Privacy policy

Summary

  • Personal data is collected for participating and interested businesses and processed only in accordance with the law.
  • System messages can be sent without consent.
  • The data is stored as safely as possible.
  • We disclose personal information to third parties only with explicit consent.
  • Anyone can request information about the data stored by pengonet in writing to info@pengonet.com.
  • Deletion of personal information can be requested at info@pengonet.com.

CURRENTLY MANAGED DATA

  1. Contact information in emails
  2. Contact information in a message sent to a website
  3. Contact information with regards to pengonet service registration and use

INTRODUCTION

Offerbox Kft.

  • headquarters: 2000 Szentendre, KovácsLászló u. 5th
  • tax number: HUN25900787
  • mailing address: 2000 Szentendre, Kovács László u. 5th
  • e-mailinfo@pengonet.com

such as the operator of the pengonet service and the www.pengonet.com website (hereinafter: Service Provider, Data Controller) will submit to the following policy.

CXII of 2011 on Information Self-Determination and Freedom of Information (20) of the Act (1) states that the data subject (in this case the user of the pengonet website or service, hereinafter referred to as “the user”) must be informed that the data processing is based on consent or mandatory before the data management begins.

The data subject must be clearly and thoroughly informed before any data processing begins. Information includes all facts relating to the management of his or her data, in particular the purpose and legal basis of the data management, the person entitled to data management and data processing and the duration of the data management.

According to Info tv. Article 6 para. (1) the affected person must be informed that personal data may be handled even if it would be impossible or disproportionate to obtain the consent of the data subject and the processing of personal data would be necessary to fulfil the legal obligation to the controller, or it is necessary to enforce the legitimate interests of the data controller or a third party and the enforcement of this interest is proportionate to the restriction of the right to the protection of personal data.

The information should also cover the data processing rights and remedies available to the data subject.

If informing those concerned is impossible or would involve disproportionate costs (such as the case case on a website), the information may also be given by the disclosure of the following information:

  • fact of data collection,
  • the range of people affected
  • purpose of data collection,
  • duration of data management,
  • the identity of potential data controllers authorized to access the data,
  • a description of the data subjects’ rights and remedies in relation to data management, and
  • if there is a place for data management in a data protection record, the registration number of the data management.

This Data Management Guide governs the data management of the following websites: http://pengonet.com and is based on the above content specification. The prospectus is available at  http://pengonet.com/privacy-policy

Amendments to this policy will become effective upon publication at the address above. We also show the legal reference behind each chapter title of the policy.

INTERPRETATIVE CONCEPTS (§3)

  1. affected / User:  any natural person identified or identified directly or indirectly by personal data;
  2. personal data: data  relating to the data subject, in particular the name of the data subject, his identification mark and knowledge of one or more physical, physiological, mental, economic, cultural or social identities, and the conclusion drawn from the data of the data subject;
  3. special data:
    • personal data relating to racial origin, nationality, political opinion or party, religious or other belief, membership of an organization of interest, sexual life,
    • personal data on health status, pathological passion, and criminal personal data;
  4. consent:  a voluntary and decisive declaration of the will of the data subject, based on appropriate information and with unambiguous consent to the processing of personal data relating to him or her for a full or specific operation;
  5. protest:  a statement by the person concerned to object to the processing of his or her personal data and requests the termination of data management and the deletion of the data processed;
  6. Data Controller:  a natural or legal person or an entity without legal personality that either independently or with others determines the purpose of data management, makes and implements decisions relating to data management (including the equipment used), or executes it with a data processor entrusted to it;
  7. data processing:  any operation or operation performed on data, irrespective of the procedure used, including, in particular, collection, recording, recording, systematization, storage, alteration, use, querying, transmission, disclosure, coordination or interconnection, blocking, deletion and destruction; preventing the further use of the data, taking photographs, sound or images, and recording physical characteristics suitable for identifying the person (eg finger or palmprint, DNA sample, iris image);
  8. data transmission: making  data available to a specific third party;
  9. disclosure: making  data available to anyone;
  10. data deletion:  making data unrecognizable in such a way that their recovery is no longer possible;
  11. data  designation : providing the data with an identification mark to distinguish it;
  12.  data blocking: for the purpose of limiting the further processing of the data with an identifier for a definitive or definite period of time;
  13.  data destruction: complete physical destruction of data media containing data;
  14. data processing:  performing technical tasks related to data management operations, irrespective of the method and equipment used to perform the operations and the location of the application, provided that the technical task is performed on the data;
  15. data processor:  a natural or legal person or an entity without legal personality which processes data on the basis of a contract concluded with the data controller, including the conclusion of a contract under the provisions of the law;
  16. data responsible:  the body performing the public task that produced the data of public interest that must be published electronically, or in the course of which the data was generated;
  17. informant:  the body performing the public task, which – if the data owner does not publish the data himself – publishes the data sent to him by the data controller on the website;
  18. data set:  a set of data processed in a register;
  19. third party:  any natural or legal person or organization without legal personality which is not the same as the data subject, the controller or the data processor.

