GRAFACITY VISUAL SERVICES's

Privacy POlicy

Grafacity Ltd., as data processor appreciates its partners, clients, employees, i.e. the users personal rights, therefore we have prepared our Privacy policy. It is available also on our official site: www.grafacity.eu . 

English Version Published:  26. 10. 2018.   /   Version: 1.0

 

Table of Contents

  1. Introduction
  2. General provisions
  3. Controller’s data
  4. Data processing
    1. Access to and preservation of personal data
    2. Data processors
    3. Legal ground of personal data processing 
  5. Definitions
  6. Employment related data processing
    1. Employment and personal records
    2. Processing relating to aptitude tests
    3. Personal data processing of job applicants, applications, CVs
    4.  Applying for an internship 
    5. Processing relating to the control of the use of an e-mail account
    6. Processing relating to the monitoring of computers, laptops and tablets
    7. Processing relating to internet usage monitoring at the workplace
    8. Processing relating to the control of the use of Company mobile phones
  7. Contract related data processing
    1. Information collected in relation to the use of the website
    2. Information on the use of cookies
    3. Social Media / Social network cookies
    4. Social Media platforms
    5. Disabling Google cookies
    6. Using the services of the Google Analytics system
    7. Using the services of the Google Drive system
    8. Processing relating to newsletter services
    9. Application for training
    10. ‘Notify me’ function
    11. Quotation request
    12. Personal data processing of participants interested in our trainings and/or services
    13. Personal data of persons participating in the realisation of contracts between legal persons or a natural and a legal person
    14. Photographs, video and sound recording in case of realisation of contracts between legal persons or a natural and a legal person
    15. Data from attendance sheets, performance certificates generated in the course of fulfilling our assignments
  8. Right of access to personal data
  9. The user’s rights in relation to their processed data
    1. Right to information
    2. Rights relating to personal data breaches
    3. Rectification of personal data
    4. Erasure of data
    5. Blocking of data
    6. Newsletter unsubscription or cancellation
    7. Objection to the processing of personal data
    8. Withdrawal of consent
    9. Right to data portability
    10. Complaints and enforcement options
    11. Compensation and restitution
    12. Automated decision-making and profiling
  10. Processing based on legal obligations
    1. Processing for the fulfilment of tax and accounting obligations
    2. Processing as payer
    3. Processing relating to documents of lasting value under the Archives Act
  11. Data security
  12. Other provisions

_____________________________________

1. Introduction

Grafacity Ltd. (H-1221 Budapest, Honfoglalás út 5. fsz 3.) (hereinafter: ‘Controller’ or ‘us’) is fully committed to the security of information it handles and the transparency of data processing. Proper processing of personal data is highly important for us and we respect our users rights associated with personal data processing.

Grafacity Ltd., also as operator of the website accessible via www.grafacity.eu domain, hereby publishes its employment and contract realisation related data processing regulations, data processing and data security principles and information about data processing, related also to the website and to the services offered on the site.

 2. General provisions

Our Privacy policy was prepared taking into account laws and regulations in force. If you have any questions about data protection, your request is welcome at any time. Contact details of our data protection officer:

Szilárd Strenner, general manager

We reserve the right to amend present notice at any time, should need for precision or completion arise for any reason. Completions and amendments come into effect immediately upon publishing on the website. We recommend regularly checking up the Privacy policy with regard to amendments or updates.

Personal scope of the notice: the notice is applicable to all natural persons, whose data are processed by Grafacity Kft. in the course of services related business relations.

Objective scope of the notice: present notice covers data processing exercised by the Controller, nevertheless we reserve the right of issuing special data processing policies in specific cases, for smaller group of data subjects.

By commencing to use the website, the users visiting the site accept all conditions specified in this Privacy policy. Therefore we kindly ask you to read through the Privacy policy carefully before you start using the website. 

3. Controller’s data

Controller of the data is the website operator Grafacity Limited (short name: Grafacity Ltd.)

  • Registered office: H-1221 Budapest, Honfoglalás street 5. fsz 3.
  • Office: H-1112 Budapest, Repülőtéri street 6.    I    Vasvári Industrial Park, Building ‘A’
  • Company registration number: 01-09-966187
  • Company’s tax number: 23450420-2-43
  • International (VAT) TAX Number: HU23450420
  • Name of representative, or data protection officer: Szilárd Strenner, general manager
  • Email address: info@grafacity.eu
  • Hereinafter: Controller

4. Data processing

4.1 Access to and preservation of personal data

The controller access to personal data by selling and advertising its services, by contracting (e.g. using our services), by communication, by acceptance of receiving marketing materials, on professional events, by participating in our trainings, by applying to our job ads, by concluding employment contract, or from other business partners, eventually from other persons acting on your behalf, from administrators, just as through files and cookies when browsing websites operated by us.

We store your personal data in electronic form basically on our own servers, or on servers that are operated by assigned third parties, whereas hard copies are stored in our registered office and in eventual other premises.

4.2 Data processors

Relevant server provider / operator of the website: ProfiTárhely Kft. www.profitarhely.hu (H-6000 Kecskemét, Szolnoki út 23. Company registration number: 03-09-121889 Data processing identification number: NAIH-74049/2014) 

Newsletter daemon: SalesAutopilot Kft.  www.salesautopilot.hu (H-1024 Budapest, Margit krt. 31-33. félemelet 4. Company registration number: Cg. 01 09 286773 Data processing identification numbers: NAIH-62272/2013, NAIH-62273/2013, NAIH-62274/2013, NAIH-62275/2013, NAIH-62276/2013, NAIH-62277/2013) 

Web hosting service provider: Amazon Web Services, Inc. https://aws.amazon.com

Accountancy service provider: Adóforrás Ltd. H-8200 Veszprém, Orgona street 3. 

