Korzicon Ltd

Registered office: 2112 Veresegyház, Hegyláb utca 25.

Premises: 1137 Budapest, Radnóti Miklós street 9., 1st floor. No. 4.
VAT number: 27959945-2-13; corporate registration number:13-09-206095
Representative: Dr. Zita Parrák
Position of the representative: managing director
Hereinafter: Company

By virtue of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: Regulation) as well as Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter Infotv), data subjects shall be given unambiguous and detailed information – before starting data processing – on all the facts related to processing their data, in particular on the purpose and the legal basis of data processing, on the person authorised to carry out data processing, on the person authorised to have access to the data as well as on the rights and remedies of data subjects in connection with data processing. The Company fulfils its statutory obligation by way of this privacy policy.

A. Notice on data processing

I. Controller, representative of the controller and recipients of personal data

(1) The controller is the Company.

(2) Representative of the Company, as controller, and his contacts: Dr. Zita Parrák, managing director, address: 2112 Veresegyház, Hegyláb utca 25., phone number: 36205232324, e-mail: newbeauty@newbeauty.hu

(3) Recipients of personal data

a) Recipients with a general right to process data under any legal title:

– representative of the controller;

– employees appointed to deal with data processing tasks.

b) Recipients processing data based on consent:

– those listed in paragraph 1);

– employees performing customer service tasks;

– data processors.

c) Recipients processing data based on employment:

– those listed in paragraph 1);

– data processors.

d) Recipients processing data based on a contract:

– those listed in paragraph 1);

– employees performing customer service tasks.

e) Recipients processing data based on a legal obligation:

– those listed in paragraph 1);

– data processors.

f) Recipients dealing with obligatory data processing: those listed in paragraph 1).

 

II. Data processor

(1) Where processing is to be carried out on behalf of a Company, the Company shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Policy and ensure the protection of the rights of the data subject.

(2) Data processors used by the Company:

a) IT specialist: Golden Gift Media Kft, Csaba Polyák, telephone: 36304061149, e-mail: info@webshine.eu

b) https://mailchimp.com: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA

c) https://privy.com: 125 Kingston St, 6th Floor, Boston, MA 02111 USA, e-mail: info@privy.com

d) https://simplybook.me: 36 Aigyptou Avenue, 6030 Larnaca, Cyprus, e-mail: support@simplybook.me.

e) https://www.whatclinic.com: Global Medical Treatment Ltd., 12 Duke Lane Upper, Dublin 2, Ireland, telephone: 35316520520, e-mail: info@whatclinic.com.

(3) Data transferred to the data processors used by the Company

a) From among personal data processed based on employment (accountant):

– Name,

– Address,

– Mother’s name,

– Place and date of birth,

– Personal ID card number,

– Social insurance ID code,

– Tax ID code,

– Bank account number,

– Results of aptitude tests,

– Wage-related data.

b) From among personal data processed based on consent (IT specialist):

– The user’s name in full,

– The user’s e-mail address,

– User name,

– Password,

– Date of birth,

– Telephone number.

c) From among personal data processed with regard to newsletters and online appointments at the Company’s website (service providers listed in paragraphs VI/3 and IX/3 of Chapter 2):

– The user’s name in full,

– The user’s e-mail address,

– User name,

– Password,

– Date of birth,

– Telephone number.

d) From among personal data processed based on a legal obligation (accountant):

– Name,

– Address.

 

III. Data processing based on consent:

(1) The consent of the data subject is required for processing personal data that are not unconditionally necessary for contractual fulfilment. Processing certain personal data of the data subject – ranked into the special category under article II (3) of Chapter I – may be required for providing the Company’s services at a higher level – in a given case for safe fulfillment that does not endanger health – therefore, data processing requires the express consent of the data subject.

(2) The Company requests the data subject’s consent for data processing in a separate data request sheet. Prior to the data request, the Company makes its privacy policy available to the data subject, and the data subject separately declares to know the privacy policy in the data request sheet.

(3) The consent to data processing can be given at the Company’s website exclusively through active conduct, by way of any declaration or action that clearly shows in a given case that the data subject expressly and clearly consented to data processing.

(4) The data subject’s consent covers data processing related to the specific case, however, if data processing affects several cases, the Company requests consent for all data processing purposes.

(5) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration containing the data subject’s consent which infringes this privacy policy or the relevant laws shall not be binding.

