Privacy Policy

PRIVACY POLICY
WWW.EUROTRADE.HU

About the rights of the natural person concerned and the processing of personal data

The operator of the website www.eurotrade.hu, Eurotrade Ltd. (hereinafter referred to as the Data Controller) informs visitors to the website, data subjects, of its policy and data protection practices.

The Data Controller attaches the utmost importance to respecting its customers' right to informational self-determination.

The Data Controller declares that it conducts its activities by adopting the prescribed and specified internal rules, technical and organisational measures in such a way that it complies in all circumstances with Regulation (EU) 2016/679 of the European Parliament and of the Council of 29 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation), and with the provisions of the EU Regulation on the right to information, including the right to privacy and electronic communications (Directive 2011/46/EC of the European Parliament and of the Council of 29 April 2011 on the right to information). CXII of 2011 (hereinafter referred to as Infotv.).

Data controller’s data:

– Company name: Eurotrade Kft.

– Registered office: 2854 Dad, Fő út 54.

– Location: 2948 Kisigmánd, Eurotrade M1 Truck Centrum

– Tax number: 10448979-2-11

– Company registration number: 1109001429

– Telephone number: +36 556 655

– E-mail address: info@eurotrade.hu

 

Concepts:

Data subject:

– Any natural person identified or identifiable, directly or indirectly, on the basis of personal data;

Personal data:

– Data that can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and the inference that can be drawn therefrom concerning the data subject;

Consent:

– A voluntary and explicit indication of the data subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, whether in full or in part;

Data Controller:

– The natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or has the data processed by a processor

Data processing:

– Any operation or set of operations which is performed upon data, regardless of the procedure used, such as collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction, prevention of further use, taking of photographs, sound recordings or images, and recording of physical characteristics that can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, etc.);

Data transmission:

– making data available to a specified third party;

Disclosure:

– making data available to anyone;

Deletion of data:

– rendering data unrecognizable in such a way that it is no longer possible to recover it;

Data processing:

– the performance of technical tasks related to data processing operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

Data Processor:

– The natural or legal person or unincorporated body who or which carries out the processing of data on the basis of a contract, including a contract concluded pursuant to a legal provision;

 

Data protection incident:

– unlawful processing or handling of personal data, in particular unauthorised access, alteration, transmission, disclosure, erasure or destruction, and accidental destruction or damage.

The Regulation specifies that the Data Controller must take appropriate measures to provide the data subject with information on the processing of personal data and images in a concise, transparent, intelligible and easily accessible form, in clear and plain language, and must facilitate the exercise of the data subject’s rights.

The Controller shall take all measures necessary to ensure the security of the data uploaded to the website (www.eurotrade.hu).

Data processing by the Controller concerning its business activities

Purpose of the processing, scope of the data processed:

The Data Controller processes personal data for the following purposes, based on consent, in order to exercise a right and fulfil an obligation:

In the case of promotions concerning the sale of vehicles:

– Name, company name, address, telephone number, e-mail address.

In the case of actions concerning the sale of vehicle parts:

– Name, company name, address, telephone number, e-mail address

For promotions concerning tyre sales:

– name, company name, address, telephone number, e-mail address

For promotions concerning service activities:

– name, company name, address, telephone number, e-mail address

For sales of new and used vehicles:

– name, telephone number, e-mail address

For the purchase of vehicles:

– name, company name, address, telephone number, e-mail address

For vehicle delivery services:

– name, company name, address, telephone number, e-mail address

For a quotation for vehicles and machinery:

– name, company name, address, telephone number, e-mail address

Vehicle rental on request for a quote:

– name, company name, address, telephone number, e-mail address

For a quotation for parts and services:

– name, company name, address, telephone number, e-mail address

Data will be collected and processed fairly, lawfully and with consent. The Data Controller shall endeavour to process only personal data which are based on the consent of the data subject and are adequate for the purpose.

Legal basis for processing:

Voluntary and unambiguous consent of the data subject to the processing of his/her personal data (Article 6(1)(a) of Regulation 2016/679 of the European Parliament and of the Council)

Processing of data relating to a quotation (Article 6(1)(b) of Regulation 2016/679 of the European Parliament and of the Council, Act V of 2013 on the Civil Code, Section 6:64 [Binding Offers]).

In the case of data processing concerning invoicing (Article 6(1)(c) of Regulation 2016/679 of the European Parliament and of the Council)

The data subject shall have the right to withdraw his or her consent to the processing of his or her data at any time, where the processing is based on the legal performance of a legal obligation.

Source of data, duration of data processing:

The Data Controller processes personal data solely on the basis of the data subject’s consent and does not collect personal data from any other source.

The Controller does not process personal data relating to a data subject under the age of 16.

The data may only be processed to the extent and for the duration necessary for the purpose and until the withdrawal of the data subject’s consent.

