Bárdi Automobile Hungary Automotive Parts Trading Private Limited Company
Date of entry into force of the information: 25th May, 2018
1. General provisions and contact details
This Data Management Information (hereinafter: “Information”) refers to personal data about you which are collected and managed by Bárdi Automobile Hungary Car Parts Trading Private Limited Company as the user and customer of services of https://www.bardiauto.hu, https://cartarsblog.hu, https://garvisor.com, and https://autotechfuture.hu websites when you buy a product from the webshop as a Buyer (natural person) a personal contributor of the data subject (legal entity) and visitor of commercial premises (hereinafter collectively: “The Data subject”).
We place great emphasis on the protection of personal data. Therefore, we would like to familiarize you with the management and processing processes that we use in connection with our activities and the information we send you. Below we inform you about what data we collect, process, and what we do to protect your data and enforce your rights.
Bárdi Automobile Hungary respects the rights of the data subjects, the personal data related to them, as well as all data and facts coming to its knowledge are kept confidential, only for the performance of its activities, for the activities set out in the data management information, as well as for its own for research purposes and statistical reports.
We will take appropriate measures to provide the data subject with information on the processing of personal data in a concise, transparent, understandable and easily accessible form, in a clear and straightforward way.
1.1 Contact details of the Data Controller
Bárdi Automobile Hungary Automotive Parts Trading Private Limited Company
Headquarters of the Data Controller: 1089 Budapest, Orczy road 44-46.
Legal representatives of the Data Controller:
István Bárdi, member of the Board
Viktor Bárdi, member of the Board
Csaba Pete, member of the Board
Company registration No.: 01 10 043352
Tax number: 12229132-2-44
Contact details of the Data Controller through which the Data Subject may exercise his/her rights in this information:
E-mail: info@bardiauto.hu
Phone: +36 1 555 0050
The Data Controller reserves the right to modify this Information unilaterally. In view of this, it is recommended to regularly visit the https://www.bardiauto.hu operated by the Data Controller: website, where the current content of the information can be found and saved continuously. At the request of the Data Subject, a copy of the Information will be sent.
The requirements of the Data Protection Information are in accordance with the applicable legislation on data protection:
2. Updating of the information
The Data Controller reserves the right to modify this Information unilaterally. Therefore, it is recommended that you visit https://www.bardiauto.hu/ regularly to monitor changes. The current contents of the Information can be read and saved on a continuous basis. If your email address is available to us, we will send you an email notification on the changes upon request. At your request, we will send you a copy of the valid Information.
3. Understanding and accepting the information
By providing the given personal data, you agree that you have become aware of and expressly accepted the version of this Information in force at the time of the data supply.
4. Basic concepts of Data protection
4.1. Personal data
Any specific (identified or identifiable) data relating to the natural person (hereinafter: Data subject) from which conclusion can be drawn of the data subject. The personal data retains its quality during the processing as long as its relationship with the data subject can be restored. In particular, a person shall be regarded as identifiable if he/she can be directly or indirectly identified by name, number, location data, identification mark, or one or more factors characterising his/her physical, physiological, genetic, mental, economic, cultural or social identity;
4.2. Consent
A voluntary and firm statement of the wish of the data subject, based on appropriate information and giving his/her unambiguous consent to the processing of personal data relating to him/her, either in full or in particular operations;
4.3. Data Processing based on consent
We ask the consent of the visitors to the management of the data related to the visit of the website and to send targeted advertising information (newsletter). By providing a statement of consent, we process the personal data of the data subject until the consent statement is withdrawn. After the consent has been withdrawn, the data of the data subject will be deleted from the records. The legal basis for processing the data provided at our website is the consent of the data subject on the basis of the information provided.
4.4. Data Controller
A natural or legal person or body without legal personality who or which determines the purpose of personal data processing, takes and implements decisions concerning the processing (including the means used) or who have them executed by a processor entrusted by him/her;
4.5. Data Management
Any operation or set of operations performed with personal data, irrespective of the procedure used, such as collection, recording, organisation, storage, alteration, use, transmission, disclosure, coordination or linking, blocking, deletion and destruction, as well as preventing further use of data. Data processing includes the recording of photographs, sound or images and the recording of physical characteristics (e.g. fingerprints, palm prints, DNA) that can identify the person;
4.6. Data transfer
Where the data is made available to a specific third party;
4.7. Disclosure
If the data is made available to anyone;
4.8. Adattörlés
Az adatok felismerhetetlenné tétele oly módon, hogy a helyreállításuk többé nem lehetséges;
4.9. Data blocking
Making transfer, knowledge, disclosure, transformation, alteration, destruction, deletion, linking or coordination and use of data impossible finally or for a definite period of time;
4.10. Data Destruction
Total physical destruction of data or the media containing them;
4.11. Data Processing
Performing technical tasks related to data processing operations, irrespective of the method and means used to carry out the operations and the place of application, provided that the technical task is carried out on the data;
4.12. Data processor
A natural or legal person or an organisation without legal personality who, on behalf of the data controller, including ordering by law - implements processing of the personal data;
4.13. Third person
A natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who, under the direct authority of the controller or processor, is authorized to processing personal data;
4.14. EEA State
Member State of the European Union, other State being a party to the Agreement on the European Economic Area and the State whose citizen,- based on the international agreement between the European Community and a state not participating in the agreement on the European Economic Area enjoys the same legal position as the citizen of a state participating in the agreement on the European Economic Area;
4.15. Third country
Any State that is not an EEA State.
4.16. Data Protection Incident
A breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.
4.17. Biometric data
Personal data obtained by specific technical procedures relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm the individual identification of the natural person, such as a portrait or dactyloscopy data.
4.18. Health data
Personal data relating to the physical or mental health status of a natural person, including data on the provision of health services to a natural person, which carries information on the health status of the natural person.
4.19. Security Event
Any event that may have a detrimental effect on the confidentiality, integrity or availability of the IT device or the data stored thereon.
4.20. Confidentiality (secrecy)
The feature of the data is that only a predefined user circle (rightsholders) is allowed to access, and everyone else's access is illegal.
4.21. Integrity
Criteria for the existence, authenticity, integrity and completeness of the data, which ensures that the data, information or program can be changed only by the rightsholders and cannot be modified undetected.
4.22. Rules
Data Controller's Data Management Policy.
4.23. Security system for property protection
Electronic signalling and visual surveillance systems installed on property subject to the territorial scope of the Data Management Policy for property protection purposes. Here belong the electronic monitoring systems, unrecorded, operated for surveillance purposes, or enabling sound or image recording (field monitoring), electronic access control systems, burglar warning systems, remote monitoring systems, data and information technology security systems for protection and other electronic technical solutions enabling the transmission of signals and images or the indication of light or sound.
4.24. Guest
A natural person on property covered by the territorial scope of the Data Management Policy, who is not the same as the employee of the Data Controller.
