eHACCP.hu
Privacy statement

1 Introduction

Maxíz Kft., as the owner of the eHACCP.hu website and the maintainer of the online HACCP logging system (8315 Gyenesdiás, Petőfi Sándor u.12., in the following: eHACCP, eHACCP.hu provider, or data manager), as data manager, looking upon itself acknowledges the content of the present legal notice as mandatory. It assumes obligation that the handling of the data in connection with its service complies with the expectations specified in the present regulations and applicable legislations.

The data protection guidelines emerging in connection with the eHACCP.hu android application and the online www.ehaccp.hu website are continuously available on the footnote of the www.ehaccp.hu website. The provider maintains itself the right to change the present informative at any time, in which case it publishes an announcement of the changes with corresponding content on the www.ehaccp.hu website. In case the user might have such a question for which the answer from this present statement is not, or is not clearly found out, they may present it to the personnel of the provider in written form. Although the team of eHACCP.hu does everything within their possible reach in order to guarantee that the quality of service provided by them is unobjectionable, it does not take responsibility for any accidental harms done by the inefficient use of the system. The data management is committed towards the protection of its partners and users' personal data, and finds it especially important to respect the autonomous informational rights of its clients. The operator of the eHACCP system handles the personal information at its disposal discreetly, and commits to every such security, technical and organizational measures which guarantee the safety of data („data security”).

eHACCP describes its data management principles below, presenting the expectations which it has formulated, as data controller, against itself and to which it complies. The data controller declares, that its basic data management principles are in correspondence with the always applicable data protection laws.

2 Definitions

1. personal data: data, which can be connected to any specified (identified or identifiable) natural person („affected”) is a conclusion deductible from the data concerning the affected person. Personal data during the process of data management always keeps this quality as long as its connection with the affected person is restorable. The person may in particular be considered identifiable, if they can be identified - directly or indirectly - by name, identification mark, respectively one or more physical, physiological, mental, economic, cultural or social identity factor.

2. consent: The voluntary and definite statement of the concerned person's will, which is based on appropriate information and with which they give their unambiguous consent to the handling of personal data related to them, covering complete or partial specific operations;

3. objection: The statement of the affected person, with which they object to the handling of their personal data, and request for cancellation of the handling of data or deletion of the handled data:

4. data controller: That natural or legal person, or an organisation without a legal personality, which or who either specifies the goal of the handling of data, makes and performs decisions concerning the handling of data(including the used device), or orders it to be carried out by the data processor appointed by them;

5. data handling: The total of any operation or operations performed upon the data regardless of the procedure applied, thus for example the collection, recording, logging, organization, storage, alteration, application, forwarding, disclosure, synchronization or interconnection, blocking, deletion and destruction, as well as the prevention of further usage of the data. The recording of pictorial, audio or video material as well as the physical characteristics suitable for the identification of a person (eg. finger- or palm print, DNA sample, iris image) also count as data handling;

6. data forwarding: if the data is made available to a specific third party;

7. disclosure: if the data is made accessible to anyone;

8. data deletion: the rendering of data unrecognizable in such a way, that their restoration is no longer possible;

9. data blocking: the flagging of data with an identification mark in order to prevent or limit further handling of it permanently

or for a specified amount of time;

10. data destruction: the physical destruction of the data carrier containing the data;

11. data processing: the completion of the technical tasks in connection with the data handling processes, regardless of the

procedure or instrument used for the execution of said operations and place of application;

12. data processor: that natural or legal person, or organization without a legal personality, which or who performs the processing of data commissioned by the data processor;

13. third party: such a natural or legal person, or organization without a legal personality, which or who is not identical with the affected person, the data handler or data processor;

14. third country: every such country which is not part of the European Economic Area.

15. af ected: any specified identified or identifiable person - indirectly or directly - based on personal data.

Any other concept used in the present document, which is not defined separately is interpretable by the eHACCP General Terms and Conditions.

3 Basic principles during the data handling of eHACCP

Personal data is manageable, if

a. the affected contributes to it, or

b. it is ordered by law - by virtue of the law, in the circle defined therein - by a local government decree on a public interest basis ("mandatory data management").

For the contribution of an underage person incapable of or with a limited ability to act the contribution of their legal representative is not necessary, since the statement targets registration occurring in mass numbers in everyday life, and does not require particular consideration (Civil Code. 2:14.§ (2) paragraph).

Personal data may only be handled for a specific purpose, for the practice of rights and the fulfillment of obligations. The data handling must, in its every stage, comply with the goal of the data handling.

Only such personal data may be handled, which is indispensable for the realization of the data handling, is suitable for reaching the goal, and only up to the extent and time required for the realization of the goal.

Personal data may only be handled with appropriate informed consent.

