1. The controller
ExVA Vizsgáló és Tanúsító Korlátolt Felelősségű Társaság
Registered office: 1037 Budapest, Mikoviny Sámuel u. 2-4. Hungary
Represented by: Ágnes Bálint, Executive Director
e-mail: [email protected]
2. Specific data processing
Purpose of processing
Legal basis of processing
|Contact details of companies:|
name, position, email address, telephone number
|Business communication||As long as the business relationship exists or until a change in the contact person occurs||Our legitimate interest related to communication. You may at any time object to processing by contacting us at any of the contact details in Section 1 [Article 6(1)(f) of the GDPR]||4.2.,4.3.,4.5,4.7.|
personal data of contact persons and signatories
|Compliance with legal obligation||8 years following the termination of the contract||Compliance with legal obligation. Retention is required following the settlement of accounts, for compliance with tax law and accounting regulations 1. No contract may be concluded without personal data. [Article 6(1)(c) of the GDPR]|
|Personal data disclosed in an email, over the phone, on the website and in letters by post:|
name, telephone number, address, email address, other personal data disclosed
|Response to inquiries and complaint handling||5 years||Consent given by sending the inquiry. The consent may be withdrawn at any time by contacting us at any of the addresses in Section 1. Withdrawal shall not affect the lawfulness of processing prior to the withdrawal. [Article 6(1)(a) of the GDPR]||4.1.-4.6.|
|Automatic registration of IP address when visiting website||Technical improvement of the IT system, monitoring the service, statistics||30 days||Pursuant to Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and on Information Society Services, our legitimate interest in the proper operation of the website. You may at any time object to processing by contacting us at any of the contact details in Section 1 [Article 6(1)(f) of the GDPR]||4.2.,4.3.,4.5,4.7.|
|Personal data, if any, indicated on the invoice issued: name, address in the case of a natural person or sole trader||Compliance with legal obligation||8 years||Compliance with legal obligation. Retention is required following invoicing, for compliance with tax law and accounting regulations 1. No order may be performed without data. [Article 6(1)(c) of the GDPR]||4.2.,4.3., 4.5.|
1 Pursuant to Section 169(2) of Act C of 2000 on Accounting: “The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for a minimum of eight years, shall be legible and retrievable by means of the code of reference indicated in the accounting records.”
3. Processors and other controllers
3.1. Processors and subprocessors
The website is hosted by Rackhost Zrt. (registered office: H-6722 Szeged, Tisza Lajos körút 41., Hungary).
3.2. Other controllers
Accounting services are provided by Béres Gyógyszergyár Zrt. (registered office: H-1037 Budapest, Mikoviny Sámuel u. 2-4., Hungary).
4. Rights and remedies
As far as processing is concerned, you have the rights set out in Sections 4.1 to 4.7. Should you wish to exercise any of these rights, please write to any of the addresses in Section 1.
Prior to responding to a request, we need to check your identity. You only need to give us some personal data that we have on file of you.
Response to request
Following identification, we provide information regarding your request either by post or in an email depending on how the inquiry was received.
We will inform you of the actions taken in response to the request, within 1 (one) month following the receipt of the request. This administration time may be extended by another 2 (two) months if the complexity and the number of requests requires so, but you will be informed of the extension within the 1 (one) month administration time. You will also be notified within the 1 (one) month administration time if no actions are taken. You have the right to file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) (Section 5.1) and you have the right to enforce judicial remedy (Section 5.2).
The information and action requested shall be free of charge. Except where the request is clearly unfounded or is excessive, in particular because it is repetitive. In such cases, you will be charged an administration fee or we may refuse to comply with your request.
4.1. You have the right to withdraw your consent
Your consent may be withdrawn at any time in cases of processing based on consent. Such withdrawal shall not affect the lawfulness of processing completed based on consent prior to the withdrawal.
4.2. You have the right to request information (access)
You have the right to request information on whether your personal data are processed, and if yes:
- For what purpose are data processed?
- What personal data are processed exactly?
