Privacy Policy

EFFECTIVE:
FROM 01.04.2023 UNTIL REVOCATION

1. Data Controller’s Details:
Company Name: BIO-VET Kft.
Registered Office: 1045 Budapest, Berlini út 47-49. Company Registration Number: 01-09-379319
Tax Number: 10333370-2-41
Representative: Dr. Tibor Sándor Managing Director Phone Number: +3630/813 0360
E-mail Address: info@biovetkft.hu

2. Purpose of the Data Management Notice:
The data controller acknowledges as binding upon itself the content of this legal notice. The purpose of this Data Management Notice is to inform its clients, customers, and partners regarding the processing of their personal data.

The data controller processes personal data exclusively in accordance with the provisions of applicable legislation, strictly observing the requirements of data management and data protection regulations, taking into account the principles of lawfulness, fair procedure and transparency, purpose limitation, data minimization, accuracy, and limited storage.

The data controller takes all technical and organizational measures to process the personal data of its partners securely, in a manner prescribed by Regulation (EU) 2016/679 of the European Parliament and of the Council.

In accordance with the above, the data controller has transformed its everyday activities and developed its regulations, records, and document templates.

The data protection guidelines relating to the data controller’s data processing operations are continuously available at the data controller’s registered office and on its websites. The data controller reserves the right to change this notice at any time. Naturally, it will notify its audience of any changes in due time.

The data controller is committed to protecting the personal data of its clients and partners, considers respect for its customers’ right to informational self-determination as particularly important. The data controller treats personal data confidentially and takes all security, technical, and organizational measures that guarantee the security of the data. The data controller describes its data management practice below.

3. Personal, Material, and Temporal Scope of the Data Management Notice:
The personal scope of this Data Management Notice extends to the data controller, as well as to those natural persons whose data are contained in the data processing operations falling under the scope of this Notice, and also to those persons whose rights or legitimate interests are affected by the data processing.

The material scope of the Notice extends to all data processing arising during the data controller’s activities, except for so-called internal (e.g., employee-related) data processing operations, which are regulated in the data controller’s Data Management Policy.

This Notice enters into force on the date of approval and is valid until further notice, for an indefinite period.

4. Definition of Important Concepts:
Personal data: any information relating to an identified or identifiable natural person. An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Special data: all data belonging to special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.

Data processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure.

Data controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller.

Joint controllers: where the purposes and means of processing are determined jointly by two or more controllers, they shall be joint controllers.

Third party: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Data subject’s consent: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

5. Lawful data processing at the data controller:

Personal data are processed at the data controller exclusively in the following cases:

if the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
the processing is necessary for the performance of a contract to which the data subject is party,
the processing is necessary for compliance with a legal obligation to which the data controller is subject,
the processing is necessary in order to protect the vital interests of the data subject or of another natural person,
the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.

The data controller examines the lawfulness of data processing in every phase of its activity and processes only such data and only for such time for which it can justify the purpose and legal basis. In the event that any legal basis ceases to exist, data processing may only continue if the data controller is able to justify another appropriate legal basis.

As a main rule, the method of proving the legal bases is in writing, and in the case of a legal basis created by implied conduct it must also be examined whether it can be clearly proven afterwards. In case of doubt, with regard to the aspects of reasonableness and cost-effectiveness, efforts must be made to obtain written confirmation of data processing created by implied conduct.

In the case of data processing based on consent, the data subject gives written consent to the processing of his or her personal data. Consent is not subject to any formal requirements, but for the purposes of subsequent proof, written consent on paper or in electronic form is required.

Data processing based on the legal basis of compliance with a legal obligation is independent of the data subject’s consent, as the data processing is defined by law.

Regardless of the mandatory nature of the data processing, the data subject must be informed before the start of the data processing that the data processing is mandatory and cannot be avoided, and the data subject must be clearly and in detail informed, before the start of the data processing, of all significant facts relating to the processing of his or her data.

Under the GDPR (General Data Protection Regulation), it is also possible to process personal data where processing is necessary for the performance of a contract to which the data subject is party, or where the processing and collection of data are necessary in order to take steps at the request of the data subject prior to entering into a contract. The data controller may process personal data on the legal basis of performance of a contract for the purposes of entering into, performing, and terminating the contract.

6. Processing of personal data at the data controller:
The data controller manufactures and distributes food supplement products, veterinary medicinal products with therapeutic effect, and feed supplement products. In the course of carrying out these activities, it comes into contact with the personal data of natural persons. It carries out the following data processing activities:

A. In connection with its commercial activities, the data controller accepts orders in person, by telephone, by e-mail, via its website (www.synoguard.hu) or through its social media page. Buyers may be both natural persons and legal entities. In the case of an order, the data controller requests the buyer’s name, address, e-mail address, and telephone number. The legal basis for the processing of personal data is the performance of contractual obligations (General Data Protection Regulation Article 6(1)(b)). In the case of a legal entity, the personal data of the contact person are processed on the basis of the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice for the consideration of the products it distributes. The invoice contains the buyer’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

B. The data controller also cooperates with resellers, in which context its contractual partners may be both natural persons and legal entities. The conclusion of the contract is preceded by a request for a quotation by telephone, by e-mail, by using the contact form available on the websites (www.biovetkft.hu, www.synomax.hu), or by a message received via the social media page. The person requesting the quotation provides his or her name, telephone number, and e-mail address, to which the data controller sends the relevant quotation. If the quotation is rejected, the data subject’s personal data are deleted immediately, but no later than within 30 days. The legal basis for the processing of personal data is the creation of a contract (General Data Protection Regulation Article 6(1)(b)). If the quotation is accepted, a contractual relationship is established between the parties. The legal basis for the processing of personal data during the contractual relationship is the performance of the obligations undertaken in the contract (General Data Protection Regulation Article 6(1)(b)), and in the case of the contact person of a legal entity, the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice for the consideration of the products sold. The invoice contains the client’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

C. The commercial partners of the data controller also have the possibility to obtain the products distributed by the data controller within the framework of consignment sales. In such cases, the consignee carries out the sale in its own name but for the benefit of the principal (the data controller). The data controller concludes a consignment contract with the partner. The contract contains the partner’s name, address, e-mail address, and telephone number. In the case of a contract concluded with a natural person (sole entrepreneur), the legal basis for the processing of personal data is the performance of the obligations undertaken in the contract (General Data Protection Regulation Article 6(1)(b)). In the case of a legal entity, the personal data of the contact person are processed and the legal basis of the processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice to the consignee partner for the consideration of the products sold. Issuing the invoice is a statutory obligation, therefore the legal basis for the processing is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)).

