For the visitors of the website https://heriuscapital.com/
The Data Controller pays special attention to the handling, storage and use of the personal data in its system in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the “Regulation”).
In connection with the data processing, the Data Controller hereby informs the visitors of the website (hereinafter: “the User”) about the personal data managed by it, its principles and practices in the management of personal data, and the way and possibilities of exercising the User's rights.
NAME OF DATA CONTROLLER
The data is managed by Herius Capital Zrt.
Data controller data
Name: Herius Capital Zrt.
Registered seat: 1022 Budapest, Árvácska utca 6.
Registration number: 01-10-141321
Legislation under which the data management has been established
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Infotv.),
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: “the Regulation”),
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities,
- Act V of 2013 on the Civil Code (hereinafter: “the Civil Code”).
I. DATA PROCESSING CASES
1. Personal information logged by the system
Purpose of data management:
Identification number assigned by the Internet service provider to the User's device logging in to the system. It is managed by the Data Controller to ensure the IT security of the system.
Purpose of data management:
The html code sent in accordance with the browser type.
Legal basis for data processing: The User's voluntary consent pursuant to article 6 paragraph (1) point (a) of the Regulation.
Possible consequences of non-supplying of data: inaccuracy of analytical measurements, loss of user experience.
Duration of data management: The system stores the data listed herein for 6 months from the date of their emergence and then deletes them automatically.
2. Management of Cookies
Types of cookies and their name:
Scope of managed data:
Records the page visit
Purpose of data management:
For better user experience (e.g. providing optimized navigation, providing relevant advertisements). Browser cookies are stored for a longer period of time.
The duration depends on what setting the User enables in the browser.
Legal basis of data management: The User's voluntary consent pursuant to article 6 paragraph (1) point (a) of the Regulation.
Sources of data: Recorded directly from the User.
When filling in the contact form on the website, the User can enter the name, company name, telephone number and e-mail address.
When subscribing to the newsletter, the User can enter the name and e-mail address.
Possible consequences of non-supplying of data: inaccuracy of analytical measurements, lack of relevant targeted advertisements.
By accepting cookies, the User activates the tracking performed by Google (analytics and adwords) and Facebook (pixel) as well as LinkedIn. Tracking rules are governed by the privacy policies of Facebook, Microsoft, and Google.
3. Delete cookies
To find out more about what cookies your browser uses, please visit one of the following websites appropriate for your browser:
Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)
Mozilla Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amitweboldak-haszn)
Windows Internet Explorer (https://support.microsoft.com/hu-hu/help/260971/description-ofcookies)
Possible consequences of non-supplying of data: incomplete use of the Website's services, inaccuracy of analytical measurements.
II. ACCESS TO DATA AND DATA SECURITY MEASURES, DATA TRANSMISSION
1. Access to data, data transmission
Personal data may be accessed by the Data Controller and the employees of the Data Controller's Data Processor in order to perform their duties.
The Data Controller shall only transfer the personal data processed by it to other bodies or state bodies in the manner and for the purpose specified by law.
The Data Controller informs the User that the court, the prosecutor, the investigating authority, the infringement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law may contact the Data Controller to provide information, to communicate or transfer data, or to make documents available.
The Data Controller shall provide personal data to the authorities, provided that the authority has indicated the exact purpose and scope of the data, only to the extent strictly necessary for the purpose of the request.
2. Data security measures
The Data Controller shall take all necessary measures to ensure the security of the data, ensuring an adequate level of protection, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage. The Data Controller shall ensure the security of the data by appropriate technical and organizational measures.
The Data Controller selects and operates the IT tools used to manage personal data during the provision of the service in such a way that the managed data:
• is accessible to those entitled to it (availability);
• is authentic and authenticated (authenticity of data management);
• has verified integrity (data integrity);
• is protected against unauthorized access (data confidentiality).
During data management the Data Controller preserves:
• confidentiality: protects information so that only those who have the right to it can access it;
• integrity: protects the accuracy and completeness of the information and the method of processing;
• availability: ensures that when an authorized user needs it, they can actually access the information they need and have the tools to do so.
III. USER RIGHTS
1. Information and access to personal data
The User may request written information from the Data Controller through the contact details provided above, so that the Data Controller informs the User:
• what personal information,
• on what legal basis,
• for what data management purpose,
• from what source,
• for how long it processes,
as well as to whom, when and on what legal basis the Data Controller granted access to, or transferred, which of the User's personal data.
The Data Controller shall provide the information to the User in a widely used electronic format, unless the User requests it in writing on paper. The Data Controller does not provide verbal information through telephone.
