Toto sa skutočne vráti!

Privacy Notice

Table of contents

1. Purpose of the Privacy Notice

The goal of our Privacy Notice is to provide all necessary information about processing the personal data of natural persons and representatives of legal entities (hereinafter: Users) in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and assist Users in exercising their rights under Section 4. Our services are available at www.flatloop.sk and its associated websites.

The legal basis of our information obligation is Article 12 of Regulation 2016/679 of the European Parliament and Council (hereinafter: GDPR), Section 16 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Privacy Act), and Section 4 of Act CVIII of 2001 on e-commerce and certain issues regarding information society services (hereinafter: E-commerce Act).

This Notice was made in consideration of the GDPR, Privacy Act and other regulations applicable to individual data processing activities. The applicable regulations are enclosed in Annex 10.1, the definition of key terms is enclosed in Annex 10.2, and data subjects’ rights are defined in detail in Annex 10.3.

This Notice was created and is applied in the spirit of the findings in the recommendation of the National Authority for Data Protection and Freedom of Information (NAIH) on the privacy requirements of prior information, Article 5 of the GDPR, particularly Article 5(2) on accountability.

The personal data protection practices of the European Union are also observed, accordingly the guidelines of Working Party 29 of the European Commission are also adopted in our processing practices.

Our activities are governed by Hungarian law, however, in the case of cross-border sales, the law at the customer’s jurisdiction shall apply to consumer protection and warranty matters.

2. Data of the controller

  • Name: Multinvent Kft.
  • Registered seat: 2030 Érd, Ciklámen utca 3/A.
  • Company registration number: 13-09-168291
  • Tax number: 24832827-2-13
  • E-mail: info@flatloop.sk
  • Phone: +36209806314

3. Data processing

This section details the key conditions of procession required by the GDPR and other relevant regulations from controllers.

3.1. Data processing concerning contacting and communication

You can contact us via our contacts on the website. Also, by communicating with our business partners, we process the personal data of their contact persons. The details of these processing are described hereunder.

3.1.1. Processed personal data and purpose of processing
personal datapurpose of processinglegal basis of processing
nameidentification of the User, or the contact person of our business partnerthe data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]; in the case of contact person of our business partner processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR]
phone numbercontacting and communication with the User, or the contact person of our business partnerthe data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]; in the case of contact person of our business partner processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR]
e-mail addresscontacting and communication with the User, or the contact person of our business partnerthe data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]; in the case of contact person of our business partner processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR]
3.1.2. Legal basis of processing

If you contact us, we process your personal data for the purpose in Section 3.2.1. based on your freely given consent implied by way of contacting us by phone or email (article 6 (1) a) of GDPR).

Where we use Users’ data for purposes other than they were collected, we inform the Users thereof in advance and obtain their prior consent, and give an opportunity to object to processing (cf. Section 9.1.).

If you, as the representative of our business partners provide your personal data to communicate with us, the legal basis of processing personal data is our legitimate interest and our business partners (Article 6 (1) f) of GDPR). It is each Party’s legitimate interest to maintain effective business communication during the use of the Website and the communication between partners, and to be able to inform each other’s representatives about all key circumstances concerning our contract. Since it is the part of your scope of duty as the representative of our business partner, in our view, processing your name and contact data does not restrict disproportionately your privacy and freedom of self-determination. The contact persons of our business partners may object to such processing.

3.1.3. Duration of processing

If you contact us through our website, we process your personal data until the withdrawal of your consent. You have the right to withdraw your consent at any time via email. The withdrawal of consent does not affect the legal basis of processing based on consent before its withdrawal.

 

In relation to the processing of the personal data of our business partners’ contact persons, we process their personal data until the personal data are no longer necessary in relation to the purposes for which they were collected or as long as it is permitted by the relevant legal provisions (5 years after the performance or the termination of the contract pursuant to the Hungarian Civil Code,  or 8 years after invoicing, in accordance with the Hungarian Accounting Act).

3.1.4. Mode of processing

Electronic.

3.1.5. Data protection clause for business partners

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing concerning communicating with our business partners, we, as data controllers, while performing the contracts concluded with our business partners, both at the time of the determination of the means for processing, and at the time of the processing itself, implement appropriate technical and organizational measures, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of GDPR.