(6) The data subject shall have the right to withdraw his/her consent at any time. Withdrawing the consent does not affect the lawfulness of consent-based processing before the withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

(7) The Company exclusively processes data that are required for managing the given case (contractual fulfilment).

(8) In the event where the data subject consented to processing his/her personal data, the Company may also process the data without any further, separate consent and also after withdrawal of the consent – unless otherwise provided by law – in order to fulfill its legal obligation or to enforce the legitimate interest of the controller or a third party, provided that this interest enforcement is proportionate with the limitation of the right to personal data protection.

(9) The Company processes the following personal data based on the data subject’s consent (data processing related to appearance on the internet is specified in separate articles):

a) Anamnesis (health data),

b) Date of birth,

c) Date of treatment,

d) Treatment completed,

e) Materials used for treatment,

f) Photo,

g) Other health data indicated in the data request sheet.

(10) Data processing is based on the consent by the data subject.

(11) Period of data storing:

a) 5 years after termination of the contract signed with the data subject, or

b) Until withdrawal of the consent,

c) In the event of data processing specified in paragraph (8) of this article, until the fulfilment of the legal obligations or until enforcement of the legitimate interests.

(12) The Company processes the data of private entrepreneurs, primary producers and natural persons representing legal entities who conclude contracts with the Company in any capacity. Data processing requires consent by the data subject, and the Company requests the data subject’s consent for data processing in a separate data request sheet. Prior to the data request, the Company makes the privacy policy available to the data subject, and the data subject separately declares to know the privacy policy in the data request sheet.

(13) The Company processes the following personal data with regard to contracts, based on the data subject’s consent:

a) Name,

b) Address

c) Telephone number,

d) Email address.

(14) Data processing is based on the consent by the data subject.

(15) The data are stored for 5 years after the termination of the contract or the representation right, except where the laws specify another period.

 

IV. Data processing based on employment:

(1) Only those data may be requested from the employees that do not violate personality rights and are essential for establishing, fulfilling or terminating employment. Only those aptitude tests can be carried out on the employees that are prescribed by the rules on employment, or that are required for exercising the rights and fulfilling the obligations specified in the rules on employment.

(2) The Company shall notify the employees about processing their personal data. The Company may disclose facts, data and opinions about employees to third parties only in cases specified by law, or based on the employees’ consent. The employee-related data may be used for statistical purposes and may be transferred for statistical use without the employees’ consent and in a manner not suitable for personal identification.

(3) The Company may transfer to the data processor the employees’ personal data in order to fulfill employment-related obligations, by indicating the purpose of the data transfer and as prescribed by law. The employees affected shall be informed about this fact in advance.

(4) The Company is allowed to control the behaviour of the employees only to the extent pertaining to the employment. The control and the means and methods used may not be at the expense of human dignity. The private life of employees may not be controlled. The Company shall previously notify the employees about using the technical tools that serve the purpose of employee control.

(5) Personal data that can be processed about employees applying for jobs: the natural person’s name, name at birth, place and date of birth, mother’s name, address, qualification data, telephone number, e-mail address, photo, the employer’s notes made about the applicant. Period of storing personal data about applicants who were not selected or who withdrew their application: within 3 days following the decision or the withdrawal of the application. The application and the related data may be stored exclusively in the data subject’s interest, for the purpose of eventual application in the future as well as with the data subject’s express and unambiguous consent.

(6) The Company processes the following personal data with regard to employment:

a) Name,

b) Address,

c) Mother’s name,

d) Place and date of birth, 

e) Personal ID card number,

f) Social insurance ID code,

g) Tax ID code,

h) Bank account number, 

i) Results of aptitude tests,

j) Documents certifying education,

k) Security camera recordings.

(7) Legal ground of data processing:

a) Data processing is required in order to establish, fulfill or terminate employment (contractual fulfillment);

b) Processing is necessary for compliance with the Company’s legal obligations (statistical, taxation and accounting obligations);

c) Data processing is required for enforcing the Company’s legitimate interests (aptitude test, access control system, using cameras at work);

d) Exceptionally, basically in the interest of, and with the consent of the data subject (data required for the recruiting procedure and for social-welfare benefits).

(8) Period of storing personal data: 3 years after terminating the employment.

 

V. Data processing related to contracts:

(1) The Company processes the personal data of any natural person contracting with it in any quality with regard to the contract and in order to fulfill the contract. Before starting data processing, the data subject shall be given unambiguous and detailed information on all the facts related to processing his/her data, in particular on the purpose and the legal basis of data processing, on the person authorised to carry out the data processing and on the duration of data processing.

