Privacy Policy

This Privacy Notice was adopted and brought into force by ZOENTERN Kft. (hereinafter referred to as the “Data Controller”) on 28 March 2023 in order to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “Regulation”), and in particular with the provisions of Article 12 thereof, which requires measures to be taken to provide transparent information.

The purpose of this Privacy Notice is to ensure that the Data Controller provides data subjects with all information relating to the processing of personal data required from data controllers under the Regulation in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and to provide comprehensive information about the Data Controller’s activities relating to the processing of personal data.

I. General Information

I.1. The Data Controller

ZOENTERN Limited Liability Company

Registered office: 1173 Budapest, Pesti út 17., Hungary

Company registration number: 01-09-422814

Tax number: 26292234-2-42

Represented by: Kiss Gergő, Managing Director

Email address: info@zoentern.hu

I.2. Data Protection Officer

The Data Controller does not employ or engage a data protection officer.

II. Data Processing Activities Performed by the Data Controller

II.1. Intended purposes of processing personal data and the types and legal bases of the various processing activities

Personal data contained in contracts concluded by the Data Controller

Type of data processing:
Processing of personal data contained in contracts concluded by the Data Controller.

Categories of data processed:
Personal data of the parties entering into a contract with the Data Controller and of persons identified by name in the contract, in particular their name, birth name, place of birth, date of birth, mother’s name and residential address.

Purpose of data processing:
Performance of contracts concluded by the Data Controller with its partners, identification of the contracting parties, ensuring payment of the remuneration due to the Data Controller, proving the conclusion and validity of the contract, and fulfilling the notification obligations imposed on the Data Controller.

Legal basis for data processing:

  • Article 6(1)(b) of the Regulation: processing is necessary for the performance of a contract;

  • Article 6(1)(f) of the Regulation: processing is necessary for the purposes of pursuing the legitimate interests of the Data Controller;

  • Article 6(1)(a) of the Regulation: the data subject has given consent to the processing of their personal data.

Duration of data storage:
For the duration of the validity and effectiveness of the contract and until the expiry of the limitation period applicable to the enforcement of rights and claims arising from the contract.

Person or organisational unit authorised to access the data:
The acting Managing Director of the Data Controller.

Person authorised to manage the processed data and responsible for their processing:
The acting Managing Director of the Data Controller.

Sending newsletters electronically

Type of data processing:
Sending newsletters electronically.

Categories of data processed:
Email addresses of newsletter recipients.

Purpose of data processing:
To provide persons interested in the newsletter with continuous information about news, promotions and developments relating to the Data Controller’s activities.

Legal basis for data processing:
Article 6(1)(f) of the Regulation: processing is necessary for the purposes of pursuing the legitimate interests of the Data Controller.

Duration of data storage:
Until the newsletter relating to the data subject has been sent.

Person or organisational unit authorised to access the data:
The acting Managing Director of the Data Controller.

Person authorised to manage the processed data and responsible for their processing:
The Managing Directors of the Data Controller.

II.2. Further information pursuant to Article 13(1) of the Regulation

The Data Controller does not intend to transfer the personal data processed by it to a third country or an international organisation.

The Data Controller does not use automated decision-making or profiling.

II.3. Data processors in a contractual relationship with the Data Controller

The following contractors of the Data Controller may have access to personal data to the extent strictly necessary for the performance of their duties:

  • legal representative;

  • auditor and financial adviser;

  • IT service provider.

The Data Controller has entered into data processing agreements with the above-mentioned data processors in order to ensure the lawfulness of its data processing and data protection activities.

For the purpose of fulfilling its contractual and statutory obligations, the Data Controller also supplies data to its account-holding financial institution and other authorities.

III. Information on the Rights of Data Subjects in Relation to Data Processing

III.1. Consent of data subjects to data processing and withdrawal of consent

Where processing is based on consent, the Data Controller must be able to demonstrate that the data subject has consented to the processing of their personal data.

Where the data subject gives consent in the context of a written declaration that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration containing the data subject’s consent that infringes the Regulation shall not be binding.

In connection with entering into a contract with the Data Controller, the Data Controller may make the conclusion of the contract conditional upon the data subject providing data to the extent required by the Data Controller, namely the personal data specified by the Data Controller. If the data subject fails to provide such data, the Data Controller shall be entitled to refuse to enter into the contract.

Where the processing of personal data is based on the data subject’s consent, the data subject may refuse to provide the data. In such a case, however, the Data Controller shall be entitled to refuse to enter into the contract.

The exercise of the right to withdraw consent shall not affect the lawfulness of processing based on consent before its withdrawal.

III.2. Right of access by the data subject

Data subjects may request information about the personal data processed by the Data Controller, the purpose and duration of the processing, the persons to whom the data are transferred and the source of the data processed.

The data subject shall have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them are being processed and, where such personal data are being processed, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period;

e) the existence of the data subject’s right to request the rectification or erasure of personal data, or the restriction of the processing of personal data concerning them, and to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data were not collected from the data subject, any available information as to their source.

The Data Controller shall provide the data subject with a copy of the personal data undergoing processing.