3.2. Processing related to orders

You can order any of our products shown in our website. The details of such processing are described hereunder.

3.2.1. Processed personal data and purpose of processing
personal datapurpose of processinglegal basis of processing
name (first name, surname, title)identification of the User or a business partner’s representativeprocessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]; if the customer is a legal person then processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR]
address (post code, city, street and number)identification of the place of transportationprocessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]
phone numberconnecting the purchaser or its representative and giving information about the servicesprocessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]; if the customer is a legal person then processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR]
e-mail addressconnecting the purchaser or its representative and giving information about the servicesprocessing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [article 6 (1) b) of GDPR]; if the customer is a legal person then processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party [article 6 (1) f) of GDPR]
a unique coupon code that can be linked to the Useridentification of the customer in order to take advantage of the individual discount we provideprocessing is necessary for the purposes of the legitimate interests pursued by the controller [article 6 (1) f) of GDPR]
3.2.2. Legal basis of processing

Performance of contract where the parties are the Controller and the User (Article 6 (1) b) of GDPR).

If the buyer is a legal entity and its representative provides his or her personal data for these purposes, the legal basis of processing – with regard to the relevant authority practice – is our legitimate interest and the purchaser company (Article 6 (1) f) of GDPR). It is each party’s legitimate interest to maintain effective business communication during order, and inform each other’s representatives about any relevant conditions pertaining to the contract between us. Since it is part of the representative’s scope of duty or contractual obligation to facilitate communication between the parties and provide his or her personal data, the processing of the mentioned personal data does not restrict disproportionately the privacy and freedom of self-determination of the buyer’s contact person.

 

All the personal data you give us when you order the available products are processed for the performance of the contract concluded between you and us (Article 6 b) of GDPR). It is our legitimate interest for processing unique coupons to incentivise purchases of Users who can uniquely be identified based on their coupon code (Article 6 (1) f) of GDPR).

3.2.3. Duration of processing

Eight (8) years after the invoice under the contract is issued (Section 169(1) of the Accounting Act having regard to Section 166(6) of the Accounting Act).

Personal data not required for fulfilling accounting obligations – having regard to Section 6:22(1) of Act V of 2013 on the civil code (Civil Code) – are stored for 5 years after fulfilling the order.

3.2.4. Mode of processing

Electronic.

3.2.5. Supplying your personal data

Since we cannot fulfil  orders without your personal data, supplying your personal data is a requirement for the conclusion of a contract.

3.3. Processing concerning invoicing

After fulfilling orders we – with regard to Act C of 2000 on accounting (hereinafter: Accounting Act) – issue an invoice. The details of the associated processing are described hereunder.

3.3.1. Processed personal data and purpose of processing
personal datapurpose of processinglegal basis of processing
nameproof of the fulfilment of orders for accountingprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. C. of 2000. on accounting 166. § (1)-(3)
address (post code, city, street and number) / also registered office for sole tradersproof of the fulfilment of orders for accountingprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), Act No. C. of 2000. on accounting 166. § (1)-(3)
tax number for sole tradersproof of the fulfilment of orders for accountingprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), Act No. C. of 2000. on accounting 166. § (1)-(3)
3.3.2. Legal basis of processing

Processing is necessary for compliance with a legal obligation; with regard to Article 6 (1) c) of GDPR, Section 5(1) b) of the Privacy Act and Section 166(1)-(3) of the Accounting Act.

3.3.3. Duration of processing

8 years after accounting based on Section 166(6) of the Accounting Act and Section 169(1) of the Accounting Act.

3.3.4. Mode of processing

Electronic.

The document issued electronically – in accordance with the provisions of the regulation on the rules of digital archiving – is preserved in such a way that the applied method ensures the immediate production and continuous readability of all data of the document, and excludes the possibility of subsequent modification.

3.3.5 Supplying your personal data

Since we cannot issue invoices without the personal data specified in this section, supplying your personal data is compliance with law.

3.4. Processing concerning complaint management

Users can contact us by email and phone with questions and complaints. The details of the associated processing is described below.

 

3.4.1. Processed personal data and purpose of processing
personal datapurpose of processinglegal basis of processing
nameidentification of the Userprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. CLV. of 1997. on consumer protection
e-mail addresscommunication with the User and providing informationprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. CLV. of 1997. on consumer protection
phone numbercommunication with the User and providing informationprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and the Act No. CLV. of 1997. on consumer protection
3.4.2. Legal basis of processing

We process the personal data we collect from you to comply with legal obligations (with regard to Article 6 (1) c) and (2) of GDPR, based on Section 5(1) b) of the Privacy Act and Act CLV of 199. on consumer protection (CPA)

3.4.3. Duration of processing

5 years after the receipt of a complaint based on Section 17/A(7) of the Consumer Protection Act.

3.4.4. Mode of processing

Electronic.

3.5. Processing related to processing warranty claims

If the costumer enforces supplies warranty for material defects and product warranty claim for a product defect according to the Hungarian Civil Code (hereinafter: warranty claim), then we are required to write a report according to NGM Decree 19/2014 (IV.29.) on the procedural rules of processing warranty claims between consumers and businesses. The details of the associated data processing is described below.

3.5.1. Processed personal data and purpose of processing
personal datapurpose of processinglegal basis of processing
nameidentification of the User and write the reportprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and 19/2014 (IV.29) NGM regulation 4. § (1)
addressidentification of the User and write the reportprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and 19/2014 (IV.29) NGM regulation 4. § (1)
information on consent to processingwrite the reportprocessing is necessary for compliance with a legal obligation to which the controller is subject [article 6 (1) c) and (2) of GDPR] based on the Act No. CXII. of 2011. on the right to information self-determination and freedom of information 5. § (1) b), and 19/2014 (IV.29) NGM regulation 4. § (1)
3.5.2. Legal basis of processing

We process the personal data we collect from you to comply with legal obligations (Article 6 (1) c) and (2) of GDPR) based on Section 5. § (1) b), and Section 4(1) of NGM Decree 19/2014 (IV.29).

3.5.3. Duration of processing

3 years after the completion of the report based on Section 4 (1) and (6) of the NGM Decree.

3.5.4. Mode of processing

Electronic.

3.6. Processing related to prize draw

We advertise games on our Facebook page and on the website. We draw prizes among the Users who comment on the given entry or perform a specific activity. The associated processing activities are described in this section. There may be more detailed information on processing on the individual prize draw pages.

3.6.1. Processed personal data and purpose of processing
personal datapurpose of processinglegal basis of processing
nameidentification of the winner.the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]
e-mail addressidentification of the winner.the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]
winningidentification of the winner .the data subject has given consent to the processing of his or her personal data for one or more specific purposes [article 6 (1) a) of GDPR]
3.6.2. Legal basis of processing

You give your consent to the processing of you’re your personal data for one or more specific purposes by participating in the prize draw [Article 6 (1) a) of GDPR]

3.6.3. Duration of processing

Until the goal is achieved; until the prize draw is completely closed.

3.6.4. Mode of processing

Electronic.

4. What are your rights?

It is important for us that our data processing operations comply with the requirements for fairness, lawfulness and transparency. Accordingly, we briefly present your rights, which are further detailed in Annex 3 of this Privacy Notice.

You may request free information on the details of processing your personal data, and in cases specified by law, you may request your personal data to be corrected, erased, blocked, restrict their processing and object to processing. Please send your requests for information and the request for matters below to our contacts under Section 2.

4.1. Right to access

You can request information on the processing of your personal data, and may access to the processed data and the details of processing.

4.2. Right to rectification

You have the right to request the rectification of your inaccurate personal data without undue delay. You have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4.3. Right to erasure

You have the right to request the erasure of your personal data if they are no longer needed for processing, or if you withdraw your consent, or if you object to processing or if processing is unlawful.

4.4. Right to be forgotten

If your personal data become public and you request your data to be erased, at your request we inform all controllers that became or may have become aware of your disclosed personal data.

4.5. Right to the restriction of processing

You have the right to request us to restrict processing if the accuracy of your personal data is contested, or if processing is unlawful, or if you object to processing, or if we no longer need your personal data.

4.6. Right to data portability

You have the right to receive the personal data concerning you, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

4.7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data(see: point 3.1. and 3.2. of this Notice). In such case, we may no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims. Upon your objection, your personal data may not be processed for this purpose as a main rule.

