PRIVACY POLICY

Privacy Policy of PEMÜ Műanyagipari Zrt.

I.) INTRODUCTION

PEMÜ Műanyagipari Zrt. (hereinafter: Service Provider, data controller or PEMÜ Zrt.) accepts the contents of this data management information as binding on it in accordance with the applicable legal regulations.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation) (hereinafter: Decree), we provide the following information.

This privacy statement primarily governs the privacy practices of the following website:

www.pemu.hu

The data management information is available from the following page: link

Amendments to the prospectus will take effect upon publication at the address above.

The scope of this data management information also covers the processing of identified or identifiable corporate and personal data that have come to the knowledge of the data controller during its manufacturing and commercial activities (see Appendix XVI).

II.) DATA CONTROLLER AND CONTACT DETAILS:

Name: PEMÜ Műanyagipari Zrt. (CRN.: 13-10-040367, tax number: 12163771-2-13)

Headquarters: 2083 Solymár, Terstyánszky street 89.

E-mail: info@pemu.hu

Telephone: +36 26 561 260

III.) DEFINITIONS:

“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to one or more factors such as name, number, location, online identifier or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

For the purposes of this data management information, personal data may also be considered to be data relating to an identified and identifiable legal person or an unincorporated economic operator and other organizations that come to the knowledge of the data controller in the course of its manufacturing and commercial activities;

“Data handling”: any operation or set of operations on personal data or files, whether automated or non-automated, such as collecting, recording, organizing, segmenting, storing, transforming or altering, querying, accessing, using, transmitting, distributing or otherwise making available, harmonization or interconnection, restriction, deletion or destruction;

“Data controller”: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are defined by Union or Member State law, the controller or the specific criteria for the designation of the controller may be determined by Union or Member State law;

“Data processor”: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

“Recipient”: the natural or legal person, public authority, agency or any other body to whom personal data is disclosed, whether or not a third party. Public authorities that may have access to personal data in the framework of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by these public authorities must comply with data protection rules in accordance with the purposes of the processing;

“Data subject’s consent”: a voluntary, informed and unambiguous statement of the will of the data subject, by which he or she indicates his or her consent to the processing of personal data concerning him or her by means of a statement or an act which unequivocally expresses his or her consent;

“Data protection incident”: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled.

IV.) PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA:

Personal data:

must be processed lawfully and fairly and in a manner that is transparent to the data subject (“legality, fairness and transparency”);

must be collected only for specified, explicit and legitimate purposes and not treated in a way incompatible with those purposes; in accordance with Article 89 (1) of the Regulation, further processing for archiving in the public interest, for scientific and historical research purposes or for statistical purposes shall not be considered incompatible with the original purpose (“purpose limitation”);

they must be appropriate, relevant and limited to what is necessary for the purposes of the processing (“data saving”);

they must be accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data which are inaccurate for the purposes of data processing are erased or rectified without delay (“accuracy”);

they must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for a longer period only if the processing is carried out in accordance with Article 89 (1) of the Regulation for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organizational measures to protect the rights and freedoms of data subjects (“limited storage”);

they must be handled in such a way as to ensure the adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to personal data, using appropriate technical or organizational measures (“integrity and confidentiality”).

The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).

 

V.) DATA MANAGEMENT:

The data controller operates a website and carries out manufacturing, domestic and foreign trade (hereinafter: commercial) activities, in the course of which it is obliged to perform data management activities in accordance with the applicable legislation with regard to the data that it becomes aware of and obtains.

The fact of data collection, the scope of processed data and the purpose of data management:

Surname and first name: Required for contact, purchase, and proper invoicing.

E-mail address: Keeping in touch.

Phone number: Contact, more efficient coordination of billing or shipping issues.

Billing name and address: Issuance of a regular invoice, as well as the creation of the contract, the definition and modification of its content, the monitoring of its fulfilment, the invoicing of the fees arising from it, and the enforcement of the related claims.