The affected must be - clearly, understandably and in detail - informed of every detail in connection with the handling of their data, thus especially about the goal of the data handling and legal basis, of the person entitled to the handling and processing of the data, of the time period of the data handling and about those who may learn about the data. The information must also extend to the affected person's rights in connection with the data handling and their possibilities of legal remedies. The handled personal data must comply with the following requirements:

a. their recording and handling must be fair and lawful;

b. that they be accurate, complete and, if necessary for the goals of the data handling, up-to-date;

c. that the affected person may only be identified up until the time necessary to reach the goal of the data handling.

The application of a general and unified identification sign which may be used without restriction is prohibited. Personal data may be forwarded, and different data handlings can be connected together if the affected person has contributed to that, or if the law allows it, and if the terms and conditions are met for each and every piece of personal data. Personal data (including special data as well) from the country - regardless of the data carrier or the method of data transfer - may be forwarded to a data handler or data processor in a third country if the affected person has especially contributed to it, or it is allowed by law, and the appropriate level of safety is guaranteed during the handling and processing of the handed over personal data in the third country. The data forwarding directed towards the member states of the European Economic Area must be perceived in the same way as if a data forwarding was taking place within the territory of Hungary.

4 The range of personal data, the goal of data handling, legal title and timespan

Within the services, the handling of every data in connection with the affected person is based on voluntary contribution.

4.1 The data of the website's visitors

The website of eHACCP.hu, www.ehaccp.hu can be visited freely without providing any information of personal nature. The services of eHACCP may be familiarized with on the website. The provider may place small data packages, so-called cookies on the user's computer for the sake of providing customized service and for keeping the settings saved by the user. The cookie may be deleted by the user from their computer, or they may change their browser's settings to prevent the usage of cookies. The code of the eHACCP website may contain references independent from eHACCP coming from and pointing to an external server, which supports the independent auditing of the website's views and other web-analytical data (Google Analytics). An external operator/supervisor of this external server may not access these personal details, eHACCP only supports the availability of aggregated data. Detailed information about handling of this data is provided by the external provider. Contact: www.google.com.

The user's IP address, time of access and the title of the viewed webpage may be recorded by eHACCP during the user's visit to the eHACCP.hu website for technical reasons and for the goal of creating statistics about its users' habits. The server stores the data for a year.

4.2 Data handling in connection with payment transactions

During the provision of eHACCP.hu services, usually no personal data of the user is stored. Nevertheless during the provision of eHACCP services, the following data provided on Vendor payment interface or stored by the Vendor may be transmitted for the purpose of transaction security (fraud) and tracking user transactions: (i) subscriber name and or organization name, (ii) username, (iii) billing address, (iv) phone number; (v) e-mail address. eHACCP stores these data for 5 years after the transaction.

Regarding the transaction, the eHACCP.hu may send notices to the provided email address.

4.3 Newsletter services

On the eHACCP.hu website you may subscribe for eHACCP.hu newsletter with your email address. In the context of newsletter services the provider regularly notices the users, who asked for newsletter, about its novelties. The content of the newsletter may differ regarding the information provided by the user. The eHACCP ensures the possibility to unsubscribe from the newsletter services. In the newsletters sent by the eHACCP, offers by companies with the same possessors as the eHACCP and offers of eHACCP clients may appear.

4.4 Contact, data handling regarding Client service

The provider may be contacted by sending the name, email address and message through the form on the eHACCP.hu website, via email.

The messages sent this way are used as intended and after the final solution of the case is archived and stored for 5 years. The eHACCP maintains a telephone Client service. The contacts of the telephone Client service are accessible on the www.ehaccp.hu website. The eHACCP telephone Client service records and archives the telephone conversation. From the user, the eHACCP telephone Client service, in case of oral contribution, may ask for name and email address. The eHACCP.hu telephone Client service is keeping these data for 1 year.

4.5 Other data handling

Regarding the data handling not mentioned in this manual, the eHACCP provides information at the time of data collection. The eHACCP hereby informs the user that courts, prosecutions, investigating authorities may contact the provider regarding information, data collection, provision and provision of documents (according to Par. 71. §).

The eHACCP - in case the authorities, within the context of legal proceedings, marked specific purpose and scope of information - provides only those information and only to such extent, which is indispensably required for the purpose of the matter.

5 Storage method of personal data, security of data management

The mainframe servers serving the eHACCP websites are placed in an environment supervised by the operating NEBET.HU Ltd. The serving of the eHACCP systems is handled by the Integrity Ltd. These organizations may access the data handled by the eHACCP as data processors only. The eHACCP for managing the personal data during the service provision, is choosing and managing the IT devices, so that the data:

a. is accessible for the authorized personnel (availability);

b. its authenticity and authentication is ensured (authenticity of data management);

c. its uniformity is verifiable (data integrity);

d. is protected against unauthorized access (confidential data).