4.8. Response to requests

We investigate your request as soon as possible, but not later than in 30 day – or 15 days in the case of objections – and decide whether it is substantiated, and inform you thereof in writing. If your request is not fulfilled, we inform you of the factual and legal reasons of rejection.

4.9. Legal remedies

Personal data protection and respecting your informational self-determination right is key for us, therefore, we do our best to answer all requests in a fair and timely manner. In this respect, please contact us with any questions or complaints to let us find the earliest solution before seeking to enforce your right with the authorities or at court.

If your inquiry with us is not resolved, you may

5. Measures and notification

5.1. Notification of recipients

We communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We also inform you about those recipients on the request of yours.

5.2. Mode and deadline of notification

We provide information on action taken on a request under Articles 15 to 22 of GDPR to you without undue delay and in any event within one month of receipt of the request unless you request otherwise. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. We inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, we provided the information by electronic means where possible, unless you request it otherwise. We inform you verbally at your request provided that you identify yourself in another manner.

If we do not take action on your request, we inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with NAIH and seeking a judicial remedy (see point 4.7.).

5.3. Monitoring

If we have reasonable doubts concerning the identity of the natural person making the request, we may request the provision of additional information necessary to confirm the identity of the data subject. This is necessary to promote the confidentiality of processing specified in Article 5 (1) f) of the GDPR, that is to prevent unauthorised access to personal data.

5.4. Costs of measures and notifications

We provide you information and take the necessary measures regarding the requests under point 4. free of charge.

If your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or we refuse to act on your request.

6. Possible recipients, data processors

6.1. Related to the operation of our website

Our website’s hosting provider (data processor) can have access to the personal data you provide while using the website. The data processor’s data are the following:

 

 

6.2. Delivery of the ordered products

In order to deliver the ordered products, we use fulfilment companies as data processors. These service providers enter into contracts with transport companies to deliver the products ordered by the user, so in this respect these additional service providers are considered sub-data processors. We ensure that sub-data processors also comply with legal requirements regarding the handling and protection of personal data in the course of their activities

6.3. Payment of your order

The order can be paid through the payment service provider’s data processing interface.

6.4. Social media

Our website has several social media profiles (for example: Facebook, Instagram, YouTube) so that if you „like” us on Facebook or „follow” us on YouTube, we may learn all the personal data which is public on your profile. You can find relevant information on data processing of these sites in the privacy notice of the relevant providers.

6.5. Invoicing

In connection with invoicing, the data processor gets to know the personal data provided by the Users for this purpose.

7. Data security

We and the employees of the data processors have the right to get to know the personal data of the User to the extent necessary for the performance of the tasks belonging to their job. We take all security, technical and organizational measures that guarantee the security of the data.

7.1. Organizational measures

We provide access to our IT systems with personal permission. The principle of “necessary and sufficient rights” applies to the allocation of access, ie all employees may use our IT systems and services only to the extent necessary for the performance of their duties, with the appropriate rights and for the required period of time. Access to IT systems and services should only be granted to a person who is not restricted for security or other reasons (eg conflicts of interest) and who has the professional, business and information security knowledge necessary to use it securely.

We and the data processors undertake strict confidentiality rules in a written statement and we are obliged to act in accordance with these confidentiality rules in the course of our activities.

7.2. Technical measures

We store the data – with the exception of the data stored by our data processors – on our own devices, in a data center. The IT tools, that stores the data are stored in a separate, separate closed server room, protected by a multi-stage access control system.

We protect our internal network with multi-level firewall protection. In all cases, a hardware firewall (border protection device) is located at the entry points of the applied public networks. The data is stored redundantly – i.e. in several places – in order to protect it from destruction, loss, damage and illegal destruction due to the failure of the IT device.

We protect our internal networks from external attacks with multi-level, active protection against complex malicious code (eg virus protection). We implement the essential external access to the IT systems and databases operated by us via an encrypted data connection (VPN).

We do our best to ensure that our IT tools and software continuously comply with the technology solutions generally accepted in the operation of the market.

During our development, we design systems in which logging can be used to control and track the operations performed, and to detect incidents, such as unauthorized access.

