Effective: from 15 August 2022
1. INTRODUCTION
Optimal Accounting Ltd. (hereinafter referred to as the "Data Controller") is committed to the protection of personal data, compliance with mandatory legal provisions, and safe and fair processing of personal data.
Data of the Data Controller:
Name: Optimal Accounting Kft.
Head office: 1133 Budapest, Visegrádi utca 107. 1. floor 26.
Tax ID: 32052769-2-41
Company registration number: 01-09-404566
In all cases, the Data Controller shall process the personal data provided to it in compliance with the applicable Hungarian and European legislation and ethical requirements, and shall take the technical and organisational measures necessary for the proper and secure processing of the data.
These rules have been drawn up taking into account the following legislation in force:
- Act CXIX of 1995 on the processing of name and address data for research and direct marketing purposes
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
- Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information
- Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46
The Data Controller undertakes to unilaterally comply with this Policy and requests, through a notice on its website, that its clients also accept its provisions. The Data Controller reserves the right to change its Privacy Policy. If the policy is amended, the updated text will be made public.
2. INTERPRETATIVE PROVISIONS
In our policy, data protection terms have the following meanings:
- dataset : the set of data managed in one register;
- data processor : a natural or legal person or unincorporated body which processes data on the basis of a contract, including a contract concluded pursuant to a legal provision;
- data officer : the public sector body which has produced the data of public interest which must be disclosed by electronic means or in the course of whose activities the data were generated;
- data management: whatever the procedure used, any operation or set of operations which is performed upon the data, in particular any collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and the recording of physical characteristics which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
- data controller : a natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or implements them with the processor;
- data communicator : the public sector body which, if the data controller does not publish the data itself, publishes on a website the data transmitted to it by the data controller;
- data tagging : marking the data with an identification mark to distinguish it;
- data transmission : making the data available to a specified third party;
- data erasure : making the data unrecognisable in such a way that it is no longer possible to recover it;
- data breaches : unlawful processing of personal data, in particular unauthorised access, alteration, disclosure, transmission, erasure or destruction, and accidental destruction or accidental damage;
- data retention : to identify the data for the purpose of limiting its further processing permanently or for a limited period of time;
- criminal personal data : personal data relating to the criminal offence or the criminal proceedings, obtained in the course of or prior to the criminal proceedings, by the authorities responsible for the prosecution or investigation of criminal offences and by the law enforcement authorities, which can be linked to the data subject, and personal data relating to the criminal record;
- EEA country : a Member State of the European Union and another State party to the Agreement on the European Economic Area, and a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty concluded between the European Union and its Member States and a State not party to the Agreement on the European Economic Area;
- stakeholders: any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data;
- third country : any state that is not an EEA state;
- third party : a natural or legal person or unincorporated body other than the data subject, the controller or the processor;
- contribution : a freely given indication of the data subject's wishes, based on appropriate information, by which he or she unambiguously gives his or her consent to the processing of personal data relating to him or her, in full or for specific operations;
- mandatory organisational regulation : an internal data protection policy adopted by a controller or a group of controllers operating in more than one country, including at least one EEA State, and approved by the National Authority for Data Protection and Freedom of Information (hereinafter "the Authority"), which is binding on the controller or group of controllers and which sets out the in the case of a transfer to a third country, ensure the protection of personal data through a unilateral undertaking by the controller or group of controllers;
- data of public interest : any data not covered by the concept of data of public interest, the disclosure or making available of which is required by law to be in the public interest;
- specific data:
- personal data revealing racial or ethnic origin, nationality, political opinions, religious or philosophical beliefs, membership of an interest group or membership of a representative body, sex life,
- personal data concerning health, pathological addiction and personal data concerning criminal offences;
- disclosure to the public : making the data available to anyone;
- personal data : data which can be associated with the data subject, in particular his or her name, identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference which can be drawn from the data concerning him or her;
- objection : a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;
- data processing : the performance of technical tasks related to processing operations, irrespective of the method and means used to carry out the operations and the place of application, provided that the technical task is performed on the data;
- data destruction : the complete physical destruction of the storage medium containing the data;
- data of public interest : information or knowledge, not falling within the concept of personal data, recorded in any way or form, which is held by a body or person performing a State or local government task or other public task, and which relates to its activities or arises in connection with the performance of its public task, irrespective of the way in which it is managed, its autonomous or collective nature, in particular information on its powers, competences, organisational structure, professional activity, including an assessment of its effectiveness, the types of data held and the legislation governing its operation, as well as information on its management and the contracts concluded;
3. DATA PROCESSING SUB-POLICIES
Personal data may only be processed for specified purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful.
