A T.EL.L. Rendszerszolgáltatások Kft.
DATA PROTECTION AND PRIVACY NOTICE
for
the operation of the easytrack.hu website and for the easyTRACK és TELL
Tacho UltraLINK services
1. Introductory provisions, Purpose and scope of the Notice
Purpose of the Notice: We hereby inform our Customers, partners and visitors to the websites
operated by us about our practices regarding the processing of personal data, the organisational and
technical measures taken to protect such data, as well as their rights in that regard and the means of
enforcing them.
The Controller attaches utmost importance to the processing of personal data of its natural person
partners and customers, and accordingly treats personal data confidentially and takes all necessary
technical and organisational measures to secure the data. In this context, the Controller undertakes to
ensure that the data processing recorded in this Notice complies with the relevant Hungarian and
European Union legislation, in particular with the provisions of the GDPR, which have been mandatory
since 25 May 2018.
In compliance with Article 13 (1) and (2) of the GDPR, the Controller hereby informs the data subjects of
the following information regarding the processing operations performed by the Controller or by a
processor acting on their behalf:
-
the contact details of the controller
-
the legal ground of the data processing,
-
the data subjects concerned
-
the data processed, the source of data collection
-
on the purpose of the processing,
-
on the duration of the processing,
-
the consequences of not providing data
-
the identity of the processor, the purposes of the processing
-
in the case of data transfer, the recipient of the transfer
-
the recipient and legal ground of international data transfers
-
the automated decision-making, profiling
-
the rights of the data subject, the legal remedies available to them
Other information listed in Article 13(1) and (2) of the GDPR (data subjects' rights, right to lodge a
complaint with a supervisory authority, right to apply to the courts, etc.) is summarised in Chapter 10 of
the Notice.
The Controller informs data subjects that they do not pursue any form of automated decisionmaking or profiling in relation to the personal processed by them.
In any case, the data processed by the Controller originate from the Data Subject or the User, and the
Controller does not use bulk data extraction from third parties.
Effective term of this Notice: From 01 February 2023 until revoked or until the Notice is amended.
Personal scope of the Notice: the personal scope of the Notice applies to the Controller and to all
natural persons affected by the processing of data by the Controller defined in this Notice.
The provisions of this Notice shall not apply to data relating to non-natural persons.
Material scope of the Notice: This Privacy Notice applies to the processing by the Controller of
personal data provided to the Controller in the course of commercial and transactional processes of Customers and parties having a contract with the Controller as well as of visitors to the Websites,
whether electronic or paper-based.
Amendments to this Notice: This Data Protection and Privacy Notice may be amended by the
Controller at any time. The Controller shall promptly publish the currently effective version of the Notice
on the website referred to in this Notice. The Controller shall accept the provisions of this Notice as
binding on it and shall act in compliance with them when processing personal data.
With respect to any personal data displayed in the easyTRACK and TELL TACHO UltraLINK
Service, the Controller is considered as a processor, the Customer as a controller and the data
processing relationship between the parties is governed by the Data Processing Agreement
attached to the Contract as an annex
2. Data Controller, Data Protection Officer:
Name: T.E.L.L. Rendszerszolgáltatások Kft.
Registered office: 4034 Debrecen, Vágóhíd u. 2.
Phone number: 1/8000-111
Fax: 52/530-131
Company registration
number: 09-09-022041
Court of registration: Court of Registration attached to the Regional Court of
Debrecen
Tax number: 23582196-2-09
Website address: https://easytrack.hu
E-mail address szolgaltatas@tell.hu
Statistical number: 23582196-6190-113-09
Authorised
representative: Péter Zoltán Gáll, Managing Director
hereinafter: Controller
Data Protection Officer: Melinda Mezei
email: mezei.melinda@tell.hu,
phone number: +06 30 925 5274
mailing address: 4034 Debrecen, Vágóhíd utca 2.
3. Legislation forming the basis of processing
When processing personal data, the Controller, as controller, proceeds, in order to protect personal
data, in accordance with the provisions of
- Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information
(Infotv.),
- Act VI of 1998 on the proclamation of the Convention for the Protection of Individuals with regard
to Automatic Processing of Personal Data, signed in Strasbourg on 28 January 1981,
Act CVIII of 2001 on Electronic Trading Services and Certain Issues Concerning Services in an
Information Society (Ekertv.),
- Regulation 2016/679 of the European Parliament and of the Council (GDPR, hereinafter:
Regulation) on the protection of natural persons with regard to the processing of personal data and
on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation),
- and other applicable Hungarian legislation on data processing.
When drafting this Data Protection and Privacy Notice and developing its data processing practices,
the Controller has, in addition to the above-mentioned legislation, also taken into account the
recommendations and notices of the Hungarian National Authority for Data Protection and Freedom of
Information (hereinafter ‘NAIH Authority’), in particular the Recommendation of 29 September 2015 on
the data protection requirements of prior information.
4. Definitions
personal data: any information relating to an identified or identifiable natural person (‘data subject’);
an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier
or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person;
data subject: Any natural person identified or identifiable, directly or indirectly, on the basis of specific
personal data.
rights of the data subject Based on GDPR: right to information, right of access to personal data,
right of rectification, right to erasure, right to restriction of processing, right to data portability, right to
object including profiling, right to apply to courts, Authorities, the time limits thereof, procedures,
compensation, restitution.
controller: the natural or legal person, public authority, agency or other body which, alone or jointly
with others, determines the purposes and means of the processing of personal data; where the
purposes and means of such processing are determined by Union or Member State law, the controller
or the specific criteria for its nomination may be provided for by Union or Member State law;
processing: any operation or set of operations which is performed upon personal data or on sets of
personal data, whether or not by automated means, such as collection, recording, organisation,
structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure,
transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction;
data transfer: making data available to a specified third party;
processor: means a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller.
processing: the set of processing operations carried out by a processor acting on behalf of or under
the authority of the controller
erasure of data: the destruction or elimination of data sufficient to make them irretrievable;
destruction of data: the complete physical destruction of the medium containing data;
restriction of processing: the marking of stored personal data with the aim of limiting their
processing in the future;
pseudonymisation: the processing of personal data in such a manner that the personal data can no
longer be attributed to a specific data subject without the use of additional information, provided that
such additional information is kept separately and is subject to technical and organisational measures
to ensure that the personal data are not attributed to an identified or identifiable natural person;
recipient: a natural or legal person, public authority, agency or another body, to which the personal
data are disclosed, whether a third party or not. Public authorities which may receive personal data in
the framework of a particular inquiry in accordance with Union or Member State law shall not be
regarded as recipients; the processing of those data by those public authorities shall be in compliance
with the applicable data protection rules according to the purposes of the processing;
third party: a natural or legal person, public authority, agency or body other than the data subject,
controller, processor and persons who, under the direct authority of the controller or processor, are
authorised to process personal data;
consent of the data subject: a freely given, specific, informed and unambiguous indication of the
data subject's wishes by which they signifies, by a statement or by an act unambiguously expressing
their consent, that they signifies their agreement to the processing of personal data relating to them;
data set: all data processed in a single register;
record system: any structured set of personal data which are accessible according to specific criteria,
whether centralised, decentralised or dispersed on a functional or geographical basis;
personal data breach: means a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed; This may include, e.g., an external intrusion, such as a hacker attack, which
results in a breach of the data security system established by the Controller, as a result of which
unauthorised persons may gain access to the data.
website/homepage/web page: the website operated by the Controller at https://easytrack.hu.
social networking site: a Facebook page managed and maintained by the Controller
User: A person who uses any of the EasyTRACK and TELL Tacho UltraLINK services after
registration.
Visitor: Natural persons browsing the website, using the services of the website and ordering services
from the Controller.
5. Principles and duration of processing
5.1 Principles of processing
The Controller processes data in accordance with the following principles:
Principles of lawfulness, fairness and transparency: personal data must be processed legally and
fairly and in a transparent way for the data subject.
Principle of purpose limitation: personal data shall be collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with
the initial purposes.
Principle of data minimisation: personal data must be adequate, relevant and limited to what is
necessary in relation to the purposes for which they are processed.
Principle of accuracy: personal data must be accurate and, where necessary, kept up to date; every
reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the
purposes for which they are processed, are erased or rectified without delay.
Principle of storage limitation: personal data must be kept in a form which permits identification of
data subjects for no longer than is necessary for the purposes for which the personal data are
processed; personal data may be stored for longer periods insofar as the personal data will be
processed solely for archiving purposes in the public interest, scientific or historical research purposes
or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate
technical and organisational measures required by this Regulation in order to safeguard the rights and
freedoms of the data subject.