Our server is located on the hosting provider’s separate dedicated server, protected and closed.

Taking into account of the NAIH recommendation about the parts we use https protocol which provides a higher level of data security than the http protocol.

8. Cookies

Similarly to other modern websites, in certain cases we place small data files on Users’ devices to ensure the proper operation of our website.

8.1. Cookies in general

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

Cookies can be used by web servers to identify and track users as they navigate different pages on a website and identify users returning to a website.

List of the cookies we use on the website

Source

Name

Function

Expiration

Facebook

Facebook pixel

Facebook advertising data collection

180 days

Google

Google Analytics

Anonymous analysis of visitor data

More information in the  8.2.1. point.

Hotjar

Hotjar

Analyze visitors’ website usage

365 days, more information https://help.hotjar.com/hc/en-us/articles/115011640427-How-long-does-Hotjar-keep-my-data-

8.2. Google Analytics

  1. Our website uses Google Analytics, the web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies – small text files – saved on your device to enable the analysis of the website you visit. Detailed information: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage#gtagjs_and_analyticsjs_-_cookie_usage.
  2. The information generated with the cookies from the website Users visit are usually stored on a Google server in the USA. By activating IP anonymisation on the website, Google shortest Users’ IP address within the EU member states and other states that are parties to the agreement on the European Economic Area.
  3. The full IP address is forwarded to and shortened on Google’s server in the USA only in exceptional cases. We engaged Google to use this information to assess how you use our website, create reports on website activity, and provide other services regarding website and internet use.
  4. Your IP address forwarded by your browser is not compared with other Google data in the framework of Google Analytics. You may block the storing of cookies by setting your browser accordingly, however, in this case some functions of our website may not be fully available. It may also prevent Google from collecting and processing your data related to website use (including your IP address), if you download and install the plugin from this site: https://tools.google.com/dlpage/gaoptout?hl=h

8.3. Facebook Pixel

Facebook Custom Audience is an online analytics and advertising service of Facebook, Inc. (Facebook) through which the Data Controller obtains information about how visitors to the Website use the Website. You can read more about Facebook Custom Audience or Facebook Pixel cookies here: https://www.facebook.com/policies/cookies/.

Facebook Pixel requires cookies to be placed on user devices. We also use Facebook Pixel on the Website, both for advertising and Website analytics. Facebook pixels place cookies on the Website browser for the purpose of generating the right advertising audience, measuring conversions between devices, targeting ads, optimizing the right audience, displaying personalized advertisements, advertisements and reports, reporting on the Website and application traffic data.

This data management activity of Facebook may be regulated and set up by the User in his Facebook and Google accounts, and the collection of data by Facebook cookies on the Website may be authorized by the User. On Facebook, the User can view these cookies in the Facebook Ads Settings by logging into their account, and there they can also set or change their preferences regarding cookies. On the Website, the User may give his consent to cookies in groups according to their type.

8.4. How to manage cookies?

Cookies can be deleted (detailed information: www.AllAboutCookies.org) or blocked by most browsers today. In this case, however, when using our website, certain settings will need to be reconfigured each time and certain services may not work.

Detailed information on deleting and blocking cookies can be found at www.AllAboutCookies.org (in English) and on the browser used by the User at the following links:

9. Miscellaneous

9.1. Processing for different purpose

If we intend to further process the personal data for a purpose other than that for which the personal data were collected, we inform you prior to such further processing requesting your prior express consent and give you the opportunity to prohibit processing.

9.2. Record of processing

To comply with Article 30 of GDPR, we maintain a record of processing activities under our responsibility.

9.3. Data breaches

Data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In case of data breach, we are obliged to act according to Article 33 and 34 of the GDPR. We log data breaches, indicating the associated facts, their impacts and our measures for remedy.

9.4. Changes to our Privacy Notice

We have the right to amend this Privacy Notice unilaterally at any time. We encourage you to periodically review this Policy to be informed of how we are protecting your information.