D. The data controller also sells its products at fairs and other events. In such cases, the buyer indicates the intention to buy and selects the product he or she wishes to purchase. The data controller issues an invoice for the consideration of the product. The invoice contains the buyer’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of personal data is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

E. In the course of performing its tasks, the data controller processes the e-mail addresses and telephone numbers of its clients, partners, and customers for the performance of its contractual obligations (General Data Protection Regulation Article 6(1)(b)), or on the basis of their individual consent (General Data Protection Regulation Article 6(1)(a)).

F. In the course of its work, the data controller is also in a contractual relationship with subcontractors, suppliers, and service providers, which also provides a basis for the processing of personal data. In this case, the legal basis for the processing of personal data (in the case of a natural person or sole entrepreneur) is the performance of the obligations undertaken in the contract (General Data Protection Regulation Article 6(1)(b)), and in the case of the personal data of the contact person of a legal entity, the data subject’s explicit consent based on prior information (General Data Protection Regulation Article 6(1)(a)).

G. Natural persons applying to the data controller submit a curriculum vitae to the company. Data processing is also carried out in connection with the personal data contained in the curriculum vitae. The purpose of the data processing is to fill the advertised position or to use it in the case of a possible vacancy in the future and to find an employee with the appropriate qualifications. The legal basis for data processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller stores the curriculum vitae and the personal data contained therein for 3 months, after which it destroys them, unless the data subject specifies a longer period in his or her consent.

H. On its websites (www.biovetkft.hu, www.synoguard.hu, www.synomax.hu), the data controller presents its activities and products. During the operation of the www.biovetkft.hu and www.synoguard.hu websites, cookies are used that also collect personal data about visitors. The legal basis of the data processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). During the operation of the www.synomax.hu website, no cookies are used, therefore no personal data processing of this nature takes place on this site.

I. On the www.synoguard.hu and www.synomax.hu websites, some opinions of former customers regarding the products sold by the data controller are displayed. The data subject’s personal data and opinion are displayed on the website only if the data subject has given written consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)).

J. On the www.biovetkft.hu and www.synomax.hu websites, visitors have the opportunity to contact the data controller using a contact form. On the form, the interested party must provide his or her name, e-mail address, and telephone number. The purpose of the processing of personal data is to establish contact with the visitor of the website and with the person interested in the data controller’s products and services. If, following the contact, no order is placed for a product or no service is used, the personal data of the interested party are deleted immediately, but no later than within 30 days. The data controller processes the personal data for the purpose of concluding a contract, on this legal basis (General Data Protection Regulation Article 6(1)(b)). By filling in the form, the data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents.

K. On the www.biovetkft.hu website, the data controller provides visitors with the opportunity to ask questions about the products by filling in a form. On the form, the interested party must provide his or her name, e-mail address, and telephone number. The purpose of the processing of personal data is to answer questions about the product and to establish contact with the person interested in the data controller’s products. If, following the contact, no order is placed for the product, the personal data of the interested party are deleted immediately, but no later than within 30 days. The data controller processes the personal data for the purpose of concluding a contract, on this legal basis (General Data Protection Regulation Article 6(1)(b)). By filling in the form, the data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents.

L. On the www.synomax.hu website, visitors have the opportunity to rate and review the products sold by the data controller. For the purpose of rating and reviewing, the data controller requests the data subject’s name and e-mail address. By recording the comment and personal data, the visitor gives consent to the processing of his or her personal data and to their publication on the website. The legal basis for the processing of personal data is the data subject’s consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents. If the data subject so requests, it is also possible to save his or her personal data. In this case, when recording a subsequent comment, it is not necessary to provide the data again. The data controller does not use the personal data for any other purpose and does not make them accessible to third parties. On the website, only the data subject’s name is published with the comment or rating. The data controller processes the personal data recorded in this way until the withdrawal of the data subject’s consent. If the data subject withdraws consent, the data controller deletes the recorded personal data from its system immediately, but no later than within 30 days.

M. On the www.synomax.hu website, there is also the possibility to download a free publication (e-book). For this purpose, the data controller requests the data subject’s name and e-mail address. The data controller processes the personal data for the purpose of sending the e-book and establishing contact. By recording the personal data, the visitor gives consent to the processing of his or her personal data. The legal basis for the processing of personal data is the data subject’s consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents. The data controller does not use the personal data for any other purpose and does not make them accessible to third parties. The data controller processes the personal data recorded in this way until the withdrawal of the data subject’s consent or until the free e-book is downloaded. If the data subject withdraws consent or the download has taken place, the data controller deletes the recorded personal data from its system immediately, but no later than within 30 days.

N. On the www.synomax.hu website, the data controller provides the possibility to search, by municipality, for veterinary practices that distribute its products. The name of the practice/company and the veterinarian’s personal data are displayed on the website. The data subject’s personal data are published on the website only if the data subject has given prior written consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)).

