Privacy Policy
HO-RA Ltd. (hereinafter referred to as the “Data Controller/Company”; Company Registration Number: 08 09 002161; Registered Office: 9151 Abda, Pillingerpuszta 0208/24.; represented by Róbert Radáni, Managing Director) as the Data Controller, is bound by the contents of this legal notice, but is committed to ensuring that all data processing in its operations complies with the requirements set out in this Policy and the applicable legislation. It attaches the utmost importance to respecting the right of information self-determination of its customers / partners. It guarantees the confidentiality of personal data through technical, security and organisational measures.
The privacy policy relating to its data processing is permanently available at the following website address: www.hora.hu
The Company reserves the right to modify this policy and will inform its partners and the public of any changes in due time. Our colleagues will be happy to answer any questions you may have about this notice.
Our data management principles are in accordance with the applicable data protection legislation, in particular the following:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);
Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
Act V of 2013 – on the Civil Code (Civil Code);
Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (Eker. tv.);
Act C of 2003 – on Electronic Communications (Eht.);
Act XLVIII of 2008 – on the Basic Conditions and Certain Restrictions of Economic Advertising Activities (Act XLVIII of 2008).
1) Scope of the Privacy Notice, definition of terms
This privacy notice shall be valid from 25 May 2018 until its withdrawal.
The interpretative definitions set out in Article 4 of the General Data Protection Regulation (hereinafter referred to as GDPR) and the definitions in this Policy are as follows:
Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or the processor, are authorised to process personal data;
data subject’s consent: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act unambiguously expressing his or her consent, that he or she signifies his or her agreement to the processing of personal data relating to him or her;
a personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2.) Principles governing the processing of personal data
The processing of personal data related to the business activities of HO-RA Ltd. is based on voluntary consent. However, the processing, storage and transmission of some of the data provided may be required by law. We will inform the data subjects of this separately.
Please note that the data subject is obliged to obtain the consent of the data subject in cases where the data subject does not provide the Company with his or her own personal data.
2.1 Personal Data:
a.) be processed lawfully and fairly and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”)
b.) collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes (“purpose limitation”)
(c) they must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimisation’)
(d) be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without delay (‘accuracy’)
2.2 The Privacy Notice
The Privacy Notice is permanently available on the Controller’s website. Acceptance of this notice constitutes consent to the processing. The visitor confirms his/her acceptance by ticking the corresponding checkbox. The processing may only take place if the data subject gives his or her freely given, specific, informed and unambiguous consent to the processing of personal data concerning the natural person by means of a clear affirmative action, such as a written declaration, including by electronic means.
The employee(s) of the Controller carrying out the processing or the employees of the companies involved in the processing or responsible for a part of the processing on behalf of the Controller shall keep the personal data they have obtained as business secrets.
In the course of their work, the employees of the Data Controller shall protect personal data from unauthorised inspection, access, disclosure, alteration or destruction.
3) Enforcement of the rights of data subjects
The data subject may request information about the processing of his or her personal data and may request the rectification of his or her personal data; the erasure of his or her data at the e-mail address info@hora.hu; the restriction of processing; and the right to data portability.
3.1 Right to information
The data subject has the right to obtain information from the Controller as to whether his or her personal data are being processed. The Company shall provide the information in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in accordance with the requirements of the GDPR.
3.2 Right of access of the data subject
Where the processing of personal data is in progress, the data subject has the right of access to the personal data and the following information:
a.) The right to know the purposes of the processing;
b.) the categories of personal data concerned;
c.) the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
(d) where applicable, the envisaged period of storage of the personal data or, where this is not possible, the criteria for determining that period.
(e) The right to be informed of the data subject’s right to obtain from the controller the rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of such personal data; or to lodge a complaint with a supervisory authority.
f) You also have the right to be informed if the data have not been collected from the data subject.
g.) You also have the right to be informed of the logic used in automated decision-making and the significance of such processing and its likely consequences for the data subject.
3.3 Right to rectification
The right of rectification entitles the data subject to obtain, upon his or her request, the rectification of inaccurate personal data relating to him or her by the Controller without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data (inter alia, by means of a supplementary declaration).