Shipping name and address: Allowing home delivery.

Data necessary to identify an identified or identifiable legal entity or unincorporated enterprise and other organizations (company name, company registration number or other registration number, tax number, registered office, name of representative): Required for contact, purchase, and proper invoicing.

Stakeholders: Identified or identifiable natural persons who comment on or post content on the website, as well as natural and legal persons involved in the production and commercial activities of the data controller, and economic and other organizations without legal personality.

Duration of data management, deadline for deleting data: immediately upon deletion of the registration, except in the case of accounting documents, as this data must be kept for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.

The accounting documents (including the general ledger accounts, analytical and detailed records) directly and indirectly supporting the accounts must be kept in a legible form for at least 8 years, retrievable by reference to the accounting records.

Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff, respecting the principles above.

Description of data subjects’ rights in relation to data processing:

The data subject may request the controller to access, rectify, delete or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject shall have the right to data portability and to withdraw consent at any time.

The data subject may initiate access to, deletion, modification or restriction of the processing of personal data, portability of data and protest against data processing in the following ways:

by post to PEMÜ Műanyagipari Zrt. 2083 Solymár, Terstyánszky street 89,

by e-mail to info@pemu.hu,

by phone at +36 26 561 260,

online at www.pemu.hu.

Legal basis for data management:

Consent of the data subject, Article 6 (1) (a), Section 5 (1) of the Information Act, as well as fulfilment of the contract(s).

Section 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: e-commerce Act):

The service provider may process personal data that is technically necessary for the provision of the service in order to provide the service. If the other conditions are the same, the service provider must choose and, in all cases, operate the means used in the provision of the information society service in such a way that the processing of personal data takes place only if it is necessary for the provision of the service and other purposes specified in this Act, but in this case only to the extent and for the time necessary.

Article 6 (1) (c) if the invoice is issued in accordance with accounting legislation.

           

Please note that data processing is based on your consent.

You are required to provide personal information so that we can fulfil your order.

Failure to provide information will result in the inability to process your order.

 

VI.) DATA PROCESSORS USED

Transport

Activity performed by the data processor: delivery of products, transportation.

The name and contact details of the data processor(s) are not included in this data management information, as deliveries are made by own means of transport or through other external companies on the basis of ad hoc contracts.

The fact of data management, the scope of the managed data: delivery name, delivery address, telephone number, e-mail address.

Stakeholders: customers requesting delivery.

The purpose of data management is to deliver the ordered product to the delivery address.

Duration of data processing, deadline for deleting data: it lasts until the delivery takes place.

Legal basis for data processing: user consent.

 

Hosting provider

Activity performed by data processor: Hosting service

Name and contact details of the data processor:

Tárhely.Eu Szolgáltató Kft.

Tel.: +36 1 789 2 789

E-mail: gdpr@tarhely.eu

Address: 1144 Budapest, Ormánság street 4. X. floor 241.

Fact of data processing, scope of processed data: All personal data provided by the data subject.

Stakeholders: All stakeholders who use the website.

The purpose of data management: To make the website available and to operate it properly.

Duration of data processing, deadline for deleting data: The data processing lasts until the termination of the agreement between the data controller and the hosting provider or the data subject’s request for cancellation to the hosting provider.

The legal basis of the data processing: the consent of the user, pursuant to Section 5 (1) of the Information Act and Article 6 (1) (a).

 

VII.) COMPLAINT HANDLING

The fact of data collection, the scope of processed data and the purpose of data management:

Surname and first name

Identification, communication.

E-mail address

Keeping in touch.

Phone number

Billing name and address

Identification, handling of quality complaints, issues and problems related to the ordered products.

Stakeholders: All stakeholders who act as customers in the production and commercial activities of the data controller and complain about quality.

Duration of data processing, deadline for deletion of data: Copies of the record, transcript and response to the complaint shall be kept for 5 years in accordance with Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Identity of potential data controllers entitled to access the data, recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff, respecting the principles above.

