GDPR – EN – Steak Trezor

Data protection and personal data handling policy

(Privacy notice)

1. General provisions

1.1. Preamble

The EU 2016/679 regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR, “the Regulation”) has become applicable in Hungary. Our company qualifies as a data processing controller therefore the regulation is applicable in regard to the personal data handled by the company.

1.2 The goal of this notice

The goal of this notice is to determine the governing regulations and principles applied and followed by NPK Charolles Szociális Szövetkezet (Controller or “the Company”) and to declare the Company’s data protection and data handling policy.

1.3 Relevant laws

Aside from the Regulation, when determining the content of this Notice the Company has taken into particular consideration the Act CXII of 2011 on the right to informational self-determination and on the freedom of information and the Act XLVIII. of 2008 on the conditions and particular limitations of commercial advertising.

1.4 Scope

The scope of this Privacy Notice extends to data processing activities performed by the Company in relation to their commercial activities. This especially includes data processing related to the websites https://npkbeef.com and https://steaktrezor.hu (Website, Websites).

Without contradictory notice, the scope of this Notice does not extend to services and data processing activities related to sales promotions, services, other campaigns or content of other, third party websites and providers advertised or shown by other means on the Websites.

Without contradictory notice, the scope of this Notice does not extend to services and data processing activities linked by the Websites. The scope of this Notice does not extend to data processing activities of other individuals or organizations from whose advertisement, newsletter or notification the Data Subject of this Notice was informed about the Websites.

1.5. Revisions to this Notice

1.5.1. The Company reserves the right to one-sidedly revise this Notice.

1.5.2. By visiting the Websites the Data Subject accepts the prevailing provisions of this Notice, without contradictory regulation, further consent by the Subject is not required.

2. Definitions

2.1. Data Processing

Any automated or non-automated operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronizing or connecting, blocking, erasing and destroying the data.

2.2. Controller

The natural or legal person, or organisation having no legal personality, which, within the framework laid down in an Act or in a binding legal act of the European Union, alone or jointly with others, determines the purposes of data processing, makes decisions or has them implemented by a processor.

2.3. Personal data or data

Any information related to a natural person identified or identifiable (Data Subject); a person can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.4. Data processor

The natural or legal person, or an organisation not having legal personality which, acting according to a mandate or instructions given by the controller, processes personal data.

2.5. Data Subject

The natural person who provides their personal data, or whose personal data is provided to the Company.

2.6. Third party provider

Any third party service providing partners enlisted directly or indirectly by the Controller or the operator of the Websites in order to provide particular services, to whom personal data is or may be forwarded or who forwards or may forward personal data to the Company in order to provide their services. Moreover, providers not related to the Company or to the operator of the services, but who by accessing the Websites collect data related to the Data Subjects that can be used by themselves or combined with other data to identify the Data Subject. During storage hosting provision the Company considers the Data Subject a Third party provider in relation to their data processing activities performed using the provided storage.

2.7. Notice

This data handling notice of the Company.

3. The identity and activities of the Controller

Name: NPK Charolles Szociális Szövetkezet
Headquarters: 0151/3 Szilágypuszta, 7720 Pécsvárad
Company Registration number: 02-02-060486
Phone number: 36302027610
E-mail: rendeles@npkbeef.com
Data protection officer: According to the Regulation the Company is not required to appoint a data protection officer
Post of the data protection officer: –
The controller is a Hungarian registered business organisation.

The controller operates the Websites that were created for the promotion and sale of the Company’s own services and products and other redistributed products. The company is in commercial relation with their suppliers and operates commercial units.

4. General policies of data handling

4.1. Lawfulness and fairness

The processing of personal data shall be performed fairly and lawfully in a clear and transparent manner to the Data Subject. The Company only processes personal data specified and required by binding legal acts or provided by the Data Subjects or the employers/contractors/clients of the Data Subjects for the purposes specified below. The range of processed personal data is proportional to the purposes of the data processing, and it shall not extend beyond these purposes.

