CONTENT

I. Introduction, Purpose of the Notice

II. Basic Concepts

III. Data Controller’s Details

IV. Principles of Data Processing

V. Rights of Data Subjects

V. Detailed Description of Data Processing Activities

I. INTRODUCTION, PURPOSE OF THE POLICY

The purpose of this data processing/privacy policy is to ensure that the data subjects affected by the data processing activities conducted by the Data Controller are informed in accordance with the General Data Protection Regulation (GDPR) of the European Union and related Hungarian laws (especially: Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (Info Act)).

The Data Controller also expresses its commitment to the protection of personal data, the enforcement of the principles and provisions of the General Data Protection Regulation, and the respect for the data subjects’ rights to informational self-determination through this notice.

The Data Controller publishes this policy publicly on the following website: https://theplannerportfolio.com/data-privacy-policy

The Data Controller reserves the right to amend, specify, or supplement this notice with new data processing information. Changes can be followed on the above websites.

In connection with the processing of personal data, the Data Controller emphasizes that it ensures the adequate security of personal data through the application of appropriate technical or organizational measures, especially against unauthorized or unlawful processing, accidental loss, destruction, or damage.

The most important Hungarian laws affecting the Data Controller’s activities include:

  • Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (Info Act).
  • Act V of 2013 on the Civil Code.
  • Act C of 2012 on the Criminal Code.
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
  • Act XLVIII of 2008 on the essential conditions and certain limitations of economic advertising activity.
  • Act CXIX of 1995 on the handling of name and address data for the purpose of research and direct business acquisition.
  • Act C of 2000 on Accounting (Act on Accounting).

II. BASIC CONCEPTS

General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, which entered into force on 25 May 2018 and is directly applicable in all EU Member States, including Hungary. The text of the GDPR can be accessed at the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679

Info Act: Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information, and its amendments or new law replacing it.

Data protection legislation: the GDPR, instructions, and recommendations of the Hungarian data protection authority, the opinions and guidelines of the Data Protection Working Party (Article 29 Working Party) established under the Treaty on the Functioning of the European Union (TFEU), as well as the Info Act and other legal provisions applicable to the specific data processing/data handling activity.

Data Subject: the natural person who is identified or identifiable, directly or indirectly, from the personal data being processed. Typically, this refers to you, whose personal data is processed by the Data Controller.

Other concepts used in this notice related to the processing of personal data, which are not defined above, are contained in Article 4 of the GDPR.

III. DATA CONTROLLER’S DETAILS

General information about the Data Controller:

  • Name of the Data Controller: Kis-Raffai Krisztina Zsuzsanna E.V.
  • Registered office: 1098 Budapest, Pottyos utca 6. 3.lph ¾. (Hungary)
  • Tax number: 48945411-2-43
  • Sole proprietorship registration number: 58827701

Postal address of the Data Controllers:

  • 1098 Budapest, Pottyos utca 6. 3.lph ¾. (Hungary)

Electronic contact:

    Areas of activity:  Retail business (internet)

    Contact information for the Data Controller’s data protection officer, data protection responsible:

    • Email address: info@theplannerportfolio.com
    • Postal address: 1098 Budapest, Pottyos utca 6. 3.lph ¾. (Hungary)

    If you have any questions or comments, or if you have any complaints or concerns about the processing of your data, please write to us at the above email address. Upon receipt of your inquiry, we will contact you without delay.

    IV. PRINCIPLES OF DATA PROCESSING

    1. The Data Controller processes personal data lawfully and fairly, and in a manner that is transparent to the Data Subject.
    2. The Data Controller carries out data processing activities in accordance with the principles and provisions of the Data Protection Legislation, committed to handling personal data fairly and without misleading the Data Subject, and making appropriate information about the data processing activities publicly available to the Data Subject. The use of personal data handled by the Data Controller – or made available by another data controller for the fulfilment of its tasks – for private purposes is prohibited. Employees of the Data Controller and those in a civil law relationship with it, as well as its data processors, may handle personal data in the course of their duties only in compliance with the provisions of the Data Protection Legislation.
    3. The Data Controller is committed to ensuring that the data are adequate and relevant for the purposes of the data processing and are limited to what is necessary.
    4. The Data Controller takes all reasonable measures to ensure that the personal data are accurate and, where necessary, kept up to date, and promptly deletes or rectifies inaccurate personal data.
    5. The Data Controller stores personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
    6. Disclosure of personal data handled by the Data Controller is prohibited, except where required by Hungarian and/or EU laws and legal norms.
    7. The Data Controller may process personal data in the following cases:

    7.1. The Data Subject has given consent to the processing of his or her personal data for one or more specific purposes

    7.2. Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract

    7.3. Processing is necessary for compliance with a legal obligation to which the Data Controller is subject

    7.4. Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person

    7.5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller

    7.6. Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.