4.25. Recognition, use and transfer of data
Only the person who needs it for the exercise of his obligations shall have the right to know the personal data stored about the data subjects. The name of the person handling the personal data, or for any other reason entitled to know it, the reason and the time of obtaining information shall be recorded in the log.
Use shall be deemed to be the use of personal data as an evidence in judicial or other administrative proceedings. The person whose right or legitimate interest is affected by the recording of his personal data may, within 3 (three) working days from the date of the recording of the personal data, request - confirming his right or legitimate interest - that the controller should not destroy or erase the data. At the request of a court or other authority, the personal data shall be sent immediately to the court or the authority. If a request is not made within 30 (thirty) days of the request for non-destruction, the recorded image and/or sound recordings and other personal data shall be destroyed or deleted.
Personal data may be transferred to third parties only with the prior written consent of the data subject. This does not apply to the processing described by the Data Processing Policy or to any data transfers that are mandatory under law, which can only be carried out in exceptional cases. We inform the data subjects that data processors are used for the processing and storage of data processed by the employer's human resources system. The Data Controller informs the data subjects about the identity of the data processors in this document.
4.26. Objection
Statement by the data subject, by which he objects to the processing of his personal data and requests the cessation of processing or the erasure of the processed data;
5. Data protection Principles
Personal data:
shall be managed lawfully and fairly and in a transparent manner to the data subject ('legality, fairness and transparency');
they shall be collected only for specific, clear and legitimate purposes and are not treated in a manner incompatible with these purposes; according to Art. 89 (1) GDPR, it is not considered incompatible with the original purpose for archiving targets in the public interest, scientific, research further processing or for statistical purposes (“purpose limitation”);
the purposes of data processing must be adequate and relevant and they must be limited to the necessary measure ('data saving');
they must be accurate and, where necessary, up-to-date; all reasonable measures must be taken to ensure that personal data that are inaccurate in terms of the purposes of processing are deleted or rectified without delay ('accuracy');
storage must comply with the requirement that identification of the data subjects should be made available only for the time needed for reaching the purpose of personal data management; longer storage of the personal data may only be permitted when the management of the personal data is performed for public archiving, scientific and historic research or statistical purposes, as per section (1) of article 89 of GDPR, with regard to the implementation of the appropriate, specified technical and organizational measures described by this decree for the protection of the rights and freedom of the interested persons. (“limited storability”)
they must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by the application of appropriate technical or organisational measures including “integrity and confidentiality”.
The controller is responsible for compliance with the above and should be able to demonstrate such compliance (“accountability”). The Data Controller does not collect personal data relating to minors.
6. Detailed rules of data processing
In order to ensure the services provided by the Data Controller, we may request information about you, and you may voluntarily provide certain data to us during your communication with the Data Controller. Part of the data we collect is based on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46/EC - (“GDPR”) in accordance with point (1) of Article 4 “personal data”:
The Data Controller undertakes strict confidentiality obligations with regard to the personal data processed and may not, differently from the Data Subject's consent, disclose them to third parties.
The withdrawal of consent shall not affect the legality of the previous processing.
6.1. Visiting the Website
When visiting https://www.bardiauto.hu, https://garvisor.com, https://cartarsblog.hu and https://autotechfuture.hu websites operated by the Data Controller, the data of the Data Subject's computer, which are generated and stored in the course of using the service and which are recorded by the Data Controller's system as an automatic result of technical processes.
The data recorded automatically shall be logged automatically at the time of entry or exit without a separate statement or action of the Data Subject. These data may not be combined with other personal user data, except in cases required by law. Only the Data Controller shall have access to the data.
The purpose of data processing
When using this website, the Data Subject (user of https://www.bardiauto.hu, https://garvisor.com, https://cartarsblog.hu or https://autotechfuture.hu website) may be informed about the services provided by the Data Controller.
The processing and storage of data is carried out for the following purposes:
Scope of processed data and detailed purposes of data processing
The Data Subject (user of https://www.bardiauto.hu, https://cartarsblog.hu and https://autotechfuture.hu websites):
Legal basis of data processing
The Data Controller's legitimate interest in the operation of the Website (point (f) of Art. 6 (1) of GDPR).
Identification of legitimate interest
Ensuring the service without interruption, high quality, managing the risks associated with the business.
Duration of data management
For the period necessary to achieve the statistical objectives. Identifiable data related to the visit will be deleted no later than 30 days after leaving the website..
6.2. Processing of data related to cookies placed on our website
The purpose of data processing
The Data Controller's services available on https://www.bardiauto.hu, https://garvisor.com, https://cartarsblog.hu and https://autotechfuture.hu websites place unique identifiers, so-called cookies, on the computer of the Data Subject (Users). These cover only the identification of the visitor's current session, the storage of the data provided during it, the prevention of data loss, and the anonymous analysis of the habits of the Data subject when using Google Analytics. Such data may include the IP address of the visitor, the time and duration of the visit, the pages visited, the type of browser, the operating system, etc. These data are stored; they are treated confidentially and are used only for the further development of the Data Controller's website and for the production of statistics.
Scope of processed data and detailed purpose of data processing
Legal basis of data processing
The legal basis for data processing is the consent of the Data Subject (GDPR. point (a) of section (1) of Article 6. The use of cookies can be approved by the visitor by clicking on the” AGREE” button in the pop-up window on the home page of the respective website. By visiting the website of the Controller and accepting the cookie, the Data Controller accepts the following conditions, even if the Data Subject has not registered.
Duration of data management
The Data Controller shall retain the personal data until the Data Subject's consent is withdrawn. The Data Subjects may withdraw their consent at any time and request the deletion of their personal data by mail sent to 1089 Budapest, Orczy road 44-46., and electronically to info@bardiauto.hu
6.3 Data management related to the re-use of data provided in connection with registration
The purpose of data processing
The Data Subject (user of the website) has the opportunity to register on https://www.bardiauto.hu, https://garvisor.com, and https://autotechfuture.hu for the purpose of making use of the services provided by the Data Controller on the given website.
Scope of processed data and detailed purposes of data processing
At https://garvisor.com you can access the possible Facebook account and the registration data of the Bárdi Car page.
Legal basis of data processing
Contribution of Data Subject (GDPR. point (a) of section (1) of Article 6.
Duration of data management
Personal data will be deleted when the consent given by the Data Subject has been withdrawn, or failing that, 5 years after the consent has been given..
6.4. Enter other user information at Garvisor.com
The registered Data Subject has the opportunity to provide additional personal data about himself when using the site.
The purpose of data processing
The aim of Garvisor.com is to provide usable information to motorists and to enable registered service stations to appear on the surface and to get evaluation. The data subject motorists and service stations appearing in the system may provide additional information about themselves accordingly.
Scope of processed data and detailed purposes of data processing
Upon registration, users can submit different data on themselves on https://garvisor.com depending on whether they want to use the services of the site as an interested motorist, or a service operator or owner.
Those interested and motorists are not obliged to provide additional data, they can use the services of the site without them.