4.2 Accuracy

The data shall be accurate, and necessary and relevant for the purposes of the data processing. If deemed necessary, the up-to-date status of the data shall be ensured.

4.3. Purposefulness

If the Company wishes to process obtained personal data for any purpose unrelated to the original purposes of the collection of this data, the Company notifies the Data Subject and acquires their prior, explicit approval while also offers the possibility to forbid the planned further use.

4.4. Appropriateness

The company does not verify the provided personal data. The provider is solely responsible for the appropriateness of the provided personal data.

4.5 Limited storability

Personal data shall be stored in a manner that allows the identification of the Data Subject only for the time necessary to achieve the purposes of the data processing.

4.6. Data protection of Data Subjects under the age of 16

Personal data of people under the age of 16 can only be processed with the permission of their legal guardian. As the company lacks the means to verify the legitimacy of the person giving the permission notice or the contents of this notice, the Data Subject and their legal guardian assures that the notice conforms to related legal acts. Without a permission notice the Company does not collect personal data of people under the age of 16.

4.7.

Aside from the data processors and third party providers specified in this notice, the Company does not provide access to collected personal data to third parties.

During processing, appropriate technical or organisational measures shall be applied to ensure the appropriate security of personal data.

The regulation declared in this article does not apply to statistically summarised data that must not include any further personal data suitable for the identification of the Data Subject.

In particular cases – official court order, police inquiry, legal procedure related to copyright breach, property infringement or other law violations, or thorough suspicion of these resulting in the harm of the Company’s interests or risks to the continuation of service provision – the Company provides access to available personal data of the Data Subject for third parties.

4.8.

In case of correction, modification, restriction or destruction of personal data, the Company notifies the Data Subject and all other parties to whom the Company forwarded the personal data for data processing. This notification requirement can be ignored if doing so does not violate the lawful entitlements of the Data Subject.

4.9.

According to the Regulation the Company is not required to appoint a data protection officer as the Company does not qualify as a public authority or public body, the Company’s activities do not include any operation that requires systematic and large scale surveillance of the Data Subjects, and the Company does not process sensitive data or data related to criminal convictions and offences.

5. Az adatkezelés jogalapja

5.1 A GDPR 6. cikke megállapítja, hogy az Érintettek személyes adatai mely esetben kezelhetők:

“1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

5.2.

With regard to the nature of the Company’s activities, the legal basis for data processing is mainly Data Subject’s voluntary consent based on proper notification (Act CXII of 2011 5.§ article (1) a)), during the preparations and of a contractual obligation and while in effect between the Company and the Data Subject or their employer/contractor/client, the above 5.1.b) point of the Regulation. Regarding the camera surveillance areas, the above 5.1.d) point of the Regulation. The Data Subject contacts the Company, registers on the Websites or uses the Company’s services of their own volition even if assigned to do so by their employer/contractor/client. The Company only processes data without the approval of the Data Subjects if a binding legal act clearly permits it.

5.3.

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

5.4.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal and of processings based on the above points 5.1.b) and/or 5.1.d) of the Regulation.

5.5.

Transferring data to processors specified in this Notice can be performed without additional consent by the Data Subject. Transferring data to third parties or legal authorities can only be performed on the basis of a binding legal decision or with the explicit prior consent of the Data Subject.

5.6.

On the premises of the Company open for customers and on the customer services surveillance cameras are in operation for property security reasons. The legal basis for this is article 6. paragraph (1) point d) of the Regulation.

5.7.

The controller records the visitors’ IP addresses on their Websites in relation to the provided service without the Data Subject’s specific consent, on the basis of the Company’s specific lawful right in order to ensure the lawfulness of the provided service (e.g. to filter unlawful usage and content).

5.8.

By providing their email address and registration information (e.g. username, identifier, password, etc.) the user takes responsibility for being the sole person using the services with the provided email address and other data. On the basis of this responsibility the person providing the data takes full responsibility for all logins and logged in activities using the email address and other data.

