- Data Controller's data
The data controller is ExNB Certification Institute Limited Liability Company
E-mail address: email@example.com
Phone number: +36 30 966 0223
- Scope of data processed
When ordering a specialist book
The User may order a textbook published by the Data Controller via the Website. When ordering, the following data must be provided (data marked with * are mandatory):
billing address (country, city, street, house number, postal code)*;
shipping address (to be provided if different from billing address)*;
invoice postal address*;
other information to be provided*.
When contacting us
The User has the possibility to contact the Data Controller through the interface provided on the Website; to do so, the following personal data must be provided (data marked with * are mandatory):
When subscribing to the newsletter
On the Website, the User has the possibility to subscribe to the newsletter of the Data Controller through a dedicated interface. To subscribe to the newsletter, the following personal data must be provided (data marked with * are mandatory):
Only persons aged 18 or over are entitled to submit data on the Website.
Purpose and duration of data processing
The Data Controller uses the data for the following purposes in connection with the provision of services available from the Website:
During the use of the Website: the purpose of the processing is to ensure the use of the Website and the ordering of specialist books through the Website, such as the fulfillment of the request for quotation, the registration and performance of the contract for the purchase, the delivery of the purchased products, the contact with the Users in connection with the purchase;
In case of subscription to the newsletter on the Website: the sending of advertising messages about products, services, actions, promotions related to the Data Controller to the e-mail address provided by the User (hereinafter collectively referred to as "Newsletter").
In case of contact: the purpose of the processing is the electronic exchange of messages with the Data Controller, the maintenance of contact.
The Data Controller processes personal data for the duration of the purpose of the processing, i.e. in the case of ordering books on the Website, contacting the User and sending the Newsletter, until the User requests the deletion of his/her data or withdraws his/her consent to the processing of his/her personal data or to contacting the User and receiving the Newsletter.
The personal data shall be deleted immediately upon the termination of the purpose of the processing or upon the User's request, except for the data that the Data Controller is obliged to keep for the period of time specified in the legislation imposing the mandatory processing.
In case of ordering a textbook through the Website, the Data Controller shall process the necessary data for the enforcement of claims and rights arising from the contract between the User and the Data Controller for a period of 5 (five) years after the purchase, in accordance with Section 6:22 of Act V of 2013 on the Civil Code. In addition, in order to comply with its retention obligation, the Data Controller shall retain the name and address of the User on the accounting voucher for 8 years, solely for the purpose of fulfilling the accounting obligation, pursuant to Section 169 of Act C on Accounting (hereinafter referred to as the Accounting Act).
Legal basis for processing personal data
Regarding the personal data processed during the ordering and purchasing process on the Website, the legal basis for the processing of personal data is the statutory provision imposing mandatory data processing, i.e. Section 169 of the Accounting Act, irrespective of the consent of the data subject (or its withdrawal).
The User may only enter his/her own personal data on the Website. If the data subject does not provide his/her own personal data, the data provider is obliged to obtain the consent of the data subject.
The Data Controller undertakes to ensure the security of the data, to take technical and organisational measures and to establish procedural rules to ensure that the data collected, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require all third parties to whom it transfers or discloses data on the basis of the consent of the Users to comply with the requirement of data security.
The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The processed data may only be accessed by the Data Controller, its employees and the Data Processor it has engaged, and shall not be disclosed by the Data Controller to third parties who are not entitled to access the data.
The Data Controller shall make every effort to ensure that the data are not accidentally damaged or destroyed. The Data Controller shall impose the above undertaking on its employees involved in the processing activity.
The User acknowledges and accepts that, in the event of providing his/her personal data on the Website, despite the fact that the Data Controller has state-of-the-art security measures in place to prevent unauthorised access to or interception of the data, the data cannot be fully protected on the Internet. In the event of unauthorised access or disclosure of data despite our efforts, the Data Controller shall not be liable for any such acquisition or unauthorised access or for any damage suffered by the User as a result thereof. In addition, the User may also provide personal data to third parties who may use it for unlawful purposes or in unlawful ways.