On the contrary, in connection with service stations, the site can only provide a real service if the corresponding data are fully included in the system, so this is necessary for the service station to be included in the system.
Legal basis of data processing
Consent of the Data Subject (point (a) of section (1) of Article 6. of GDPR).
Duration of data management
Personal data will be deleted when the consent given by the Data Subject has been withdrawn, or failing that, 5 years after the consent has been given.
6.5. Ordering or receiving a product or service
The registered Data Subject has the opportunity to order various products, parts, accessories, other items, provided services from the webshop at https://www.bardiauto.hu . At https://autotechfuture.hu/, the Data Controller provides a ticket purchase option for those interested.
The purpose of data processing
In the case of ordering a product or service, the purpose of data processing is to allow the Data Subject (or its personal contributor) to receive the ordered goods or services. If, during the provision of the service, the contracting party intends to provide the personal data of other Data Subject (s), he/she shall make a separate statement regarding the provision of the data.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
The legal basis for data processing is the fulfilment of a contractual obligation (point. 1 (b) of Art. 6. of GDPR), fulfilment of a legal obligation in relation to invoicing (point 1 (c) of Art. 6 of GDPR), during the period of limitation: legitimate interest (point 1) (f) of Art. 6 of GDPR). The processing of data related to any other beneficiary of the order is carried out by Elkertv. regulated by § 13/A (1) and Elkertv. § 13/A.
(3) and the related violations are governed by Article (1) 6:11 of the Civil Code and point (1) of § 6:14 of the Civil Code..
Description of legitimate interest
Informing the customer about the order or performance of the contract and the fulfilment of the contract itself. Claiming during the period of limitation.
Duration of data management
The data are deleted after 5 years from the termination of the relationship with the Data Subject pursuant to § 6:22 of the Civil Code. If we are obliged to retain the data pursuant to § 169 of Act 100 of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of the relationship with the Data Subject. In practice, this is the case where the data form part of the documents supporting accounting processes, for example in documents relating to the conclusion of the contract (if applicable, in the contract itself) or in the invoice issued. The data of other persons provided by the Client will only be processed for as long as necessary in connection with the provision of the service, but at the same time the declaration about the management of personal data given of other persons by the Client will be deleted after 5 years from the termination of the contact with the Data subject as per § 6:22 of the Civil Code.
The purpose of data processing
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
Contract performance (point B, section (1) of Art. 6. of GDPR)
Duration of data management
The data are deleted after 5 years from the termination of the relationship with the Data Subject pursuant to § 6:22 of the Civil Code. If we are obliged to retain the data pursuant to Section 169 of Act 100 of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of contact with you. In practice, this is the case where the data form part of the supporting documents, for example in documents relating to the conclusion of the contract (if applicable, in the contract itself) or in the invoice issued..
6.6. Sending messages, newsletters, DM activity, telephone contacts
Bárdi Automobile Hungary sends newsletters for the natural persons, clients of natural persons, natural persons and clients of legal entities who subscribe to the newsletter at https://www.bardiauto.hu , https://garvisor.com and https://autotechfuture.hu operated by Bárdi Automobile Hungary.
The purpose of data processing
The Data subject has the opportunity to subscribe to the marketing newsletter of the Data Controller. Accordingly, the Data Controller is entitled to send direct marketing newsletters to the data subjects who have subscribed to their given e-mail address and, if applicable, subsequently modified, with the regularity and content specified by the Data Controller. The newsletter contains awareness-raising information about new products, promotions, and other information related to the activities of the Data Controller.
Scope of processed data and Purpose of data processing
Legal basis of data processing
Pursuant to Act 48 of 2008 (“Grt”) § 1 point (1) on the Basic Conditions and Certain Limitations of Economic Advertising (Grt.) the prior, unambiguous and explicit consent of the Person data subject and the consent in compliance with point a) section (1) of Article 6 of the GDPR.
Categories of the data subjects
The natural person clients, the natural persons subscribing to the newsletter, the contact persons of the legal entities.
Duration of data management
Until withdrawal of the consent given by the Data subject, failing that, after 5 years from granting of consent the personal data will be deleted. The Data subjects may withdraw their consent at any time and request the deletion of their personal data by mail sent to 1089 Budapest, Orczy road 44-46., or electronically to info@bardiauto.hu.
6.7. Recording an error report (e.g. ticketing system)
The purpose of data processing
Possible errors noticed by the Data Subject when registering and ordering from the webshop
may be reported through the ticketing system.
Legal basis of data processing
Consent of the Data Subject or in case of registered Data subjects, fulfilment of a contractual obligation (point (b) of Art. 1 of § 8 of the GDPR),
Scope of managed data and detailed purpose of data management
The Data subject’s:
Duration of data management
In case of consent given by the Data subject the personal data will be deleted until its revocation or, in the absence of withdrawal, 30 days after the correction of the error. The Data subjects may withdraw their consent at any time and request the deletion of their personal data by mail sent to 1089 Budapest, Orczy road 44-46., or electronically to info@bardiauto.hu.
6.8. Contact, answering questions, fulfilment requests for information
The purpose of data processing
The registered Data subject has the opportunity to ask questions to the staff of the Data Controller and to some of its offices. By storing the data provided, the Data Controller is able to identify the interviewer and provide the answer or the information necessary for the data subject.
Scope of managed data and detailed purpose of data management
Legal basis of data processing
The legal basis for data processing is the consent of the Data subject (point (a) section (1) of § 6 of the GDPR).
Duration of data management
Until withdrawal of the consent given by the Data subject, failing that, after 5 years from granting of consent
The personal data will be deleted after 30 days. The Data subjects may withdraw their consent at any time and request the deletion of their personal data by mail sent to 1089 Budapest, Orczy road 44-46., or electronically to info@bardiauto.hu.
6.9 Joining the Bárdi Automobile Club
At the Bárdi Automobile webshop, in the mobile application or at any Bárdi Automobile representation ,the Data subject has the opportunity to register in the Bárdi Automobile Club, by which various discounts will become available.
The purpose of data processing
Ensuring the possibility of registration for the Data subjects and enforcing special discounts in the future.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
Consent of the Data Subject (point (a) of section (1) of Article 6. of GDPR).
Categories of the data subjects
The contact persons for natural persons or contacts of legal entities registered in the webshop or at any Bárdi Automobile representation.
Duration of data management
Personal data will be deleted when the consent given by the Data Subject has been withdrawn, or failing that, 5 years after the consent has been given.
6.10. Fulfilment of an inquiry
The purpose of data processing
The registered Subject Person has the opportunity to request a quotation on parts, accessories, other items and products at https://www.bardiauto.hu/.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
Consent of the Data Subject (point (a) of section (1) of Article 6. of GDPR).
Duration of data management
Personal data will be deleted when the consent given by the Data subject has been withdrawn and, failing that, 30 days after the consent is given, or in the case of an offer made within the framework of a contract, when the contract is performed (point b) of section (19 of Art. of the GDPR).
