INFORMATION ON DATA HANDLING

Introduction

VP Logisztika Kft. (address: 4400 Nyíregyháza, Derkovits utca 132-136; Tax number: 13095642-2-15) further to be mentioned as Service Provider, Data Handler hereby subjects itself to the following:

In accordance with Decree 2016/679 of the European Parliament and the Council (EU) issued on April 27th, 2016 we hereby provide the following information on the protection of handling natural entities’ personal data and the free flow of such data, and also the elimination of Decree 95/46/EC (decree on general data protection):

Present data handling information regulates the data management of the following website: https://vplogisztika.hu/

The data handling information can be accessed on the following page: link

Any amendments in the information shall come into effect by publishing them on the above page.

The Data Handler and its contact information:

Name: VP Logisztika Kft

Official address: 4400 Nyíregyháza, Derkovits utca 132-136.

E-mail: info@vplogisztika.hu

Contact information of the data protection official:

Name:

Address:

E-mail:

Telephone:

Terminology

„personal data”: any information related to an identified or identifiable natural entity (i.e. “person affected”); a natural entity is identifiable if – directly or indirectly – especially through any identifier such as name, number, location, online identifier or the natural entity’s physical, physiological, genetic, intellectual, economic, cultural or social characteristic(s) can be identified;
„data handling”: any operation or series of operations carried out on personal data or databases in an automated or non-automated way including collection, recording, management, grouping, storing, transformation or changing, searching, insight, usage, publication via forwarding, dissemination or any other way of disclosure, harmonization or connecting, limiting, deleting or destroying;
„data handler”: a natural or legal entity, body of public authority, agency or any other body which determines the goals and means of the handling of personal data alone or with others; if the goals and means of data handling are determined by EU or Member State law, then the data handler or the aspects of assigning a data handler can be determined by EU or Member State law;
„data processor”: a natural or legal entity, body of public authority, agency or any other body which handles personal data on behalf of the data handler;
„addressee”: a natural or legal entity, body of public authority, agency or any other body to which the personal data are sent regardless if it is a third party. Bodies of public authority which can access personal data in an individual examination in accordance with the EU or Member State law do not qualify as addressee; the handling of the mentioned data by these bodies of public authority must comply with the relevant data protection regulations in accordance with the goals of the data handling;
„statement of consent by the person affected”: voluntary and unambiguous declaration of the affected person’s intention based on distinct and proper information, in which the person affected indicates through a declaration or an act expressing confirmation without doubt that they approve of the handling of personal data related to them;
„data protection incident”: a breach of security which results in the accidental or illegal destruction, loss, alteration, illegal publication of or unauthorized access to personal data forwarded, stored or handled in any other way.

Principles on the handling of personal data

Personal data

must be handled according to the law and respectfully, and in a way that is transparent to the person affected („legality, respectful process and transparency”);
should be collected with specific, unambiguous and legal goals, and must not be handled in a way that is unrelated to those goals; in accordance with Article 89 (1) it is not considered unrelated to the original goals if they are further processed for the sake of archiving for public interest, scientific or historical research or statistics („linked to the goals”);
must be adequate and relevant to the goals of data handling and should be limited to the necessary level („data economics”);
must be accurate and, if necessary, up-to-date; all sensible measures must be taken so that personal data that are inaccurate in relation to the goals of data handling be deleted or corrected without delay („accuracy”);
must be stored in a way which enables the identification of the person affected only for the period of time needed to achieve the goals of the data handling; personal data may be stored for a longer period of time than that only if the handling of personal data is aimed at archiving for public interest, scientific or historical research or statistics as described in Article 89 (1), observing the proper technical and organizational measures stipulated in the regulation for the protection of the affected person’s rights and freedoms („limited storage”);
must be handled in a way so that by taking proper technical or organizational measures proper security of the personal data be enabled, including the protection of the data against unauthorized or illegal handling, accidental loss, destruction or damage („integrity and confidentiality”).

The Data Handler is responsible for complying with the above, furthermore, must be able to present verification of that compliance („accountability”).

