MANAGEMENT MANUAL FOR THE SERVICES PROVIDED BY Kocsiguru Ltd.
When using the services provided by Kocsiguru Kft, the data subject (natural person) provides personal data, which we process on the basis of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: the “Infotv.”), Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”), Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: the “Eker. Act”), Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: the “Grt.”), Act C of 2000 on Accounting (hereinafter: the “Accounting Act”), Act CXXVII of 2007 on Value Added Tax (hereinafter: the “VAT Act”), as well as Act V of 2013 on the Civil Code (hereinafter: the “Civil Code”) and Act CLV of 1997 on Consumer Protection (hereinafter: the “Consumer Protection Act”). In accordance with the provisions of the aforementioned legislation, we hereby inform you about the details of the processing of your personal data and your related rights.
1. Controller:
Kocsiguru Kft.
(registered office: 1112 Budapest, Budaörsi út 146/a,b,
telephone: +36-1-447-7699,
e-mail: kereskedes@kocsiguru.hu,
hereinafter: the “Controller”)
The Controller determines, for the purposes set out in point 2, the scope, purpose and duration of the data requested during service provision through the website http://kereskedes.kocsiguru.hu/ (hereinafter: the “Website”), as well as other essential conditions of data processing.
2. Scope of processed data, purpose and duration of data processing
The data subject may use the services provided on the Website without registration, through the Controller’s Website, during which the Controller processes the following data.
- Processed data:
Using the request-for-quotation service as a private individual
Personal data to be provided on the Website during the quotation request for the purposes of contact:
mandatory: surname and first name of the company’s representative, e-mail address, telephone number
- Purpose of data processing:
Use of the request-for-quotation service as a trader.
The data provided on the Website are necessary for maintaining contact with the representative of the party requesting the quotation.
- Duration of data processing:
until performance of the contract,
until withdrawal of the data subject’s consent; in the absence of such withdrawal, the Controller will delete the data 5 years after the date of providing the quotation, pursuant to Section 6:22 of the Civil Code.
- Legal basis of data processing:
In the case of a quotation request, performance of a contract pursuant to point (b) of Article 6(1) of the GDPR.
For documenting the quotation request service, fulfilling accounting obligations and carrying out payment, compliance with legal obligations pursuant to point (c) of Article 6(1) of the GDPR, Section 169(2) of the Accounting Act and Section 179 of the VAT Act.
For identifying the representative of the company requesting the quotation and for fulfilling the contact obligation with the requester, performance of a contract pursuant to point (b) of Article 6(1) of the GDPR.
3. Profiling
The Controller does not carry out profiling.
4. Persons having access to personal data
The processors named in this Extract of the Privacy Notice may access the data for the purpose of performing their tasks. For example, the Controller’s system administrator and the processors named in this Notice may have access to the personal data for case management and data processing purposes.
The Controller uses the web analytics services of Google LLC (1600 Amphitheatre Parkway Mountain View CA 94043), Google Analytics, Google Adwords; Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland); and Webshop Marketing Kft. (4028 Debrecen, Kassai út 129., Cg.: 09-09-02401709, info@shoprenter.hu), Optimonk, as web analytics service provider.
Web analytics services also use cookies, which are intended to help analyse the use of online interfaces. By giving separate and explicit consent on the online interfaces, the data subject authorises the transfer of information generated by cookies relating to the use of the online interface to the servers of Google Analytics and Google Adwords located in the United States of America. Other cookies are stored on servers within the European Union. By giving separate consent on the website, the user agrees to the collection and analysis of their data in the manner and for the purposes specified in the separate cookie notice forming an annex to this Policy.
5. Data transfer
5.1. Your data will not be transferred to third parties. Data transfer to third parties or recipients will take place only if you are informed in advance about the possible recipient and, thereafter, you give your prior consent, or if such transfer is required by law.
5.2. In the course of this data processing activity, we do not transfer personal data to third countries or international organisations.
