PRIVACY AND DATA PROTECTION NOTICE AND STATEMENT

1. Data controller’s information
2. Privacy Statement
3. Terminology
4. Basic principles of data management
5. Managed Data
5.1. Contact
5.2. Registration
5.3. Log in
5.4. Protection contract
5.5. Reporting damage
5.6. Partner program
5.7. System messages
5.8. Accounts management
5.9. Newsletter
6. Data security
7. Transmission and transfer of data
8. Rights of data subjects
8.1. Right to advance information
8.2. Right to access
8.3. Right to rectification
8.4. The right to erasure (“the right to be forgotten”)
8.5. The right to restrict data processing
8.6. The right to a notification related to the correction or deletion of personal data or the limitation of data processing
8.7. Right to data portability
8.8. The right to protest
8.9. Automated decision-making, profile creation
8.10. The data subject’s right to information about the data protection incident
8.11. The data subject’s right to file a complaint with the supervisory authority
8.12. The right to an effective judicial remedy against the supervisory authority

1. Data controller’s information

Name of data controller: QProtection Protect Zrt.
Headquarters: Hungary, 1054 Budapest, Honvéd utca 8. 1/2.
Representative: Fekszi Vivien
Tax number: 32121012-2-41
Company registration number: 01-10-142082
The person responsible for data management: Bándli Renátó
E-mail: renato.bandli@millionstarter.com
Telephone: +36 30 157 5711
Website: www.qprotectionpro.hu

2. Privacy Statement

This Data Protection Information and statement (hereinafter: Information) contains the rules, data protection, and data management principles, as well as information on data management arising during the use of the www.qprotectionpro.hu website operated by QProtection Protect Zrt. (hereinafter: Data Controller).

When using our website, you provide your personal data. We handle this data with the greatest care, following the provisions of the law, and we always try to meet your data management needs and expectations. We always take special care when handling data and protect data from unauthorized access. We consider this to be of utmost importance.

The laws governing our data management activities:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (General Data Protection Regulation, GDPR; hereinafter: Regulation)
  • Act CXII of 2011 on the right to informational self-determination and freedom of information (Info tv.)
  • Act CVIII of 2001 on certain issues of electronic commercial services and services related to the information society (“Eker. tv.”)
  • Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity

The purpose of the Information Sheet is to explain the rights and obligations of persons registering on our website or visiting our website about data transfer, data management, data protection, the scope of the data we manage, the principle and methods of data management, its purpose, legal basis, and duration.

3. Terminology

GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons concerning the processing of personal data and the free flow of such data, and the repeal of Regulation 95/46/EC (general data protection regulation)

Personal data: any information about the data subject, such as an identifier, name, number, location data, online identifier, or data about the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person.

Special data: personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs, or trade union membership, as well as genetic and biometric data aimed at the unique identification of natural persons, health, and personal data relating to the sex life or sexual orientation of natural persons.

Data handling: regardless of the procedure used, any operation performed on personal data or data files or the set of operations, including in particular the collection, recording, organization, segmentation, storage, change, transformation, use, query, transmission, disclosure, coordination or connection, blocking, deletion and destruction, access to the data and prevention of further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprints or palm prints).

Data controller: any natural or legal person or organization without legal authority who, independently or together with others, determines the purpose and means of personal data management, makes and implements decisions regarding data management, or implements them through a data processor.

Data processor: any natural or legal person or organization without legal authority who manages personal data on behalf of the data controller.

Data subjects: any natural person who is identifiable based on specific personal data – directly or indirectly, based on one or more factors. A natural person who can be identified directly or indirectly, especially based on an identifier such as name, number, location data, online identifier, or one or more factors.

Data transfer: making personal data available to specific third parties. Data transfer to EEA member states and the bodies of the European Union is considered data transfer within the territory of Hungary.

Data erasure: making the data unrecognizable by deleting content or in a way that enables an equivalent result.

Data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise handled.

EEA member state: a member state of the European Union and any other state party to the Agreement on the European Economic Area, as well as a state whose citizens, based on an international treaty concluded between the European Union and its member states and a state that is not a party to the Agreement on the European Economic Area, enjoy the same legal status as citizens of a state party to the Agreement on the European Economic Area.

