Privacy policy

DATA MANAGEMENT NOTICE

Effective from 01.01.2021

PREAMBLE

The purpose of this information is to record the data protection and management principles applied by the website www.cinedaft.com, which the operator of the website, i.e. SCHWINDL VIDEOSTÚDIÓ Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság, as data manager, recognizes as binding for itself.

This information is based on the provisions of Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR"), Act CXII of 2011 on the right to informational self-determination and freedom of information ("Infotv"), Act V of 2013 on the Civil Code ("Ptk"), and Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising ("Grtv").

INFORMATION AND CONTACT DETAILS OF THE DATA CONTROLLER AND DATA PROCESSOR:

DETAILS OF THE DATA CONTROLLER AND DATA PROCESSOR:

SCHWINDL VIDEOSTÚDIÓ Trading and Service Provider Limited Liability Company

Headquarters: 6100 Kiskunfélegyháza, Deák Ferenc utca 2. 1st floor. 1

Company registration number: 03-09-106128

Tax number: 11573043-2-03

Internet address: www.cinedaft.com

Email:

Data of the hosting provider:

Name: ArtMagister Kft.

Headquarters: HU- 1213 Budapest, Kórus utca 38.

Contact:

I. INTERPRETATIVE PROVISIONS

Based on the provisions of Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR") and Act CXII of 2011 on the right to informational self-determination and freedom of information ("Infotv"):

"data subject": any natural person identified or - directly or indirectly - identifiable on the basis of personal data;

"personal data": any information relating to an identified or identifiable natural person ("data subject"); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"data management": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise making available, coordination or connection, limitation, deletion or destruction;

"special data":

  a) personal data relating to racial origin, nationality, political opinion or party affiliation, religious or other worldview beliefs, interest-representation organization membership, sexual life,
  b) personal data relating to health status, pathological addiction, and criminal personal data;

"consent of the data subject": the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;

 "data controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;

Pursuant to these regulations, it is considered a data controller

"data processor": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

According to these regulations, Ideart Investment Limited Liability Company is considered a data processor.

"data management": regardless of the procedure used, any operation performed on the data or a set of operations, including, in particular, collection, recording, organization, storage, alteration, use, query, transmission, disclosure, alignment or connection, locking, deletion and destruction, as well as preventing the further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image);

"restriction of data management": designation of stored personal data for the purpose of limiting their future management;

"profiling": any form of automated processing of personal data in which personal data is used to evaluate certain personal characteristics of a natural person, in particular to analyze or predict characteristics related to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement;

"pseudonymisation": processing of personal data in such a way that, without the use of additional information, it is no longer possible to determine which specific natural person the personal data refers to, provided that such additional information is stored separately and by taking technical and organizational measures it is ensured that this personal data cannot be linked to identified or identifiable natural persons;

"registry system": a file of personal data, organized in any way - centralized, decentralized or divided according to functional or geographical aspects - which is accessible based on specific criteria;

"recipient": the natural or legal person, public authority, agency or any other body to whom or with which the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the handling of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the data management;

"third party": the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who, under the direct control of the data controller or data processor, are authorized to process personal data they received;

"data protection incident": a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled;

II. SCOPE OF PERSONAL DATA, PURPOSE, LEGAL BASIS AND DURATION OF DATA PROCESSING

  1. WEBSITE REGISTRATION

The purpose of data management is for the data controller to manage the data voluntarily provided by the registrant in case of registration on the website.

The legal basis for data management: in all cases, data management takes place with the voluntary consent of the person concerned, and is based on Eker. tv. 13/A. paragraphs (1) – (3) of § 6 and point a) of Article 6 (1) of the GDPR.

Scope of managed data: Email address, Name, Telephone number, Delivery address, Billing address

Duration of data management: if an order is received from the user account, then, with regard to the accounting documents that directly and indirectly support the bookkeeping, at least eight years, based on § 169 (2) of the Accounting Act.

Data transfer:

  • if a bank card payment method is selected, the payer's identifier and the amount, date and time of the transaction are forwarded to the data controller; with regard to the accounting documents that directly and indirectly support the bookkeeping, the data will be kept for at least eight years based on § 169 (2) of the Accounting Act.
  • if the delivery takes place via a courier service, the delivery address, telephone number and e-mail address will be forwarded to the courier service.
  • the individual receipts are forwarded to the data controller's accountant for the purpose of submitting the necessary returns.

