Papkolbaszmuhely
Papkolbaszmuhely

PRIVACY POLICY

Date of last modification: 20.11.2020

1. GENERAL INFORMATION

Pap Kolbászműhely Kft. (hereinafter referred to as „Pap Kolbászműhely” or „Controller”) processes information on its clients, other contractual partners, their representatives, contact persons and other persons (jointly as “data subject(s)”) described in this privacy policy (“Policy”), which are regarded as “personal data” in accordance with Art. 4 (1) of the General Data Protection Regulation (EU) Nr. 2016/679 (“GDPR”). 

This Policy provides information on the processing of the above referred personal data and on the data subjects' rights and remedies in relation to data processing.

Contact data of the Controller:
Pap Kolbászműhely Kft.
The Controller’s seat: 2013 Pomáz, Május 1. utca 9.
The Controller’s company registration number: 13-09-176519
The Controller’s e-mail address: pk@pk.hu
The Controller’s website: https://adesign.hu/pk/fooldal2/
Representative and contact details of the Data Controller: Krisztián Pap, managing director, see contact details above.

Which data are regarded as personal data?

Personal data is any information about an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Thus, for example, the name of the data subject (for example: a customer or a contractual partner's representative), his e-mail address and data related to the given contract and its performance (for example: the subject of the contract, contractual tasks and their performance) are considered personal data.

What personal data are regarded as special categories of personal data?

Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Who can be regarded as data subject?

The Controller may, in particular, but not exclusively, process the data of the following natural persons:
- (potential) customer, its proxies, representatives, contact persons, employees;
- suppliers or other contractual partners, as well as their proxies, representatives, contact persons;
- parties inquiring about the Controller’s services and others affected by the Controller's data processing.

2. THE PURPOSE AND THE LEGAL BASIS OF PROCESSING PERSONAL DATA

Below we describe the purposes for which we collect and use your personal data and how long we store the various personal data collected for each purpose. Please note that the following data processing does not always apply to everyone, so please read them carefully and if you have any questions, please feel free to contact us.
2.1. Fulfilling contracts with our customers, suppliers and other contractual partners, maintaining contractual relations, sending business newsletters
For what purpose do we process your data?
For the purpose of performing contracts with you or an organization you represent (e.g. a company that employs you or a company you represent), including the exercise of contractual rights and complying with contractual obligations, as well as contractual relations and data processing during pre-contract negotiations.
On what legal basis we process your data?
The Controller processes your data for the above purpose because
• in case of contracts concluded with our natural person clients, suppliers and with other natural persons: processing is necessary for the performance of a contract concluded with you or in order to take steps at your request prior to entering into a contract (Art. 6 (1) b) of the GDPR).
• processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g. keeping invoicing data for tax and accounting purposes) (Art. 6 (1) c) of the GDPR).
• if you are acting on behalf of a legal entity or other organization (for example: the company that employs you or a company of which you are an executive officer) or another person (for example: proxy) and we process your personal data in connection with that, the legal basis of our data processing is the legitimate interest of the Controller and the above legal person, other organization or other (possible) partner (Art. 6 (1) f) of the GDPR). The legitimate interest: the establishment and proper performance of the contract between the parties, the exercise of contractual rights and the fulfillment of obligations, the promotion of the economic interests and contractual cooperation of the parties.
• it is necessary for the purpose of sending newsletters to the current contractual partners of the Controller or to the former contractual partners of the Controller who are likely to use the Controller's products and related services in the future as well; in this case, the legal basis for our data processing is our legitimate business interest (Art. 6 (1) f) of the GDPR). The legitimate business interest: promoting the Controller and its products, cultivating contractual relations, promoting the economic interests of the Controller, concluding a new contract with previous contractual partners. In this respect, we emphasize that in many cases the Controller sends a newsletter only to a company e-mail address that does not contain personal data, which thus does not implement data processing, while in other cases it provides information only about the Controller, its new products, promotions and related news, i.e. provides information that may be of interest to the Controller's current or former contractual partners. We also emphasize that no newsletter will be sent to the contractual partners of the Controller for whom a new contract is not expected or who have objected to the data processing.
Are you obliged to provide your data?
If you are a natural person acting as our contractual partner, you are free to enter into a contract with the Controller, in which case the Controller will process your personal data to the extent necessary to perform the contract and take steps at your request beforehand. In view of this, the provision of your personal data is necessary for the fulfillment of the contract concluded with the Controller, the exercise of the contractual rights and the fulfillment of the obligations of the parties, taking into account that without such data processing, the Controller cannot perform its services for you. If you are acting on behalf of a legal entity, another organization or another person, the performance of the contract and the exercise of the parties' contractual rights and obligations also require that you provide your contractual, other contact and other personal data (for example: signature on the certificate of completion and on the contract), without which the contract could not be properly performed. In addition, the Controller processes your data necessary for compliance with a legal obligation to which the Controller is subject (Art. 6 (1) c) of the GDPR) (including: fulfillment of tax and accounting obligations), in which case data processing is mandatory.
We also emphasize that in the case of sending our newsletter, the data subject may at any time object to our related data processing.
What data do we process?
We process the following personal data in connection with the above referred contracts (including the preparation of contracts) and in connection with the exercise of the contractual rights of the parties and the fulfillment of their obligations:
- your name and contractual contact details (in particular: name, address, e-mail address, telephone number, if used by the parties in the contractual relationship or indicated in the relevant contract), gender (to properly address you);
- data related to the legal entity, organization or other person you represent (in particular (company) name, address / registered office, tax number) and your relationship with this legal entity, organization, other person and position held there (e.g. executive officer) , proxy, contact person, etc.);
- information contained in the contract, related contract documents and invoicing documentation;
- the current or previous contractual relationship, the fact of objecting or other circumstance that makes it unnecessary or impossible to send the newsletter (for example: a dispute with a given contractual partner, a current or previous contractual relationship where the Controller does not sell its products to that partner, and does not provide related services), the range of products and related services previously used by the contractual partner (for the proper selection of the content of the newsletter). It should be emphasized that profiling for the purpose of sending newsletters or for other purposes is not performed by the Controller, however, the above information and circumstances may be taken into account when sending newsletters in order to deliver content that may be of interest to the recipient.
How long do we retain your personal data?
The above personal data will be stored for 5 years from the termination of the contract or, in the absence of a contract, from the last contractual communication, with regard to the general civil law limitation period (Art. 6:22 (1) of Act V of 2013 on the Civil Code (“Hungarian Civil Code”)).
In connection with the sending of newsletters, the relevant personal data will be processed until the right to object is exercised. The right to object can be exercised in the statement sent to our contact details according to this Policy.
You have the right to object even beyond the above cases (for example: the change of the contractual contact person was indicated lately or not indicated at all by the given partner, and the previous contractual contact person requests the deletion of his contact details). In this case, the Controller shall delete your personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (for example: the Controller must prove the identity of the contact person or the contracting party in connection with a particular dispute).
If your data is necessary for the fulfillment of the tax obligations applicable to the Controller: 5 years from the last day of the calendar year in which the tax should have been declared, reported or, in the absence of a return, paid (Art 78 (3), 202 (1) of Art. CL of 2017 on Taxation).

