We welcome you as a user of the www.thesafeskin.com website or the application named Safeskin, which are operated by Traqle Zrt.!
Granting some of your personal data is necessary to benefit from the services available on the website and also on the application concerned.
The security and proper management of your personal data you provide is exceptionally important to us so we would like to kindly ask you to read this Policy carefully and closely. In case you have any questions or comments regarding the content of the Policy, please feel free to contact us before accepting the Policy and our colleagues will be happy to assist you.
Concepts and definitions used in this Policy
The following is a brief summary of the most important definitions in this Policy.
- Data process: means any operation performed on personal data in connection with the processing operations carried out on behalf of the Data Controller, notwithstanding the method, the means or the place of the processing, provided that the operations are performed in respect of personal data. Accordingly, the data processor shall be any legal or natural person, public authority, agency or any other body that processes personal data on behalf of the Data Controller.
- Data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Controller: the personal data submitted by the Data Subject is processed by Traqle Zártkörűen Működő Részvénytársaság, who has the exclusive right to make and implement decisions in connection with the Data Subject’s personal data. The Controller’s data:
- Seat and mailing address: H-8000 Székesfehérvár, Kinizsi utca 20.
- Company registration No.: 1307-10-001494 (registered by the Székesfehérvár Regional Court)
- Tax ID No.: 26135281-2-07
- E-mail: firstname.lastname@example.org
- phone no.: +36309919750
- Áfatv.: Act CXXVII of 2007 on the value added tax.
- Terms and Conditions: the general terms and conditions made available on the Website by the Controller which are concluded when the Data Subject (customer) orders the Services of the Data Controller (provider).
- Authority: Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; e-mail: email@example.com; website: http://naih.hu; phone: +36 (1) 391-1400).
- Website: means the thesafesin.com website, which is operated by the Data Controller as well as any other websites connected to the Data Controller (especially on facebook), jointly or separately as the context requires.
- Application: means the application Safeskin which is downloadable from the Apple Store. The Application is only compatible with iOS-system. This Application provides an opportunity to monitor the purchased Eye and provides remote access to it.
- Eye: means the Bluetooth based tool which provides positioning information (geolocation tracking) and which is manufactured and distributed by the Data Controller.
- Grt.: Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Personal Data: means any information which identifies the Data Subject or makes them identifiable. Identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The Data Controller collects only the personal data in relation to the Data Subject that are listed in the Policy below.
- Personal Computer: shall mean any - electronic communications terminal equipment according to Article 188 section 21 in the act C of 2003 on electronic communications - IT devices available to the Data Subject, such as cell phones, PC, tablet which can receive cookies.
- Cookie: a file series, which may be created on the PC of the visitor of the Website or the Application by the host of the website and which stores information about the Data Subject and the connection between the Data Subject and the web server. The purpose of the usage of cookies is to identify the PC of the Data Subject in order to provide simplified browsing and monitoring and also to analyse and evaluate the usage patterns of the visitors of the Website and the Application in order to improve the user-experience based on the result.
- Service: depending on the contexts, it can either mean the web shop available on the Website or the other additional services of the Website and also the services available in the Application.
- Szt.: Act C of 2000 on accounting.
- Data Subject: any natural person who is identifiable or identified based on the personal data processed by the Data Controller.
Contact of the Controller
This section specifies the contact data of the Controller, as well as the representative of the Controller.
- Contact of the Controller:
a) Registered seat and mailing address: HU-8000 Székesfehérvár, Kinizsi utca 20.
b) E-mail address: firstname.lastname@example.org
c) Phone number: +36309919750
- Contact of the representative person of the Controller:
a) Name: Csongor Sohajda
b) Mailing address: HU-8000 Székesfehérvár, Kinizsi utca 20.
c) E-mail: email@example.com
Principles of data controlling
You can find a summary of the principles of data controlling below, completely enforced by the Controller during the entire term of data controlling, and considered obligatory on behalf of the Controller.
- Lawfulness, fairness and transparency: The Controller collects and processes personal data during providing services exclusively from the Data Subject. Processing of the personal data of the Data Subject shall only be performed for lawful and fair purposes, in a manner that provides transparency for the Data Subject. The Controller makes available the Policy in effect on the Website and on the Application free of charges and obligations, continuously and publicly. The Controller shall not process the provided personal data for unfair purposes or any additional purposes not specified herein, except if the GDPR or the Infotv. includes derogations. In the course of its data processing (controlling) activities it constantly acts according to this present Policy, as well as the applicable legislation. The Data Controller shall ensure for the Data Subject the understanding of this present Policy.