In the case of data processing concerning a quotation, the general limitation period under civil law (Act V of 2013 on the Civil Code) is 5 years.

In the case of processing concerning invoicing, 8 years under Act C of 2000 on Accounting.

Data storage and data security requirements:

The personal data processed on the website of the Data Controller is stored electronically on the website operator’s (Echo Soft Kanizsa Szolgáltató Bt) storage space in accordance with its IT security policy, general terms and conditions and privacy policy.

Data transmission, scope of data transmitted:

The Data Controller processes personal data such as name, address, telephone number, e-mail address for contact purposes. The data is only transferred to third parties if the data subject gives his or her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorised by law, unless otherwise provided by law, and only on the basis of a final decision of a public authority.

The Data Controller shall in all cases document the transfers and keep records of the transfers.

No transfer of data may be made without the consent of the data subject, except in the case of an official judicial or police request, legal proceedings or other infringement or reasonable suspicion thereof, or where the interests of the Controller are prejudiced or the provision of the service is jeopardised, where the data on the website concerned are made available to a third party.

Data processor:

The Data Controller uses a Data Processor in connection with the operation of the website.

Company name: Echo Soft Kanizsa Bt.

Address: 88 882 Kizizoft Ltd., 88 882 Kizoft Ltd.

Company registration number: 2006039147

Managing director: Zentai László

Phone number: +36 30 407 97 79

E-mail address: laszlo.zentai@esk.hu

Data management on the Facebook page and YouTube channel of the Data Controller

The Data Controller does not process personal data, images, pictures and videos posted by visitors to its Facebook page and YouTube channel (except with consent) and is not responsible for the content of the data posted by visitors.

Facebook and YouTube visitors are subject to the Privacy and Terms of Service of the relevant websites.

In the event of publication of illegal or offensive content on Facebook and YouTube, the Data Controller may exclude the person concerned from membership or delete his/her posts without prior notice.

The Controller shall not be liable for any unlawful content or comments posted by users of Facebook or YouTube. The Data Controller is not responsible for any errors, malfunctions or problems resulting from changes in the operation of Facebook and YouTube.

Purpose of the processing:

Data processing for advertising and marketing purposes on the online platforms of the Data Controller’s services (Facebook, YouTube).

Scope of data processed:

Personal data, images, likenesses and moving images and actions of the data subject recorded during video recording.

Legal basis for processing:

Article 6(1)(a) of Regulation 2016/679 of the European Parliament and of the Council.

Source of data, duration of data processing:

The Data Controller processes personal data solely on the basis of the data subject’s consent and does not collect personal data from any other source.

The Controller does not process personal data relating to a data subject under the age of 16, except with the consent of the legal representative.

The data may be processed only to the extent and for the time necessary for the purposes for which they are collected and until the data subject’s consent is withdrawn.

In case of withdrawal of consent, the Data Controller will delete the images from its online platforms, but due to the nature of social media and website publishing, it cannot guarantee that no copies have been made. Following the withdrawal of consent to the processing of personal data, the data will be erased where the processing is based on the legal basis of compliance with a legal obligation.

Data storage and data security requirements:

The personal data, images, screenshots, video recordings processed on the Controller’s online interfaces are stored electronically and password-protected on the storage space of the website in accordance with the IT security policy, the general terms and conditions and the privacy policy, as well as on the Controller’s IT equipment.

Data transmission, scope of data transmitted:

The Data Controller processes personal data such as name, address, telephone number, e-mail address for contact purposes. The data is only transferred to a third party if the data subject gives his or her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorised by law, unless otherwise provided by law, and only on the basis of a final decision by a public authority.

In all cases, the Data Controller shall document the transfers and keep records of the transfers.

No transfer of data may be made without the consent of the data subject, except in the case of an official judicial or police request, legal proceedings or other infringement or reasonable suspicion thereof, or where the interests of the Data Controller are prejudiced or the provision of the service is jeopardised, in which case the data on the website concerned shall be made available to a third party.

Data Processor:

The Data Controller does not use a Data Processor.

Data processing in relation to the newsletter.

Purpose of processing:

The Data Controller sends out a newsletter to the data subject on the basis of the data subject’s consent, for the purposes of primary marketing activities, market research, information on current information, promotions, personalised offers and contact in connection with enquiries with direct marketing content

Scope of data processed:

Name and e-mail address of the data subject who subscribes to the newsletter.

Legal basis for processing:

Article 6(1)(a) of Regulation 2016/679 of the European Parliament and of the Council

Source of data, duration of data processing:

The Data Controller processes personal data solely on the basis of the data subject’s consent and does not collect it from any other source. The Controller does not process personal data relating to a data subject under the age of 16. The data may only be processed to the extent and for the duration necessary to achieve the purposes for which they are collected and until the data subject’s consent is withdrawn.