Inaccurate or inaccurate data shall be corrected by the Company without undue delay at the request of the data subject. For the period of time during which the Company verifies the accuracy of the personal data, the personal data in question may be restricted in accordance with point 3.5 of this notice.
3.4 Right to erasure (“right to be forgotten”)
The data subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Controller shall be obliged to erase personal data relating to him or her without undue delay if one of the following grounds applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
(b) the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
(c) the data subject objects to the processing on the basis of Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing or the data subject objects to the processing on the basis of Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data have been collected in connection with the provision of information society services.
3.5 Right to restriction of processing
The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller where one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the controller to verify the accuracy of the personal data;
b.) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing pursuant to Article 21(1), in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override those of the data subject. The head of the department responsible for the processing shall suspend the processing for the duration of the assessment, but for a maximum of 5 days, examine the grounds for the objection and take a decision, which shall be notified to the applicant.
If the objection is justified, the head of the department shall restrict the data, i.e. only storage as processing may take place, as long as
e) the data subject consents to the processing;
f.) the processing of personal data is necessary for the exercise of legal claims;
g.) the processing of personal data is necessary in order to protect the rights of another natural or legal person; or
(h) processing is required by law in the public interest.
The controller shall inform the data subject at whose request the processing has been restricted in advance of the lifting of the restriction of processing.
3.6 Right to data portability
The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Company in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, if:
(a) the legal basis for the processing is the consent of the data subject or the processing was necessary for the performance of a contract to which the data subject is a party or for the purposes of taking steps at the request of the data subject prior to entering into that contract [Article 6(1)(a) or (b) or Article 9(2)(a) GDPR]; and
(b) the processing is carried out by automated means.
3.7 Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) or (f), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The Managing Director of the Company is responsible for determining whether processing is justified by compelling legitimate grounds. He/she shall inform the data subject of his/her views on this matter in an opinion.
3.8 Automated decision-making in individual cases, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The above paragraph shall not apply where the decision:
(a) necessary for entering into, or performance of, a contract between the data subject and the controller;
(b) is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) is based on the explicit consent of the data subject.
3.9 Right of withdrawal
The data subject has the right to withdraw his or her consent at any time. This does not affect the lawfulness of previous processing based on consent.
3.10. Procedural rules
The Controller shall inform the data subject of the action taken on the request under the right of information without undue delay and in any event within one month of receipt of the request.
In view of the complexity of the request and the number of requests, this time limit may be extended by a further two months in justified cases. In such a case, the controller shall inform the data subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay. The information shall, as a general rule, be provided free of charge and the Controller shall charge a fee only in the cases provided for in Articles 12(5) and 15(3) of the GDPR.
Where the Data Subject’s request is manifestly unfounded or excessive, the Company may charge a fee taking into account the following cost elements:
a.) in the case of paper copies, the direct cost of the medium;
b.) in the case of a copy on optical media, the direct cost of the medium itself;
c.) for copies on other media for electronic use, the direct cost of the medium itself;
(d) in the case of postal delivery to the data subject, the cost of the postal service for a registered letter sent by registered post with an additional delivery service;
(e) the cost of the labour input (the actual labour cost of searching for, aggregating and organising the data, making a copy of the data medium on which the data are requested and making the data on the copy unrecognisable) involved in fulfilling the data request, calculated as the time required to fulfil the data request multiplied by the sum of the regular hourly rates of remuneration of the staff involved in fulfilling the data request.
If the controller does not take the necessary action on the data subject’s request without delay, it shall inform the data subject of the reasons for its failure to act and of the possibility to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy within one month of receipt of the request at the latest.
Any previous recipient who has held the personal data shall be informed by the controller of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of these recipients upon request. Such notification may be dispensed with where, having regard to the purposes of the processing, this would not be against the legitimate interests of the data subject.
3.11. Compensation and damages
The Data Controller shall also compensate for any damage caused to others by unlawful processing of the data subject’s data or by a breach of data security requirements, as well as for any damage fee in the event of a personal data breach caused by the Data Controller or by a data processor engaged by the Data Controller. The controller shall be exempt from liability for the damage caused and from the obligation to pay the damage fee if it proves that it is not in any way responsible for the event giving rise to the damage.