O. On the www.synomax.hu website, the data controller presents the management of the Kft., with the personal data of the data subjects. The personal data of the data subjects are displayed on the website only if they have given prior written consent based on appropriate information. The legal basis of the data processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)).

P. For the purpose of collecting customer experience, the data controller uses a questionnaire available on the www.synomax.hu website. In the questionnaire, the data subject’s name and e-mail address are requested, and in return for the opinion, rating, and sharing of experiences, the data controller grants the respondent a discount from the consideration of the next purchase. The data subject declares that he or she has read the contents of the data controller’s Data Management Notice and also declares whether he or she gives consent to the processing of his or her personal data for the purpose of sending the information entitling to the discount and for the publication of the opinion. The data subject is entitled to the rights set out in the Data Management Notice and has the possibility to exercise these rights in the manner and at the locations specified therein. Accordingly, the legal basis for the processing of personal data in the course of sending newsletters is the data subject’s prior consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data controller processes the personal data recorded in this way until the withdrawal of the data subject’s consent or, if the data subject has not consented to the publication of the opinion with the inclusion of his or her personal data, until the information relating to the use of the discount has been sent. If the data subject withdraws consent or the discount has been sent, the data controller deletes the recorded personal data from its system immediately, but no later than within 30 days.

Q. On the www.biovetkft.hu website, visitors have the opportunity to recommend a given product by filling in a form. On the form, the data controller requests the name and e-mail address of the person making the recommendation, as well as the e-mail address of the person to whom the visitor wishes to recommend the product. The legal basis for the processing of personal data, in the case of the person making the recommendation, is the data subject’s prior consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)); in the case of the person to whom the product is recommended, it is the enforcement of the legitimate interests of a third party (the recommender) (General Data Protection Regulation Article 6(1)(f)). For the use of this legal basis, the data controller has prepared the relevant legitimate interest assessment test, which is available to all recommenders and data subjects.

The data controller deletes the personal data entered into its system in this way within 30 days following the recommendation.

R. At the data controller, it is also possible to subscribe to a newsletter by providing a name and e-mail address. The purpose of the processing of personal data is to send newsletters, direct marketing messages, and individual discounts to the data subject. When subscribing to the newsletter, the data subject declares that he or she has read the contents of the data controller’s Data Management Notice and also declares whether he or she gives consent to the processing of his or her personal data for marketing purposes. The data subject is entitled to the rights set out in the Data Management Notice and has the possibility to exercise these rights in the manner and at the locations specified therein. Accordingly, the legal basis for personal data processing during newsletter sending is the subscriber’s explicit and written consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)).

S. The data controller also operates a social media page where personal data are also processed. The legal basis for the processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)).

T. The data controller occasionally organizes prize games. In such cases, the personal data of the participants and the winner are processed. The data controller does not store the participants’ data in any of its systems after the draw; the winner’s data are processed for the purpose of transferring the prize. The data controller processes the personal data on the basis of the data subject’s consent (General Data Protection Regulation Article 6(1)(a)) and retains them with regard to the retention period set out in the law.

U. The data controller occasionally takes photo or video recordings of its clients and customers, and it may happen that clients send images taken by them. If a recognizable natural person is visible in the recording, the recording and its use – on the data controller’s websites, social media page, or in connection with other appearances – shall take place exclusively with the written, prior, voluntary consent of the data subject (in the case of a person under 18, of the legal representative), based on appropriate information. The legal basis for the processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)).

V. In the course of complaint handling in connection with the data controller’s activities, the purpose of data processing is to make it possible to submit the complaint, to identify the data subject and the complaint, to record the data that must be recorded by law, and to investigate the complaint and maintain contact in connection with its settlement.

In the case of a lodged complaint, administration – and thus the processing of personal data – is mandatory under Act CLV of 1997 on Consumer Protection. Accordingly, the legal basis for the processing of personal data is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)).

The data controller keeps a record of the data processing activities described above. The record also contains the deadlines set for the deletion of personal data. The record forms an annex to this Data Management Notice.

7. Data processors in relation with the data controller:
If processing is carried out on behalf of the data controller by another party, the data controller may only use such data processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the General Data Protection Regulation and ensure the protection of the rights of the data subjects.

The data controller hereby declares that in the course of its work it only enters into a relationship with such data processors that provide adequate guarantees of compliance with the GDPR and of implementing appropriate technical and organizational measures to ensure the protection of the rights of data subjects. The relevant declarations of the data processors are available.

By reading and acknowledging this Data Management Notice, data subjects accept that the data controller transfers their personal data to the data processors and joint controllers listed below.

– In connection with issuing invoices and operating the enterprise resource planning system, the partners of the data controller are:
▪ Kronos Trade Kereskedelmi és Szolgáltató Kft.
▪ 1054 Budapest, Alkotmány utca 20.
▪ info@actualugyvitel.hu
▪ (+36-1) 302-8888
▪ MiniCRM Zrt.
▪ 1075 Budapest, Madách Imre út 13-14.
▪ help@minicrm.hu
▪ +36 (1) 999 – 0402

– For the purpose of payment by bank card, the data controller’s data processor, who is also an independent data controller:
▪ OTP Mobil Szolgáltató Kft.
▪ 1143 Budapest, Hungária krt. 17-19.
▪ ugyfelszolgalat@simple.hu
▪ +36 1/20/30/70 3-666-611

The legal basis for the processing of personal data is the performance of the contract and, subsequently, compliance with the statutory retention obligation.