If your data is necessary for the fulfillment of the accounting obligations applicable to the Controller: 8 years (Art. 168-169. of Act C of 2000 on Accounting).
2.2. Data processing related to inquiries, enforcement of claims or defence against legal claims by the Controller
For what purpose do we process your data?
Responding to inquiries received by the Controller (for example: inquiries, complaints, comments related to the Controller's services), enforcing the Controller's legal claims (handling claims) or defending against such legal claims lodged by the data subject or third parties, or in court or official proceedings.
On what legal basis we process your data?
Processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6 (1) f) of the GDPR). The legitimate interest: handling of inquiries sent to the Controller, answering any questions, handling complaints, enforcing the Controller's possible claims, submitting such claims and related documents, defending against the claims of the data subject or third parties, defending in court or official proceedings.

We emphasize that in connection with our data processing, which is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (including in particular pre-contractual negotiations, contractual communication), you may find more information in section 2.1. above.
Are you obliged to provide your data?
You are not obliged to make the above requests, however, if you send a request to the Controller, the Controller will process your related data as described in this Policy and for the period specified therein, otherwise it would not be able to respond to the request or enforce its legal claims or to defend against such legal claims or to defend and act in legal or administrative proceedings.
What data do we process?
Personal data affected by the request to the Controller, contact details of the data subjects and the persons they represent (in particular: name, address, e-mail address), requests (complaints) submitted by the data subjects, content of the requests, steps taken in connection with the request management.
We emphasize that if you contact us through a social media site (including: Facebook, Youtube, Instagram), we will process the data needed to review and respond to your inquiry (including in particular: your message and the username you use on the given site).
In order to enforce a legal claim, we will process your name and other data necessitated by the given procedure in order to protect against such claims, including in particular the following:
- Identification data regarding a natural person specified under Art. 7 point 3 of the Act CXXX of 2016 on Civil Procedure (“Hungarian Civil Procedure Act”): place of residence (place of stay in the absence of residence), delivery address (if different from place of residence or stay), place and time of birth, mother's maiden name. In accordance with Art. 170 (1) b) of the Hungarian Civil Procedure Act, the introductory part of the application must state the names of the parties, their legal position, the identity of the plaintiff, the known identity of the defendant, and at least his place of residence. This list is supplemented by the defendant’s birthname according to subpoint 1.4. of the first annex of IM Decree Nr. 21/2017 (XII.22.);
- In accordance with Art. 20 (1) a) of Act L of 2009 on Payment Order Procedure, from the personal data of the debtors, the name of the debtor is required to initiate the payment order procedure, as well as his identification data under the Hungarian Civil Procedure Act, but at least his place of residence;
- Art. 11 (2)-(3) of Act LIII of 1994 on Judicial Enforcement specifies which personal data the person requesting enforcement is obliged to disclose when submitting the application for enforcement. These data are as follows: the name of the debtor, the data necessary for his identification (place and date of birth, mother’s maiden name), depending on the circumstances of the case, the debtor's place of residence, place of work and place of his enforceable property, and in case of a judicial enforcement procedure concerning a real estate, the real estate registration data. With this information, the bailiff can proceed with the enforcement proceedings;
- personal data arising or recorded in other court or official proceedings (for example: personal data recorded in a court or official decision, the processing of which is necessary for the protection of the Controller).
How long do we retain your personal data?
We store your data for 5 years from the time of recording (including, for example, the availability of the e-mail you send in the Controller's mailbox, the receipt of a message sent on the social media site to the Controller, the delivery of postal items) (Art. 6:22. (1) of the Hungarian Civil Code – unless the Hungarian Civil Code provides otherwise, claims lapse in 5 years).
In the case of court or official proceedings, the processing of data lasts until the final decision is made, to the extent necessary, with regard to the given procedure and the situation of the parties, the given claim, as well as the personal data required by the legal dispute.