    1. Sources of personal data:
    • The Data Subject’s personal data may come to the Data Controller directly from the Data Subject (or his/her representative) (e.g., through email, or website interactions), through consent. Please note that if the data provider does not provide his/her own personal data, it is the data provider’s duty to obtain the Data Subject’s consent and ensure that the Data Subject is familiar with the data processing information found on the website, as well as in case of personal representation, to provide proof of the right to represent.
    • Personal data may also be generated and come to the Data Controller when visiting the www.theplannerportfolio.com website, either from technical data automatically generated and later deleted related to the use and access of the website, or from data derived from cookies, detailed further in this notice.
    • From publicly available databases or other sources (e.g., company registers, databases)
    1. About Cookies in general:
    • Most websites, including those operated by the Data Controllers, use cookies. Cookies do not harm your computer and do not contain malicious codes. A cookie is a small data packet that internet services and websites store in your browser on your computer, and read back when you revisit the site, thus storing information about the visitors and their devices. This technology is indispensable for the operation of efficient and modern online services and is supported by today’s browsers. For example, they can be used to log into a site or access personalized information on the internet.
    • You can enable or disable the use of cookies through your browser settings. If you disable cookies, it may result in web pages not working properly and not all features being available. For more information, such as how to view, manage, and delete cookies stored on your computer, visit www.allaboutcookies.org.
    • It is important to note that you can delete cookies from your computer or browser at any time.
    • There are several types of cookies, each serving different purposes. The most common uses of cookies are: website development, operation, measuring the usage and traffic of websites, facilitating navigation on the website, monitoring activity on the website, and displaying personalized offers (possibly on other websites).
    • The types of cookies used by the organization:

    9.1. Essential cookies, session cookies: ensure the proper operation of the websites, facilitate their use, and collect information about their use without identifying the visitors, storing certain information (e.g., form data filled out, login data, the status of cookie policy settings). If the browser sends back a previously saved cookie to the service provider, it will have the opportunity to link the user’s current visit with the previous ones.

    9.2. Statistical cookies: the use of this type of cookies aims to analyze and measure the usage and traffic of the website (which page the visitor opened, how much time they spent on the page, what they clicked on), thereby helping the development of the website. These cookies also contain anonymous data; the visitor is not identifiable. This group includes Google Analytics cookies.

    • If you enable the use of such cookies, the Data Controller may use the data to create content that matches the interests of the visitor, better understand the visitors of the website, and supplement this with remarketing activities to stay in the readers’ view. Thus, various Google and Facebook advertisements may appear for previous visitors or those with similar interests.

    9.3. Third-party advertising, targeting cookies: the purpose of these cookies is to display personalized advertisements and ads to the visitor during their browsing, and to analyze and evaluate how visitors use the pages.

    • Further details can be found in the web page cookie information.
    1. About the operation and visitation of the website in general:
    • The server operating our website logs visits to prevent abuses, malicious attacks, and to check the correct operation of the pages. These log files (access logs) record the visitor’s computer IP address, the date and time of the visit, and the URL (the address of the visited page). The servers automatically delete the log files.
    • Embedded content from other websites:
    • The posts available on the www.theplannerportfolio.com use embedded content (e.g., videos, images, articles) from external sources. Embedded content from external sources behaves exactly as if the reader visited that other website.
    • Similarly, these websites may collect data about visitors, use cookies, or use tracking codes from third parties. The Data Controller does not assume responsibility for the data and information protection practices of these pages, but strives to ensure that the embedded content available on its own website does not violate data protection and data security regulations. If the Data Controller becomes aware that the embedded external content violates applicable laws or engages in harmful behavior, it immediately removes the links from the site. The data processing information for embedded content can be found on the respective external website.
    1. Data processing, data transmission, the circle of persons who become acquainted with the data:
    • The Data Controller is entitled to employ a data processor without the separate consent of the Data Subject – in a manner based on a contractual relationship defined in the GDPR – who performs the personal data and certain specified data processing operations on behalf of and under the instructions of the Data Controller. Data processing involves the Data Controller providing the personal data to the data processor.
    • If the Data Controller transfers data to data processors or other third parties, it keeps a record of this and indicates the utilized data processors and recipients in the respective data processing sections.
    • The data processor and the employees involved in data processing are subject to a confidentiality obligation by the data processor, provided they are not subject to any professional confidentiality obligation by law. The conditions prescribed by the GDPR ensure that the personal data of the Data Subject remain secure during data processing. The Data Controller typically employs the following service providers involved in data processing:
    • IT service providers,
    • Postal service providers, courier companies delivering packages,
    • Payment service providers,
    • Event organizers,
    • Accounting service providers.
    • Based on a legal obligation or a request based on legal regulations, the Data Controller may forward personal data to the court, the prosecutor’s office, the investigative authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the Hungarian National Bank acting within its supervisory role concerning the financial intermediary system, or to other bodies authorized by law. The Data Controller strives to check the legality and justification of such requests and to fulfill the data transfer within the legal frameworks, to the extent necessary to achieve the purpose of the request.
    • The Data Controller otherwise employs organizational measures within its organization to ensure that personal data are accessed only by those employees for whom it is necessary for their work.
    1. The Data Controller carries out the processing of personal data in such a way that appropriate technical or organizational measures are implemented to ensure the proper security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage. The Data Controller considers the state of science and technology, the costs of implementation, and the nature, scope, circumstances, and purposes of the data processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to determine the appropriate level of security. The Data Controller applies the following security measures:
    • Encryption of data, password protection,
    • Firewall protection,
    • Regular safety checks, updates,
    • In the case of cloud-based data storage, ensuring the safety of data servers through contractual data protection guarantees.
    1. Data transfer to third countries or international organizations:
    • The Data Controller does not transfer personal data to third countries or international organizations.

