PRIVACY POLICY

GD Gép és Daru Rakodástechnikai Gépgyártó és Kereskedelmi Kft.
Head office: 1119 Budapest, Kelenvölgyi határsor 5.
Company registration number: 01-09-693138
Tax number: 12572382-2-43

Created by Value Data Solutions Kereskedelmi és Szolgáltató Kft.
Registered office: 6050 Lajosmizse, Bajcsy-Zsilinszky u. 78.
Company registration number: 03-09-131294
Tax number: 25947539-2-03
Vincze Katalin Gizella – Data Protection Officer

I. PURPOSE, SCOPE AND DEFINITION OF THE DATA CONTROLLER

The purpose of this Policy is to define the fundamental rules for the processing of data so that data controllers respect the privacy of natural persons. It applies to all data processing and data handling activities conducted within the territory of Hungary that pertain to the data of natural persons, as well as public data or data of public interest. The policy has been established based on the following applicable laws:

– Act CXIX of 1995 on the Processing of Name and Address Data for Research and Direct Marketing Purposes

– Act CVIII of 2001 on certain aspects of electronic commerce services and information society services

– Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information

– Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46

  • The Fundamental Law of Hungary
  • Act V of 2013 on the Civil Code
  • Act I of 2012 on the Labor Code
  • Act C of 2012 on the Criminal Code
  • Act C of 2003 on Electronic Communications
  • Act CLXV of 2013 on Complaints and Public Interest Disclosures
  • Act XCII of 2003 on the Rules of Taxation
  • Act L of 2013 on the Electronic Information Security of State and Local Government Bodies
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising
  • Act C of 2000 on Accounting
  • Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing
  • Act CLI of 2017 on the Rules of Tax Administration
  • Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archival Material
  • Act CLXIV of 2005 on Trade
  • Act LXXXVIII of 2012 on Market Surveillance of Products
  • Act LXXVI of 2009 on the General Rules of the Commencement and Pursuit of Service Activities
  • Act C of 1990 on Local Taxes
  • Government Decree 57/2013 (II. 27.) on Certain Manufacturing and Service Activities Exercised Based on a Site License or Notification of the Establishment of a Site, and on the Rules of Site Licensing and Notification

Prepared in: Lajosmizse, May 30, 2018

Data Controller Information:

Company Name: GD Gép és Daru Rakodástechnikai Gépgyártó és Kereskedelmi Kft.

Company Registration Number: 01-09-693138

Headquarters: 1119 Budapest, Kelenvölgyi határsor 5.

Site: 6050 Lajosmizse, Gyártelep 2.

Tax Number: 12572382-2-43

Data protection officer involved in the preparation of this privacy policy, contact details:

Value Data Solutions Kft. (6050 Lajosmizse, Bajcsy-Zsilinszky u. 78.) – Katalin Gizella Vincze – v.datakft@gmail.com

GD Gép és Daru Rakodástechnikai Gépgyártó és Kereskedelmi Kft. (hereinafter referred to as the “Data Controller”) takes special care to protect personal data during its activities, ensuring compliance with mandatory legal provisions and ensuring secure and fair data processing. The Data Controller processes the personal data provided to it in accordance with the applicable Hungarian and European laws and ethical standards, and always takes the necessary technical and organizational measures to ensure secure data handling.

The Data Controller reserves the right to change the privacy policy and, in such cases, will publicly announce the modified policy. The most important principles affected by the current policy are as follows:

Personal data may only be processed if the data subject consents—written consent is required for special categories of data—or if it is ordered by law or, within the scope defined by law, by a local government decree.

Personal data may only be processed for a specific purpose, to exercise rights, or to fulfill obligations. The data processing must meet these purposes at all stages.

Only personal data that is essential for achieving the purpose of the data processing, and is suitable for achieving that purpose, may be processed, and only to the extent and for the time necessary for the realization of the purpose.

II. DEFINITION OF THE PURPOSE OF INTERNAL DATA PROCESSING 

During its economic activities, GD Gép és Daru Rakodástechnikai Gépgyártó és Kereskedelmi Kft. acts in accordance with the provisions set out in this policy. The primary economic activity of GD Gép és Daru Rakodástechnikai Gépgyártó és Kereskedelmi Kft. is the manufacturing of lifting and material handling equipment. This policy governs the handling of all personal data obtained by the company during its various activities.

Data processing refers to any operation or set of operations performed on data, regardless of the method used, such as collection, recording, organization, storage, alteration, use, retrieval, transmission, dissemination, alignment, or combination, blocking, erasure, and destruction, as well as preventing further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for personal identification.

In relation to customers, the primary objective is to uphold the principle of purpose limitation when handling personal documents in compliance with anti-money laundering legislation. When copying identification documents, the company always obtains the customer’s consent and provides information about the duration and purpose of the records.