Third country: any state that is not an EEA member state.

NAIH: National Data Protection and Freedom of Information Authority, supervisory authority under the GDPR in relation to Hungary.

4. Basic principles of data management

Personal data:

  • is handled legally and fairly, as well as in a transparent manner for the data subject (“legality, fair procedure, and transparency”);
  • can only be collected for a specific, clear, and legal purpose (“purpose limitation”);
  • must be appropriate and relevant for data management and must be limited to necessary information (“data sparing”);
  • during its processing, all reasonable measures are taken to ensure that the data is accurate and up-to-date; personal data that is inaccurate in terms of the purposes of data management will be immediately deleted or corrected (“accuracy”);
  • is stored in a way that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management (“limited storage”);
  • is processed in such a way that adequate security of personal data is ensured by applying appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage of data (“integrity and confidentiality”).

As data controllers, we are responsible for compliance with the above and, if necessary, we verify compliance (“accountability”).

5. Managed Data

5.1. Contact

Data subjects: all natural persons who write us a message under the contact menu on our website or to our e-mail address.

Purpose of data management: contact.

Type of data: name, e-mail address, phone number
Legal basis: GDPR Article 6 (1) a), consent
Duration of storage: Until withdrawal of consent

The process of data management:

If you provide us with your contact details via the form on our website or via e-mail, we use them to keep in touch and to perform our service.
Providing the above data is not mandatory, but we cannot contact you if they are not provided. You can withdraw your consent at any time without giving any reason, but this does not affect the previous data processing based on consent.

5.2. Registration

Data subjects: any natural person who registers on our website
Purpose of data management: Creating and operating a user account

Type of data: name, phone number, e-mail address, password
Legal basis: GDPR Article 6 (1) a), consent
Duration of storage: Until withdrawal of consent, or if no contract is concluded, up to 1 year after registration.

The process of data management:

We send feedback regarding registration by electronic mail to the specified e-mail address.
Entering the above data is not mandatory, but in its absence, a user account cannot be created. You can withdraw your consent at any time without giving any reason, but this does not affect the previous data processing based on consent.

5.3. Log in

Data subjects: any natural person who logs into our website with their registered data.
Purpose of data management: User account operation

Type of data: e-mail address, password
Legal basis: GDPR Article 6 (1) a), consent
Duration of storage: Until withdrawal of consent, or if no contract is concluded, up to 1 year after the last login.

The process of data management:

To log into the user account, you need to enter the above data. In the account, the Data Subject can view their contract, subscription data, and related invoices.
Entering the above data is not mandatory, but in its absence, a user account cannot be created. You can withdraw your consent at any time without giving any reason, but this does not affect the previous data processing based on consent.

5.4. Protection contract

Data subjects: any natural person who enters into a protection contract on our website.
Purpose of data management: Conclusion and performance of a protection contract.

Type of data: name, address, billing address, phone number, e-mail address
Legal basis: GDPR Article 6 (1) b), fulfillment of contract
Duration of storage: For 5 years after the termination of the contractual relationship

The process of data management:

The above data is used to conclude and fulfill the contract. Entering the data is not mandatory, but the contract will not be concluded if they are not provided.

5.5. Reporting damage

Data subjects:
Purpose of data management:

Type of data: name, phone number, e-mail address, place of residence
Legal basis: GDPR Article 6 (1) b), fulfillment of contract
Duration of storage: For 5 years after the administration related to the claim

The process of data management:

We process the data provided to carry out the necessary measures regarding the damage report and to keep in touch with the Data Subject.