(2) The Company processes the following personal data with regard to contracts and in order to fulfill contracts:

a) Name,

b) Date of birth,

c) Telephone number,

d) Address,

e) E-mail address.

(3) The fulfilment of the contract is the legal basis of data processing.

(4) The data are stored for 5 years after the termination of the contract, except where the laws specify another period.

 

VI. Data processing related to using the Company’s website (cookies)

(1) Cookies are small data files that are placed by the website – upon browsing – to the PC or the mobile device of the visitors to the pages of the website. Cookies do not contain personal information and are, in themselves, unable to identify the users, they are only suitable for recognizing the device used for browsing. With the help of cookies, the website stores the users’ certain operations and settings for a certain period, thus making the website usage easier and collecting statistical information about the visitors. Based on the directives of the European Commission, cookies may only be placed with the user’s express consent if they are not indispensably necessary for using the given service. The website uses temporary cookies that terminate upon closing the website as well as permanent cookies that remain on the PC until deletion by the user. Some cookies are indispensable for using the website and some cookies are meant to enhance the user experience.

(2) Cookies indispensable for website usage enable the usage of basic website functions, and numerous functions are not accessible without them. With these cookies, data are only processed during the browsing period, and the cookies are deleted at the end of the work process or upon closing the browser. Using such cookies does not require the user’s consent, it must be made known upon the first visit to the website that a summary of the notice is available at the website and the full notice is accessible through a link.

(3) Cookies meant to enhance the user experience basically improve the service, make the website usage more comfortable and increase the efficiency. Using such cookies requires the user’s express consent before data processing, and this consent may be given exclusively through active conduct, by ticking the relevant box. Together with the consent, information must also be given about using such cookies by providing a summary of the notice at the website and by providing the full notice through a link.

(4) With regard to cookie usage, the Company exclusively processes data on the user’s specific operations and settings, and does not process the user’s personal data. The user may disable such data processing at any time while using the website. The Company does not connect the processed data to the user’s other data and does not transfer them to third parties without the user’s consent.

(5) During the usage, the Company’s website processes the following data:

a) IP address used by the user,

b) Type of browser,

c) Features of the operation system,

d) Date of browsing,

e) Activities carried out at the website.

(6) The Company uses the following cookies at the website:

a) Google Analytics
With the help of Google Analytics cookies we collect information about the visitors’ conduct and features. This helps us to make the website more transparent and easier to use later. These cookies are unable to personally identify you, e.g. we do not record your name and email address; the data are stored in a summarized and anonym manner. The IP address is also recorded in part. When certain target sites are visited, we may also place third party cookies on the user’s device (e.g. Google AdWords Conversion Tracking). These provide for measuring the success of our campaigns. Information enabling identification is not stored in such cookies either.

In addition, you can encounter the following cookies when using the internet:

b) Permanent or temporary cookies
Some sites use both “temporary cookies” (work/session cookies) and “permanent cookies”. Temporary cookies remain on your PC until you leave the website. Permanent cookies remain on your device for a longer period (depending on your browser settings) or until you delete them manually.

c) Work session cookies
Temporary cookies that are used only during the current visit, and they are automatically deleted from the PC when ending the session or closing the browser. They are indispensable for website navigation and website operation. The work session cookies never collect information that could identify you.

d) Targeted or ad cookies
They collect information about the topics and contents that you may be interested in. These cookies help to measure campaign efficiency and feature later ads that are relevant to you. Targeted and ad cookies cannot identify you and do not collect personal information required for identification.

e) Functional cookies that enhance usage
With their help the website remembers decisions made at the site (e.g. data given on a form etc.). These cookies track your activities exclusively at the visited website but not at other websites. These cookies may store the personal identification data that you provided at our website, e.g. your name, email address, telephone number etc.

f) Third party cookies
Some pages may use external web services from third parties. In this case, cookie storing is not supervised by the website operator, and s/he has no control over the information collected by the external service providers.

(7) The legal basis of data processing is – in the case of cookies indispensable for website usage – article 13/A (3) of Act CVIII of 2001 (Elkertv) on electronic commercial services, and on certain legal aspects of information society services and – in the case of cookies enhancing the user experience – the user’s consent.

(8) Period of data storing:

a) Cookies indispensable for website usage: until the end of the work session or until closing the browser,

b) Cookies enhancing the user experience: until deletion of the browsing history by the user on his/her browser device.