- To whom are such data transferred?
- For how long are such data stored?
- What rights and remedies do you have?
- From whom did we obtain your data?
- Were there any automated decisions made about you with the use of your personal data? In such cases, you have the right to request information about the logic (method) applied, and about the importance and expected consequences of such processing.
- If you find that your data are transferred to an international organisation or a third (non-EU) country, you have the right to request evidence of what guarantees the due and proper processing of your personal data.
- You have the right to request a copy of your processed personal data. (You may be charged an administrative cost-based fee for all further copies.)
4.3. You have the right to request rectification
You have the right to request rectification if your personal data are registered inaccurately or incompletely.
4.4. You have the right to request erasure (right to be forgotten)
You have the right to request the erasure of your personal data if:
a) the personal data are no longer necessary in relation to the purpose for which they were processed
b) processing is based on consent;
c) the processing of personal data is proved to be unlawful;
d) your objection is successful;
e) the personal data have to be erased for compliance with a legal obligation by Union or Member State law
Personal data may not be erased if they are necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation that requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest;
c) for the establishment, exercise or defence of legal claims.
4.5. You have the right to request the restriction of processing
You have the right to request the restriction of processing if any of the following arise:
a) You contest the accuracy of the personal data. In such cases, restriction applies for a period enabling the controller to verify the accuracy of the personal data.
b) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
d) You have objected to processing. In such cases, the restriction shall apply for a period required to verify whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
4.6. You have the right to request the transfer of your personal data (right to data portability)
You shall have the right to receive the personal data concerning you in a structured, commonly used and machine-readable format and have the right to transmit, or at your request have those data transmitted by us to another controller if processing is based on consent or contract, and is carried out automatically.
4.7. You have the right to object to the processing of your personal data
You have the right to object to the processing of your personal data where the legal ground of processing is the legitimate interest of the Controller or a third party. In this case, personal data are erased unless the controller demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2 Pursuant to Section 169(2) of Act C of 2000 on Accounting: “The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for a minimum of eight years, shall be legible and retrievable by means of the code of reference indicated in the accounting records.”
5.1. You have the right to lodge a complaint with the NAIH
If you find the processing of the personal data to be in breach of the provisions of the GDPR, you have the right to lodge a compliant with the National Authority for Data Protection and Freedom of Information (NAIH)
President: dr. Attila Péterfalvi
mailing address: H-1363 Budapest, Pf. 9., Hungary
address: H-1055 Budapest, Falk Miksa utca 9-11., Hungary
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
e-mail: [email protected]
5.2. You have to right to judicial remedy
If you find the processing of your personal data to be in breach of the regulations of the GDPR, and through this your rights under the GDPR are violated, you may turn to the court.
The suit shall be heard by the competent tribunal. If so requested by the data subject, the suit may be brought before the tribunal in the jurisdiction of which the data subject’s home address or temporary residence is located. Any person otherwise lacking legal capacity to be a party to legal proceedings may also be involved in such suits. The Authority may intervene in the suit on the data subject’s behalf. The procedure of the court shall be governed by the provisions of the GDPR and also those of Title XII (Sections 2:51 to 2:54) of Part 3 in the Second Book of Act V of 2013 on the Civil Code, and also other regulations applicable to court procedures.
5.3. Indemnification and compensation
If damage is caused or the data subject’s personality rights are violated by the unlawful processing of the data subject’s data by the Controller, compensation may be claimed from the Controller. The Controller shall be released from the liability for the damage caused and the obligation to pay compensation if they can prove that the damage was caused or the personality rights were violated for reasons beyond its reasonable control arising outside the scope of the processing.
6. Data security
We will use our best endeavours to take adequate technical and organisational measures to ensure the appropriate security of the personal data, taking the state of the art and the costs of implementation, and the nature of the processing, including risks to the rights and freedoms of natural persons, into account. Personal data are always processed in a way to ensure confidentiality and the highest level of resilience, and by ensuring the possibility of restoring data should a problem arise.
Last updated: 12 May 2021