Data handling

Data handling when operating an online store

The fact of data handling, range of data handled and the goals of data handling:

Personal Data	The goals of data handling
User name	Identification, enabling registration
Password	Secure entry to user’s account
First and last name	Needed for making contact, purchase and the formal issue of invoice
E-mail address	Keeping contact
Telephone number	Keeping contact, solving issues of invoicing and shipping effectively
Invoiced name and address	Formal issue of invoice, making the contract, determining the contents of the contract, making amendments and following the fulfillment of the contract, calculating and invoicing the fees, as well as enforcing claims pursuant to that contract

Neither the user name nor the e-mail address require to contain any personal data.

The scope of persons affected: All persons affected who registered/requested an offer on the website
Duration of data handling, date of deleting data: immediately upon deleting registration. With the exception of accountancy forms, since Accountancy Act C of 2000, 169. § (2) obliges merchants to keep these data for the period of 8 years.

Accountancy forms that directly and indirectly support accountancy clearance (including general ledger accounts, analytical as well as detailing records) need to be stored for at least 8 years in a readable form and in a way which enables regaining on the basis of references in the accountancy records.

Scope of possible data handlers entitled to access the data, the addressee of the personal data: Personal data may be handled by the sales and marketing staff of the Data Handler, observing the above principles.
Informing the person affected about their rights regarding data handling:
The person affected may request the Data Handler to grant them access to their personal data, and enable them to correct and delete them or limit the handling, and
may protest against the handling of such personal data, as well as
have the right of data portability and withdrawal of their consent at any given time.
The person affected can initiate the access to the personal data, their deletion, amendment or limitation of their handling, the portability or protest against their handling in the following ways:
via mail at the address of 4400 Nyíregyháza, Derkovits utca 132-136,
via sending e-mail to ugyvezeto@vplogisztika.hu

The legal base of data handling:

Satement of consent by the person affected as in Article 6 (1) Point a) in Information Act §5 (1),

Act CVIII of 2001 on certain issues of Electronic Commerce and Information Society Services (to be referred to as Elcomm Act) Section 13/A. § (3):

Service providers shall be authorized to process personal data in connection with providing the service, to the extent absolutely necessary for technical reasons. Where all relevant conditions remain unaltered, service providers shall install equipment for the provision of information society services – and operate under all circumstances – with facilities to ensure that the processing of personal data takes place only when it is absolutely necessary for providing the services and to meet the objectives set out in this Act; however, under no circumstances may they exceed the extent required in terms of time and volume.

When issuing the invoice pursuant to the accountancy regulations Article 6 (1) Point c)
We hereby inform you
that handling your data is based on your consent.
You are obliged to provide your personal data so that we can fulfill your order.
If you fail to provide the data, as a consequence it will result in our failure to process your order.

Data processors engaged

Storage space provider

Activity of the data processor: providing space for data storage
Name and contact information of the data processor: TeraHost Kft, 2220 Vecsés, Kinizsi utca 73, Company Registration number: 13-09-153911, Tax number: 23810329-2-13, info@teratarhely.hu, +36 30 690 9394
The fact of data handling, range of data handled: all personal data provided by the person affected
Range of persons affected: all persons affected who use the website
The goal of data handling: making the website accessible and properly operable
Duration of data handling, time of deletion: data handling lasts until the termination of the contract between the Data Handler and the storage space provider, or until the person affected requests the storage space provider to delete their data.
The legal base of data processing: the user’s statement of consent, Information Act §5 (1) Article 6 (1) Point a), and Section 13/A. § (3) of Act CVIII of 2001 about certain issues of Electronic Commerce and Information Society Services

Handling cookies

Cookies characteristic of websites so called „cookies used for password-protected workflows”, „cookies needed for shopping baskets” and „security cookies”, whose usage does not require the prior consent of the person affected.
The fact of data handling, scope of data handled: individual identification number, dates, times
Scope of persons affected: all persons affected who visit the website
The goal of data handling: identifying the users and tracking visitors
Duration of data handling, time of deleting the data:

Type of cookie	Legal base of data handling	Duration of data handling	Range of data handled
workflow cookies (session)	Act CVIII of 2001 about certain issues of Electronic Commerce and Information society Services (to be referred to as Elcomm Act) Section 13/A. § (3)	The period lasting till the end of the related workflow	connect.sid

Scope of possible data handlers entitled to access the data: by using cookies the data handler does not handle personal data.
Informing the person affected about their rights regarding data handling: the person affected can delete the cookies using Tools in the Setting menu of their browser usually under Data Protection.
Legal base of data handling: no consent of the person affected is needed if the sole purpose of using cookies is forwarding information through the electronic information network or if they are definitely needed by the service provider to provide information society services and specifically requested by the subscriber or user.

