Data protection notice on the processing of personal data on the websites intersnack.hu, chio.hu and pombar.hu
1. Purpose of the policy:
Intersnack Hungary Kft. /1117 Budapest, Alíz utca 1. hereinafter referred to as the Company/, as a data controller, carries out its data processing activities in accordance with the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information / Info tv. / and Regulation 2016/679 of the European Parliament and of the Council (“GDPR”). The purpose of the notice is to provide natural persons visiting the Company’s websites with information about the data processed by the Company and other activities related to data processing. The terms used in this notice are the same as those defined in EU Regulation 2016/679 (“GDPR”).
2. Definitions:
• “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• “processing”: any operation or set of operations which is performed on personal data or on data sets, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• “restriction of processing”: the marking of stored personal data with a view to restricting their future processing
• “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
• “pseudonymisation”: the processing of personal data in such a way that the personal data can no longer be identified without further information, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that the personal data cannot be attributed to an identified or identifiable natural person
• “filing system”: a set of personal data, whether centralised, decentralised or organised according to functional or geographical criteria, which is accessible on the basis of specific criteria
• “controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law
• “processor” means the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller
• “recipient” means the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not a third party. Public authorities which, in the context of an individual investigation, may have access to personal data in accordance with Union or Member State law shall not be considered recipients; the processing of such data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing
• “third party”: any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or the processor, are authorised to process personal data
• “consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her.
• “data breach”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
• “genetic data”: any personal data relating to the inherited or acquired genetic characteristics of a natural person, which contain unique information concerning the physiology or state of health of that person and which result primarily from the analysis of a biological sample taken from that natural person
• “biometric data”: any personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures, which allow or confirm the unique identification of the natural person, such as facial image or dactyloscopic data
• “health data”: personal data relating to the physical or mental health of a natural person, including data relating to health services provided to the natural person, which contain information about the health of the natural person
• “establishment” means:
(a) in the case of a controller with establishments in more than one Member State, the place of its central administration within the Union; however, where the decisions concerning the purposes and means of the processing of personal data are taken in another establishment of the controller within the Union and the latter establishment has the power to implement those decisions, the establishment where those decisions are taken shall be considered the centre of its administration;
(b) in the case of a processor with establishments in more than one Member State, the place of its central administration within the Union or, where the processor does not have a central administration within the Union, the establishment of the processor within the Union where the main processing activities carried out in the context of the activities carried out at the establishment of the processor take place, where the processor is subject to obligations laid down in this Regulation
• “representative” means a natural or legal person established or resident in the Union and designated in writing by the controller or processor pursuant to Article 27 who represents the controller or processor in relation to the obligations incumbent on the controller or processor under this Regulation
• “undertaking” means a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activities
• “group of undertakings” means the controlling undertaking and the undertakings it controls
• “binding corporate rules” means rules on the protection of personal data which a controller or processor established in the territory of a Member State of the Union follows in relation to a transfer or a series of such transfers of personal data to one or more third countries by a controller or processor within the same group of undertakings or the same group of undertakings engaged in a common economic activity
• “supervisory authority” means an independent public authority established by a Member State in accordance with Article 51
• “supervisory authority concerned” means a supervisory authority concerned by the processing of personal data for one of the following reasons:
a) the controller or processor has an establishment in the territory of the Member State of that supervisory authority;
b) the processing significantly affects or is likely to significantly affect data subjects residing in the Member State of that supervisory authority; or
c) a complaint has been lodged with that supervisory authority
• “cross-border processing of personal data”:
a) processing of personal data in the Union in the context of activities carried out in several Member States by a controller or processor established in more than one Member State; or
b) processing of personal data in the Union in the context of activities carried out in a single establishment of a controller or processor which significantly affects or is likely to significantly affect data subjects in more than one Member State
• “relevant and substantiated objection”: objection to a draft decision as to whether this Regulation has been infringed or whether the intended measure concerning the controller or processor complies with it; the objection must clearly demonstrate the significance of the risks that the draft decision presents to the fundamental rights and freedoms of the data subjects and, where applicable, to the free movement of personal data within the Union
• “information society service” means a service within the meaning of point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council
• “international organisation” means an organisation governed by public international law or its subordinate bodies, or any other body established by or on the basis of an agreement between two or more countries.
3. Principles regarding the processing of personal data:
The Company shall process personal data lawfully and fairly, for specified purposes, in line with data minimisation, accurately, with limited storage, confidentially and in a manner that is accountable and transparent to the data subject.
Personal data:
• may only be collected for specified, explicit and legitimate purposes
• may only be processed in a manner that is compatible with those purposes
• must be adequate and relevant
• must be limited to the minimum necessary
• must be accurate and, where necessary, kept up to date
• must be stored in a form that permits identification of data subjects only for the time necessary to achieve the purposes for which the personal data are processed
• must be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage
4. Data processing through a contact point:
Purpose of data processing: The Company's websites provide the opportunity for website visitors to establish direct contact with the company's designated employees. The use of the customer contact point requires acceptance of the data protection statement displayed on the websites.
Scope of data subjects: Visitors who have given consent through the company's contact point.
