Information on the data management of ZÖLD-KER Kft.
A ZÖLD-KER Kft. (seat: 5000 Szolnok, Tószegi u. 5., tax number: 10569016-2-16) (hereinafter referred to as: Company) perform its data management activity in accordance with the Act CXII of 2011
on the Right of Informational Self-Determination and on Freedom of Information (“Privacy Act”). The purpose of the information is to provide visitors to the Company’s websites with information on the data managed by the Company on the website and other activities related to data management. The terms used in this information are the same as those defined in the Privacy Act.
- person concerned: any natural person identified or identifiable, directly or indirectly, on the basis of personal data.
- personal data: data which may be related to the person concerned, in particular the name of the person concerned, their identification number and knowledge of one or more physical, physiological, mental, economic, cultural or social identities and the conclusions which may be drawn from them regarding the person concerned.
- special data: data on racial origin, belonging to a national and ethnic minority, political opinion, party affiliation, religious or ideological beliefs, party membership, state of health, addiction, sexual life.
- data file: the totality of data managed in an inventory system
- criminal personal data: personal data obtained during or before criminal proceedings in connection with a criminal offense or criminal proceedings, produced by bodies authorized to conduct criminal proceedings or to detect criminal offenses, as well as by judgement enforcement institutions and which may be related to the people concerned and regarding to the criminal record
- consent: the voluntary and firm expression of a wish by the person concerned, based on appropriate information, giving his or her unambiguous consent to the processing of personal data concerning them, in full or for individual actions.
- protest: a statement by the person concerned objecting to the processing of their personal data and requesting the termination of the data processing or the deletion of the processed data.
- Company: a natural or legal person, or an organization without legal personality, who or which alone or jointly with others determines the purpose of data processing, makes and implements decisions on data processing (including the means used) or implements it with a data processor entrusted by them or it.
- data management: any operation or set of operations on data, regardless of the procedure used, in particular the collection, recording, recording, systematisation, storage, modification, use, querying, transmission, disclosure, coordination or linking, blocking, erasure and destruction of data, and prevent further use.
- data transfer: making the data available to a specific third party.
- disclosure: making data available to anyone.
- data erasure: making data unrecognisable by means that their recovery is no longer possible.
- data marking: the identification of the data in order to distinguish it.
- data blocking: the identification of data to limit their further processing permanently or for a specified period of time.
- data destruction: the complete physical destruction of the data carrier.
- data processing: the performance of technical tasks related to data management operations, regardless of the methods and means used to perform the operations and the place of application, provided that the technical task is performed on the data
- data processor: a natural or legal person or an organization without legal personality who or which, on the basis of a contract concluded with the Company, including the conclusion of a contract based on the provision of law, carries out the processing of data.
- data filing system: any structured, functionally or geographically centralized, decentralized or dispersed file of personal data that is accessible according to defined criteria
- data protection incident: unlawful handling or processing of personal data, unauthorized access, disclosure, transmission, erasure, damage or destruction
- third party: any natural or legal person, or any organisation without legal personality, who or which is not the same as the person concerned, the Company or the data processor.
- third country: any state which is not the member of the EEA.
Data management on the website
The purpose of data management: any external visitor can access the website of the Company (www.zoldker.hu) and the information provided by the Company.
Range of the managed data: date, time, IP address of the user’s computer, IP address of the visited page, IP address of the previously visited page, data related to the user’s operating system.
Legal basis of data management: the Company has a legitimate interest in identifying users and providing customized services [GDPR Article 6, Paragraph (1) Point f)]. Moreover, the voluntary consent of the people in accordance with the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
The Company handles the personal data during the existence of the purpose of data management, i.e. primarily during the existence of the legal relationship with the given User (after which period the data provided by the User concerned will be deleted) or until the User requests the erasure of their data or withdraws their consent.
Legal basis of personal data management: the data management by the www.zoldker.hu is performed in accordance with Section 5, Paragraph (1), Point a) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information the basis of the voluntary consent of the User and pursuant to the Act CVIII of 2001 on Electronic Commerce and on Information Society Services.
Users consent to that the Company shall process their personal data. The processing of personal data is based on the User’s voluntary consent given in the knowledge of this information.
In certain cases, the handling, storage and transmission of a given set of data is required by law, of which the Company notifies the User separately in each case.
Users may only enter their own personal data on the Website. Company shall not verify the authenticity of the provided personal data. The person providing the data, the User, is solely responsible for the adequacy of the provided data. When providing the e-mail address of any User, they are also responsible for ensuring that only they use the service from the provided e-mail address. Concerning this liability, all responsibility in connection with logins from a given e-mail address are solely born by the User who registered the e-mail address. If the User shall not provide their own personal data, the informing User is obliged to obtain the User’s consent.
The Company is entitled to get acquainted with the personal data, the Company does not transfer personal data to third parties.
At the request of the User, the Company provides information on the personal data managed by the User, their source, the purpose, legal basis and duration of the data management, and – in case of transfer of the User’s personal data – the legal basis and recipient of the data transfer. The information can be requested via the firstname.lastname@example.org e-mail address. The Company shall respond in writing no later than 30 (thirty) days from the receipt of the request.
For the purpose of monitoring the measures related to the data protection incident and informing the User, the Company keeps a register containing the scope of the User’s personal data, the scope and number of the Users involved in the data protection incident, the date, circumstances, effects and measures taken to prevent it and other data specified in the legislation requiring data management.
User has the right to request the correction of their personal data (indicating the correct data) also via the email@example.com e-mail address. The Company shall make the correction in its register without delay and notify the User in writing.
In addition to the above, the User may at any time request the erasure or blocking of their data – in whole or in part – via the firstname.lastname@example.org e-mail address by proving their identity (previously entered data: last name, first name, e-mail address) and providing their mailing address. Upon receipt of the cancellation request, the Company shall immediately ensure the termination of the data management and delete the User from its register.
Instead of deleting, the Company shall block the personal data if the User requests so, or on the basis of the information available it can be assumed that the deletion would harm the legitimate interests of the User. Personal data blocked this way may only be processed for as long as the purpose of the data management, which precluded the deletion of personal data, exists.
The Company shall notify the User, as well as all those to whom the data has previously been transmitted for data management purposes, of the rectification, blocking and erasure. The notification may be omitted if it does not infringe the legitimate interest of the User with regard to the purpose of data management.
If the Company shall not fulfil the User’s request for rectification, blocking or erasure, it shall notify the factual and legal reasons for the rejection of the request for rectification, blocking or erasure in writing within 30 days of receipt of the request. In the event of a rejection of a request for rectification, erasure or blocking, the Company shall inform the User of the possibility of judicial remedy and recourse to the National Authority for Data Protection and Freedom of Information.
In addition, the User may at any time decide that the Company should no longer send him a Newsletter. The User may withdraw his consent to receive the Newsletters at any time free of charge, without justification and restriction, by clicking on the Unsubscribe button at the bottom of the newsletters or via the email@example.com e-mail address by indicating their exact personal data. Upon receipt of the unsubscription request, the Company will immediately delete the data of the unsubscribing User from its database and shall not send any newsletter to the User in the future.
The User may object to the management of their personal data,
- if the management or transfer of personal data is necessary only for the fulfilment of a legal obligation to the Company or to enforce the legitimate interest of the Company, the data recipient or a third party, except in the case of mandatory data management;
- if the use or transfer of personal data is for the purpose of direct business acquisition, public opinion poll or scientific research; and
- in other cases, specified by law.
The Company shall examine the protest as soon as possible, but not later than within 15 days from the submission of the application, make a decision on the merits of the application and inform the applicant of its decision in writing. If the User does not agree with the decision of the Company, or if the Company fails to comply with the above deadline, the User may apply to a court within 30 days from the notification of the decision or the last day of the deadline.
If the User does not explicitly provide personal data or information on the Website as described above, the Company shall not collect or process any personal data about the User in a manner that would allow the User to be personally identified.
Such data is the data of the User’s login computer, which are generated during the use of the Website, and which is recorded by the cookies used on the Website as an automatic result of the technical processes. The automatically recorded data are automatically logged by the system – without a separate statement or action of the User – when visiting or exiting the Website.
These data are not linked to other personal user data, i.e. the User cannot be identified on the basis of these data. Such data may only be accessed by external service providers handling cookies and the Company.
The Company uses only cookies from external service providers (Google, Facebook) on the Website. Cookies are short text files that the Website sends to the user’s computer hard drive and contain information about the User.
The Company uses the services of the Google Analytics system in connection with the Website. Google Analytics helps you measure website traffic and other web analytics data. The information collected is transmitted to and stored on external servers operated by Google. It will use this information for the purposes of the Company primarily to track traffic to the Website and to provide analysis of activities on the Website. Google may share this information with third parties where required to do so by law. Google also has the right to transfer this data to third parties who use it to process the data. Google Analytics can provide detailed information about how your data is handled by Google Analytics (http://www.google.com/analytics).
The data collected with the above-mentioned technologies must not be used to identify the User, and the Company shall not link this data with any other data that may be identifiable.
The primary purpose of the use of such data is to enable the Company to operate the Website properly, which requires, in particular, the monitoring of data on visits to the Website and the prevention of possible abuses related to the use of the Website.
In addition to the above, the Company may use this information to analyse usage trends or to improve and develop the functions of the Website, as well as to obtain comprehensive traffic data on the full use of the Website.
The Company may use the information obtained to compile or analyse statistics related to the use of the Website, as well as to transmit to third parties statistical data (e.g. number of visitors, most viewed topics and content) that are not suitable for such identification, or disclose them in an aggregate, anonymous way.
The Company commits itself to ensure the security of the data, to take the technical and organizational measures and to establish the procedural rules to ensure that the recorded, stored and processed data are protected and to prevent their destruction, unauthorized use and unauthorized alteration. It also undertakes to call on all third parties to whom the data is transmitted or passed on with the consent of the Users to comply with the data security requirement.
The Company shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons. The managed data may only be seen by the Company and its employees, and the Company will not pass them on to third parties who are not entitled to access these data.
Company shall do its best to ensure that the data is not accidentally damaged or destroyed. The Company imposes the above commitment on its employees involved in data management activities.
The User acknowledges and agrees that the adding of personal data on the Website – even though that the operator of the Website has state-of-the-art security measures to prevent unauthorized access or data crawling – does not fully guarantee the protection of the data on the Internet. In case of unauthorized access or disclosure happens in spite of our efforts, the operator of the Website shall not be liable for such acquisition or unauthorized access or for any damage caused to the User due to these reasons. In addition, the User may also disclose their personal data to third parties who may use it for illegal purposes or in illegal way.
Under no circumstances does the Company collect special data, i.e. data on racial origin, belonging to a national or ethnic minority, political opinion or party affiliation, religious or other philosophical belief, membership of an advocacy organization, health status, addiction, sexual life and criminal record.
Duration of data management: 2 (two) years from the date of viewing the website.
The Company operates a career page on its websites, the purpose of which is to provide information about the Company’s current job vacancies. On the career page, the applicant can upload their CV and their related to the job seeking. To upload your CV to the career page, you must accept the privacy statement on the website.
Scope of the managed data: Name, address, education, and other personal data in the CV uploaded at the time of application.
Legal basis for data management: Section 6 of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
Duration of data management: Until the withdrawal of the applicant’s consent, but for a maximum of 1 year from the receipt of the curriculum vitae. Applicants may withdraw their consent to the storage of the CV at any time by sending an email to the firstname.lastname@example.org e-mail address.
Operation of the camera system
Our Company operates a camera system in its shops and sites in order to prevent accidents, protect physical safety, and prevent possible violations of the rules and crimes against property. The management of the Company is committed to operating cameras in public positions in stores. A sign at the entrance draws the customers’ attention to the camera surveillance.
Legal basis for data management: in the case of customers, the voluntary consent of the person concerned by entering the area, in the case of employees, the legitimate interest of the employer (based on the interest-balancing test) for the sake of ensuring the protection of persons and property.
Duration of data management: 3 days in accordance with the provisions of the Act CXXXIII of 2005 on the rules of personal and property protection and private investigation.
After the deadline set by law, the Company will delete the camera recording if it is not used. In case of use, the saving may take place after more than 3 working days, if the authority orders the saving of the camera recording during the trial, if the person concerned requests, by the demonstration of their legitimate interest, from the Company to save the recording concerning them. The Company evaluates the legitimacy of the received application and, in case of a legitimate application, ensures that the recording is saved and blocked in accordance with legal regulations.
In the event of an official request, the Company shall immediately transfer the saved recording to the requesting organization. If no request is made in connection with the blocked recording, the Company will destroy the recording after 30 (thirty) days.
The Company has prepared a data policy on the placement of the cameras, their viewing angle, the purposes of their observation, the areas and objects they observe, and the detailed layout of the placement of the cameras, which can be viewed in our stores.
