1. Introduction
Usernet Kft. (registered office: 1037 Budapest, Jeles utca 109.; tax number: 23113196-2-41; company registration number: 01-09-953586; mailing address: 1037 Budapest, Jeles utca 109.; e-mail: info@usernet.hu; website: www.usernet.hu) and its affiliated companies (hereinafter: the Controller) fully comply with the applicable data protection laws and regulations, in particular Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.), as well as the provisions of this Privacy Notice.
This Privacy Notice is available on the Controller’s website at www.usernet.hu. The Controller may amend the content of this Notice at any time and will inform data subjects of any changes in due time.
2. Definitions
Data subject: any identified or identifiable natural person, who can be identified directly or indirectly, in particular by reference to a personal data element.
Personal data: any information relating to the data subject – in particular the data subject’s name, identification number, as well as one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that person – and any inference that can be drawn from the data regarding the data subject.
Special categories of data:
a) personal data revealing racial origin, national or ethnic affiliation, political opinions or party affiliation, religious or other philosophical beliefs, membership in an interest representation organization, or data concerning sexual life;
b) personal data relating to health, pathological addictions, and criminal personal data.
Consent: a freely given and explicit indication of the data subject’s wishes, based on appropriate information, by which the data subject signifies their unambiguous agreement to the processing – in whole or in part – of personal data relating to them.
Objection: a statement by the data subject objecting to the processing of their personal data and requesting the termination of the processing and/or the deletion of the processed data.
Controller: any natural or legal person, or organization without legal personality, who, alone or jointly with others, determines the purposes of personal data processing, makes and implements decisions regarding data processing (including the means used), or has these implemented by a processor acting on its behalf.
Processing: any operation or set of operations performed on data, regardless of the procedure applied, such as collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure or destruction, as well as preventing further use of data, and the taking of photographs, sound or image recordings, and the recording of physical characteristics suitable for identifying a person (e.g. fingerprints, palm prints, DNA samples, iris images).
Data transfer: making data available to a specific third party.
Disclosure: making data available to anyone.
Data processing (technical): performing technical tasks related to data processing operations, regardless of the method and means used to carry out such operations and the place of application, provided that the technical task is performed on the data.
3. Principles of Data Processing
Personal data may only be processed for a specific purpose, to exercise a right or to fulfil an obligation. At all stages of data processing, the purpose of the processing must be met; the collection and processing of data must be fair and lawful.
Personal data may be processed if:
a) the data subject has given their consent; or
b) such processing is ordered by law, or by a local government decree adopted on the basis of a statutory authorization and within the scope defined therein, for a purpose in the public interest (hereinafter: mandatory processing).
Special categories of data may be processed in the cases defined in Section 6 of Infotv., and where the data subject has given their written consent; in the case of health data, processing may also be ordered by law for a purpose in the public interest.
Only personal data that is essential for achieving the purpose of the processing and suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
Before processing begins, the data subject must be informed whether the processing is based on consent or is mandatory. Prior to the start of processing, the data subject must be clearly and comprehensively informed of all facts relating to the processing of their data, in particular the purpose and legal basis of the processing, the identity of the person authorized to process and process the data, the duration of the processing, and who may have access to the data. The information must also cover the data subject’s rights related to processing and their remedies.
The data subject may give their consent to the processing of data relating to them.
Courts, public prosecutors, investigating authorities, and other bodies authorized by law may request information and data from the Controller. Such requests may only concern personal data and to the extent that is strictly necessary to achieve the purpose of the request.
4. Purpose and Legal Basis of Processing Personal Data
Data processing related to the Controller’s services is based on voluntary consent; personal data is provided directly by the data subjects (Infotv. Section 5(1)(a)).
The purpose of data processing is the performance of the services specified in contracts in accordance with contractual terms, facilitating such performance, informing clients, and sending newsletters and marketing communications. In addition, during visits to the website, the Controller records visitor data to monitor the functioning of the services, enable personalized service, and prevent misuse. By using the services on the website, visitors are considered clients of the Controller in this respect, even if they are not contractual partners in other ways. Through its electronic newsletter service, the Controller aims to enable interested clients to receive information by e-mail about the Controller’s activities, services, and related news.