The Data Controller may contact clients for business purposes via electronic communications, provided that the clients have given their consent. The Data Controller will not disclose tax secrets or any other documents provided by clients to third parties without the client’s written consent, except as required by law. The Data Controller will maintain the confidentiality of any business secrets that come to its knowledge and will not disclose them to third parties.

Further responsibilities of the Data Controller include:

  • Ensuring compliance with applicable legal regulations (e.g., the Labor Code, the Personal Income Tax Act, the Accounting Act, the Taxation Act) when registering and maintaining data of employees, clients, contractors, and patients.
  • Destroying personal documents copied for contracts if the initiated business negotiations do not lead to a successful outcome.
  • Preparing confidentiality agreements and adhering to business secrecy requirements, with written warnings to concerned parties (employees, business partners, accounting service providers) about the legal consequences of violations.
  • Restricting employee access to client data and thoroughly documenting physical, operational, and technical security requirements.
  • The legal basis for data processing is the legitimate interest of the company, which may be based on statutory requirements, contractual obligations, or voluntary consent, aimed at demonstrating compliance in the event of a potential legal dispute. The data processing legal bases used in this policy were determined following a balancing test.

III. DEFINING INTERNAL DATA PROTECTION MEASURES AND SECURITY OF DATA PROCESSING

The Data Controller protects data particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction and damage. In cooperation with the server operators, the Data Controller ensures the security of data through technical, organizational, and structural measures that provide an appropriate level of protection against the risks associated with data processing.

The data subject may provide consent within the framework of a written contract with the Data Controller for the purpose of fulfilling the contractual terms. In such cases, the contract must include all necessary information that the data subject needs to know concerning the processing of their personal data, such as the specification of the data to be processed, the duration of the processing, the purpose of use, data transmission, and the involvement of a data processor. The contract must unambiguously state that the data subject consents to the processing of their data as specified in the contract by signing it.

The right to the protection of personal data and the personality rights of the data subject cannot be infringed by other interests related to data processing, including the public disclosure of data of public interest, unless otherwise provided by law.

The storage, disposal, use, processing, and transmission of data are conducted in compliance with legal regulations, with precise documentation. The activities mentioned above are logged and tracked through the system operated by the company.

The deletion, correction, or blocking of data and the associated records are documented in the logs of the programs used by the company. This policy outlines the provision of the right to object for individuals, the basis for refusal (citing relevant legal provisions), and the method for identifying the data subjects. In the event of a data breach, the protocol involves promptly contacting the system operator after informing the company’s representative to prevent further data loss. The primary task following a data breach is to inform the data subjects, with the involvement of the data protection officer, and to provide a detailed report of the measures taken, including, if possible, organizing data recovery with expert assistance.

Including the customer’s address on invoices is a legal obligation. In this case, the legal basis for data processing is Section 13/A(2) of the E-Commerce Act, under which our company may process personal data related to the use of the service for the purpose of invoicing fees arising from the contract for the provision of the service. The duration of data processing is based on the obligation to retain accounting documents directly or indirectly supporting accounting entries for eight years as stipulated in Section 169(2) of Act C of 2000 on Accounting.

Our company provides customers and interested parties with the option to contact us via email. The email address is necessary for user identification. The legal basis for data processing in this case is the data subject’s consent, based on Section 5(1)(a) of the Information Act. Data will be processed for this purpose until the withdrawal of consent or, at the latest, one year after the last correspondence. After this, your data will be deleted from our contact list.

Following the conclusion of electronic correspondence, our entitlement to process personal data ends with the fulfillment of the contractual purpose. However, to demonstrate that we have fulfilled the contract appropriately and provided the services we committed to, it is necessary to retain these system messages for five years after sending, in accordance with Section 6:22 of Act V of 2013 on the Civil Code.

The Data Controller uses the services and assistance of the following website and server service providers for its activities:

Website: www.gepesdaru.com

RackForest Informatikai Kereskedelmi Szolgáltató és Tanácsadó Zrt. (1132 Budapest, Victor Hugo u. 11. Company registration number: 01-10-142004, Tax number: 32056842-2-41)

NEFTY Informatika Korlátolt Felelősségű Társaság (6050 Lajosmizse, Kossuth Lajos utca 52. Company registration number: 03 09 118486, Tax number: 14840902-2-03)

COEL Számítástechnikai Korlátolt Felelősségű Társaság (1116 Budapest, Sopron út 64. A.N.D. Irodaház. ép. Company registration number: 01 09 563209, Tax number: 12186765-2-43)

IV. RIGHTS OF DATA SUBJECTS

The Data Controller processes personal data in all cases based on legal requirements or voluntary consent. In certain cases, data processing, in the absence of consent, is based on other legal grounds or on Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR). The data subject may request information from the Data Controller regarding the processing of their personal data, request the correction of their personal data, as well as the deletion or blocking of their personal data, except in cases of mandatory data processing.

