BLUE BUSINESS Interior Kft.

 PRIVACY NOTICE

1 September 2019

Contents

1. Introduction

 

2. Scope of the personal data; purpose, ground and duration of processing

2.1 Logging of www.blue.hu server

2.2 Management of the Website’s own cookies and processing of users’ data

2.3 Data processing by external service providers on the Website

2.4 Newsletter

2.5 Failure notification

2.6 Other data processing

 

3. Way of storage of personal data, security of data processing

4. Data and contact details of the Controller

5. Legal remedies

5.1 Right to information

5.2 Right to access

5.3 Right to rectification

5.4 Rights to erasure

5.5 Right to restriction of data processing

5.6 Right to object

5.7 Rules of procedure

5.8 Right to contact the Controller

5.9 Right to access court

5.10 Procedure of the data protection authority

 

1.Introduction

BLUE BUSINESS Interior Kft (registered office: 1138 Budapest, Váci út 135-139/A., hereinafter referred to as Provider or Controller) meets its information obligations related to data processing by issuing this Notice. The Provider acknowledges the content of this legal notice as binding for itself and guarantees that all data processing operations related to its activities comply with the requirements defined in this Notice and the rules of law in force.

 

The Controller:

  • reserves the right to change this Notice;
  • is committed to the protection of the personal data of its clients and partners and considers respect of its clients’ right for informational self-determination particularly important;
  • will process personal data confidentially and take all security, technical and organizational measures to guarantee the security of such data;
  • will process personal data only for specific, explicit and legitimate purposes, for the purposes of exercising a right or fulfilling an obligation; will collect it taking the principle of fairness and legality into consideration and process it in adherence to such principles;
  • will process only personal data that is indispensable and suitable for the purposes of data processing. The Provider will process personal data to the extent and for the period necessary for implementing the purpose. Personal data will be stored in a form to enable identification of the data subject only for the period necessary for achieving the specific purposes, i.e. collection and further processing of the personal data.

 

The Controller’s data processing principles are in accordance with the legal regulations related to data protection, so in particular with:

  • Act CXII of 2011 on Informational Self-determination and Freedom of Information (Information Act)
  • Act V of 2013 on the Civil Code (Civil Code)
  • Act CLV of 1997 on Consumer Protection (CPA)
  • Act XC of 2017 on the Code of Criminal Proceedings (CCP)
  • Act C of 2000 on Accounting (Accounting Act)
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Ecom Act)
  • Act C of 2003 on Electronic Communications (Elcom Act)
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (CAA)
  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC

Data transfer to the Processor defined in this Notice may be performed without the data subject’s special consent. Unless otherwise provided in law, personal data may only be released to third parties or authorities on the basis of an official decision or with the preliminary explicit consent of the data subjects.

The data subject warrants that the he or she has legally obtained the consent of a natural person to the processing by the Controller of the personal data provided or made available by him or her on the other natural person.

Processing of the personal data of data subjects below the age of 16 years shall be lawful only if consent is given by the adult holding parental responsibility over the child. The Controller is not able to check the authority of the person giving the consent or the content of his or her statement, so the data subject or the person exercising parental control over him or her shall warrant that the given consent complies with law. In the absence of a statement of consent, the Controller is not allowed to collect personal data related to data subjects below the age of 16 years, with the exception of the IP-address used for use of the service, which, given the nature of Internet services, shall be recorded automatically.

To ensure security of the personal data, the Controller must implement appropriate technical and organizational measures and adequate procedural rules to protect the recorded, stored and processed data, including protection against accidental loss, unlawful destruction, unauthorized access, unauthorized use, unauthorized amendment and unauthorized dissemination thereof. The Controller will invite all third parties to meet this obligation to whom it transmits personal data.

Under the relevant provisions of the GDPR, the Controller has not appointed a data protection officer.