Principle of integrity and confidentiality: personal data must be processed in a manner that
ensures appropriate security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage, using appropriate technical or
organisational measures.
Principle of accountability: the controller is responsible for compliance with the principles listed
above and must be able to prove such compliance.
Principle of necessity and proportionality: essentially the same as the principle of data
minimisation.
5.2 Legal ground of the processing based on GDPR
The Controller processes data in the course of the processing activities described in this Notice based
on the following legal grounds:
❖ the data subject has given consent to the processing of his or her personal data for one or
more specific purposes; [Processing pursuant to Article 6(1) a) of the Regulation]
Where the legal ground for the processing is based on voluntary written consent (either
electronically or by post on paper), the data subject may withdraw their voluntary consent
at any time by sending a written statement to any of the contact details of the Controller
provided in Section 2.
Withdrawal of consent is free of charge and not subject to any conditions but the
withdrawal of consent shall not affect the lawfulness of processing before its withdrawal.
❖ processing is necessary for the performance of a contract to which the data subject is party or
in order to take steps at the request of the data subject prior to entering into a contract;
❖ processing is necessary for compliance with a legal obligation to which the Controller is
subject;
❖ processing is necessary for the purposes of the legitimate interests pursued by the controller
or by a third party, except where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject which require protection of personal data, in particular
where the data subject is a child.
The Controller indicates the legal ground for the processing of personal data in Chapter 7 of this
Notice for each processing activity separately, regardless of whether the processing is based on the
data subject's voluntary consent, necessary for the performance of a contract, or required by law.
5.3 Duration of the processing(s)For the personal data, the duration of the processing is the same as the existence of the purpose of
the processing.
The personal data are erased immediately and permanently once the purpose of the processing
ceases to exist.
Similarly to the legal ground for processing, the duration of the processing is also indicated in the
Notice for each processing activity separately, regardless of whether the processing is based on the
data subject's voluntary consent, the performance of a contract, or mandatory processing required by
law.
6. Visitor processing on websites managed by the
Controller
This Policy applies to the following websites managed by the Controller:
https://easytrack.hu
For the purposes of this Policy, Visitors are: Natural persons browsing the website, using the services
of the website and ordering services from the Controller.
6.1 General information on the role of a Cookie
A cookie is a small piece of data (a variable alphanumeric packet of information) that is sent to the
Visitor's device by the server of the website being browsed. The cookie is stored in the browser
program of the Visitor's computer, phone or tablet and can later be read by the sending server. The
cookie cannot be read by any other website, only the one that installed it. Cookies give information
about Visitors' habits when using the website. Cookies can be used for a variety of purposes, such as
to measure the number of visitors to the site or to facilitate browsing by remembering pages previously
visited within the site. None of the cookies contain any personal data that would directly allow anyone
to contact the Visitor by e-mail, telephone or post. By themselves, cookies are not able to identify the
Visitor, they are only able to recognise the Visitor's device. If the Visitor does not wish to accept the
use of cookies on the website, they can also configure the web browser used to inform them of the
installation of cookies or to prevent the installation of cookies.
Functioning of cookies
When visiting the website of the Controller, the Controller installs cookies on the device (computer,
phone or tablet) used to visit the website. At the start of browsing the websites, the Controller informs
the Visitors about the use of cookies in a pop-up window when the main page loads.
The Visitor's consent is not required for the installation of cookies necessary to ensure the functionality
and user friendliness of the websites operated by the Controller. Anonymous visit analysis does not
involve the processing of personal data and therefore does not require consent.
The Visitor's consent is required for cookies used for additional purposes, such as statistical and
marketing data collection, to function. The Visitor provides their consent in a pop-up window.
The Visitor may at any time choose to disable and delete cookies in their Internet browser settings.
Please note, however, that without the use of cookies, you are not able to access many of the features
that make browsing easier, and some of our services may not function properly.
Managing cookie settings in browsers
Visitors can change their cookie settings via their browser. They can disable the use of cookies by
activating a setting in their browser that allows them to refuse all or some cookies. These settings are
usually available in the ‘settings’ or ‘preferences’ menu of their browser. For more information, visit the
following links:
• Chrome: https://support.google.com/chrome/answer/95647?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-informacio-amelyet-weboldalak-tarolnakszami?redirectlocale=en-US&redirectslug=Cookies
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/deletemanage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/deletemanage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-managecookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-managecookies#ie=ie-8
Safari: visit https://support.apple.com/hu-hu and type ‘cookies’ in the search bar.
• Opera: http://help.opera.com/Windows/10.50/hu/cookies.html
• Microsoft Edge: https://support.microsoft.com/hu-hu/windows/a-microsoft-edge-ab%C3%B6ng%C3%A9sz%C3%A9si-adatok-%C3%A9s-az-adatv%C3%A9delem-bb8174ba-9d73-
dcf2-9b4a-c582b4e640dd
However, please also note that certain site features or services may not function properly without
cookies.
The cookies used on the website are not in themselves capable of identifying the user.
Types of cookies
Cookies can be either temporary or session cookies, which are valid for the duration of the session, or
persistent or saved cookies, and can be first-party (internal) or third-party (external) cookies.
Cookies valid during the browsing session
Browsing session cookies enable the Visitor to be recognisable during a visit to the website and thus
allow the browser to remember any page changes or selections made during the browsing session
from page to page within the website. These cookies make it quick and easy for you to navigate
through many pages on a website and go back without having to identify yourself on each page you
visit or repeat processes (such as completing a form). Such cookies are automatically deleted from
your device when you finish browsing the site or close your browser.
Persistent cookies
Persistent cookies are cookies that remain ‘persistent’ on the Visitor's device for a certain period of
time (their validity period is defined in days, weeks, months or years) after the browsing process has
expired, and therefore allow the recall of the user's preferences or actions during a subsequent visit to
the site (e.g. they can be used to store the data entered in a form on a given page). Saved cookies are
stored on the Visitor's device until the expiry date, but may be deleted by the Visitor before the
predefined deadlines expire.
Cookies from the website operator
Cookies from the server of the browsed website. In the present case, these are cookies from the
server hosting the website operated by the Controller, which ensure functionality and user friendliness,
the general characteristics and operation of which are described above. These cookies record the IP
address of the Visitor's device, the pages visited during the use of the website, and possibly (based on
the Visitor's decision) the data entered.
Cookies are used by the Controller to ensure that users registered on its websites are granted the
appropriate permissions; once the User has accessed the website, the necessary permissions are
granted. No other information is stored by these cookies in this context, including when they were
accessed, who accessed them, the Controller simply verifies the access rights by using them.
These cookies are session cookies, i.e. they are valid during the browsing session. This means that
when someone starts browsing the site, the cookie is activated and then persists for up to 15 minutes
after the user's last activity, or expires when the user exits.
An exception to this is the cookie that is stored on the Visitor's browsing device for 365 days, based on
the Visitor's decision.
Third-party cookies
Third-party cookies do not originate from the Controller or the server hosting the website. These
cookies are also saved on your computer, phone or tablet when you visit the site, as described below.
6.2 Processing performed by the cookies used by the Controller on the easytrack.hu
website
The Controller informs its Visitors that the following cookies are used by the Controller to measure
the traffic on the www.easytrack.hu website and its sub-sites and to monitor the behaviour of its
visitors, to compile statistics and to improve the effectiveness of its advertising:
- Google Analytics
- Google AdWords conversion tracking:
- Hotjar and
- Facebook Remarketing.
Google cookies
Google AdWords displays the easytrack.hu page on the Google advertising platform. When a Visitor
clicks on a Google ad and enters our website, Google Adwords places a cookie ("conversion cookie")
on the device used by the Visitor. This cookie expires after 30 days. The cookie is not used by the
data controller for personal identification. As long as the cookie is in effect, when the Visitor visits
certain pages, the Controller and Google will see that someone has clicked on the advertisement that redirected the user to our own site. Each AdWords customer receives a different cookie. Cookies may
therefore not be tracked through the websites of AdWords customers. The information collected by the
conversion cookie is used to generate conversion statistics for AdWords customers who opt for
conversion tracking. AdWords customers can see how many users clicked on their own
advertisements and were redirected to a specific page using the conversion ID.
No information suitable for personal identification is passed to the Visitor or the Controller. If the Visitor
does not wish to participate in the tracking process, they can refuse to allow the system to place the
necessary cookies - for example, they can set their browser not to allow cookies to be placed
automatically. Visitors can also prevent the placement of conversion cookies by setting their browser
to block cookies from the "googleadservices.com" domain.
Google Analytics© files are used to help monitor the site and to obtain information about how the site
is used (such as the number of visitors to the site, the pages viewed, the country region of the visitors -
where the user is browsing from, where the User "comes from" - from which other site -, the browser
used, the operating system, the Internet service provider and the resolution of the monitor used, the
time the page was browsed, when the page was left). We use this information to compile statistics and
to further improve the site.
During the visit analysis, the Controller does not collect the data in a way that would allow the
identification of the Visitor's browsing device, so we cannot identify the Visitor based on their browsing
habits. No personal data are managed during the visit analysis.
The anonymous data collected in this way is also accessible by Google Ireland Ltd (Gordon House,
Barrow Street, Dublin 4, Ireland), which is the owner and operator of the Google Analytics tools.
If the Visitor has consented to the collection of browsing data for marketing purposes, Google Ireland
Ltd will also use this data for its own purposes to deliver targeted advertising to the browsing user. In
that activity Google Ireland Ltd. combines the data collected by the cookies with the IP address of the
browsing device to determine the interests that can be identified based on the browsing patterns on
that particular device, and then delivers targeted advertising to that device.
Cookies used for marketing purposes only work with the Visitor's consent, by also identifying the
Visitor's device when the data is collected.
Further information:
• https://www.google.com/analytics
• https://support.google.com/analytics/answer/2838718?hl=hu
Google Analytics© cookies are permanent cookies and are stored for a maximum of two years, but in
practice this is between two hours and six months, depending on the type of cookie.
For more information about cookies, including the viewing, managing and deleting cookies placed,
please visit http://www.allaboutcookies.org. You can opt-out of tracking by Google Analytics on all
pages at https://tools.google.com/dlpage/gaoptout.
Facebook cookies and pixel
On the website the Controller uses the "Facebook pixel" of the Facebook social network operated by
Facebook Inc. (1 Hacker Way, Menlo Park, CA 94025, USA) or, if you live in the EU, by Facebook
Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (the "Facebook"). The
Facebook pixel allows Facebook to manage the visitors to the website as a target group to display ads
(called Facebook ads). Accordingly, the Controller uses the Facebook pixel to ensure that the
Facebook ads embedded by them only appear to Facebook users who have shown an interest in the
Controller's offers. In other words, the Facebook pixel is designed to ensure that Facebook ads match
the potential interest of users and do not cause a distraction. The Facebook pixel also allows the
Controller to analyse the effectiveness of ads on Facebook for statistical and market research
purposes, such as e.g., whether users have reached our website by clicking on a Facebook ad.
Facebook embeds the Facebook pixel directly when our website is opened and then it may place a socalled cookie, i.e. a small file on the visitor's device. If you later log in to Facebook or visit Facebook
pages while logged in, then it will register your visit to the site in your profile. The data obtained about
visitors are anonymous to us, which means that we cannot use it to determine your identity. At the
same time, the data are stored and processed by Facebook, so they can be linked to the user profile.
Facebook processes the data in accordance with its own privacy policy. So, for more information
about the operation of the remarketing pixel and the display of Facebook ads in general, please see Facebook's privacy policy at https://www.facebook.com/policy.php. You can opt out of the recording of
data by Facebook pixel and the use of your data for the purpose of displaying Facebook ads. To do
that, open the Facebook page and follow the instructions on the settings of your personal ads:
https://www.facebook.com/settings?tab=ads, the US page is http://www.aboutads.info/choices/ and
the EU page is http://www.youronlinechoices.com/. The settings are platform-independent, i.e., they
apply to both desktop computers and mobile devices.
When displaying targeted advertisements, we can use Google's and Facebook's tools to display our
own advertisements on the Visitor's device, but Google and Facebook also use the data necessary for
that for their own purposes, i.e. to display third-party advertisements. The display of such
advertisements is based on the interests of the Visitor concluded from their browsing habits.
In that activity, Google Ireland Ltd. (Gordon House, Barrow Street, Dublin 4, Ireland) and Meta
Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) determine the
interests that can be identified by combining browsing habits data with your browser's ID based on
your browsing habits from that browser, and then deliver targeted advertisements to that device. So
the data are not directly linked to the person of the Visitor, but to their device used for browsing,
primarily the browser.
Google and Meta (Facebook) do not have access to any data other than the data described in this
clause.
To find out more on the above, visit the Facebook page: https://developers.facebook.com/products.
Such cookies only work on the site with the Visitor's consent.
The Controller also uses Hotjar's analytics service: Hotjar Ltd. („Hotjar“) (http://www.hotjar.com, 3
Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe). With Hotjar's analysis, the
Controller can understand and evaluate the habits of the Visitors on the website (e.g. how much time
they spend on certain subpages, which links they click on, etc.). During the operation of this feature,
the information collected about the visit to this website is transmitted to Hotjar's servers in Ireland,
where it is stored by Hotjar.
The following information may be recorded by the visitor's device and browser:
- IP address of the user's device (collected and stored in an anonymous format)
- Screen size of the user's device
- The type of device and browser used by the user
- User location (country only)
With Hotjar, visits to and use of the website are analysed and reported on separately. Hotjar also uses
the services of third parties such as Google Analytics and Optimizely in this function. These third
parties mentioned in relation to the data transfer may store information that the user's browser sends
when viewing the website (e.g. cookies, IP bid requests, etc.). The cookies used by Hotjar are not
deleted for different periods of time, some cookies are automatically deleted after the current visit, but
there are also cookies that are kept for up to 365 days.
If you wish to opt-out of Hotjar's logging of data, please visit https://www.hotjar.com/opt-out.
Hotjar's privacy policy can be found here (https://www.hotjar.com/legal/policies/privacy).
Data subjects affected by the data processing: all Visitors, Users visiting the websites operated by
the Controller, regardless of the use of the services available on the website.
Legal ground of the processing:
In the case of processing of data which is technically necessary for the provision of the service
(session ID), the legal ground for the processing of the data is the legitimate interest of the Controller
pursuant to Article 6(1)(f) of the GDPR, given that the processing of data does not entail any risk for
the Visitor, while at the same time the usability of the website, as the availability of our services by
electronic means can only be ensured in this way.
On this legal ground, the Controller only processes data (e.g. IP address, browser type and screen
resolution used, language displayed, current country) which are necessary for the operation of the
website, for its user-friendliness, for providing essential functions and for the security of the computer
system.
The Controller will not transfer the data to third parties or process them for any other purpose.
The Controller performs general visit analysis by collecting anonymous data, so no personal data are
processed in this context.
Purpose of the processing: ensuring the proper functioning of the website
Cookies requiring consent:
Legal ground for the data processing Consent of the Visitor pursuant to Article 6(1)(a) of the GDPR.
You can consent to the collection of data for statistical and marketing purposes by setting the slider in
the Special cookie settings window that pops up when you start browsing the website and by clicking
on the "Save" button.
Purpose of the processing:
Google Adwords: The information collected by the conversion cookie is used to generate conversion
statistics for AdWords customers who opt for conversion tracking.
Google Analytics: Processing of data on browsing habits ("Visit Analytics" category in the pop-up
window): Visit analysis is performed by collecting anonymous data, so no personal data are processed
in this context.
Facebook pixels: for online marketing activities
Hotjar: Understanding and evaluating visitors' habits.
Processed data:
The Controller performs general visit analysis by collecting anonymous data, so no personal data are
processed in this context.
The data related to the following purposes are processed on easytrack websites in a manner that can
be linked to the Visitor, but the Controller only has access to them for technical purposes during the
login, otherwise they may be stored on the Visitor's device:
• the User's e-mail address or username and password, and their possible storage for easier
access (at the Visitor's choice, stored on the Visitor's device)
• the User's e-mail address (as username) or username and password (in encrypted form, the
password cannot be known by the Controller), the IP address of the browsing device used by the
User for the verification of the User’s access rights.
Duration of processing:
The data necessary to ensure the user-friendliness of the website (IP address, order of the pages
visited on the website during browsing) are recorded for the duration of the browsing session (i.e. the
duration of the browsing of the website) and are deleted once it finishes. Such data are processed by
the Controller's IT system using its own tools and are not accessible for third parties.
The visit analysis is performed by the Controller by collecting anonymous data, so no personal data
are processed in this context.
The data on which the website usage patterns are mapped are stored for a maximum of two years.
The cookies that enable that are stored on your browsing device. You can erase these cookies or
prevent them from working at any time by turning off the "Marketing" categories in your browser
settings and in the window at the bottom of the website by clicking on "Cookie settings".
Method of data storage: On separate processing lists in the Controller's IT system. The data
necessary to ensure the user-friendliness of the website (IP address, order of pages visited on the
website during browsing) are not stored. Cookies that provide data are stored locally on the Visitor's
device.
For more information about the information technology processing using Google Analytics, Facebook's
tools, please visit Google Analytics https://www.google.com/intl/hu_ALL/analytics/support and
Facebook https://developers.facebook.com/products.
Use of processors
The Controller uses the following companies as processors for the display of targeted advertising and
visitor analysis:
Google Ireland Ltd.
Company registration number: 11603307
Tax number: IE 6388047V
Registered office: Gordon House, Barrow Street, Dublin 4, Ireland
Postal address: Gordon House, Barrow Street, Dublin 4, Ireland
Phone: +353 1 436 1000
Website: https://www.google.ie/
Meta Platforms Ireland Ltd.
Company registration number: 462932
Tax number: IE 9692928F
Registered office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Business site: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Postal address: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Phone: +001 650 543 4800
Message: https://facebook.com/help/contact/540977946302970
Website: https://www.facebook.com/privacy/explanation
Hotjar Ltd. („Hotjar“)
Company registration number: C65490
Tax number: 996834623
Registered office: 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe
Phone: +1 (855) 464-6788
Website: http://www.hotjar.com
Data subject to processing: the browsing data described above in this notice and preferences, and the
conclusions that can be drawn from them about the interests of the Visitor.
Purpose of the use of processors: to provide the Visitor with the information technology solutions used
to display targeted advertising.
Duration of processing: the Processors have access to the data processed for the different purposes
for the periods described above.
Nature of processing: collection of information technology data using online IT solutions.
There is no processing for other purposes.
The Controller does not use any processors other than the Processors identified above.
7 Data processed for the purposes of contracting and performance
Processing for the purposes of contracting and performance in more detail:
7.1 Contact
Processing
A contact is established when the Customer contacts the Controller, e.g., by email, contact form or phone, with a query about the easyTRACK or TELL Tacho UltraLINK Service. Prior contact is not
mandatory; the Customer may enter into a contract for the use of the Service at any time without it.
Purpose of the processing
To facilitate contact with the Controller.
Scope of processed data
Data provided during the contact (name, phone number, employer's company name, position, email address, subject of the communication, content of the communication, vehicle data).
Data subjects
Natural persons establishing contact with the controller.
Legal ground of data processing
The voluntary consent of the data subject, which they grant to the controller by contacting the controller. [Processing pursuant to Article 6(1)(a) of the Regulation]. The User the right to withdraw their consent at any time. Withdrawal of consent is free of charge and not subject to any conditions but the withdrawal of consent shall not affect the lawfulness of processing before its withdrawal.
Duration of the processing
The Controller shall process the data until the purpose is achieved; if the contact does not lead to a contract, the processing shall continue until the message is answered or the Data Subject's request is fulfilled.
If the exchange of information takes place by exchanging several messages on related subjects, the Controller shall erase the data 1 month after the end of the exchange of information or after the request
has been fulfilled. If the exchange of messages leads to the conclusion of a contract and the content of the messages is relevant to the contract, the legal ground and duration of the processing is as described in Clauses 7.2 and 7.3 (processing related to the use of the service).
Recipients: employees of the Controller performing customer service tasks, the hosting service provider of the Controller as a processor, employees of the hosting service provider.
Consequence of the failure to provide the required data: the Data Subject cannot contact the Controller.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor.
Processor
Hosting service provider pursuant to Clause 8.1, service providers pursuant to Clause 8.10. Powr (https://www.powr.io/) and Wix (https://www.wix.com/)
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.2 Processing of data of contracting partners
Description of the processing
Processing of data of partners who have entered into a contract with the Controller for the performance of the contract.
Purpose of the processing
Conclusion, performance, termination of the contract
Scope of processed data
The Controller processes the name, name at birth, date of birth, mother's name, address, tax identification number, phone number, e-mail address, ID card number, bank account number, signature of the natural person who has entered into a contract with the Data Controller to the extent necessary for the performance of the contract. For the EasyTRACK and TELL Tacho UltraLink service, the Controller
processes the tachograph operator's registration card ID and the size and composition of the fleet.
Data subjects
Natural persons having a contractual relationship with the Controller.
Legal ground of data processing
Article 6(1)(b) of the Regulation, according to which processing is necessary for the performance of a contract to which the data subject is a party. Such processing is also lawful if it is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract.
Duration of the processing
5 years after the termination of the contract. The Controller shall keep the data processed in connection with the performance of the contract, including messages with substantial content relating to the contract, for 5 years after the termination of the contract, which is the general limitation period applicable to civil law claims. Information on the processing of data for the fulfilment of related
accounting obligations is provided in Clause 7.4.
Recipients: Recipients of the personal data: the employees of the Company performing customer service tasks, the employees performing accounting and taxation duties and processors.
Consequence of the failure to provide the required data: the Data Subject cannot enter into a contract with the Controller.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor.
Processor
Hosting provider of the Controller (8.1.), CRM system (8.3.)
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.3 Processing of data of natural person representatives of legal person customers,
buyers, suppliers
Description of the processing
Processing of data of partners acting on behalf or organisations as contact persons who have entered into a contract with the Controller for the performance of the contract.
Purpose of the processing
Performance of a contract with a partner of the controller legal person, business relations.
Scope of processed data
the natural person’s name, address, phone number, e-mail address, place of work, position, signature.
Data subjects
The natural person representative, contact person of Customers who have a contractual relationship with the Controller.
Legal ground of data processing
The personal data are processed by the Controller on the basis of Article 6 (1) (f) of the GDPR, on the basis of the legitimate interest of the Controller in establishing and maintaining a business relationship.
In addition, the legitimate interest of the organisation contracting with the Controller is the use of the ordered service, which it can do through its natural person representative.
Duration of the processing
five years from the start of the business relationship and the representative status of the data subject.
Recipients: employees of the Controller performing customer service tasks, the hosting service provider of the Controller as a processor, employees of the hosting service provider.
Consequence of the failure to provide the required data:
the Data Subject cannot enter into a contract with the Controller
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor. Processor Hosting service provider (clause 8.1), CRM system 8.3.
Data transfer - none
Automated decision making, profiling
the Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.4 Processing for the fulfilment of an accounting obligation
Description of the processing
The processing is performed for the purpose of issuing invoices in accordance with the law and for the fulfilment of the obligation to keep accounting records. Pursuant to Section 169 (1) to (2) of the Accounting Act, companies are required to keep accounting documents that directly and indirectly support the accounts in the books.
Purpose of the processing
To fulfil accounting obligations, record keeping and document retention obligations related to the contract with the Processor.
Scope of processed data
name, address, tax number, taxpayer status, e-mail address, additional data recorded on the accounting document.
Data subjects
Natural persons having a contractual relationship with the Controller.
Legal ground of data processing
Fulfilment of a legal obligation [Processing pursuant to Article 6(1)(c) of the Regulation, performance of a legal obligation] Pursuant to Article 159 (1) of Act CXXVII of 2007 on Value Added Tax, the issue of an invoice is mandatory and invoices must be kept pursuant to Section 169 (2) of Act C of 2000 on Accounting.
Duration of the processing
Invoices issued must be kept for 8 years from the date of issue in accordance with Section 169 (2) of the Accounting Act.
Recipients: Employees of the Controller performing invoicing tasks.
Consequence of the failure to provide the required data:
the Data Subject cannot enter into a contract with the Controller.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor. Processor Freshdesk Ticketing System (8.8) Processor of the Controller performing accounting and auditing tasks.
Data transfer - none
Automated decision making, profiling
the Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.5 Data processed in relation to the justifiability of consent
Description of the processing
When you visit the website and when you make a declaration in relation to the use of cookies or when you subscribe to the newsletter, accept the GTC, conclude a contract, the IT system stores the IT data relating to the consent for the purpose of subsequent verifiability.
Purpose of the processing
Proof of the data subject's consent
Scope of processed data
Date of consent and declaration and IP address of the data subject.
Data subjects
Visitors to websites operated by the Controller
Legal ground of data processing
Article 6 (1) c) of the Regulation. This obligation is provided for in Article 7(1) of the Regulation.
Duration of the processing
Due to legal requirements, consent must be verifiable at a later stage, therefore the duration of the data storage will be for a period of limitation after the end of the processing.
Recipients: Recipients of personal data and recipient categories employees of the Controller performing technical support tasks, the hosting service provider of the Controller as a processor, employees of the hosting service provider.
Consequence of the failure to provide the required data: no consequence
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor.
Processor
the hosting service provider of the Controller (Clause 8.1)
Data transfer - none
Automated decision making, profiling
the Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.6 Processing on the Controller's Facebook page
The Controller maintains a Facebook page to promote its products and services: EASYTRACK GPS
Monitoring System.
The Controller does not process personal data posted by visitors to the Controller's Facebook page.
Visitors are governed by the Facebook Privacy and Terms of Service.
In the event of publication of illegal or offensive content, the Controller may exclude the data subject
from membership or delete their comments without prior notice.
The Controller is not responsible for any illegal content or comments posted by Facebook users.
7.7 Data processing for connecting to Facebook messenger
Description of the processing
Contact is established when the data subject contacts the Controller in a messenger message in relation to the easyTRACK or TELL Tacho UltraLINK Service. Prior contact is not mandatory; the Customer may
enter into a contract for the use of the Service at any time without it.
Purpose of the processing
To enable the User to exchange messages with the Controller.
Scope of processed data
the name of the User and the content of the message sent by them.
Data subjects
Users who send messages on the website using the Facebook
messenger application.
Legal ground of data processing
The consent of the User pursuant to Article 6(1)(a) of the GDPR. The User gives their consent by sending a message via the Facebook messenger application. The User the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing before its withdrawal.
Duration of the processing
The Controller processes the data until the purpose is achieved. Accordingly, in the case of Users sending a message, the duration of the processing shall be until the message is replied to or the User's request
is fulfilled. If the exchange of information takes place by exchanging several messages on related subjects, the Controller shall erase the data 1 month after the end of the exchange of information or after the request has been fulfilled.
If the exchange of messages leads to the conclusion of a contract and the content of the messages is relevant to the contract, the legal ground and duration of the processing is as described in Clauses 7.2 and 7.3 (processing related to the use of the service).
Recipients: Recipients of personal data and recipient categories: employees of the Controller performing customer service tasks, the hosting service provider of the Controller as a processor, employees of the hosting service provider.
Consequence of the failure to provide the required data:
the Data Subject cannot contact the Controller
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor.
Processor
The Controller uses Meta Platforms Ireland Ltd. as processor in connection with the use of the Facebook messenger application. For information on processing performed by the service provider Meta Platforms Ireland Ltd. on its own behalf when Facebook messenger is used, please refer to the relevant privacy notice of the service provider Meta Platforms Ireland Ltd. at https://www.facebook.com/privacy/explanation.
Data transfer - none
Automated decision making, profiling
the Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.8 Processing in the course of technical support tasks
Description of the processing
Solving technical problems encountered in the use of the Service
Purpose of the processing
Performance of the contract with the Controller's partner, technical support tasks, troubleshooting.
Scope of processed data
When investigating a report, technical support may, depending on the type of problem, examine: system logs, data added by the Customer to their account, account settings and any other data displayed.
Data subjects
Users reporting a technical problem to the Controller.
Legal ground of data processing
Article 6 (1) f) of the Regulation
Data are processed by the Controller on the basis of their legitimate interest in the performance of the contract.
Duration of the processing
the duration of technical support tasks, troubleshooting, after which the data will be erased without delay.
Recipients: Employees of the Controller performing technical support tasks.
Consequence of the failure to provide the required data:
The Controller is unable to fulfil its contractual obligations.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Processor shall not transfer data to third parties other than the data processor.
Processor the Controller's hosting service provider (Clause 8.1.), Arenim Tel (8.9.), Customer Service Calling System (8.4.)
Data transfer - none
Automated decision making, profiling
the Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.9 Processing of data provided when logging into easyTRACK.hu
Description of the processing
The Service can be used by the User after logging on to https://easytrack.hu orhttps://easytrack.hu/tacho-ultralink
Purpose of the processing
Purpose of the processing performance of the contract; within that, to enable the User to use the Service. The data are necessary for the identification of the User in the database and for the provision of the service, and for the maintenance of relations between the parties. The password is used for secure access to the User's account.
Scope of processed data
Data processed when accessing easytrack.hu and easytrack.hu/tachoultralink.hu: username, password.
The username is necessary to identify the User in the database. The password is used for secure access to easyTRACK and TELL Tacho UltraLINK.
Data subjects
Users of the easyTRACK and TELL Tacho UltraLINK services available on the website.
Legal ground of data processing
the Controller processes personal data on the basis of Article 6(1)(f) GDPR, on the basis of the legitimate interest of the Controller in the lawful use of their Services. In addition, the legitimate interest of an organisation contracting with the Controller is the use of the ordered service by an authorised person.
Duration of the processing
five years from the start of the business relationship and the representative status of the data subject.
Recipients:
employees of the Controller performing customer service tasks, the hosting service provider of the Controller as a processor, employees of the hosting service provider.
Consequence of the failure to provide the required data:
the Data Subject cannot use the service.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Processor shall not transfer data to third parties other than the data processor.
Processor
Hosting service provider (Clause 8.1)
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or
classify into categories data subjects according to any system, criteria,
etc.
Method of storage
In the Controller's IT system, in a separate file.
7.10 Processing for direct marketing purposes
Processing
Unless otherwise provided by specific other legislation, with the
exception provided for in Act XLVIII of 2008, advertisements may be
conveyed to natural persons by way of direct contact (direct marketing),
such as through electronic mail or equivalent individual communications,
only upon the express prior consent of the person to whom the
advertisement is addressed.
Purpose of the processing
To pursue direct marketing activities related to the activities of the
Controller, i.e. to send advertising publications, newsletters, current
offers in printed (postal) or electronic form (e-mail), on a regular or
periodic basis, to the contact details provided at the time of registration.
Scope of processed data
name, address, telephone number, e-mail address, online identifier of
the natural person.
Data subjects
Natural persons who consent to the processing of their data for direct
marketing purposes by the controller
Legal ground of data processing
The voluntary consent of the data subject given to the Controller by
means of an explicit declaration. [Processing pursuant to Article 6(1)(a)
of the Regulation]
The User the right to withdraw their consent at any time. Withdrawal of
consent is free of charge and not subject to any conditions but the
withdrawal of consent shall not affect the lawfulness of processing
before its withdrawal.
Duration of the processing
Duration of the processing: until consent is withdrawn
Recipients: Employees of the Controller performing customer service tasks,
marketing activities, employees of the IT service provider of the
Controller performing server services as processors, postal delivery.
Consequence of the failure to provide the required data:
the Data Subject is not informed of news and promotions related to the
activities of the Controller
Data transfer to a third country or to an international organisation
• While processing the data referred to in this Clause, the Controller shall
not transfer data to third parties other than the data processor.
Processor
The hosting service provider according to clause 8.1., T.E.L.L. Műszaki
Fejlesztő Kft. (8.2.)
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or
classify into categories data subjects according to any system, criteria,
etc.
7.11 Processing related to the newsletter service
Processing
The Controller operates a newsletter system to keep interested parties informed.
Purpose of the processing
1. To send newsletters about the products and services of the Controller
2. To send promotional material
3. Providing technical information (updates, new features, bug fixes)
Scope of processed data
name (last name, first name)), e-mail address of the natural person. Data subjects Natural persons subscribing to the newsletter
Legal ground of data processing
The voluntary consent of the data subject, which they grant to the controller by contacting the controller. [Processing pursuant to Article 6(1)(a) of the Regulation] The User the right to withdraw their consent at any time. Withdrawal of consent is free of charge and not subject to any conditions but the withdrawal of consent shall not affect the lawfulness of processing before its withdrawal. A natural person who registers for the newsletter service on the website may give his or her consent to the processing of his or her personal data by ticking the box "Consent to processing" and clicking on the button “Subscribe". The data subject may unsubscribe from the newsletter by using the “Unsubscribe” application or in a written declaration made via e-mail. Unsubscription also means the withdrawal of the user’s consent.
In such a case, all data of the unsubscribing user must be erased immediately.
The data subject may unsubscribe from the newsletter at any time by clicking on the "Unsubscribe" button in the footer of the newsletter, which will automatically erase their data stored in the system, or, upon their request by e-mail (info@tell.hu), the Controller will erase their without delay, but within 15 days at the latest.
Duration of the processing
Duration of the processing: until consent is withdrawn As long as the newsletter service exists or until the data subject's consent is withdrawn (until the request for erasure is sent to info@tell.hu).
Recipients
Employees of the Controller performing customer service tasks and marketing activities, employees of the IT service provider of the Data Controller as data processors for the purpose of providing the hosting
service.
Consequence of the failure to provide the required data:
the Data Subject cannot contact the Controller
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor. Processor the hosting service provider pursuant to Clause 8.1
The Controller's newsletters are sent through the international newsletter system "Mailchimp" from abroad, so in addition to registration, the explicit consent of the Data Subject is required for the transfer of their personal data to a foreign controller. The Mailchimp system is operated by The Rocket Science Group, LLC (675 Ponce de Leon Avenue, Suite 5000, Atlanta, GA 30308 USA). The foreign operator ensures processing in compliance with European Union regulations under the provisions of the EU-U.S. Privacy Shield Framework data exchange agreement. For Mailchimp's most recent Privacy Policy, please visit https://mailchimp.com/legal/privacy/.
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.12 Customer service telephone recording
Processing The Controller records telephone communications with its customer
service for the purpose of providing information and fulfilling sales and
services as well as providing information in that regard.
Purpose of the
processing
quality assurance, preservation of the content of the conversation for
future evidential purposes
Scope of
processed data
phone number, time of the call, audio recording of the recorded
conversation, personal data provided during the conversation.
Data subjects Natural persons establishing contact with the controller
Legal ground of
data processing
The voluntary consent of the data subject, which they grant to the
controller by contacting the controller. [Processing pursuant to Article
6(1)(a) of the Regulation]
The User the right to withdraw their consent at any time. Withdrawal of
consent is free of charge and not subject to any conditions but the
withdrawal of consent shall not affect the lawfulness of processing
before its withdrawal.
The voice recording must be stated and consent must be requested at
the beginning of the call.
Duration of the
processing
Phone conversations will be kept for 1 year. The recorded audio
materials can be retrieved on the basis of the phone number and the
date of the conversation.
Recipients: Employees of the Controller performing customer service related tasks.
Consequence of
the failure to
provide the
required data:
the Data Subject cannot contact the Controller
Data transfer to a
third country or to
an international
organisation
While processing the data referred to in this Clause, the Controller shall
not transfer data to third parties other than the data processor.
Processor Hosting service provider according to Clause 8.1, Arenim Tel (8.9.)
Data transfer none
Automated decision
making, profiling
The Controller does not pursue such processing and does not score or
classify into categories data subjects according to any system, criteria,
etc.
7.13 Processing related to the use of the trial version
Processing
The Company provides the possibility to test the service on the website in order to get to know the service.
Purpose of the processing
To allow to test the service
Scope of processed data
name (surname, first name), e-mail address of the natural person. Data subjects Natural persons intending to try a trial version
Legal ground of data processing
The voluntary consent of the data subject. [Processing pursuant to Article 6(1)(a) of the Regulation]
A natural person who registers for a trial version of the service may give their consent to the processing of their personal data by ticking the box "Consent to processing" and clicking on the button "Request trial
version". The User the right to withdraw their consent at any time. Withdrawal of consent is free of charge and not subject to any conditions but the withdrawal of consent shall not affect the lawfulness of processing before its withdrawal.
Duration of the processing
As long as the test service exists or until the data subject's consent is withdrawn (until the request for erasure is sent to easytrackinfo@tell.hu).
Recipients: employees of the Controller performing customer service and technical support tasks
Consequence of the failure to provide the required data:
the Data Subject is unable to use the service on a test basis.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor. Processor the hosting service provider pursuant to Clause 8.1
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
7.14 Processing of data in the course of using the Driver App mobile application
Processing
In order to use the service, the user is required to provide certain personal data to the Company. These data will be processed by the Company in a confidential manner, in full compliance with the applicable
legislation and solely for the purpose of providing the service and operating the application.
The downloading and use of the application and the supply of personal data is always voluntary. The Data Subject accepts responsibility for having downloaded the application voluntarily and having been duly informed. Only the person providing the data is responsible for the accuracy of the provided personal data. With regard to this assumption of responsibility, the Company shall not be liable for any inaccuracy in the content of the data provided.
Purpose of the processing
The use of the Driver App Mobile Application services by the User.
Scope of processed data
- for the purpose of driver identification User name, password,
- photos uploaded by the Data Subject to the Document Store,
- content of conversations between drivers and dispatchers,
- the data of the User's log-in computer and mobile devices generated during the use of the service and recorded by the Company's system as an automatic result of technical processes.
Data subjects
Natural persons intending to try a trial version
Legal ground of data processing
Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Eker.tv.).
Duration of the processing
The Service Provider processes the data for the duration of the driver's registration.
Recipients: employees of the Controller performing customer service and technical support tasks
Consequence of the failure to provide the required data:
the Data Subject cannot use the service on a test basis.
Data transfer to a third country or to an international organisation
While processing the data referred to in this Clause, the Controller shall not transfer data to third parties other than the data processor. Processor the hosting service provider pursuant to Clause 8.1
Data transfer - none
Automated decision making, profiling
The Controller does not pursue such processing and does not score or classify into categories data subjects according to any system, criteria, etc.
Data storage location
on servers owned by the Service Provider and located in the serverhotel at Servergarden Kft., 1023 Bp, Lajos utca 28-32 and the storage space of the application.
8 Processors used by the Controller:
The Controller provides the following information regarding the data processors used by them:
The use of a processor does not require the prior consent of the data subject, but the data subject
must be informed.
Data may not be transferred to the Processors defined in this Notice without the Data Subject’s
specific consent. The Controller does not transfer the Personal Data managed by them to any third
party other than the Processors defined in this Notice.
The Processor does not adopt individual decisions, they may proceed only pursuant to the contract
concluded with the Controller and the received instructions. The Processor shall record, process and
handle personal data, processed, handled and transferred to it by the Controller, in accordance with
the provisions of the GDPR and shall make a declaration to the Controller to that effect. The Controller
shall monitor the work of the Processor.
The Processor shall be entitled to use any other processor only with the consent of the Controller.
The Data Controller informs the data subjects that it uses the following processors to perform its
activities:
8.1. Hosting service provider:
The Data Controller informs the data subject that the hosting service provider of the website indicated
in this Privacy Notice, from which the service provider rents the server machine, is a processor.
Data of the hosting service provider:
Name: Servergarden Kft.
Company registration number: 01-09-186097
Tax number: 24855608-2-41
Registered office: 1139 Budapest, Váci út 99-105 Balance Building 3rd floor.
Data centre: 1101 Bp, Expo tér 5-7
Phone: +36 (1) 432-3133
E-mail address:info@servergarden.hu
Website: https://servergarden.hu/
Hosting service provider’s privacy statement:
https://api.servergarden.hu/uploads/files/Dokumentumok/Servergarden_Adatkezelesi_Tajekoztato_20
220204.pdf
The data are stored by the processor exclusively on a server in Hungary and will not be transferred to
a foreign data controller or data processor.
The data affected by the processing: the processing potentially concerns all the data indicated in this
notice, the specific data are determined by the functions and services used by the User, as described
in the above chapters on specific processing.
Purpose of the use of the processor: to ensure the operation of the website in an information
technology sense, by using the necessary electronic storage facilities.
Duration of processing: the same as the processing periods indicated in this notice for the processing
for the purposes of each of the categories of data.
Nature of the processing: processing takes place by electronic means, the data are processed only for
the provision of the necessary storage space required for the operation of the website in the
information technology sense.
8.2. Processing activities related to marketing:
T.E.L.L. Műszaki Fejlesztő Korlátolt Felelősségű Társaság
Registered office: 4034 Debrecen, Vágóhíd utca 2.;
Company registration number: 09-09-027969
Court of registration: Regional Court of Debrecen
Tax number: 25590395-2-09
Phone number: +36-52/530-130
E-mail address: info@tell.hu
8.3. Processing activities related to the operation of the CRM system:
MiniCRM Zrt.
Company registration number: 01-10-047449
EU tax number: HU 23982273,
email address. help@minicrm.hu,
Phone number:+36 (1) 999 0401
The Processor contributes to the registration of orders on the basis of a contract with the Controller. In
doing so, the Processor processes the name, address, telephone number, number and date of orders
of the data subject within the limitation period under the civil law.