Only personal data that is necessary for the purpose of the processing and is suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
The personal data will retain this quality during processing as long as the relationship with the data subject can be re-established. The link with the data subject can be re-established if the controller has the technical conditions necessary for the re-establishment.
The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.
The processing of personal data shall be considered fair and lawful if, in order to ensure the freedom of expression of the data subject, the person who wishes to know the opinion of the data subject visits the data subject at his or her place of residence or stay, provided that the personal data of the data subject are processed in accordance with the provisions of this Act and the personal inquiry is not for commercial purposes. The personal inquiry may not take place on a public holiday within the meaning of the Labour Code.
Personal data may only be processed if the data subject consents to it or if it is ordered by law or - on the basis of a statutory authorisation and within the scope specified therein - by a local government decree for a purpose in the public interest (mandatory processing).
Personal data may be processed only for specified purposes, for the exercise of rights and the performance of obligations. The processing must comply with this purpose at all stages.
Only personal data that is necessary for the purposes for which it is processed and adequate to achieve those purposes may be processed, and only to the extent and for the duration necessary for those purposes.
Personal data may be transferred and different processing operations may be combined if the data subject has given his or her consent or if the law permits it and if the conditions for processing are met for each individual personal data item.
Personal data may be transferred from the country to a controller or processor in a third country, irrespective of the data medium or the means of data transfer, if the data subject has given his or her explicit consent or if the law allows it and the third country ensures an adequate level of protection for the processing of the personal data transferred.
In the case of mandatory processing, the purposes and conditions of processing, the scope and availability of the data to be processed, the duration of processing and the identity of the controller are determined by the law or government regulation imposing the processing.
The law may order the disclosure of personal data in the public interest, by expressly indicating the scope of the data. In all other cases, disclosure requires the consent of the data subject, or in the case of sensitive data, written consent. In case of doubt, it shall be presumed that the data subject has not given his or her consent.
The consent of the data subject shall be deemed to have been given in respect of the data communicated by him or her in the course of his or her public activities or transmitted by him or her for the purpose of disclosure.
In a procedure initiated at the request of the data subject, his or her consent to the processing of the data should be presumed. This fact shall be brought to the attention of the data subject.
The data subject may also give his or her consent in the context of a written contract with the Data Controller for the performance of the contract. In this case, the contract must contain all the information that the data subject needs to know in relation to the processing of personal data, in particular the identification of the data to be processed, the duration of the processing, the purposes of the processing, the transfer of the data, the use of a processor.
The contract must unambiguously state that the data subject, by signing it, consents to the processing of his or her data as set out in the contract.
The right to the protection of personal data and the privacy rights of the data subject must not, unless an exception is provided for by law, be prejudiced by other interests in the processing, including the disclosure of data of public interest.
4. THE BASIS FOR DATA PROCESSING
The processing of personal data in the course of the Data Controller's activities is always based on law or voluntary consent. In some cases, in the absence of consent, the processing is based on other legal grounds or on Article 6 of Act CXII of 2011.
For website visitor data
The Data Controller does not record the IP address or any other personal data of the user when visiting the websites operated by the Data Controller.
The html code of the websites operated by the Data Controller may contain independent links from and to external servers for web analytics purposes. The measurement also includes tracking of conversions. The web analytics provider does not process personal data, only browsing-related data that cannot be used to identify individuals.
Currently the web analytics services are provided by Optimal Content Kft. (address: 1133 Budapest, Visegrádi utca 107. 1/26.).
Description of the technical solution for data protection: the Data Controller runs so-called remarketing advertisements via the Facebook and Google Ads advertising systems. These service providers may collect or receive data from the Controller's website and other internet sites through the use of cookies, web beacons and similar technologies. They use this data to provide measurement services or to target ads: these may appear on additional websites in the Facebook and Google partner network. Remarketing lists do not contain any personal data of the visitor and are not personally identifiable.
The user can delete cookies from his/her own computer or prohibit their use in his/her browser. These options vary depending on the browser, but are typically available in the Settings / Privacy menu.
For more information about Google's and Facebook's privacy policies, please see the contact details below: http://www.google.com/privacy.html and https://www.facebook.com/about/privacy/
Newsletter
The Data Controller delivers online newsletters and direct marketing messages by electronic means to subscribers to the newsletters of the websites it operates, usually monthly, but no more than twice a week, containing news and business offers. To subscribe to the newsletter, you must provide your name and e-mail address, which is required to receive the messages.
The data will be processed until the data subject requests their deletion. A direct link to unsubscribe is provided in each newsletter. The user is responsible for the authenticity of the personal data provided.
The website is operated by Optimal Content Kft.