 

2. Scope of the personal data; purpose, ground and duration of processing

The processing operations carried out by the Controller are based on statutory authorization or voluntary consent, so that if the data provider provides data other than his or her own personal data, it is the data provider’s duty to obtain the consent of the data subject. Should the data provider fail to consent to the processing of his or her data to be provided, the possible consequence of failure to provide data might be that the data provider will not be able to able to use or will not be able to use all of the services.

 

2.1 Logging of www.blue.hu server

The Controller is the operator of the blue.hu website (Website) and, on the one hand, it is engaged in media content provision and provides the services available there in relation to its such principal activity and, on the other hand, it performs the related IT services as well. For the purposes of this Notice, each individual who enters or visits the Website and provides his or her data referred to herein is considered a user (hereinafter referred to as User).

Upon visiting the Website, the webserver records no user data.

Processing of logging information by external service providers:

The Website’s html code contains references received from and pointing to an external server independent of the Provider. The external service provider’s server is in direct connection with the User’s computer. We draw our Users’ attention to the fact that the providers of such references are capable to collect users’ data (e.g. IP address, browser data, operation system data, address of the visited site and time of the visit) as a result of the direct connection with their own serves and their direct communication with the user’s browser.

The contents customized to the User (if any) are served by the external service provider’s server. Detailed information on the processing of the data by the external providers’ servers can be obtained from the controllers listed below.

The independent measurement and auditing of the site visit and other web analytics data of the Website are assisted by the server of Google Analytics as an external service provider. The service provider available at www.maps.google.com displays the map information on the Website as an external service provider.

The controller provides detailed information on the processing of measurement data at http://www.google.com/intl/hu/policies/. The document titled “How Google uses data when you use our partners’ sites or apps” is accessible at:  http://www.google.com/intl/hu/policies/privacy/partners/

The code of the service provider accessible at facebook.com, instagram.com and linkedin.com has been placed at the Website (see Processing of external service providers).

 

2.2 Management of the Website’s own cookies and processing of users’ data

In order to provide customized services, the Controller does not place a short data file, so-called cookie on the user’s computer and will not read it back during a future visit.

Purpose of processing: to identify and communicate with the User when he or she sends an e-mail to the Controller to any of the e-mail addresses indicated and to upgrade the IT systems.

Legal ground for data processing: the data subject’s voluntary consent under Article 6 (1) a) of the GDPR.

Scope of the data processed: the data, e-mail addresses, IP addresses recorded for the purposes of use of the services.

Duration of data processing: until the consent to data processing is withdrawn.

Data processors:

  • First Voice Szolgáltató Kft. (registered office: 8060 Mór, Kert utca 18.)
  • Tárhely.eu Kft. (registered office: 1097 Budapest, Könyves Kálmán krt. 12-14.)
  • Web-hosting and e-mail services

 

2.3 Data processing by external service providers on the Website

External service provider: the Controller may, in connection with operation of the Website or the provision of the services provided there – either directly or indirectly – employ third party service providing partners to whom the personal data are or may be transferred, or who may transfer personal data to the Controller. Furthermore, service providers who are not in cooperation with the Controller but who collect data of the Users by having access to the websites of the Service that may be suitable to identify the User – either independently or combined with other data – shall also be considered external service providers.

The personal data processed in the systems of external service providers shall be subject to the provisions of the external service providers’ own privacy notices.

Certain service providing partners place short data files, so called cookies on the user’s computer for the purposes of identification and tracking of users and read them back in future use of Internet. If the browser returns a cookie saved previously, the service provider managing the cookie is allowed to combine the user’s current visit with the previous ones in respect of the websites which use the cookie of the external service provider.

The user can delete the cookies from his or her own computer and block use of cookies in his or her browser. As a rule, cookies can be managed in the settings menu of browsers, under cookies or tracking.

In the event during a visit to the Website the User’s browser returns the cookies saved previously on the hard drive, the sending external service provider can combine the current visit with the previous ones, however, as cookies are linked to a domain, it can do so only in respect of its own content.  Cookies in themselves are not capable to identify the user and are suitable to recognize the visitor’s computer only.