6. Data processing
For the performance of the data processing activities described in this document, the Controller uses the Processors specified herein. The Processor does not make independent decisions and is entitled to act solely in accordance with the contract concluded with the Controller and the instructions received. The Controller supervises the work of the Processor. The Processor is only entitled to use another processor with the Controller’s prior written consent.
- Name: APPON LINE Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Registered office: 2120 Dunakeszi, Római utca 1/1
Company registration number: 13-09-229851
Website: https://www.appon.hu
E-mail: info@appon.hu
- Name: Carsup Korlátolt Felelősségű Társaság
Registered office: 2120 Dunakeszi, Mikes Kelemen utca 12.
Company registration number: 01 09 938437
- Name: ADERTIS Informatikai Fejlesztő és Szolgáltató Kft.
Registered office: 1133 Budapest, Gogol u. 13.
Company registration number: 01-09-919558
E-mail: info@adertis.hu
- Name: Benefit Consulting Könyvelő és Pénzügyi Tanácsadó Kft.
Registered office: 1064 Budapest, Vörösmarty u. 67.
Company registration number: 01 09 705615
E-mail: nefrit2003@gmail.com
- Name: MiniCRM Zrt.
Registered office: 1075 Budapest, Madách Imre út 14.
Company registration number: 01-10-047449
E-mail: help@minicrm.hu
- Name: IT-X Informatikai és Kereskedelmi Korlátolt Felelősségű Társaság
Registered office: 2049 Diósd, Szabadság utca 13. A. building
Tax number: 25827156-2-13
E-mail: posa.norbert@kocsiguru.hu
- Name: Adertis Kft.
Registered office: 1133 Budapest, Gogol u. 13.
Company registration number: 01-09-919558
E-mail: info@adertis.hu
7. Information about the rights of data subjects
7.1. Right to information and access to processed personal data (Articles 13 and 15 of the GDPR)
The data subject has the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed and, where that is the case, has the right of access to the personal data and to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved and the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
The Controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided by the Controller in a commonly used electronic form, unless otherwise requested by the data subject.
The right to obtain a copy referred to in the previous paragraph shall not adversely affect the rights and freedoms of others.
The above rights may be exercised through the contact details indicated in point 1.
7.2. Right to rectification (Article 16 of the GDPR)
The Controller shall rectify inaccurate personal data concerning the data subject without undue delay upon the data subject’s request. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7.3. Right to erasure (“right to be forgotten”) (Article 17 of the GDPR)
The data subject has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of personal data for direct marketing purposes;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- the personal data have been collected in relation to the offer of information society services.
Erasure of data may not be requested where processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest;
- for preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards set out in Union or Member State law, or by another person who is also subject to a legal obligation of professional secrecy laid down by Union or Member State law;
- for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- for reasons of public interest in the area of public health and where the data are processed by or under the responsibility of a professional subject to a duty of professional secrecy laid down by Union or Member State law, or another person who is also subject to such a duty of secrecy;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
7.4. Right to restriction of processing (Article 18 of the GDPR)
Upon the data subject’s request, the Controller shall restrict processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject; in such a case, the restriction applies for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defence of legal claims; or
- the data subject has objected to processing on grounds relating to his or her particular situation pending the verification whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted on the basis of the above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The Controller shall inform the data subject who has requested restriction of processing before the restriction is lifted.
7.5. Right to data portability (Article 20 of the GDPR)
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means.
In exercising the right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right to data portability shall be without prejudice to the right to erasure (“right to be forgotten”). That right shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
The right to data portability shall not adversely affect the rights and freedoms of others.
7.6. Right to object (Article 21 of the GDPR)
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her by the Controller where the legal basis for processing is public interest, the exercise of official authority vested in the Controller or the necessity for the purposes of the legitimate interests pursued by the Controller or by a third party, including profiling based on those provisions. In such a case the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
7.7. Automated individual decision-making, including profiling (Article 22 of the GDPR)
The data subject has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her.