Description of data subjects’ rights in relation to data processing:

The data subject may request the controller to access, rectify, delete or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject shall have the right to data portability and to withdraw consent at any time.

The data subject may initiate access to, deletion, modification or restriction of the processing of personal data, portability of data and protest against data processing in the following ways:

by post to PEMÜ Műanyagipari Zrt. 2083 Solymár, Terstyánszky street 89,

by e-mail to the e-mail address: info@pemu.hu

or by phone at +36 26 561 260.

Legal basis for data processing: consent of the data subject, Article 6 (1) (c), Section 5 (1) of the Information Act and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.

Please note that the provision of personal data is based on a contractual obligation.

The processing of personal data is a precondition for concluding a contract.

You are required to provide personal information so that we can handle your complaint.

Failure to provide this will result in the inability to handle your complaint.

 

VIII.) CUSTOMER RELATIONS AND OTHER DATA PROCESSES

If a question arises during the use of our data management services, or if the data subject has a problem, he / she may contact the data controller in the ways provided on the website (telephone, e-mail, etc.).

The data controller will delete the data received in incoming e-mails, messages, phone calls, etc., together with the name and e-mail address of the interested party and any other personal data voluntarily provided, after a maximum of 2 years from the date of disclosure.

Information on data processing not listed in this prospectus will be provided at the time of data collection.

Upon exceptional official request, or at the request of other bodies authorized by legal regulations, the Service Provider is obliged to provide information, disclose data, or make documents available.

In such cases, the Service Provider shall provide the requester with personal data only to the extent that is absolutely necessary to achieve the purpose of the request, provided that it has indicated the exact purpose and scope of the data.

 

IX.) RIGHTS OF STAKEHOLDERS

The right of access

You have the right to receive feedback from the data controller as to whether the processing of your personal data is in progress and, if such processing is in progress, you have the right to access the personal data and information listed in the Regulation.

Right to rectification

You have the right to have the data controller, at your request, correct inaccurate personal data concerning you without undue delay. Taking into account the purpose of the data processing, you have the right to request the incomplete personal data to be supplemented, inter alia, by means of an additional statement.

Right of cancellation

You have the right to have personal data about you deleted by the data controller, at your request, without undue delay, and the data controller is obliged to delete personal data about you without undue delay under certain conditions.

The right to forget

If the controller has disclosed personal data and is obliged to delete it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers handling the data that you have requested the deletion of links to, or copies or duplicates of, the personal data in question.

Right to restrict data processing

You have the right to request the controller to restrict the processing of data if one of the following conditions is met:

you dispute the accuracy of your personal information; in which case the restriction applies to the period of time that allows the controller to verify the accuracy of your personal information;

the processing is unlawful and you oppose the deletion of the data and instead request a restriction on its use;

the data controller no longer needs the personal data for the purpose of data processing, but you request them in order to submit, enforce or protect legal claims;

you objected to the data processing; in this case, the restriction applies until it is established whether the legitimate reasons of the controller take precedence over your legitimate reasons.

The right to data portability

You have the right to receive the personal data concerning you that you have made available to a data controller in a structured, widely used, machine-readable format and to transfer such data to another data controller without being hindered by the data controller whose provided personal data (…)

Right to protest

You have the right to object at any time to the processing of your personal data, including profiling based on these provisions, for reasons related to your own situation.

Protest in case of direct acquisition

If your personal data is processed for the purpose of direct business acquisition, you have the right to object at any time to the processing of your personal data for this purpose, including profiling, insofar as it relates to direct business acquisition. If you object to the processing of personal data for the purpose of direct business acquisition, the personal data may no longer be processed for this purpose.

Automated decision making in individual cases, including profiling

You have the right not to be subject to a decision based solely on automated data processing, including profiling, which would have legal effect or similar effect on you.

The preceding paragraph shall not apply if the decision:

is necessary for the conclusion or performance of a contract between you and the data controller;

is authorized by EU or Member State law applicable to the controller, which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or

is based on your express consent.

