OrigSmart

Introduction

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter "the Regulation") requires that the controller takes appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject's rights.

The obligation to inform the data subject in advance is also provided for in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

The information below is our response to this legal obligation.

The information is available on the company's website or will be provided to the person concerned upon request.

Details of data handler

COMPANY NAME:	OrigSmart Ltd.
HEADQUARTERS:	52/A Gesztenyés str. Etyek, 2091 Hungary
COMPANY REGISTRATION NO.:	07-09-030176
TAX NUMBER:	26785350-2-07
WEBSITE:	https://origsmart.com
E-MAIL ADDRESS:	info@origsmart.com
PHONE NUMBER:	+36 20 611 8811
NAME OF REPRESENTATIVE:	Zoltán Vashegyi

(hereinafter referred to as: the Company or the Data Controller)

Information on data management

Information on data management based on the consent of the data subject

1. For consent-based data management, the Company requests the data subject's consent to the management of his/her personal data with the content and information of the data request form specified in the data management regulations.
2. Consent is also considered if the data subject ticks a relevant box when viewing the Company's website, makes relevant technical settings when using services related to the information society, as well as any other statement or action that, in the given context, clearly indicates the data subject's consent to the planned processing of their personal data.
3. Consent covers all data management activities carried out for the same purpose or purposes. If data processing serves several purposes at the same time, consent must be given for all data processing purposes.
4. If the data subject gives his consent in the context of a written statement that also applies to other cases, the request for consent is made in a way that is clearly distinguishable from these other cases, in an understandable and easily accessible form, with clear and simple language.
5. The Company does not make the conclusion or performance of a contract subject to consent to the processing of personal data that is not necessary for the performance of the contract.
6. The data subject has the option to withdraw his/her consent if he informs the Company of this by e-mail or in writing.
7. If the personal data was recorded with the consent of the data subject, the Company may process the recorded data for the purpose of fulfilling the relevant legal obligation without further separate consent, and also after withdrawing the consent of the data subject, unless otherwise provided by law.

Information on the management of customer data, contracting partners and contact persons

1. The Company handles the name, birth name, date of birth, mother's name, address, tax identification number, tax number, entrepreneur's and original producer's card of the natural person contracted with it as a buyer or supplier for the purpose of concluding, fulfilling, terminating the contract, and providing contractual benefits. number, identity card number, residential address, address of headquarters, location, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, main purchase lists), This data processing is considered lawful if also if the data management is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: the Company's employees performing tasks related to customer service, employees performing accounting and taxation tasks, and data processors. Duration of storage of personal data: 5 years after termination of the contract.
2. The legal basis for processing the data of the natural person provided in the contract for accounting and tax purposes is the fulfillment of a legal obligation, in this case the duration of data storage is 8 years.
3. The Company uses the personal data provided in the contract, as well as the residential address, e-mail address and telephone number, online identifier of the natural person acting on behalf of the legal entity contracting with it - the person signing the contract - for the purpose of maintaining contact, exercising the rights and obligations arising from the contract, contact under the legal address of legitimate interest handles. The storage period for this data is 5 years after the termination of the contract. In the case of data processing based on legitimate interests, the data subject has a priority right to object to data processing.
4. The Company handles the name, address, telephone number, e-mail address, online identifier of the natural person designated as the contact person in the contract concluded with it as a legitimate interest for the purpose of maintaining contact and exercising the rights and obligations arising from the contract, taking into account that the contact person has an employment relationship with the contracting party, so this data processing does not adversely affect the rights of the data subject. The contracting party declares that it has informed the relevant contact person about the data management related to the quality of the contact person. The duration of the storage of this data is 5 years after the existence of the contact quality.
5. Recipients of personal data for all stakeholders: the Company's executive, its employees performing tasks related to customer service, contacts, employees performing accounting and taxation tasks, and data processors.
6. The personal data may be transferred for data processing to the accounting office commissioned by the company for the purposes of taxation and bookkeeping, to the Magyar Posta for postal delivery or to the commissioned courier service, to the company's asset protection agent for asset protection.
7. Data processing is considered lawful if it is necessary in the context of a contract or intention to enter into a contract (Preamble 44.) if it is necessary to take steps at the request of the data subject prior to the conclusion of the contract (Article 6 (1) b./). Thus, personal data collected in the context of contract offers can also be processed under the legal title of contract performance as described in this point. When making an offer or accepting a bet, the Company is obliged to inform the offerer and the recipient of the offer.

