PRIVACY POLICY OF RBS
Purpose and Scope of the Privacy Policy
- The purpose of this Privacy Policy is to the set forth the data protection and data processing principles applied by RAVATHERM Hungary Kft and the privacy policy of the company by which, as a data controller, the company undertakes to be bound.
- This Privacy Policy lays down the principles of processing Personal Data provided by Users.
When articulating the provisions of the Privacy Policy, the company paid special attention to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Info Act”), Act C of 2013 on the Civil Code (“Civil Code”), Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Comm. Adv. Act”).
In default of information to the contrary, the scope of this Privacy Policy shall not include services and data processing activities connected to promotions, prize competitions, services, other campaigns and other contents published by third parties other than the Controller, who advertise or otherwise appear on certain webpages referred to below in this Privacy Policy. In the same manner, in default of information to the contrary, the scope of this Privacy Policy shall not include the services and data processing activities of webpages and service providers referred to by links found on webpages included in the scope of the Privacy Policy. Such services shall be governed by the provisions set forth in the privacy policies of the third parties operating such services. The Controller shall not undertake liability for the data processing activities of such third parties.
Definitions
- Processing: irrespective of the method applied, Processing shall mean any operation or set of operations performed on Personal Data or on sets of Personal Data in particular collection, recording, organisation, structuring, storage, adaptation or alteration, utilization, retrieval, consultation, disclosure, transmission, dissemination or otherwise making available, publication, alignment or combination, restriction, erasure or destruction of Personal Data.
- Controller: shall be the person or entity which—alone or jointly with others—determines the purposes and means of the Processing.
In respect of the Services referred to in this Privacy Policy, the Controller shall be:
RAVATHERM Hungary Kft. (1117 Budapest, Hengermalom út 47/a.; registered by the Trade Registry Court of the Tribunal of Budapest (Fővárosi Törvényszék Cégbírósága), registration number: 01-09-362927; tax number: 10949951-2-43; hereinafter referred to as “Controller”) and Controllers shall be are business enterprises registered in Hungary.
Controller: the operator of the Webpages providing media content services on its webpage for the products it produces and providing the Services available through the Webpage in connection with its main activity.
Processor: provides first of all information technology services for the provision of the Services.
The Processing activities described in this Privacy Policy shall be considered as joint data processing as described in the GDPR, since the Personal Data provided by the User when signing up for the given Service and using the Webpage will be transmitted by one Controller to another who will process it in order to provide the Service. The scope of tasks and responsibilities with respect to joint data processing shall be determined by the agreement to be concluded between the Controllers. Based on this, the responsibility for Processing shall be distributed between the Controllers as follow: each Controller shall be responsible for the Processing he has performed, in particular that the Personal Data he collected is made available to the other Controller in a lawful manner.
The User may exercise his or her rights provided by the GDPR with respect to and against any one of the Controllers irrespective of the provisions of the agreement herein referred to.
Personal Data or data: shall be any data or information that makes a User, who is a natural person, identifiable in a direct or indirect manner.
Processor: shall be a service provider processing Personal Data on behalf of the Controller. In the case of services referred to in this Privacy Policy, the following may be Processors:
Look and Feel Kft.
Registered office: 1021 Budapest, Kuruclesi út 57.; Trade registry number: 01 09 989544; Tax number: 24081007241
Dentsu Aegis Network Hungary Média Kft
Registered office: 1027 Budapest, Kacsa utca 15-23.; Trade registry number: 01-09-168441
Court acting as trade registry court: Trade Registry Court of the Tribunal of Budapest (Fővárosi Törvényszék Cégbírósága)
Tax number: 10781137-2-41
Daniel Nosiadek KEDAISON
30-348 Kraków, ul. Chmieleniec 41/54; IP/BTW: PL 647-215-00-75
Webpage(s): the webpages operated by the Controller: Ravatherm.com.
Service(s): online publications operated by the Controller and the services offered by the Controller available on the Webpages.
User: a natural person signing up for the Services and as a consequence provides his or her data specified in Section III below.