 

X.) DEADLINE FOR ACTION

The data controller shall inform you of the action taken on the above requests without undue delay, within 1 (one) month from the receipt of the request.

If necessary, it can be extended by 2 (two) months. The data controller will inform you about the extension of the deadline within 1 (one) month from the receipt of the request, indicating the reasons for the delay.

If the controller does not take action on your request, it will inform you without delay, but no later than one month after receipt of the request, of the reasons for the non-action and of the fact that you can lodge a complaint with a supervisory authority and have recourse to the courts.

 

XI.) SECURITY OF DATA PROCESSING

Taking into account the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of the processing, and the varying probability and severity of the risk to the rights and freedoms of natural persons, the controller and the processor shall take appropriate technical and organizational measures to ensure a level of data security commensurate with the degree of risk, including, where appropriate:

pseudonymization and encryption of personal data;

ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;

in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;

a procedure for the regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures taken to ensure the security of data processing.

 

XII.) INFORMING THE STAKEHOLDER ABOUT THE DATA PROTECTION INCIDENT

If the data protection incident is likely to pose a high risk to the data subject’s rights and freedoms, the controller shall inform the data subject of the data protection incident without undue delay.

The information provided to the data subject shall clearly and intelligibly describe the nature of the data protection incident and provide the name and contact details of the data protection officer or other contact person for further information; it must describe the likely consequences of the data protection incident and the measures taken or planned by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences arising from the data protection incident.

The data subject does not have to be informed if any of the following conditions are met:

the controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption, which make the data incomprehensible to persons not authorized to access personal data;

the controller has taken further measures following the data protection incident to ensure that the high risk to the data subject’s rights and freedoms is no longer likely to materialize;

the information would require disproportionate effort. In such cases, data subjects shall be informed through publicly available information or a similar measure shall be taken to ensure that data subjects are informed in an equally effective manner.

If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to involve a high risk, order the data subject to be informed.

 

XIII.) REPORTING A DATA PROTECTION INCIDENT TO THE AUTHORITIES

The data protection incident shall be reported by the controller to the competent supervisory authority without undue delay and, if possible, no later than 72 (seventy-two) hours after becoming aware of the data protection incident, unless the data protection incident is not likely to endanger the rights and freedoms of individuals. If the notification is not made within 72 (seventy-two) hours, the reasons for the delay must be attached.

 

XIV.) CHANCE TO COMPLAIN

Complaints about possible infringements by the data controller can be made to the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority 1125 Budapest, Szilágyi Erzsébet fasor 22 / C.

Mailing address: 1530 Budapest, Mailbox: 5.

Telephone: +36 1 391 1400

Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

 

XV.) LAWS APPLIED

During the preparation of the prospectus, we complied with the following legislation:

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation)

Act CXII of 2011 on the Right to Self-Determination of Information and Freedom of Information (hereinafter: the Information Act)

Act CVIII of 2012 on certain issues of electronic commerce services and services related to the information society (mainly Section 13/A)

Act XLVII of 2013 on the Prohibition of Unfair Commercial Practices for Consumers

Act XLVIII of 2014 on the basic conditions and certain restrictions of commercial advertising (especially § 6)

Act XC of 2015 on Electronic Freedom of Information

Act C of 2016 on Electronic Communications (specifically § 155)

Opinion 16/2011 on the EASA / IAB Recommendation on Best Practices for Behavioural Online Advertising

Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46.

 

XVI.) APPENDIX

As a data controller, PEMÜ Műanyagipari Zrt. undertakes to handle, on the basis of the obligations and regulations contained in the above legislation, the data of persons that are not natural persons but legal persons, and of unincorporated enterprises and other organizations, which become known, identified or identifiable in the course of its manufacturing and commercial activities (such as, but not limited to, their company name, company registration number, other registration number, tax number, bank account number, name and registered office of their representative).