- Purpose limitation: Personal data may be processed only for specified and explicit purposes indicated in this Policy. If the Controller wants to process the personal data for purposes other than the above, the Controller shall inform the Data Subject previously primarily via e-mail. In order to ensure the transparency of the specific purposes of data processing, the Controller herein provides information regarding the purposes, duration and legal basis for processing different personal data. These requirements shall be applied by the Controller as binding.
- Storage limitation: Personal data of the Data Subject shall be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed or than what is permitted by the applicable legislation. Personal data processed exclusively according to Article 6 (1) item a) of the GDPR, based on the explicit and voluntary consent of the Data Subject shall be processed by the Controller until the Data Subject’s deletion request.
In respect of purchasing products by the Data Subjects the Controller shall be obliged to process the accounting records and relating documents, and other accounting materials for 8 years after the transaction in accordance with the article 169. (1) and (2) item of the Szt.
- Data minimisation: In order to provide the highest possible services and level of data security, the Controller shall process only the most necessary personal data. In all cases this data is necessary for the use of the Services. The Controller shall act in accordance with the Policy, if it asks for further data from the Data Subject in addition to the applicable provisions of Policy.
- Accuracy: In order to provide the highest possible services and level of data security the Controller shall ensure that the recorded personal data are continuously kept updated. This purpose is justified e.g. by the case of the Data Subject not being informed about the contents of a newsletter sent to a terminated e-mail address. The Data Subject shall also support the accuracy of the provided personal data, and thus the Data Subject shall inform the Controller about any changes to the data provided.
- Principle of data security: The Controller gives priority to the security of the provided personal data, and to that end it takes any necessary technical and organisational steps and procedures adjusted to the current development of technology. The Controller stores the data in an automated system.
Purposes of data processing, process of data controlling
The ranges of cases (purposes of data controlling) applied in practice to process the personal data of the Data Subject are summarised below.
- The Data processing purposes materializing on the website
- Purchasing products, concluding the contract, customer relationship: The purpose of the Data processing is to allow the Data Subject to exercise the rights resulting from the legal relationship concluded by the purchase and to perform the contractual obligations applied by the Data Controller after the acceptance of Terms and Conditions (which especially includes the obligation to perform cooperation, information exchange, transport and warranty of products). The further purpose of Data Processing is to provide information in connection with client contacts.
The processed Personal Data: First name, last name, address, phone number, e-mail address.
The legal basis of the Data processing is the contract established in accordance with point b) of the first paragraph in Article 6 of GDPR between the Data Controller and the Data Subject by the purchasing.
The aforementioned personal data will be processed for a period of 5 years from the performance of the purchase contract. This period is established on the basis of the applicable period of prescription in case of any possible claim which arise from the concluded contract.
Without the provision of the personal data stated above, the purchase contract shall not be concluded. The delivery of the ordered product to the shipping address indicated by the Data Subject will be carried out by the contractual partner of the Data Controller, (especially UPS Magyarország Kft., Amazon), which will act as Data Processor. In order to be able to deliver the purchased products, the Data Controller will provide the following Personal Data to the Data Processor: name, shipping address, e-mail address.
- Issuing invoices: During a purchase made on the webshop available on the Website, the Data Controller is liable for issuing an accounting document in accordance with provision of Article 165 of Szt. In order to be able to fill the aforementioned invoice, the Data Controller demands certain Personal Data to be provided. Subsequently, concerning the data contained in the invoice, certain Personal Data of the Data Subject are recorded under the obligation of Article 169 of Áfatv. The invoice can only be issued after the aforementioned data is submitted.
The processed Personal Data: First Name, last name, address.
The legal basis of the Data processing in terms of name and address is the legal obligation under Article 169 of Áfatv [point c) of the first paragraph in Article 6 of GDPR]. The duration of the data processing is 8 years in this case as it is determined by the first and second paragraph in Article 169 of Szt.
In order to fulfil the legal obligations stated above the Data Controller shall forward the specified personal data provided by the Data Subject to the contractual partner of the Data Controller, which will act as Data Processor. This Data Processor's activity is to provide the technical background and system of issuing the invoices.
In order to be able to deliver the purchased products, the Data Controller will provide the following Personal Data to the Data Processor: name, shipping address, e-mail address.