6. The purpose of data processing

The processing of personal data shall be performed fairly and lawfully in a clear and transparent manner to the Data Subject. The Company aims to process only personal data appropriate and necessary for the achievement of the data processing purposes. Personal data may be processed only to the extent and for the period of time necessary to achieve its purpose.

The main purpose of the data processing is to operate the Websites and to provide the Controller’s services, to create and fulfill their commercial and contractual relationships.

The purpose of data processing based on the above:

Providing online content.
Selling tickets online.
managing services online (ensuring information and controlling obligations related to services provided in existing contractual environment)
Identifying the Data Subject, keeping contact with the Data Subject.
Identifying the rights and entitlements of Data Subjects.
Aiding the customisation of adverts and services used by the Data Subject, and the use of convenience features.
Preparing contracts concluded by purchases on the Websites, fulfilling obligations related to such contracts by the Controller, enforcing their rights.
Providing compact, clear, transparent, accessible information for the Data Subject.
Creating and fulfilling legal transactions between the Company and the Data Subject within the scope of the Company’s activities.
Invoicing and collecting payment for paid services.
Fulfilling obligations and enforcing rights of the Controller.
Creating analyses and statistics, improving services – for this purpose the Company uses anonymised, summarised data inappropriate for identification.
With the explicit consent of the Data Subject, advertisement and research.
Providing the platform for the content created by the Data Subject (e.g. comments)
In unique cases organising prize competitions, contacting the winners and delivering the winnings.
Improving the IT system.
Protecting the rights of the Data Subject.

7.The source of Data

The Company only uses data provided by the Data Subject or by legal entities using the services (labour) of the Data Subject in relation to the preparation/fulfillment of the transaction. The Company does not collect data from other sources. The data provision is performed during the registration process of the Data Subject. The Data Subject provides their name, email address, password, phone number and company name.

In case the Data Subject registers for a sales promotion organised by the Controller and provides their data, according to the notice of that particular sales promotion the Data Subject consents to the processing of their personal data. In this case the Controller only processes data given during this sales promotion.

8. Scope of data processed

The Company only processes personal data specified in article 8. The processed data are the following:

The data processed by the Company can be categorised as follows:

Data required for registration: In the form of a registration process the Data Subject provides their first and last names, email address, password, phone number and the name of the represented company in order to perform online purchases or use free services on the Website.
Data provided for marketing purposes: The Company performs marketing activities during which the Data Subject provides their name, e-mail address, phone number and address. The basis for this data processing is the Data Subject’s consent, the primary purpose for data processing is to perform marketing inquiries, sending information and newsletters or a direct inquiry specified in Act XLVIII. of 2008. article 6 paragraph 1.
Data required for participation in professional training: The Data Subject provides their name, email address, phone number and address in order to participate in professional training provided by the Company.
Supplier data: During business partnership between the Company and their suppliers the Data Subject or their employer/contractor/client may provide the Data Subject’s name, email address and phone number. The legal basis for data processing is the fulfillment of contracts and legal obligations.
Data provided for Surveys and polling: During polls and surveys performed by the Company personal data processing, and recording takes place. The legal basis for this data processing is the article 9 paragraph (2) point e) of the Regulation.
Uploaded documents: The Data Subjects have the possibility – in some cases obligation – to upload photographs of personal documents to the website. The Company recommends the removal (according to article 10.) of all personal data from these uploaded documents that are not necessary for the completion of the legal transaction and are not required by the Company. If the Data Subject provides photographs of documents that include personal data, the legal basis for data processing is the consent of the Data Subject. The purpose of this data processing is to provide services on the Websites.
Invoicing information: If the Data Subject fulfills payment for the Company, the Company processes data related to payment and invoicing (payment method, details of the means of payment, in case of invoicing, customer name, address, Tax ID). The legal basis for this data processing is the consent of the Data Subject and the relevant binding legal measures. The purpose of this data processing is to complete invoicing and collect payment.
Data provided for authentication: The Data Subjects have the possibility – in some cases specified by the Company, obligation – to authenticate themselves according to article 11. The documents are handled according to article 11. The purpose of this data processing is the verification of the Data Subject’s identity.