Information on data management based on the fulfillment of a legal obligation

1. In the case of data management based on legal obligations, the scope of data that can be handled, the purpose of data management, the duration of data storage, and the recipients are governed by the provisions of the underlying legislation.
2. Data management based on the legal title of fulfilling a legal obligation is independent of the consent of the data subject, as data management is defined by law. Before data processing begins, the Company informs the data subject of the obligation of data processing, as well as all facts related to the processing of his/her data, including, in particular, the purpose and legal basis of data processing, the person entitled to data processing and data processing, the duration of data processing, if the data subject's personal data is The company handles it based on the applicable legal obligation, as well as on who can see the data. The information also covers the data subject's rights and legal remedies. In case of mandatory data management, the Company provides the information by publishing a reference to the legal provisions containing the above information.

Information on data processing for the purpose of fulfilling tax and accounting obligations

1. The Company handles the legally defined data of natural persons entering into a business relationship with it as a buyer or supplier for the purpose of fulfilling legal obligations, tax and accounting obligations prescribed by law (bookkeeping, taxation). The processed data is in accordance with CXXVII of 2017 on general sales tax. TV. § 169 and § 202 in particular: tax number, name, address, tax status, pursuant to § 167 of Act C of 2000 on accounting: name, address, designation of the person or organization ordering the economic operation, the signature of the voucher issuer and the person certifying the implementation of the provision, as well as the inspector, depending on the organization; the signature of the receiver on the stock movement receipts and money management receipts, and the payer's signature on the receipts, CXVII of 1995 on personal income tax. based on the law: entrepreneur ID number, primary producer ID number, tax identification number.
2. The period of storage of personal data is 8 years after the termination of the legal relationship giving the legal basis.
3. Recipients of personal data: the Company's employees and data processors performing tax, accounting, payroll and social security tasks.

Information on payer data management

1. The Company processes the personal data of those concerned - employees, their family members, employees, recipients of other benefits - as required by tax laws for the purpose of fulfilling legal obligations, tax and contribution obligations prescribed by law (tax, tax advance, assessment of contributions, payroll, social security, pension administration) , with whom its payers (2017:CL. Act on the Taxation System (Art.) 7.§ 31.) are in contact. The scope of the processed data is determined by § 50 of Art., highlighting separately: the natural person's natural personal identification data (including the previous name and title), gender, citizenship, the natural person's tax identification number, social security identification number (Social security number). If the tax laws attach legal consequences to this, the Company may process the employees' health (Szja tv.§ 40.) and trade union (Szja tv. § 47.(2) b./) data for the purpose of fulfilling tax and contribution obligations (payroll, social security administration).
2. The period of storage of personal data is 8 years after the termination of the legal relationship giving the legal basis.
3. Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (paying) tasks.

Promoting the rights of data subject

During all data management, the Company is obliged to ensure the exercise of the rights of the data subject.

Visitors data management on the company’s website – information on the use of cookies

General information about cookies

1. The Company informs visitors to its website about the use of cookies and requests consent from the visitor.
2. A cookie is data that the visited website sends to the visitor's browser (in the form of a variable name and value) so that it can store it and later the same website can load its content. Cookies can be valid until the browser is closed, or for an unlimited time. In the future, the browser also sends this data to the server for every HTTP(S) request. This modifies the data on the user's machine.
3. The essence of the cookie is that, due to the nature of the website services, it is necessary to mark a user (e.g. that he has entered the page) and to manage accordingly in the following. The danger lies in the fact that the user is not always aware of this and it may be suitable for the user to be followed by the operator of the website or another service provider whose content is integrated into the page (e.g. Facebook, Google Analytics), thus creating a profile created from it, and in this case the content of the cookie can be considered personal data.
4. Types of cookies:
   • Technically absolutely necessary session (session) cookies: without which the site would simply not work functionally, these are used to identify the user, e.g. necessary to manage whether you have entered. This is typically the storage of a session ID, the rest of the data is stored on the server, which is therefore more secure. It has a security aspect, if the value of the session cookie is not generated well, there is a risk of a session-hijacking attack, so it is absolutely necessary that these values are generated correctly. Other terminologies call all cookies that are deleted when you exit the browser a session cookie (a session is a browser usage from start to exit).
   • Usage-facilitating cookies: this is what you call cookies that remember the user's choices, for example in what form the user wants to see the page. These types of cookies essentially mean the setting data stored in the cookie.
   • Performance cookies: although they have little to do with "performance", cookies that collect information about the user's behavior, time spent and clicks on the visited website are usually called this. These are typically third-party applications (e.g. Google Analytics, AdWords, or Yandex.ru cookies). These are suitable for profiling the visitor.