- Database processed to send newsletters: The goal of the Data Controller is, in accordance with the provision of Grt. 6 § in connection with the Service, to contact the Data Subject periodically to share the current promotions, offerings and discounts of the Data Controller as well as to provide other information in connection with their Services via the e-mail address of the Data Subject. The legal basis of this data processing is the explicit and voluntary consent of the Data Subject [in accordance with point a) of the first paragraph in Article 6 of GDPR] and can be done by the following processes:
- Registration in the Application
- Entering your e-mail address on the interface of the Website provided for this purpose.
By completing one of the aforementioned processes, the Data Subject gives their explicit and voluntary consent based on the information provided to have their data processed in accordance with this paragraph. By giving their consent, the Data Subject also agrees to receive direct marketing messages from the Data Controller via the contact details they shared.
In accordance with the third paragraph in Article 6 of Grt., the Data Controller is entitled to process the personal data of the Data Subject until the withdrawal of consent by the latter.
The processed Personal Data in order to provide newsletter service: Name, e-mail address.
The subscription can be cancelled free of charge at any time and without justification by the Data Subject by clicking on the “Unsubscribe from the newsletter” button at the bottom of the newsletter sent to their e-mail address as well as by sending an e-mail to firstname.lastname@example.org labelled with the same subject.
- The materialization of goals in the Application
- Registration, login, customer relationship: After purchasing the Eye manufactured and distributed by the Data Controller, the Data Subject is entitled to connect the Eye to their mobile device via the Application in order to activate the Bluetooth-powered remote tracking and remote access features of the Eye. In order to provide the adequate level of security for the utilization of the service, the Data Subject creates a personal user interface after installing the Application. The services within the Application are only available after the technical steps of the registration are completed. While creating the user interface necessary to utilize the services of the Application, the Data Subject provides certain personal data to the Data Controller, which are explicitly processed in accordance with the ability to provide the services (identification, communication) of the Application.
The processed Personal Data: e-mail address.
The legal basis of processing the e-mail address is the performance of the contract in relation with the provision of the services within the Application [point b) of the first paragraph in Article 6 of GDPR]. Within this framework, personal data will be processed as long as the registration is intact.
In order to ensure safety, the Data Subject has to provide a numerical code as a password when logging into the user interface they created in the Application.
- Processing geolocation data: As the main purpose of the Eye and the Service connected to it in the Application, the Data Controller provides the Data Subject with the ability to follow and monitor the current position of the Eye (and the properties the Eye is attached to) realistically and in real time. In order to achieve that, the Data Controller records the map coordinates of the Eye’s current location and logs the GPS-coordinates of the mobile device the Eye is connected to. The purpose of the Data processing is to comply with the fulfilment of the Services utilized by the Data Subject as determined in the Terms and Conditions and the Data Controller may only process the recorded Personal Data exclusively in connection with the fulfilment of that purpose.
The processed Personal Data: the current location of the Eye, the current location of the mobile device connected to the Eye, GPS-coordinates.
The legal basis of the Data processing is the Terms and Conditions accepted by the Data Subject by purchasing the Eye and utilizing the Application [point b) of the first paragraph in Article 6 of GDPR]. By connecting the Eye to any Computer the Data Subject gives his consent for this Data Process voluntarily and explicitly, so the further legal basis of the data processing in this case is the Data Subject’s consent [point a) of the first paragraph in Article 6 of GDPR].
Personal data will be processed until the end of the contractual legal relationship.
Recording technical data (cookie) and data processing in relation to statistics
- Besides the personal data of the Data Subject, their technical data are also recorded, which are generated (without the explicit consent by the Data Subject and without requiring any further action on their side) by the cookies on their Personal Computer when they enter or leave the Website or the Application as well as during using the aforementioned interfaces. The purpose of collecting these data is to produce statistics about the attendance and usage of the website and the Application as well as to allow expansive upgrade of their IT systems. The Data Controller does not connect the collected data to the personal data of the Data Subject (with the exception of cases where law enforces them to do so) and the aforementioned data will only be accessed by the associates of the Data Controller and the Administrator. The Data Subject may delete cookies from their own computer anytime (by using the corresponding feature of their web browser) and they can also prohibit the usage of cookies entirely in their browser (typically by using “Help” function). However, by prohibiting the usage of cookies, the user acknowledges that the Website will not be able to work at its full capacity. For more information, please visit one of the websites below:
Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-managecookies#ie=ie-11
- The following Data processing cookies are also placed on the Website by third parties in order to provide data processing Service:
- Google Analytics: Google Analytics cookies are applied on the Website and in the Application by the Data Controller. By using the services of Google Analytics in order to produce statistics, the Data Controller collects anonymous data (which cannot be used to identify the user or their IP-address and location) about how the visitors use the Website and the Application. The data collected this way are used by the Data Controller to upgrade the Website and the Application and to improve the user experience. These cookies will remain on the computer of the Data Subject until their expiration or deletion.
- Facebook remarketing pixel: For the purpose of remarketing, the Data Controller applies Facebook Pixel cookies on the Website and in the Application. These cookies allow the appearance of targeted advertisements for the Data Subjects who previously visited the Website, placed an order on the Website or used the Application. These cookies also put limitation on certain advertisements made available for the Data Subject in order to avoid undue repetitions.
General Data Processors
In the following, the Data Processors, the third party persons who have access to Personal Data based on their legal relationship with the Data Controller, shall be detailed. The Data Processors are employed by the Data Controller in order to fulfil a certain purpose in terms of Data Processing.
The developer of the Website has access to the Personal Data collected on the Website and, therefore, acts as a Data Processor for the purpose of providing further development for the Website. The personal data provided based on the legal relationship with the Data Processor are identical with the personal data collected on the Website.
Enforcement of rights and legal remedy
The following is a summary of the rights of the Data Subject that can be exercised against the Data Controller.
- Communication with the Data Controller: The communication between the Data Subject and the Data Controller takes place through e-mail or by post. The Data Subject is entitled to ask for feedback on whether their personal data are being processed at any given time, and in case they are, the Data Subject also has the right to access their personal data in the following scope.
Within the framework of the access, the following information could be provided by the Data Controller regarding the data processing:
- the purpose of the data processing;
- the processed Personal Data;
- the recipients of data forwarding;
- the expected duration of the data processing; or in case the length is unascertainable, the aspects based on which the length is determined;
- the rights that can be exercised by the Data Subject;
- the right to submit complaints to the Authorities;
- the source and the legal basis of the data collected by the Data Controller.
The Data Controller has to provide the requested information without any unjustified delay and within 25 days from the submission of the request at the latest. If necessary, taking the complexity of the request and the number of requests into account, this deadline can be extended in accordance with the applied legislation. The Data Controller has to notify the Data Subject about the extension of the deadline and the reason of the delay within 25 days from receiving the request. The Data Controller has to provide the copy of the processed personal data to the Data Subject on their request. For further copies requested by the Data Subject, the Data Controller may charge a reasonable administrative fee.
- The e-mail of the Data Subject will only be investigated and answered by the Data Controller if it was sent from the e-mail address previously submitted by the Data Subject (except if the Data Subject refers to a change of their address in the e-mail, or if the Data Subject is clearly identifiable from the e-mail).
- The Data Subject will be informed about every action that has been taken in relation with their personal data by the Data Controller without delay but within 25 days of performing the action at the latest. The Data Subject has to be informed immediately, but at least within one month of receiving their request, by the Data Controller if no actions are taken based on their request as well as providing the reasons of the lack of action and they must also be informed about their right to file a complaint at the Authority and their right to apply for judicial remedy.
- Rectification: The Data Subject has the right to inform the Data Controller about any change in their Personal Data (in e-mail or by post, as mentioned above). The Data Controller records the requested change of personal data within 8 days of receiving the request. If the Data Subject does not report the changes that occurred in their personal data without delay, the Data Subject will be held responsible for any consequences. The Data Controller automatically rectifies the submitted information in case it is incorrect and the Data Controller has access to the correct information.
- Erasure of data: The Data Subject is entitled to request the erasure of their personal data without any unjustified delay and the Data Controller is obliged to comply with the request without any unjustified delay, particularly if one of the following factors apply:
- the personal data are no longer needed for the purpose they were collected and processed;
- the Data Subject withdraws their consent to the data processing and, therefore, the processing loses its legal basis (the withdrawal does not affect the legality of the data processing retrospectively);
- the Data Subject objects to the data processing based on legitimate interest;
- the personal data were handled unlawfully by the Data Controller;
- the personal data have to be erased in order to comply with the obligation of the national or European Union Law applying to the Data Controller.