Aside from the above mentioned the Company handles technical data, including IP addresses, according to article 13.

9. Description of the Data processing procedure

The source of personal data is the Data Subject or a legal entity in a legal relationship by employment/contract/business assignment with the Data Subject, who provides data by the means of (i) registration, (ii) preparation of legal transaction and/or (iii) by providing a statement related to a newsletter or to a direct inquiry conforming to the act XLVIII of 2008 6.§ point (1). Providing personal data required by the registration form is obligatory except if an explicit contradictory notice is given.

The Data Subject provides personal data voluntarily, the Company does not give any obligatory guidelines or requirements relating to the content provided. The Data Subject gives explicit content for the data processing. The Data Subject has the right to provide further personal data in their personal profile, the legal basis for this data processing is the consent of the Data Subject in this case as well.

In case the Data Subject registers on a sales promotion organised by the Company (e.g. on Facebook) and provides their personal data, accepts the privacy notice of that sales promotion. In this case the Data Subject does not register on the website, but gives consent for the processing of their personal data according to the notice of that sales promotion.

10. Data processing related to legal documents

The Websites offer the possibility – in certain cases, if the Data Subject is notified about it by the Websites, obligation – to provide personal documents in order to assist a legal transaction between the parties.

The Data Subject is offered the possibility – if a Company prescribed obligation is not in effect – to remove personal data from the provided documents. In case the Data Subject does not remove the data and the personal data is shared, the Data Subject gives consent for public sharing.

In case the Company does not prescribe the sharing of documents with included personal data and offers the possibility of data removal, the Company takes no responsibility for shared personal data.

11. Authentication

The purpose of the authentication process is to verify the identity of the Data Subject. The Company verifies that the intent for contracting arrives from a natural person. The Company removes all related personal data from the Websites after the authentication process is concluded, but stores that data in a separate storage until the legal basis for data processing terminates. The purposes of this data processing are the authentication of the Data Subject, the creation of a legal transaction and the lawful conclusion of that transaction.

12. Marketing related data processing and newsletters

If the Data Subject consents to it, the Company contacts the Data Subject using the provided contact information and sends advertisement in the form of direct inquiry. Advertisements can be sent by post, by phone (including SMS) or by email (including Messenger), all cases are based on consent by the Data Subject. The Data Subject can withdraw their consent at any time, without justification.

13. Cookies

The Company’s system can record the Data Subject’s IP address, the start time of the visit and in some cases – depending on computer settings – the types of the Web browser and operating system. These recorded data cannot be connected to other personal data. The data processing serves statistical purposes only. Cookies allow the Websites to recognise, authenticate and record previous visitors. These cookies help the Company as the operator of the Websites to optimize the Websites and to adjust the Websites’ services to the habits of the visitors. Furthermore cookies are capable to:

Record settings, so the visitor does not have to reset them when visiting new pages;
Record previously entered data, so the visitor does not have to type them again;
Analyze website usage in order to provide data for improvements on the website to meet the Data Subjects requirements and allow the Data Subject to find the requested information easier.
Monitor advertisement effectiveness.

In case the Company presents content on the Websites using third party services, it can result in storing cookies the Company does not control, so it does not have influence over the types of data collected by these websites and external domains. Information about these cookies can be found in the notices and regulations relating to the particular services.

The Company uses these cookies to present advertisements to the Data Subject using Google and Facebook. This data processing takes place without human involvement.

The Data Subjects can delete cookies in their web browsers (usually in the settings’ privacy section). By forbidding the usage of cookies the user acknowledges that the Website does not operate completely.

