(hereinafter the “Information”, the “Policy” or the “Data Protection Policy”)
1. Basic Provisions
The new data protection Regulation (EU) 2016/679 of the European Union will/has become directly applicable in Hungary as well (General Data Protection Regulation, GDPR, hereinafter “Regulation” or “GDPR”). Pursuant to the Regulation the Company qualifies as a data controller, i.e. the Regulation is applicable to data processed by the Company.
1.2 Purpose of the Policy
The Purpose of this Information is to establish the data protection and data processing standards and principles followed and applied by and governing WAE Autóforgalmazási és Szolgáltató Limited Liability Company (hereinafter the “Controller” or the “Company”), the Company’s data protection and data processing policy.
1.3 Legal Background
In determining the contents of this Policy, in addition to the Regulation, the Company considered the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the “Info Act”), Act V of 2013 on the Civil Code (the “Civil Code”) and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (the “Advertisement Act”).
The scope of the Policy covers data processing in connection with the Company’s sales activities (including the website operated under the http://www.wae.hu/, www.ssangyong.hu, www.isuzu4x4.hu domain - hereinafter the “Website”).
Services and data processing by those entities and websites to which any reference points on the Website(s) operated by the Company are not subject to this Policy, nor is the data processing by entities whose information, newsletter or advertisement the Data Subject accessed from the Website.
1.5. Amendment of the Policy
1.5.1 The Company reserves the right to amend the Policy by way of a unilateral decision.
1.5.2 By accessing the Website the Data Subject accepts the contents of the Policy, no further consent of the Data Subject is required.
The concepts appearing in this Data Protection Policy shall have the following meanings:
2.1. Data Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.2. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
2.3. Personal Data or data means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.4. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
2.5. Data Subject means any natural person who registers on the Website and in doing so provides their data listed in clauses 8 and 9 below.
2.6. Outside Party: any third-party service provider partners used either directly or indirectly by the Controller or the operator of the Website for providing the various services, to whom Personal Data is or may be transferred for the provision of their services or who may transfer Personal Data to the Company. Any service providers that are not in cooperation with either the Company or the operator of services, but which, by having access to the Website, collect data on Data Subjects that may be suitable either independently or connected with other data to identify the Data Subject, shall also be qualified as Outside Parties. During the provision of hosting services, the Company shall also consider the Data Subject as an Outside Party for the purposes of data processing activity carried out on the hosted space used by it.
2.7. Policy: this Data Processing Policy of the Company.
3. Name and Activity of the Controller
Name: WAE Autóforgalmazási és Szolgáltató Limited Liability Company
Registered office: 2051 Biatorbágy, Budai út 16.
Company registration number: Cg.13-09-174957, registered by the Budapest Court of Registration
Telephone: +36 1 451-4851, +36 1 550-0185
4. Basic Standards of Data Processing
4.1 Lawfulness, Fairness
Data shall be processed lawfully, fairly and in a transparent manner for the Data Subject. The Company shall only process data defined by law or provided by Data Subjects, for the below-defined purposes. The set of Personal Data processed shall be proportionate to the aim pursued by the processing and shall not extend beyond that.
Data should be necessary and relevant for the purposes for which they are processed, as well as accurate and kept up to date.
4.3 Purpose limitation
Where the Company intends to process Personal Data for a purpose other than that for which they were collected, the Company should inform the Data Subject thereof and obtain their explicit prior consent, as well as provide the Data Subject an opportunity to prohibit use of the data.
The Company does not verify Personal Data provided to it. Solely the person providing the Personal Data shall be liable for the accuracy of such Personal Data.
4.5 Storage limitation
Data shall be stored in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed.
4.6. Protection of data of persons below the age of 16 years
Where a person is below the age of 16 years, processing of their Personal Data shall be lawful only if and to the extent that consent is given by the holder of parental responsibility over the child. The Company is unable to verify the entitlement of the consenting person or the contents of their statement, therefore the Data Subject and the person holding parental responsibility shall be liable to ensure that such consent complies with the laws. In the absence of a statement of consent the Company shall not collect any Personal Data with regard to a Data Subject below the age of 16 years.
4.7 The Company shall not disclose Personal Data processed by it to any third parties other than Processors and Outside Parties defined in this Policy. Data shall be processed such as to ensure the security of Personal Data through the application of adequate technical and/or organisational measures.