6.11. Giving the data of the vehicle
In connection with the use of the services provided by the Data Controller, the Data subject has the opportunity to provide the data of his vehicle at, for example, https://www.bardiauto.hu/ and https://garvisor.com.
The purpose of data processing
The registered Data subject has the opportunity to provide the details of his vehicle.
Legal basis of data processing
Consent of the Data Subject point a) of section (1) of Art. 6 of the GDPR or performance of the contract (point (b) of section of Art. 6 of the GDPR (1) in case a contractual commitment is connected to the vehicle.
Scope of managed data and detailed purpose of data management
Details of the Driving Document of the Data subject:
Details of the vehicle of the registered Data subject:
Duration of data management
In case of consent given by the Data Subject, personal data will be deleted until its withdrawal or at the latest 5 years after the consent has been given. The Data subjects may withdraw their consent at any time and request the deletion of their personal data by mail sent to 1089 Budapest, Orczy road 44-46., or electronically to info@bardiauto.hu .
In case of fulfilment of a contractual obligation, the data will be deleted after 5 years from the terminal of relation with the Data subject, Pursuant to § 6:22 of the Civil Code. If we are obliged to retain the data pursuant to § 169 of Act 100 of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of the relationship with the Data Subject. In practice, this is the case where the data form part of the supporting documents, for example in documents relating to the conclusion of the contract (if applicable, in the contract itself) or in the invoice issued.
6.12. Data management related Customer Purchase and Personal Service
The purpose of data processing
The Data subject (Buyer) has the opportunity to purchase various parts, accessories and other items in the store of the Data Controller.
Scope of managed data and detailed purpose of data management
Legal basis of data processing
The legal basis for data processing is the performance of a contract (Art. 6 para. 1 b) GDPR).
Duration of data management
The data are discontinued after the termination of the relationship with the Data Subject Pursuant to § 6:22 of the Civil Code. If we are obliged to retain the data pursuant to § 169 of Act 100 of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of the relationship with the Data Subject.
6.13. Drawing up minutes in respect of an error
The purpose of data processing
The Data Subject (Buyer) must provide these personal data in order for the Protocol of objection to be completed and the Data Controller can correct any error.
Legal basis of data processing
Contract performance (point B, section (1) of Art. 6. of GDPR) Article 6 (1) (b).
Scope of processed data and detailed purposes of data processing
Duration of data management
The data are discontinued after the termination of the relationship with the Data Subject Pursuant to § 6:22 of the Civil Code. If we are obliged to retain the data pursuant to Section 169 of Act 100 of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of contact with you. In practice, this is the case where the data form part of the supporting documents for accounting, namely they are included in the documents relating to the conclusion of the contract (the contract itself, if applicable) or in the invoice issued.
6.14. Data management related to the minutes drawn up
The purpose of data processing
The Data Subject (Buyer) must provide these personal data in order for the Protocol of objection to be completed and the Data Controller can correct any error.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
The legal basis for data management is the fulfilment of the legal obligation (Point (1)(c) of Article 6 of the GDPR. Companies are obliged to investigate - on the merit - the complaints received by them on the basis of Act 155 of 1997 on Consumer Protection and Act 165 of 2013 on Complaints and Notices of Public Interest.
Duration of data management
The Data Controller manages personal data for 5 years from the date of the complaint.
6.15. Data management related to camera surveillance
The purpose of data processing
The Data Controller manages the data recorded by the surveillance cameras for the following purposes:
Scope of processed data and detailed purposes of data processing
Portrait: Protection of persons and property
Cameras Location
| Camera identifier |
Camera Location | Area visible on the record | Data subjects shown on the records | The camera’s purpose of use |
| K01 | Entrance | The front door and the hall | Employees, Customers, Suppliers, Subcontractors | Protection of persons and property |
| K02 | Client space | Direct environment of the customer service | Employees, Customers, Suppliers, Subcontractors | Protection of persons and property |
ALegal basis of data processing
The legal basis for data processing is the legitimate interest of the Data Controller (point (1) (f) of Art. 6 of the GDPR).
Examination of legitimate interest
Interest of the Data Controller
The Data Controller uses the camera surveillance system in order to protect human life, physical integrity, business, payment, bank secrecy and property protection and in case of complaints effectively investigates them.
Examination of the legality of the interest
Under Act CLV of 1997 on Consumer Protection and Act CLXV of 2013 on Complaints and Notices of Public Interest, undertakings are obliged to investigate the complaints received by them in substance.
Pursuant to section (1) of § 1. of the 54th Act of 2018 about the protection of business secret - in order to ensure secrecy of business secret, fact, information and other detail of property value as well as a composition made thereof - the secret hold shows behaviour usually expectable in the given situation.
Pursuant to section (1) of § 31 of the 133rd Act of 2005 on the rules of personal and property protection and private detective activity any form of electronic surveillance system enabling for making image, voice or picture and voice recording may be used in order to protect human life, integrity and personal freedom; safeguarding of dangerous materials, protection of business, payment, bank and security secrecy, as well as for property protection.
The data manager and controller performs appropriate technical and organizational measures pursuant to section (1) of article 32 (thereinafter the GDPR), with respect to the state of art of science and technology, the costs of implementation, the nature, scope, conditions and purposes of data management, the variable probabilities and seriousness of risks to the rights and freedom of the natural persons in order to grant data security complying with the measure of the risk.
Duration of data management
The Data Controller keeps records of the data for 8 days. In the event of a personal and property incident, the Data Controller is entitled to manage the recordings for more than 8 days.
6.16. Facebook / Instagram
By clicking on the Facebook page of the Data Controller - the “like” link, the data subject agrees to the publication of news and offers prepared by the Data Controller on his Facebook message board.
The Data Controller on the Facebook pages used by him(https://www.facebook.com/bardiauto, https://www.facebook.com/garvisorszervizkereso, and https://www.facebook.com/cartars17) and on the Instagram interfaces operated by him or https://www.instagram.com/cartars_official) allows the Data subjects to express their opinion by clicking on the “like” link or publish the news and offers prepared by the Data Controller on their own pages. The operators of social networks are separate data controllers independent of the Data Controller, so the activities carried out there are data processing documents independent of the Data Controller.
The operators of social networks are separate data controllers independent of the Data Controller, so the activities carried out there are data processing documents independent of the Data Controller.
Information on the data management of the Facebook page can be found at the Facebook website - www.facebook.com privacy policies and regulations.
The purpose of data processing
● Communication on channels operated by Facebook.com
The Data Controller communicates with the Data subjects through Facebook and Instagram social networks only, - and thus the purpose of the scope of the processed data becomes relevant - if the data subject has previously contacted the Data Controller via the social network.
● Sharing and dissemination of information
The purpose of the presence at the social media portals and data management is to share, publish and promote the content on the social network. The social networking site provides information on the latest possibilities for Data subject.