Postal services, delivery, parcel services: these data processors receive from our company the personal data that are necessary for the delivery (name, address, phone number), and they deliver the product by using these data. The service providers are:

A) Magyar Posta Zrt. H-1138 Budapest, Dunavirág utca 2-6. www.posta.hu

B) Courier services:

  • Company name: Hajtás Pajtás Ltd.
  • Registered office: H-1074 Budapest Vörösmarty street 20.
  • Company registration number: 01-09-278553
  • Company’s tax number:11954161-2-42
  • Name of representative: Szabolcs Szűcs 
  • Phone: +36-1/411-03-10

4.3 Legal ground of personal data processing

In the course of data processing, Controller is bound by the below law: 

  • GDPR (General Data Protection Regulation) – EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION (EU) REGULATION nr. 2016/679 (27.04.2016.) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); 
  • Data Protection Law – Act CXII. of 2011 on informational self-determination and freedom of information („Privacy Act”) and the relevant enacting clauses;
  • Act CXXV. of 2003 on Equal Treatment and the Promotion of Equal Opportunities; 
  • Act V. of 2013 on the Civil Code;
  • Act CL. of 2017 on the rules of taxation and the relevant enacting clauses;
  • Act C. of 2000 on Accounting and the relevant enacting clauses;
  • Act LXXVII. of 2013 on adult education.

Data processing by Grafacity Kft. is made based on the freely given consent of the user, according to point a. of subsection (1) of section 5 of Act CXII. of 2011 on informational self-determination and freedom of information (hereinafter: Privacy Act), and on Act CVIII of 2001 on certain issues of electronic commerce activities and information society services.

5.Definitions

The definitions for the purposes of present notice are comprised by Article 4. of the Regulation. We highlight the main definitions accordingly:

Controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of data;

Controlling: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processing: execution of technical tasks connected to data processing operations;

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (per assignment, on decision and order from the controller);

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Data subject: the identifiable natural person to whom the given personal data refers (such as visitor of the website, subscriber of the newsletter, applicant to a job ad);

Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Special data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or personal data concerning a natural person’s sex life or sexual orientation;

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

6. Employment related data processing

6.1 Employment and personal records

Only such data may be requested and filed about employees and only such medical aptitude tests may be performed for jobs, which are required for the establishment, continuation and termination of employment or the supply of social and welfare benefits and do not infringe the personal rights of the employee.

The Controller processes the following data of employees under the title of enforcement of the employer’s legitimate interest (Article 6 (1) f) of the Grtv) for the purpose of establishment, performance or termination of employment:

  1. name
  2. birth name,
  3. date of birth, 
  4. mother’s name,
  5. address, 
  6. citizenship, 
  7. tax identification number, 
  8. Social security no.,
  9. pension ID number (in case of retired employees) 
  10. phone number,
  11. e-mail address,
  12. personal ID card number,
  13. address card number,
  14. bank account number,
  15. online ID (if any)
  16. start and end dates of employment,
  17. job role,
  18. copies of documents certifying school and vocational qualifications,
  19. photo,
  20. curriculum vitae,
  21. wage amount, wage payment and other benefit data,
  22. debts to be deducted from the employee’s wages on the basis of an effective decision or legal regulation or the employee’s written consent and the lawfulness thereof; 
  23. evaluation of the performance of the employee,
  24. mode and reasons of termination of employment,
  25. certificate of no criminal record, depending on jobs, 
  26. summary of the aptitude tests for jobs, 
  27. name, ID number of the private pension fund and voluntary mutual insurance fund and the membership number of the employee,
  28. passport number of foreign employees; title and number of the employee certifying the right to take employment, 
  29. data captured in the reports of accidents affecting the employee, and
  30. data required for using welfare services and commercial accommodation facilities.

The employer processes data of illnesses and trade union membership only in order to exercise any right or fulfil any obligation laid down in the Labour Code. 

Recipients of personal data: employer’s manager, individual exercising the employer’s rights, members of staff and processors of the Controller performing HR jobs. 

Personal data of only executive officers may be forwarded to the owners of the Controller. 

Duration of storage of personal data: 3 years after the termination of employment.  

Preservation period of employment data: (Pursuant to Act CL of 2017 on the Rules of Taxation); the Controller shall preserve employment data for: 50 (fifty) years. 

Prior to the start of processing, the data subject must be informed that processing is based on the Labour Code and the enforcement of the employer’s legitimate interests.  

6.2 Processing relating to aptitude tests

 An employee may be requested to take an aptitude test if one is prescribed by employment regulations, or if deemed necessary with a view to exercising rights and discharging obligations in accordance with employment regulations. Prior to the test, employees must be informed in detail on the skill or ability, which will be assessed during the aptitude test and the means and the methods involved in the test. When the test is required by law, the employees must also be informed of the title of the legal regulation and the exact provisions therein.

 The employer may make employees fill in test forms on aptitude and level of preparations for jobs both prior to the establishment of employment, or during employment.

 Larger groups of employees may only be made to complete tests suitable for research in psychological or personal features in order to perform and organise work processes clearly relating to employment more effectively, when the data detected during the analysis cannot be connected to specific employees, i.e. when data are processed anonymously.

 Scope of processable personal datable personal data: the fact of job aptitude and the related conditions. 

 Legal ground of processing: legitimate interest of the employer. 

 Purpose of processing personal data: establishment and continuation of employment, serving in a job. 

 Recipients of personal data and recipient categories:  The test results are disclosed to the tested employees and to the expert performing the test. The employer may receive only information on whether the tested individual is suitable or not for the job, and the conditions that have to be provided for it. However, the employer cannot have access to the details, or full documentation of the test. 

 Duration of processing of personal data: 3 years after the termination of employment. 

 6.3 Personal data processing of job applicants, applications, CVs 

 Scope of processable personal data: name, date and place of birth of the natural person, mother’s name, address, qualifications data, photo, phone number, e-mail address, employer’s notes of the applicant (if any), their CV and documents transferred electronically: digital portfolio. 

 Purpose of personal data processing: assessment of a tender or application, conclusion of an employment contract with the selected individual. The data subject must be informed if the employer did not select them for a particular job. 