The Data Controller provides a copy of the personal data (in person at the customer service) to the User free of charge for the first time. For additional copies requested by the User, the Data Controller may charge a reasonable fee based on administrative costs. If the User requests the release of a copy electronically, the Data Controller shall provide the information to the User by e-mail in a widely used electronic format.
In case the User does not agree with the data management and the correctness of the processed data after receiving the information, it may request the rectification, supplementation, deletion, restriction of the processing of personal data concerning it, as specified in point III., it may object to the processing of such personal data, or may initiate the procedure set out in IV.
2. The right to correct or supplement processed personal data
Upon written request of the User, the Data Controller shall, without undue delay, correct the inaccurate personal data specified by the User, in writing or in person at one of the Data Controller's stores, or supplement the incomplete data with the content specified by the User. The Data Controller shall inform all recipients with whom the personal data has been communicated of the correction or addition, unless this proves impossible or requires a disproportionate effort. The Data Controller shall inform the User about these recipients if the User so requests in writing.
3. Right to restriction of processing
The User may request the Data Controller, by written request, to restrict the processing of its data if:
• the User disputes the accuracy of the personal data, in which case the restriction applies to the period of time that allows the Data Controller to verify the accuracy of the personal data,
• the data management is illegal and the User objects to the deletion of the data and instead requests a restriction on their use,
• the Data Controller no longer needs the personal data for data management purposes, but the User requests them to file, enforce or defend legal claims,
• the User objects to the data management: in this case the restriction applies for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the User.
Restricted personal data of the User, with the exception of storage, may be processed during this period only with the User's consent, or for the submission, enforcement or protection of legal claims or the protection of the rights of another natural or legal person or in the important public interest of the Union or a Member State. The Data Controller shall inform the User, at whose request it has restricted the data management, of the lifting of the data management restriction in advance.
4. Right to erasure (‘right to be forgotten’)
At the request of the User, the Data Controller shall delete the personal data concerning the User without undue delay if one of the specified reasons exists:
i.) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller;
ii.) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
iii.) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing,
iv.) User objects to the processing of personal data concerning him / her for the purpose of direct business acquisition, including profiling, insofar as it is related to direct business acquisition,
v.) the personal data have been unlawfully processed by the Data Controller;
vi.) personal data were collected in connection with the provision of information society services directly to children.
The User may not exercise its right to erasure (right to be forgotten) if data management is necessary
i.) for exercising the right of freedom of expression and information;
ii.) for reasons of public interest in the area of public health;
iii.) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that processing;
iv.) for the establishment, exercise or defence of legal claims.
5. Right to data portability
If the data management is necessary for the performance of the contract or the data management is based on the voluntary consent of the User, the User has the right to request that the data provided by the User to the Data Controller be received in a machine-readable form. If technically feasible, the User can request that the data be transferred to another data controller. In all cases, the right is limited to the data provided by the User; there is no possibility for the portability of other data (e.g. statistics, etc.).
With regard to the personal data concerning it in the Data Management System (e.g. provided during newsletter subscription), the User:
• may receive them in a structured, widely used, machine-readable format,
• is entitled to transfer them to another data controller,
• may request the direct transfer of the data to the other data controller, if this is technically feasible in the Data Management System.
The Data Controller fulfils the request for data portability only on the basis of a written request sent by e-mail or post. In order to fulfil the request, it is necessary for the Data Controller to make sure that the User is indeed entitled to exercise this right. Within the framework of this right, the User may request the portability of the data which it has provided to the Data Controller. The exercise of this right does not automatically lead to the deletion of the data from the Data Controller's systems, therefore the User will be registered in the Data Controller's systems even after the exercise of this right, unless it also requests the deletion of its data.
6. Objection to the processing of personal data
The User may object to the processing of its personal data by submitting a statement to the Data Controller, if the legal basis of the data processing is
• the public interest referred to in Article 6 paragraph 1 e) of GDPR, or
• a legitimate interest referred to in Article 6 paragraph 1 f) of GDPR.
In the event of exercising the right to object, the Data Controller may not further process personal data unless it proves that the data processing is justified by compelling legitimate reasons which take precedence over the User's interests, rights and freedoms or are related to the submission, enforcement or protection of legal claims. The Data Controller shall decide whether the data processing is justified by compelling legitimate reasons, and shall inform the User of its position in this regard in an opinion.
The User can also object in writing (by e-mail or post) or, in the case of a newsletter, by clicking on the unsubscribe link in the newsletter.
7. Enforcement of the rights of a deceased User by another person
Within five years of the death of the User concerned, the rights to which the deceased was entitled in its lifetime, such as the right of access, rectification, erasure, restriction of data processing, data portability and objection, may be enforced by the person authorized in a declaration made by the deceased. If the deceased made more than one such statement to the Data Controller, the person named in the statement made at a later date may exercise these rights.