The purpose of data management: in order to promote the products, to conduct the prize game, to contact the winners, to check the right to participate in the event of participation in the game, to publish the winner’s name and photo.
Legal basis for data management: prior, voluntary consent of the user under Article 6, Paragraph (1) Point (a) of the GDPR.
Data managed: name, address, telephone number, e-mail address.
Duration of data management: until the goal is achieved, i.e. during the prize game and the data related to the winner’s taxation will be stored for 10 years.
Customer complaint management
The purpose of data management: to handle quality complaints related to the products offered by the Company and the services provided by them.
Legal basis for the data management: data management is necessary for the performance of the contract [Article 6 Paragraph (1) Point b) of the GDPR] and Paragraph 17/A., Section (7) of Act CLV of 1997 on Consumer protection.
Type of personal data processed: unique identification number of the complaint, name, address of the customer, place and time of the complaint, method of complaint procedure, list of papers, documents and other evidence submitted by the customer, description of the complaint, place and time of recording of the minutes, the name and signature of the registrar, or in the case of withdrawal, the details of the product.
Duration of the data management: Five years with regard to the copies of the minutes of the complaint and the replies given to the written complaints, in accordance with the Paragraph 17/A, Section (7) of the Act CLV of 1997 on Consumer protection.
Two years in case of duplicates of entries in the customers’ book.
Data transmission: Complaints and quality claims received to the central e-mail address and postal address of the Company, for the competent manager.
Legal basis for the transmission: the processing is necessary for the performance of the contract [Article 6 Paragraph (1) Point b) of the GDPR]
Request for loyalty card
A Loyalty Card can be requested in the Company’ stores.
The purpose of data management: to participate in the loyalty program by registering.
Data management is subject to the consent based on the prior information of the applicants.
Data management ends with the transmission of registration forms.
Data managed: name, address, telephone number.
Rights of the person concerned
Information and access to personal data
The Person concerned has the right to get acquainted with the personal data stored by the Company and the information related to their handling, to request it at any time, to check what data the Company keeps records of about it, and to access the personal data. The Person concerned is obliged to send their request for access to the data in writing to the Company, and the requested data is provided by the Company in writing (in a letter sent electronically or by post), no oral information is provided in this connection.
In case of exercising the right of access, the information shall cover the following data:
- defining the scope of managed data,
- the purpose, time and legal basis of the data management in terms of the scope of the managed data,
- data transmission: to whom the data has been or will be transferred later,
- designation of the data source.
The company shall provide a paper or electronic copy of personal data to the person concerned free of charge for the first time. The Company may charge a reasonable fee based on administrative costs for additional copies requested by the person concerned. If the person concerned requests the release of a copy electronically, the Company shall make the information available to the person concerned by e-mail in a widely used electronic format.
Following the information, the person concerned may, if they do not agree with the data management and the correctness of the managed data, request the correction, supplementation, deletion, restriction of the processing of personal data concerning them, protest against the processing of such personal data or initiate proceedings.
The right to correct and supplement managed personal data
At the request of the person concerned, the Company shall, without undue delay, correct the inaccurate personal data indicated by the person concerned in writing, or supplement the incomplete data with the content indicated by the person concerned. The Company shall inform all recipients to whom the personal data has been communicated of the correction or supplementation, unless this is proved to be impossible or requires a disproportionate effort. The person concerned shall be informed of the details of these recipients if they request it in writing.
Right to the restriction of data management
The person concerned has the right to restrict the management of data by the Company upon written request of the person if the person concerned disputes the accuracy of the personal data. In this case the restriction applies to the period of time that allows the Company to check the accuracy of the personal data if
- the processing is unlawful, and the person concerned opposes their erasure and requests the restriction of their use instead;
- The Company no longer needs personal data for the purpose of data management, but the person concerned requests it in order to submit, enforce or protect legal claims,
- the person concerned objects to the data management; in this case, the restriction shall apply for the period until it is determined, whether the Company’s legal grounds take precedence over the legitimate reasons of the person concerned.
The Company shall inform the person concerned, at whose request the data processing has been restricted, in advance of the lifting of the data management restriction.