3.12. Procedure before the data protection authority
The data subject may lodge a complaint regarding the data processing procedure of the Data Controller with the supervisory authority – in Hungary, the National Authority for Data Protection and Freedom of Information (NAIH) (headquarters: 1055 Budapest, Falk Miksa utca 9-11. Website: www.naih.hu)
3.13. Right to apply to the courts
The data subject may, at his or her option, pursue his or her claims in court. The court of law has jurisdiction to hear the case. The action may also be brought, at the option of the data subject, before the court of the place of residence or domicile of the data subject.
4.) Data processing in the course of the Data Controller’s business activities
4.1. Data processing in the course of the use of the Controller’s website (www.hora.hu)
4.1.1.1.
When visiting the website www.hora.hu, the web server does not record any user data. The code of the website contains links from an external server independent of the Company and pointing to an external server. This external server is connected to the user’s computer. We hereby inform our visitors that the providers of these links are able to collect data when directly connected to their server. The user’s browser may provide them with user data (e.g. IP address, operating system data, address of pages visited, time of visit, mouse pointer movement).
An IP address is a sequence of numbers that uniquely identifies the computers of users connected to the Internet. It can even be used to determine the geographical location of the user of a particular computer. The address of the pages visited, as well as the date and time data alone are not suitable for identifying the visitor (data subject), but when combined with other data (e.g. data provided during registration), it is possible to draw conclusions about the user.
Purpose of data processing: during the visit of the website, the provider records the visitor’s data in order to monitor the functioning of the services, to refine and complete the visitor’s searches, to provide personalised service and to prevent abuse.
Data processed: identification number, IP address of the user’s computer, date and time of the visit, address of the page visited, operating system and browser type.
legal basis for processing: the data subject’s consent and Article 13/A (3) of the Eker. tv.
Data retention period: thirty days
Method of data storage: electronic
4.1.2. cookie management by external service providers www.hora.hu
On the website www.hroa.hu, software is running to evaluate the data on visits to the website. This automatically generated visitor information: the visitor’s IP address, the pages visited, the time of the visit, the browser name used.
In order to identify and track users, the service partners place a small data package, a so-called cookie, on the user’s computer, which is read back during subsequent use of the Internet. A cookie is a variable alphanumeric packet of information sent by a web server, which is stored on the user’s computer and stored for a predetermined period of time. The use of cookies allows the visitor’s individual data to be retrieved and his Internet usage to be monitored. When the browser returns a previously saved cookie, the cookie provider may link the user’s current visit to previous visits to websites where the cookie of the external provider is used.
Cookies can therefore be used to determine the exact interests, internet usage habits and website visit history of the user concerned.
If, during a visit to a website, the user’s browser returns a cookie previously saved on the hard disk, the service provider sending the cookie can link the current visit to previous visits, but since cookies are domain-linked, it can only do so in respect of its own content. Cookies are not in themselves capable of identifying the user, they are only capable of recognising the visitor’s computer.
When you visit www.hora.hu, Google Analytics uses a cookie to operate its web analytics system. For more information about the processing of data by www.google.com/analytics, please contact http://www.google.com/intl/hu/policies.
The document “How Google uses data when you use one of our partners’ sites or applications” is available at http://www.google.com/intl/hu/policies/privacy/partners/
The information generated by the cookie about your use of the website (the IP address of the website visitor) will be transmitted to and stored by Google on servers in the United States of America. Google does not associate the information generated by the cookies with any other data – therefore, Google does not process any personal data under the applicable data protection legislation.
You can delete the cookie from your computer or disable the use of cookies in your browser. The management of cookies is usually possible in the Tools/Preferences menu of browsers under Privacy/Preferences/Custom settings, under the menu item cookie, cookie or tracking.
The following third party service providers have placed the listed cookies on the website:
Cookie name – From – Expiry – Description
_ga .hora.hu (Google analytics) 2 years The main cookie used by Google Analytics is the _ga cookie. This is the cookie used by Google for Google.hora.hora.com.
_gat .hora.hu (GA) 1 minute Controls the number of requests to doubleclick.net.
_gid .hora.hu (GA) 24 hours Used to distinguish users
1P_JAR .google.com 1 week Google cookie, used to collect statistics for the site.
DSID .doubleclick.net Session See IDE
IDE .doubleclick.net Main advertising cookie name IDE, stored by the browser under the doubleclick.net domain.