Data storage and data security requirements:

Data is stored in the Data Controller’s enterprise management system Progression.

In case of withdrawal of consent, the Data Controller will delete the data subject’s data from the list of subscribers to the newsletter.

Data transmission, scope of data transmitted:

The Data Controller processes personal data, such as name, e-mail address, for contact purposes. The data is only transferred to third parties if the data subject gives his or her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorised by law, unless otherwise provided by law, and only on the basis of a final decision by a public authority.

The Controller shall in any case document the transfers and keep records of the transfers.

No transfer of data may be made without the consent of the data subject, except in the case of an official judicial or police request, legal proceedings or other infringement or reasonable suspicion thereof, or where the interests of the Controller are prejudiced or the provision of the service is jeopardised, where the data on the website concerned are made available to a third party.

Data processor:

The Data Controller does not use a Data Processor.

Processing of application documents received by the Data Controller.

Purpose of processing:

The Data Controller publishes and advertises its job opportunities on its own, online (on the Data Controller’s Facebook page and website), in job portals, magazines for recruitment purposes

Scope of data processed:

For CVs received:

– name, address, telephone number, e-mail address, marital status, education, previous jobs, jobs held, professional experience, other skills, driving licence, other data provided by the data subject

In the case of incoming CVs:

– name, address, telephone number, e-mail address, marital status, education, previous jobs, jobs held, other skills, driving licence, other data provided by the data subject

The registration of application documents submitted to the Data Controller, in order to monitor compliance with the retention period laid down in the duration of the processing:

– date of application, name, address, date of birth, telephone number, e-mail address

To send information letters to active jobseekers who are waiting for a job on the basis of application documents submitted to the Data Controller:

– name, e-mail address

For information by telephone to active jobseekers waiting for a job vacancy on the basis of application documents submitted to the Data Controller:

– name, telephone number

In the case of the Data Controller, for the purpose of recording in a register the details of applicants who are to be considered for future vacancies or for the purpose of increasing the number of staff required, with a view to the future establishment of an employment relationship:

– name, address, telephone number, e-mail address, marital status, education, previous jobs, jobs held, other skills, driving licence, other data provided by the data subject

Information to the Data Controller of applicants who have not been successful in obtaining a job:

– name, telephone number, e-mail address

Legal basis for processing:

Voluntary and unambiguous consent of the data subject for the purpose of processing his/her personal data (Article 6(1)(a) of Regulation 2016/679 of the European Parliament and of the Council)

Source of data, duration of processing:

The Data Controller processes personal data solely on the basis of the data subject’s consent and does not collect personal data from any other source.

The period of processing is 6 months, until the application is assessed, until the data subject’s consent is withdrawn or, on the basis of the data subject’s explicit, unambiguous and voluntary consent, until the curriculum vitae is kept for 6 months.

Data storage and security requirements:

The Data Controller will store the application documents received, backed up on its server, password-protected according to the level of authorisation. Only authorised persons may view and process them.

Data transmission, scope of data transmitted:

The Data Controller does not transfer personal data or application documents to third parties.

Data processor:

The Data Controller does not use a Data Processor.

Cookie Policy.

In order to make the website easier for you to use, we place data files on your computer or mobile device called cookies.

They allow the website to store a user’s preferences for a certain period of time, so that they do not have to provide all the information each time they visit the website.

Cookies are used to improve the user experience of the website, so that the website can “remember” the visitor, the length of the session (session cookies) or the number of subsequent repeat visits (persistent cookies).

The cookies are used to help you navigate between pages efficiently, store your preferences, remember the contents of your shopping cart when you place an order. Without the use of cookies, the website would treat each visitor as a new visitor each time they enter.

Cookies can come from two sources, among others. One part is our own cookies that we place, the other part is third party cookies that track your login through several websites, for example social media cookies (such as YouTube or Facebook cookies) that collect information about your social media usage and shares.

Essential cookies ensure the proper functioning of the website, without which some features would not work.

Analytical cookies collect information about the use of the website to help improve its functionality.

You can opt out of cookies, prevent your browser from collecting them, but by blocking or deleting cookies you will not be able to access certain parts of the website or certain features will not work properly.

 

Rights of data subjects

Right to prior information:

The data subject has the right to be informed of the facts and information relating to the processing before the processing starts (Articles 13-14 of the Regulation).

Right of access of the data subject:

The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to obtain access to the personal data and related information as specified in the Regulation (Article 15 of the Regulation).

Right to rectification:

The data subject shall have the right to obtain, upon his or her request, the rectification by the controller of inaccurate personal data relating to him or her without undue delay. (Article 16 of the Regulation).