5.6. Partner program

Data Subjects: Contact persons of companies participating in the partner program
Purpose of data management: Operating a partner program

Type of data: name, e-mail address, phone number
Legal basis: GDPR Article 6 (1) a), consent, and in the case of an employee of the partner GDPR Article 6 (1) f), the legitimate interest of the data controller
Duration of storage: Until the withdrawal of consent, but no more than 1 month after the termination of the relationship with the partner

The process of data management:

The data provided by the partner is used and managed for the duration of the partnership, solely to fulfill the conditions of the partner program and maintain contact.
If we also receive the personal data of the partner company’s employees, typically to maintain contact, we process this data based on legitimate interest. In this case, the enforcement of the legitimate interest of the contracting parties takes precedence over the employee’s right to dispose of their personal data, since the restriction is necessary and proportionate to the performance of the employee’s job (NAIH/2018/2570/2/V). Regarding the legitimate interest, we carried out an interest assessment test, as a result of which we found that the data management is legal.
The provision of data is not mandatory in any case; however, knowledge of personal data suitable for identification and contact is an essential condition for participation in the partner program.

5.7. System messages

Data Subjects: All natural persons who register on our website.
Purpose of data management: Sending system messages.

Type of data: electronic mailing address
Legal basis: GDPR Article 6 (1) f), the legitimate interest of the data controller
Duration of storage: 1 month after the deletion of the user account

The process of data management:

System messages are occasionally sent to our users regarding service-related questions.
Regarding the legitimate interest, we carried out an interest assessment test, as a result of which we found that the data management is legal.
The Data Subject has the opportunity to object to the data management (for details, see point 8.8).
System messages are sent using Mailchimp.com.

5.8. Accounts management

Data Subjects: Any natural person who pays a fee to us.
Purpose of data management: Management of receipts according to the Accounting Act.

Type of data: name
Legal basis: GDPR Article 6 c) (compliance with legal obligations)
Duration of storage: 8+1 years after the termination of the contractual relationship

The process of data management:

In the case of private individuals, the documents may contain personal data. We keep these documents in accordance with the provisions of the Accounting Act.
Providing the data is mandatory based on the relevant legislation. Failure to do so will result in the invoice not being accepted.
We store the data electronically using the számlázz.hu service.
In the event of an inspection, the data will be transferred to the competent body (NAV).
In data management, KBOSS.hu Kft. (szamlazz.hu) acts as a data processor.

5.9. Newsletter

Data Subjects: All natural persons who subscribe to our newsletter on our website.
Purpose of data management: sending newsletters

Type of data: electronic mailing address
Legal basis: GDPR Article 6 (1) a), consent
Duration of storage: Until withdrawal of consent

The process of data management:

Providing the above information is not mandatory, but if it is not provided, we will not be able to send the newsletter. The Data Subject may withdraw their consent at any time without giving any reason, but this does not affect the data processing previously carried out based on consent.
When sending newsletters, Renátó Bándli acts as a data processor.

6. Data security

We ensure the security of the personal data we manage through technical and organizational measures, as well as the development of procedures.
We protect the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion, destruction, accidental destruction, and damage, as well as against becoming inaccessible due to changes in the technology used.
Only those employees who need access to personal data to perform their duties can retrieve it.

To ensure data security:

  • during the planning and operation of the IT system, we assess and take into account possible risks, striving to continuously reduce them;
  • we monitor emerging threats and vulnerabilities (such as computer viruses, computer intrusions, denial-of-service attacks, etc.) so that we can take timely measures to avoid and eliminate them;
  • IT devices and information handled on paper are protected against unauthorized physical access and environmental effects (e.g. water, fire, electrical surges);
  • by monitoring our IT system, we ensure the detection of possible problems and events;
  • reliability is a fundamental aspect in the selection of service providers participating in the operation.

7. Transmission and transfer of data

The personal data of natural persons using our websites will only be forwarded or given to our partners and data processors defined in point 5, or to the authorities in the event of a request.
In all cases, we have entered into a written agreement covering the details of data management with the partners involved in our data management activities and with our data processors.
Data is not transferred to a third country or an international organization.
Our contractual partners involved in data management:

• DotRoll Kft. – server, hosting provider
Headquarters: 1148 Budapest, Fogarasi út 3-5.
Company registration number: 01-09-882068
Tax number: 13962982-2-42

• KBOSS.hu Kft. (szamlazz.hu) – billing
Tax number: 13421739-2-41
Company registration number: 01-09-303201
Headquarters: 1031 Budapest, Záhony utca 7.
Mailing address: 1031 Budapest, Záhony utca 7/C.