The legal ground of processing: consent of the data subject and the Anti-Discrimination Act. 

Recipients of personal data and recipient categories: manager entitled to exercise the employer’s rights at the Controller, members of staff performing HR tasks.  

Preservation period of the personal data: 3 years following the assessment of the application or tender. On the one hand, in the case of an unsuccessful tender, the applicant’s data will be processed for three months from the end of the selection process in the event that the employment of the selected candidate is terminated during the probationary period, we may re-consider the upcoming applications. On the other hand, you may submit a Court action on suspicion of a discriminative procedure within 3 years pursuant to the provisions of the Anti-Discrimination Act, thus, until the expiry of that period, we preserve your documents as evidence. The data of those who withdraw their applications or tender must also be erased. 

 The employer may keep tenders only with the express, clear and voluntary consent of the data subject providing that the preservation of data is required in order to achieve the objective of processing in compliance with the law.  Applicants must be requested to grant consent to that after the recruitment procedure has been completed.

6.4 Applying for an internship

Scope of processable personal data: name, date and place of birth of the natural person, mother’s name, address, qualifications data, photo, phone number, e-mail address, employer’s notes of the applicant (if any).  

 Purpose of processing personal data: assessment of an application or tender, conclusion of an internship agreement with the selected individual. The data subjects must be informed if the controller did not select them for a particular position 

 Legal ground of processing: data subject’s consent.

 Recipients of personal data and recipient categories: manager entitled to exercise the employer’s rights at the Controller, members of staff performing HR tasks. 

 Preservation period of the personal data: Until the application or tender is assessed. In the case of an unsuccessful tender, the applicant’s data will be processed for three years from the end of the selection process so that we can re-issue the following tenders within the social circle of the data subjects. The data of those who withdraw their applications or tender must also be erased.

 The Controller may keep tenders only with the express, clear and voluntary consent of the data subject providing that the preservation of data is required in order to achieve the objective of processing in compliance with the law.  Applicants must be requested to grant consent to that after the recruitment procedure has been completed.

 6.5 Processing relating to the control of the use of an e-mail account

If the Controller makes available an e-mail account to the employee, the employee may use the e-mail address and account provided exclusively for work purposes, for maintaining contact with other employees or corresponding with clients, other persons and organisations on behalf of the employer.  

The employee may not use the e-mail account for personal purposes and may not store any personal mails in the mailbox. 

The Controller may check the contents and use of the e-mail account regularly (every 3 months) in the course of which the legal ground of processing is the legitimate interest of the employer. The purpose of such checks is to make sure that the employer’s instructions for the use of the e-mail account are complied with and that the employee also performs the respective obligations (Sections 8 and 52 of the Labour Code).

 Such inspections may be conducted by the employer’s manager or the individual entitled to exercise employer’s right. 

Whenever it is possible under the conditions of the inspection, the employee should also be present. 

Prior to the inspection the employee must be informed about the employer’s interest in relation to which the inspection is conducted, on who may perform the inspection on behalf of the employer (the rules and the procedure, according to which the inspection is conducted (compliance with the principle of graduality)) and the rights and legal remedies relating to the processing, which is involved in the inspection of the e-mail account.

 During the inspection, the principle of graduality must be applied and therefore whether a message relates to the employee’s tasks within the job and is not part of personal communication must be concluded primarily from the address and subject of the e-mail. The Controller may inspect the content of non-personal e-mails without any limitation.

If, contrary to the provisions of this notice, it may be concluded that the employee used the e-mail account for personal communication, the employee must be ordered to erase the personal data immediately. When an employee is absent or fails to cooperate, the employer erases the personal data during such an inspection. The use of an e-mail account contrary to this notice may trigger legal consequences under the labour law applied against the employee by the employer. 

In relation to processing involved in the inspection of the e-mail account, the employee may exercise the rights described in the chapter of this notice dedicated to the rights of the data subject.

6.6 Processing relating to the monitoring of computers, laptops and tablets

An employee may use computers, laptops and tablets received from the Controller strictly for work purposes, in order to perform tasks relating to their job. The Controller prohibits their use for private purposes; the employee may not conduct any private correspondence or store any personal data on such devices.  The employer may verify the data stored on these devices. In every other aspect of the inspection of such devices by the employer and the legal consequences the provisions of the previous section 6.5 shall be applied. 

 6.7 Processing relating to internet usage monitoring at the workplace 

The employee may view only websites that relate to the tasks of their job; the employer prohibits the use of the Internet for private purposes at the workplace. 

The beneficiary of all online registrations made in the name of the Controller as a task of the job is the Controller. During registration, an ID and password referring to the Controller must be used. If personal data also need to be provided for registration, the Controller must initiate their erasure when employment is terminated.

The employer may check the internet use of the employee at the workplace, which, and the legal consequences of which, are governed by the provisions of section 6.5 above.

6.8 Processing relating to the control of the use of Company mobile phones 

The Controller does not permit the use of the company mobile phone for private purposes, the mobile phone shall be used only for work related purposes and the employer may check the phone numbers and data of all outgoing calls and the data stored in the mobile phone.

The employee must report to the employer when the Company mobile phone was used for private purposes. In that case, a check may be conducted by the employer’s requesting a call list from the telephone provider and instructing the employee to make the called numbers involved in the private calls unrecognisable in the document. The employer may order the employee to cover the costs of the private calls.

In every other aspect, the inspection and legal consequences are governed by the provisions of section 6.5

7. Contract related data processing

7.1 Information collected in relation to the use of the website

 During the use of the grafacity.eu website the relevant data of your device are automatically registered. E.g.: searched pages, date and time of the visit, IP address, the type of browser used, the website from where the visit was initiated, the type of the operating system and the domain name and address of the internet provider. The registered data are automatically recorded by the service providing web server without your specific consent. We generate statistical data from the recorded data. We use the information in consolidated and aggregated form to improve the quality of our services, to rectify any errors and to generate statistics.