The eHACCP ensures the protection of data management with technical, organizational and institutional measures, which provide appropriate protection level regarding the risks of data management. The eHACCP, during data management, keeps

a. secrecy: protects the information, so that only authorized personnel may access it;

b. integrity: protects the precision and integrity of the information and processing method;

c. availability: when an authorized personnel is trying to access, it is ensured that he/she will be able to access the required information, and the regarding devices are available.

The IT system and network of eHACCP is protected against computer fraud, spying, sabotage, vandalism, fire and flood, computer viruses, computer break-ins and attacks leading to service refusal. The operator ensures security with server and application level protective methods.

The eHACCP hereby informs the users that electronic mail transmitted through the internet, irrelevant to protocol (email, web, ftp, etc.), are vulnerable to network threats which may lead to unfair activities, controversy or information disclosure, modification. To fend off these threats, the provider will take all reasonable precautions. The systems are monitored in order to record every security discrepancies, and provide proof in case of each security events. Besides that, the system monitoring allows efficient supervision of applied precautions.

6 Data, contacts of the data manager

Name: Maxíz Ltd.

Address: 8315 Gyenesdiás, Petőfi Sándor u.12.

E-mail: info@ehaccp.hu

Company registration number: 20-09-74897

Tax number: 12410671-2-20

Data protection registration number: in progress

7 Data transmission

The eHACCP transmits the personal data of users to the following companies/subcontractors:

Name of data manager: OTP Bank Nyrt.

Address: 1051 Budapest, Nádor u. 16.

Range of transmitted information: name, address, telephone, email address, data regarding transaction.

Purpose of data transmission: transaction security (fraud), for tracking the user transactions.

Name of data manager: Creditexpress Magyarország Pénzügyi Szolgáltató Ltd.

Address: 1146 Budapest, Hungária krt. 179-187.

Range of transmitted information: name, address, telephone, email address, data regarding claims

Purpose of data transmission: claim management

Name of data manager: KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság

Address: 2000 Szentendre, Táltos u. 22/b.

Purpose of data transmission: billing and sending automatic invoices through the system of szamlazz.hu.

8 Legal remedies

The affected person may request information about the management of his/her personal data, may require the correction of his/her personal data, and - except for the cases described in the regarding law - the deletion through the method indicated at the time registration, or through Client service.

At the request of the affected person, the eHACCP, as data manager, provides information regarding the managed data and the processed data processed by a data processor authorized by eHACCP, about the purpose of the data management, the legal basis, the duration of the data management, the name and address (seat) of the data processor and its activities regarding the data management, and about who and for what purpose received the data. The data controller shall provide the information in writing and in a legible form within the shortest possible time, but no later than 30 days from the submission of the request. This information is free of charge if the requesting person has not yet been submitted information request to the data controller for the same data during the same year. In other cases the eHACCP.hu may charge reimbursement.

The eHACCP deletes the personal data, if its management is illegal, the affected person asks for it, the purpose of the data management has been ceased or the statutory deadline for the storage of the data has expired, or it was ordered by court or the data protection authority (National Data Protection and Freedom of Information Authority).

The eHACCP will inform the affected person about the correction and deletion, as well as those who have previously been provided with the data for the purpose of data management. The notification may be omitted if it does not violate the legitimate interest of the affected person regarding the data management.

The affected person may object against the management of his/her data, if the management or transmission of personal data is only necessary to enforce the legal obligation of the data manager or the data receiver, or to enforce his/her legitimate interests, if the data management is prescribed by law (case of "compulsory data processing");

b. the use or transmission of personal data is done for direct business acquisition, polling or scientific research;

c. the exercise of the right of objection is otherwise permitted by law.

The eHACCP - while suspending the data management - will examine the objection within the shortest possible period of time but not later than 15 days after the submission of the request, and will inform the applicant in writing about the result (about the judgement of the basis of the objection). If the objection is valid, the data manager will discontinue the data management - including further data collection and data transfer -, locks the data and notifies all personas affected by the data transmission and those who are obliged to take action in order to enforce the right to object. If the affected person does not agree with the decision of the eHACCP, he/she may appeal to the court within 30 days from the date of its communication.

The eHACCP cannot delete the data of the affected person, if the data management is ordered by law. However, the data cannot be transmitted to the data receiver, if the data manager agrees with the objection, and the court has found the right to protest. In case of violation of his/her rights, the affected person may turn to the court against the data manager. The eHACCP reimburses any damage caused to others by unlawful management of data of affected person or violation of the requirements of data security. The data manager is also responsible for the damage caused to the affected person by the data processor. The data manager is exempted from liability if the damage is caused by an unavoidable cause outside the scope of data management. There is no need to reimburse the damage if it is caused by the intentional or gross negligence of the injured party. Regarding the data management of the eHACCP, notification may be made to the National Data Protection and Freedom of Information Authority, at the following contact details:

Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Phone: +36 (1) 391-1400

Telefax: +36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu