rekavago

Introduction

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (hereinafter: GDPR ), the Data Controller provides the data subjects with the following information regarding the processing of personal data.

Contact details of the data controller

Data controller
Name:	Pinka 2003 Ltd.
Headquarters:	1047 Budapest, Karolyi István Street 10.
E-mail:	info@rekavago.com
Phone:	+36304066622
Website	www.rekavago.com

Legislation, definitions

Main legal acts governing data processing

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR)

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Infotv.)

Act C of 2000 on Accounting (hereinafter referred to as: Accounting Act)

[other, possibly sector-specific legislation]

Definitions

The content of the terms used in this information is the same as the content of the terms used in Article 4 of the GDPR and Section 3 of the Info.tv.

According to the GDPR, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The term "recipient" means the natural or legal person, public authority, agency or any other body to which personal data are disclosed , whether or not it is a third party. Public authorities which have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by such public authorities shall be in accordance with the applicable data protection rules in accordance with the purposes of the processing.

The term "data processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

The concept of "health data": personal data relating to the physical or mental health of a natural person, including data relating to healthcare services provided to the natural person that contain information about the health status of the natural person.

Scope of personal data processed, purpose, legal basis and duration of data processing

In this chapter you can find out what personal data we process, for what purpose we process it, i.e. what we use this data for. This chapter also includes the legal bases for each data processing and their duration.

You can find information on each data processing method in a separate section for each data processing purpose.

Handling of customers' personal data

The Data Controller performs the following activities during Data Management: identifying you; drafting the contract to be concluded with you and other related documents; maintaining contact and communication with you and other third parties.

During the performance of the assignment, the Data Controller records and manages your data – if necessary – in its administrative and other IT systems.

Purpose of data processing: performance of the contract between you and the Data Controller.

Legal basis for data processing: data processing is necessary for the performance of a contract between you and the Data Controller or for taking steps prior to entering into a contract [GDPR. Article 6 (1) b)].

Scope of processed data :

• personal identification data: full name, address, place and time of birth, mother's name,

• contact details: telephone number, e-mail address,

• in the case of a sole proprietor: registration number, registered office, tax number,

• other data necessary for the fulfillment of the contract or order: bank account number, shoe size, shape and style

Source of data: your statement, personal documents; public registers (e.g. register of sole proprietors).

Duration of data management (planned duration): 5 years from the termination of the legal relationship; in the case of data recorded in an accounting document, 8 years from the issuance of the accounting document.

The consequence of failure to provide data is: failure to conclude a contract, refusal to cooperate.

Recipients : During the performance of the contract, the Data Controller must forward your data (by sending the invoice issued by you) to the business company that performs the Data Controller's accounting.

In addition to the above, recipients may also include: postal and courier services, authorities, courts, legal advisors, financial advisors.

Data processors : The data controller may communicate your data to data processors contracted with it during data processing. Such data processors are as follows.

Name	Contact information (mailing address, email address, phone number)	Activity
ACC-Assist Ltd.	office@acc-assist.hu	bookkeeping, accounting services
GLS Hungary Ltd. Hungarian Post Ltd. Google Ireland Ltd. UPS Hungary Ltd.	it@gls-hungary.com ugyfelszolgalat@posta.hu support-eea@google.com upshungary@ups.com	logistics, IT services (hosting, email service)

Recruitment, hiring

Purpose of Data Management: recruitment, preparation of an employment offer. This includes identifying you, assessing your suitability for the job, deciding on the position, maintaining contact, and communicating.

Legal basis for data processing: your consent [GDPR Article 6 (1) point a). You have the right to withdraw your consent to data processing at any time, which does not affect the lawfulness of data processing before the withdrawal of consent.

Scope of processed data :

• personal identification data: name, permanent address (place of residence), mother's name, place of birth, time

• contact details: phone number, email address

• other data related to employment and job suitability: data on qualifications, competencies, data on work experience, etc.,

• other data you voluntarily share (e.g. in your CV).

Data source : your statement

Duration of data processing (planned duration): we process your data until the day after the decision to fill the advertised position is made; in the case of a rejected application, we process the data until the day after the decision to reject.

If you specifically consent to this, we will process your data for a maximum of 6 months after the position has been filled, in order to contact you if the position becomes vacant again or with another job offer that is suitable for you.

We will process your data for withdrawal of consent if you withdraw your consent within the above deadlines.