Upon the data subject’s request, the Data Controller provides information about the data processed by them or by a data processor assigned by them, the source of the data, the purpose, legal basis, and duration of the data processing, the name and address of the data processor, and the nature of its activities related to data processing, the circumstances of any data protection incidents, their effects, and the measures taken to mitigate them. In the case of data transmission, the Data Controller also provides information about the legal basis and the recipient of the data transfer.

The Data Controller deletes personal data if its processing is unlawful, if the data subject requests it, if the data is incomplete or incorrect (and this condition cannot be legally corrected), provided that deletion is not precluded by law, if the purpose of data processing has ceased, the legal retention period of the data has expired, or if it is ordered by a court or the data protection authority.

The Data Controller notifies the data subject and all those to whom the data was previously transmitted for data processing purposes about the correction or deletion. The notification may be omitted if, in view of the purpose of the data processing, this does not violate the legitimate interest of the data subject. The user is responsible for the accuracy of the provided personal data.

The data subject may object to the processing of their personal data if the processing or transmission of personal data is necessary solely for the enforcement of the rights or legitimate interests of the Data Controller or the data recipient, except when the processing is required by law, or if the personal data is used or transmitted for direct marketing, public opinion polling, or scientific research purposes, or if the right to object is otherwise permitted by law.

The Data Controller is required to investigate the objection, while simultaneously suspending the data processing, within the shortest possible time from the submission of the request but no later than 15 days, and inform the applicant in writing of the outcome. If the objection is justified, the Data Controller must terminate the data processing, including further data collection and transmission, and block the data. Additionally, the Data Controller must notify all parties to whom the personal data affected by the objection was previously transmitted and who are required to take action to enforce the right to object.

If the data subject’s rights are violated, they may take legal action against the Data Controller or appeal to the data protection authority.

V. DEFINITIONS

In our policy, data protection terms are defined as follows:

Personal Data: Any information related to an identified or identifiable natural person (hereinafter referred to as the data subject), or from which conclusions about the data subject can be drawn. Personal data retains this quality throughout the processing as long as the link with the data subject can be restored. A person is considered identifiable if they can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, or one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Consent: A voluntary and explicit expression of the data subject’s will, based on appropriate information, by which they give unambiguous consent to the processing of their personal data, either fully or for specific operations.

Objection: A declaration by the data subject opposing the processing of their personal data, requesting the termination of data processing, and the deletion of the processed data.

Data Controller: The natural or legal person, or the organization without legal personality, who alone or jointly with others determines the purposes and means of the processing of personal data, makes and implements decisions regarding data processing (including the means used), or has them implemented by a data processor.

Data Processing: Any operation or set of operations performed on data, regardless of the procedure used, such as collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment, or combination, blocking, deletion, and destruction, as well as the prevention of further use of data, taking of photographs, sound or video recordings, and recording of physical characteristics suitable for identifying a person.

Data Transfer: Making data accessible to a specific third party.

Disclosure: Making data accessible to anyone.

Data Deletion: Making data unrecognizable in such a way that it can no longer be restored.

Data Marking: Indicating data with an identifier to distinguish it.

Data Blocking: Indicating data with an identifier to limit its further processing either permanently or for a specified period.

Data Destruction: The complete physical destruction of the data carrier containing the data.

Data Processing Operations: The technical tasks related to data processing, regardless of the methods and tools used, and the location of the application, provided that the technical task is performed on the data.

Data Processor: A natural or legal person, or an organization without legal personality, who processes data on behalf of the Data Controller, based on a contract, including contracts concluded based on legal provisions.

Data Set: The totality of data processed in a single record system.

Third Party: A natural or legal person, or an organization without legal personality, who is not the same as the data subject, the Data Controller, or the data processor.

EEA State: A member state of the European Union and any other state party to the Agreement on the European Economic Area, as well as any state whose citizens enjoy the same legal status as citizens of a state party to the Agreement on the European Economic Area based on an international treaty between the European Union and its member states and a state not party to the Agreement on the European Economic Area.

Third Country: Any state that is not an EEA state.

Data Protection Incident: The unlawful handling or processing of personal data, including unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction or damage.

SUPERVISORY AUTHORITIES:

Competent District Court – for civil law matters

In case of data protection incidents or misuse of personal data:

Name: National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Phone: 06-1-391-1400

Fax: 06-1-391-1410

Email: ugyfelszolgalat@naih.hu

Website: naih.hu

Lajosmizse, May 30, 2018.

Prepared by: Value Data Solutions Ltd. – Katalin Gizella Vincze, Data Protection Officer