External Service Provider: the third-party service providers used either directly or indirectly by the Controller to operate the individual Webpages or with respect to the services available through the Webpages to which Personal Data are or may be transmitted so that they can provide their services or to which the Controllers may forward Personal Data. Service providers who are not in cooperation with any Controller but, since they have access to the webpages of the Services, collect information on Users which either independently or combined with other information may be suitable for the identification of Users.
Privacy Policy: this Privacy Policy of the Controller.
Scope of Personal Data
When a User visits the interface of a Webpage, the system of the Controller shall automatically record the IP address of the User.
On the basis of the decision of the User, the Controller may process the following data in connection with the use of the services available on the Webpage: name, gender, place of residence, postal code, phone number, e-mail address, IP address and time of last access.
When a User sends an e-mail to a Service (e.g. a message or a reader’s letter), the Controller shall record the e-mail address of the User.
When editing activity takes place with respect to the content of the Controller, the data of all the natural persons contributing to producing such content—either as a source or any other manner as a result of which a reference to them is inserted in the edited content—shall be processed. In that case the Personal Data processed most frequently by the Controller may be: the name, position, place of work, age of the data subject, data related to his or her place of residence or other data referring to how the data subject is connected to the topic of the edited content.
If Users, at their own discretion, connect their Facebook account with their Indapass account, the Controllers may process the following Personal Data of the Users apart from those referred above: public Facebook profile information, city of birth provided on Facebook, Facebook list of contacts, Facebook profile name, Facebook profile picture, Facebook e-mail address, home address provided on Facebook, gender and birthday.
Irrespective of the above, it may occur that a service provider technically connected to the operation of the Services performs data processing activities on some of the Webpages without notifying the Controller. This activity shall not be considered Processing performed by the Controller. The Controller shall make every effort to prevent and eliminate such processing activities.
Scope of additional data processed by the Controller
In order to provide personalized services, the Controller places a small data package (known as “cookie”) on the User’s computer. The purpose of a cookie is to ensure the operation of the given page at the highest possible level, to offer personalized services and enhanced user experience. Users may remove the cookies from their computer themselves or may set their browsers to disable cookies. By disabling cookies, the User shall note that the operation of the given page shall not be fully fledged.
When providing personalized services by way of using cookies, the Controller shall process the following Personal Data: demographic data (based on the data referred to in Paragraph 3.2 above), information related to areas of interest, habits and preferences (based on browsing history).
Data technically recorded in the course of operation of the system: data of the User’s computer used for logging in generated while the Service is being used and recorded automatically by the Controller’s system as a result of technical processes. The data recorded automatically shall be logged by the system upon logging in and logging out without the separate consent or action on behalf of the User.
The purpose and legal basis of Processing
The purpose of Processing activities performed by the Controller shall be:
- providing online content services;
- identification of and communication with Users;
- identification of the User’s authorisations (identification of services that the User is entitled to use);
- handling and managing individual user’s requests;
- preparing statistics and analyses;
- providing storage space for user-generated contents (e.g. comments, blogs etc.);
- in individual cases, organizing and conducting prize competitions, notifying the winners and providing prizes to them;
- technical development of the information technology system;
- protection of the Users’ rights;
- enforcement of the Controller’s legitimate interests.
The Controller may process Personal Data for any of the above-mentioned processing purposes, while the purpose of Processing performed by Processors shall be data processing purposes b), c), d), f), g), i) or j).
Controllers may not use the received Personal Data for purposes other than those specified in the paragraphs above.
Processing shall be based on the freely given and informed statement of the User which shall include his or her express consent to the use of his or her Personal Data provided in the course of using the webpage and the Personal Data generated with respect to them. In the case of processing based on consent, Users shall be entitled to withdraw their consent any time, but this shall not affect the lawfulness of processing that took place before the withdrawal.
When the User enters individual webpages, the Controller shall record the User’s IP address in connection with the provision of services without the User’s specific consent, with respect to the lawful interest of the Controller (e.g. in order to eliminate unlawful usage and/or illegal contents).