The Data Controller also publishes text content, images and video recordings at its social media pages in connection with marketing events organised by the Data Controller, which may subsequently be posted to other social networks in accordance with the rules of the Community portal. After publication, the Data Controller is not able to supervise and control further publications in any way. However, the Data Controller always asks the written consent of the data subject prior to the publication of the pictures - if they are not crowd scenes or records made of a public figure.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
Use and contacts made through the community sites operated by the Data Manager (https://www.facebook.com/bardiauto, https://www.facebook.com/garvisorszervizkereso, https://www.facebook.com/cartars17, and https://www.instagram.com/bardiauto,orhttps://www.instagram.com/cartars_official) and other operations permitted by the community site are based on voluntary consent. The operators of social networking sites are separate data controllers independent of the Data Controller, so the activity carried out there is contained in the data processing documents belonging to the community site independent of the Data Controller.
Information on the data management of the Facebook page can be found at the Facebook website - https://www.facebook.com/legal/terms - and you can get information from the Data Protection Principles and Regulations.
The Data subject voluntary consents on the basis of the conditions of the community site to follow-up and liking of the contents published at the sites operated by the Data Manager. By way of example, the Data subject may subscribe to a news feed posted on a Facebook message board by clicking on the “like” link on the page, thereby contributing to the posting of the Data Controller’s news and offers on his or her own message board and may unsubscribe by clicking “dislike” at the same page and may delete non-desired news feed from his message board, too.
The scope of the data subjects
Natural persons who voluntarily follow, share and like the social media pages of the Data Controller and the content published by the Data Controller on Facebook and Instagram pages.
Duration of data management
Until unsubscribing of the data subject, at his request, until cancellation.
6.17. LinkedIn
The Data Controller operates its own interface - https://www.linkedin.com/company/bárdi-autó-zrt - on a business-focused social networking site called LinkedIn. In the interface, the Data Controller primarily includes professional content, i.e. articles, posts, to which anyone can access - regardless of the follow-up of the LinkedIn page - and can comment. It is possible to contact the Data Controller, or more specifically the administrator of the LinkedIn Site, through the messaging function of LinkedIn.
The purpose of data processing
The purpose of the operation of the social network is to enable those interested to express their opinion on the content placed there, to put questions, make comments, or to contact the Data Controller in the form of a private message.
The Data Controller also aims to publish vacancies and receive applications related to this.
Scope of processed data and detailed purposes of data processing
The Data Controller can see the followers of the LinkedIn social networking site and, in particular, the followers and subscribers to https://www.linkedin.com/company/bárdi-autó-zrt - website, as well as, those, who connect to it, i.e. the public information place on the profiles of the Data subjects.. The Data Controller shall also have access to the information related to the activities and expressed by the Concerns person at:
Personal data posted by the Data subject on the LinkedIn Group or LinkedIn Site may be accessed by anyone based on the principle and rules of operation of the social networking site. The Data Controller has no control over who exactly gets to know the data published on the social network or does not have the right to erase the data.
The data posted in the LinkedIn Group is also known only to the members of the LinkedIn Group, the personal data provided in private messages or job applications can only be found by the recipients of the private message or the Data Controller.
Legal basis of data processing
LinkedIn Ireland Unlimited Company (Gardner House, Wilton Plaza, Wilton Place, Dublin 2, Ireland, hereinafter referred to as: LinkedIn Ireland), as an independent data controller, processes the data of persons who interact with or submit a job application on the LinkedIn Group or LinkedIn page in accordance with its own privacy policy. The LinkedIn Site can be visited by anyone, our content and job advertisements can be viewed by anyone.
LinkedIn Ireland's general privacy policy is available at https://www.linkedin.com/legal/privacy-policy?src=li-other&veh=www.linkedin.com#use.
If we obtained your data directly from you, on the LinkedIn website, through a recommendation or in any other context in which you can count on our request (e.g. previous customer contact, meeting at a professional event or contacting a professional site), we will manage your data based on our legitimate interest, but in this case we also fulfil the obligation to provide information and strive to obtain consent.
Description of legitimate interest
It is our legitimate interest to contact you or the company or organization you represent using the social networking platform. We do not restrict your interests or fundamental rights in any way during the process.
Duration of data management
Profile data, that is publicly announced personal data of the Data subjects may only be deleted and removed by LinkedIn Ireland Unlimited Company Gardner House, Wilton Plaza, Wilton Place, Dublin 2, Ireland, thereinafter: LinkedIn Ireland), operating the community site.. However, the Data Controller may remove activities, reactions, opinions and contents published at the LinkedIn site at page https://www.linkedin.com/company/bárdi-autó-zrt- . The Data Controller reserves the right to moderate, delete and remove certain posts on the LinkedIn Site if it considers that they violate the terms and conditions of use of the LinkedIn or LinkedIn Site (e.g. violent, sexual content) and ban (block) people who are severely offending the conditions of use.
Job applications submitted through LinkedIn and the recruitment process are evaluated in accordance with the Data Management Information.
6.18. Twitter
The Data Controller operates a separate Twitter channel https://twitter.com/bardiauto and shares information there, which users who registered on Twitter can view, evaluate and comment.
The purpose of data processing
The Data Controller will share information on a community site, promote its products, promotions or other messages intended for its potential customers. By sharing information, it acts in its own business interests, its aim is to receive quick feedback from the Data subjects regularly visiting its social networking site and to contact them directly, if appropriate.
Scope of data managed
Users registered on Twitter social networks
● username,
● public profile picture.
The scope of the data subjects
All concerned who registered on the Twitter social networking site and “liked” the https://twitter.com/bardiauto social channel.
Legal basis of data processing
Voluntary consent of the data subject to the processing of his personal data on social networks.
Duration of data processing, deadline for deletion of data
Data processing is carried out on social networking sites, so the duration, method of data processing and the possibilities of deletion and modification of data are governed by the regulation of the relevant social networking site!
6.19. Youtube.com
The Data controller operates independent Youtube account by sharing videos - at which surface https://www.youtube.com/user/bardiautozrt anybody may view the uploaded records or can subscribe to this channel.
When the Visitor starts playing of an embedded Youtube video, a program of short digits or characters (cookie) will be installed on its device, which collects information on his habits of use. Youtube (and its owner, the Google) performs independent data management. The information collected is intended, inter alia, for the production of statistics aimed at facilitating user-friendliness and preventing abuse.
Purpose of data collection
Share or “like”, promote, manage subscriptions, recruit subscribers, or manage information that supports business on social media sites, products, promotions or the website itself.
Scope of data managed
Username registered on Youtube community sites, or public profile picture of the user.
The scope of the data subjects
All data subjects who have registered and “liked”, “commented” on the relevant social networking sites or otherwise interacted with the site and its published content.
Legal basis of data processing
Voluntary consent of the data subject to the processing of his personal data on Youtube.