The consequence of failure to provide data is: rejection or disregard of the application.

Recipients : the Data Controller does not transfer the data to third parties.

During data processing, the Data Controller uses data processors :

Name	Contact information (mailing address, email address, phone number)	Activity
ACC-Assist Ltd.	office@acc-assist.hu	HR services, payroll
Google Ireland Ltd.	support-eea@google.com	IT services (hosting, email service)

Obligation to keep accounting documents

This includes the Data Controller retaining the invoice for the service fee and other costs, as well as the accounting documents directly and indirectly supporting the accounting settlement (e.g. order, contract).

The purpose of data management is to fulfill the obligation to preserve accounting documents prescribed by the Accounting Act.

Legal basis for data processing: data processing is necessary for the fulfillment of the Data Controller's legal obligation (GDPR. Article 6 (1) point c), the law prescribing data processing: Act C of 2000 on Accounting (hereinafter: Accounting Act ) Section 169.

The scope of the data processed: name, address; tax number; in the case of accounting documents, other personal data contained in the given document.

Source of data: your statement, personal documents, the Data Controller's financial records.

Duration of data management (planned duration): 8 years from the date of issue of the given invoice or receipt.

During data processing, the Data Controller uses data processors :

Name	Contact information (mailing address, email address, phone number)	Activity
ACC-Assist Ltd.	office@acc-assist.hu	bookkeeping, accounting services
Google Ireland Ltd.	support-eea@google.com	IT services (hosting, email service)

Claim enforcement

If a legal dispute arises between the Data Controller and you, the Data Controller may initiate legal proceedings in order to enforce its claims and recover its claims, during which it may contact a legal advisor, court, or authorities.

The purpose of data management is to enable the enforcement of claims and the collection of receivables.

Legal basis for data processing: data processing is necessary for the purposes of the legitimate interests of the Data Controller [GDPR. Article 6 (1) point f). The Data Controller has a legitimate interest in pursuing its financial claims and in using third-party expert services for this purpose.

The scope of the data processed: personal identification data, address or place of residence, financial settlement data.

Source of data: your statement, personal documents, the Data Controller's financial records.

Duration of data processing (planned duration): 1 year after the final completion of the claim enforcement procedure or the statute of limitations of the claim.

Recipients : In order to successfully enforce your claim, the Data Controller must forward your personal data to the law firm or other legal advisor providing legal representation; to a business company engaged in debt management.

In addition to the above, the following may also be recipients: postal and courier services, authorities, courts.

Website – contact form

The Data Controller operates a website at the web address www.rekavago.com. On the website, those interested in the Data Controller's services have the opportunity to contact the Data Controller. The contact form must include the name and e-mail address of the interested party, as well as the subject of the request and the message intended for the Data Controller.

The condition for sending the request is that the visitor declares that he has read the data processing information and gives his consent to data processing, which he can do by checking a checkbox. ^[1]

The purpose of data management is to enable contact with the Data Controller by sending the data necessary for contact.

Legal basis for data processing: data processing is based on your consent [GDPR. Article 6 (1) point a). You have the right to withdraw your consent to data processing at any time, which does not affect the lawfulness of data processing carried out before the withdrawal of consent.

The scope of the data processed: name, e-mail address, and possibly other personal data voluntarily provided in the text of the message.

Data source : your statement.

Duration of data management (planned duration): the Data Controller processes the data until the matter involved in the contact is closed (e.g. providing information, making an offer) or until the consent is withdrawn.

The consequence of not providing data: without providing the required data, the contact form cannot be submitted and contact cannot be made.

Data processors : the data controller may communicate your data to data processors contracted with it during data processing.

Name	Contact information (mailing address, email address, phone number)	Activity
LanceCom Communication	cs.mariann@lancecom.hu	marketing and communication service
Google Ireland Ltd.	support-eea@google.com	IT services (hosting, email service; website operation)

Data processing related to direct marketing

If you consent to this, the Data Controller may send you direct marketing inquiries about its services and promotions by email.

Purpose of data management: increasing professional trust in the Data Controller, marketing

Legal basis for data processing: data processing is based on your consent [GDPR. Article 6 (1) point a). You have the right to withdraw your consent to data processing at any time, which does not affect the lawfulness of data processing carried out before the withdrawal of consent.

Scope of processed data : name, e-mail address.

Data source : your statement.

Duration of data processing (planned duration): the Data Controller processes the data until the consent is withdrawn.