 

VII. Data processing related to the Company’s newsletter service

(1) The users can subscribe to the Company’s newsletter at the website. Subscribing to the newsletter service requires the user’s express consent, and this consent may be given exclusively through active conduct, by giving the data necessary for sending the newsletter and by ticking the relevant box to consent to personal data processing.

(2) The users may withdraw their consent at any time, in writing, or via a declaration sent to the Company’s email address, and in this case the users’ data will be deleted without delay.

(3) The Company provides the newsletter service at https://mailchimp.com (privacy policy: https://mailchimp.com/legal/privacy) and at https://privy.com (privacy policy: https://privy.com/privacy-policy).

(4) Data processed by the Company about the newsletter service:

a) The user’s name in full,

b) The user’s email address.

(5) The purpose of data processing about the newsletter service is to notify the users about the Company’s programmes, promotions, products and services.

(6) Data processing is based on the consent by the data subject.

(7) Period of data storing:

a) Until termination of the newsletter service, or

b) Until withdrawal of the consent.

 

VIII. Data processing related to the Company’s Facebook page

(1) The Company operates a Facebook page to promote its programmes and services. Comments on the posts made on the Company’s Facebook page shall not be regarded as a formal enquiry to the Company.

(2) The Company processes no personal data on its Facebook page or in connection with it, therefore it does not process personal data published by the users either, usage shall be governed by the privacy policy of Facebook (https://www.facebook.com/privacy/explanation).

(3) The Company reserves the right to delete the data subject and/or his/her comment without any further notice in the event of a comment that violates the Facebook terms of use (https://www.facebook.com/policies?ref=pf) or that is otherwise unlawful or incompatible with the Company’s philosophy and business policy, or if such contents are published. The Company shall not be held liable for such comments or contents.

(4) Data processing by the Company regarding newsletter services on the Facebook page is appropriately governed by article VI of this Chapter.

(5) Data processing by the Company for registration on the Facebook page is appropriately governed by article VIII of this Chapter.

 

IX. Data processing related to registration at the Company’s website

(1) Users can register at the website, which requires the user’s express consent, and this consent may be given exclusively through active conduct, by giving the data necessary for registration and by ticking the relevant box to consent to personal data processing.

(2) The users may withdraw their consent at any time, in writing, or via a declaration sent to the Company’s email address, and in this case the users’ data will be deleted without delay.

(3) The Company provides the registration service at https://simplybook.me (privacy policy: https://simplybook.me/en/policy) and at https://www.whatclinic.com (privacy policy: www.whatclinic.com/privacy-policy).

(4) Data processed by the Company about the registration service:

a) The user’s name in full,

b) The user’s email address,

c) User name,

d) Password,

e) Date of birth,

f) Telephone number.

(5) Purpose of data processing regarding registration: Notifying the users about the Company’s programmes, promotions, products and services.

(6) Data processing is based on the consent by the data subject.

(7) Period of data storing:

a) Until termination of the registration or

b) Until withdrawal of the consent,

 

X. Data processing related to the online appointments at the Company’s website

(1) Users can make online appointments at the website, which requires the user’s express consent, and this consent may be given exclusively through active conduct, by giving the data necessary for making the appointment and by ticking the relevant box to consent to personal data processing.

(2) The users may withdraw their consent at any time, in writing, or via a declaration sent to the Company’s email address, and in this case the users’ data will be deleted without delay.

(3) The Company provides the online appointment service at the https://simplybook.me (privacy policy: https://simplybook.me/en/policy) and the https://www.whatclinic.com (privacy policy: www.whatclinic.com/privacy-policy) websites.

(4) Data processed by the Company about online appointments:

a) The user’s name in full,

b) The user’s email address,

c) Telephone number,

d) Data given in a message

(5) Purpose of data processing regarding online appointments: providing the opportunity to make appointments in advance.

(6) Purpose of data processing regarding registration: notifying the users about the Company’s programmes, promotions, products and services.

(7) Data processing is based on the consent by the data subject.

(8) Period of data storing:

a) Until termination of the online appointment service or

b) Until withdrawal of the consent,

 

XI. Data processing based on legal obligations:

(1) The Company processes the data – specified by law – of natural persons establishing business contacts with it in order to fulfill its taxation and accounting obligations. Before starting data processing, the data subject shall be given unambiguous and detailed information on all the facts related to processing his/her data, in particular on the purpose and the legal basis of data processing, on the person authorised to carry out the data processing and on the duration of data processing.