If the deceased has not made such a declaration, the rights to which the deceased was entitled in its lifetime and specified in the preceding paragraph may be asserted by a close relative of the deceased within five years of the deceased's death (in the case of several close relatives, by the one who exercises this right first).
According to section 8:1 paragraph (1) point 1. of the Civil Code, a close relative is the spouse, the relative in the ascending line, the adopted child, the step child and the foster child, the adoptive parent, the stepparent and the foster parent and the sibling. The deceased's close relative must prove:
• the fact and time of the deceased's death as determined by the death certificate or court order, and
• its own identity and, if necessary, its status as a close relative with a notarial deed.
While enforcing these rights, in particular in proceedings against the Data Controller and before the National Authority for Data Protection and Freedom of Information or a court, the person enforcing the rights of the deceased has, according to Infotv. and the Regulation, the rights and obligations that the deceased had in life.
Upon written request, the Data Controller shall inform the close relative of the action taken, unless this is expressly prohibited in the deceased's statement.
8. Deadline for fulfilling the request
The Data Controller shall inform the User about the measures taken without undue delay, but in any case, within one month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by another two months, but in this case the Data Controller shall inform the User of this within one month of receiving the request, and of the fact that the User may submit a complaint to the supervisory authority and may exercise its right of judicial review.
If the User's request is clearly unfounded or excessive (especially in view of its repetitive nature), the Data Controller may charge a reasonable fee for the fulfilment of the request or refuse to take action on the request. The burden of proof is on the Data Controller.
If the User has submitted the request electronically, the information shall be provided electronically by the Data Controller, unless otherwise requested by the User.
The Data Controller shall inform all recipients to whom it has communicated personal data of any rectification, erasure or restriction on the processing of personal data, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the User about these recipients.
9. Compensation and damages
Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Regulation is entitled to compensation from the Data Controller or the data processor for the damage suffered. The data processor shall be liable for damages caused by the data processing only if it has not complied with the obligations specified by law, which are specifically imposed on the data processors, or if it has disregarded or acted contrary to the data controller's lawful instructions. The Data Controller or the data processor shall be released from liability if it proves that it is not liable in any way for the event that caused the damage.
IV. ENFORCEMENT POSSIBILITIES
The User may exercise its rights by e-mail or written request sent by post.
The User may not be able to enforce its rights if the Data Controller proves that it is not in a position to identify the User. If the User's request is clearly unfounded or excessive (especially in view of its repetitive nature), the Data Controller may charge a reasonable fee for the fulfilment of the request or refuse to take action. It is the responsibility of the Data Controller to prove this. If the Data Controller has doubts about the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the requester.
According to Infotv., the Regulation and the Civil Code, the User
• can contact the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11.; www.naih.hu) or
• can assert its rights in court. The lawsuit - according to the User's choice - can also be initiated before the court of the place of residence (the list and contact details of the courts are available through the following link: http://birosag.hu/torvenyszekek).
V. TREATMENT OF DATA BREACH
A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data that is transmitted, stored, or otherwise handled. In order to control the measures related to the data breach, inform the supervisory authority and inform the User, the Data Controller keeps a register containing the scope of personal data affected by the breach, the scope and number of persons involved, the date, circumstances, effects and measures taken to remedy it. In the event of a data breach, the Data Controller, unless it poses a risk to the rights and freedoms of natural persons, shall inform the User and the supervisory authority of the data breach without undue delay, but not later than within 72 hours.
VI. BACKUP MANAGEMENT PROCEDURE
Within the scope of its tasks related to IT protection, the Data Controller shall in particular take measures to ensure that data files can be restored, including regular backups and the separate, secure management of backup copies.
Accordingly, in order to prevent the loss of electronically stored data, the data processor shall regularly back up the data of its database containing personal data to a separate data carrier three times a day.
The storage location for backups made from the website server is the registered office of the Data Controller.
The duration of the backup storage: 5 years.
Order of deletion of backups: individual deletions can be tracked in an anonymised registry, and automatic deletions are performed according to the configured settings.
Access to backup: Access to backups is restricted to people with specific privileges. The data can only be accessed after proper identification (at least a username and password).
VII. OTHER PROVISIONS
If the User has provided the data of a third party during the subscription to the newsletter or for other purposes in order to use the service, or if it has caused any damage during the use of the Website, the Data Controller is entitled to enforce compensation against the User.
The Data Controller does not check the personal data provided to it. The person providing it is solely responsible for the accuracy of the information provided. When providing any personal data, the User is also responsible for ensuring that the data provided are true, that they are its own personal data, and that it alone uses the service with them.