– A data processor (and an independent data controller in the course of performing its tasks) is the courier company used by the data controller:
▪ GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
▪ 2351 Alsónémedi, GLS Európa u. 2.
▪ info@gls-hungary.com
▪ https://gls-group.eu/HU/hu/kontakt/elerhetoseg

– The company providing the hosting of the data controller’s websites also qualifies as a data processor:
▪ Websupport Magyarország Kft.
▪ 1132 Budapest, Victor Hugo u. 18-22.
▪ +36 1 700 2323
▪ info@mhosting.hu

– The following partner of the data controller also provides a data analytics and marketing automation platform:
▪ Klaviyo, Inc.,
125 Summer Street, Floor 6,
Boston, MA, 02110,
United States of America,
▪ The contact person of the data recipient can be reached at privacy@klaviyo.com.

– A partner that has access rights to the data controller’s website also qualifies as a data processor:
▪ @ ÜSZI-SOFT @ Számítástechnika
Gabriella Bertók
3000 Hatvan, Hatvanas utca 4. 1/1.
▪ Emese Pócsik
8248 Nemesvámos, Kossuth Lajos u. 256.

– The provider of the data controller’s e-mail system also qualifies as a data processor:
▪ Websupport Magyarország Kft.
▪ 1132 Budapest, Victor Hugo u. 18-22.
▪ +36 1 700 2323
▪ info@mhosting.hu

– Due to the use of the Facebook page, a data processor and joint controller partner is:
▪ Meta Platforms Ireland Ltd.
▪ 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

– A partner that has access rights to the data controller’s social media page also qualifies as a data processor:
▪ Ágnes Fekete-Katona sole entrepreneur
▪ 2131 Göd, Alsógöd, Béke út 37.
▪ agdesign.hu@gmail.com

– Due to the Google Analytics service used by the www.biovetkft.hu website and the use of Google Forms, a data processor is:
▪ Google Ireland Limited
▪ Gordon House, Barrow Street, Dublin 4, Ireland

– Due to the use of the Facebook page, a data processor and joint controller partner is:
▪ Meta Platforms Ireland Ltd.
▪ 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

The contracted data processor and data controller partners process the personal data of the partners exclusively on the basis of the instructions given by the data controller (unless applying a legal requirement), subject to a confidentiality obligation.

8. Processing of data in relation to contracts concluded by the data controller:
Customer contracts:
In connection with its commercial activities, the data controller accepts orders in person, by telephone, by e-mail, via its website (www.synoguard.hu) or through its social media page. The buyers may be both natural persons and legal entities. In the case of an order, the data controller requests the buyer’s name, address, e-mail address, and telephone number. The legal basis for the processing of personal data is the performance of contractual obligations (General Data Protection Regulation Article 6(1)(b)). In the case of a legal entity, the personal data of the contact person are processed, which is carried out on the basis of the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice for the consideration of the products it distributes. The invoice contains the buyer’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

The data controller also cooperates with resellers, in which context its contractual partners may be both natural persons and legal entities. The conclusion of the contract is preceded by a request for a quotation by telephone, by e-mail, by using the contact form available on the websites (www.biovetkft.hu, www.synomax.hu), or by a message received via the social media page. The person requesting the quotation provides his or her name, telephone number, and e-mail address, to which the data controller sends the relevant quotation. If the quotation is rejected, the data subject’s personal data are deleted immediately, but no later than within 30 days. The legal basis for the processing of personal data is the creation of a contract (General Data Protection Regulation Article 6(1)(b)). If the quotation is accepted, a contractual relationship is established between the parties. The legal basis for the processing of personal data during the contractual relationship is the performance of the obligations undertaken in the contract (General Data Protection Regulation Article 6(1)(b)), and in the case of the contact person of a legal entity, the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice for the consideration of the products it has sold. The invoice contains the client’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

The commercial partners of the data controller also have the possibility to obtain the products distributed by the data controller within the framework of consignment sales. In such cases, the consignee carries out the sale in its own name but for the benefit of the principal (the data controller). The data controller concludes a consignment contract with the partner. The contract contains the partner’s name, address, e-mail address, and telephone number. In the case of a contract concluded with a natural person (sole entrepreneur), the legal basis for the processing of personal data is the performance of the obligations undertaken in the contract (General Data Protection Regulation Article 6(1)(b)). In the case of a legal entity, the personal data of the contact person are processed, and in such cases the legal basis of the processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice to the consignee partner for the consideration of the products sold. Issuing the invoice is a statutory obligation, therefore the legal basis for the processing is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)).

The data controller also sells its products at fairs and other events. In such cases, the buyer indicates the intention to buy and selects the product he or she wishes to purchase. The data controller issues an invoice for the consideration of the product. The invoice contains the buyer’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of personal data is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

Supplier contracts:
The data controller also processes the contact details (name, e-mail address, telephone number) of its suppliers and is in contact with service provider and subcontractor companies as well. For the purpose of maintaining contact with partners, personal data are also processed in these cases (the personal data of the contact person or the natural person, sole entrepreneur). The legal basis for the processing of personal data is the performance of the obligations undertaken in the contract (General Data Protection Regulation Article 6(1)(b)), or the contact person’s consent (General Data Protection Regulation Article 6(1)(a)).

The data controller completes a consent declaration with the contact persons of the companies, in which it informs them of their rights relating to personal data and requests their consent to process their data. In such cases, the legal basis for the processing of personal data is the data subject’s explicit written consent, based on appropriate information, to the data processing (General Data Protection Regulation Article 6(1)(a)). If the contract concluded with the partner has been terminated and there is no statutory retention obligation regarding the retention of the data and documents, the telephone numbers and e-mail addresses are deleted. The data controller stores the personal data contained in the contract and on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

9. Processing of invoices issued to buyers and the personal data contained therein:
The data controller issues invoices to its buyers for the consideration of the products it sells. The invoice contains the buyer’s name, address and, where applicable, tax number. The data controller issues the invoice in order to comply with a legal obligation. The legal basis for the processing of the personal data on the invoice is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

10. Children’s data, processing of special categories of personal data:
The data controller sells its products exclusively to persons over 18 years of age.

