GDPR


 

Who we are

 

Introduction

KOTRA Commercial and Educational Limited Liability Company (Hungary 4150, Püspökladány, Kiss Ferenc utca 9. Tax number: 12938445-2-09, company registry code: 0909009228) (as Provider, Data Controller) hereby submits to the below policy.

In accordance with Regulation 2016/679 of the European Union and Council (27. April 2006.) on the protection of individuals concerning the processing of personal data, repealing regulation 95/46/EC (General Data Protection Regulation), the following information is provided.

This Privacy Policy governs the data protection practices of the following website: https://learntoparkapp.com/

 

 The Privacy Policy is available on the following link: https://learntoparkapp.com/gdpr/

 

Any change to the Policy takes effect on the date when it becomes publicly available on the above link.

 

The contact details of the Data Controller:

 

 

Name: KOTRA Kereskedelmi és Oktató KFT
Headquarters: 4150, Püspökladány, Petőfi utca.
E-mail: kotrakaroly@alfoldnet.hu
Phone: +36 54 451 654

 

 Definitions: 

  1. ’personal data’: means information about an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location detail, online registration, or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
  2. ‘data processing’: means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, tagging, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;
  3. ’Data Controller’: means any natural person or legal entity, public authority, agency or other body who individually or collectively specifies the objectives and means of data processing; where the objectives and means of data processing are specified by EU legislation or legislation of a Member State, the Data Controller or the criteria of appointing the Data Controller could be specified by the EU law or by the Member State legislation;
  4. ‘Data Processor’: means a natural person or legal entity, public authority, agency or other body who works with personal data on behalf of the Data Controller;
  5. ‘recipient’: means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry following Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
  6. ‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  7. ‘data protection incident’: damage to the security of the data stored, distributed, or handled otherwise resulting in the accidental or unlawful destruction, loss, alteration, unlawful transmission, or unlawful access to the data.

    The criteria of data processing

 

 Personal data:

 

  1. must be processed lawfully, fairly and in a transparent manner concerning the data subject ("legality, due process, and transparency");
  2. must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for public archiving, scientific and historical research or statistical purposes is not considered incompatible with the original purposes within the meaning of paragraph (1) of Article 89 ("purpose limitation");
  3. must be adequate, relevant and not excessive concerning the purposes of processing ("data efficiency");
  4. must be accurate and kept up to date; every reasonable step must be taken to ensure that data that are inaccurate or incomplete are erased or rectified ("accuracy");
  5. must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes under the rules and conditions of Article 89, subject to the technical and supervisory measures required in the same article for the protection of the rights and freedoms of data subjects ("storage limitation");
  6. must be processed in a way that guarantees data security, including protection against undue or unlawful processing, accidental destruction, loss or damage, by adequate technical or supervisory mechanisms ("integrity and confidentiality").

 

The Data Controller is responsible for compliance and must be able to demonstrate compliance ("accountability").

 

Data processing

Contact, Partner registration

 

  1. The fact of data collection, the scope of data collected, the purposes of the data processing:

 

 

Personal data | Purposes of the data collection
Name of the driving school, e-mail address, phone number, address | Contact, identification, partner data
Time when the message was sent | Technical data processing
IP address at the time the message was sent | Technical data processing

 

    1. Parties involved: the driving schools are allowed to register on the website as partners
    2. The duration of the data processing and time of the erasure: the data processing remains active until registration of the partner ends or the partner cancels their website appearance.
    3. Data Controllers entitled to view the data: Personal data can be handled by the Data Controller under the above principles.
    4. Rights of the data subjects related to data processing:
    • The data subject may request from the Data Controller access to their personal data, as well as alteration, deletion or restriction of processing of the data, and
    • may object to processing their personal data altogether, and
    • the data subject has rights to data portability, and to the withdrawal of their consent to data processing.