• PayPal (Europe) S.à r.l. et Cie, S.C.A. – online payments
Headquarters: 22-24 Boulevard Royal, 2449 Luxemburg, Luxemburg

• OTP Mobil Szolgáltató Kft. (SimplePay) – online payments
Tax number: 24386106-2-42
Company registration number: 01-09-174466
Headquarters: 1143 Budapest, Hungária krt. 17-19

• Stripe, Inc. (Stripe) – online payments
Headquarters: 510 Townsend Street, San Francisco, CA 94103, USA

8. Rights of data subjects

8.1. Right to advance information

The data subject has the right to receive transparent, comprehensible, clear, and easily accessible written information from the Data Controller before the processing of personal data begins. The information must be provided by the Data Controller at the time of obtaining the personal data at the latest.
If the data controller wishes to carry out further data processing on personal data for a purpose other than collection, they must inform the data subject of this different purpose and all relevant additional information before further data processing.

8.2. Right to access

The data subject is entitled to receive feedback from the Data Controller as to whether their personal data is being processed, and if such data processing is underway, they are entitled to access the personal data and the following information:

a) the purposes of data management;
b) categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data has been or will be communicated, including in particular recipients in third countries and international organizations;
d) where appropriate, the planned period of storage of personal data or, if this is not applicable, the criteria for determining this period;
e) the data subject’s right to request the correction, deletion, or restriction of processing of personal data concerning them and to object to the processing of such personal data from the Data Controller.
f) the right to submit a complaint to a supervisory authority;
g) if the data were not collected from the data subject directly, all available information about their source;
h) the fact of automated decision-making, including creating a profile, as well as, at least in these cases, comprehensible information about the logic used and the significance of such data management, and the expected consequences for the data subject.

The Data Controller makes a copy of the personal data that is subject to data management available to the data subject. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.

8.3. Right to rectification

The data subject is entitled to have the Data Controller correct inaccurate personal data concerning them without undue delay upon request. Taking into account the purpose of data management, the data subject is entitled to request the completion of incomplete personal data, including using a supplementary statement.

8.4. The right to erasure (“the right to be forgotten”)

The data subject has the right to request that the Data Controller delete the personal data concerning them without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
b) the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management;
c) the data subject objects to the processing of their data and there is no overriding legal reason for the data processing;
d) personal data has been processed unlawfully;
e) the personal data must be deleted to fulfill the legal obligation prescribed by EU or member state law applicable to the Data Controller;
f) the collection of personal data took place in connection with the offering of services related to the information society.

If the Data Controller has made the personal data public and is required to delete it per the above, they will take reasonable steps, including technical measures, taking into account the available technology and the costs of implementation, to inform the data controllers handling the data that the data subject has requested the deletion of the links to the personal data in question or the copy or duplicate of this personal data.

The above does not apply if data management is necessary:
a) to exercise the right to freedom of expression and information;
b) to fulfill an obligation under EU or Member State law applicable to the Data Controller requiring the processing of personal data, or for the execution of a task carried out in the public interest or the context of the exercise of public authority vested in the Data Controller;
c) based on the public interest in the field of public health;
d) to archive in the public interest, for scientific and historical research purposes, or statistical purposes, if the right to erasure would likely make this data management impossible or seriously jeopardize it;
e) for the presentation, enforcement, and defense of legal claims.

8.5. The right to restrict data processing

The data subject has the right to request that the Data Controller restricts data processing if one of the following conditions is met:

a) the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the Data Controller to check the accuracy of the personal data;
b) the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use;
c) the Data Controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims;
d) the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the Data Controller’s legitimate reasons take precedence over the data subject’s legitimate reasons.

If data management is subject to restrictions based on the above, such personal data, except for storage, will only be processed with the consent of the data subject, for the presentation, enforcement, or defense of legal claims, or the protection of the rights of another natural or legal person, or the purpose of important public interest of the Union or a member state.