     You can find information about Google Analytics cookies here:
     https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

     You can find information about Google Ads cookies here:
     https://support.google.com/google-ads/answer/2407785?hl=en

   • Accepting and authorizing the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to notify you when a cookie is currently being sent. Although most browsers automatically accept cookies by default, they can usually be changed to prevent automatic acceptance and offer you a choice each time.
5. Accepting and authorizing the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to notify you when a cookie is currently being sent. Although most browsers automatically accept cookies by default, they can usually be changed to prevent automatic acceptance and offer you a choice each time.
6. You can find information about the cookie settings of the most popular browsers on the links below:
   • Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
   • Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amitweboldak-haszn
   • Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-11
   • Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-10-win-7
   • Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-9
   • Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-8
   • Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacyfaq
   • Safari: https://support.apple.com/hu-hu/HT201265

However, we would like to point out that certain website functions or services may not function properly without cookies.

Information about the cookies used on the Company's website and the data generated during the visit

1. The scope of data managed during the visit: Our company's website can record and manage the following data about the visitor and the device used for browsing during the use of the website:
   • the IP address used by the visitor,
   • the type of browser,
   • characteristics of the operating system of the device used for browsing (set language),
   • date of visit,
   • a visited (sub)page, function or service.
   • click.

   We keep this data for a maximum of 90 days and can primarily be used to investigate security incidents.

2. Cookies used on the website
   • Technically essential session cookies:
     The purpose of data management is to ensure the proper functioning of the website. These cookies are necessary so that visitors can browse the website, use its functions smoothly and fully, the services available through the website, so - among others - in particular the commenting of the actions performed by the visitor on the given pages or the identification of the logged-in user during a visit . The duration of the data management of these cookies applies only to the visitor's current visit, this type of cookie is automatically deleted from the computer when the session ends or when the browser is closed. The legal basis for this data management is Act CVIII of 2001 on certain issues of electronic commercial services and information society services. Act (Elkertv.) 13/A. § (3), according to which the service provider may process the personal data that is technically absolutely necessary for the provision of the service for the purpose of providing the service. If the other conditions are the same, the service provider must choose and in any case operate the tools used in the provision of services related to the information society in such a way that personal data is only processed if this is absolutely necessary for the provision of the service and the fulfillment of other objectives defined in this law necessary, but also in this case only to the extent and for the necessary time.
   • Cookies to facilitate use:
     These remember the user's choices, for example in what form the user wants to see the page. These types of cookies essentially mean the setting data stored in the cookie. The legal basis for data management is the visitor's consent. Purpose of data management: Increasing the efficiency of the service, increasing the user experience, making the use of the website more convenient. This data is rather on the user's computer, the website can only access and recognize the visitor through it.
   • Cookies for performance:
     They collect information about the user's behavior within the visited website, time spent, and clicks. These are typically third-party applications (e.g. Google Analytics, AdWords). Legal basis for data management: the consent of the data subject. Purpose of data management: analysis of the website, sending advertising offers.

Website contact form

The visitor can consent to data management by deliberately ticking the empty checkbox at the bottom of the form.