The legal basis for processing is the data subject’s consent, with particular reference to Infotv., as well as Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
5. Scope of Processed Data
Personal identification data (surname, first name), contact details (telephone number, e-mail address), date and time, URL of the visited page, the IP address of the user’s computer, and any other data voluntarily provided by the clients.
6. Rights of Data Subjects and Remedies
All data subjects may request the rectification of their personal data and, following the termination of the legal relationship, the deletion of their data.
Data subjects may object to unlawful data processing at info@usernet.hu and may enforce their rights by turning to a court or to the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; mailing address: 1530 Budapest, Pf. 5; phone: +36-1-391-1400; website: www.naih.hu; e-mail: ugyfelszolgalat@naih.hu).
Controller: István Tusnádi
Registered office / address: 1037 Budapest, Jeles utca 109.
Name of processing activity: database processed for the purpose of sending newsletters – www.usernet.hu – sending newsletters to clients.
Data processing registration number: NAIH-93090/2016.
The data subject may request information on the processing of their personal data, and may request the rectification, deletion or blocking of their personal data (except for mandatory processing) at the Controller’s contact details indicated above.
Upon the data subject’s request, the Controller shall provide information regarding the data it processes or that is processed by a processor acting on its behalf, the source of the data, the purpose, legal basis and duration of processing, the name and address of the processor and its activities related to the processing, and, in the case of data transfer, the legal basis and recipient of such transfer. The Controller shall provide this information in an intelligible form in writing within the shortest possible time, but no later than 30 days from the submission of the request. The information is free of charge if the person requesting the information has not previously submitted a request for information regarding the same set of data in the current year. In other cases, the Controller may charge a fee.
The Controller shall rectify personal data if it is inaccurate and the correct personal data is available.
The Controller shall block personal data if requested by the data subject, or if, based on available information, it can be presumed that deletion would harm the legitimate interests of the data subject. Blocked personal data may only be processed as long as the purpose that excluded deletion exists.
The Controller shall mark personal data it processes if the data subject disputes its accuracy or correctness, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.
The Controller shall delete personal data if processing is unlawful, the data subject requests deletion, the processed data is incomplete or inaccurate and this condition cannot be lawfully remedied (unless prohibited by law), the purpose of processing has ceased, or the statutory time limit for storing data has expired, or deletion has been ordered by a court or the National Authority for Data Protection and Freedom of Information.
The Controller shall have 30 days to perform deletion, blocking or rectification.
If the Controller does not comply with the data subject’s request for rectification, blocking or deletion, it shall inform the data subject in writing within 30 days of the reasons for rejecting the request.
The Controller shall notify the data subject and all parties to whom the data had previously been transmitted for processing purposes of any rectification, blocking, marking or deletion of personal data. Notification may be omitted if this does not infringe the data subject’s legitimate interests in view of the purpose of processing.
The data subject may object to the processing of their personal data if:
- the processing or transfer of personal data is necessary solely for the fulfilment of a legal obligation of the Controller or for the enforcement of the legitimate interests of the Controller, data recipient, or a third party, except where processing is ordered by law;
- personal data is used or transferred for direct marketing, public opinion polling or scientific research purposes;
- in other cases specified by law.
The Controller shall assess the objection within the shortest possible time, but no later than 15 days from the submission of the request, decide on its justification, and inform the applicant of its decision in writing. If the Controller finds that the objection is justified, it shall terminate the processing (including further data collection and transfer), block the data, and notify all parties to whom the data had previously been transmitted and who are obliged to take measures to enforce the right to object.
If the data subject does not agree with the Controller’s decision, they may, within 30 days of receiving the decision, turn to a court.
The Controller may not delete the data of the data subject if processing has been ordered by law. However, data may not be transferred to the recipient if the Controller has agreed to the objection or if a court has found the objection justified. In case of infringement of their rights, the data subject may bring an action against the Controller before a court. The court shall act in such cases as a priority.
The Controller shall compensate any damage caused to others by the unlawful processing of the data subject’s data or by breaching data security requirements. In case of violation of the data subject’s personal rights, the data subject may claim non-pecuniary damages pursuant to Section 2:52 of the Civil Code.