    V. RIGHTS OF DATA SUBJECTS

    1. Right to Information and Access to Personal Data:
    • Every Data Subject has the right to receive information from the Data Controller about the processing of their personal data and to request access to the personal data being processed.
    • The Data Controller provides information on the processing of personal data when the personal data is obtained from the Data Subject, or within a reasonable period after obtaining the personal data from another source. This period should not exceed one month from obtaining the data.
    • The information provided should include, but is not limited to, the purposes of processing, the categories of personal data, the legal basis for processing, the recipients or categories of recipients of the personal data, if any, the period for which the personal data will be stored, the source of the data if not obtained from the Data Subject, and whether the Data Controller intends to transfer the personal data to a third country or international organization.

    1. Right to Rectification:
    • The Data Subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning them.
    • The Data Subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

    1. Right to Erasure (‘Right to be Forgotten’):
    • The Data Subject has the right to obtain the erasure of personal data concerning them without undue delay from the Data Controller, and the Data Controller has the obligation to erase the personal data without undue delay, subject to certain exceptions. These exceptions include cases where the processing is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation which requires processing by EU or Member State law to which the Data Controller is subject, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise, or defense of legal claims.
    • Where the Data Controller has made the personal data public and is obliged under Article 17 of the GDPR to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data.

    1. Right to Restriction of Processing:
    • The Data Subject has the right to obtain from the Data Controller restriction of processing where one of the following applies:

    4.1. The accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data.

    4.2. The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.

    4.3. The Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims.

    4.4. The Data Subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

    1. Right to Data Portability:
    • The Data Subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided, where:

    5.1. The processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the GDPR or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and

    5.2. The processing is carried out by automated means.

    • In exercising their right to data portability, the Data Subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

    1. Right to Object:
    • The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

    1. Automated individual decision-making, including profiling:
    • The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless such a decision is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller, is authorized by Union or Member State law to which the Data Controller is subject (which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests), or is based on the Data Subject’s explicit consent.
    • Where decisions based on automated processing, including profiling, are made, the Data Controller shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Data Controller, to express their point of view and to contest the decision.

    1. Rights related to automated decision-making and profiling:
    • Where personal data are processed for profiling purposes, the Data Subject has the right to be informed about the logic involved, as well as the significance and the envisaged consequences of such processing for them.
    • The Data Subject has the right to request that the Data Controller not use personal data for profiling purposes.

    VI. DATA CONTROLLER CONTACT DETAILS

    • Contact person: Krisztina Kis-Raffai
    • Email address: info@theplannerportfolio.com
    • Postal address: 1098 Budapest, Pottyos utca 6. 3.lph ¾. (Hungary)
    • If you have any questions or comments, or if you have any complaints or concerns about the processing of your data, please write to us at the above email address. Upon receipt of your inquiry, we will contact you without delay.

    The information provided in this document is detailed and structured to facilitate an understanding of the principles and practices applied by the Data Controller regarding data protection. It includes essential elements like the legal grounds for processing, the types of personal data processed, measures for data protection, and the rights of Data Subjects under GDPR. This template can be adapted to meet specific requirements and ensure compliance with data protection regulations in different contexts.