     

    1. The data subject may request modification or erasure of the personal data in the following channels:
    • via post to KOTRA Kereskedelmi és Oktató KFT, Headquarters: 4150, Püspökladány, Petőfi utca.
    • E-mail: kotrakaroly@alfoldnet.hu
    • Phone: +36 54 451 654
    1. The legal basis of the data processing: the data subject’s consent, where point a) of Article 6. (1) of 5. § (1) of Act Infotv. applies 
    2. We hereby inform you that
    • the data processing is based on your consent;
    • your personal data are essential for us to be able to answer messages;
    • not providing your personal data will result in us not being able to process your inquiry.

 

The data processing 

 

 

 

Storage space Provider 

 

  1. Provided by the Data Processor: storage and server services
  2. Data Processor’s name and contact details:

 

Company name: ZigITon Kft.
Headquarters:  2700 Cegléd, Besenyő u. 4
Tax number: 23585096-2-13
Company registry code: +36 20 263 7926 

 

  1. The fact of data collection, the scope of data collected: all the personal data provided by the data subject.
  2. Data subjects: all users of the website.
  3. Purposes of the data processing: access to the website, appropriate operation of the same.
  4. The duration of the data processing and time of erasure of the data: data processing continues until the termination of the agreement between the Provider and the Data Controller, or until the data subject submits a request to erase the data.
  5. The legal basis of the data processing: The website user’s consent, and based on the section a) of paragraph (1) Article 6. of 5 § (1) of Infotv. and paragraph (3) of 13/A. § (3) of 2001. CVIII. legislation on electronic commercial practices and information society services.

 

 

 

Other Data Processors:
Cookies

 

  1. The fact of data collection, the scope of data collected: Unique identification number, date, time.
  2. Data subjects: all users of the website.
  3. Purposes of the data processing: identification of users and visitor tracking.
    4. The duration of the data processing and time of deletion of the data:

 

Types of cookies | Legal basis of data processing | The duration of the data processing and time of erasure of the data | Scope of the handled data
Session cookies | Paragraph (3) of Article 13/A. § of (Elkertv.) of 2001. CVIII. legislation on electronic commercial practices and information society services related questions. | The time until the subsequent visitor session is concluded | connect.sid

 

 

 

  1. Data Controllers who are entitled to access the data: no personal data is handled via cookies by the Data Controller.
  2. Information about data subjects’ rights: The data subjects may delete the cookies in their browser settings Tools/Settings menu, usually under the Data protection submenu.
  3. Legal basis for data processing:
  4.  No consent is needed from the data subject so long as the sole purpose of using cookies is to transmit a communication over an electronic communications network or to provide information society services explicitly requested by the subscriber or user and not more than necessary. 

 

 

 

Google Adwords conversion tracking

 

  1. The Data Controller uses "Google AdWords" to promote the website, including Google conversion tracking services. Google conversion tracking is one of the Analytics services of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
  2. When a User visits a website by clicking on a Google advert, a conversion tracking cookie is installed on their computer. This cookie should be valid for a limited period and does not collect personal data; therefore the User cannot be identified by it.
  3. When a User browses a webpage and the cookie is still valid, Google and the Data Controller can track whether the User clicked on the ad.
  4. Every Google AdWords client is provided with a unique cookie; therefore they cannot be tracked through the website pages.
  5. Information gathered by using conversion cookies will serve as statistical data for AdWords clients. Those clients will then be able to learn about the number of visitors who converted via clicking on the adverts. They cannot access any information that could identify any of the users.
  6. If you would not like to be tracked for conversion, you can change your settings to not accept the installation of cookies. Thereafter your visit will not be included in the conversion statistics.
  7. More information and privacy policy of Google can be found here: https://policies.google.com/privacy

 

 

 

Google Analytics

 

  1. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyze how users use the site.
  2. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. With IP anonymity activated, Google shortens the IP address of users from Member States of the European Union or from other states party to the European Economic Area Agreement.
  3. Full IP addresses will be transferred to the United States and shortened there only on rare occasions. Google will use this information on behalf of the owner of this website to evaluate your use of the website, compiling reports on website activity for website operators and providing other services related to website activity and internet usage.
  4. Google will not associate your IP address with other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use the full functionality of this website. You can prevent Google’s cookie generated collection of data, referring to your use of the website (incl. your IP address), plus the processing of the data, by downloading and installing the browser plugin, which you can find here: https://tools.google.com/dlpage/gaoptout?hl=en 