Under no circumstances will the Data Controller collect sensitive data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data and biometric data for the purpose of uniquely identifying natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.
The Data Controller shall ensure the security of the data in the most up-to-date manner possible. The Data Controller undertakes to immediately suspend the service and publish a statement in the event of a data protection incident despite the measures set out above, until the incident is resolved, and to keep a record of the data protection incident and the measures taken. If the incident has resulted in a risk to the rights and freedoms of Users, it will act in accordance with point 7 of the Notice.
Who has access to personal data, processing of data
The Data Controller and its Data Processors are entitled to access personal data in accordance with the applicable legislation.
The data shall not be processed by any data processor on behalf of the Data Controller.
The Data Controller reserves the right to involve additional processors in the future, which it will inform Users of by amending this Notice.
Unless expressly provided for by law, the Data Controller shall only disclose personally identifiable information to third parties with the express consent of the User concerned.
Rights of the User
Access to personal data
The Data Controller shall, upon the User's request, inform the User whether the Data Controller is processing his/her personal data and, if so, give the User access to the personal data and inform the User of the following information:
the purpose(s) of the processing;
the types of personal data concerned by the processing;
the legal basis and the recipient(s) of the transfer of the User's personal data, if the User's personal data are transferred;
the envisaged duration of the processing;
the User's rights in relation to the rectification, erasure and restriction of processing of personal data and to object to the processing of personal data;
the possibility to apply to the Authority;
the source of the data;
relevant information on profiling;
the names and addresses of the processors and their activities in relation to the processing.
The Data Controller shall provide the User with a copy of the personal data subject to processing free of charge. For additional copies requested by the User, the Controller may charge a reasonable fee based on administrative costs. If the User has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.
The controller shall provide the information in an intelligible form at the request of the User without undue delay and at the latest within one month of the request. The User may submit a request for access by e-mail to firstname.lastname@example.org and by post to the following postal address.
Correction of processed data
The User may request the correction of inaccurate personal data or the completion of incomplete data, taking into account the purpose of data processing, at the e-mail address email@example.com or at the postal address Kozák tér 13-16, 1154 Budapest. The Controller shall carry out the rectification without undue delay.
Erasure of processed data (right to be forgotten)
The User may request that the Controller erase personal data relating to him/her without undue delay and the Controller shall be obliged to erase personal data relating to the data subject without undue delay if one of the following grounds applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the User withdraws his or her consent and there is no other legal basis for the processing;
(c) the User objects to the processing of his or her personal data;
(d) the processing of the personal data is unlawful;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data were collected on the basis of consent in connection with the provision of information society services to children.
Where the Controller has disclosed (made available to a third party) the personal data and is obliged to delete it on the basis of the above, it shall take reasonable steps and measures, taking into account the available technology and the cost of implementation, to inform the controllers of the personal data concerned that the User has requested them to delete the links to or copies of the personal data in question.
Personal data need not be deleted where processing is necessary:
for the exercise of the right to freedom of expression and information;
for compliance with an obligation under Union or Member State law to which the controller is subject to fulfil an obligation to process personal data or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
on grounds of public interest in the sphere of public health;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
for the establishment, exercise or defence of legal claims.
Furthermore, the User may at any time decide that the Controller shall no longer send him/her marketing communications. The Subscriber may withdraw his/her consent to receive marketing communications at any time, free of charge and without any justification or limitation, by sending an e-mail to firstname.lastname@example.org or by post to 1154 Budapest, Kozák tér 13-16. (indicating his/her exact personal data). Upon receipt of the unsubscription request, the Data Controller shall immediately delete the unsubscribed User's data from its direct marketing database and shall no longer send the User marketing communications, and shall be entitled to continue to process the User's data in order to provide the Services used by the User.