Scope of data processed: Name, address, telephone number, e-mail address, subject of the message
Legal basis for data processing: Article 6(1)(a) of Regulation (EU) 2016/679 (“GDPR”) / voluntary consent /
Duration of data processing: Until the data subject withdraws their consent. The data subject may withdraw their consent to the storage of their personal data at any time, using the contact details provided in the data security and data protection regulations.
Persons authorized to access: Personal data provided during registration may be processed by persons authorized to represent the Company, employees of the customer service group, and the data protection officer.
5. Creation of visitor statistics:
Purpose of data processing: Any external visitor can access the Company's website and the information provided by the Company. During a visit to the websites, the hosting provider of the given website records visitor data in order to monitor the operation of the service, prevent abuse, and ensure proper operation. The purpose of the recording is to collect information regarding the use of the website and to prepare statistics and analyses on visitor traffic and internet usage. External service providers place a so-called cookie on the user's computer and read it back. If the browser sends back a previously placed cookie, the service providers managing it have the opportunity to link the user's current visit with previous ones.
Scope of data subjects: Visitors who have given consent on the website
Scope of data processed: the previous page from which the new page or file was opened; the name of the opened file or page; the date and time of opening, success of opening and server utilization at the time of opening; the amount of data traffic; the IP address provided by the service provider; in case of login with a user account, the login information to the corresponding web service; the device used (mobile phone, desktop computer, etc.) and operating system; the browser software used
Legal basis for data processing: Article 6(1)(a) of Regulation (EU) 2016/679 (“GDPR”) / voluntary consent /
Duration of data processing: Until the consent is withdrawn, but at the latest for a period of 1 year from the date of viewing the website.
Persons authorized to access: Personal data provided during registration may be processed by persons authorized to represent the Company, employees of the customer service group, employees of the strategic and IT directorate, and the data protection officer.
6. Rights of data subjects:
• Right of access
The data subject shall have the right to obtain from the controller information as to whether or not his or her personal data is being processed and, where such processing is taking place, access to the personal data collected by the controller.
• Right to rectification
The data subject shall have the right to obtain from the controller, at his or her request, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to obtain from the controller the completion of incomplete personal data, including by means of a supplementary statement.
• Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data without undue delay where the conditions laid down in Article 17(1) of Regulation (EU) 2016/679 apply.
• The right to be forgotten
Where the controller has made personal data public and is obliged to erase them, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, the personal data concerned.
• Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following conditions is met:
- the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead
- the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims
- the data subject has objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override those of the data subject.
• Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) of Regulation (EU) 2016/679 and the processing is carried out by automated means.
• Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (a) of Article 6(1) of Regulation (EU) 2016/679, including profiling based on those provisions. In such a case, the controller shall no longer process the personal data.
• Automated decision-making in individual cases, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The previous paragraph shall not apply where the decision:
- is necessary for entering into, or the performance of, a contract between the data subject and the controller
- is permitted by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
- is based on the data subject's explicit consent.
7. Deadlines for actions related to the processing of data on the website:
The Company shall provide information on the actions taken in response to requests related to data processing within 1 month of receipt of the request. This deadline may be extended by 2 months in the event of a legitimate reason. The data controller shall provide information on the extension of the deadline, indicating the reasons for the delay, within 1 month of receipt of the request. If the data controller does not take action in response to the request of the data subject, it shall provide information without delay, but no later than one month from receipt of the request, on the reason for the failure to take action and on how a complaint may be lodged with the supervisory authority and the court.
8. Security of data processing:
The controller and the processor shall implement appropriate technical and organizational measures, taking into account the state of the art and the costs of implementation, the nature, scope, circumstances and purposes of the data processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the degree of risk, including, inter alia, where applicable:
a) pseudonymisation and encryption of personal data
b) ensuring the continued confidentiality, integrity, availability and resilience of systems and services used to process personal data
c) the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident
d) a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures taken to guarantee the security of data processing.
9. Informing the data subject about the data breach and reporting the incident to the supervisory authority:
The controller shall notify the data breach to the competent supervisory authority without undue delay and no later than 72 hours after having become aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall inform the data subject about the data breach without undue delay.
10. Person entitled to erasure, rectification or restriction of processing of personal data:
• Dr. László Péter Erős Data Protection Officer
• Postal address: 9027 Győr, Hűtőház utca 27.
• Email address: chio@chio.hu
• Phone number: +36 30 650 1718
11. Legal remedies:
If your rights as a data subject have been violated, or if you have a comment, you can contact us using the following contact details:
• By post: at Intersnack Magyarország Kft. /1117 Budapest, Alíz utca 1./
• By e-mail at chio@chio.hu
• By phone at 06 1 204 5945
In the event of a violation of the rights of the data subject, you can contact the following authorities:
• The Győr Court of Justice competent according to the registered office of the Company as the data controller, or the Court of Justice competent according to the place of residence of the data subject.
The competent courts can be found at https://birosag.hu/birosag-kereso.
• National Data Protection and Freedom of Information Authority: 1055 Budapest, Falk Miksa u. 9-11. Postal address: 1363 Budapest, Pf. 9. E-mail: ugyfelszolgalat@naih.hu
Online case initiation: www.naih.hu