The Data Controller informs the data subject at whose request the data processing was restricted in advance of the lifting of the data processing restriction.

8.6. The right to a notification related to the correction or deletion of personal data or the limitation of data processing

The data subject has the right to ask the Data Controller to specify the recipients to whom their personal data was disclosed. The Data Controller is obliged to inform all recipients to whom the personal data has been disclosed of the correction, deletion, or restriction of personal data unless this is impossible or requires a disproportionately large effort.

8.7. Right to data portability

The data subject has the right to receive the personal data concerning them that were provided to the Data Controller, in a segmented, widely used, machine-readable format, and is also entitled to forward this data to another data controller if

a) data processing is based on consent or contract and
b) data management is automated.

When exercising the right to data portability, the data subject is entitled to – if this is technically feasible – request the direct transmission of personal data between data controllers.

The exercise of the data subject’s right to data portability must not adversely affect the rights and freedoms of others. If it would, the Data Controller fulfills the data subject’s request while omitting the personal data concerned, and sends the data subject a reasoned notice of this.

8.8. The right to protest

The data subject has the right to object at any time for personal reasons to the processing of their personal data necessary for the performance of a task carried out in the public interest or within the framework of the exercise of public authority performed by the Data Controller, or the processing necessary to assert the legitimate interests of the Data Controller or a third party, including profile creation based on the aforementioned provisions. In this case, the Data Controller may no longer process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights, and freedoms of the data subject, or that are necessary for the presentation, enforcement or defense of legal claims.

If personal data is processed for direct business acquisition, the data subject has the right to object at any time to the processing of personal data concerning them for this purpose, including profile creation, if it is related directly to a business acquisition.

If the data subject objects to the processing of personal data for direct business acquisition, then the personal data may no longer be processed for this purpose.

8.9. Automated decision-making, profile creation

The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have a legal effect on them or affect them to a similar extent. This does not apply if the decision is

a) necessary to conclude or fulfill the contract between the data subject and the data controller,
b) made possible by EU or Member State law applicable to the data controller, which also establishes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, or
c) based on the express consent of the data subject.

In the cases listed in points a) and c), the Data Controller is obliged to take appropriate measures to protect the rights, freedoms, and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Data Controller, to express their point of view and to submit their objection to the decision.

8.10. The data subject’s right to information about the data protection incident

The data subject has the right to receive information about a data protection incident affecting them that occurs at the Data Controller if the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons.

8.11. The data subject’s right to file a complaint with the supervisory authority

Without prejudice to other administrative or judicial remedies, all data subjects have the right to complain to a supervisory authority – in particular in the Member State of their usual place of residence, place of work, or suspected infringement – if, in the opinion of the data subject, the processing of their personal data violates the Regulation.

The supervisory authority to which the complaint is submitted is obliged to inform the customer about the procedural developments related to the complaint and its outcome, including whether the customer is entitled to a judicial remedy.

Hungarian supervisory authority:
National Data Protection and Freedom of Information Authority (postal address: 1363 Budapest, Pf. 9., registered office: 1055 Budapest, Falk Miksa utca 9-11., website: www.naih.hu, phone: 06-1-391-1400, e-mail address: ugyfelszolgalat@naih.hu).

8.12. The right to an effective judicial remedy against the supervisory authority

Without prejudice to other administrative or non-judicial remedies, all natural and legal persons are entitled to an effective judicial remedy against the legally binding decision of the supervisory authority.

Without prejudice to other administrative or non-judicial legal remedies, all data subjects are entitled to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject of the procedural developments related to the complaint or its result within three months.

Proceedings against the supervisory authority must be initiated at the court of the Member State where the supervisory authority is based.

Those concerned can exercise these rights using our contact details provided below, in writing, or in person by appointment. We try to respond to all inquiries as soon as possible, but no later than within 15 working days.

Contact information for the exercise of rights:

  • By mail: Hungary 1054 Budapest, Honvéd utca 8. 1/2.
  • By e-mail: renato.bandli@millionstarter.com
  • In person: +36 30 157 5711

We are unable to release information related to personal data over the phone, due to a lack of means to identify the caller.