Managed data	Purpose of data management	Legal basis for data management	Persons concerned	Data management period	Eligible persons	Storage
Name	Contact	Contribution		1 year
Email address			Website users or stakeholders who contact us by phone or email		Company's customer relations staff	Electronic. An antivirus with physically limited access, on a secure server, with a password, a firewall and a constantly updated version, protected by software
Phone number
Company name
Date of contact	Technical information operation
IP address	Technical information operation

Information about the rights of the person concerned

A brief summary of the rights of the data subject

1. Transparent information, communication and facilitating the exercise of the rights of the person concerned
2. Right to preliminary information - if personal data is collected from the data subject
3. Informing the person concerned and the information to be made available to him, if the personal data was not obtained from him by the Company
4. The data subject's right of acces
5. Right to rectification
6. The right to erasure ("the right to be forgotten")
7. The right to restrict data processin
8. Notification obligation related to the correction or deletion of personal data or the limitation of data management
9. The right to data portability
10. The right to protest
11. Automated decision-making in individual cases, including profiling
12. Limitations
13. Informing the data subject about the data protection incident
14. The right to lodge a complaint with the supervisory authority (right to an official remedy)
15. The right to an effective judicial remedy against the supervisory authority
16. The right to an effective judicial remedy against the Company as a data controller or data processor

The rights of the data subject in detail

1. Transparent information, communication and facilitating the exercise of the rights of the person concerned
   1. The Company must provide the data subject with all information and every piece of information regarding the processing of personal data in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded, especially in the case of any information addressed to children. The information is provided in writing or in another way, including, where applicable, the electronic way. Verbal information can also be provided at the request of the data subject, provided that the identity of the data subject has been verified in another way.
   2. The Company facilitates the exercise of the rights of the data subject.
   3. The Company shall inform the data subject without undue delay, but in any case within one month of the receipt of the request, of the measures taken as a result of his request to exercise his rights. This deadline can be extended by another two months under the conditions set out in the Regulation. about which the data subject must be informed.
   4. If the Company does not take measures following the data subject's request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, as well as of the fact that the data subject may file a complaint with a supervisory authority and exercise his right to judicial redress.
   5. The Company provides the information and information and measures on the rights of the data subject free of charge, however, in the cases described in the Regulation, it may charge a fee.
   The detailed rules can be found under Article 12 of the Regulation.
2. Right to preliminary information - if personal data is collected from the data subject
   1. The data subject has the right to receive information about the facts and information related to data management before the start of data management. In this context, the Company informs the data subject:
      • the identity and contact information of the Company and its representative,
      • the contact details of the data protection officer (if any),
      • the purpose of the planned processing of personal data and the legal basis of data processing,
      • in the case of data processing based on the assertion of a legitimate interest, on the legitimate interests of the Company or a third party,
      • the recipients of personal data - with whom the personal data is communicated - and the categories of recipients, if any;
      • where appropriate, the fact that the Company intends to transfer personal data to a third country or international organization.
   2. In order to ensure fair and transparent data management, the Company informs the data subject of the following additional information:
      • the period of storage of personal data, or if this is not possible, the criteria for determining this period;
      • the right of the data subject to request from the Company access to personal data relating to him, their correction, deletion or restriction of processing, and to object to the processing of such personal data, as well as the data subject's right to data portability;
      • in the case of data processing based on the consent of the data subject, the right to withdraw consent at any time, which does not affect the legality of data processing carried out on the basis of consent before the withdrawal;
      • on the right to submit a complaint to the supervisory authority;
      • whether the provision of personal data is based on legislation or a contractual obligation or is a prerequisite for entering into a contract, as well as whether the data subject is obliged to provide the personal data, as well as the possible consequences of not providing the data;
      • the fact of automated decision-making, including profiling, as well as, at least in these cases, the logic used and understandable information regarding the importance of such data management and the expected consequences for the data subject.