By using the features described in the following points (e.g. Application for training), users consent to the processing of their personal data by the Controller. Processing of personal data is based on the voluntary consent of the User granted being aware of this information.

In some cases, the processing, preservation and transfer of a particular set of data is mandatory by law, regarding which the Controller shall always notify the user separately.

Users may only specify their own personal data on the Website. The Controller does not control or verify the personal data provided to it. Only the person providing the data, the user or the contracting party is responsible for the accuracy of the provided personal data. When any User provides their e-mail address they also certify that only they use the provided e-mail address for the use of services. In view of that undertaking, any liability associated with any login made from the specified e-mail address shall lie with the user who registered the e-mail address.

If the user doesn’t provide their own personal data, then it is the responsibility of the data provider to obtain the consent of the User.

At each processing we will inform you whether the transfer of personal data is based on a statutory requirement or if a contractual agreement is required.

Data processing is done by SalesAutopilot Ltd., ProfiTárhely Ltd. and Grafacity Ltd., acting on behalf of the Controller. The Controller reserves the right to involve other data processors in data processing in the future, and to inform the Users about it by amending this Privacy policy.

Users can provide information and data about themselves on the website as follows: personal data explicitly provided or made available during the use of the website services (see section 7.1-5). Information made available to the Controller in connection with the use of the website, relating to the visiting of the website and its use (see section 10.1-5). 

Purpose and duration of data processing. 

The Controller uses the data to provide the services available on the website, in particular for the following purposes (at a general level):  

    • providing services available on the Website effectively;
    • communication, the primary purpose of which is to properly inform users, 
    • replying to messages sent by users,
    • registering and completing applications for training courses provided through the website, 
    • development of the ordered services, communication with users in relation to orders, training courses, etc.;
    • settle disputes arising from the use of the website;
    • sending of electronic newsletters that promote the services, promotions, events, and professional materials of Grafacity Kft. as well as other business inquiries (newsletters), provided that the user has expressly consented to it during its duration or until the withdrawal of consent.

    The duration of data processing is determined by the purpose of the data processing activity (if there is more than one purpose associated with any data, a longer preservation period may apply). The Controller processes personal data during the persistence of the purpose of the data processing, in particular during the period a legal relationship with the user exists (at the end of which the data of the user concerned will be erased), or until the user requests erasure of the data or withdraws their consent. If legislation makes it compulsory for us to retain certain documents, the personal data contained therein will be stored during the preservation period specified in the given legislation (6 months).

    What information do we collect in connection with the use of the Website?

    If a User does not expressly provide data or information about themselves on the website as previously specified, then the Controller shall not collect or process any personal data relating to the User which may be used in any way to identify the User.

Use of the information collected during the use of the website

The data collected with the above mentioned technologies cannot be used for the identification of the User, and the Controller shall not link these data with any other data that may possibly be used for identification.

The primary objective of using such data is to enable the Controller to operate the Website adequately, for which the monitoring of data relating to visits on the Website and the filtering out of potential abuse of the Website is especially important, and to make our website more user friendly.

In addition, the Controller may also use that information to analyse the tendencies of use and to improve and develop the functions of the Website, as well as to obtain complex traffic data of the overall use of the Website.

The Controller can use the information obtained in that manner to create and analyse statistics on the use of the Website, and to transfer such statistical data, not suitable for identification (e.g., number of visitors, most frequently viewed topics and content) to third parties, or to publish them on a consolidated basis, with anonymous data.

7.2 Information on the use of cookies

 A cookie is a small text file that is stored on the hard drive of a computer or the memory of a smart phone until the date set in the cookie and which is activated on later visits (feeds back to the service provider). Websites use cookies to document information regarding visits to the site (time spent on pages, visited pages, browsing data, leaving page, etc.), as well as user settings. Cookies help to create a user-friendly website in order to enhance the user experience.

In accordance with the provisions of Act C of 2003 on Electronic Communications, we inform our visitors that we use cookies on our website.  By visiting the Website all Users provide their consent for the Controller to use cookies managed by external service providers in relation to the Website, which are necessary for the recording of data and information specified in the notice.

Such data are the data of the User’s computer used for log-in which are generated during the use of the Website and registered by the cookies used on the Website as the automatic result of technical processes. The system logs the automatically recorded data without any specific declaration or act of the User when the User visits or leaves the Website. 

We differentiate between two types of cookies:

  • Persistent cookie or permanent cookie – is stored on your computer even after the conclusion of your visit. With the help of these the website will recognise you as a returning visitor. 
  • Session cookie – will only be stored until you leave the website. The session cookies help to store data, therefore the user does not have to re-enter the same information on multiple occasions.

These data are not connected with any other personal user data, i.e. the User cannot be identified on the basis of such data. Only the cookie managing external service provider and the Controller have access to such data.

Accepting or enabling cookies is not mandatory. You can see more information on the internet in relation to the cookie settings of the most popular browsers. However, please also note that certain site features or services may not function properly without cookies.

 7.3 Social Media / Social network cookies

You can also find social networking functions on our site. These functions are based on an operating principle that can read cookies or in some cases put social network cookies on your device. These cookies enable the sending of personalised ads. As a Controller we do not have access to these cookies and the data they collect, however, we would nonetheless like to inform you about these elements and ask for your permission to use them. 

 Based on the above, social network cookies for the following service providers may appear on the website:

Facebook – you can access the data privacy guidelines and policy of the service provider by clicking on the following links: 

Linkedin – you can access the data privacy guidelines and policy of the service provider by clicking on the following links: 

Youtube – you can access the data privacy guidelines and policy of the service provider by clicking on the following link: 

Twitter – you can access the data privacy guidelines and policy of the service provider by clicking on the following link: 

Pinterest – you can access the data privacy guidelines and policy of the service provider by clicking on the following link: 

Instagram – you can access the data privacy guidelines and policy of the service provider by clicking on the following links: 

7.4 Social Media platforms

The Controller is also present on the Social Media platforms indicated in section 7.3. On the news feeds of these platforms, a user can subscribe to published articles by clicking the ‘like’ (follow) link and unsubscribe at the same place by clicking the ‘dislike’ (unfollow) link. You can also delete unwanted news by modifying the settings of the news wall.