14. Data transfer

The Company transfers personal data only if the Data Subject gives explicit consent in the knowledge of the transferred dataset and the identity of the recipient, or the transfer is permitted by a legal measure.

The Company has the right and obligation to transfer all lawfully stored personal data to a competent authority that requested the data transfer via a binding legal measure. The Company cannot be held responsible for any consequence of such data transfer.

In all cases the Company documents data transfers and keeps records of data transfers.

15. Data processing

The Company is permitted to enlist a data processor. Data processors do not make independent decisions, they are only allowed to process data following the contract with the Company and the instructions given by the Company. The Company controls the work of the data processors. Data processors are only allowed to enlist further data processors with the consent of the Company. The Company must enlist only processors who provide appropriate guarantee on that they perform all appropriate technical and organisation measures required to protect the rights of the Data Subjects and the legal conformity of the data processing.

The data processor must not enlist further data processors without the Company’s prior ad hoc or general written authorization. In case of a general authorization the data processor informs the Company about all planned changes involving the enlistment of new data processors or the replacement of already enlisted ones, thus allowing the Company to raise an objection to these changes.

The Company specifies the enlisted data processors.

The data processors enlisted by the Company:

– Magyar Domain Kft. (8000 Székesfehérvár, Börgöndi Fő utca 19.)

– Mailgun Technologies, Inc. (535 Mission St. San Francisco, CA 94105)

16. External service providers

The Company uses services of external providers with whom the Company cooperates.

Regarding the personal data stored in the systems of external providers, the governing regulations can be found in the privacy policies of the external providers. The Company does everything in its power to ensure lawful processing of transferred data and exclusive usage according to terms specified by the Data Subject or by this Notice below.

The Company notifies the Data Subjects about data transfer to external providers in this Notice.

External Providers:

– Facebook (Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

– Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

– Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-7329, USA)

17. Tasks related to data protection

The company ensures data protection, takes technical and organisational measures and lays out rules of procedures required to enforce governing legal measures and data and secret protection rules. The Company takes the appropriate measures to protect data from unauthorized access, modification, transfer, publication, deletion, destruction, accidental destruction and inaccessibility due to changes to the technical infrastructure.

The Company and the data processor takes technical and organisational measures appropriate for the current state of science and technology, the expenses of realisation, the nature, scope, circumstances and purposes of the data processing and the varying risks to the freedom and rights to natural persons in order to guarantee data protection proportional to the level of related risks.

18. Time period of data processing

The Company deletes personal data in the following cases:

a) If the data processing turns out to have happened unlawfully, the Company immediately performs the deletion.

b) The Data Subject requests the deletion (except for data processings required by law). The Data Subject can request the deletion of data processed on the basis of consent. The Company deletes the data in this case. The deletion request can only be denied if the data processing is permitted by law. The Company notifies the Data Subject about the denial of deletion and the legal measure permitting the continued data processing in all cases.

c) The data turns out to be incomplete or incorrect and this state cannot be amended lawfully, given that the deletion is not precluded by law.

d) The purpose of data processing has ceased or the time period for storing the data prescribed by law has ceased. The deletion can be denied if

i)A legal measure permits further data processing

ii)The data is necessary for rights protection or enforcement.

e) The deletion is ordered by the court or by the National Authority for Data Protection and Freedom of Information. In case data deletion is ordered by the court or by the National Authority for Data Protection and Freedom of Information, the Company performs the deletion.

Instead of deletion – with the information of the Data Subject – the Company blocks the personal data if the Data Subject requests it or it can be presumed by the available information that the deletion would harm the Data Subject’s legal rights. The blocked personal data can only be processed until the data processing purpose that precluded deletion is in effect. The Company marks the processed personal data if the Data Subject disputes its accuracy or appropriateness but the inaccuracy or inappropriateness of that data cannot be determined definitely.

For data processings required by a legal measure, the governing deletion procedure is given by that legal measure.