The Data Controller shall not charge a fee or require reimbursement of costs for complying with the data subject’s first request for a copy. However, where the data subject requests the disclosure of data that the Data Controller has already provided to them, the Data Controller may make compliance with the request conditional upon the payment of a fee of HUF 5,000 plus VAT, irrespective of the volume of the documents concerned.

Where the data subject submits the request electronically, the information shall be provided in a commonly used electronic format unless otherwise requested by the data subject.

III.3. Right to rectification and restriction of processing

Data subjects may request the rectification of their personal data or the restriction of their processing.

The data subject shall have the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning them.

Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data subject shall have the right to obtain from the Data Controller the restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Data Controller no longer requires the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

d) the data subject has objected to processing, in which case the restriction shall apply for the period necessary to determine whether the legitimate grounds of the Data Controller override those of the data subject.

Where processing has been restricted pursuant to the above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

The Data Controller shall inform the data subject who has obtained restriction of processing pursuant to the above before the restriction of processing is lifted.

III.4. Right to data portability

The data subject shall have the right to receive the personal data concerning them that they have provided to the Data Controller in a structured, commonly used and machine-readable format.

The data subject shall also have the right to transmit those data to another data controller without hindrance from the Data Controller, provided that the processing is based on the data subject’s consent or is necessary for the performance of a contract.

III.5. Right to erasure – the right to be forgotten

The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay.

The Data Controller shall be obliged to erase personal data concerning the data subject without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;

c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing;

d) the personal data have been unlawfully processed;

e) the personal data must be erased in order to comply with a legal obligation under European Union or Member State law applicable to the Data Controller.

III.6. Right to object

The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them where the processing is necessary for the purposes of pursuing the legitimate interests of the Data Controller or for the performance of a task carried out in the exercise of official authority, including profiling based on those provisions.

In such a case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or unless the processing is required for the establishment, exercise or defence of legal claims.

III.7. Exercise of data subject rights, complaints and legal remedies

Requests relating to the exercise of the data subject’s rights of access, including requests for the disclosure, amendment or erasure of their data, may be submitted to the Managing Directors of the Data Controller by postal mail addressed to the registered office of the Data Controller.

Based on such a request, the Managing Directors of the Data Controller or an employee appointed by them shall inform the data subject within one month of receipt of the request of the measures taken by the Data Controller in response to the request.

Where the data subject suffers an infringement of their rights in connection with the Data Controller’s processing activities, they shall have the right to lodge a complaint with the competent supervisory authority:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Registered office: 1055 Budapest, Falk Miksa utca 9–11., Hungary

Website: www.naih.hu

Email: ugyfelszolgalat@naih.hu

Telephone: +36 1 391 1440

The data subject may also enforce their rights before a court in civil proceedings pursuant to the Hungarian Information Act and Act V of 2013 on the Civil Code.

IV. Measures Taken by the Data Controller in the Field of Data Protection and Data Security

IV.1. General information on data security

The Data Controller shall ensure the security of the data and shall take the technical measures necessary to ensure that the data collected, stored and processed are protected.

The Data Controller shall make every effort to prevent the destruction, unauthorised use and unauthorised alteration of the data.

The Data Controller also undertakes to require every person to whom the data may be transferred or disclosed to comply with the corresponding data security obligations.

IV.2. Data security within the IT infrastructure

The Data Controller takes the following specific measures to ensure data security at the level of its IT infrastructure:

The Data Controller stores the personal data available to it on servers operated by specialised IT companies, namely Rackhost Zrt. (registered office: 6722 Szeged, Tisza Lajos körút 41., company registration number: 06-10-000489).

Access to these servers is restricted to the Managing Director of the Data Controller and appropriately authorised IT professionals employed by the above-mentioned specialised companies, subject to strict confidentiality obligations.

Access to data stored in the document management system is only possible with a password and the appropriate authorisation. The Data Controller’s database may only be accessed with the appropriate authorisations and licences.

The Data Controller uses real-time protection against malicious software across all of its systems, including individual subsystems.

IV.3. Data security in communications

Data are transmitted in encrypted form between the Data Controller’s IT networks and the central firewalls.

Protection against unauthorised external intrusion is ensured by the hardware solution of the Data Controller’s perimeter device.

The network protocols used by the Data Controller guarantee the integrity of the data and secure communications.

IV.4. Physical data security

The security of the personal data processed by the Data Controller is ensured by the above-mentioned specialised IT companies, which are required under their contracts with the Data Controller to guarantee the physical and software security of personal data.

IV.5. Data security at the organisational level

The Data Controller makes this Privacy Notice available on its website and informs the parties entering into a contract with it about its contents before the establishment of a legal relationship with the Data Controller and during the conclusion of the contract.

The parties entering into a contract with the Data Controller acknowledge that they have familiarised themselves with this Privacy Notice during the contracting process. The Data Controller therefore documents that the Privacy Notice has been presented to them.

V. Management of Personal Data Breaches

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The Data Controller shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.

The communication shall describe the nature of the personal data breach in clear and plain language and shall include at least the name and contact details of the contact person from whom further information may be obtained, the likely consequences of the personal data breach, and the measures taken or proposed by the Data Controller to address the breach.

Effective from: 28 March 2023

ZOENTERN Kft.

Kiss Gergő
Managing Director

palyazatod.info@gmail.com