8.4. Processing activities related to the customer service call system:
Quality Unit, s.r.o.,
Website: https://www.liveagent.com/
Phone number:+421 2 33456826,
E-mail: info@liveagent.com,
Registered office: Vajnorská 100/A, 831 04 Bratislava, SLOVAKIA
8.5. Processing activities related to customer service correspondence:
Live chat on the website
Chatra, Roger Wilco LLC,
Registered office: 501 Silverside Rd, Suite 105, Wilmington, DE 19809, USA,
Phone number: 1-703-232-1443
8.6. Processing activities relating to sending newsletters:
The Mailchimp system is operated by The Rocket Science Group, LLC
Registered office: 675 Ponce de Leon Avenue, Suite 5000, Atlanta, GA 30308 USA
The Processor contributes to the sending of newsletters under a contract with the Controller. In
doing so, the Processor processes the name and e-mail address of the data subject to the extent
necessary to send the newsletter.
8.7. Processing related to server operation:
T.E.L.L. SOFTWARE HUNGARIA Korlátolt Felelősségű Társaság
registered office: 4034 Debrecen, Vágóhíd utca 2.;
company registration number: 09-09-005193
court of registration: Regional Court of Debrecen
tax number: 12203949-2-09
phone number: +36-52/530-130,
e-mail address: info@tell.hu
8.8. Processing for billing and technical support:
Freshdesk Ticketing system –
Freshworks Inc.
Registered office: Germany, 10179 Berlin, Neue Grünstraße 17
8.9. Processing of data by recording calls to customer service:
ArenimTel – Arenim Technologies Kft.
Registered office: Millennium Tower 1 Office Building, 1095 Budapest, Lechner Ödön fasor 6. 7th
floor - Switchboard with recorded calls and customer contacts
8.10. Processing during the operation of the website:
The Controller informs the data subject that for the operation of the website indicated in this Privacy
Policy, it uses the services of the following service providers:
POWR Inc.
Registered office: 44 Tehama Street, San Francisco, California 94105.
Website: https://powr.io
Service Provider’s privacy statement:
https://www.powr.io/privacy
Wix Online Platforms Limited, 1 Grant’s Row, Dublin 2 D02HX96, Ireland.
Registered office: 1 Grant’s Row, Dublin 2 D02HX96, Ireland.
Website: https://wix.com
Service Provider’s privacy statement:
https://www.wix.com/about/privacy
The data affected by the processing: the processing potentially concerns all the data indicated in
this notice, the specific data are determined by the functions and services used by the User, as
described in the above chapters on specific processing.
Purpose of the use of the processor: to ensure the operation of the website in an information
technology sense.
Duration of processing: the same as the processing periods indicated in this notice for the
processing for the purposes of each of the categories of data.
Nature of the processing: processing takes place by electronic means, the data are processed only
for the provision of the necessary functions required for the operation of the website in the
information technology sense.
The transfer of personal data to the auditors authorised by the Service Provide, legal representatives,
persons involved in troubleshooting, contractors engaged by the Service Provider to perform tasks
related to the provision of the Service, or to public authorities or courts involved in the resolution of
disputes between the Parties does not constitute a breach of the rules on data processing.
9 T.E.L.L. Rendszerszolgáltatások Kft. as a processor
The above-mentioned Controller acts as a processor with regard to the personal data recorded in the
system of the Service during the use of the Service.
In that context, it ensures the security of the data and that they do not go beyond the operations
necessary for the performance of their service by processing such data.
In other respects, the lawfulness of the processing of data handled as a processor is the responsibility
of the Users acting in their capacity as controllers.
The legal relationship is governed by the data processing agreement attached to the contract as an
annex.
10 Information on the rights of the data subject
Right to prior information
The data subject has the right to obtain information regarding the facts and information about the
processing, prior to its start.
Right of access by the data subject
1. The Data Subject has the right to receive notification from the Controller regarding whether or not
their personal data are being handled, and if they are, the Data Subject has the right to access their
personal data and the following information:
a) the purposes of the processing activity;
b) the categories of the obtained personal data;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed,
in particular recipients in third countries or international organisations;
d) the intended retention period of the collected personal data or, if it is not possible, the aspects of
determining such a retention period;
e) the right of the data subject to request the Controller to rectify, erase or restrict the handling of the
personal data concerning them and to object to the handling of such personal data;
f) the right to lodge a complaint with a supervisory authority;
g) if the personal data of the data subject are obtained from other sources than the data subject
themselves, any available information regarding the data source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4)
of the Regulation and, at least in those cases, meaningful information about the logic involved, as well
as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data
subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the
Regulation relating to the transfer.
3. The Controller shall provide the Data Subject with a copy of the personal data subject to processing.
For any further copies requested by the Data Subject, the Controller may charge a reasonable fee
based on administrative costs. If the data subject submits the request via an electronic channel the
requested information shall be sent to them in a widely used electronic format unless the data subject
requests a different format. The right to obtain a copy shall not adversely affect the rights and
freedoms of others.
(Article 15 of the Regulation)
Right to rectification of personal data
Based on the right to rectification You have the right to obtain from the Controller, upon your request
and without undue delay, the rectification of inaccurate personal data relating to You and the right to
obtain the supplementation of your incomplete personal data.
Right to erasure (‘right to be forgotten’)
1. The Data Subject has the right to request of the Controller the immediate erasure of his or her
personal data and, upon receiving such a request, the Controller shall immediately perform the
requested erasure if any of the following criteria is fulfilled:
a) the personal data requested to be erased are no longer needed for the purpose they were obtained
for and processed in any way;
b) the data subject withdraws consent on which the processing is based according to point (a) of
Article 6(1), or point (a) of Article 9(2) of the Regulation, and where there is no other legal ground for
the processing;
c) the Data Subject objects to the processing of their personal data pursuant to Article 21 (1) of the
Regulation and there is no prevalent legitimate reason for the processing, or the Data Subject objects
to the processing of their personal data pursuant to Article 21 Section (2);
d) the processing of the personal data was unlawful;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member
State law to which the Controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred
to in Article 8(1) of the Regulation.
2. If the Controller has made the personal data publicly available, and in the context of the above
Clause 1 to erase it, they shall take the reasonable measures (including technical measures), taking
into consideration the available technology and implementation costs, to ensure the Controllers
processing the data are notified of the fact that the data subject has requested the erasure of the links
to the personal data in question, together with any copy or duplicate of such personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for the exercise of the right to freedom of expression and information;
b) for compliance with a legal obligation which requires processing of personal data by Union or
Member State law to which the controller is subject or for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of
Article 9(2) as well as Article 9(3) of the Regulation;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes in accordance with Article 89(1) of the Regulation in so far as the right referred to in clause 1
is likely to render impossible or seriously impair the achievement of the objectives of that processing;
or
e) for the establishment, exercise or defence of legal claims.
(Article 17 of the Regulation)
Right to the restriction of processing
1. The Data Subject has the right to obtain, at their request, the restriction of processing by the
Controller if one of the following conditions is met:
a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply
for the period of time necessary to allow the Controller to verify the accuracy of the personal data,
b) the processing is unlawful and the data subject opposes the erasure of the data and requests
instead the restriction of their use;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are
required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the
verification whether the legitimate grounds of the Controller override those of the data subject.
2. Where processing is subject to a restriction pursuant to clause (1), such personal data may be
processed, except for storage, only with the consent of the data subject or for the submission,
enforcement or defence of legal claims or for the protection of the rights of another natural or legal
person or for important public interests of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to clause 1 shall be informed by
the Controller before the restriction of processing is lifted.
(Article 18 of the Regulation)
Right to data portability
1. The data subject has the right to receive the personal data concerning them, which they have
provided to a Controller, in a structured, commonly used and machine-readable format and have the
right to transmit those data to another Controller without hindrance from the Controller to which the
personal data have been provided, where:
a) the data handling is based on consent pursuant to Article 6 (1) a) or Article 9 (2) a) or a contract
pursuant to Article 6 (1) b) of the Regulation; and
b) the processing is performed by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have
the right to have the personal data transmitted directly from one Controller to another, where
technically feasible.
3. The exercise of this right may not violate Article 17 of the Regulation. That right shall not apply to
processing necessary for the performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller.