During deletion the Company renders the data inappropriate for identification. If a legal measure prescribes it, the company destroys the data carrier medium.

The Company informs the Data Subjects about the denial of deletion in all cases with referral to the basis of the deletion denial. Following a fulfilled deletion request the deleted data is rendered unrestorable.

Unsubscription from the newsletters sent by The Company is possible via the unsubscription link sent in such newsletters. In case of unsubscription the Company deletes the Data Subject’s personal data in its database.

Automatically registered IP addresses are kept by the Controller for no more than 7 days.

In the case of emails sent by the Data Subject, if the Data Subject is not registered, the Controller deletes the email address 90days after the closure of the inquiry’s case, except if further data processing is the legal right of the Controller, until such legal right ceases to be in effect.

Personal data given by the Data Subject can only be processed until the Data Subject explicitly requests the termination of data processing in writing, even if the Data Subject does not withdraw their registration or during the withdrawal of registration only removes the possibility of further logins but comments and uploaded content remain stored. The request for data processing termination, without unsubscription from a service does not affect the Data Subject’s right to use that service, but the lack of personal data might render the Data Subject unable to use that service.

19. Rights of Data Subjects related to data processing

19.1.

The Company informs the Data Subject about data processing while making contact. The Data Subject has the right to request information about the data processing at any time.

The data subject has the right to request information about whether their personal data is being processed, and if so, they have the right to request access to processed personal data and to information about the purpose of the data processing, the categories of personal data involved, the categories of recipients to whom the personal data was or will be transferred, and the planned interval of data storage or if determining that interval is not possible the aspects of determining the interval. The Data Subject has the right to request the modification, removal or restriction of usage of their personal data and has the right to object to the processing of such data. Furthermore they have the right to raise a formal objection to the competent authorities.

19.2.

The Data Subject has the right to request the rectification of their personal data without undue delay. The Data Subject has the right to request the supplementation of their personal data, taking into account the purpose of the data processing, with a supplementary statement, among other possible means.

19.3.

The Data Subject has the right to request the removal of their personal data with the exclusion of data processing prescribed by legal measures. The Company informs the Data Subject about the removal.

19.4.

The Data Subject has the right to object to the processing of their personal data according to the Act CXII of 2011.

19.5.

The Data Subject can send their request for information, rectification or removal in writing in mail addressed to the Company’s headquarters or in email addressed to adatvedelem@npkbeef.com

19.6.

The Data Subject can request the Company to block further processing of their personal data if they dispute the accuracy of the data being processed. In this case the blocking period lasts until the Company can verify the accuracy of the data. The Company marks the processed personal data if the Data Subject disputes its accuracy or appropriateness but the inaccuracy or inappropriateness of that data cannot be determined definitely.

The Data Subject can request the Company to block further processing of their personal data even if the data processing is unlawful but the Data Subject objects to the data being removed.

The Data Subject can even request the Company to block further processing of their personal data if the purpose of the data processing has ceased, but the Data Subject requires the Company to handle their personal data for the protection or enforcement of their legal rights or claims.

19.7.

The Data Subject has the right to request the personal data provided to the Controller by them in an articulated, widely used, machine legible format and has the right to transfer these data without hindrance by the original recipient of these data.

19.8.

In case the Company does not fulfill the Data Subject’s request for rectification, blocking or removal, it informs the Data Subject about the reasons for the refusal. In case of one such refusal the Controller informs the Data Subject about the possibilities of legal remedies by the court or by the National Authority for Data Protection and Freedom of Information.

19.9.

The Data Subject can make the statements above on the Controller’s contact provided in article 2.

19.10.

The Data Subject can send their objection directly to the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). The Data Subject has the right to seek legal remedy according to Act CXII of 2011. 22. § (1). The court has jurisdiction to hear the case. The lawsuit may also be instituted before the court of the data subject’s place of residence or stay, at the choice of the data subject. Upon request, the Data Controller shall inform the Data Subject in detail about the possibility and means of legal remedies.