Duration of data management, deadline for deletion of data, identity of authorised controllers: Data management is carried out on social networking site of YouTube, so the duration, method of data processing and the possibilities of deletion and modification of data are governed by the regulation of the relevant social networking site! You can find more information about the data protection measures of Youtube at the following link:https://www.google.hu/intl/hu/policies/privacy
6.20. Data management related to conclusion of contract with the partners
In order to fulfil the activities of Bárdi Automobile Hungary at a high level, it entrusts different partners with the performance of certain tasks and subtasks.
The purpose of data processing
The purpose of Data Processing is to conclude ad hoc contracts or framework agreements with the legal or natural person contracting the task or subtask.
Scope of processed data and detailed purposes of data processing
Scope of processed data and detailed purposes of data processing
(for the guarantor contract that may be necessary for the agreement)
Legal basis of data processing
Before the conclusion of the contract, the consent of the Data Subject (GDPR. point (1) a of Art. 6 of the GDPR), thereafter the legal basis for data processing is the performance of a contract (point (1) b. of Art. 6 of the GDPR).
Duration of data management
Data processed on the basis of consent shall be stored by the Data Controller until the withdrawal of consent or failing that, for a maximum of 5 years.
In case of fulfilment of a contractual obligation, the data shall be blocked after the termination of the relationship with the Data subject - based on § 6:22 of the Civil Code, within 5 years. If we are obliged to retain the data pursuant to § 169 of Act 100 of 2000 on Accounting (“Accounting Act”), the data will be deleted 8 years after the termination of the relationship with the Data Subject. In practice, this is the case where the data form part of the supporting documents, for example in documents relating to the conclusion of the contract (if applicable, in the contract itself) or in the invoice issued.
6.21. Data management related to found objects
The purpose of data processing
Administration of objects found on the territory of the site (s) operated by the Data Controller and on events organized and supervised by the Controller, notification of the suspected owner or the finder.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
Paragraphs 5:54. § 5:55, § 5:59 and § 5:61 of 5th Act on the Civil Code.
Duration of data management
For a statutory period, 1 year after the object was found.
6.22. Employees recruitment, reception of employees’ applications
The purpose of data processing
The Data Controller provides the possibility for the Data subject to apply for the job advertised him.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
The legal basis for data processing is the consent of the Data subject (point (a) section (1) of § 6 of the GDPR).
Duration of data management
After selecting the appropriate person for the position to be filled, the Data Controller sends information to the other relevant applicants that the employer has not chosen him for the given job, and at the same time requests his express and voluntary consent in writing to saving the resume and related personal documents containing data. The purpose of data processing is to enable the Data subject to participate in subsequent applications of the Data Controller in a simplified manner. The explicit consent of the data subject permits the processing of his personal data for a period of 5 years, after which the data will be anonymised.
If the Data subject does not consent to the retention of his application material or personal data, the data will be anonymized within 30 days and the CV will be destroyed.
The Data subjects may withdraw their consent at any time and request the deletion of their personal data by post to 1089 Budapest, Orczy road 44- 46., or electronically to info@bardiauto.hu . The Data Controller shall comply with the request if the desired operation is reasonably practicable.
6.23. Issuing of financial documents and invoices
The purpose of data processing
The Data Controller processes these data for the issuance of supporting documents and invoices relating to the Data subject (subcontractor or his personal contributor).
Legal basis of data processing
Contract performance (point B, section (1) of Art. 6. of GDPR)
Categories of personal data
Data directly required for billing.
Duration of storage
The data are discontinued after the termination of the relationship with the Data Subject Pursuant to § 6:22 of the Civil Code, it will be deleted in 8 years.
6.24. Data processing related to credit card data:
The purpose of data processing
In case of payment by credit card, the Data Subject must provide these data in order to ensure the financial performance of the service.
In the case of online payment transactions, part of the data from the individual partners is transferred to the Data Controller by data transfer.
Scope of processed data and detailed purposes of data processing
Legal basis of data processing
The legal basis for data processing is the performance of a contract (point (1) b) of Art. 6 of the GDPR).
Duration of data management
The Data Controller processes personal data for 8 calendar days after the departure of the data subject.
6.25. Application of an access control system
It is in the interest of the Data Controller to manage the risks associated with the entry of visitors, clients and partners, to take appropriate and proportionate measures and, where appropriate, to limit the reception of visitors. In order to ensure the safe conduct of visits, the Data Controller uses an electronic and paper-based entry system.
The purpose of data processing
Controlled entry of visitors and administration of entries and exits. The Data Controller processes the personal data of visitors for the following purposes:
Legal basis of data processing
The legal basis for data processing is the legitimate interest of the Data Controller (point (1) (f) of Art. 6 oof the GDPR).
The data controller has a legitimate interest in the protection of persons and property, banking secrecy, business information and the preservation of personal data at its premises. In order to achieve this interest, an electronic and paper-based access control system is operated.
Identification of legitimate interest
The data controller has a legitimate interest in the protection of persons and property, banking secrecy, business information and the preservation of personal data at its premises. In order to achieve this interest, electronic and paper-based access control systems are operated.
Proof of the legality of the interest
Legality is supported by Section (1) of § 32. of 133rd Act of 2005 on the Rules of Personal, Property Protection and Private Detection activity, according to which an access control system can be applied if the protected area is covered by law or by the provision of the right to use the territory then only those rightsholders may enter or stay therein.
The legitimate interest is real and topical, as the data controller actually and continuously receives a large number of external visitors, so it would pose a security risk if the entries were carried out unsupervised. The entry system therefore effectively and promptly reduces the security risks posed by a large number of entries..
Categories of personal data
The scope of the processed personal data has been established in such a way that the identity of the visitors can be identified and verified during the period of data processing.
Duration of storage
The personal data of the data subjects will be deleted after 1 year from the date of entry.
6.26. Use of body temperature measurement at entry
The Bárdi Automobile Plc. uses the body temperature measurement as a uniformly covering protection measure for all persons intending to enter the territory and buildings of its own and use.
It is not subject to the identification of the subject of body temperature measurement specifically for this purpose and does not entail the recording, further storage or transmission of data in any way. Subsequently, only those persons who can be allowed to enter through the body temperature measurement will take part in the entry process.
Reason
From the fact itself that a person has a higher body temperature it cannot be concluded that he is infected with a new type of coronavirus epidemic, so the controller cannot draw any conclusions about the health of the person based on the body temperature measurement at the entry status, so the controller is only entitled to authorise or refuse entry
The Data Controller therefore decides only to allow access to or deny access to the territory of all persons, whether having a legal relationship with him or any other person attempting to enter its territory (because, based on the results of the measurement, it carries a risk for other persons).
If the person acting on behalf of the controller refuses access, the Data subjects is responsible for further handling the situation (medical consultation, sick leave and sick money administration, informing the manager at work, etc.).