The above provision shall not apply if the decision:
- a) is necessary for entering into, or performance of, a contract between the data subject and the Controller;
- b) is authorised by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- c) is based on the data subject’s explicit consent.
In the cases referred to in points (a) and (c) above, the Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
The above-mentioned decisions may not be based on special categories of personal data, unless point (a) or (g) of Article 9(2) of the GDPR applies, i.e. processing of such special data is carried out on the basis of appropriate consent under the GDPR or on the basis of substantial public interest as defined by the GDPR and suitable measures have been taken to safeguard the data subject’s rights and freedoms and legitimate interests.
The Controller records in relation to this point that, at present, in accordance with point 3 of this Policy, profiling is carried out by the Controller in relation to the processing activities set out in this Policy, the details of which, including the logic used, as well as the significance and the envisaged consequences for data subjects of the related processing, are set out in point 3 above.
7.8. Right to withdraw consent (Article 7(3) of the GDPR)
Where data processing by the Controller is based on the data subject’s consent, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
7.9. Data security measures
The Controller and the operator of the server network protect the data, with the most up-to-date hardware and software support reasonably available, in particular against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, thereby ensuring data security. As a general rule, personal data processed by the Controller may only be accessed by employees and other contributors of the Controller participating in the implementation of the data processing purposes set out in these Rules, who are subject to a duty of confidentiality in respect of all data they become aware of under their employment contract or the legal relationship governing their employment, or other contractual relationship, the provisions of law, or the Controller’s instructions.
The Controller’s IT systems and other data storage locations are located on servers at 1112 Budapest, Budaörsi út 146/D.
All data processing activities carried out by the Controller must be accurately documented. The Controller must keep records of all data processing activities it carries out (e.g. newsletters, etc.). The Controller keeps records of data transfers for the purpose of verifying the lawfulness of data transfers and for informing the data subject, which records contain the date of the transfer, the legal basis, the recipient, the definition of the scope of data, and any other data specified in the legislation governing the processing.
7.10. Security of personal data processed on paper
To ensure the security of personal data processed on paper, the Controller applies the following measures, which all employees must comply with:
- only those entitled to do so may have knowledge of the data, they may not be accessed by anyone else and may not be disclosed to others;
- documents are stored in a well-lockable, dry premises equipped with fire protection and property protection devices;
- only persons responsible may have access to records in continuous active use;
- during the day, an employee carrying out data processing may leave premises where data processing takes place only after locking away the data carriers entrusted to him or her or locking the office;
- after work, the employee carrying out data processing must lock away paper-based data carriers;
- where personal data processed on paper are digitised, the employer applies the security rules applicable to digitally stored documents.
7.11. Security of digitally stored personal data
To ensure the security of personal data stored on computers or networks, the Controller applies the following measures:
- computers used for data processing are the property of the Controller or are under the Controller’s control with rights equivalent to ownership;
- access to data in the Controller’s system is only possible by means of valid, personal, identifiable authorisation – at least with a username and password, with passwords being changed regularly by the Controller;
- all centrally managed system data relating to operations with the data are logged and can be traced;
- access to data stored on the network server (hereinafter: the server) is only granted to designated persons with appropriate authorisation;
- once the purpose of data processing has been achieved and the data processing deadline has expired, the file containing the data is irreversibly deleted and the data cannot be recovered;
- in order to ensure the security of data stored on the network, the Controller avoids data loss on the server by continuous mirroring;
- the Controller makes daily backups of active data in personal data databases, covering the entire data set on the central server and carried out on a data carrier;
- the data carrier on which the backup data are stored is kept in a fireproof safe specifically designed for that purpose and in a fireproof manner;
- the Controller ensures continuous virus protection on the network processing personal data;
- with the available IT tools and their use, the Controller prevents unauthorised network access;
- employees of the Controller may connect to the Controller’s network only via the Controller’s wired network or, in special cases, remotely via an encrypted VPN connection.
Backups of data stored on the Controller’s servers are made at the frequency specified below and are stored at the Controller’s registered office, and only the managing director or, in the event of use of a backup, the system administrator may have access to them.