(2) The Company processes the following personal data in order to fulfil its legal obligations:

a) Name,

b) Address.

(3) The fulfilment of the Company’s legal obligation is the legal basis of data processing.

(4) The period of data storing is 8 years after the termination of the underlying legal relationship.

 

XII. Obligatory data processing:

(1) Personal data may also be processed if it is ordered by law, or – based on the authorisation conferred by law and within the range of data specified therein – ordered by a local government decree. Before starting data processing, the data subject shall be given unambiguous and detailed information on all the facts related to processing his/her data, in particular on the purpose and the legal basis of data processing, on the person authorised to carry out the data processing and on the duration of data processing.

(2) If data processing is obligatory, the types of data to be processed, the purpose and conditions of data processing, the accessibility of data, the duration of data processing, as well as the person of the data controller shall be determined by law or by the local government decree ordering the data processing.

(3) Currently the Company processes no data under this legal title.

 

XIII. Data protection

(1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the Company shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Policy and protect the rights of data subjects.

(2) The Company shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

(3) The Company protects the data with appropriate actions against accidental or unlawful destruction, loss, modification, damage, unauthorised disclosure or unauthorized access.

(4) The Company qualifies and processes personal data as confidential data, and prescribes the obligation of confidentiality to its employees with regard to personal data processing.

(5) The Company restricts access to personal data by setting authorization levels.

The PC used by the Company for data processing and data registration is protected with a password and with anti-virus protection.
The data processed by the Company on paper are stored in a lockable cabinet at the Company’s registered seat.

 

B. Rights of the data subjects

I. Transparency and actions

(1) The Company shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. At the choice of the data subject, the information may be provided in writing or in an electronic format, however, if requested by the data subject, oral information may also be given, provided that the identity of the data subject is proven by other means.

(2) The Company promotes the exercising of the rights of the data subjects. In the cases specified in II/5 b) of Chapter I, the Company may not refuse to comply with the request of the data subject to exercise his/her rights, unless it is proven that it is not possible to identify the data subject.

(3) The Company shall notify the data subject about the actions taken as a result of the above request without any unjustified delay but by all means within one month from receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request in an electronic format, the information shall be provided in an electronic format where possible, unless otherwise requested by the data subject.

(4) If the Company does not take action on the request of the data subject, it shall inform the data subject without delay but at the latest within one month of receipt of the request about the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

(5) The Company provides information and takes actions free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may – with regard to the administrative costs related to providing the requested information or taking the required action – charge a reasonable fee or refuse to act based on the request. The Company shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

(6) Where the Company has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the data subject.

(7) The information to be provided to data subjects pursuant to the next section may also be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.

 

II. Information and access to personal data

(1) Where personal data relating to a data subject are collected from the data subject, the Company shall, at the time when personal data are obtained, provide the data subject with all of the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) the legitimate interests of the controller or a third party if data processing is required for enforcing the legitimate interests of the controller or a third party;

e) the recipients or categories of recipients of the personal data, if any;

f) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

g) The data subject may request from the controller access to, and rectification or erasure of personal data or restriction of processing or to object processing, as well as the data subject has the right to data portability;

h) In the case of data processing based on the data subject’s consent, the existence of the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

i) the right to lodge a complaint with a supervisory authority;

j) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

Where the Company intends to further process the personal data for a purpose other than that for which the personal data were collected, the Company shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 1.

The section shall not apply where and insofar as the data subject already has the information.

(2) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a) those listed in paragraph (1) a)-i) and k);

b) the categories of personal data concerned;

c) source of the personal data and, in a given case, whether the data come from a publicly available source.

The Company shall provide the information referred to in paragraph (2):

– within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

– if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

– if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

Where the Company intends to further process the personal data for a purpose other than that for which the personal data were collected, it shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

The section shall not apply where and insofar

– the data subject already has the information;

– the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or in so far as the obligation referred to in this paragraph is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

– obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

– where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

III. Right of access by the data subject

(1) The data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, access to the personal data and to the following information:

a) Purposes of data processing;

b) The categories of personal data concerned;

c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) The right to lodge a complaint with a supervisory authority;

g) Where the personal data are not collected from the data subject, any available information as to their source.

(2) The Company shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

(3) The right to obtain a copy referred to in paragraph (2) shall not adversely affect the rights and freedoms of others.