7. Persons authorised to process data, data transfer
The Data Controller shall use the data processors listed in the table below to perform the technical tasks related to data processing operations. The rights and obligations of the data processor in relation to the processing of personal data are determined by the Data Controller within the framework of the GDPR and the specific laws relating to data processing. The Controller shall be responsible for the legality of the instructions given by him. The data processor cannot make a substantive decision concerning the processing of data, it may process the personal data which he has become aware only in accordance with the provisions of the Controller, shall not carry out processing for its own purposes, and shall store and save personal data in accordance with the provisions of the Controller.
The Data Controller shall use the data processors listed in the table below to perform the technical tasks related to data processing operations.
| Name and contact details of the data processors | Personal data known by the data processor and the activity performed during data processing | Duration of data processing |
|
DPD Hungária Kft.
|
Personal data given by the Data subject |
In case of a contract with indefinite period of time until termination of the contract, or until deletion request of the Data subject submitted to the present data processor. |
|
Számlázz.hu
|
Access to billing information, transaction documents, and personal information processed on them. | In case of a contract with indefinite period of time until termination of the contract, or until deletion request of the Data subject submitted to the present data processor. |
|
Wanadis Trading and Service Co. Ltd.
|
Name and e-mail address given by the Data subject. |
In case of a contract with indefinite period of time until termination of the contract, or until deletion request of the Data subject submitted to the present data processor. |
7.1. Data transfer
The Data Controller performs the data transfers listed in the table below in relation to its activities.
| Data Processors Name and contact details | Activity performed in the course of data processing |
| Name of Law Firm Address: Phone: E-mail: Data management information: |
AAccess is allowed to the data necessary for the handling of legal matters and the personal data processed in connection with them. The lawyer is not a processor because he is entitled to dispose of the data independently in accordance with the legal and professional regulations applicable to him. |
| Name of the Bank/Payment Service Provider Address: Phone: E-mail: Data management information: |
In case of payment and charging by credit card, personal data will be transferred to the acquirer for the purpose of fulfilling the contract and handling chargeback claims. The card acceptor has the right to dispose of the data independently in accordance with the provisions of contracts concluded by the bank card holder with his own bank. The data processing of our card accepting partner as data controller is subject to its own privacy policy and rules. |
| Acting authority | The Data Controller transmits the records to the authority (e.g. police, national security authority, court, infringement authority, prosecutor's office) in cases specified by law (e.g. criminal offence or suspicion, etc.) based on the minutes drawn up of data supply. |
8. Analytical services, cookies
Data Controller may use cookies as well as follow-up codes of external service providers (in particular: Google, Facebook) to monitor user interest, demographic data, and behaviour on the website. The Data Controller does not use the collected data for profiling, does not use it in the context of automatic decision-making, collects it for statistical purposes and analyses it for the development of its services.
In addition, the Data Controller may use aggregated data obtained from interest-based advertising services or audience data (such as age, gender and interests) for the purpose of creating and developing general website reports and for use in advertising on marketing lists.
The aim of the foregoing is to continuously improve our internet interfaces, and to increase the effectiveness of our online interfaces and advertising related to our campaigns.
8.1. Google Analytics
External service providers support independent measurement and audit of website attendance and other web analytics data (see google.com/analytics/ for details.
The Google Analytics service enabled by Google may be banned at the website in case of Display-type ads and the advertisements of the Google Display Network can be customized.. All tracking performed by Google Analytics can be disabled using the browser module.
8.2. Facebook remarketing
We also use Facebook's remarketing code to display targeted ads. If you don't want to see ads based on page visits and interests, you can turn off the service.
8.3. Cookies
The Data subject agrees that the Controller shall place a file containing data (cookie) on the Data subject Party's computer. The purpose of cookies is to identify returning Data subjects, to provide services to them and to support the convenience of the website.
The Data Controller only uses cookies from external service providers (Google) on the Website. Cookies are short text files sent by the Website to the hard drive of the Data subject’s computer and contain relevant information.
The data processing of the above mentioned external service providers shall be governed by the data protection regulations laid down by these service providers and the Controller shall not assume any responsibility for such processing.
You can set your web browser to accept all cookies, reject all cookies, or notify you when a cookie arrives on your computer. Each web browser is different, so please use the “Help” menu of your search engine to change your cookie settings. For example, in Microsoft Internet Explorer, you can delete or disable cookies by selecting “Tools/Internet Settings” and changing your security settings. For more information on the nature of cookies and how to disable them, see http:// www.youronlinechoices.com/en/ . The Website is designed to work with cookies, so disabling them may affect the usability of the Website and prevent you from taking full advantage of it.
We do not exchange cookies with third-party websites or third parties.
8.4. Facebook pixels
The website also contains so-called Facebook pixels, which allow Facebook to collect or receive data from the site using cookies, web beacons and similar data storage technologies, and may use this data to provide measurement services, and show targeted ads.
9. Change or deletion of personal account data
Immediately after registration, the personal account of the Data subject will be completed, and the Data Subject will receive a notification to the e-mail address provided by him. The processing of the data recorded during registration is necessary for the performance of the service provided by the webshop and for the identification of the Data subject, so the Seller handles them until the personal account is deleted. The Data subject may modify the data provided during registration at any time in the relevant interface of the Website. The termination of the personal account of the Data Subject may be initiated by sending an e-mail message to the Customer Service. The Data Subject shall be notified by e-mail to the e-mail address given by the Data Subject within a maximum of 5 working days. By the termination of the personal account, the data recorded during registration of the Data subject will become inactive and their processing will be suspended by the Data Controller. The Data subject withdraws his consent to data processing by deleting the registration, in which case his personal data will be deleted from the system within 30 days.
10. Information related to children
Persons under the age of 16 may not provide personal data about themselves unless they have requested permission from a parent or guardian.
In the case of a Data subject under the age of 14, his legal representative or guardian may provide personal data and make a legal statement on his/her behalf.
Data subjects over the age of 14 but under 18 years of age may provide personal data only with the consent of their legal representative or guardian and with their consent.
By providing this information, you represent and warrant that you will act in the light of the foregoing, and your ability to act in connection with the provision of information is not limited. If you are not legally entitled to provide the information independently, you are obliged to obtain the consent of the Affected third parties (e.g. legal representative, guardian). In this context, you are obliged to consider whether the consent of a third party is required in connection with the provision of that information. The Controller may not have personal contact with you, so you are obliged to ensure compliance with this section and the Controller is not liable in this respect.
We will make every reasonable effort to delete any information that has been unauthorised and to ensure that this information is not transmitted to or used by us (for advertising or other purposes). Please inform us immediately if you find that a child has provided unauthorized information about himself. You can contact us using the contact details highlighted at the beginning of the Notice.
11. The handling of complaints
11.1. Oral complaint
Any oral complaint received from the customers by telephone or in person shall be immediately examined, registered and, if necessary, the required measures taken.
The record of the complaint shall contain the following data:
If the customer does not agree with the handling of the complaint, the Controller shall immediately record the complaint, its handling and his views of it, and provide or send a copy of it to the Customer.
Once the minutes have been drawn up, the case shall be treated in a manner similar to the written complaint and in accordance with the same rules.