There are external service providers with whom none of the Controllers is in contractual or cooperation relationship intentionally in respect of the relevant data processing, but who nevertheless have access to the Website – either with or without contribution of the user – and so collect data on the Users or user activities on the websites of the Services, which may be suitable – either independently or combined with the data collected by such other external service provider – for identifying the User. Such external service providers might be, in particular but not limited to:  Facebook Ireland LTD., Google LLC, Instagram LLC., Infogram Software Inc, PayPal Holdings Inc., Pinterest Europe Ltd., Playbuzz Ltd., Twitter International Company, Viber Media LLC, Vimeo INC., YouTube LLC.

Such external service providers process the Personal Data forwarded to them according to their own privacy policies.

 

2.4 Newsletter

When subscribing to newsletters at the Controller’s website, the data subject will provide personal data, which will be processed by the Controller in accordance with the relevant legal regulations. Data are provided entirely on a voluntary basis and nobody is required to provide such personal data, however, in the absence of such data the Controller will not be able to provide the newsletter service.

Scope of the data processed: full name, e-mail address, other personal data indicated

Purpose of data processing: The data are requested with the aim to send you in the future e-mails containing business advertising, direct marketing or communication for marketing purposes (e.g. newsletters and eDMs) relating to our products/services.

Period of data processing: Until withdrawal of the User’s consent. The consent may be withdrawn at any time in an e-mail sent to info@blue.hu. or clicking on the link in the newsletter.

Legal ground for data processing: voluntary, based on the data subject’s consent according to Section 5(1)a) of the Information Act, Article 6(1)a) of the GDPR, Section 13/A of the Ecom Act and Section 6(1) of the CAA.

Data processor:

  • com (The Rocket Science Group, LLC [675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA.
  • providing newsletter service
  • performing database-related tasks

 

2.5 Failure notification

When using the Failure notification service at the Controller’s website, the data subject will provide personal data, which will be processed by the Controller in accordance with the relevant legal regulations Provision of the data in respect of the Failure notification service is mandatory as in the absence of such data the Controller will not be able to provide the service.

Scope of the data processed: full name, e-mail address, other personal data indicated

Purpose of data processing: The data are requested to enable provision of the Failure notification service.

Period of data processing: Until withdrawal of the User’s consent. The consent may be withdrawn at any time in an e-mail sent to info@blue.hu. or clicking on the link in the newsletter.

Legal ground for data processing: voluntary, based on the data subject’s consent according to Section 5(1)a) of the Information Act and Article 6(1)a) of the GDPR.

 

2.6 Other data processing

You will be informed concerning data processing not mentioned in this Notice at the time of registration. We inform our clients that, based on the authorization of courts, prosecutors, investigating authorities, authorities dealing with administrative offences, administrative authorities, the National Authority for Data Protection and Freedom of Information, or of law, other bodies may request the controller to provide information, to disclose and transfer data or to make data available.

The Provider may provide personal data to authorities – provided that the authority has specified the precise purpose and scope of data – only to an extent as is necessary for the purpose of the request.

 

3. Way of storage of personal data, security of data processing

The computer systems of the Provider and its other places of data retention are located at its seat, places of business and the premises of data processors.

The Provider will select and operate the IT devices used during providing of the service so that the data processed:

  • is available exclusively to the duly authorized persons (availability);
  • is authentic and its authentication is provided (authenticity of data processing);
  • its integrity is verifiable (data integrity);
  • is protected against unauthorized access (confidentiality of data).

The Provider will protect the data with adequate measures especially against unauthorized access, transformation, transmission, disclosure, erasure or destruction, and further against accidental loss or damage, as well as against disabled access occurring due to changes in the technology applied.

The Provider will protect the security of data processing with technical and organizational measures providing suitable protection level against risks of data processing, while bearing the current state of development of technology in mind.