Backups are made daily and any backup containing personal data is deleted after one week if not used.
Backups may be used by the Controller if the Controller’s server collapses or suffers data loss and the lost data are necessary for the Controller’s activities, management or are otherwise considered essential. Backups may also be used if the Controller’s server suffers unauthorised access from external or internal devices, such as a hacking attack, or if the server is attacked by an IT virus or other malware.
7.12. Procedure in the event of a data subject request relating to the exercise of the above rights
The Controller shall provide the data subject with information on action taken on a request relating to the exercise of the rights laid down in this Policy without undue delay and in any event within one month (30 days) of receipt of the request. That period may be extended by two further months, taking into account the complexity and number of the requests.
The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the Controller does not act on the data subject’s request, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The Controller shall provide information and communication and take any action requested free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may, taking into account the administrative costs of providing the information or communication or taking the action requested, either charge a reasonable fee or refuse to act on the request.
The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out by it to each recipient to whom or which the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.
8. How to submit your comments, questions or complaints
You may send any of your questions, requests or objections relating to your stored personal data and data processing to the Controller’s contact details specified in this Policy, in writing or by e-mail. Please note that, in your interest, we can only provide information or take action in relation to the processing of your personal data if you have duly verified your identity.
9. Personal data relating to children and third parties
Persons under the age of 16 may not provide personal data about themselves unless they have obtained permission for this from their legal representative exercising parental responsibility. By providing personal data to the Controller, the data subject declares and warrants that he or she is acting in compliance with the above and that his or her legal capacity is not limited in relation to the provision of such information.
If the data subject is not legally entitled to provide any personal data independently, he or she is obliged to obtain the consent of third parties (e.g. legal representative, guardian, other person – such as a consumer – on whose behalf he or she is acting), or to provide another legal basis for providing the data. The data subject is required, in this context, to assess whether consent of any third party is necessary in relation to the provision of the given personal data. It may occur that the Controller does not enter into personal contact with the data subject, therefore compliance with this point is the responsibility of the person providing the personal data and the Controller assumes no liability in this respect. Nevertheless, the Controller is entitled at any time to verify whether an appropriate legal basis exists for the processing of certain personal data. For example, if the data subject is acting on behalf of a third party – such as a consumer – the Controller is entitled to request a power of attorney and/or the appropriate data processing consent of the data subject concerned for the specific matter.
The Controller will do everything reasonably possible to delete any personal data provided unlawfully. The Controller ensures that, if such an issue comes to its knowledge, such personal data will not be transferred to others or used by the Controller. Please inform us immediately via the contact details indicated in point 1 if you become aware that a child has unlawfully disclosed personal data about him- or herself or that a third party has unlawfully disclosed personal data of the data subject to the Controller.
10. Handling of data protection incidents
The Controller pays special attention to the lawful and secure processing of personal data.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Notification of a personal data breach to the supervisory authority
The Controller shall notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification to the supervisory authority is not made within 72 hours, the reasons for the delay shall accompany the notification.
The processor shall notify the Controller of the personal data breach without undue delay after becoming aware of it.
The notification to the supervisory authority shall:
- describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication of a personal data breach to the data subject
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay, in clear and plain language.
Communication to the data subject shall not be required if any of the following conditions are met:
a) the Controller has implemented appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular measures such as encryption which render the personal data unintelligible to any person who is not authorised to access it;
b) the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
c) the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner.
11. Remedies
The data subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information (postal address: 1363 Budapest, Pf. 9., telephone: +36 (30) 683-5969, e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu) claiming that his or her rights have been infringed or that there is an imminent risk of such infringement in relation to the processing of his or her personal data, and may also bring the matter before a court in the event of an infringement of his or her rights. The court shall proceed in the case as a matter of priority. It is for the employer to prove that data processing complies with the provisions of the legislation. The case falls within the competence of the regional court (törvényszék). The employee may bring the action before the regional court having jurisdiction on the basis of his or her place of residence or habitual residence.