The legal basis of Processing in the context of content service and/or in connection with that, apart from the freely given consent of the User, may be also the Controller’s compelling lawful interest as well as the granting of the fundamental rights to information and to freedom of expression within the context provided by law.
In cases where the legal basis of Processing is the compelling lawful interest of the Controller, Controllers examine the balance of interests in compliance with the provisions of the GDPR and they may examine such balance, also in the future, to justify that the lawful interest of the Controller in respect of the given Processing is stronger than the data subject’s rights and freedoms with respect to the Processing. In case of such a request, the Controller shall provide information to the data subject with respect to the matter referred to in this paragraph in compliance with this Privacy Policy.
Data transmissions to the Processors specified in this Privacy Policy may be performed without the User’s separate consent. Disclosure of Personal Data to third persons or authorities may be performed exclusively on the basis of an authority decision or on the basis of the User’s prior express consent unless otherwise provided by law.
The User shall warrant that in the case he or she provides or makes available any Personal Data of other natural persons in the course of using the Services (e.g. during the disclosure of user-generated content etc.) the concerned data subject’s consent for the Processing has been lawfully obtained by the User. The User shall be fully responsible for all shared user content uploaded to the Services.
The User shall also undertake liability that when he or she provides his or her e-mail address and data for the purposes of registration (e.g. user name, identifier, password etc.) exclusively he or she shall use the Services by way of the specified e-mail address and/or the data specified by him or her. With respect to this undertaking of liability, all liability related to entries by way of a given e-mail address and/or data shall be borne exclusively by the User who has registered the e-mail address and provided the data.
Principles and method of Processing
The Processor shall process Personal Data based on the principles of good faith, fairness and transparency as well as in compliance with the provisions of law in force and this Privacy Policy.
The Personal Data that are indispensable for using the Services shall be used by the Controller based on the consent of data subjects and limited exclusively to the specified purpose.
The Controller shall process the Personal Data for the purpose determined in this Privacy Policy and/or the related rules of law. The scope of Personal Data shall be commensurate with the purpose of the Processing and shall not extend over it.
In every case where the Controller wants to use Personal Data for purposes other than those for which it had been originally collected, the User shall be notified of this fact and his or her prior express consent shall be obtained or the opportunity shall be offered to the User to object against such use.
The Controller shall not carry out any checking with respect to the Personal Data received. The person providing data to the Controller shall have exclusive liability for the relevance of data he or she provides.
Personal Data of data subjects under 16 years of age may be processed in possession of the consent of a major exercising parental authority over the data subject. The Controller is not in the position to check the authority or the content of the declaration of the person giving his or her content, so either the User or the person exercising parental control over him or her shall warrant that the consent complies with the rules of law. In default of a declaration of consent, the Controller shall not collect Personal Data for data subjects under 16 years of age, with the exception of the IP address used when the Service is used, which is automatically recorded arising from the nature of Internet-based services.
The Controller shall not transfer the Personal Data to any third party except for the Processors determined in this Privacy Policy and in certain cases—referred to in this Privacy Policy— to External Service Providers.
The use of data in statistically aggregated form which may not in any form include any data suitable for the identification of the data subject—and as such is not considered as Processing or transmission—shall constitute an exception from the provision of this paragraph.
The Controller shall in certain cases—such as official requests by a court or the police, legal proceedings as a consequence of any violation of law with respect to author’s rights, property rights or other violations of law or reasonable grounds for the suspicion thereof, injury to the Controller’s interests, endangerment of the safety of the provision of services etc.—disclose the available Personal Data of the concerned User to third parties.
The Controller’s system may collect data concerning the activities of Users which may not be connected to other data provided by the Users at registration nor with data generated at the time of using the Services.
In case of any amendment, restriction or erasure of Personal Data processed by the Controller, the Controller shall notify the concerned User and all of the parties to whom the Personal Data was transmitted earlier for Processing. This notification may be omitted if no injury is caused to the lawful interest of the data subject with respect to the purpose of Processing.