Nevertheless, the Data Controller is not obliged to erase the processed personal data, even if one of the aforementioned conditions occurs, in case the data processing is necessary:
- to practise the freedom of expression and to exercise the right of information;
- to comply with the obligation of the national or European Union Law applying to the Data Controller or to comply with public interest;
- for statistical reasons or to have it archived; for scientific or historical reasons; or if the erasure would put the data processing under serious threat or make it impossible;
- to present, exercise or defend legal claims.
- Objection against data processing: The Data Subject is entitled to oppose the processing of their Personal Data based on legitimate interests (which includes observation by a camera, data collection by designers as well as processing data in order to acknowledge reception). In this case, the Data Controller is no longer allowed to process the Personal Data with the exception of the case where the Data Controller is able to certify legitimate reasons which override the interests, rights and freedoms of the Data Subject or which are required to present, exercise or defend the legal claims of the Data Controller.
- Right to restrict data processing: the Data Subject is entitled to request the processing of their Personal Data to be restricted by the Data Controller if one of the following conditions applies:
- the Data Subject challenges the accuracy of their Personal Data; in that case, the restriction applies to the duration required for the Data Controller to verify the correctness of the Personal Data;
- the data processing is unlawful, the Data Subject objects to the erasure of the Personal data and requests the restriction of the usage of the Personal Data instead;
- the Data Controller no longer requires the Personal Data of the Data Subject to comply with the purpose of the data processing but the Data Subject needs the stored data to present, exercise or defend their legal claims;
- the Data Subject opposed the data processing; in that case, the restriction applies for the duration required to determine whether the legitimate reasons of the Data Controller override the legitimate reasons of the Data Subject.
If the data processing is restricted based on the aforementioned circumstances, Personal Data may only be processed (excepting storage) with the consent of the Data Subject to present, exercise or defend legal claims or to defend the rights of other natural or legal persons for important public interests. In case the restriction is lifted, the Data Controller has to inform the requesting Data Subject of that prior to the action.
- Right of data portability: In terms of processed personal data based on the consent of the Data Subject or in order to fulfil the contract, the Data Subject is entitled to request their personal data to be provided to them by the Data Controller in a structured, widely used and machine-readable form and the Data Subject is also entitled to forward these personal data to a different Data Controller without any contradictions from the original Data Controller for whom they provided their personal data. This right can only be exercised in relation to personal data digitally processed on the legal basis of consent or the performance of a contract.
- Initiation of public proceedings: The Data Subject may initiate an examination at the Authorities in connection with the handling of their Personal Data by referring to their legal right being impaired, or in danger of being impaired. The examination of the Authority is free of charge; the Authority bears and advances the cost of the examination. No one shall suffer prejudice on account of their notification to the Authority. The Authority may only disclose the identity of the notifier in case the examination would be impossible to carry out without it. If the notifier requests, their identity is not to be disclosed by the Authority even if it renders the examination impossible.
- Enforcement of law before court: if their right is infringed, the Data Subject may turn to the court against the Data Controller and the judgement of the case will be passed by the General Court. In principle, the General Court of the headquarters of the Data Controller is competent in the case; however, the case can be initiated at the General Court of the residence or place of stay of the Data Subject as well, based on their choice. The competency of the General Court can be verified in the “Court search” application available at www.birosag.hu. The General Court gives priority to the case.
- Compensation and penalty: the Data Subject may demand a penalty to be paid by the Data Controller in case of processing the Personal Data of the Data Subject unlawfully or breaching the obligations of data protection:
- causes material injury to the Data Subject or others; they are obliged to compensate (compensation)
- invades the privacy of the Data Subject.
The Data Controller is exempted from the liability of the caused damage and the penalty if they prove that the damage or the invasion of the privacy of the Data Subject is owed to an occurrence of any event arising from any reason or cause beyond reasonable control and outside of the scope of Data processing. If the damage or the invasion of privacy is caused intentionally or by gross negligence of the Data Subject (injured party), no compensation shall be paid and no penalty can be demanded.
- Data Subjects under the age of 16 are only allowed to submit their personal data in case they bear the consent of their legal representative (parent).
- The Data Controller reserves the right to change this Policy unilaterally at any time.
- The Hungarian Law applies to this Policy.
- The Policy is effective from November 28, 2018. The Policy is available on the Website and in the Application.
Székesfehérvár November 28, 2018.