 

IV. Right to correction

The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

V. Right to erasure (‘right to be forgotten’)

(1) The data subject shall have the right to obtain from the Company the erasure of personal data concerning him/her without undue delay and the Company shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article IX (1) of Chapter 3 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article IX (2) of Chapter 3;

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article II (3) a) of Chapter 1.

(2) Where the Company has made the personal data public and is obliged pursuant to paragraph (1) to erase the personal data, the Company, taking account of the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expressing opinion and gathering information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;

c) for the establishment, exercise or defence of legal claims.

 

VI. Right to limit data processing

(1) The data subject shall have the right to obtain from the Company restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article IX (1) of Chapter 3 pending the verification whether the legitimate grounds of the Company override those of the data subject.

e) Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

f) A data subject who has obtained restriction of processing pursuant to paragraph (1) is informed by the Company before the restriction of processing is lifted.

 

VII. Information about rectification, erasure or restricted data processing

The Company shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with the above rules to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Company shall inform the data subject about those recipients if the data subject requests it.

 

VIII. Right to data portability

(1) The data subject shall have the right to receive the personal data concerning him/her, which he or she has provided to a Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Company without hindrance from the controller to which the personal data have been provided, provided that data processing is based on consent under article II (2) a) of Chapter 1 or article II (4) of Chapter 1 or based on the contract under article II (2) b) of Chapter 1; and the data are processed automatically.

(2) In exercising his/her right to data portability pursuant to paragraph (1), the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(3) Exercising the right under paragraph (1) may not violate the provisions regulating the right to erasure. The mentioned right shall not apply in the case where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company.

(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

 

IX. Right to protest

(1) The data subject may protest against processing his/her personal data for reasons related to his/her own situation – also including profiling based on the a.m. provisions – if data processing is in public interest or required for implementing a task carried out by exercising an official authority assigned to the Company, or required for enforcing the legitimate interests of a third party. 

In this case the Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

(2) If personal data are processed for direct marketing, the data subject may protest at any time against processing his/her personal data for such a purpose, also including profiling, if it is attached to direct marketing.

(3) If the data subject protests against processing his/her personal data for direct marketing, in that case the personal data may no longer be processed for such a purpose.

(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs (1) and (2) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means using technical specifications.

 

X. Notifying the data subject about data processing incidents

(1) If the data protection incident probably involves a high risk for the rights and freedoms of natural persons, the Company shall notify the data subject about the data protection incident without unreasonable delay.

(2) The communication to the data subject referred to in paragraph (1) shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of paragraph (3) of the previous article.

(3) The communication to the data subject referred to in paragraph (1) shall not be required if any of the following conditions are met:

a) The Company took appropriate technical and organizational actions and these actions were applied for data affected by the data protection incident, especially actions – e.g. applying encryption – that make the data uninterpretable by persons not authorized to access the personal data;

b) The Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph (1) is no longer likely to materialise;

c) The information would require disproportionate efforts. In such cases, the data subjects shall be notified through publicly disclosed information, or similar actions shall be taken to ensure that the data subjects are informed in a similarly effective manner.

(4) If the Company has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph (3) are met.

 

XI. Right to lodge a complaint with the supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him/her infringes this Policy.

(2) The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, also including the possibility of a judicial remedy.

 

XII. Right to an effective judicial remedy against the controller or processor

(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy where he or she considers that his/her rights under this Policy have been infringed as a result of the processing of his/her personal data in non-compliance with this Policy.

(2) Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his/her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

 

XIII. Representation of data subjects

(1) The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his/her behalf, to exercise his/her rights on his/her behalf, and to exercise the right to receive compensation on his/her behalf where provided for by Member State law.

(2) The Member States may provide that any body, organisation or association referred to in paragraph (1) of this Article, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority and to exercise the a.m. rights if it considers that the rights of a data subject under this Policy have been infringed as a result of the processing.

 

XIV. Right to compensation and liability

(1) Any person who has suffered material or non-material damage as a result of an infringement of this Policy shall have the right to receive compensation from the controller or processor for the damage suffered.

(2) Any controller involved in processing shall be liable for the damage caused by processing which infringes this Policy. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Policy specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

(3) The controller or processor shall be exempt from liability under paragraph (2) if it proves that it is not in any way responsible for the event giving rise to the damage.

(4) Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs (2) and (3), responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

(5) Where a controller or processor has, in accordance with paragraph (4), paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph (2).

(6) Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article XI (2).