LEGAL BASIS FOR DATA MANAGEMENT (§5 TO §6)

  1. Personal data can be handled if
    • the person concerned agrees, or
    • it is ordered by law or, under the authority of the law, within the scope defined therein, by a local government regulation for public interest purposes.
  2. Personal data may be handled even if it would be impossible or disproportionate to obtain the consent of the data subject and the processing of personal data would be
    • necessary to fulfil the legal obligation to the controller, or
    • it is necessary to enforce the legitimate interests of the data controller or a third party and the enforcement of this interest is proportionate to the restriction of the right to the protection of personal data.
  3. If, due to the incapacity of the data subject, or for other unavoidable reasons, he is unable to give his consent, the personal data of the data subject shall, during the existence of obstacles to consent, to the extent necessary for the protection of his or her or other person’s vital interests and for prevention of imminent danger to the life, bodily integrity or property of persons can be handled.
  4. The validity of your legal declaration containing the consent of the minor under the age of 16 is not subject to the consent or subsequent approval of your legal representative.
  5. If the purpose of the data-based data management is to execute a written contract with the data controller, the contract must contain all information that the data subject must know about the processing of personal data, in particular the definition of the data to be processed, the duration of the data management, the purpose of the use, the transmission of the data , recipients, fact of using a data processor. The contract must include unambiguously the consent of the data subject to the processing of his or her data as specified in the contract.
  6. If the personal data has been recorded with the consent of the data subject, the data controller may manage the recorded data without further special consent, unless otherwise provided by law, and after the withdrawal of the consent of the data subject, if the enforcement of this interest is in proportion to the restriction of the right to the protection of personal data
    • for the purpose of fulfilling his legal obligation, or
    • for the purpose of enforcing the legitimate interests of the controller or a third party

PURPOSE OF DATA MANAGEMENT (§4 [1] – [2])

  1. Personal data may only be processed for a specific purpose, exercising rights and fulfilling obligations. At every stage of data management, the purpose of data management must be met, the recording and processing of data must be fair and lawful.
  2. It is possible to handle personal data that is essential for the purpose of data management and is suitable for achieving the goal. Personal data can only be managed to the extent and for the time necessary to achieve the goal.

OTHER PRINCIPLES OF DATA MANAGEMENT (§4 [3] – [4])

Personal data in the course of data management retains this quality as long as your relationship with the affected person can be restored. The contact can be restored if the data controller has the technical conditions needed for recovery.

During data management, the accuracy, completeness of the data and, if necessary for the purpose of data management, its up-to-date information, and that the data subject can only be identified for the time necessary for the purpose of data management, shall be ensured. 

MANAGEMENT OF COOKIES

  1. CXII of 2011 on the Right to Information Self-Determination and Freedom of Information Pursuant to Section 20 para. (1) of the Act no.
    • fact of data collection,
    • the range of stakeholders
    • purpose of data collection,
    • duration of data management,
  2. Stakeholders: All those involved in the website.
  3. The purpose of data management is to identify users, track visitors and personalize them
  4. Duration of data management, deadline for deletion of data: the duration of data management in case of session cookies is up to the end of the visit of the websites, in other case up to 10 years.
  5. Personal data controllers are authorized to access the data: personal data may be handled by data controllers, while respecting the above principles.
  6. Description of data subjects’ rights to data management: Stakeholders have the option of deleting cookies in the Tools / Options menu of browsers, usually under the Privacy settings.
  7. Legal basis for data processing: The consent of the data subject is not required if the use of cookies is solely for the purpose of transmitting via the electronic communications network or for the provision of the information society service specifically requested by the subscriber or user.