The Controller shall take care of the safety of Personal Data, they shall make the technical and organizational measures and design the procedural rules to ensure the protection of the recorded, stored and processed Personal Data, and prevent it from being lost, illegally destroyed, accessed to, altered or disseminated. The Controller shall require all of the third parties to comply with this obligation to whom Personal Data is transmitted for Processing.
With respect to the relevant provisions of the GDPR, the Controller shall not be liable to appoint a data protection officer.
Duration of Processing
7.1 The Processor shall store automatically registered IP addresses for no longer than 7 days upon their recording.
In the case of e-mails sent by the User, the Controller requested shall erase the e-mail address referred to in the request within 90 days upon closure of the case referred to in the request except when, in an individual case, the lawful interest of the Controller justifies the further processing of Personal Data, until such lawful interest of the Controller exists.
The Processing of Personal Data provided by the User shall continue until the User unsubscribes from the Service with the given user name or otherwise requests the erasure of his or her Personal Data. In that case the Personal Data shall be erased from the systems of the Controller.
The Personal Data provided by the User—even if he or she does not unsubscribe from the Service or terminates only the possibility of entry by his or her de-registration and the comments and uploaded contents remain—may be processed by the Controller until the User expressly requests termination of the Processing thereof in writing. The User’s right to using the Service shall not be affected by his or her request for the termination of Processing without de-registering from the Service, but it may occur that he or she will not be able to use certain Services without his or her Personal Data.
If unlawful or deceptive Personal Data is used or the User commits a crime or carries out an attack against the system, the Controller shall be entitled to immediately erase the User’s Personal Data along with terminating his or her registration or to preserve it for the period of the proceedings to be carried out if a crime or civil liability is suspected.
Data recorded automatically in the course of the operation of the system shall be stored on the system from their generation until it is required for the operation of the system. The Processor shall ensure that this automatically recorded data cannot be connected to other Personal Data except where it is required by law. If the User has withdrawn his consent to the processing of his or her Personal Data or unsubscribed from the Service, his or her person shall not be identifiable by the technical data except for investigative bodies or experts.
If a court or an authority orders the erasure of Personal Data with a final effect, erasure shall be performed by the Controller. Instead of erasure, along with the notification of the User, the use of Personal Data shall be restricted if so requested by the User or if, based on the information available, it may be assumed that such erasure would injure the User’s lawful interest. The Personal Data shall not be erased by the Controller until the processing purpose that has excluded the erasure of the Personal Data exists.
Rights of the User and the means of their enforcement
The User may request any Controller to inform him or her whether his or her Personal Data is processed, and if yes to provide access to the Personal Data processed by the Controller.
The Personal Data provided by the User in connection with the given Service can be viewed either at the settings of the access control system of the Services and/or on the profile pages belonging to the individual Services.
Irrespective of this, the User may at any time request information on the processing of his or her Personal Data in writing in a registered letter or a letter with acknowledgement of receipt sent to any of the Controllers or in an e-mail sent to the e-mail address info@ravatherm.com. The Controller shall consider the request for information authentic if the User can be clearly identified on the basis of the request. If a request is sent by e-mail, the Controller shall consider it authentic if it is sent from the User’s registered e-mail address, but this shall not exclude that the Controller identifies the User by other means as well before providing the requested information.
The information request may involve the User’s data processed by the Controller, their source, the purpose, the legal basis and the duration of Processing, the name and address of possible Processors, the activities related to the Processing and, in case the Personal Data are forwarded, the persons who received or will receive the User’s Personal Data and for what purposes.
The User may request the rectification or amendment of his or her Personal Data processed by the Controller. In respect of the purpose of the Processing, the User may also request the completion of incomplete Personal Data.
The Personal Data provided by the User with respect to the given Service may be modified at the access control settings of the Services and/or on the profile pages belonging to the individual Services. After a request for amending Personal Data is fulfilled, the earlier (erased) data may no longer be restored.