The Controller is also liable towards the data subject for any damage caused by the processor.
The Controller shall be exempt from liability if the damage was caused by an unavoidable event outside the scope of processing. The Controller shall not compensate damage and non-pecuniary damages to the extent that the damage or violation of personal rights resulted from the data subject’s intentional or grossly negligent conduct.
7. Duration of Data Processing
If a contractual relationship is established between the Controller and the client, the duration of processing is linked to the contract between the Controller and the data subject and lasts until the contract terminates. Following the termination of the legal relationship, the Controller shall retain the data until the expiry of the limitation period. In other cases, the duration of processing is 30 days.
8. Data Transfers
By registering online or on paper, the data subject accepts that their personal data may be transferred by the Controller to its affiliated companies, namely: The Rocket Science Group (MailChimp).
In addition, in order to facilitate its administrative tasks, the Controller may transfer certain personal data, in whole or in part, to processors, subcontractors or auxiliary agents engaged to perform specific data processing operations.
Processor: The Rocket Science Group, LLC
Address: 675 Ponce de Leon Ave NE
Suite 5000
Atlanta, GA 30308
USA
9. Data Security
Personal data is stored and processed at the Controller’s registered office on a web server protected by 24-hour security. The Controller takes all administrative, IT and physical security measures necessary to protect personal data from unauthorized access, loss, and any other potential threats. The Controller ensures the physical protection of paper-based documents containing personal data. Access to the data is limited to employees of the Controller working in marketing-related roles.
If you have any comments or concerns regarding the Controller’s data processing, please contact us at info@usernet.hu.
10. Information Relating to the Website
The www.usernet.hu website may be visited free of charge and without providing personal data. However, access to certain sections is subject to registration, during which the client provides information that qualifies as personal data.
By providing and submitting their data, and by visiting the website, the client consents to the processing and use of their data by the Controller in accordance with the relevant legislation and this Notice, including forms of processing that may qualify as automated individual decision-making.
The Controller shall not make personal data obtained during registration accessible to any third party without the data subject’s explicit prior consent, except where required by law or in the context of official procedures, as well as to members of the corporate group and processors.
Certain parts of the website use so-called "cookies" – files stored on the hard drive of the data subject’s device – for the purpose of recording data and facilitating identification and subsequent visits by the data subject. The data subject may set their browser to notify them when a cookie is being sent and to allow them to decide whether to accept it. (For more information on cookies, see www.cookiecentral.com.)
The IP addresses of computers accessing the website are logged in order to record user visits. The Controller analyzes this data to produce statistics, for example to determine which parts of the website are visited most frequently and how much time users spend there. IP addresses are not linked to any other data that would allow the data subject to be personally identified; the data is used solely for statistical purposes.
The Controller may display advertisements on the website. The system may collect personal data about users who click on advertisements. The scope and use of such data is described in more detail in Google’s Privacy Policy.
The Controller excludes all liability for damages resulting from the destruction, delayed arrival or other errors of electronic messages transmitted in electronic form.
Unless otherwise indicated, the content of the website is the property of the Controller and constitutes intellectual property protected by copyright. The Controller reserves all rights in this regard.
Under no circumstances does the content of the website constitute tax or legal advice; it is made available by the Controller for information purposes only, and all liability is excluded.
The Controller also excludes liability for any damages arising from downloading content from, or the unavailability of, the website.
The HTML code of the portal contains links to and from external servers independent of the Controller. The servers of these external providers are in direct connection with the user’s computer. As a result of this direct connection and direct communication with the user’s browser, the service providers of such links may collect user data. Any personalized content that may be displayed to users is served from the external providers’ servers. The relationship between the Controller and the external providers’ servers is limited solely to the embedding of their code; no personal data is transmitted or transferred.
The content downloaded by following external links on the website is beyond the Controller’s control.
The Controller excludes all liability for content appearing in the "forum" section of the website and for the content of offers, advertisements or notices published on the website. The Controller reserves the right to delete comments or user-submitted content without prior notice, warning or justification, but is not obliged to do so.
The Controller reserves the right to ban users and to terminate registrations without prior notice or justification.