 

 

 

Newsletter, DM activity

 

  1. In accordance with Act XLVIII. paragraph 6. § of 2008 on commercial advertising, the User may give prior and explicit consent for the Provider to send promotional offers and other advertising materials to the contact details provided at the time of registration.
  2. Also, given the provisions of the present policy, the Customer may agree for the Provider to use the Customer's personal data and send them offers.
  3. The Provider will not send unwanted spam messages, and the User may unsubscribe without restriction and free of charge. In such cases the Provider will erase all personal data needed to send advertising messages and will not approach the User with further advertising offers. The User can unsubscribe from the adverts by clicking on the link in the original message.
  4. The fact of data collection, the scope of data, and the purposes of the data processing:

 

 

 

Personal data | Purposes of the data processing
Name, e-mail address | Identification, opt-in for receiving electronic newsletters
Time of subscription | Technical operation
IP address at the time of subscription | Technical operation

 

 

 

  1. The data subjects: users subscribed to newsletters.
  2. Purposes of the data processing: sending electronic messages (e-mail, message) with advertising content, providing information on current news, products, promotions, new functionalities, etc.
  3. The duration of the data processing and time of erasure of the data: data processing remains active until the cancellation of consent, namely until the user unsubscribes.
  4. Data Processors involved during the data processing:
  5. The possible Data Processors entitled to access the personal data: Personal data can be handled by the sales and marketing colleagues of the Data Controller taking the above principles into account.
  6. Information about the rights of the data subjects on data processing:

 

 

 

  • The Data Subject has the right to request from the controller access to, rectification or erasure of personal data or restriction of processing of personal data
  • The Data Subject has the right to object to data processing
  • The Data Subject has the right to data portability and to cancel their consent to data processing at any given time

 

  1. The data subject may request access to, modification or deletion of the personal data, limitation of processing, portability, objection to data processing in the following channels:

 

  • via post to KOTRA Kereskedelmi és Oktató KFT, Headquarters: 4150, Püspökladány, Petőfi utca.
  • E-mail: kotrakaroly@alfoldnet.hu
  • Phone: +36 54 451 654

 

  1. The data subject may unsubscribe from the newsletter at any time for free.
  2. The legal basis of the data processing: The data subject’s consent, and based on the section a) of paragraph (1) Article 6. of 5 § (1) of Infotv. and paragraph (5) of 6. § of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities:

 

The advertiser, the advertising service Provider, and the publisher – as specified in the consent – keep a record of the users’ personal data based on their declaration of consent. From their records – concerning the subject of the advertisement – data can be extracted in line with and up to the validation date of the consent declaration, and can only be passed on to a third party with the data subject’s prior consent.

 

  1. We hereby inform you that

 

  • the data processing is based on your consent;
  • your personal data are essential for us to be able to send you newsletters;
  • not providing your personal data will result in us not being able to deliver your newsletter.

 

Social media

 

The fact of data collection, the scope of data collected:

 

  1. registered username and profile picture from social media sites like Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc.
  2. The data subjects: all data subjects who registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. and liked the website.
  3. Purposes of the data collection: Promotion of some of the content, products, offers of the website, or the website itself on social media websites by encouraging „shares” and „likes”.
  4. The duration of the data processing and time of deletion of the data, the possible Data Processors entitled to access the data and their rights related to data processing: data subjects can find information about the source of the data, the ways of processing as well as transferring data, and the legal basis of the data processing on the social media websites. As the data processing occurs within the social media websites their privacy policy rules apply regarding the duration of the data processing as well as regarding options for the erasure or alteration of the data.
  5. The legal basis of the data processing: the data subject’s voluntary consent to the processing of their data on social media websites.