Legal ground of data processing: Consent of the data subject

The purpose of data processing: Informing data subjects about current technical news, providing information, submitting relevant articles and content.

Duration of data processing: Our updates will only appear on news feed of the interested party as long as they allow. 

To find out about the data processing and privacy guidelines and policies of social media sites, see the links in section 7.3. 

 Method of submitting an objection to the processing of data: via e-mail, to the info@grafacity.eu address.

7.5 Disabling Google cookies

The use of Google cookies can be disabled by adjusting the Ad Settings (more information: http://www.google.hu/policies/technologies/ads/). Users can also disable the cookies of external service providers on the unsubscribing page of the Network Advertising Initiative (http://www.networkadvertising.org/choices/).

Data processing for the above mentioned external service providers is governed by the data protection regulations set forth by these service providers and the Controller does not take any responsibility with regard to such data processing activity. 

7.6 Using the services of the Google Analytics system 

The Controller uses Google Analytics services in relation to the Website. Cookies managed by Google Analytics assists in measuring the number of visits and other web analytics data of the Website. Information collected by the cookies is forwarded to and stored on external servers operated by Google. Google primarily uses this information in the interest of the Controller to track visits to the Website and to complete analyses of the activities carried out on the Website. Google is authorised to transfer this information to third parties only if it is required by law. Google also has the right to transfer this data to third parties who they use for the processing of data. Google Analytics can provide detailed information on how Google Analytics can process the data (http://www.google.com/analytics).

Controller ads are displayed on external websites (Google, Facebook) on websites. These third-party service providers (Google, Facebook) store cookies to ensure that the user has previously visited the Data Processor’s website and is personally displaying the ads to the User (that is, they are performing a remarketing activity).

7.7. Using the services of the Google Drive system

The Controller uses Google Drive services in relation to its operation. Data processed by Google Drive: We preserve data for client projects, services, subcontracting, supplier databases and the data of individuals taking part in training courses, interested individuals and applicants to our Job Advertisements. 

The purpose of data processing is to assist the Controller’s Operation, and communication. 

Information is transferred to and preserved on external servers operated by Google. Google preserved this information in the interest of the Controller. Google is not authorised to transfer this information to third parties. You can get detailed information about the security of the data processed in Google Drive on: https://policies.google.com/?hl=hu&gl=hu

Legal ground of data processing: Your consent and the interest of the controller.

The purpose of data processing: Your notification about current information, services, news relating to us, sending materials and communication.

Duration of data processing: Until unsubscription.

Method of submitting an objection to the processing of data: via e-mail, to the info@grafacity.eu address

7.8 Processing relating to newsletter services

Natural persons subscribing for the newsletter service on the website may grant their consent to the processing of personal data by ticking the respective box. It is prohibited to tick the box in advance.

The purpose of processing personal data: sending of direct marketing offers, invitations, newsletters and promotional materials. 

Legal ground of processing: data subject’s consent.  

Recipients of personal data and recipient categories: members of staff of the Controller performing customer service and marketing tasks and the Controller’s newsletter service provider, as the processor. 

You can withdraw your consent at any time to receive newsletters and / or promotional material: by simply clicking on the unsubscribe link in the newsletter or by sending an unsubscribing request to the info@grafacity.eu address complete with your identification data, which signifies the withdrawal of your consent. In such a case, the Controller shall erase all data of the unsubscribing user immediately. 

Concerned service provider: SalesAutopilot Ltd. www.salesautopilot.hu (H-1024 Budapest, Margit krt. 31-33, mezzanine level 4. Company register No.: Cg: 01 09 286773

For subscription to the Newsletter the following personal data must be provided:

  • Name of natural person (last name, first name) 
  • E-mail address

Duration of storage of personal data: as long as the newsletter / service is active, or until the data subject withdraws their consent (request for erasure).

7.9 Application for training

The purpose of the data processing is to maintain contact, the primary purpose of which is to properly inform of users, reply to messages sent by users, registering and completing applications for training courses provided through the website, and communication with the participants involved in the training; operation of a professional community and the provision of information. You may request the erasure or rectification of your data at any time by sending a request to the info@grafacity.eu address. The following personal data is required when applying for training courses or workshops published on the website: 

  • Last name 
  • First name 
  • E-mail address 
  • Phone number 
  • Address 
  • Sponsor / Company name 
  • Billing address 
  • Motivations
  • Experience as trainer, group-leader

Legal ground of processing: data subject’s consent.

Duration of storage of personal data: until the data subject withdraws their consent (request for erasure). You may request the erasure or rectification of your data at any time by sending an unsubscribing, erasure or rectification request to the info@grafacity.eu address. 

Recipients of personal data and recipient categories: members of staff of the Controller performing customer service and marketing tasks and the Controller’s newsletter service provider, as the processor.

7.10 ‘Notify me’ function

The user may indicate whether they wish for us to notify them of our trainings and workshops. The purpose of the data processing is to maintain contact, the primary purpose of which is to properly inform users. For this the following personal information is required:

  • Last name
  • First name
  • E-mail address

Legal ground of processing: data subject’s consent. Duration of storage of personal data: until the data subject withdraws their consent (request for erasure). You may request the erasure or rectification of your data at any time by sending an unsubscribing, erasure or rectification request to the info@grafacity.eu address.

Recipients of personal data and recipient categories: members of staff of the Controller performing customer service and marketing tasks and the Controller’s newsletter service provider, as the processor.

7.11 Quotation request

If we receive a request from you or the company you represent (personally, by telephone, through the website), the purpose of the data processing is to be able to respond to you without a contractual relationship, or if you do not provide the necessary information, we will not be able to answer, respond or communicate with you in relation to the request sent by you or the company or organisation represented by you. 

We process your information during sales, project implementation and follow-up, and use them for the sending newsletters and promotional material. 