By participating in prize games, by subscribing to the newsletter on the data controller’s websites www.biovetkft.hu and www.synomax.hu, by rating products on the www.synomax.hu website, by downloading the free e-book and filling in the Google questionnaire, as well as by giving consent to the operation of cookies on the websites www.biovetkft.hu and www.synoguard.hu, the data subject declares that he or she has reached the age of 16. A person under the age of 16 may not participate in prize games, may not subscribe to the newsletter, may not rate the product, may not download the free e-book, may not fill in the questionnaire, and may not consent to the data collection by cookies used by the websites (www.biovetkft.hu, www.synoguard.hu), in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

The data controller does not record any special data that is brought to or comes to its knowledge. If such data has entered any of its systems without the data controller’s knowledge, it will be deleted from the system immediately after its detection.

11. Retention of e-mail addresses and telephone numbers at the data controller:
In the course of its activities, the data controller also becomes aware of the e-mail addresses and telephone numbers of its partners, buyers, and clients. The personal data that enter its system in this way are processed primarily for the purpose of fulfilling its contractual obligations (General Data Protection Regulation Article 6(1)(b)). If the contract concluded with the partner has been terminated and there is no statutory retention obligation regarding the retention of the data and documents, the telephone numbers and e-mail addresses are deleted. In some cases, the data controller still has a legitimate interest in retaining the data; in such cases, it requests the data subject’s explicit written consent to the retention of his or her personal data (General Data Protection Regulation Article 6(1)(a)).

12. Processing of applications and curricula vitae received by the data controller:
Natural persons applying to the data controller submit a curriculum vitae to the company. If the curriculum vitae is submitted because the data controller is looking for an employee and has advertised a position, the curriculum vitae may be used exclusively in relation to that position.

If the applicant does not meet the requirements relating to the advertised position and another candidate is selected, the curriculum vitae is destroyed immediately. The data controller may retain the application only on the basis of the data subject’s explicit, unambiguous, and voluntary consent (General Data Protection Regulation Article 6(1)(a)), provided that its retention is necessary for the achievement of the purpose of data processing.

The data controller does not place “anonymous” job advertisements (those job advertisements in which the employer does not indicate its name and therefore, at the time of sending the application, applicants cannot know which employer they are applying to), as this would be contrary to the requirement of prior information concerning the identity of the data controller. Whenever the data controller places a job advertisement, it informs data subjects of its identity.

If the applicant has sent a curriculum vitae to the data controller voluntarily, without a job advertisement, the data controller asks the applicant to declare whether he or she consents to the processing of his or her personal data by the data controller. Sending the curriculum vitae does not mean that the data subject also consents to the retention of the application material by the data controller. It is also important that the data controller may use the curriculum vitae exclusively in relation to vacancies in the positions specified by the job applicant. As a general rule, curricula vitae are stored for 3 months, unless the data subject specifies a longer period in his or her consent.

In the course of assessing the job application, the data controller checks and obtains information from the applicant’s profile page on social media only if the data subjects have been informed of this in advance. Even in such cases, it only views public data and takes into account in the selection process exclusively such information that is relevant to the job application or the position. The profile page of the applicant is under no circumstances saved or stored, and is not forwarded to third parties.

If the data subject is not selected for the given position, the data controller informs him or her of this fact and of the reason for the rejection.

13. Taking photographs and video recordings at the data controller:
The data controller occasionally takes photo or video recordings of its clients and customers, and it may occur that clients send images taken by them. If a recognizable natural person is visible in the recording, the recording and its use – on the data controller’s websites, social media page, or in connection with other appearances – shall take place exclusively with the written, prior, voluntary consent of the data subject (in the case of a person under 18, of the legal representative), based on appropriate information. The legal basis for the processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)).
If the data subject withdraws consent and requests the termination of the use of the recording or its deletion, the data controller complies with this request without delay.

14. Websites of the data controller:
The data controller presents its activities and the products it distributes to interested parties on its own websites (www.biovetkft.hu, www.synoguard.hu, www.synomax.hu).
The www.biovetkft.hu and www.synoguard.hu websites of the data controller use cookies during their operation. The legal basis for the processing of the personal data obtained by them is the visitor’s consent (General Data Protection Regulation Article 6(1)(a)). The www.synomax.hu website does not use cookies during its operation, therefore no personal data processing of this nature takes place on this site.

On the www.biovetkft.hu website, the following cookies are used during operation:
– UN_cookie_allow
▪ duration: 1 year
▪ type: strictly necessary

– UN_cookie_close
▪ duration: 1 year
▪ type: strictly necessary

– UN_cart_0
▪ duration: 1 year
▪ type: strictly necessary

– UN_last_prod
▪ duration: 2 months
▪ type: strictly necessary

– UnasID
▪ duration: until the end of the browsing session
▪ type: strictly necessary

– UnasServiceProxyID
▪ duration: until the end of the browsing session
▪ type: strictly necessary

– _ga
▪ duration: 2 years
▪ type: statistical – Google Analytics

– _ga_5XRNG35B1S
▪ duration: 2 years
▪ type: statistical – Google Analytics

On the www.synoguard.hu website, the following cookies are used during operation:
– woocommerce_cart_hash
▪ duration: until the end of the browsing session
▪ type: strictly necessary

– woocommerce_items_in_cart
▪ duration: until the end of the browsing session
▪ type: strictly necessary

– wp_woocommerce_session_b2eebdd515dca18f47444181d17f256d
▪ duration: 2 days
▪ type: strictly necessary

Cookies:
Tasks of cookies:
– They collect information about visitors and their devices.
– They remember visitors’ individual settings, which may be used.
– They facilitate the use of the websites.
– They provide a quality user experience.