Effective: 08 September 2021
Multinvent Kft.
Controller

10. Annexes

Annex 10.1. Applicable regulations

For this Privacy Notice, the Controller took into account the applicable regulations in effect and major international recommendations, particularly including:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
  • Act CXII of 2011 on the right of informational self-determination and the freedom of information (Privacy Act);
  • Act V of 2013 on the Civil Code (Civil Code);
  • Act CXXX of 2016 on the Code of Civil Procedure (CCP);
  • Act C of 2000 on accounting (Accounting Act);
  • Act CLV of 1997 on consumer protection (CPA);
  • Act CVIII of 2001 on certain matters of electronic commerce and information society services (E-commerce Act).

Annex 10.2. Definitions

  • ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  • ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  • ‘transfer’ means making data accessible to a specific third party;

  • ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  • ‘erasure’ means making the data unrecognisable in a way that they cannot be restored any more;

  • ‘marking’ means attaching and identifier to data to distinguish them;

  • ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

  • ‘destruction’ means the full physical destruction of the carrier containing the data;

  • ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

  • ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

  • ‘cookie’ means a small data package (text file) sent by webservers and stored for a specific time on the user’s computer, which the server may complement subject to the type of the cookie, i.e. if the browser returns a previously saved cookie, the provider managing the cookie can connect the user’s current visit to the site with previous visits, but only concerning the provider’s own content;

  • ‘data subject/user’ means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  • ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

  • ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

  • ‘IP address’ means the unique identifier of servers enabling the identification of individual computers in all networks where communication is made using TCP/IP protocol. All computers connected to a network have their own IP addresses that make them identifiable;

  • ‘personal data’ means any information concerning the data subject;

  • ‘objection’ means the data subject’s statement objecting to the processing of their personal data, and requesting the termination of processing and the erasure of the data processed.

Annex 10.3. Data subjects’ rights

Right to access

Upon a request submitted to us you have the right to access to the following information concerning the processing of your personal data:

  • whether your personal data are processed;
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • your rights;
  • your options for legal remedy
  • information on data sources.

You may also request a copy of your personal data processed. In this case, personal data are provided in a structured, commonly used and computer readable format (PDF/XML), and in hard copy. Copies are provided free of charge.

Right to rectification

You have the right to request us to rectify any of your inaccurate personal data and to complete incomplete data by way of submitting a request to any of our contacts. Where the information required to complete or rectify inaccurate information is not available, we may request you to resubmit supplemental data and verify the accuracy of the data. As long as the data cannot be specified or completed – in the absence of supplemental information – we shall restrict processing the relevant personal data, and temporarily suspend any operations with them, except for storing.

Right to erasure

You have the right to request us to erase your personal data by submitting a request to that effect if any of the conditions below prevail:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you have concerns about the lawfulness of processing.

If we establish based on your request that we are obliged to erase your personal data we process, we discontinue processing and destroy the previously processed personal data. We are also obliged to erase personal data if you withdraw your consent, exercise your right to object or in compliance with a legal obligation.

Restriction of processing

You have the right to obtain from us the restriction of processing your personal data in the following cases:

  • you have concerns about the lawfulness of processing and you request the restriction of their use instead of erasure;
  • we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims;

We automatically restrict processing personal data if you dispute the accuracy of personal data and when you exercise your right to object. This restriction lasts as long as the accuracy of personal data can be verified or – in the case of objecting to processing – until we can establish if the criteria for continuing processing prevail.

No processing operations may be performed on personal data during the restriction, data may only be stored. Personal data subject to restriction may only be processed in the following cases:

  • based on the data subject’s consent;
  • for the establishment, exercise or defense of legal claims;
  • to protect the rights of other natural persons or legal entities;
  • important grounds of public interest.

We inform you before lifting restriction.

Right to data portability

You have the right to receive your personal data for further use by submitting a request to us. You may also request us to transfer your personal data to another controller.

This right is restricted to personal data you provided and processed to fulfil a contract. No other data are portable. We supply your personal data in a structured, commonly used and machine-readable format (PDF/XML) and in hard copy.

Please note that exercising this right does not automatically delete your personal data from our systems. After exercising your right to data portability, you still have the right to contact and communicate with us.

Right to object

You have the right to object at any time to processing of your personal data for purposes specified in point 3.1. and 3.2. of this Privacy Notice by way of a request submitted to us. In such case, we no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Kontaktovať zákaznícky servis FlatLoop