The data processing shall continue until your consent is withdrawn. You may request the erasure or rectification of your data at any time by sending an unsubscribing, erasure or rectification request to the info@grafacity.eu address.

The categories of personal data processed:

  • Company 
  • Last name
  • First name
  • Position
  • Company e-mail address
  • Company phone number

Legal ground of processing: data subject’s consent.

Recipients of personal data and recipient categories: members of staff of the Controller performing customer service and marketing tasks and the Controller’s newsletter service provider, as the processor. 

7.12 Personal data processing of participants interested in our trainings and/or services 

Grafacity Kft. will provide information about our services to the data subjects who have previously participated in our previous events, or an event organised by our partner, with the sending of a newsletter. We collect the personal data directly from you. The purpose of data processing: providing information to interested natural persons, communication. 

The categories of personal data processed:

  • Company 
  • Last name
  • First name
  • Position
  • Company e-mail address
  • Company phone number

Legal ground of processing: data subject’s consent.

Duration of storage of personal data: until the data subject withdraws their consent (request for erasure). You may request the erasure or rectification of your data at any time by sending an unsubscribing, erasure or rectification request to the info@grafacity.eu address.

Recipients of personal data and recipient categories: members of staff of the Controller performing customer service and marketing tasks and the Controller’s newsletter service provider, as the processor.

7.13 Personal data of persons participating in the realisation of contracts between legal persons or a natural and a legal person

During the performance of contractual assignment between Grafacity Kft. and its corporate partners, it processes personal data in order to perform the contract. Such data are e.g.: the names and contact details of the employees, agents or subcontractors of the client company or enterprise. The personal data will be transferred to us by the employer of the data subject or obtained by the Controller directly from you. 

The purpose of data processing: is to fulfil the contract between partners and to protect our security interests in the case of activities at Grafacity.

Legal ground of data processing: Legal ground is legitimate interest if we received your data from the employer of the data subject or their principal. Please note that you may object to such data processing at any time, in which case we shall consult your employer (principal), and based on that consultation decide whether to accept or reject the objection. In the case of rejection you may seek a legal remedy. 

The categories of personal data processed:

  • Company 
  • Website
  • Registered office, site address
  • Client or order ID
  • Last name
  • First name
  • Position
  • Company e-mail address
  • Company phone number

Duration of data processing: In the case of a legitimate interest legal ground: the data processing shall continue until you declare your objection against the data processing, which is accepted by the controller, or until the purpose of the data processing is present. The Accounting Act and the Act on the Rules of Taxation specify the basic documents necessary for reporting and the fulfilment of the tax obligation and their preservation period (10 years after the performance of the contract).

You may object to the processing of data by sending an e-mail, to the info@grafacity.eu address. 

7.14 Photographs, video and audio recordings in case of realisation of contracts between legal persons or a natural and a legal person

During the performance of contractual assignment between Grafacity Kft. and its corporate partners, it processes personal data in order to perform the contract. Such data are e.g.: the names and contact details of the employees, agents or subcontractors of the client company or enterprise. The personal data will be transferred to us by the employer of the data subject or obtained by the Controller directly from you. 

The purpose of data processing: is to document the fulfilment of the contract, process consents to content for the performance of contractual activities, marketing activities. 

Please note that you may object to this type of data processing at any time by sending an e-mail, to the info@grafacity.eu address. You may withdraw your consent at any time. 

The legal ground for data processing is your consent, in the event that your personal data is collected from you directly by the Controller. Please not also that you may withdraw your consent at any time, in which case we shall cease the data processing activity and erase your data.

The categories of personal data processed:

  • photographs produced during the preparation, execution and evaluation of programs, 
  • video recordings, 
  • audio recordings,

Duration of data processing: data processing will continue until your consent is withdrawn or until the purpose for data processing is present (12 months after completion of the contract). 

7.15 Data from attendance sheets, performance certificates generated in the course of fulfilling our assignments

During the performance of contractual assignment between the clients of Grafacity Kft. and its corporate partners, it processes personal data in order to perform the contract. Such data are e.g.: the names and contact details of the employees, agents of the client company or enterprise. The personal data will be transferred to us by the employer of the data subject or obtained by the Controller directly from you.

The purpose of data processing: the performance of the contract or in the case of activities at Grafacity, the preservation of our security interests.

The categories of personal data processed:

  • attendance sheets generated during the execution of programs: names, e-mail addresses, phone numbers, billing addresses, 
  • certificates of completion. 

Duration of data processing: The Accounting Act and the Act on the Rules of Taxation specify the basic documents necessary for reporting and the fulfilment of the tax obligation and their preservation period. Currently the preservation period for basic certificates is 8 years

8. Right of access to personal data

The controller or the processor(s) used by them are entitled to access personal data in accordance with the effective legislation.

Without an expressed statutory provision, the Controller may transfer to third parties data suitable for user identification only with the expressed consent of the particular user.

9. The user’s rights in relation to their processed data

9.1 Right to information

Upon the request of the user, the Controller shall provide information regarding the data they process, their source, the purpose of the data processing, its legal ground, duration and – in the case of transfer of the user’s personal data – the legal ground and recipients of the data transfer. Information can be requested by e-mail via the info@grafacity.eu e-mail address and by post at the following postal address: Grafacity Ltd. H-1112 Budapest, Repülőtéri út 6., in both cases by verifying your identity and providing a correspondence address. The Controller shall respond in writing within 30 (thirty) days of the receipt of the request. In terms of costs: the data subject may request information free of charge, with the exception of the case where the request is unfounded or possibly exaggerated (due to its repetitive nature). In this case a Data Processing fee may be charged, or your request may also be denied.