For the purpose of personalized service, a small data package, a so‑called cookie, is placed on the user’s computer and read back during a later visit. If the browser sends back a previously saved cookie, the service provider handling the cookie has the opportunity to link the user’s current visit with previous ones, but only in relation to its own content.

Strictly necessary, session cookies:
The purpose of these cookies is to allow visitors to browse the websites completely and smoothly, to use their functions and the services available there. The validity period of such cookies lasts until the end of the session (browsing); when the browser is closed, this type of cookie is automatically deleted from the computer or other device used for browsing.

The data subject’s choice regarding cookies:
Browser cookies:
In the browser settings, the data subject can accept or reject new cookies and delete existing cookies. It is also possible to set the browser to notify the user each time new cookies are placed on the computer or other device. Further information on managing cookies can be found in the browser’s help function.
If the visitor decides to disable some or all cookies, he or she will not be able to use all functions of the websites.

Third‑party cookies (analytics, statistics):
Use of Google Analytics (analytics, statistics):
The www.biovetkft.hu website of the data controller also uses third‑party cookies from Google Analytics. By using the Google Analytics web analytics and statistical service, the data controller collects information on how visitors use the website. The data are used for the purpose of developing the website and improving the user experience. These cookies also remain in the visitor’s browser on the computer or other device used for browsing until they expire or until the visitor deletes them.

If websites or applications use the Google Analytics service together with other Google advertising products – such as Google Ads – they may also collect additional advertising identifiers. Users can disable this service in the Ads Settings and can modify the settings relating to the use of cookies.

Google Analytics collects users’ IP addresses in order to protect the security of the service and to provide website owners with an idea of the countries, regions, or cities from which their visitors come (this is also called IP geolocation). Google Analytics offers the possibility of masking the IP addresses collected; however, website owners can still see users’ IP addresses even if they do not use the Google Analytics service.

Within Google Analytics, the IP address transmitted by the visitor’s browser is not merged with other Google data. The storage of cookies can be prevented by appropriate browser settings; however, in this case the visitor may not be able to fully use all functions of the website.

In addition, the visitor can prevent Google from collecting and processing data generated by cookies and relating to the use of the website (including the IP address) by downloading and installing the browser plug‑in available at the link below. The current link is: http://www.google.com/policies/privacy/ads/.

Google acts as a data processor in Google Analytics and thus in relation to the data controller. Under the provisions of the General Data Protection Regulation (GDPR), Google Analytics is the data processor because Google Analytics collects and processes data on behalf of its customers (such as the data controller), in accordance with the instructions of these customers. Google may use the data only under the terms of the contracts concluded with Google Analytics customers and in accordance with the settings specified by customers in the interface of its products.

Google Analytics collects first‑party cookies, device/browser data, IP addresses, and activities performed on the website/application. It collects these data because they enable it to measure and record in statistical reports the actions users perform on websites and/or in applications that use the Google Analytics service. Customers can customize cookies and the scope of data collected using functions such as cookie settings, User‑ID, Data Import, and Measurement Protocol.

For customers using the Google Analytics SDK for applications, Google collects an app instance identifier. This is a number that the system generates randomly when the user first installs an application. Google Analytics uses IP addresses to infer visitors’ geographical location and to protect the service and its customers. Customers can enable a function called IP masking, in which case Google Analytics uses only part of the IP address collected instead of the full IP address. Furthermore, if required, customers can override IP addresses using the IP override function.

Google uses the data managed in the Google Analytics service to provide its customers with the Google Analytics measurement service. With the help of identifiers – such as cookies and app instance identifiers – it measures what actions users perform on customers’ websites and/or applications. IP addresses are used to maintain the security of the service and to provide website owners with an overview of the geographical areas from which their users arrive.

By accepting the use of cookies on the data controller’s websites (www.biovetkft.hu, www.synoguard.hu), the data subject declares that he or she has reached the age of 16. A person under the age of 16 may not make a statement on the acceptance or rejection of cookies used by the websites, in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

Processing of personal data during purchases on the website:
In connection with its commercial activities, the data controller also accepts orders through its website (www.synoguard.hu). The buyers may be both natural persons and legal entities. In the case of an order, the data controller requests the buyer’s name, address, e‑mail address, and telephone number. The legal basis for the processing of personal data is the performance of contractual obligations (General Data Protection Regulation Article 6(1)(b)). In the case of a legal entity, the personal data of the contact person are processed, which is carried out on the basis of the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller issues an invoice for the consideration of the products it distributes. The invoice contains the buyer’s name, address and, where applicable, tax number. Issuing the invoice is a statutory obligation of the data controller. The legal basis for the processing of the personal data on the invoice is compliance with a legal obligation (General Data Protection Regulation Article 6(1)(c)). The data controller stores the personal data on the invoice for 8 years in order to comply with the retention obligation laid down in Section 169 of the Accounting Act.

Processing of personal data when publishing reviews:
On the www.synoguard.hu and www.synomax.hu websites of the data controller, some opinions of former customers regarding the products sold by the data controller are displayed. The personal data and opinion of the reviewer are displayed on the website only if the data subject has given written consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data controller processes the personal data until the withdrawal of the data subject’s consent.

Processing of personal data when using the contact form:
On the www.biovetkft.hu and www.synomax.hu websites, visitors have the opportunity to contact the data controller using a contact form. On the form, the interested party must provide his or her name, e‑mail address, and telephone number. The purpose of the processing of personal data is to establish contact with the visitor of the website and with the person interested in the data controller’s products and services. If, following the contact, no order is placed for a product or no service is used, the personal data of the interested party are deleted immediately, but no later than within 30 days. The data controller processes the personal data for the purpose of concluding a contract, on this legal basis (General Data Protection Regulation Article 6(1)(b)). By filling in the form, the data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents.