To whom do we transfer your personal data?
For the above purpose, we may transfer your personal data to our legal representative, the acting court, another authority (e.g. a notary public).
It should be emphasized that if you contact us through a social media site, the provider of that social media site will also have access to that information, including the following:
- the following service provider has access to your data in connection with Facebook: Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for the data policy of Facebook, please see: https://www.facebook.com/privacy/explanation); Facebook acts as a joint data controller with the Controller in relation to the personal data processed in connection with the Facebook page of the Controller, and as an independent data controller in relation to the personal data processed by it in other respects;
- the following service provider has access to your data in connection with Instagram: Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, for the data policy of Facebook, please see: https://help.instagram.com/519522125107875), Facebook acts as a joint data controller with the Controller in relation to the personal data processed in connection with the Instagram page of the Controller, and as an independent data controller in relation to the personal data processed by it in other respects;
- the following service provider has access to your data in connection with Youtube: Google Ireland Limited (Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland, for the relevant guidelines of Google and Youtube, please see: https://policies.google.com/privacy?hl=huhttps://www.youtube.com/intl/hu/about/policies/#community-guidelines), which acts as a joint data controller with the Controller in relation to the personal data processed in connection with the Youtube channel of the Controller, and as an independent data controller in relation to the personal data processed by it in other respects.

2.3. Data processing related to the facilitation of the exercise of data protection rights, measures taken following requests from data subjects, data breach management
For what purpose do we process your data?
Management of data subjects 'requests submitted to the Controller, taking measures with regard to them, facilitating the exercise of data subjects' data protection rights, data processing related to data breach management.
On what legal basis we process your data?
Processing is necessary for compliance with a legal obligation to which the Controller is subject (Art. 6 (1) c) of the GDPR).

The Controller shall facilitate the exercise of data subject rights (Art. 12 (2) of the GDPR), and to investigate possible data breaches, to notify the supervisory (data protection) authority and the data subject according to the severity of the data breach (Art. 33-34 of the GDPR).
Are you obliged to provide your data?
In order to exercise your data protection rights, fulfill your related inquiries and manage possible data breaches (e.g. a cyber-attack), it may be necessary to process your personal data (especially your name and contact details provided to us). In this respect, the Controller may request the provision of the above personal data for your identification and, in case of requests sent electronically, if your identification is required, a copy of your identity card, passport or driving license (for example: e-mailing a PDF format copy) only for the purpose and for the duration of the verification of your identity. After the above verification of identity, such copy shall be immediately and irreversibly deleted.
What data do we process?
Request submitted to the Controller, your name and contact details (in particular: address, e-mail address).
In the case of requests sent by electronic means, if the verification of your identity is required, a photocopy of your identity card, passport or driver’s license, which will, however, be deleted immediately after viewing and will not be kept.
How long do we retain your personal data?
Your data will be stored for 5 years from the date of recording (Art. 6:22. (1) of the Hungarian Civil Code – unless the Hungarian Civil Code provides otherwise, claims lapse in 5 years). We do not store photocopies of your identity card, passport or driver's license.
To whom do we transfer your personal data?
Your personal data may be transferred to the competent data protection authority in the event of any relevant action taken by the competent data protection authority (especially in the event of a data breach, if the gravity and nature of this so require).
If it is absolutely necessary to prevent a data breach or otherwise provide IT support, the following hosting partner acting as a data processor will also have access to the related personal data (for example: personal data affected by the data breach): Initon Kft. (seat: 1118 Budapest, Budaörsi út 131/A, email address: info@initon.com).