11.2. Written complaint
The Data Controller and its staff handle incoming complaints in the manner specified by law. A protocol is drawn up in respect of the complaints containing data similar to that of oral complaints. The Data Controller shall, unless otherwise provided for in the directly applicable legal act of the European Union, reply to the written complaint in writing and take action to communicate it within 30 days of its receipt.
The Head of the Data Controller or the administrator appointed by him may listen to the complainant (notifier) or contact external experts if the examination of the complaint or notification makes it necessary.
The Data Controller tries to act quickly and decide whether to investigate, rectify or reject the complaint in accordance with the applicable law. It shall send its decision to the notifier in a clear and unambiguous way and in response to all the problems raised.
In case of rejection of the complaint, the Data Controller informs the client in writing which authority or the conciliation body may initiate proceedings in respect of the nature of his complaint.
The Data Controller shall keep the record of the complaint and the copy of the reply for five years and present it to the controlling authorities at their request.
12. Transfers and guarantees of data to countries outside the EEA
The Controller does not transmit data in any way to other countries or to areas outside the European Union.
13. Data security measures
The Controller shall take all necessary measures to ensure the security of the data, ensure an adequate level of protection, in particular for unauthorised access, alteration, transmission, disclosure, deletion or destruction, and for accidental destruction and against injury. The Controller shall take care for adequate technical (e.g. logical protection, in particular encryption of passwords and communication channels) and organisational measures (physical protection, in particular training for data security of the Data Controller's employees, restriction of access to information).
The Data Controller ensures the security of the data and the lawful processing of the data in the manner described below:
Please help us protect this information by not using an overly obvious login name or password and changing your password regularly, and please do not make your password accessible to anyone else.
The Data Controller expects all employees who choose to work at home to apply the required security features on their workstation. Data Controller will provide all staff with the necessary IT support in order to ensure proper safe use.
14. Rights and remedies of the Data subject
The data protection rights and remedies of the Data subject and the relevant provisions and restrictions of the GDPR are detailed in the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). Below is a summary of the most important provisions.
14.1. The Data subject 's right of access
The Data subject is entitled to receive feedback from us as to whether or not the processing of his/her personal data is in progress. If such data processing is in progress, the Data subject is entitled to access personal data and the following information:
If personal data are transferred to a third country, the Data subject shall have the right to be informed of the appropriate guarantees regarding the transfer.
Copies of the personal data which are the subject of data processing are made available to the Data subject. Where the Data subject has submitted an application by electronic means, the information shall be provided in a widely used electronic format, unless otherwise requested by the Data subject.
14.2. Right to rectification
The Data subject has the right to ask for rectification of inaccurate personal data concerning him/her without undue delay. The Data subject shall have the right to request the addition of incomplete personal data, by means of a supplementary statement.
14.3. Right of cancellation ("right to forget")
The Data subject shall have the right to request us to delete the personal data relating to him/her without undue delay if one of the following reasons applies:
If the Data Controller has already disclosed the personal data but is obliged to erase it, it shall take reasonable steps, including technical measures and taking into account the available technology and the cost of implementation, in order to inform the data managers, who also store or publish the data, that the Data subject has requested the deletion of links to such personal data or copies and duplicates of such personal data.
The above shall not apply where processing is necessary, including:
14.4. Right to restrict data processing
The Data subject has the right to restrict the processing at his request if one of the following is fulfilled:
Where processing is subject to restriction pursuant to paragraph 7.4.1, such personal data, except for storage, shall be used only with the consent of the Data subject, either for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person, or for the purposes of the Union or the important public interest of a Member State.
The Data Subject shall be informed in advance of the release of the restriction of data processing.
14.5. Notification obligation related to the rectification or deletion of personal data, or limitation of data processing
The Controller shall inform all recipients of any rectification, erasure or restriction of processing to whom the personal data has been disclosed, unless this proves impossible or requires disproportionate effort. At the request of the Data subject, he/she will be informed you of these recipients.
14.6. The right to data portability
The Data subject shall have the right to receive the personal data relating to the Data subject which he has provided to us in a structured, widely used, machine-readable format, and shall have the right to transmit such data to another controller without hampering this by the Controller if:
● the processing is based on consent or contract; and
● data processing is carried out in an automated manner.
In exercising the right to portability of data in accordance with paragraph 7.6.1, the Data subject shall have the right to request, if technically feasible, the direct transfer of personal data between controllers.
14.7. Right to protest
The Data subject has the right to object at any time to the processing of his/her personal data based on legitimate interests, including profiling. In this case, the personal data will no longer be processed unless we prove that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the Data subject or which relate to legal claims, to the enforcement or protection of the system.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data relating to the Data Subject for this purpose, including profiling, in so far as it relates to direct marketing.
If the Data subject objects to the processing of personal data for the purposes of direct marketing, the personal data may no longer be processed for that purpose.
In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the Data subject may exercise the right to object by automated means based on technical specifications.
Where personal data are processed for scientific and historical research or statistical purposes, the Data subject shall have the right to object to the processing of personal data relating to him/her for reasons of his own situation, unless the processing is carried out for reasons of public interest.
14.8. Right to complain to the supervisory authority
Based on the GDPR and the Civil Code, the Data subject may enforce his/her rights in court and turn to the National Authority for Data Protection and Freedom of Information (NAIH) (1125 Budapest, Szilágyi Erzsébet alley 22/C; mailing address: 1530 Budapest, P.O.Box: 5; telephone: +36 1 391 1400; e-mail: ugyfelszolgalat@naih.hu) in case of a complaint about the data controller's practices. Detailed rights and remedies for data processing are set out in Articles 77.79 and 82 of the GDPR.
14.9. Right to an effective judicial remedy against a supervisory authority
The Data subject is entitled to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him/her
The Data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the Data Subject within three months of the procedural developments or the outcome of the complaint lodged.
- Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
14.10. Right to an effective judicial remedy against the Data Controller or the Processor
The Data subject is entitled to an effective judicial remedy if he considers that his rights under the GDPR have been violated as a result of inadequate processing of his personal data in accordance with the GDPR.
Proceedings against the Controller or the processor shall be brought before the courts of the Member State in which the controller or processor is situated. Such proceedings may also be brought before the courts of the Member State of habitual residence of the Data subject.
It is recommended to send the complaint to the controller before initiating a procedure.
15. Legal remedy
In case of a request or a problem, please contact us; we will receive your request by post at 1089 Budapest, Orczy road 44-46 or electronically at info@bardiauto.hu , and we will endeavour to reply promptly and respond to your request as soon as possible. If you are not satisfied with something or feel that your rights have violated in relation to the processing of your personal data, you can also apply to the competent tribunal, the Metropolitan Tribunal in the capital, or initiate an investigation with the National Authority for Data Protection and Freedom of Information.
Chairman: dr. Attila Péterfalvi,
Address: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.,
Contact: ugyfelszolgalat@naih.hu, +36-1-3911400, www.naih.hu
Updated on 15th April 2021
