PRIVACY AND PRIVACY POLICY
The data provided by the User upon registration are treated confidentially by the Service Provider (cbdbase.eu), are not disclosed to third parties and are deleted after the expiry of the statutory 10-day buy-back guarantee period.
Application of the data protection and data management policy
Name of the organization: Hun Medical Kft.
Seat of the organization: 1136 Budapest, Pannonia u. 36. Fszt. 3.
Company registration number: 01 09 338339
Date of entry into force of the Regulations: 08/01/2019
This Policy lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data. Its provisions shall be applied in the course of specific processing activities and when issuing instructions and information governing processing.
The obligation to designate a Data Protection Officer applies to all public authorities and other bodies performing public tasks (regardless of the data they process), and to other organizations whose core activities consist of the regular and systematic, large-scale monitoring of individuals or of the large-scale processing of special categories of personal data.
The organization does not employ a data protection officer.
Scope of the Regulations
These policies shall remain in effect until revoked, and shall apply to the officers, employees and data protection officers of the Organization.
Date: 08/08/2019
Hun Medical Kft.
Purpose of the regulations
The purpose of these rules is to harmonize the provisions of the organisation’s other internal rules on data processing activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the proper processing of personal data.
In the course of its activities, the organization intends to comply fully with the legal requirements for the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.
Another important purpose of issuing the policy is to enable the employees of the organization to process the data of natural persons lawfully by getting to know and complying with them.
Relevant concepts, definitions
- General Data Protection Regulation (GDPR): Regulation (EU) 2016/679, the data protection regulation of the European Union;
- “controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of the processing are defined by Union or Member State law, the controller or the specific criteria for the designation of the controller may be determined by Union or Member State law;
- processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
- personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who have been authorized to process personal data under the direct control of the controller or processor;
- the data subject's consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- Restriction of data processing: marking of stored personal data in order to limit their future processing;
- pseudonymisation: the processing of personal data in such a way that it is no longer possible to determine to which individual the personal data relate without the use of additional information, provided that such additional information is stored separately and technical and organizational measures are taken to ensure that this personal data may not be linked to identified or identifiable natural persons;
- filing system: any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- data protection incident (personal data breach): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
Privacy Policy
The processing of personal data must be carried out lawfully and fairly and in a way that is transparent to the data subject.
Personal data may only be collected for specified, explicit and legitimate purposes.
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Personal data must be accurate and kept up to date. Inaccurate personal data must be erased or rectified without delay.
Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary. Personal data may be stored for a longer period only if the storage is for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes.
The processing of personal data must be carried out in such a way as to ensure adequate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by means of appropriate technical or organizational measures.
The principles of data protection shall apply to all information concerning an identified or identifiable natural person.
The employee of the organization who processes data is responsible for the lawful processing of personal data and may be held liable under disciplinary, civil (damages), administrative-offence and criminal law. If the employee becomes aware that the personal data processed by him or her are incorrect, incomplete or out of date, he or she is obliged to correct them or to initiate the correction with the employee responsible for recording the data.
Management of personal data
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as IP addresses and cookie identifiers. Combined with other information, such identifiers are suitable for, and are used to, create profiles of natural persons and identify them.
Data processing shall only take place if the data subject gives his or her voluntary, specific, informed and unambiguous consent to the processing of the data by means of a clear confirmatory act, such as a written, including electronic, or oral statement.
Ticking a box when viewing the website constitutes consent by the data subject. Silence, a pre-ticked box or inaction do not constitute consent.
Consent is also given where the user chooses technical settings for an information society service, or makes any other statement or conduct which clearly indicates the data subject's acceptance of the proposed processing of his or her personal data in that context.
Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from that person, in particular chromosomal, DNA or RNA analysis, or from the analysis of another element enabling equivalent information to be obtained.
Children’s personal data deserve special protection, as they may be less aware of the risks, consequences and guarantees and rights associated with the processing of personal data. This special protection should apply in particular to the use of children’s personal data for marketing purposes or for the purpose of creating personal or user profiles.
Personal data must be handled in such a way as to ensure an adequate level of security and confidentiality, inter alia, in order to prevent unauthorized access to and use of personal data and the means used to process them.
All reasonable steps must be taken to correct or delete inaccurate personal information.
Legality of data processing
The processing of personal data is lawful if one of the following is met:
- the data subject has consented to the processing of his or her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject or of another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public authority conferred on the controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
In accordance with the above, the processing of data is considered lawful if it is necessary in the framework of a contract or the intention to enter into a contract.
If the processing is carried out in the context of the performance of a legal obligation on the controller or if it is necessary for the performance of a public interest task or the exercise of official authority, the processing must have a legal basis in Union law or in the law of a Member State.
Processing is also lawful where it is necessary to protect the life of the data subject or of another natural person. Processing of personal data based on the vital interests of another natural person should in principle take place only where the processing cannot manifestly be based on another legal basis.
Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for instance where processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergency, in particular natural and man-made disasters.
The legitimate interest of the controller, including the controller to whom the personal data may be disclosed, or of a third party may create a legal basis for the processing. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for example in cases where the data subject is a customer of or employed by the controller.
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes may likewise be regarded as carried out for a legitimate interest.
In any event, in order to establish the existence of a legitimate interest, it must be carefully considered, inter alia, whether the data subject can reasonably expect, at the time and in the context of the collection of personal data, that the data may be processed for that purpose. The interests and fundamental rights of the data subject may take precedence over the interests of the controller if the personal data are processed in circumstances in which the data subjects do not expect further processing.
The processing of personal data by public authorities, computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), providers of electronic communications networks and services and providers of security technologies and services constitutes a legitimate interest of the controller concerned to the extent strictly necessary and proportionate for the purposes of ensuring network and information security.
The processing of personal data for purposes other than the original purpose for which they were collected shall be permitted only if the processing is compatible with the original purposes for which the personal data were originally collected. In this case, there is no need for a separate legal basis other than the one that allowed the collection of personal data.
The processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by public international law, of officially recognised religious associations is carried out on grounds of public interest.
Consent of the person concerned, conditions
- Where the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
- If the data subject gives his or her consent in the form of a written statement relating to other matters, the request for consent shall be made in a manner which is clearly distinguishable from those other matters.
- The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out before the withdrawal. The data subject shall be informed of this right before giving consent. It shall be as easy to withdraw consent as to give it.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- The processing of the personal data of a child in relation to information society services offered directly to a child is lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the unique identification of natural persons, health data and personal data concerning the sexual life or sexual orientation of natural persons shall be prohibited, unless the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes.
Personal data relating to criminal convictions and offences or related security measures may be processed only under the control of official authority or where the processing is authorised by law.
Processing which does not require identification
If the purposes for which the controller processes personal data do not or no longer require the identification of the data subject, the controller is not obliged to maintain, acquire or process additional information in order to identify the data subject.
If the controller can demonstrate that it is not in a position to identify the data subject, it shall, where possible, inform the data subject accordingly.
Information and rights of the person concerned
The principle of fair and transparent data management requires that the data subject be informed of the fact and purposes of the data processing.
If personal data are collected from the data subject, the data subject must also be informed of whether he or she is obliged to disclose the personal data and of the consequences of not providing the data. This information may be supplemented by standardized icons in order to provide the data subject with general information on the intended data processing in a visible, easily understandable and legible form.
Information relating to the processing of personal data concerning the data subject shall be provided to the data subject at the time of data collection or, if the data were collected from sources other than the data subject, within a reasonable time, taking into account the circumstances of the case.
The data subject shall have the right to access the data collected concerning him or her and to exercise this right easily and at reasonable intervals in order to be aware of, and verify, the lawfulness of the processing. Every data subject should have the right to know, in particular, the purposes for which the personal data are processed and, where possible, the period for which they are processed.
In particular, the data subject shall have the right to have his or her personal data deleted and not further processed if the collection or other processing of personal data is no longer necessary for the original purposes of the processing or if the data subjects have withdrawn their consent to the processing.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time, free of charge, to the processing of personal data concerning him or her for that purpose.
Review of personal information
In order to ensure that the storage of personal data is limited to the time required, the controller shall set time limits for erasure or regular review.
Deadline for regular review set by the head of the organization: 1 year.
Tasks of the controller
The data controller shall apply appropriate internal data protection rules in order to ensure lawful data management. This regulation covers the powers and responsibilities of the data controller.
It is the responsibility of the controller to take appropriate and effective action and to be able to demonstrate that the data processing activities comply with applicable law.
Such regulation shall take into account the nature, scope, circumstances and purposes of the processing and the risk to the rights and freedoms of natural persons.
The controller shall take appropriate technical and organizational measures, taking into account the nature, scope, circumstances and purposes of the processing and the variable probability and severity of the risk to the rights and freedoms of natural persons. Under these rules, it reviews and, if necessary, updates other internal rules.
The controller or processor shall keep adequate records of the data processing activities carried out under its authority. All controllers and processors shall cooperate with the supervisory authority and make these records available upon request for the purpose of verifying the data processing operations concerned.
Rights related to data processing
Right to request information
Any person may request information on which of his or her data the organization processes, on what legal basis, for what purpose and for how long. Upon request, the information must be sent without delay, but no later than within 30 days, to the contact details provided.
Right to rectification
Any person can request a change to any of their details through the contact details provided. This must be dealt with immediately upon request, but within a maximum of 30 days, and information should be sent to the contact details provided.
Right to erasure
Anyone can request the deletion of their data via the contact details provided. Upon request, this must be done without delay, but no later than within 30 days, and information must be sent to the contact details provided.
Right to restriction of processing (blocking)
Anyone can request that their data be restricted (blocked) through the contact details provided. The restriction lasts as long as the stated reason requires the data to be retained. Upon request, this must be done without delay, but no later than within 30 days, and information must be sent to the contact details provided.
Right to object
Any person may object to the processing through the contact details provided. The objection shall be examined as soon as possible, but no later than 15 days from its submission; a decision shall be made on its merits and notified to the contact details provided.
Enforcement of data subject rights
Nemzeti Adatvédelmi és Információszabadság Hatóság / National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
Url: https://naih.hu
Coordinates: N 47°30'56"; E 18°59'57"
In the event of a breach of the data subject's rights, the data subject may bring an action against the controller before a court. The court shall hear such cases with priority (out of turn). The action may also be brought before the court having jurisdiction over the place of residence or stay of the data subject.
Tasks of the organization for proper data protection
- Data protection awareness. Professional training must be provided to ensure compliance with the law; staff must be trained and must know the regulations.
- The purposes and criteria of processing and the concept of personal data must be reviewed. Lawful processing must be ensured in accordance with the data protection and data management regulations.
- Appropriate information to the data subject. It should be noted that, if the processing is based on the data subject’s consent, in case of doubt, the controller must prove that the data subject has consented to the processing.
- The information provided to the person concerned shall be concise, easily accessible and easy to understand and shall be worded and presented in clear and comprehensible language.
The requirement of transparent data management is that the data subject is informed about the fact and purposes of the data processing. The information shall be provided before the data processing begins and the data subject shall have the right to the information during the data processing until its termination.
The main rights of the data subject are:
- access to personal data concerning him / her;
- correction of personal data;
- deletion of personal data;
- restrictions on the processing of personal data;
- objection to profiling and automated decision-making;
- the right to data portability.
- The controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this period may be extended by a further two months. The obligation to provide information can be ensured by operating a secure online system through which the data subject can easily and quickly access the necessary information.
- The data management performed by the organization must be reviewed, and the right to information self-determination must be ensured. At the request of the data subject, his or her data shall be deleted without delay if the data subject withdraws the consent on which the processing is based.
- The consent of the data subject must unequivocally indicate that the data subject consents to the processing. If the processing is based on the data subject’s consent, in case of doubt, the data controller must prove that the data subject has consented to the data processing operation.
- Special attention must be paid to compliance when processing the personal data of children. The processing of the personal data of a child in relation to information society services offered directly to a child is lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
- In the event of a personal data breach (data protection incident), the supervisory authority must be notified. The controller shall notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- In some cases, it may be appropriate for the controller to carry out a data protection impact assessment prior to the processing. The impact assessment should examine how the protection of personal data is affected by the planned data processing operations. If the data protection impact assessment finds that the processing is likely to involve a high risk, the controller should consult the supervisory authority before processing the personal data.
- Where the core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, a Data Protection Officer shall be designated. The designation of a Data Protection Officer is intended to strengthen data protection.
Data security
The data shall be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, and from becoming inaccessible as a result of changes in the technology used.
In order to protect the data files processed electronically in the registers, an appropriate technical solution (such as the pseudonymisation defined above) should ensure that the data stored in the registers cannot be directly linked and attributed to the data subject.
The state of the art must be taken into account when planning and applying data security. Of the several possible data management solutions, a higher level of protection of personal data should be chosen, unless this would be a disproportionate burden for the controller.
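The following is an added example, not part of the organization's policy or systems, of the pseudonymisation defined above: a customer register keeps only a keyed pseudonym in place of the identifier, while the HMAC key and the pseudonym-to-identifier lookup (the "additional information" of the definition) are held separately, so the register alone cannot be linked back to a natural person. The sample records and e-mail addresses are constructed for illustration, and the contrast with an unkeyed hash shows why a plain hash does not meet the definition.

```python
"""Pseudonymisation of a customer register with a keyed pseudonym (added example).

The register keeps only a pseudonym; the key and the lookup table that map
a pseudonym back to a person are stored apart from it.  Whoever holds only
the register cannot re-identify anyone, whereas a register built with a
plain (unkeyed) hash can be re-identified by anyone who can guess the
identifier.
"""
import hashlib
import hmac
import secrets

# Constructed sample register; these are not real customers.
SAMPLE_RECORDS = [
    {"email": "Anna.Kovacs@example.com", "order_total": 129.0, "order_date": "2019-08-12"},
    {"email": "b.nagy@example.org", "order_total": 54.5, "order_date": "2019-08-13"},
    {"email": "anna.kovacs@example.com", "order_total": 20.0, "order_date": "2019-08-20"},
]


def new_key() -> bytes:
    """Fresh 256-bit HMAC key; store it with the lookup table, never with the register."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Canonical form so that the same person always gets the same pseudonym."""
    return identifier.strip().lower()


def keyed_pseudonym(key: bytes, identifier: str) -> str:
    """HMAC-SHA-256 of the identifier: cannot be recomputed without the key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256, shown only as the weak variant: anyone can recompute it."""
    return hashlib.sha256(normalise(identifier).encode("utf-8")).hexdigest()


def pseudonymise(records, key):
    """Split records into a register (pseudonyms only) and a separately stored lookup."""
    register, lookup = [], {}
    for rec in records:
        p = keyed_pseudonym(key, rec["email"])
        register.append({**{k: v for k, v in rec.items() if k != "email"}, "pseudonym": p})
        lookup[p] = normalise(rec["email"])
    return register, lookup


def reidentify(lookup, pseudonym):
    """Re-identification is possible only for whoever holds the lookup (or the key)."""
    return lookup.get(pseudonym)


def erase_person(register, lookup, key, identifier):
    """Erasure on request: drop the person's rows from the register and the lookup entry."""
    p = keyed_pseudonym(key, identifier)
    lookup.pop(p, None)
    return [r for r in register if r["pseudonym"] != p]


def dictionary_attack(register, guesses, key=None):
    """Attacker's re-identification attempt: recompute pseudonyms for guessed addresses.

    With key=None the attacker can only compute plain SHA-256, which never matches a
    keyed register; with the key, every guessed address present in the register is
    recovered.  Returns the sorted list of re-identified addresses.
    """
    if key is None:
        table = {unkeyed_pseudonym(g): normalise(g) for g in guesses}
    else:
        table = {keyed_pseudonym(key, g): normalise(g) for g in guesses}
    return sorted({table[r["pseudonym"]] for r in register if r["pseudonym"] in table})


if __name__ == "__main__":
    key = new_key()
    register, lookup = pseudonymise(SAMPLE_RECORDS, key)
    guesses = [r["email"] for r in SAMPLE_RECORDS]
    print("register rows:", len(register), "distinct persons:", len(lookup))
    print("re-identified without key:", dictionary_attack(register, guesses))
    print("re-identified with key:   ", dictionary_attack(register, guesses, key=key))
```

The same normalised address yields one pseudonym, so orders can still be grouped per customer in the register; the key and lookup are what the policy's review and erasure deadlines must be applied to, because destroying them turns the register into data that can no longer be attributed to anyone.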
Data Protection Officer
The designation of a Data Protection Officer is mandatory in the following cases:
- the processing is carried out by a public authority or other body performing public functions, except for courts acting in their judicial capacity;
- the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the controller or processor consist of large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences.
Where the designation of a Data Protection Officer is mandatory, the following rules shall apply:
- The Data Protection Officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the position.
- The Data Protection Officer may be an employee of the controller or processor, or may perform the tasks under a service contract.
- The controller and the processor shall publish the contact details of the Data Protection Officer and communicate them to the supervisory authority.
Legal status of the Data Protection Officer
The controller shall ensure that the Data Protection Officer is involved in an appropriate and timely manner in all matters relating to the protection of personal data. It must be ensured that the necessary resources are available to maintain the expertise of the Data Protection Officer.
The Data Protection Officer shall not receive any instructions regarding the exercise of his or her tasks. The controller or processor may not dismiss or penalise the Data Protection Officer for performing those tasks. The Data Protection Officer shall report directly to the highest management level of the controller or processor.
Data subjects may contact the Data Protection Officer with any questions relating to the processing of their personal data and the exercise of their rights.
The Data Protection Officer shall be bound by the obligation of professional secrecy or confidentiality with regard to the performance of his or her duties.
The Data Protection Officer may perform other tasks, but there shall be no conflict of interest in relation to those tasks.
Duties of the Data Protection Officer
- informs and advises the controller or processor and the employees who carry out processing;
- monitors compliance with the controller's or processor's internal rules on the protection of personal data;
- provides advice, where requested, on data protection impact assessments and monitors their performance.
Data protection incident
A data protection incident (personal data breach) is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.
In the absence of appropriate and timely action, a data protection incident may result in physical, material or non-material damage to natural persons, including loss of control or restriction of their personal data, discrimination, identity theft or misuse of identity.
The data protection incident shall be reported to the competent supervisory authority without undue delay and at the latest within 72 hours, unless it can be demonstrated in accordance with the principle of accountability that the data protection incident is not likely to endanger the rights and freedoms of natural persons.
The data subject shall be informed without delay if the data protection incident is likely to pose a high risk to the rights and freedoms of the natural person, in order to be able to take the necessary precautions.
Data management for business and record keeping purposes
The organization may also process personal data in cases belonging to its activities and for administrative and record keeping purposes.
Such processing shall be based on the voluntary and informed consent of the data subject. After detailed information covering the purpose, legal basis and duration of the processing and the rights of the data subject, the data subject shall be informed of the voluntary nature of the processing. Consent to the processing must be recorded in writing.
Data management for administrative and record keeping purposes serves the following purposes:
- data management of the members and employees of the organization, which is based on a legal obligation;
- data management of persons in a contractual relationship with the organization for communication, accounting and record keeping purposes;
- contact details of other organizations, institutions and businesses that have a business relationship with the organization, which may include contact and identification information of natural persons;
The processing described above is based on the one hand on a legal obligation, and on the other hand on the data subject's express consent to the processing of his or her data (for example, when concluding an employment contract or registering as a partner).
In the case of documents sent to the organization in writing which contain personal data (such as a CV, job application or other submission), the consent of the data subject shall be presumed. Once the matter is closed, the documents must be destroyed unless consent has been given for further use. The fact of destruction shall be recorded in a written report.
In the case of processing for administrative purposes, personal data are held only in the case file and records. The processing of these data lasts until the document on which the processing is based is destroyed.
The processing of data for administrative and record keeping purposes shall be reviewed annually to ensure that the storage of personal data is limited to the time required, and inaccurate personal data shall be deleted immediately.
Compliance with the law must also be ensured in the case of data processing for administrative and registration purposes.
Data processing for other purposes
If the organization wishes to carry out data management that is not covered by these regulations, these internal regulations must be supplemented in advance and sub-rules corresponding to the new data management purpose must be attached.
Other documents related to the regulations
Documents and regulations that contain, for example, a written statement consenting to the processing of data or, for example, in the case of websites, describe the mandatory data management information, must be linked to and managed together with the data protection and data management policy.
Legislation underlying data management
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archival Material.
- Government Decree 335/2005 (XII. 29.) on the general requirements for the records management of bodies performing public tasks.
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
- Act C of 2003 on Electronic Communications.