Using Google AdWords conversion tracking

The Data Handler uses the online advert software called „Google AdWords”, furthermore, it uses the conversion tracking service of Google. Google conversion tracking is the analysing service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; „Google“).
When a user lands at a webpage via a Google advert, a cookie is placed on their device for conversion tracking. The validity of these cookies is limited and do not contain any personal data so the user can not be identified by them.
When the user is browsing certain pages of the website, and the cookie is still valid, then Google and the Data Handler can see that the user clicked on the advert.
Every Google AdWords client receives an individual cookie, therefore it can not be tracked through the websites of AdWords clients.
The information attained with the help of conversion tracking cookies serves the purpose of creating conversion statistics for clients using AdWords conversion tracking. Thus the clients are informed about the number of users who click on their adverts and are redirected to the page given a conversion tracking label. However, they are not given any information that would allow the identification of the user.
If you do not wish to participate in conversion tracking, you may reject it by banning the placement of cookies on your device in your browser. That way you will not be part of the conversion tracking statistics.
Further information and the data protection declaration of Google can be accessed here: www.google.de/policies/privacy/

Application of Google Analytics

this website uses the application called Google Analytics, which is the web analysing service of Google Inc. („Google”). Google Analytics uses text files so-called cookies, which are saved on your device, thus promoting the analysis of how the websites visited by the users are used.
The information created by the cookies in connection with the websites visited by the user are usually sent and stored on one of the servers of Google in the USA. By activating IP anonymization on the website Google preliminarily shortens the user’s IP address within the Member States of the EU or in other states participating in the agreement on the European Economic Area.
Sending the entire IP address to Google’s server in the US and shortening it there only happen in exceptional cases. On the commission of the operator of this website Google will use the information for analysing how the user uses the website, making reports about the website’s activities for the operator of the website and for providing further services related to the usage of the website and the Internet.
Google will not merge the IP address sent by the user’s browser within the frame of Google Analytics with their other data. The user may prevent the storage of cookies on their device by appropriate settings in the browser, however, we will draw their attention to the fact that not all functions of the website may be entirely available for them in that case. Furthermore, the user may prevent Google from collecting and processing data from cookies related to their usage of the website (including their IP address) if they download and install the browser plugin accessible through the following link: https://tools.google.com/dlpage/gaoptout?hl=hu

Newsletter, DM activity

Pursuant to § 6 of Law XLVIII of 2008 about the fundamental conditions and certain restrictions of commercial advertising activities the users may previously and specifically approve that the service provider can send them commercial offers and other materials using the contact information provided during registration.
Furthermore, users may approve that the service provider can handle their personal data needed for the shipping of said commercial offers, observing the terms laid down in the present information package.
The service provider does not send unsolicited commercial messages, and the users may unsubscribe to receiving the offers free of charge without limitations and without giving a reason. In that case the service provider will delete all of the user’s personal data needed for sending the commercial messages in the records and will not send any more commercial offers to the user. The user may unsubscribe to receiving the commercial messages by clicking the link provided in the message.
The fact of collecting data, the range of data handled and the goal of data handling:

Personal data	Goal of data handling
Name, e-mail address	Identification, allowing the subscription to the newsletter
Date of subscribing	Carrying out technical operation
IP address upon subscribing	Carrying out technical operation

Scope of persons affected: all persons affected who subscribe to the newsletter
Goal of data handling: sending electronic messages containing advertisement (e-mail, text message, push message) to the person affected, providing information about current details, products, promotions, new functions etc.
Duration of data handling, time of deleting data: until the withdrawal of the consent i.e. data handling lasts until unsubscription.
Registration number of the data handling: in process
Scope of possible data handlers entitled to access the data, the addressee of the personal data: Personal data may be handled by the sales and marketing staff of the Data Handler, observing the above principles.

Informing the person affected about their rights regarding data handling:

The person affected may request the Data Handler to grant them access to their personal data, and enable them to correct and delete them or limit the handling, and
may protest against the handling of such personal data, as well as
have the right of data portability and withdrawal of their consent at any given time.