In all cases, the legal basis for data transmission is the voluntary consent of the data subject and points a) and b) of Article 6 (1) of the GDPR.

  2. COMPLETING THE CONTACT FORM AND SUBSCRIBING TO THE NEWSLETTER

Filling out the contact form on the website

The Data Controller uses the data accessed through the contact form received via the website only for the purpose of maintaining contact and providing information, the data is not stored in a database.

Newsletter sending

The Data Controller declares that when subscribing to the newsletter, we are not able to verify the authenticity of the contact data and to establish that the data provided refers to natural persons or economic companies/civil organizations.

The purpose of data management is to send professional reviews, electronic messages containing advertising, information, and newsletters, from which you can unsubscribe at any time without any consequences.

The legal basis for data management is your consent. We would like to inform you that you can give your prior and express consent to the service provider contacting you with advertising offers, information and other mailings at the e-mail address provided during registration. As a result, you can consent to the service provider managing your necessary personal data for this purpose.

We would like to inform you that if you wish to receive a newsletter from us, you must provide the necessary data. If the data is not provided, we cannot send you a newsletter.

Duration of data management: Data management takes place until consent is withdrawn. You can withdraw your consent to data management at any time by sending a letter to the contact e-mail address.

Data is deleted when consent to data management is revoked.

Consent can also be revoked using the link appearing in the sent newsletters.

The persons entitled to access the data are: the data controller and its employees.

Data storage method: electronic.

Modification or deletion of data can be initiated by e-mail, phone or letter using the contact options provided above.

The data processor used: SCHWINDL VIDEOSTÚDIÓ Kft.

Please note that the e-mail address does not need to contain personal information. So, for example, it is not necessary that the e-mail address contains your name.

  3. COOKIES

Cookies are placed on your computer by the websites you visit and contain information such as page settings or login status.

Cookies are files created by visited websites. Saving browsing data improves user experience. With the help of cookies, the website remembers the website settings and offers locally relevant content.

The provider's website sends a cookie to the computer of the visitors of the website so that the fact and time of the visit can be established. The service provider informs the website visitor about this.

The scope of data processing: website visitors.

Purpose of data management: additional service, identification, tracking of visitors.

Legal basis for data management: The user's consent is not required if the use of cookies is absolutely necessary for the service provider.

Scope of the data: unique identification number, time, setting data.

You have the option to delete cookies from your browsers at any time in the Settings menu.

Data controllers entitled to access the data: The data controller does not process personal data using cookies.

Data storage method: electronic.

  4. OTHER DATA MANAGEMENT

The court, the prosecutor's office, the investigative authority, the infringement authority, the public administrative authority, the National Data Protection and Freedom of Information Authority, or other bodies based on the authorization of the law, may contact the data controller in order to provide information, communicate or transfer data, or make documents available.

In the above case, the data controller may disclose the personal data to the competent authorities only to the extent that is absolutely necessary to achieve the purpose of the request.

III. RIGHTS OF THE DATA SUBJECTS

Hereby, we would like to inform you about the rights that you can exercise in connection with our data management.

Right of access

You have the right to receive feedback from the data controller as to whether your personal data is being processed, and if such data processing is underway, you are entitled to access the personal data and the following information. Based on this, you are entitled to receive information about the purposes of data management; the categories of personal data concerned; the recipients or categories of recipients to whom we disclose personal data; the planned period of storage of personal data, or if this is not possible, the criteria for determining this period; the fact that you can request from the data controller the rectification, deletion or restriction of processing of the personal data relating to you and may object to the processing of such personal data; and the fact that you have the right to file a complaint.

The data controller is obliged to provide you with a copy of the personal data that is the subject of data management. If you request additional copies, the data controller may charge a reasonable fee based on administrative costs. If you submitted your request electronically, we must make the information available to you in a widely used electronic format, unless you request otherwise.

Right to rectification

You have the right to have inaccurate personal data corrected without undue delay upon your request. If the scope of data management justifies it, you are entitled to request the addition of incomplete personal data.

The right to erasure ("the right to be forgotten")

You have the right to request that the data manager delete your personal data without undue delay, and the data manager is obliged to delete your personal data without undue delay if one of the following reasons exists:

  a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
  b) You withdraw your consent, which is the basis of the data management, and there is no other legal basis for the data management; this does not apply to the period when the data controller is obliged to preserve the documents;
  c) You object to the processing of your data and there is no overriding legal reason for the processing;
  d) personal data were handled unlawfully;
  e) personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller;
  f) personal data was collected in relation to a person under the age of 16.

In this context, we would like to draw your attention to the fact that in the event that the deletion request must be fulfilled due to one of the above reasons, the data controller will take all necessary steps to delete it as soon as possible and completely.

However, if data processing is necessary for the following reasons, the deletion request is mandatory based on the fulfillment of legal requirements and not on the basis of the individual decision of the data controller. These cases include:

  • for the purpose of exercising the right to freedom of expression and information;
  • for the purpose of fulfilling the obligation according to the EU or Member State law applicable to the data controller, which prescribes the processing of personal data, or for the execution of a task carried out in the public interest or in the context of the exercise of public authority conferred on the data controller;
  • if the preservation of the relevant data is justified by the public interest in the field of public health;
  • for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, if the right to erasure would likely make this data management impossible or seriously endanger it; or
  • to present, enforce and defend legal claims.

The right to restrict data processing

You are entitled to have the data controller restrict data processing at your request if one of the following is true:

  • You dispute the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to verify the accuracy of the personal data;
  • the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use;
  • the data controller no longer needs the personal data for the purpose of data management, but you require them to present, enforce or defend legal claims; or
  • You objected to data processing; in this case, the limitation applies to the period until it is established whether the legitimate reasons of the data controller take precedence over your legitimate reasons.

Therefore, if your data is subject to restrictions, such personal data, with the exception of storage, may only be processed with your consent, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a member state.

If the restriction of data management is lifted, we will inform you in advance.

The data controller is obliged to inform all recipients to whom the data was previously disclosed in relation to the correction or deletion of personal data, or the limitation of data management, unless this would entail disproportionate difficulty.

The right to data portability

You have the right to receive your personal data, which you have provided to the data controller, in a structured, widely used, machine-readable format, and you are also entitled to forward this data to another data controller, provided that you specifically give your consent to this.

IV. LEGAL REMEDIES

  1. Right to protest

You also have the right to object to the processing of your personal data, if it is proven that neither a public interest reason nor any other statutory obligation imposed on the data controller requires data processing, in which case we will grant your request and delete your data. We hereby inform you that we do not process any of your data for direct marketing purposes.

The data controller examines the objection as soon as possible, but no later than 15 days after the submission of the request, and makes a decision and informs you of its decision in writing.

If the data controller determines that your protest is well-founded, it will terminate the data management - including further data collection and transmission - and block the data, as well as notify all those to whom the personal data affected by the protest was previously transmitted, and who are obliged to take measures to enforce the right to protest, about the protest and the measures taken based on it.

If you do not agree with the data controller's decision, or if the data controller misses the 15-day deadline, you can appeal to the court within 30 days of the communication of the decision or the last day of the deadline.

The data controller cannot delete your data if the data management is ordered by law or other mandatory legislation. However, the data may not be forwarded to the data recipient if the data controller has agreed to the objection, or the court has established the legitimacy of the objection.

  2. Court Enforcement

In the event of a violation of their rights related to data management, the data subject may appeal to the court against the data controller. The court handles the case as a matter of priority.

The data controller is obliged to prove that the data management complies with the provisions of the law.

The adjudication of the lawsuit falls within the jurisdiction of the court. At your option, the lawsuit can also be brought before the court of your place of residence or place of stay.

A person who otherwise does not have legal capacity can be a party to the lawsuit. The Authority may intervene in the lawsuit in order to win the case for the person concerned.

If the court approves the request, it obliges the data controller to provide information, correct, block, delete the data, annul the decision made by automated data processing, take into account the data subject's right to protest, and release the data requested by the data recipient.

The court may order the publication of its judgment - by publishing the identification data of the data controller - if it is required by the interests of data protection and the rights of a larger number of stakeholders protected by this law.

  3. Compensation and Damages

If the data manager causes damage to others by illegally handling your data or violating data security requirements, he is obliged to compensate you.

If the data controller violates the data subject's right to privacy by illegally handling your data or violating data security requirements, you can demand damages from the data controller.