Data processors : the data controller may communicate your data to data processors contracted with it during data processing.

Name	Contact information (mailing address, email address, phone number)	Activity
LanceCom Communication	cs.mariann@lancecom.hu	marketing and communication service
Google Ireland Ltd.	support-eea@google.com	IT services (hosting, email service)

Processing of your personal data during social marketing communication

The Data Controller operates social media pages in order to promote its activities, inform customers and business partners, and as part of its marketing activities. The Company regularly publishes content on these pages that contains personal data (in particular images and audio recordings).

As part of this, we will collect your data recorded below, record it, take photos and videos, and publish this data on social media.

Purpose of data processing: promotion of the Data Controller's activities, informing customers and business partners, marketing

Legal basis for data processing: your consent [GDPR. Article 6 (1) point a). You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.

The scope of data processed: name, image, image and sound recording.

Source of data: your statement, image, or image and audio recording provided by you or made by the Data Controller.

Duration of data management (planned duration): the Data Controller processes the data until the content is deleted or consent is withdrawn.

Recipients : the Data Processor does not transfer the data to third parties.

Data processors : the Data Controller employs data processors during data processing:

Name	Contact information (mailing address, email address, phone number)	Activity
SocialPro Ltd.	store@rekavago.com	marketing and communication service
Meta Platforms Ireland Ltd.	4 Grand Canal Square, Dublin 2, Ireland	operating a social media page

You can access the publicly available data processing information of the data processor Facebook and Instagram here: https://www.facebook.com/privacy/policy/ and https://privacycenter.instagram.com/policy

Processing of personal data during marketing communication on the website

The Data Controller operates a website at www.rekavago.com in order to promote its activities, inform customers and business partners, and as part of its marketing activities.

In connection with this activity, the Data Controller publishes content on its website that also contains personal data of natural persons (typically photographs, video recordings). In this context, we collect your data recorded below from you, record it, take photographs, video recordings and publish this data on the website.

Purpose of data processing: promotion of the Data Controller's activities, informing customers and business partners, marketing

Legal basis for data processing: your consent [GDPR. Article 6 (1) point a). You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.

The scope of data processed: name, image, image and sound recording.

Source of data: your statement, image, or image and audio recording provided by you or made by the Data Controller.

Duration of data management (planned duration): the Data Controller processes the data until the content is deleted or consent is withdrawn.

Recipients : the Data Processor does not transfer the data to third parties.

Data processors : the Data Controller employs data processors during data processing:

Name	Contact information (mailing address, email address, phone number)	Activity
LanceCom Communication SocialPro Ltd.	cs.mariann@lancecom.hu store@rekagavo.com	marketing and communication service
Google Ireland Ltd.	support-eea@google.com	IT services (hosting, email service)

Data processing related to the prize draw organized by the Data Controller

Processing of data of participants in the prize draw for the purpose of conducting the prize draw

If the Data Controller, as the organizer, organizes a prize game, then for the purpose of conducting it, it must process the data of the participants in the prize game as players. The conditions of this data processing are as follows:

The purpose of data processing is to conduct the prize draw.

The legal basis for data processing is your consent [GDPR. Article 6 (1) point a). You have the right to withdraw your consent at any time, which does not affect the lawfulness of previous data processing.

The scope of the data processed: full name; telephone number; e-mail address.

Data source : your (participating player) statement.

Duration of data processing (planned duration): the Data Controller will destroy the documents containing the data of those players (e.g. participation ticket, lottery ticket, game coupon) that did not win on the day following the prize draw. The processing of the data of these players will continue until the end of the prize draw.

Consequences of failure to provide data: if data is not provided, the player cannot participate in the prize draw.

Recipients : the Data Controller does not transfer the data to third parties.

Data processors : the data controller may communicate your data to data processors contracted with it during data processing. These include the following:

Name	Contact information (mailing address, email address, phone number)	Activity
LanceCom Communication SocialPro Ltd.	cs.mariann@lancecom.hu store@rekagavo.com	marketing and communication service
Google Ireland Ltd.	support-eea@google.com	IT services (hosting, email service)

Processing of the winner's data for accounting and bookkeeping purposes

The Data Controller is obliged to issue an accounting document regarding the transfer of the prize, which must be kept for the period prescribed by law. This requires the processing of the winner's personal data (name, address, tax identification number) for purposes other than those mentioned above, as follows:

The purpose of data processing is: issuing an accounting document certifying the transfer of the prize, fulfilling tax obligations, and preserving the accounting document.