The person affected can initiate the access to the personal data, their deletion, amendment or limitation of their handling, the portability or protest against their handling in the following ways:

via mail at the address of 4400 Nyíregyháza, Derkovits utca 132-136,
via sending e-mail to ugyvezeto@vplogisztika.hu
by phone, calling +36 70 267 3914

The person affected may at any time unsubscribe to the newsletter free of charge.
The legal base of data handling: the statement of consent by the person affected, Information Act §5 (1) Article 6 (1) Point a), and § 6 (5) of Law XLVIII of 2008 about the fundamental conditions and certain restrictions of commercial advertising activities:

Advertisers, advertising service providers or publishers of advertising shall maintain records on the personal data of persons who provided the statement of consent to the extent specified in the statement. The data relating to the person to whom the advertisement is addressed may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons subject to the express prior consent of the person affected.

We inform you that

data handling is based on your consent.
you are obliged to provide personal data, if you wish to receive newsletters from us.
if you fail to provide your data, it will result in not being able to receive the newsletter from us.

Social media sites

The fact of data collection, the range of data handled: your user name registered with Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. and the associated public profile image.
Scope of persons affected: all affected persons who have registered on social media sites like Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. and liked the website.
The goal of data collection: to share certain contents, products, promotion of the website or the website itself on social media, to attract likes, promoting the site
The duration of data handling, time of deleting data, scope of possible data handlers entitled to access the data, informing the person affected about their rights concerning data handling: the person affected may get informed about the data sources, their handling, the way of transfer and the legal base on the given social media site. The handling of data is done on the social media sites, therefore the duration of data handling, its mode as well as the way of deletion and alteration are all subject to the regulations of the given social media site.
The legal base of data handling: the affected person’s voluntary statement of consent to handling their personal data on the social media sites

Customer relations and other data handling

If there are any questions regarding our data handling activity, or the person affected might have any relevant problem, the Data Handler can be contacted in the various ways provided on the website (by telephone, e-mail, social media sites etc.)
The Data handler will delete the received e-mails, messages, and data given via telephone, Facebook etc. along with the name, e-mail address and any other personal data of the inquirer provided voluntarily within 2 years from providing those data.
Information about data handling not stipulated in this present information package will be provided upon handing over the data.
Upon exceptional requests of authorities or pursuant to regulations in the case of requests from other bodies the service provider is obliged to provide information, issue and hand over data or allow the viewing of documents.
In these cases the service provider will issue personal data only to the extent that is absolutely necessary for the purpose of the request – if the exact purpose and the scope of data are given by the inquiring body.

The rights of the person affected

The right of access

You have the right to get an answer from the Data Handler to the question whether your personal data are being handled, and if they are, you have the right to get access to your personal data as well as the information listed in the regulation.

The right of correction

You have the right to request the Data Handler to correct your inaccurate personal data without delay. Observing the goals of data handling, you have the right to request that your missing personal data be added via a supplementary declaration beside other things.

The right of deletion

You have the right to request the Data Handler to delete your personal data without delay, and the Data Handler is obliged to delete your personal data without delay in certain conditions.

The right to be forgotten

If the Data Handler has disclosed personal data, and they have to be deleted, the Data Handler, while observing available technology and the implementation costs, takes the steps including technical measures that can reasonably be expected in order to inform the data handlers that handle the data about your request to delete the links leading to your relevant personal data or copies of these personal data.

The right to limit data handling

You have the right to request the Data Handler to limit data handling if any of the conditions below occur:

You impugn the accuracy of your personal data: in that case the limitation is for the period of time which is necessary for the Data Handler to check the accuracy of your personal data;

data handling is illegal, and you object to the deletion of your personal data, instead, you request the limitation in their usage;

the Data Handler no longer needs your personal data for handling but you demand to have them for the submission, enforcement or protection of legal claims;

You have protested against data handling: in that case the limitation is for the period of time needed until it becomes clear whether the rightful reasons of the Data Handler are in priority versus your rightful reasons.

The right of data portability

You have the right to receive data related to you or personal data handed over to the Data Handler by you in a form that is segmented, widely used and digitally readable, furthermore, you have the right to forward these data to another data handler without the Data Handler you handed the data over to preventing it (…)

The right to protest

You have the right to protest at any time – for reasons related to your situation – against the handling of your personal data (…) including the profiling based on the mentioned regulations.