The data manager is liable to you for the damage caused by the data processor, and the data manager is also obliged to pay you the damages due in the event of a privacy violation caused by the data processor. The data manager is exempted from responsibility for the damage caused and from the obligation to pay compensation if it proves that the damage or the violation of your right to privacy was caused by an unavoidable cause outside the scope of data management. The data processor is only liable for damages caused by data processing if it has not complied with the obligations set out in the law that specifically apply to data processors, or if it has ignored or acted contrary to the lawful instructions of the data controller. If several data controllers or data processors, or both the data controller and the data processor, are involved in the same data processing and are liable for the damages caused by the data processing according to the above, each data controller or data processor is jointly and severally liable for the total damage in order to ensure the effective compensation of the data subject.

There is no need to compensate the damage and no compensation can be claimed if the damage or the violation of the right to privacy resulted from the intentional or grossly negligent behavior of the injured party.

In any case, a request for compensation can only be enforced through a court of law.

Data protection official procedure

You also have the right to file a complaint with the supervisory body if you believe that the data is being processed illegally.

You can file a complaint with the National Data Protection and Freedom of Information Authority:

Name: National Data Protection and Freedom of Information Authority

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, Pf.: 5.

Telephone: 06.1.391.1400

Fax: 06.1.391.1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

V. SECURITY OF DATA MANAGEMENT

Measures taken by the data controller for data security

The data managed by the www.cinedaft.com webshop are stored at the headquarters/location of the data manager and the data processor.

The data manager is obliged to plan and implement data management operations in such a way as to ensure the protection of your privacy.

The data controller shall take all necessary measures to prevent unauthorized access, change, transmission, disclosure, deletion or destruction of the data it manages, as well as accidental destruction and damage, and inaccessibility resulting from changes in the technology used.

In order to protect the data files managed electronically in the various registers, the data controller ensures that the data stored in the registers cannot be directly linked and assigned to you, unless permitted by law.

During the automated processing of personal data, the data manager and the data processor ensure the following through additional measures:

  a) preventing unauthorized data entry;
  b) preventing the use of automatic data processing systems by unauthorized persons using data transmission equipment;
  c) the verifiability and ascertainability of which bodies the personal data have been or may be transmitted to using data transmission equipment;
  d) the verifiability and ascertainability of which personal data was entered into the automatic data processing systems, when and by whom;
  e) the restorability of the installed systems in the event of a malfunction; and
  f) that a report is prepared on errors occurring during automated processing.

When defining and applying measures for data security, the data controller and data processor must take into account the state of the art at all times. Among several possible data management solutions, the one that ensures a higher level of protection of personal data must be chosen, unless it would represent a disproportionate difficulty for the data controller.

Both the data manager and the data processor protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility resulting from changes in the technology used.

In order to protect the data files managed electronically in their various registers, the data controller and the data processor ensure with an appropriate technical solution that the stored data cannot be directly linked and assigned to the data subject, unless permitted by law.

The data manager and the data processor, in view of the current state of technology, ensure the protection of the security of data management with technical and organizational measures that provide a level of protection corresponding to the risks associated with data management.

The data controller and the data processor preserve the following during data management:

  • confidentiality: the information is protected so that only those who have the right to access it can access it;
  • integrity: the accuracy and completeness of the information and the method of processing are protected;
  • availability: when the authorized user needs it, he can really access the desired information and the related tools are available.

Data protection incident

The data controller must report the data protection incident to the supervisory body without undue delay and, if possible, no later than 72 hours after the data protection incident became known, unless the data protection incident is likely to pose no risk to the rights and freedoms of natural persons.

If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the data controller shall inform you of the data protection incident without undue delay, unless:

  a) the data controller has implemented appropriate technical and organizational protection measures, so that the data cannot be interpreted by persons who have unauthorized access to it;
  b) after the data protection incident, the data controller takes such additional measures that the high risk referred to in paragraph (1) is likely to no longer materialize;
  c) direct information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.

The data controller keeps records of data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it. This register enables the supervisory authority to verify compliance with the requirements of this Article.

Legislation on which the data protection information is based:

  • Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR");
  • Act CXII of 2011 - on the right to informational self-determination and freedom of information (Infotv.);
  • Act V of 2013 - on the Civil Code (Ptk.);
  • Act XIX of 1998 - on criminal procedure (Be.);
  • Act C of 2000 - on accounting (Accounting Act);
  • Act CVIII of 2001 - on certain issues of electronic commercial services and services related to the information society (Eker. tv.);
  • Act C of 2003 - on electronic communications (Eht.).