The User is entitled to have access to information relating to the processing of their personal data: depending on whether the processing of their data ongoing, and if so:

  • What data are being processed?
  • Who do we transfer these data to?
  • Who long do we preserve these data?
  • What are your rights and options for legal remedies in relation to it?
  • How did we gain access to your data?
  • Do we make an automated decision regarding you by using your personal data?
  • If you have found that your data has been transferred to an international organisation or third country (non-EU Member State), you may request that we provide you with information on how we guarantee that your personal data is adequately processed.
  • You may request a copy of your processed personal data. (We may charge a fee based on administrative costs for additional copies.)

9.2 Rights relating to personal data breaches

The Controller – if they have an internal data protection officer, then through the internal data protection officer – keeps records of the personal data breaches to control the measure taken in relation to them and to provide information to the user, which contains the personal data set of the user, the users affected by the personal data breach and their numbers, the date and time of the personal data breach, its circumstances, impacts and measures taken for its elimination as well as other data specified in the prescriptive legislation.

9.3 Rectification of personal data

The user is entitled to request the rectification of their personal data (indicating the correct data) also via the info@grafacity.eu e-mail address or the Grafacity Kft. H-1112 Budapest, Repülőtéri út 6 postal address, in both cases verifying their identity and providing a correspondence address. The Controller shall perform the rectification in the records promptly and shall notify the user in writing of its completion (Article 16 of the GDPR).

9.4 Erasure of data

You may at any time request the erasure or blocking of your data, in whole or in part, via the info@grafacity.eu e-mail address or the Grafacity Kft. At H-1112 Budapest, Repülőtéri út 6 postal address free of charge, without justification, with the verification of your identity and the provision of a correspondence address. Following the receipt of the erasure request, the Controller immediately ensured that the data processing is ceased, and erases the user from their records (Article 17 of the GDPR). It does not notify the user about this.

We are unable to erase data if they are required

  • for the presentation, enforcement or defence of legal claims, 
  • based on public interest that relates to public health, 
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • to fulfil of the obligation relating to the processing of personal data by the Controller based on legislation of the European Union or a Member State thereof, or out of public interest;
  • to exercise rights to freedom of expression and information. 

9.5 Blocking of data

If so requested by the User or if according to the available information it can be assumed that the erasure would violate the rightful interests of the User, The Controller shall, instead of erasure, restrict access to the personal data Blocked personal data shall be processed only as long as the data processing purpose which prevented their erasure prevails. The controller does not notify the user about blocking and erasure.

If the Controller does not fulfil the User’s request for rectification, blocking or erasure, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within 30 days of receipt of the request. Where rectification, erasure or blocking is refused, the data controller shall inform the user of the possibilities for seeking judicial remedy or lodging a complaint with the National Authority for Data Protection and Freedom of Information.

9.6 Newsletter unsubscription or cancellation

In addition, the user may decide at any time that they do not wish to receive any further newsletter from the controller. The user can withdraw their consent to receiving newsletters at any time free of charge, without justification or restriction, by clicking on unsubscribe at the bottom of the newsletter or via the info@grafacity.eu e-mail address (with the indication of their accurate personal data). After receiving the unsubscription request, the controller erases the data of the unsubscribing user immediately from the direct marketing database and will no longer send the newsletter to the user.

If the withdrawal of consent only concerns data processing for a direct marketing purpose (sending of Newsletter), then the controller shall immediately erase the data of the user only from the direct marketing records, and will still be entitled to process the data of the user to provide the services of the website.

9.7 Objection to the processing of personal data

  • if the processing or transfer of the personal data is required only for performing a legal obligation of the Controller or it is necessary for the enforcement of a legitimate interest of the Controller, the data recipient or a third party, with the exception of mandatory data processing;
  • if the use or transfer of personal data is done for direct business acquisition, public opinion polling or scientific research; or
  • in other cases specified by law.

The Controller shall review the objection within the shortest possible time or within no more than 15 days following the submission of the request, shall make a decision on its merits and shall notify the requestor in writing of its decision. If the User disagrees with the decision of the Controller or if the Controller fails to comply with the above deadline, the user may refer the matter to the court within 30 days from the notification of the decision or from the last day of the deadline.

9.8 Withdrawal of consent

In the case of data processing that we carry out based on the subscriber’s consent, you may withdraw your consent at any time (Article 7 of the GDPR). Upon receipt of this notice, we shall erase your personal data without undue delay.

9.9 Right to data portability

You have the right to request that your stored data be handed over to you or to another party designated by you in a structured, commonly used and computer-readable format (e.g. PDF or Word).

9.10 Complaints and enforcement options

Grafacity ltd. makes every effort to ensure that personal data is processed in accordance with the law. However, if you feel that we have not done so, please e-mail us at info@grafacity.eu. If you consider the processing of your personal data to be in violation of GDPR or other privacy laws, you have the right to file a complaint with the National Authority for Data Protection and Freedom of Information (NADPFI) and we also encourage you to contact us as soon as possible.

The National Media and Communications Authority is responsible for advertisements sent electronically, the detailed rules of which are contained in Act CXII of 2011 on the Right of Informational Self-determination and Freedom of Information and in Act CVIII of 2001 on Electronic Trading Services and Certain Issues Concerning Services in an Information Society.

National Authority for Data Protection and Freedom of Information (NADPFI):

  • Correspondence address: H-1530 Budapest, P.O. Box.: 5
  • Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c
  • Phone: (+36 1) 391-1400
  • Fax: (+36 1) 391-1410
  • Web: http://naih.hu
  • E-mail: ugyfelszolgalat@naih.hu 

If the User believes that their personal data is being processed in violation of the General Data Protection Regulation and violates their rights under the General Data Protection Regulation, then the plaintiff (the Data owner) is entitled to turn to a court. The case shall be heard by the competent general court. If so requested by the data subject, the case may be brought before the general court in whose jurisdiction the data subject’s home address or temporary residence is located. In addition to the provisions of the Data Protection Regulation, court proceedings are governed by Chapter 3, Title XII (Sections 2:51 to 2:54) of Act V of 2013 on the Civil Code, as well as other legal provisions governing court proceedings.