Protest against direct marketing

If the handling of personal data is aimed at direct marketing, you have the right to protest at any time against the handling of your personal data including profiling for that purpose. If you protest against the handling of your personal data for the purpose of direct marketing, then your personal data can no longer be handled for that purpose.

Automated decision making in individual cases including profiling

You have the right to not have the effect of any decision making exclusively based on automated data handling including profiling which would result in a legal effect on you or relate to you to a similarly significant extent.

The previous paragraph is not applicable if the decision

is necessary for making or fulfilling the agreement between you and the Data Handler;
is allowed to be made by EU or Member State law effective on the Data Handler which also states measures related to the protection of your rights, freedoms and rightful interest; or
is based on your express consent.

Deadline for action

The Data Handler shall inform you about the measures taken regarding your mentioned requests without delay but definitely within 1 month from receiving the request.

This deadline may be extended by 2 months if need be. The Data Handler shall inform you about the extention of the deadline along with the reasons behind it within 1 month from receiving the request.

If the Data Handler does not take measures regarding your request, they shall inform you without delay but within one month from receiving the request at the latest about the reason(s) behind it, furthermore, about your option to make a complaint at one of the supervisory authorities, and that you may have the choice of legal action.

Safety of data handling

Observing the current state of science and technology, the costs of implementation as well as the way, range, circumstances and goals of data handling, the variable likelihood and seriousness of risks posed to the rights and freedoms of natural entities, the Data Handler and data processor take appropriate technical and organizational measures in order to guarantee a level of data safety proportionate to the extent of the risks including but not limited to in certain cases:

pseudonymization and encrypting personal data;
continuously providing the confidentiality, integrity, availability and resistance of the systems and services utilized for the handling of personal data;
the ability to regain access to personal data and insure availability of the data in due time in case of a physical or technical incidence;
the process implemented for the regular testing, assessing and evaluating the effectiveness of technical and organizational measures that guarantee the safety of data handling.

Informing the person affected by a data protection incident

If a data protection incident poses a possibly high risk to the rights and freedoms of a natural entity, the Data Handler informs the person affected about the data protection incident without delay.

When informing the person affected, the kind of the data protection incident must be stated clearly and plainly, furthermore, the name and contact information of the data protection officer or any other person who can provide further information must be given; the likely consequences of the data protection incident must also be mentioned; the Data Handler’s measures taken or planned to correct the data protection incident must be disclosed including measures targeted at mitigating the possible harmful consequences of the data protection incident in certain cases.

The person affected does not need to be informed if any of the following conditions occur:

the Data Handler has taken appropriate technical and organizational protective measures, and these measures were applied with regard to the data affected by the data protection incident, particularly those measures – like applying encryption – that make the data unintelligible for people who are not authorized to access personal data;
following the data protection incident the Data Handler took further measures that insure the high risk posed to the rights and freedoms of the person affected would possibly no longer appear;
informing the person affected would require disproportional efforts. In such cases, the persons affected shall be informed via publicly available disclosures, or similar measures that insure the comparably effective information of the persons affected shall be taken.

If the Data Handler has not informed the person affected about the data protection incident, after contemplating whether the data protection incident posed a possibly high risk, the supervisory authority may order them to inform the person affected.

Reporting a data protection incident to the authorities

Without delay, and possibly within 72 hours – at the latest – after gaining knowledge of the data protection incident, The Data Handler shall report the data protection incident to the supervisory authority specified in Article 55, except when the data protection incident is not likely to pose a risk to the rights and freedoms of the person affected. If the incident is not reported within 72 hours, the reasons behind the failure to do so must be attached.

Complaints

Complaints againts any possible violation of rights by the Data Handler may be made to the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority

address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, Postafiók: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

Afterword

When preparing this information package, we observed the following regulations:

Decree 2016/679 of the European Parliament and the Council (EU) issued on April 27th, 2016 on the protection of handling natural entities’ personal data and the free flow of such data, and also the elimination of Decree 95/46/EC (decree on general data protection)
Act CXII of 2011 on the Right of Self-Determination and on Freedom of Information (i.e. Infotv.)
Act CVIII of 2001 on Electronic Commerce and on Information Society Services (particularly §13/A)
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (particularly §6)
Act XC of 2005 on the Freedom of Information by Electronic Means
Act C of 2003 on Electronic Communications (particularly §155)
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
Recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements of preliminary information