3. WHAT ARE YOUR RIGHTS AND REMEDIES IN RESPECT OF THE DATA PROCESSING ACTIVITIES PERFORMED BY THE CONTROLLER?

There will be no charge for responding to your privacy requests or for completing the request. When your request concerning the exercise of your data protection rights and remedies are manifestly unfounded or excessive (repeated) we may charge you an administrative fee to comply with the request, and – taking into account the administrative costs of providing the information or communication or taking the action requested – may refuse to act on the request. 

The data protection rights and remedies of data subjects (including you if your personal data are processed by the Controller) are detailed in the relevant provisions of the GDPR (including in particular GDPR 15, 16, 17, 18, 19, 21, 77, 78, 79, 80 and 82). The following is a summary of the most important provisions and, accordingly, the Controller provides information to those concerned about their data protection rights and remedies.
The Controller shall provide information on action taken on a request under Art. 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. 

If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means (for more details, please see above).

In connection with the following, the Controller draws the attention of the data subjects to the possibility of exercising the right to object as follows ("Object") and that in relation to data processing based on a legitimate interest (Art. 6 (1) (f) of the GDPR), the data subject may request the Controller to present a balancing test.

The data protection rights and remedies of data subjects are detailed in the table below.
Right of access
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purpose of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed by the Controller, in particular recipients in third countries;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority; and
g) where the personal data are not collected from the data subject, any available information as to their source.

Where personal data are transferred to a third country, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right to rectification
You shall have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you and to have incomplete data completed, including by means of providing a supplementary statement.
Please note that reporting a change in your personal data helps the Controller to keep accurate information about you at all times.
Right to restriction of processing
You may obtain of Controller the restriction of processing of your personal data, if
- the accuracy of the personal data is contested by you, for a period enabling the Controller to verify the accuracy of the personal data,
- the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead,
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims,
- you have objected to processing pending the verification whether the legitimate grounds of the Controller override those of yours.
Withdrawal of consent
If the legal basis for your data processing is your consent, you are entitled to withdraw your consent at any time. We highlight that you have the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
For the cases in which the Controller bases data processing on your consent, please see "On what legal basis do we process your data?" section of this Policy.
Right to object
You may at any time object to the processing of your personal data if the processing is based on a legitimate interest of the Controller. For the cases in which the Controller bases data processing on its legitimate interest, please see "On what legal basis do we process your data" section of this Policy.
If you object to the processing of personal data, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him for such marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to erasure
You shall have the right to obtain from the Controller the erasure of personal data concerning you where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
- you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing,
- you object to the processing and there are no overriding legitimate grounds for the processing,
- the personal data have been unlawfully processed,
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.
Complaint and remedy
You shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes GDPR. For the contact details of the competent supervisory (data protection) authorities within the EU, please see: https://edpb.europa.eu/about-edpb/board/members_hu 
In Hungary, the competent supervisory authority is: Nemzeti Adatvédelmi és Információszabadság Hatóság (1055 Budapest, Falk Miksa utca 9-11; postal address: 1363 Budapest, Pf. 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu; Website: https://naih.hu/). You further have the right to an effective judicial remedy to enforce your rights. Such proceedings may be brought before the courts of the Member State where you have your habitual residence. In Hungary, such litigation falls within the jurisdiction of the competent tribunal. You may also choose to bring the case before the competent tribunal of your domicile or place of residence. Information on the jurisdiction and contact details of the court (tribunal) can be found at www.birosag.hu

4. AMENDMENTS TO THIS POLICY

In the event of a change in the processing of personal data, we will update or amend or supplement this Policy as necessary. We reserve the right to change our practices and this Policy at any time, so please check the site frequently for any changes to this Policy.
The data protection rights and remedies of data subjects are detailed in the table below.
Top cross-circle