9.11 Compensation and restitution

If Grafacity Ltd. causes damage to the user with the negligent processing of their data or violates the privacy right of the data subject, then the Controller may be required to pay restitution. If the Controller proves that the damage or violation of the data subject’s privacy right were brought about by reasons beyond the scope of their data processing activity, they shall be exempt from liability for damages and from paying restitution.

9.12 Automated decision-making and profiling

The user has the right to excuse themselves from the force of resolutions which are based on automated data management (including profiling) and would have legal effect on them or would affect them in any other way of similarly significant extent.

10. Processing based on legal obligations

10.1 Processing for the fulfilment of tax and accounting obligations 

The Controller processes the data specified by law of natural persons who enter into contracts with it as clients or suppliers under the title of performance of a legal obligation, in order to fulfil the tax and accounting obligations specified by law (bookkeeping, taxation). The processed data include, pursuant to sections 169 and 202 of Act CXXVII of 2017 on value added tax especially the following: tax number, name, address, taxpayer status, pursuant to section 167 of Act C of 2000 on accounting: name, address, person or organisation ordering the business transaction, signatures of the individual authorising transactions and certifying the execution of the orders and, depending on the organisation, of the controller; signatures of the recipient on cash certificates and cash management documents, signatures of the payers on counter receipts, pursuant to Act CXVII of 1995 on personal income tax: number of the business licence, number of the agricultural producer licence, tax identification code. 

Duration of storage of personal data is 8 years after the termination of the legal relationship representing the legal grounds. 

Recipients of personal data: employees and processors of the Controller performing taxation, bookkeeping, payroll accounting and social security tasks. 

10.2 Processing as payer

The Controller processes the personal data specified in the tax regulations of data subjects (employees and their family members, other employed parties and recipients of other benefits) in relation to whom the Company is the payer (section 7 item 31 of Act CL of 2017 on the order of taxation (Taxation Act)) under the title of performance of a legal obligation, in order to fulfil the tax and contribution obligations specified by law (establishment of tax and tax advances, as well as commissions, payroll accounting, social security and pension administration).  The processed data are determined in section 50 of the Taxation Act, including specifically: the natural personal identification data of natural persons (including former names and titles), gender, citizenship, tax identification code and social security number (TAJ number) of the natural person. Whenever the tax regulations attach a legal consequence to it, the Controller may process health (section 40 of the Personal Income Tax Act) and trade union membership (section 47 (2) b./ of the Personal Income Tax Act) data of its employees for the purpose of fulfilling tax and contribution obligations (payroll accounting, social security administration).

Duration of storage of personal data is 8 years after the termination of the legal relationship representing the legal grounds. 

Recipients of personal data: employees and processors of the Company performing payroll accounting and social security (payer) tasks. 

10.3 Processing relating to documents of lasting value under the Archives Act 

The Controller processes its documents deemed to be of lasting value pursuant to Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives (Archives Act) to fulfil its legal obligation, to ensure that the lasting value of the archival material of the Controller is maintained intact and usable for future generations. Preservation period: until delivery to the public archives. 

The recipients of the personal data and other issues concerning data processing are governed by the Archives Act.

11. Data security

Grafacity Ltd. takes the necessary steps to implement the appropriate technical and organisational measures in order to guarantee an adequate level of data security for the degree of risk, by taking into account the current state of technology, the costs of implementation, the nature of the data processing and the risk to the rights and freedoms of natural persons.

The Controller undertakes to ensure the security of data and takes all technical and organisational measures, puts into place the procedural rules that ensure the protection of all collected, stored and processed data, as well as preventing the destruction, unlawful use and unlawful alteration of data. The Controller also undertakes to call upon each third party to whom data are transferred or transmitted without the Users’ content to comply with the data security requirements.

The Controller shall ensure that no unauthorised persons may access, disclose, transfer, modify or erase the processed data. The processed data may be accessed only by the Controller and its employees, as well as the Processor(s) employed by them, and the Controller shall not transfer the data to any third party not authorised to have access to them.

The Controller shall take every possible effort to ensure data are not accidentally damaged or destroyed. The Controller requires all its employees taking part in data processing activities to assume the above obligations and, for this purpose, the processed data is always processed in a confidential manner, with limited access, encryption and the maximisation of resilience, and by ensuring restoration in the event of a problem.

The User acknowledges and accepts that in case their personal data are provided on the Website, full data protection cannot be guaranteed on the internet despite the fact that Grafacity Kft. has up-to-date security equipment to prevent any unauthorised access to data or the detection thereof. If data are accessed without authorisation or data are obtained despite our efforts, Grafacity Kft. shall not be held liable for the obtaining of data in such a manner or for any unauthorised access to them, or for any damage occurring at the User as a consequence thereof. In addition, the User may also supply personal data to third parties who may use them for unlawful purposes and in an unlawful manner.

The Controller shall under no circumstances collect special data revealing racial origin or nationality, being part of an ethnic minority, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade union membership, or data concerning health conditions, sex life, harmful addiction, sex life or a criminal record.

For data security reasons, it is important that you sign out from the Website following the use of public computers in public places for surfing the internet. If you visit our site from your computer, it will remain logged in for a certain period of time depending on the application. In this case, be careful not to allow strangers to access your computer or to carry out transactions (subscriptions, applications, orders, etc.) on your behalf.

12. Other provisions

This notice is governed by the Hungarian Law, especially the provisions of Act CXII of 2011 on Informational Self-determination and Freedom of Information.

The Controller reserves the right to modify this notice unilaterally at any time following prior notification to the User. The User must accept the modification on the Website – for further use of the Website – in the manner provided by Grafacity Kft. Amendments shall enter into effect against the User following the acceptance of the modifications or with the first visit to the Website.

Budapest, 2018. October 26.

Szilárd Strenner

Managing Director

Grafacity Visual Services

——————-

Legal Declaration:

The Privacy policy of Grafacity Ltd. was created with the use of the Data Processing Navigator Guide for SMEs document of Önadózó Zrt. and the data protection documents of Flow Consulting Ltd.  We thank you for your consent.