Details of sending newsletters:
In particular, the Data Controller shall protect the data against unauthorised access, alteration, disclosure, deletion or destruction and against accidental destruction or accidental damage. The Data Controller, together with the server operators, shall ensure the security of the data by technical and organisational measures that provide a level of protection appropriate to the risks associated with the processing.
Duration of data processing, deadline for deletion of data: in the case of accounting documents, subject to Section 169 (2) of Act C of 2000 on Accounting, under which these data must be kept for 8 years.
The accounting documents (including the general ledger accounts, analytical and detailed records) directly and indirectly supporting the accounting accounts must be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.
5. SECURITY OF DATA PROCESSING
The website is operated by Optimal Content Kft.
Company: Optimal Content Kft.
Head office: 1133 Budapest, Visegrádi utca 107. 1. floor 26.
Tax ID: 25862755-2-41
Company registration number: 01-09-404566
E-mail address: hello@optimalcontent.hu
6. RIGHTS OF DATA SUBJECTS
The data subject may request information about the processing of his or her personal data and may request the rectification, blocking or erasure of his or her personal data, except for processing required by law, by following the link in the footer of the newsletter or by contacting the Data Controller.
At the request of the data subject, the Data Controller shall provide information about the data of the data subject processed by the Data Controller or by a data processor appointed by the Data Controller or on his behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and his or her activities related to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy the data breach, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.
Where the Data Controller has an internal data protection officer, the Data Controller shall, through the internal data protection officer, keep records for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subject, which shall include
- the scope of the personal data concerned,
- the scope and number of data subjects affected by the data breach,
- the date, circumstances and effects of the personal data breach and the measures taken to prevent it; and
- other data specified in the legislation providing for the processing.
For the purpose of monitoring the lawfulness of the transfer and informing the data subject, the controller shall keep a record of the transfer, including the date of the transfer of personal data processed by the controller, the legal basis and the recipient of the transfer, the scope of the personal data transferred and other data specified in the legislation providing for the processing.
The duration of the obligation to keep the data in the data protection and transfer register - and, on that basis, the obligation to provide information - may be limited by the law providing for the processing. Within this limitation, the period may not be less than five years for personal data and twenty years for sensitive data.
The Data Controller shall provide the information in writing in an intelligible form, at the request of the data subject, within the shortest possible time from the date of the request, but not later than 25 days. This information shall be provided free of charge if the data subject has not yet submitted a request for information to the controller in the current year for the same set of data. In other cases, a fee may be charged. The amount of the fee may be fixed in a contract between the parties. Any compensation already paid shall be refunded if the data have been processed unlawfully or if the request for information has led to a correction. The Data Controller shall rectify personal data which are inaccurate.
The Controller shall erase personal data if the processing is unlawful, the data subject requests it, it is incomplete or inaccurate - and this situation cannot be lawfully rectified - provided that erasure is not excluded by law, if the purpose of the processing has ceased, the statutory time limit for storing the data has expired or the court or the Data Protection Commissioner has ordered it.
It shall notify the data subject of the rectification and erasure and all those to whom it has previously disclosed the data for processing purposes. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing.
The data subject may object to the processing of his or her personal data if the processing (transfer) of the personal data is necessary solely for the purposes of the exercise of a right or legitimate interest pursued by the controller or the recipient of the data, unless the processing is required by law, the use or transfer of the personal data is for direct marketing, public opinion polling or scientific research purposes, or the exercise of the right to object is otherwise permitted by law.
The Data Controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, and inform the applicant in writing of the outcome of the examination, with the simultaneous suspension of the processing. If the objection is justified, the controller shall be obliged to terminate the processing, including further recording and transmission, and to block the data, and to notify the objection and the measures taken on the basis of the objection to all those to whom the personal data concerned by the objection have been previously disclosed and who are obliged to take action to enforce the right to object.
The data controller may refuse to provide the data subject with information only in exceptional cases, as defined in Article 9 (1) and Article 19 of Act CXII of 2011. In such cases, the Data Controller shall inform the data subject in writing of the provision of this Act on the basis of which the information was refused. In the event of refusal to provide information, the Data Controller shall inform the data subject of the possibilities of judicial remedy and of recourse to the Authority.
The data controller shall notify the Authority of rejected applications annually by 31 January of the year following the year in question. The data subject may bring an action against the controller before a court or the data protection authority in the event of a breach of his or her rights, of which the controller shall inform the complainant. Legal remedies and complaints may be lodged with the following contact details:
Name: National Authority for Data Protection and Freedom of Information
Address: 1055, Budapest Falk Miksa u. 9-11
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu
Date: 15 August 2022, Budapest, Hungary