Legal basis for data processing: fulfillment of a legal obligation applicable to the Data Controller [GDPR. Article 6 (1) point c). The legislation prescribing data processing is in particular: Act C of 2000 on Accounting (hereinafter: Accounting Act) Section 169.

Scope of data processed: data included in the accounting document (transfer-receipt report): full name, address, tax identification number of the winner; signature of the recipient.

In the case of an authorized representative, the scope of the processed data includes the name and signature of the principal, as well as other personal data of the principal and the authorized representative that may be included in the authorization.

Source of data: your (winner) or your authorized representative's statement, authorization details.

Duration of data management (planned duration): 8 years from the date of issue of the given invoice or receipt.

Consequences of failure to provide data: in the event of failure to provide data, the winner may not receive the prize.

Recipients : the Data Controller does not transfer the data to third parties.

Data processors : the data controller may communicate your data to data processors contracted with it during data processing. These include the following:

Name	Contact information (mailing address, email address, phone number)	Activity
ACC-Assist Ltd.	office@acc-assist.hu	bookkeeping, accounting services
GLS Hungary Ltd. Hungarian Post Ltd. Google Ireland Ltd. UPS Hungary Ltd.	it@gls-hungary.com ugyfelszolgalat@posta.hu support-eea@google.com upshungary@ups.com	logistics, IT services (hosting, email service)

Data security measures – how we protect your personal data

Method of data processing

The Data Controller stores the personal data provided by the data subject on paper at the Data Controller's registered office or registered premises.

The electronically stored data is stored on the Data Controller's own devices, on bodies managed by external service providers, and in cloud storage.

Information security and organizational measures

The Data Controller shall ensure that the personal data of the data subject are protected by appropriate information security measures, including against unauthorized access or unauthorized modification. For example, the Data Controller shall keep its IT systems constantly up to date, ensure appropriate virus protection, use password protection in individual systems, and where available, double authentication. The Data Controller shall keep paper-based documents in a lockable room/cabinet, ensuring that only authorized persons have access to the documents.

The Data Controller shall take appropriate organizational measures to ensure that personal data are not made accessible to an unspecified number of persons. For example, it shall ensure that appropriate authorizations are assigned, thereby ensuring that only those who need access to the data, and to the extent necessary, to achieve the given purpose, have access to the data.

The Data Controller carefully selects the data processors it appoints and ensures the security of the data with an appropriate data processing contract.

Your rights

Exercising your rights

You may submit any requests or comments regarding the processing of your personal data to the Data Controller orally (in person) or in writing (in person or by means of a document delivered by an authorized representative, or by post), or – at least protected by an enhanced security electronic signature – electronically, using the above contact details of the Data Controller.

We will respond to your request as soon as possible, but no later than one month from the date of receipt, in writing or, if you submitted the request electronically, electronically. In the response, we will inform you of the action taken or the lack of action and your legal remedies.

Right of access

Pursuant to Article 15 of the GDPR, the data subject may request access to personal data concerning him or her as follows:

You have the right to receive feedback from the Data Controller as to whether your personal data is being processed and, if such processing is taking place, you have the right to access the personal data and the following information:

1. a) the purposes of data processing;

2. (b) the categories of personal data concerned;

3. (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;

4. (d) where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;

5. e) the right of the data subject to request from the Data Controller the rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data;

6. (f) the right to lodge a complaint with a supervisory authority;

7. g) if the data were not collected from the data subject, all available information on their source;

8. h) the fact of automated decision-making, including profiling, and at least in these cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

The Data Controller will provide you with a copy of the personal data subject to data processing upon request. For additional copies, the Data Controller may charge a reasonable fee based on administrative costs.

If you submit your request electronically, the information must be provided in a commonly used electronic format, unless you request otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.

Right to rectification

Pursuant to Article 16 of the GDPR, the data subject has the right to request the Controller to correct the personal data concerning him or her.