 

Customer services and other data processing processes

 

  1. Should the data subject have any question or problem regarding the data processing services, they can contact the Data Controller on the contact details provided on the website (phone, e-mail, social media websites, etc.)
  2. The Data Controller erases the incoming e-mails, messages, information provided via phone, Facebook, etc. together with the name, e-mail, or any other personal data 2 years from the time of communication.
  3. Further information on data processing not mentioned in the current document will be provided at the time of data collection.
  4. In case of a supervisory authority request or at the legally justified request of any other body the Provider is obliged to present and hand over information, data, documentation.
  5. The Provider will in these cases allow access for the authority to certain personal data only to an extent that is indispensable to their research where the objective and the type of data that must be processed are preliminarily defined.

     

 

Rights of the data subjects 

 

The data subject shall have the right to obtain from the Data Controller the information regarding their personal data being processed, access to the processed data and information specified in the relevant legislation.

 

Right to rectification
You have the right to have any inaccurate personal data rectified without undue delay upon request. Taking the purposes of the data processing into account, you have the right to request rectification of incomplete data – via supplementary declaration.

 

 Right to erasure

 

You are entitled to request the Data Controller to erase your personal data and related files without undue delay, and the Data Controller is obliged to erase all your personal data without undue delay upon your request under certain conditions.

 

Right to be forgotten

 

Where the Data Controller has made the personal data public and is obliged to erase them, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data that a data subject requests them to erase any links to, or copy or replication of, that personal data.

 

 Right to restriction of processing

 

You are entitled to obtain from the Data Controller restriction of processing where one of the following applies:

 

  • the accuracy of the personal data is contested by you, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • you objected to the processing, in which case the restriction applies pending verification of whether the legitimate grounds of the Data Controller override yours.

 

Right to data portability

 

You are entitled to receive the personal data concerning you, which you have provided to a Data Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided (…)

 

Right to object

 

You are entitled to object to the processing of any personal data relating to your particular situation (…) including profiling.

 

 

 

Objection in the case of direct marketing. Where personal data are processed for the purposes of direct marketing, you have the right to object to such processing including profiling. Should you object to such data processing your personal data can no longer be processed.

 

Automated individual decision-making, including profiling

 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

 

The above shall not apply if the decision:

 

  • is necessary for entering into, or performance of, a contract between you and the Data Controller
  • is authorized by a European Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  • is based on your explicit consent.

 

Deadline for action

 

The Data Controller shall inform you without delay and at the latest within one month of receipt of the request.

 

That period can be extended by 2 months if need be. The Data Controller must inform you about the deadline extension and the reasons for it at the latest within one month of receipt of the request.

 

If the Data Controller refuses to take action on the request of the data subject, the Data Controller shall inform you of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

 

Security of processing

 

Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

 

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

Security measures by the controller: Password, username, SSL encryption

 

Notification of data subjects about data protection incident

 

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

 

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain the name and the contact details of the customer service executive; any potential consequence due to the data breach; the measures or planned measures to be taken by the controller, including any measures to alleviate the consequences of the data breach.

 

 

 

The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

 

  • the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  • it would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

 

 In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

 

Complaint procedure

 

In case of the controller's infringement, the data subject may appeal to the Hungarian National Authority for Data Protection and Freedom of Information:

 

1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Address: 1530 Budapest, Postafiók: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

 

Afterword

 

When preparing the Privacy Policy we took the following legislation into account:

 

  • Regulation 2016/679 of the European Union and Council (27. April 2006.) on the protection of individuals concerning the processing of personal data, repealing regulation 95/46/EC (General Data Protection Regulation)
  • Act CXII. on rights to privacy, informational self-determination and data protection (Infotv.)
  • Act CVIII. on electronic commerce, information society services related topics (13/A. § in particular)
  • Act XLVII. on unfair business-to-consumer commercial practices;
  • Act XLVIII. on the essential conditions and certain limitations of business advertising activity (6.§ in particular)
  • Act XC. on Informational Self-determination
  • Act C. on electronic communications (specifically 155.§)
  • 16/2011. comments on EASA/IAB recommendations on online behavioural advertising

 

  • Recommendations of the Hungarian National Authority for Data Protection and Freedom of Information on legal requirements of prior notifications