NEWSLETTER, DM ACTIVITY

  1. On the basic conditions and certain limitations of the economic advertising activity, XLVIII. Pursuant to Section 6 of the Act no. 1, the Consignee shall have the prior, explicit and unambiguous consent of the Service Provider to seek out its advertising offers and other items (including electronic correspondence). However, pursuant to Section 6 para. (4) of the aforementioned legislation, postal advertising may be sent without the prior and explicit consent of the Recipient, if the Service Provider ensures that the recipient of the advertisement may prohibit the sending of the advertisement at any time free of charge and without restriction. In the event of a ban, the person concerned may no longer be advertised.
  2. The Recipient agrees that the Service Provider shall treat the personal data necessary for sending the advertisement offers by sending a prior and express declaration to the sender of the advertisement.
  3. The Service Provider does not send unsolicited advertising messages, and the Recipient may at any time, without limitation, justify the unsubscribe from sending the offers. In this case, the Service Provider deletes all of your personal data, which is necessary for sending the advertisement messages, from your register and does not contact the Recipient with your additional advertising offers. You can unsubscribe from the ads by clicking the link in the message.
  4. CXII of 2011 on Information Self-Determination and Freedom of Information Pursuant to Section 20 para.
    • fact of data collection,
    • the range of stakeholders
    • purpose of data collection,
    • duration of data management,
    • the identity of potential data controllers authorized to access the data,
    • a description of the data subjects’ rights to data management.
  5. The fact of data management, the range of data processed: name, e-mail address, phone, company name, company address
  6. Stakeholders: All those who subscribe to the newsletter.
  7. The purpose of data management is to send electronic messages containing the advertisement to the data subject, to provide information about current information, products, actions, new features, etc.
  8. Duration of data management, deadline for deletion of data: data management is pending until withdrawal of the consent statement, ie until the unsubscribe.
  9. Personality of data controllers authorized to access data: personal data may be handled by data controllers, respecting the above principles.
  10. Disclosure of data subjects’ rights to data management: You may opt out of the newsletter at any time, free of charge.
  11. The legal basis for data management is the voluntary consent of the data subject, Infotv. (5) (1) of the Act, and the Act XLVIII. Section 6 (5) of the Act:
  12. The advertiser, the advertising service provider, or the publisher of the advertisement, keeps a record of the personal data of the persons making the declaration that contributes to them, as defined in the consent. The data contained in this register, relating to the recipient of the advertisement, may be processed only in accordance with the consent statement, until it is revoked, and may only be transferred to a third party with the prior consent of the person concerned. 

CONTACT MANAGEMENT OF THE WEBSITE

  1. Letters to the email addresses posted on this website will also be sent to colleagues by email for further handling.
  2. Messages edited and sent on the website will also be sent to the responsible colleague by e-mail.
  3. Received mail will be deleted at the request of the sender, along with the sender’s name and e-mail address and other personal information provided voluntarily.
  4. If you have a question or a problem with our activity, you can contact the data controller at the contact details provided in this brochure. 

DATA TRANSMISSION

  1. CXII of 2011 on Information Self-Determination and Freedom of Information Pursuant to Section 20 para. (1) of the Act no.
    1. fact of data collection,
    2. the range of stakeholders
    3. purpose of data collection,
    4. duration of data management,
    5. the identity of potential data controllers authorized to access the data,
    6. a description of the data subjects’ rights to data management.
  2. The fact of data management, the range of data processed.
  3. The range of data transmitted for the purpose of conducting the newsletter: e-mail address, name, company name
  4. Interested parties: All those who subscribe to the newsletter.
  5. Purpose of data management: Send newsletter.
  6. Duration of data processing, deadline for deletion of data: Provided in the general provisions.
  7. Personal data controllers authorized to access the data: Providers of newsletters. 
  8. Disclosure of data subjects’ rights to data management: The data subject may request the deletion of his / her personal data from the newsletter provider.
  9. The legal basis for data transmission is the User’s consent, the Info. Article 5 (1) of the Act, and CVIII of 2001 on certain aspects of electronic commerce services and information society services; Act 13 / A. (3).