   3. If the Company intends to carry out further data processing of personal data for a purpose other than the purpose of their collection, it shall inform the data subject of this different purpose and of all relevant additional information prior to further data processing.
   The detailed rules of the right to prior information are contained in Article 13 of the Regulation.
3. The information of the person concerned and the information to be made available to him/her, if the personal data was not obtained from him/her by the Company
   1. If the Company did not obtain the personal data from the data subject, the Company will notify the data subject no later than one month from the date of acquisition of the personal data; if the personal data is used for the purpose of contacting the data subject, at least during the first contact with the data subject; or if it is expected that the data will be communicated to another recipient, at the latest when the personal data is communicated for the first time, inform them of the facts and information written in point 2 above, as well as the categories of the personal data concerned, as well as the source of the personal data and, where appropriate, that the data is publicly available whether they come from accessible sources.
   2. The additional rules are governed by the previous point 2 (Right to prior information).
   The detailed rules of this information are contained in Article 14 of the Regulation.
4. The data subject's right of access
   1. The data subject has the right to receive feedback from the Company as to whether his personal data is being processed, and if such data processing is underway, he is entitled to receive access to the personal data and related information. (Regulation Article 15).
   2. If personal data is transferred to a third country or to an international organization, the data subject is entitled to receive information about the appropriate guarantees in accordance with Article 46 of the Regulation regarding the transfer.
   3. The Company will make a copy of the personal data subject to data management available to the data subject upon request. For additional copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs.
   Detailed rules regarding the data subject's right of access are contained in Article 15 of the Regulation.
5. Right to rectification
   1. The data subject has the right to have inaccurate personal data corrected by the Company without undue delay upon request.
   2. Taking into account the purpose of the data management, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.
   These rules are contained in Article 16 of the Regulation.
6. The right to erasure ("the right to be forgotten")
   1. The data subject has the right to request that the Company delete the personal data concerning him without undue delay, and the Company is obliged to delete the personal data concerning the data subject without undue delay if
      • the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
      • the data subject withdraws his/her consent, which is the basis of the data management, and there is no other legal basis for the data management;
      • the data subject objects to the processing of his/her data and there is no overriding legal reason for the data processing,
      • a personal data were handled illegally;
      • the personal data must be deleted in order to fulfill the legal obligation prescribed by EU or member state law applicable to the Company as a data controller;
      • the collection of personal data took place in connection with the offering of information society-related services offered directly to children.
   2. The right to deletion cannot be asserted if data management is necessary
      • for the purpose of exercising the right to freedom of expression and information;
      • for the purpose of fulfilling an obligation under EU or Member State law applicable to the Company as a data controller, or performing a task carried out in the public interest or in the context of the exercise of public authority conferred on the data controller;
      • on the basis of public interest in the field of public health;
      • for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the right to erasure would likely make this data management impossible or seriously jeopardize it; or to submit, assert or defend legal claims.
   Detailed rules regarding the right to deletion are contained in Article 17 of the Regulation.
7. The right to restrict data processing
   1. In the case of restrictions on data management, the Company processes such personal data, with the exception of storage, only with the consent of the data subject, or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of other natural or legal persons, or for the important public interest of the Union or a member state.
   2. The data subject is entitled to request that the Company restrict data processing if one of the following conditions is met:
      • the data subject disputes the accuracy of the personal data, in this case the limitation applies to the period that allows the Company to check the accuracy of the personal data;
      • the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use;
      • the Company no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; or
      • the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the Company take precedence over the legitimate reasons of the data subject.
   3. The Company informs the data subject in advance about the lifting of the limitation of data management.