The User may request the erasure of his or her Personal Data processed by the Controller.
The request may be refused (i) for the purpose of exercising the right to freedom of expression and to information, or (ii) if the processing of Personal Data is authorized by law; and (iii) for the purposes of submitting, enforcing or protecting legal claims.
The Controller shall always notify the User if the request for erasure is refused and shall indicate the reason for the refusal. After a request for the erasure of Personal Data is fulfilled, the earlier (erased) data may no longer be restored.
The User may request the Controller to restrict the processing of his or her Personal Data if the User contests the accuracy of the Personal Data. In this case the restriction shall affect the period during which the Controller can check the accuracy of Personal Data. The Controller shall mark the Personal Data processed by the Controller if the User contests the correctness or accuracy of the data but the incorrectness or inaccuracy of the contested Personal Data cannot be established clearly.
The User may request the Controller to restrict his or her Personal Data also if the Processing is unlawful but the User opposes the erasure of the Personal Data processed and requests the restriction of their use instead.
The User may also request the restriction of the processing of his or her Personal Data by the Controller if the purpose of Processing has been realized, but the User wants his or her data to be processed by the Controller for the purpose of submitting, enforcing or protecting his or her legal claims.
The User may request that the Controller transmits the Personal Data made available to it by the User and processed automatically in structured, widely used, machine-readable format and/or forwards it to another Controller.
The User may object against the processing of his or her Personal Data (i) if the processing of Personal Data is required exclusively for fulfilling a legal obligation of the Controller or for the enforcement of the lawful interest of the Controller or a third person; (ii) if the purpose of the processing is the direct solicitation of business, opinion poll or scientific research; or (iii) if the Processing is performed in the public interest. The Controller shall investigate the lawfulness of the User’s objection, and, if it is found well-founded, the Processing shall be terminated, the data that has been processed shall be locked, and all of the parties to which the Personal Data affected by the objection were forwarded earlier on shall be notified about the objection and the measures taken with respect to it.
Processing
For performing its activities, the Controller employs the Processors named above in this Privacy Policy.
The Processors shall not make independent decisions; they shall be entitled to act exclusively on the basis of the contract concluded with the Controller and the instructions received. After 25 May 2018, the Processors shall record, handle and/or process the Personal Data transmitted to them by the Controller in compliance with the provisions of the GDPR, and they shall make a statement in this regard for the Controller.
The work of the Processors shall be controlled by the Controllers.
The Processors may use further Processors only with the consent of the Controller.
External service providers
In order to provide its services, the Controller may in many cases use External Service Providers who shall cooperate with the Controller.
With respect to the Personal Data processed in the systems of External Service Providers, the provisions set forth in the privacy policies of the External Service Providers shall govern. The Controller shall make every reasonable effort so that the External Service Providers process the Personal Data in compliance with the rules of law and use it exclusively for the purpose determined by the User or the purpose set out in this Privacy Policy below. After 25 May 2018, External Service Providers shall record, handle and/or process the Personal Data transmitted to them by the Controller in compliance with the provisions of the GDPR, and they shall make a statement in this regard the Controller.
The Controller shall notify the Users if data transfers to External Service Providers in the context of this Privacy Policy takes place.
External service providers facilitating registration or login
With respect to the provision of services, the Controller shall cooperate with External Service Providers providing applications to facilitate registration and logging in for the Users. In the context of this cooperation, certain Personal Data (such as IP address, e-mail address, registered name) may be transmitted through these External Service Providers to the Controller and/or the Processor. These External Service Providers shall collect, process and forward the Personal Data according to their own privacy policies.
External Service Providers facilitating registration or logging in, cooperating with the Controller: Facebook Inc.
Web analytics and ad serving External Service Providers
The Controller shall cooperate with web analytics and ad serving External Service Providers in connection with the webpages of the Services.
These External Service Providers may access the User’s IP address and, in a number of cases, ensure the personalization or analysis of the Services or the preparation of statistics by way of cookies, web beacons (a web marker for recording the IP address, the visited webpage used on webpages, sometimes in e-mails or mobile applications), click tags (a marking, measuring code identifying clicks on a given advertisement) or other click meters.