DATA SECURITY (§7)

  1. The controller is obliged to design and execute the data management operations to ensure the protection of the privacy of the data subjects.
  2. The data controller or in the field of its activity, the data processor is obliged to ensure the security of the data and is obliged to take the technical and organizational measures and establish the procedural rules necessary to enforce the Info articla and other data and secret protection rules.
  3. The data shall be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and unavailability due to accidental destruction or change in the technique used.
  4. In order to protect the electronically managed data files of the various registers, it must be ensured by an appropriate technical solution that the data stored in the registers, unless permitted by law, cannot be directly linked and assigned to the data subject.
  5. In the automated processing of personal data, the controller and the data processor provide additional measures
    1. preventing unauthorized data entry;
    2. preventing the use of automatic data processing systems by unauthorized persons using data transmission equipment;
    3. the controllability and verifiability of the bodies to which personal data have been transmitted or transmitted by means of data transmission equipment;
    4. the verifiability and verifiability of which personal data has been input into automatic data processing systems;
    5. recoverability of installed systems in case of malfunction and
    6. to report on errors that occur during automated processing.
  6. The controller and the data processor must take into account the state of the art in the definition and application of data security measures. More than one possible data management solution must be chosen that provides a higher level of protection for personal data, unless it would be a disproportionate difficulty for the controller.

RIGHTS OF STAKEHOLDERS (§14-19)

  1. The data subject may apply to the Service Provider to provide information on the management of their personal data, to request rectification of their personal data, and to request the deletion or blocking of their personal data, except for mandatory data management.
  2. At the request of the data subject, the data controller shall provide information on the data processed by the data subject concerned or processed by the data processor entrusted by the data controller, their source, the purpose of the data processing, its legal basis, duration, the name, address and data management activities of the data processor, and – in case of transfer of the personal data of the data subject. – the legal basis and the addressee of the transfer.
  3. The controller maintains a data transfer register for the purpose of verifying the legality of the data transmission and for informing the data subject, which includes the date of transmission of the personal data it manages, the legal basis and addressee of the data transmission, the definition of the scope of the personal data transmitted and other data specified in the legislation prescribing data management.
  4. The data controller is obliged to provide the information in writing in the shortest possible time from the submission of the application, but not later than within 30 days, in a comprehensible form, at the request of the data subject. The information is free.
  5. The Service Provider shall provide information on the data it manages, its source, the purpose of the data management, its legal basis, its duration, the name of the data processor, its address and its activities related to data management and, in case of transfer of the personal data of the data subject, the legal basis and addressee of the data transfer. The Service Provider shall provide the information in writing, in a comprehensible form, in the shortest possible time from the submission of the application, but not later than within 30 days. The information is free.
  6. The Service Provider, if personal data does not correspond to reality, and personal data corresponding to reality is available to the data controller, rectifies the personal data.
  7. Instead of deletion, the Service Provider locks the personal data if the User requests it, or if it can be assumed on the basis of the available information that the deletion would violate the legitimate interests of the User. Locked personal data may be processed only for as long as there is a data management purpose that precludes the deletion of personal data.
  8. The Service Provider deletes the personal data if its management is unlawful, the User requests, the managed data is incomplete or incorrect – and this condition cannot be legally remedied – provided the cancellation is not excluded by law, the purpose of data management ceased to exist or the data storage law stipulated by law expired, the court or the National Data Protection and Freedom of Information Authority ordered it.
  9. The controller handles the personal data it manages if the data subject disputes its accuracy or accuracy, but the inaccuracy or inaccuracy of the personal data at issue cannot be clearly established.
  10. The person concerned, as well as all those who have previously transmitted the data for their data management purposes, shall be informed of the rectification, blocking, marking and deletion. The notification may be omitted if it does not violate the legitimate interest of the data subject with respect to the purpose of the data management.
  11. If the data controller does not comply with the request for rectification, blocking or cancellation of the data subject, it shall, within 30 days of receipt of the request, provide written and substantiated reasons for refusing the request for rectification, blocking or cancellation. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the data subject of the possibility of a judicial remedy and of having recourse to the Authority.