The right to erasure (“the right to be forgotten”):

The data subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Controller shall be obliged to erase personal data relating to the data subject without undue delay if one of the grounds set out in the Regulation applies:

(a) the purpose of the processing has ceased

(b) withdraws consent

(c) objects to the processing

(d) if the processing is unlawful

(e) the storage period has expired

(f) where it is ordered by a public authority

(Article 17 of the Regulation)

Right to restriction of processing:

The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller if the conditions set out in the Regulation are fulfilled (Article 18 of the Regulation).

Obligation to notify the rectification or erasure of personal data or the restriction of processing:

The Controller shall inform each recipient of any rectification, erasure or restriction of processing to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients (Article 19 of the Regulation).

The right to data portability:

Subject to the conditions set out in the Regulation, the data subject has the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data (Article 20 of the Regulation).

Right to object:

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation (Article 21 of the Regulation).

Restrictions:

Union or Member State law applicable to the controller or processor may restrict, by legislative measures, the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 (Article 23 of the Regulation).

Informing the data subject about the data breach:

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.

(Article 34 of the Regulation).

The right to lodge a complaint with a supervisory authority (right to official redress):

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.

(Article 77 of the Regulation)

The right to an effective judicial remedy against the supervisory authority:

Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her, or if the supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint (Article 78 of the Regulation).

The right to an effective judicial remedy against the controller or processor:

Every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.

(Article 79 of the Regulation).

 

Data protection incident

Privacy incident:

A breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; (Article 4.12 of the Regulation)

The most common incidents reported may include, for example: unsecure storage of personal data, unsecure transmission of data, unauthorised copying and transmission of customer and customer partner lists, attacks against servers, hacking of website and mailing systems.

Handling data breaches

The Data Controller is responsible for the prevention and handling of data breaches and compliance with the relevant legal requirements.

Data breaches can be reported to the email address and telephone number of the Data Controller, where employees, contractors and data subjects can report the underlying events and security weaknesses.

If a data protection incident is detected, the Data Controller shall immediately ensure that it is remedied.

In the event of a data protection incident being reported, the Data Controller shall immediately examine the report, in the process of which the incident must be identified and a decision must be made as to whether it is a real incident or a false alarm.

The following must be examined and determined:

(a) the time and place of the incident,

(b) the description, circumstances and effects of the incident,

(c) the scope and number of data affected by the incident,

(d) the scope of persons affected by the compromised data,

(e) a description of the measures taken to remedy the incident,

(f) a description of the measures taken to prevent, remedy and reduce the damage.

In the event of a data protection incident, the affected systems, persons and data must be delimited and isolated, and evidence supporting the occurrence of the incident must be collected and preserved.

After this, the restoration of damage and the restoration of legal operations can begin.

 

Data protection incident records

A record must be kept of data protection incidents, which includes:

(a) the scope of the personal data concerned,

(b) the scope and number of those affected by the data protection incident,

(c) the date of the data protection incident,

(d) the circumstances and effects of the data protection incident,

(e) the measures taken to remedy the data protection incident,

(f) other data specified in the law prescribing data processing.

The data relating to data protection incidents included in the record must be retained for 5 years.

Informing the data subject about the data protection incident

If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the data protection incident without undue delay.

The information provided to the data subject must clearly and intelligibly describe the nature of the data breach and provide at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.

The data subject does not have to be informed as referred to in the previous point if any of the following conditions are met:

(a) The Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data breach, in particular measures such as the use of encryption that make the data unintelligible to persons not authorised to access the personal data;

(b) The Data Controller has taken additional measures following the data breach to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialise in the future;

(c) Informing would involve a disproportionate effort. In such cases, the data subjects must be informed by means of publicly published information or a similar measure must be taken to ensure that the data subjects are informed in an equally effective manner.

If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the aforementioned conditions is met.

(Article 34 of the Regulation)

The controller shall notify the personal data breach to the supervisory authority competent pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.

Right to lodge a complaint with a supervisory authority

Without prejudice to other administrative or judicial remedies, each data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the alleged infringement, where the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority to which the complaint has been lodged shall inform the customer of the progress of the procedure relating to the complaint and its outcome, including the customer’s right to a judicial remedy pursuant to Article 78 of the Regulation.

(Article 77 of the Regulation)

A complaint can be filed with the National Data Protection and Freedom of Information Authority.

Procedure in case of a complaint

The data subject may also file a complaint directly with the National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu).

The data subject has the right to file a complaint with the court in the event of a violation of his or her rights pursuant to Section 22 (1) of the Infotv.

The adjudication of the lawsuit falls within the jurisdiction of the court. The lawsuit may also be initiated – at the choice of the data subject – before the court of the data subject’s place of residence or place of stay.

Upon request, the Data Controller shall inform the data subject in detail about the possibility and means of legal remedy.

Amendment of the Data Management Statement

The Data Controller reserves the right to amend this Statement at any time by its unilateral decision.

The data subject is entitled to exercise his/her rights related to data management as stated in this Statement and in the laws in force at all times.
