply to the courts.
12 Information on data security measures
The controller manages the data in a closed system, based on the requirements of the Information Security Policy. To this end, the controller applies appropriate technical and organizational measures in order to:
- accurately regulate access to data,
- grant access only to individuals for whom the data are necessary for carrying out their task, and only to the minimum data necessary for the fulfilment of the task,
- carefully select the data processors commissioned and ensure the security of the data by means of an appropriate data processing agreement,
- ensure the integrity, authenticity, and protection of the data processed (data integrity).
The controller applies reasonable physical, technical and organizational security measures in order to protect data subjects, especially against the accidental, unauthorized or illegal destruction, loss, alteration, transmission, use, access or processing of their data. The controller shall immediately notify the data subject in the event of unauthorized access to or use of personal data which might pose a high risk to the data subject.
Should the transmission of the information be required, the controller shall ensure that the data transmitted are adequately protected e.g., by encryption of the file. The controller is fully responsible for data management by third parties.
The controller shall also carry out adequate and regular security checks to ensure that the data subjects’ data are protected against loss or destruction.
13 Legal remedy
Should the concerned party consider that
- a) the controller restricts the enforcement of their rights or rejects their request for this purpose, they may notify the National Data Protection and Freedom of Information Authority, which may launch an investigation into the lawfulness of the controller’s measures,
- b) when processing personal data, the controller violates the legal requirements governing the processing of personal data,
- they may apply for the official data protection procedure conducted by the National Data Protection and Freedom of Information Authority; furthermore,
- they can go to court against the controller and, if they so choose, they can also launch the lawsuit before the competent court according to their place of residence.
Contact details of the National Data Protection and Freedom of Information Authority:
President: Dr. Attila Péterfalvi
Address: 1055 Budapest, Falk Miksa Street 9 – 11
Postal address: 1363 Budapest, Pf. 9.
Tel.: +36-1-3911400
E-mail: ugyfelszolgalat@naih.hu
www.naih.hu
Budapest, 3 January 2023