LEGAL REMEDY

  1. User may object to the processing of their personal data if
    1. the processing or transfer of personal data is solely required for the Service Provider to fulfill the relevant legal obligation or to validate the legitimate interest of the Service Provider, the Data Acquirer or a third party, unless the data management is prescribed by law;
    2. the use or transmission of personal data is for direct marketing, opinion polling or scientific research;
    3. otherwise provided by law.
  2. The Service Provider examines the protest as soon as possible after the submission of the application, but within a maximum of 15 days, decides on its validity and informs the applicant in writing of its decision. If the Service Provider determines the validity of the protest of the affected person, the data management – including further data collection and data transfer – shall be terminated and the data shall be blocked, and the protest and any measures taken on the basis thereof shall be notified to those to whom the personal data affected by the protest were previously transmitted and who they must take action to enforce the right of protest.
  3. If the User does not agree with the Service Provider’s decision, he / she may appeal to the court within 30 days of its notification. The court is acting out of line.
  4. Complaint against a possible violation of the data controller by the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information (NAIH)
1125 Budapest, Szilágyi Erzsébetfasor 22 / C. 
Mailing address: 1530 Budapest, Mailbox: 5. 
Phone: +36 -1-391-1400 
Fax: + 36-1-391-1410 
E-mail:  ugyfelszolgalat@naih.hu

JUDICIAL ENFORCEMENT (§22)

  1. The data controller is obliged to prove that the data management complies with the law. The data bearer must prove the legality of the data transfer.
  2. Judicial review is within the jurisdiction of the Tribunal. The lawsuit may, at the option of the data subject, also be brought before the court of the place of residence or place of stay of the data subject.
  3. There may also be a party to the lawsuit who otherwise has no legal capacity to sue. The Authority may intervene in the proceedings for the sake of the party concerned.
  4. If the court approves the application, the data controller obliges the data controller to provide information, correct, block, delete, cancel the decision made by automated data processing, take into account the right of protest of the data subject and issue the data requested by the data receiver.
  5. If the court rejects the data subject’s request, the data controller is obliged to delete the personal data of the data subject within 3 days of the delivery of the judgment. The controller shall also delete the data if the data importer does not go to court within the specified time limit.
  6. The court may order the disclosure of its judgment by publishing the identity of the controller if it is required by the interests of data protection and the greater number of protected rights of the data subject.

COMPENSATION AND COMPENSATION FEE (§23)

  1. If the Data Controller causes damage to others by unlawfully handling the data of the data subject or by violating the data security requirements, it is obliged to reimburse it.
  2. If the data controller violates the data subject’s privacy right by unlawfully handling the data of the data subject or by violating the data security requirements, the data subject may claim damages from the data controller.
  3. Contrary to the contact, the data controller is responsible for the damage caused by the data processor, and the data controller is also obliged to pay to the data subject the infringement fee in case of a personal breach committed by the data processor. The data controller is exempt from liability for damage caused and liability for damages if he proves that damage to the person or the privacy of the person concerned was caused by an unavoidable cause outside the scope of data management.
  4. It is not necessary to compensate for the damage and the non-recoverable amount of the claim in so far as the damage caused to the injured person or to the violation of his or her personal rights arose from the deliberate or gross negligence of the person concerned.

CLOSING REMARKS

In drafting this policy, we were observing the following laws:

  • 2011 CXII. Law on Information Self-Determination and Freedom of Information (hereafter: Infotv.)
  • CVIII of 2001 Act on certain aspects of electronic commerce services and information society services (in particular Section 13 / A)
  • 2008 XLVII. Act on the Prohibition of Unfair Commercial Practices against Consumers;
  • 2008 XLVIII. Act – on the basic conditions and certain limitations of economic advertising activity (especially §6)
  • 2005 XC. Act on Electronic Information Freedom
  • Act C of 2003 on Electronic Communications (specifically §155)
  • 16/2011. s. Opinion on the EASA / IAB Recommendation on Best Practice for Behavioral Online Advertising.