Processing of personal data when using the product information form:
On the www.biovetkft.hu website, the data controller provides visitors with the opportunity to ask questions about the products by filling in a form. On the form, the interested party must provide his or her name, e‑mail address, and telephone number. The purpose of the processing of personal data is to answer questions about the product and to establish contact with the person interested in the data controller’s products. If, following the contact, no order is placed for the product, the personal data of the interested party are deleted immediately, but no later than within 30 days. The data controller processes the personal data for the purpose of concluding a contract, on this legal basis (General Data Protection Regulation Article 6(1)(b)). By filling in the form, the data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents.

Processing of personal data when rating products:
On the www.synomax.hu website, visitors have the opportunity to rate and review the products sold by the data controller. For the purpose of rating and reviewing, the data controller requests the data subject’s name and e‑mail address. By recording the comment and personal data, the visitor gives consent to the processing of his or her personal data and to their publication on the website. The legal basis for the processing of personal data is the data subject’s consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents. If the data subject so requests, it is also possible to save his or her personal data. In this case, when recording a subsequent comment, it is not necessary to provide the data again. The data controller does not use the personal data for any other purpose and does not make them accessible to third parties. On the website, only the data subject’s name is published with the comment or rating. The data controller processes the personal data recorded in this way until the withdrawal of the data subject’s consent. If the data subject withdraws consent, the data controller deletes the recorded personal data from its system immediately, but no later than within 30 days.

The data subject declares, in connection with rating products on the data controller’s website, that he or she has reached the age of 16. A person under the age of 16 may not post a rating of the data controller’s products, in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

Processing of personal data when downloading the free e‑book:
On the www.synomax.hu website, there is also the possibility to download a free publication (e‑book). For this purpose, the data controller requests the data subject’s name and e‑mail address. The data controller processes the personal data for the purpose of sending the e‑book and establishing contact. By recording the personal data, the visitor gives consent to the processing of his or her personal data. The legal basis for the processing of personal data is the data subject’s consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data subject declares that he or she has read the Data Management Notice of the data controller and has acknowledged its contents. The data controller does not use the personal data for any other purpose and does not make them accessible to third parties. The data controller processes the personal data recorded in this way until the withdrawal of the data subject’s consent or until the free e‑book is downloaded. If the data subject withdraws consent or the download has taken place, the data controller deletes the recorded personal data from its system immediately, but no later than within 30 days.

The data subject declares, in connection with downloading the free e‑book on the data controller’s website, that he or she has reached the age of 16. A person under the age of 16 may not download an e‑book from the website in this way, in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

Processing of personal data when listing veterinary practices distributing the products:
On the www.synomax.hu website, the data controller provides the possibility to search, by municipality, for veterinary practices that distribute its products. The name of the practice/company and the veterinarian’s personal data are displayed on the website. The data subject’s personal data are published on the website only if the data subject has given prior written consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data controller processes the personal data until the withdrawal of the data subject’s consent.

Processing of personal data when presenting the management:
On the www.synomax.hu website, the data controller presents the management of the Kft., with the personal data of the data subjects. The personal data of the data subjects are displayed on the website only if they have given prior written consent based on appropriate information. The legal basis of the data processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)). The data controller processes the personal data until the withdrawal of the data subject’s consent.

Processing of personal data when completing the questionnaire used to collect customer experience:
For the purpose of collecting customer experience, the data controller uses a questionnaire available on the www.synomax.hu website. In the questionnaire, the data subject’s name and e‑mail address are requested, and in return for the opinion, rating, and sharing of experiences, the data controller grants the respondent a discount from the consideration of the next purchase. The data subject declares that he or she has read the contents of the data controller’s Data Management Notice and also declares whether he or she gives consent to the processing of his or her personal data for the purpose of sending the information entitling to the discount and for the publication of the opinion. The data subject is entitled to the rights set out in the Data Management Notice and has the possibility to exercise these rights in the manner and at the locations specified therein. The legal basis for the processing of personal data is the data subject’s prior consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)). The data controller processes the personal data recorded in this way until the withdrawal of the data subject’s consent or, if the data subject has not consented to the publication of the opinion with the inclusion of his or her personal data, until the information relating to the use of the discount has been sent. If the data subject withdraws consent or the discount has been sent, the data controller deletes the recorded personal data from its system immediately, but no later than within 30 days.

The data subject declares, in connection with completing the questionnaire available on the data controller’s website, that he or she has reached the age of 16. A person under the age of 16 may not complete the questionnaire, in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

Processing of personal data when recommending a product:
On the www.biovetkft.hu website, visitors have the opportunity to recommend a given product by filling in a form. On the form, the data controller requests the name and e‑mail address of the person making the recommendation, as well as the e‑mail address of the person to whom the visitor wishes to recommend the product. The legal basis for the processing of personal data, in the case of the person making the recommendation, is the data subject’s prior consent based on appropriate information (General Data Protection Regulation Article 6(1)(a)); in the case of the person to whom the product is recommended, it is the enforcement of the legitimate interests of a third party (the recommender) (General Data Protection Regulation Article 6(1)(f)). For the use of this legal basis, the data controller has prepared the relevant legitimate interest assessment test, which is available to all recommenders and data subjects. The data controller deletes the personal data entered into its system in this way within 30 days following the recommendation.

15. Subscription to the newsletter:
At the data controller, it is also possible to subscribe to a newsletter. When subscribing to the newsletter, the data subject declares that he or she has read the contents of the data controller’s Data Management Notice and also declares that he or she gives consent to the processing of his or her personal data for marketing purposes (for the purpose of sending newsletters). The data subject is entitled to the rights set out in the Data Management Notice and has the possibility to exercise these rights in the manner and at the locations specified therein. Accordingly, the legal basis for personal data processing during newsletter sending is the subscriber’s explicit and written consent (General Data Protection Regulation Article 6(1)(a)).

The purpose of data processing in connection with newsletter sending is to provide the recipient with comprehensive general or personalized information about new developments and latest news at the data controller, in accordance with the relevant and applicable legislation. Subscription to the newsletter and/or direct marketing mailings is based on voluntary consent; the data controller naturally provides the possibility for the data subject to withdraw consent at any time and unsubscribe from the newsletter.

By subscribing to the newsletter on the data controller’s websites (www.biovetkft.hu, www.synomax.hu), the data subject declares that he or she has reached the age of 16. A person under the age of 16 may not subscribe to the newsletter, in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

16. Social media page of the data controller:
The data controller also operates a Facebook page, where personal data are also processed. The data controller also promotes its activities and presents its products on its Facebook page.

https://www.facebook.com/synomax

The data controller also provides comprehensive personal support via Facebook. If someone addresses a question to it via Facebook, it endeavors to answer it as soon as possible. The data that come to its knowledge on the Facebook page are used exclusively to answer the question and not for further advertising purposes.

The purpose of using the Facebook page is: advertising on social media platforms, communicating information. Facebook may also use the data for its own purposes, including the profiling of the data subject and targeting him or her with advertisements.

In order to be able to contact the data controller via Facebook, one must log in. For this purpose, Facebook also requests, stores, and processes personal data as appropriate. The data controller has no influence on the nature, scope, and processing of these data and does not receive personal data from the operator of Facebook. Further information on this can be found on the Facebook page.

The data controller processes the personal data of followers on the Facebook page on the basis of their consent (General Data Protection Regulation Article 6(1)(a)); consent is deemed to have been given by the fact that the given person likes or follows the page or its posts, or writes a comment on them.

17. Prize games
The data controller occasionally organizes prize games. In such cases, the personal data of the participants and the winner are processed. The data controller does not store the participants’ data in any of its systems after the draw; the winner’s data are processed for the purpose of transferring the prize. The data controller processes the personal data on the basis of the data subject’s consent (General Data Protection Regulation Article 6(1)(a)) and retains them with regard to the retention period set out in the law.

The data subject declares, in connection with participation in online prize games, that he or she has reached the age of 16. A person under the age of 16 may not participate in a prize game, in view of the fact that, pursuant to Article 8(1) of the General Data Protection Regulation (GDPR), the validity of the legal statement containing his or her consent to data processing requires the permission of his or her legal representative. The data controller is not in a position to verify the age and legal capacity of the person giving consent, therefore the data subject warrants that the data provided are true.

18. Processing of personal data when using cloud-based applications:
The data controller uses cloud-based services primarily for storing, backing up, and sharing documents. The common feature of such services is that they are provided not by the user’s computer but by a remote server, a server center that can be located anywhere in the world. Online storage services also provide such services. The great advantage of cloud applications is that they provide information technology storage and processing capacity that is essentially independent of geographical location, highly secure, and flexibly expandable. In these cases, the cloud service provider is considered a data processor who processes personal data in the interest of the data controller. Cloud service providers are obliged to handle personal data confidentially and may only perform data processing on the instructions of the data controller.

The data controller selects its partners providing cloud services with the greatest possible care, takes all generally expected measures to conclude contracts with them that also take into account the data security interests of its clients and customers, ensures that their data management principles are transparent to it, and regularly checks data security.

Cloud-based storage spaces are password-protected; only the data controller can access the data stored there.

The partners of the data controller expressly consent to the data transfer necessary for the use of cloud-based applications by accepting this Data Management Notice. The legal basis of the data processing is the data subject’s consent (General Data Protection Regulation Article 6(1)(a)).

19. Complaint handling in connection with the data controller’s activities:
In the course of complaint handling in connection with the data controller’s activities, the purpose of data processing is to make it possible to submit the complaint, to identify the data subject and the complaint, to record the data that must be recorded by law, and to investigate the complaint and maintain contact in connection with its settlement.

The data controller retains the minutes taken of the complaint and a copy of the response for 3 years; accordingly, it also processes the personal data during this period.

20. Security of data processing:
The data controller undertakes to ensure the security of data and to take and maintain the technical and organizational measures and procedural rules that ensure that the data collected, stored, or processed are protected and prevent their destruction, unauthorized use, and unauthorized alteration. It also undertakes to call upon all third parties to whom it transmits or transfers data to comply with the requirement of data security.

The data controller ensures that unauthorized persons cannot access, disclose, transmit, modify, or delete the processed data. Only the data controller and the data processor(s) it uses may become aware of the processed data; it does not transfer them to third parties who are not authorized to become aware of the data.

The data controller pays particular attention to the security of the personal data of its clients and customers. It acts in full compliance with legal provisions and requires this from all its partners as well. The protection of personal data includes physical data protection (storage of documents in a lockable room) as well as IT protection (use of firewall, antivirus, password protection).

The data controller stores the personal data provided by the data subject primarily on the servers equipped with standard protection systems of the data processor(s) specified in this Data Management Notice, partly on its own IT devices, and in the case of paper data carriers at its registered office, appropriately locked away.

Data subjects acknowledge and accept that, in the case of providing their personal data, the protection of data cannot be fully guaranteed on the internet and in computer systems. In the event of unauthorized access or data disclosure – despite the data controller’s efforts – it is necessary to proceed as set out in this notice.

21. Rights of data subjects:
– Transparent information:
This Data Management Notice also serves the purpose of providing clear, concise, transparent, and understandable information about the data processing activities applied at the data controller.

– Right of access:
The data subject is entitled to obtain from the data controller confirmation as to whether personal data concerning him or her are being processed, and, where such processing is taking place, the data subject is entitled to access to the personal data and the following information:

the purposes of the processing,
the categories of personal data concerned,
the recipients to whom the personal data have been disclosed,
the envisaged period for which the personal data will be stored.