4. The right referred to in clause 1 shall not adversely affect the rights and freedoms of others.
(Article 20 of the Regulation)
Right to objection
1. The data subject has the right to object at any time, on grounds relating to their particular situation,
to the processing of their personal data based on Article 6(1)(e) (processing necessary for the
performance of a task in the public interest or in the exercise of official authority vested in the
Controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the
controller or by a third party) of the Regulation, including profiling based on those provisions. The
Controller shall no longer process the personal data unless the Controller demonstrates compelling
legitimate grounds for the processing which override the interests, rights and freedoms of the data
subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the
right to object at any time to processing of personal data concerning them for such marketing, which
includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall
no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in
paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be
presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive
2002/58/EC, the data subject may exercise his or her right to object by automated means using
technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical
purposes pursuant to Article 89(1) of the Regulation, the data subject, on grounds relating to his or her
particular situation, shall have the right to object to processing of personal data concerning him or her,
unless the processing is necessary for the performance of a task carried out for reasons of public
interest.
(Article 21 of the Regulation)
Automated individual decision-making, including profiling
1. The data subject has the right to excuse themselves from the force of resolutions which are based
exclusively on automated data processing (including profiling) and would have legal effect on them or
would affect them in any other way to a similar extent.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a
Controller;
b) is authorised by Union or Member State law to which the Controller is subject and which also lays
down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests;
or
c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the Controller shall implement suitable
measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the
right to obtain human intervention on the part of the Controller, to express his or her point of view and
to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data
referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable
measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
(Article 22 of the Regulation)
Communication of a personal data breach to the data subject
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural
persons, the Controller shall communicate to the data subject without undue delay. on the personal
data breach
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in
clear and plain language the nature of the personal data breach and contain at least the information
and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the
following conditions are met:
a) the Controller has implemented appropriate technical and organisational protection measures, and
those measures were applied to the personal data affected by the personal data breach, in particular
those that render the personal data unintelligible to any person who is not authorised to access it,
such as encryption;
b) the Controller has taken subsequent measures which ensure that the high risk to the rights and
freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public
communication or similar measure whereby the data subjects are informed in an equally effective
manner.
4. If the Controller has not already communicated the personal data breach to the data subject, the
supervisory authority, having considered the likelihood of the personal data breach resulting in a high
risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are
met.
(Article 34 of the Regulation)
Right to lodge a complaint with a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the
right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her
habitual residence, place of work or place of the alleged infringement if the data subject considers that
the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall inform the complainant on
the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to
Article 78.
(Article 77 of the Regulation)
In Hungary, the supervisory authority is the National Authority for Data Protection and
Freedom of Information. The relevant detailed legal provisions are contained in Act CXII of
2011 on the Right of Informational Self-determination and Freedom of Information.
National Authority for Data Protection and Freedom of Information contact information:
1055 Budapest, Falk Miksa utca 9-11.
Phone:+36 1 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
website: www.naih.hu
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person
shall have the right to an effective judicial remedy against a legally binding decision of a supervisory
authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have
the right to a an effective judicial remedy where the supervisory authority which is competent pursuant
to Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the data
subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against the supervisory authority shall be brought before a court of the Member State
in which the supervisory authority has its seat.
4. Where proceedings are brought against a decision of a supervisory authority which was preceded
by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall
forward that opinion or decision to the court.
(Article 78 of the Regulation)
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge
a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject
shall have the right to an effective judicial remedy where he or she considers that his or her rights
under this Regulation have been infringed as a result of the processing of his or her personal data in
non-compliance with this Regulation.
2. Legal procedures against the data managing or processing party shall be opened in the competent
court system of the member state which is the data managing or processing party’s country of
business. Alternatively, such proceedings may be brought before the courts of the Member State
where the data subject has his or her habitual residence, unless the controller or processor is a public
authority of a Member State acting in the exercise of its public powers.
(Article 79 of the Regulation)
SUBMISSION OF A REQUEST BY THE DATA SUBJECT,
MEASURES TAKEN BY THE CONTROLLER
The data subject may request information about the processing of their personal data.
1. The Controller shall, without undue delay and in any event within one month of receipt of the
request, inform the data subject of the action taken on the request for exercising their rights.
2. This deadline may, however, be extended by two months if warranted by the complexity of the
request or the number of requests. The Controller shall inform the data subject of the extension of the
time limit, stating the reasons for the delay, within one month of receipt of the request.
3. If the data subject submits the request via an electronic channel the notification shall preferably be
sent to them in an electronic format unless the data subject requests a different format.
4. If the Controller fails to act upon the Data Subject’s request they shall notify the Data Subject,
without delay but no later than within one month of receiving the request, of the reasons of such a
failure, and shall also inform the Data Subject that they may submit a complaint with a supervisory
authority, and may seek judicial legal remedy.
5. The Controller provides the information referred to in Articles 13 and 14 of the Regulation and
information on the rights of the data subject (Articles 15 to 22 and 34 of the Regulation) as well as the
measure free of charge. If the Data Subject's request is manifestly unfounded or excessive, in
particular because of its repetitive nature, the Controller may, taking into account the administrative
costs of providing the information or notification requested or of taking the requested action:
a) charge a fee of HUF 6,350, or
b) refuse to act on the request.
The Controller shall bear the burden of demonstrating the manifestly unfounded or excessive nature of
the request.
6. If the Controller has reasonable doubts as to the identity of the natural person making the request, it
may request additional information necessary to confirm the identity of the Data Subject.
11 Data security
The Service Provider shall take all measures necessary to ensure secure and damage-free handling
of data and the installation and operation of data processing systems required for this. The Service
Provider shall ensure that no unauthorised persons may access, disclose, transfer, modify or erase
the processed data. The processed data may only be accessed by the Service Provider or their
employees designated as recipients of the data, and shall not be disclosed by the Service Provider to
third parties who are not authorised to access the data.
The Service Provider shall take all reasonable measures to ensure the physical protection of the data.
The Service Provider shall also impose the above commitment on their employees involved in data
processing. The Service Provider shall under no circumstances collect special data revealing racial
origin or nationality, being part of an ethnic minority, political opinions and any affiliation with political
parties, religious or philosophical beliefs or trade union membership, or data concerning health
conditions, sex life, harmful addiction, sex life or a criminal record. If the Controller becomes aware
that a user has placed data in the database that qualify as special data under the provisions of Act
CXII of 2011, they shall delete such data without delay and shall be entitled to terminate the
registration of the data subject without delay.
Technical and organisational measures taken by the controller, including technical and organisational
measures to ensure the security of the data:
a. "Need to know" principle: to ensure that only those whose tasks require it have access to the data.
Access should be reviewed from time to time. Access should be personalised (avoiding the use of the
same username+password pair by the same group).
Technical blocking of data downloads.
b. Use of automatic screen savers to ensure that unattended devices cannot be accessed without
control.
c. Use of anti-virus software: In addition to installing the right software, regular updates are also of
paramount importance, as well as proper internal policies and awareness raising (e.g. not opening
suspicious attachments).
d. Firewalls: If the network has external connections (either to other networks or to the Internet), the use of firewalls is also essential, with proper configuration.
e. Software updates: The controller should ensure that the software used by them is properly updated,
as newer versions may contain improvements that could, for example, prevent external attacks.
f. Remote access: Remote accesses may pose a potential risk to the system, so securing them may
require increased caution and the introduction of further security measures.
g. Wireless networks: Connections to unknown, untrusted networks should be avoided where possible
and appropriate rules for their use are required. In addition, technical security measures are also
necessary (e.g. use of appropriate encryption).
h. Portable devices: When personal data are stored on portable devices (e.g. USB, laptop, phone, etc.),
appropriate encryption should be applied. In addition, a password of appropriate strength should be
required for access. The possibility of remote erasure is a good way to reduce risks.
i. Logging and audit: Use of intrusion detection systems with access logs and appropriate control of
accesses
j. Backups: When backups are made, data in the backup should be protected to the same high level as
the data in the live system.
k. Replacing used devices: For devices to be replaced, arrangements shall be made for erasing the
data. This obligation applies to all types of devices, i.e. it is always worth checking whether the device
may contain personal data. However, a simple erasure or formatting is not enough, as data may be
recoverable from it. A software solution must be in place to prevent this. In some cases, physical
destruction may be an alternative to erasure.
l. Physical security: In addition to technological security measures, the existence of appropriate
physical security measures must be guaranteed (e.g. alarm system, access control system, protection
of server rooms, proper placement of monitors, clean desk policy, etc.).
m. Human factor: The human factor is often the greatest risk in terms of security measures. In this
regard, awareness building, education, regular monitoring of compliance with rules are key to
maintaining data security.