The cookies placed by these External Service Providers may be erased any time from the User’s device, and the use of cookies may be refused in general by the appropriate selection of the browser’s setting. Cookies placed by External Service Providers may be identified based on the domain connected to the given cookie. Web beacons, click tags and other click meters cannot be refused.
These External Service Providers shall process the Personal Data forwarded to them according to their own privacy policies.
Web analytics and ad serving External Service Providers cooperating with the Controller: Facebook Inc., Google LLC.
In the case of providing environment (storage space)
In the context of providing the Services, the Controller shall consider Users that use the environment provided by the Controller for storage, for publishing their own contents, as External Service Providers. The Users, at their own discretion, may upload Personal Data to the environment they use, or may use services to collect, record or process Personal Data on the storage space.
In all the cases where the Controller as service provider provides an environment for the User, the Controller shall not perform processing activity with respect to Personal Data processed in this environment. All responsibility with respect to the lawfulness of processing activities related to data processed here shall be borne by the user using the hosting service.
Other External Service Providers
There are External Service Providers that are not in contractual relationship with any Controller or, with respect to the given processing, the Controller does not cooperate with them on purpose, but, regardless of this, they have access to the Webpage/Services either by way of the Users’ intervention (for example by connecting their individual account to the Service) or without it, and collect data on the Users or on user activities performed on the webpages of the Services which, in some cases, may be suitable for the identification of the User on their own or combined with other data collected by such External Service Providers. Such External Service Providers may include in particular but not limited to: Facebook Ireland Inc., Google LLC, Instagram LLC., Pinterest Ltd., Infogram Software Inc, PayPal Holdings Inc., Playbuzz Ltd., Twitter International Company, Viber Media LLC, Vimeo Ltd., Yahoo! EMEA Ltd., YouTube LLC.
These External Service Providers shall process Personal Data transmitted to them according to their own privacy policies.
Possibility of data transmission
The Controller shall be entitled and obliged to transmit to the competent authorities all Personal Data available to and legally stored by the Controller the transmission of which is ordered by law or a final authority decision. The Controller shall not be held responsible for such data transmissions of the consequences arising therefrom.
If the Controller subcontracts the operation or utilisation of content services and hosting found on the webpages of the Services fully or partially to a third party, the Controller shall have the right to fully or partially transfer the Personal Data processed by the Controller to such third party—the new operator—without specifically requesting the Users’ consent, but based on an appropriate prior notification to them, with the proviso that this data transmission may not place the User into a less advantageous position than as set forth by the data processing regulations in the latest applicable version of this Privacy Policy. In the case of data transmission pursuant to this paragraph, the Controller shall offer the opportunity to the Users to object against the data transmission before it happens. If an objection is raised against the transmission, the transmission under this paragraph of the given User’s Personal Data shall not be allowed.
The Controller shall maintain records of its data transmission activities for the purpose of verification of the lawfulness of data transmission and for ensuring information to the User.
Amendment to the Privacy Policy
The Controller reserves the right to modify this Privacy Policy at any time by its one-sided decision.
By the fact of accessing the system the next time, the User shall accept all of the provisions in effect of this Privacy Policy, and, apart from that, no further consent requests shall be necessary from the individual Users.
Legal remedies
In case of any question or comment with respect to data processing, you may contact also the employees of the Controller at the-mail address info@ravatherm.com.
Users may address their complaints with respect to data processing directly to the Hungarian National Authority for Data Protection and Freedom of Information (“Nemzeti Adatvédelmi és Információszabadság Hatóság”, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone:
+36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; webpage: www.naih.hu).
In the case of a violation of the User’s rights, the User may apply to a court. The assessment of the case falls within the power of the Tribunal. The case may be filed also to the tribunal with competence by the User’s place of residence or place of abode. Upon request, the Controller shall inform the User on his or her possibilities and means of legal remedy.
Budapest, 17 May 2018