Upon your request, the Data Controller shall rectify inaccurate personal data concerning you without undue delay. Taking into account the purpose of the data processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

Right to erasure

Pursuant to Article 17 of the GDPR, the data subject has the right to request the Controller to erase personal data concerning him or her as follows:

You have the right to request the Data Controller to delete personal data concerning you, and the Data Controller is obliged to delete personal data without undue delay if one of the following reasons applies :

1. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

2. b) the data subject withdraws his/her consent which forms the basis for the data processing and there is no other legal basis for the data processing;

3. c) the data subject objects to the processing of data in the public interest, in the exercise of official authority or in the legitimate interests of the data controller (third party), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of data for the purpose of direct marketing;

4. d) the personal data have been processed unlawfully;

5. e) the personal data must be deleted to comply with a legal obligation imposed on the Controller by EU or Member State law ( Hungarian law );

6. f) the personal data were collected in connection with the provision of information society services.

Your above right to erasure may only be restricted if the following exceptions set out in the GDPR apply, i.e. if the following reasons exist, the further retention of personal data may be considered lawful:

1. if the exercise of the right to freedom of expression and information, or

2. if compliance with a legal obligation, or

3. if the performance of a task carried out in the public interest, or

4. if due to the exercise of public authority vested in the data controller, or

5. if it is in the public interest in the field of public health,

6. if for archiving purposes in the public interest, or

7. if for scientific and historical research purposes or for statistical purposes, or

8. if necessary for the establishment, exercise or defense of legal claims.

Right to restriction of data processing

Pursuant to Article 18 of the GDPR, the data subject has the right to request the Data Controller to restrict the processing of personal data concerning him or her as follows:

You have the right to request that the Data Controller restrict data processing if one of the following applies:

1. a) You contest the accuracy of the personal data, in which case the restriction shall apply for a period of time that allows the Controller to verify the accuracy of the personal data;

2. b) the processing is unlawful and you oppose the erasure of the data and instead request the restriction of its use;

3. c) the Data Controller no longer needs the personal data for the purposes of data processing, but you require them for the establishment, exercise or defense of legal claims; or

4. d) You have objected to the processing of your data in the public interest, in the exercise of official authority or in the legitimate interests of the controller (third party); in this case, the restriction shall apply for the period until it is determined whether the legitimate grounds of the Controller override those of the data subject.

If processing is restricted as described above, such personal data may only be processed, with the exception of storage, with your consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.

If you request the restriction of data processing, the Data Controller will inform you in advance of the lifting of the restriction of data processing.

Right to object

Pursuant to Article 21 of the GDPR, the data subject has the right to object to the processing of personal data concerning him or her by the Data Controller as follows:

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data for reasons of public interest or legitimate interest of the controller (or of a third party). In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Right to data portability

Pursuant to Article 20 of the GDPR, the data subject has the right to the portability of personal data concerning him or her as follows:

You have the right to receive the personal data concerning you, which you have provided to the Controller, in a structured, commonly used and machine-readable format and have the Controller transmit these data to another controller if:

1. if the legal basis for data processing is your consent or the performance of a contract with you

2. and data processing is done in an automated manner.

When exercising your right to data portability, you have the right to request the direct transmission of your personal data between data controllers, where technically feasible.

The right to data portability must not adversely affect the rights and freedoms of others.

Right to withdraw consent

6.8 Pursuant to Article 7(3) of the GDPR, the data subject has the right to withdraw consent to the processing of his or her personal data at any time as follows:

You have the right to withdraw your consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal. You can withdraw your consent in writing, or in the case of an electronic letter or declaration, at least in an electronic declaration with enhanced security, at the above contact details of the Data Controller.

Legal remedies

If you feel that your data has not been processed in accordance with the applicable laws or this notice, please let us know so that we can investigate the complaint and take the necessary measures. Please submit your request for legal redress verbally (in person) or in writing (in person or by means of a document delivered by an authorized representative, or by post), or - at least protected by an enhanced electronic signature - electronically, to our contact details above.

In the event of unlawful data processing experienced by you, you may initiate a civil lawsuit against the Data Controller and claim damages from the Data Controller. The court is competent to adjudicate the lawsuit. The lawsuit may also be initiated – at the choice of the data subject – before the court of his or her place of residence (you can view the list of courts and their contact details via the following link: http://birosag.hu/torvenyszekek ).

Without prejudice to other administrative or judicial remedies, each data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data concerning him or her infringes the GDPR.

National Data Protection and Freedom of Information Authority (NAIH)

address: 1055 Budapest, Falk Miksa street 9-11.

postal address: 1363 Budapest, P.O. Box: 9.

e-mail: ugyfelszolgalat@naih.hu

website: www.naih.hu

[1] This must always be ensured on the website.