 

4. Contact details of the Controller

Data and contact details of the Controller

Name: BLUE BUSINESS Interior Kft

Registered office: 1138 Budapest, Váci út 135-139/A.

Phone: + 36 1 465 8060

E-mail: info@blue.hu

 

5 Legal remedies

 

The data subject may request information about the processing of his or her personal data and may request rectification or erasure or blocking of personal data (except compulsory data processing) in the way disclosed upon registration of data or via the controller’s customer service.

 

5.1 Right to information

 

Pursuant to the data subject’s request, the Provider as controller will provide information about the data processed by the data processor assigned by it, the sources thereof, the purpose of, legal ground for and duration of data processing, the name and address of the data processor and its activities related to data processing, the circumstances and effects of a personal data breach and the measures taken for its elimination, as well as the legal ground for and recipient of data transfer (if any). The controller will provide clear information at the data subject’s request in writing within the shortest possible period of time following the submission of the request, however, no later than within 30 days. The information will be provided free of charge if the individual requesting the information has not yet submitted a request for information in connection with the same range of data in the same year. Otherwise the Provider will establish a fee.

 

5.2 Right to access

The data subject will have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.

 

5.3 Right to rectification

The Provider will rectify the personal data if it is not true and the true personal data is available to it.

 

5.4 Right to erasure

The Provider will erase personal data if

  1. a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  2. b) the data subject withdraws consent on which the data processing is based and where there is no other legal ground for the data processing;
  3. c) the data subject objects to data processing and there are no overriding legitimate grounds for the data processing, or the data subject objects to data processing;
  4. d) the personal data has been unlawfully processed;
  5. e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. f) the personal data has been collected in relation to the offer of information society services.

 

Erasure of data cannot be initiated a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires data processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the area of public health; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously jeopardize data processing; or e) for the establishment, exercise or defence of legal claims.

 

5.5 Right to restriction of data processing

The data subject will have the right to request the controller for restriction of data processing where one of the following applies:

  1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  4. d) the data subject has objected to data processing; pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

5.6 Right to object

The data subject will have the right to object, on grounds relating to his or her particular situation, at any time to processing of the personal data concerning him or her as necessary for enforcing the legitimate interests of the controller or a third party. In such a case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

5.7 Rules of procedure

The controller will provide information on actions taken on a request under the right to information to the data subject without undue delay and in any event within one month of receipt of the request referred to in Articles 15 to 22 of the GDPR.  That period may be extended by two further months where necessary, taking into account of the complexity and number of the requests. The controller will inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject filed the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the controller does not take actions on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. That period may be extended by further two months (60 days) where necessary, taking into account of the complexity and number of the requests.

The Provider will provide the information, communication and actions free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account of the administrative costs of providing the information or communication or the action requested or refuse to act on the request.

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR will have the right to receive compensation from the controller or data processor for the damage suffered. Any controller involved in processing shall be liable for the damage caused by processing which infringes the GDPR. A data processor will be liable for the damage caused by processing only where it has not complied with the obligations defined in the GDPR specifically directed to data processors or where it has acted outside or contrary to lawful instructions of the Controller. The Controller or data processor will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

The Provider will not be entitled to delete the data subject’s data unless data processing was stipulated in law.

 

5.8 Right to contact the Controller

The Controller may be contacted with any question or comment relating to data processing at the Controller’s mail address, by e-mail to info@blue.hu and on + 36 1 1 465 8060 phone number.

 

5.9 Right of access a court

In the event of infringement of his or her rights, the data subject will have the right to bring the matter before the court.  The court shall take immediate action in such cases.

 

5.10 Procedure of the data protection authority

Complaints may be filed to the National Authority for Data Protection and Freedom of Information:

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság / Hungarian National Authority for Data Protection and Freedom of Information

Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mail address:

1530 Budapest, Pf. 5