Restriction of processing
The User shall have the right to obtain from the Data Controller, upon his/her request, the restriction of processing instead of the rectification or erasure of personal data, if one of the following conditions is met:
the User contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
the processing is unlawful and the User opposes the erasure of the data and requests instead the restriction of their use;
the Controller no longer needs the personal data for the purposes of the processing but the User requires them for the establishment, exercise or defence of legal claims; or
the User has objected to the processing, in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.
If the processing is restricted, such personal data, except for storage, may be processed only with the consent of the User or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
The Data Controller shall inform the User at whose request the processing has been restricted in advance of the lifting of the restriction on processing.
Obligation to notify the rectification or erasure of personal data or the restriction of processing
The Controller shall inform any recipient to whom or with whom personal data have been disclosed of the rectification, erasure or restriction of processing of personal data, unless this proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the User of these recipients.
Right to object
The User may object to the processing of his or her personal data if the processing is:
necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.
In the event of the User's objection, the Controller may no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the User shall have the right to object at any time to the processing of personal data concerning him/her for such purposes. If the User objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.
The Controller shall inform the User of the measures taken in response to the request for access, rectification, erasure, restriction, objection and portability without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the User of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. If the User has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.
If the Data Controller does not take action on the User's request, the Data Controller shall inform the User without delay, but no later than one month after receipt of the request, of the reasons for the failure to take action and of the User's right to lodge a complaint with a supervisory authority and to seek judicial remedy.
At the User's request, the information and the action taken on the basis of the request shall be provided free of charge. If the User's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller may, taking into account the administrative costs of providing the requested information or of taking the requested action, charge a reasonable fee or refuse to act on the request. The burden of proving that the request is manifestly unfounded or excessive shall lie with the Controller.
Handling and reporting of data breaches
A data protection incident is any occurrence that results in unlawful processing of personal data processed, transmitted, stored or handled by the Controller, in particular unauthorised or accidental access, alteration, disclosure, deletion, loss or destruction, accidental destruction or accidental damage to personal data.
The Data Controller shall notify the National Authority for Data Protection and Freedom of Information of the personal data breach without undue delay and no later than 72 hours after becoming aware of the personal data breach, unless the Data Controller can demonstrate that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification cannot be made within 72 hours, it shall state the reason for the delay and may provide the required information in detail without further undue delay. The notification to the National Authority for Data Protection and Freedom of Information shall contain at least the following information:
the nature of the personal data breach, the number and category of data subjects and personal data;
the name and contact details of the data controller;
the likely consequences of the personal data breach;
the measures taken or envisaged to manage, prevent or remedy the personal data breach.
The Data Controller shall inform the data subjects of the personal data breach within 72 hours of the discovery of the personal data breach through the Data Controller's website. The notification shall contain at least the information specified in this point.
The Data Controller shall keep records of the personal data breach for the purposes of monitoring the measures taken in relation to the personal data breach and informing the data subjects. The register shall contain the following data:
the scope of the personal data concerned;
the scope and number of data subjects;
the date of the personal data breach;
the circumstances of the personal data breach, its effects;
the data protection incident, the circumstances of the data breach.
The Data Controller shall keep the data contained in the register for 5 years from the date of detection of the personal data breach.
The Data Controller will make every effort to ensure that the processing of personal data is carried out in accordance with the law; however, if the Data Subject feels that this has not been complied with, he or she may write to the e-mail address email@example.com or to the postal address at 1154 Budapest, Kozák tér 13-16.
If the Data Subject feels that his or her right to the protection of personal data has been infringed, he or she may, in accordance with the applicable legislation, seek redress from the competent bodies:
at the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.);
at a court.
The National Media and Infocommunications Authority is responsible for advertising sent by electronic means (Newsletter); the detailed regulations are set out in Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the "Infotv.") and Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
This Information Notice is governed by Hungarian law, in particular by the provisions of the Infotv. and by Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).