8. Notification obligation related to the correction or deletion of personal data or the limitation of data management

   The Company informs all recipients of all corrections, deletions or data management restrictions to whom or to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. At the request of the person concerned, the Company will inform about these recipients.

   These rules can be found under Article 19 of the Regulation.

9. The right to data portability

   1. Under the conditions set out in the Regulation, the data subject is entitled to receive the personal data relating to him/her provided to the Company in a segmented, widely used, machine-readable format, and is also entitled to forward this data to another data controller without would hinder the Company if
      • data management is based on consent or a contract;
      • and data management is automated.
   2. The data subject can also request the direct transmission of personal data between data controllers.
   3. The exercise of the right to data portability may not violate Article 17 of the Regulation (The right to erasure ("the right to be forgotten"). The right to data portability does not apply in the event that the data processing is in the public interest or the exercise of the public powers vested in the Company as a data controller This right must not adversely affect the rights and freedoms of others.

   The detailed rules are contained in Article 20 of the Regulation.

10. The right to protest

    1. The data subject has the right to object at any time to the processing of his personal data based on the public interest, performance of a public task (Article 6 (1) e)) or legitimate interest (Article 6 f)) for reasons related to his own situation, including the aforementioned provisions based profiling as well. In this case, the Company will not process the personal data further, unless the Company can prove that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are necessary for the presentation, enforcement or are related to its protection.
    2. If personal data is processed for direct business acquisition, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including profiling, if it is related to direct business acquisition. If the data subject objects to the processing of personal data for the purpose of direct business acquisition, the Company will no longer process the personal data for this purpose.
    3. The Company draws the attention of the data subject to these rights at the latest during the first contact with the data subject, and displays the relevant information clearly and separately from all other information.
    4. The data subject can also exercise the right to protest using automated means based on technical specifications.
    5. If personal data is processed for scientific and historical research or statistical purposes, the data subject has the right to object to the processing of personal data concerning him for reasons related to his own situation, unless the data processing is for the purpose of performing a task carried out for reasons of public interest need.

    The relevant rules are contained in Article 21 of the Regulation.

11. Automated decision-making in individual cases, including profiling

    1. The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have a legal effect on him or affect him to a similar extent.
    2. This right does not apply if the decision:
       • necessary in order to conclude or fulfill the contract between the person concerned and the Company;
       • its adoption is made possible by EU or member state law applicable to the Company, which also establishes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or based on the express consent of the data subject.
    3. In the cases mentioned in the second and third subsections of the above (II.), the Company will take the appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Company, to express his point of view, and file an objection against the decision.

    Additional rules are contained in Article 22 of the Regulation.

12. Restrictions

    EU or Member State law applicable to the Company as a data controller or data processor may limit the scope of rights and obligations (Articles 12-22, Article 34, Article 5 of the Regulation) through legislative measures, if the restriction respects the essential content of fundamental rights and freedoms.

    The terms of this restriction are contained in Article 23 of the Regulation.

13. Informing the data subject about the data protection incident

    1. If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the Company shall inform the data subject of the data protection incident without undue delay. In this information, the nature of the data protection incident is described in a clear and comprehensible way, and at least the following is communicated:
       • the name and contact details of the data protection officer or other contact person providing additional information;
       • describes the likely consequences of a data protection incident;
       • describes the measures taken or planned by the Company to remedy the data protection incident, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
    2. The Company will not inform the data subject if any of the following conditions are met:
       • the Company has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the use of encryption - that make it unintelligible to persons not authorized to access personal data the data;
       • following the data protection incident, the Company took additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future;
       • providing information would require a disproportionate effort. In such cases, the Company informs the affected parties through publicly published information, or takes a similar measure that ensures similarly effective information to the affected parties.

14. The right to lodge a complaint with the supervisory authority (right to an official remedy)

    The data subject has the right to file a complaint with a supervisory authority - in particular in the Member State of his or her usual place of residence, workplace or the place of the alleged infringement - if, in the opinion of the data subject, the processing of personal data relating to him/her violates the Regulation. The supervisory authority to which the complaint was submitted is obliged to inform the customer about the procedural developments related to the complaint and its outcome, including whether the customer is entitled to a judicial remedy.

    These rules are contained in Article 77 of the Regulation.

15. The right to an effective judicial remedy against the supervisory authority

    1. Without prejudice to other administrative or non-judicial remedies, all natural and legal persons are entitled to an effective judicial remedy against the legally binding decision of the supervisory authority.
    2. Without prejudice to other administrative or non-judicial remedies, all data subjects are entitled to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments related to the submitted complaint or its result.
    3. Proceedings against the supervisory authority must be initiated before the court of the Member State where the supervisory authority is based.
    4. If proceedings are initiated against a decision of the supervisory authority in relation to which the Board previously issued an opinion or made a decision within the framework of the uniformity mechanism, the supervisory authority is obliged to send this opinion or decision to the court.

    These rules are contained in Article 78 of the Regulation.

16. The right to an effective judicial remedy against the controller or processor

    1. Without prejudice to the available administrative or non-judicial remedies, including the right to complain to the supervisory authority, all affected parties are entitled to effective judicial remedies if, in their opinion, their rights under this Decree have been violated as a result of the processing of their personal data not in accordance with this Decree.
    2. Proceedings against the Company as a data controller or the data processor must be initiated before the court of the Member State where the Company or the data processor operates. Such proceedings can also be initiated before the court of the Member State of the habitual residence of the affected person, unless the Company or the data processor is a public authority of a Member State acting in its public authority.

    These rules are contained in Article 79 of the Regulation.