NID .google.com 6 months Most Google browsers store a preferences cookie called “NID”. The NID cookie contains a unique identifier that Google uses to store your preferences, such as your preferred language, the number of search results you want to see (e.g. 10 or 20), or whether you want to turn on Google’s Safe Search filter, and other information.
_icl_current_language
www.hora.hu
(WPML) 24 hours The cookie used by WPML to store the code of the current language of the site.
_icl_visitor_lang_js .www.hora.hu (WPML) 24 hours Cookie used by WPML. The visitor’s language.
wfvt_XXXXXXX
www.hora.hu
(Wordfence) 24 hour cookie used by the Wordfence security add-on to track visitor sessions on the site.
wordfence_verifiedHuman
www.hora.hu
(Wordfence) 30 minutes A cookie placed by the Wordfence security plugin to prove that the user is not a robot.
Purpose of processing: to analyse the website’s traffic patterns, to facilitate contact with the Company
scope of the data processed: Internet Protocol (IP) address of the visitor, time of visit, details of the pages viewed, name of the browser program used
legal basis for processing: pursuant to Article 6(1)(a) GDPR: the data subject’s consent.
Data retention period: maximum 2 years from the date of the data collection
method of data storage: electronic
4.3. Customer management
The Company processes the name, e-mail address and telephone number of the contact persons of the legal person contracting with it for the purposes of the performance of contracts (conclusion, performance, termination). The legal basis for the processing is the consent of the data subject – the content of the relevant contracts is the consent obligations in order to obtain consent.
Purpose of processing: to maintain the necessary contacts to meet the needs of customers and partners.
scope of the data processed: name, e-mail address, telephone number, address of the customer’s contact person
legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) GDPR.
Data storage period: until the purpose is achieved, but if the data subject requests the deletion of his/her data, until that time.
means of data storage: electronic
4.4. Customer correspondence by electronic means
If you wish to contact the Company in writing, you can do so using the contact form provided in this notice or the contact form available on the website under “Contact”. Using the contact form, the system will generate an e-mail which will be sent to the info@hora.hu mailbox. HO-RA Ltd. will delete all e-mails it receives, including the sender’s name, e-mail address, date, time and other personal data provided in the message, after a maximum of five years from the date of the communication.
Purpose of processing: to keep in touch with customers and partners in order to meet their needs.
scope of the data processed: name, e-mail address, telephone number, company address of the customer’s contact person
legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) GDPR.
data retention period: maximum 5 years from the date of the data collection, but if the data subject requests the deletion of his/her data, until that date.
method of storage: electronic
4.5. Processing of invoices
purpose of processing: issuing and storage of invoices
scope of data processed: name, address, tax number, bank account number, amount of payment, date of payment
legal basis for processing: Article 6(1)(c) of the GDPR and Article 167 of Act C of 2000 on Accounting
data retention period: the Company is obliged to keep the accounting documents for at least 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting. The Company shall automatically delete the personal data of the data subject after 8+1 years.
method of data storage: electronic and paper-based
4.6. Other data processing
We will inform you of any other data processing that may occur when we collect data. We inform our customers that the court, the prosecutor, the investigative/law enforcement/administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law may request/oblige the controller to provide information, to disclose or transfer data, or to provide documents. In the event that the authority has indicated the exact purpose and scope of the data, Effix-Marketing Ltd. shall disclose personal data only to the extent and to the extent strictly necessary for the purpose of the request.
5) Data processors
The Company uses the following data processor for the processing of personal data for technical tasks only:
Data processor name: MediaCenter Hungary Kft.
Address: 6000 Kecskemét, Erkel Ferenc utca 5.
Company registration number: 03 09 114492
Purpose of data processing: hosting service provider
The Data Processors shall carry out the data processing in accordance with the instructions of the Company, shall not make any decision on the substance of the data processing, shall process the personal data they become aware of exclusively in accordance with the provisions of the Company, shall not process the data for their own purposes, and shall store and retain the personal data in accordance with the provisions of the Company.
Matters not covered by this Policy
In matters not covered by this Policy, the GDPR and, where permitted by the GDPR, the rules of the Infotv shall apply by way of derogation.