Right of cancellation (forgetting)
At the request of the person concerned, the Company shall delete the personal data of the person concerned without undue delay if any of the specified reasons exists:
- personal data is no longer required for the purpose for which it was collected or otherwise managed by the Company;
- the person concerned withdraws their consent on which the processing is based and there is no other legal basis for the data management;
- the person concerned objects to the data management for reasons related to their own situation and there is no legitimate reason for the management of data,
- the person concerned objects to the management of their personal data for the purpose of direct business acquisition, including profiling, in so far as it relates to direct business acquisition,
- the Company manages personal data unlawfully;
- personal data was collected in connection with the provision of information society services offered directly to children.
- The person concerned may not exercise their right to delete or forget if the data management is necessary:
- for the purpose of exercising the right to freedom of expression and information;
- on grounds of public interest in the field of public health;
- for the purposes of archiving in the public interest, for scientific and historical research purposes or for statistical reasons, where the exercise of the right of erasure would make such processing impossible or seriously jeopardize the data management; or
- to submit, enforce or defend legal claims.
Right to data portability
Data portability allows the person concerned to obtain and further use the “own” data provided by them in the Company’s system, for their own purposes and through various service providers. In all cases, the right is limited to the data provided by the person concerned, there is no possibility of portability of other data. (e.g. statistics, transaction data, etc.)
The personal data of person concerned that can be found in the system of the Company (e.g. during newsletter subscription, card arrangement):
- are given to the person in a structured, widely used, machine-readable format,
- entitled to transfer to another Company,
- you may request the direct transfer of data to the other Company – if this is technically feasible in your Company system.
The Company fulfils the request for data portability only based on a request sent by email or post. In order to comply with the request, it is necessary for the Company to confirm that the person entitled to it actually wants to exercise this right. To do this the person concerned must provide the data submitted to the Company on a website or otherwise in order to be able to identify the claimant using the data in your system. Under this right, the person concerned may request the portability of only those data which they have voluntarily provided to the Company. Exercising the right does not automatically lead to the deletion of the data from the systems of the Company.
Protest against the management of personal data
The person concerned may at any time object to the management of their personal data, including profiling, for reasons related to their own situation; or the person concerned has the right to object at any time to the management of their personal data for the purpose of direct business acquisition, including profiling. If the person concerned objects to the management of personal data for the purpose of direct business acquisition, the personal data will no longer be processed by the Company for this purpose.
The person concerned can protest in writing (by e-mail or post) or, in the case of a newsletter, by clicking on the unsubscribe link in the newsletter.
Deadline for fulfilling the request
The Company shall, without undue delay, but in any case, within one month from the receipt of any request under Points 5.1) -7), inform the person concerned of the measures taken. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by another two months, but in this case the Company shall inform the person concerned within one month of receipt of the request, stating the reasons for the delay. If the person concerned has submitted the request electronically, the information shall be provided by the Company in an electronic way, unless otherwise requested by the person concerned.
The person concerned can exercise their rights in a request sent by e-mail or post. It is not possible to enforce any rights over the telephone.
The person concerned may exercise their rights at the following contact details:
Postal address: 5000 Szolnok, Tószegi u. 5.
E-mail address: email@example.com
The person concerned cannot enforce their rights if the Company proves that it is not in a position to identify the person concerned. If the request of the person concerned is definitely unfounded or excessive (especially in view of its repetitive nature), the Company may charge a reasonable fee for complying with the request or refuse to take action. The burden of proving this lies with the Company. If the Company has doubts about the identity of the natural person submitting the request, it may ask the provision of additional information necessary to confirm the identity of the applicant.
The person concerned can recourse to the
- National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; www.naih.hu) pursuant to the Decree and the Civil code (Act V of 2013) or
- can assert their rights before the court.
Data protection incident
The data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data that is transmitted, stored, or otherwise handled. For the purpose of monitoring the measures related to the data protection incident, informing the supervisory authority and informing the person concerned, the Company keep a register containing the scope of personal data, the number and scope of people concerned, the date, circumstances, effects of the incident and the countermeasures taken. If the Company considers that a particular incident poses a high risk to the rights and freedom of the people concerned, it shall inform the person concerned and the supervisory authority of the data protection incident without undue delay and within a maximum of 72 hours.
The Company commits itself to ensure the security of the data and shall take the necessary technical measures to ensure that the recorded, stored and handled data are protected and shall make every effort to prevent their destruction, unauthorised use and unauthorised alteration. It shall also require that any third party to whom the data may be transmitted or transferred shall also call on it to fulfil its obligations in this regard.