An exception from the rule in this clause shall be use of data in a statistically aggregated form, which may not contain any other data in any form that is suitable for identification of the Data Subject.
In certain cases - official court or police request, violation of the Company’s interests, jeopardisation of provision of the service due to a legal proceeding for infringement of copyright, economic or other rights or on a reasonable suspicion thereof - the Company shall disclose the accessible Personal Data of the Data Subject to third parties.
4.8. The Company shall notify the Data Subject and all recipients to whom the data was earlier transferred for Data Processing of the rectification, limitation or erasure of Personal Data processed by it. Notification is not required if this does not violate the rightful interests of the Data Subject in light of the purpose of Data Processing.
4.9 Under the Regulation the Company is not required to appoint a data protection officer because the Company is not classified as a public authority or body, the activities of the Company do not consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale or of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
5. Lawfulness of Data Processing
5.1 Article 6 of the GDPR establishes in which cases the Personal Data of Data Subjects can be processed:
“(a) the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child.”
5.2 Considering the nature of the Company’s activity, the legal basis of data processing is primarily the freely given, informed and explicit consent of the Data Subject (Info Act Section 5(1) a), after the conclusion of any contract between the Company and the Data Subject, the above point 5.1 b) of the Regulation and point 5.1 c) of the Regulation). The Data Subject contacts the Company freely, registers freely and uses the services of the Company freely. In the absence of the consent of Data Subjects the Company only processes data where unambiguously authorised to do so by law.
5.3 Where processing is based on consent, the Controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
5.4 The Data Subject shall have the right to withdraw his or her consent at any time in respect of all data processing that is based on point a) of the above clause 5.1 of the Regulation. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal and data processing pursuant to point b) and/or c) of the above clause 5.1 of the Regulation.
5.5 Data Transfer to Processors defined in the Policy may be performed without the specific consent of the Data Subject. Disclosure of Personal Data to third parties or authorities - unless otherwise provided by law - shall be allowed solely based on a final official decision or the prior explicit consent of the Data Subject.
6. Purpose of Data Processing
Data shall be processed lawfully, fairly and in a transparent manner for the Data Subject. The Company shall endeavour to ensure that only Personal Data which is essential for the purpose for which it was recorded be processed, and it must be suitable to achieve that purpose. Personal Data may be processed to the extent and for the duration necessary to achieve its purpose.
Purpose of Data Processing based on the above:
● identification of the Data Subject, communication with the Data Subject;
● provision of concise, easily accessible and easy to understand information to the Data Subject;
● creation and performance, between the Company and the Data Subject, of legal transactions within the scope of the Company’s activities;
● in the case of services provided for a fee, collection and invoicing of the fee;
● performance of the obligations directed to the Controller, exercising of the rights to which the Controller is entitled;
● production of analyses and statistics or the development of services - the controller shall only use anonymous data or aggregates not suitable for identification;
● protection of the rights of the Data Subject.
7. Source of the Data
The Company solely processes Personal Data provided by the Data Subjects and does not collect data from other sources.
8. The Set of Data Being Processed
The Company solely processes Personal Data provided by Data Subjects. The set of data being processed is as follows:
The data processed by the Company can be categorised in the following groups based on the purpose of data processing:
● Data required for registration. During registration the Data Subject provides his or her name, the name of the company, his or her e-mail address and the type of the current car. Lawfulness of Data Processing is the consent of the Data Subject, the primary purpose of data processing is Data Processing is registration, provision of the services of the Website.
● Documents uploaded. The Data Subject has an opportunity or, in certain cases, an obligation to upload photos of personal documents. The Company recommends that any personal data not required for the conclusion of the transaction between the parties and not requested by the Company should be erased from these documents (as provided in clause 10 below). If the Data Subject publishes a photo, the legal basis of data processing is the consent of the Data Subject. In the case of photos, the purpose of the data processing is the provision of the services of the Website.
● Billing data: If the Data Subject performs a consideration to the Company, the Company processes data related to payment and billing (mode of payment, tokenised data of means of payment, name, address and tax number of customer for billing purposes). The legal basis of data processing is partially the consent of the Data Subject and partially the laws applicable to taxation and accounting. The purpose of data processing is billing and collection of fees.
● Data and documents provided during authentication Data Subjects have an opportunity, as provided in clause 11 below. Documents will be handled in accordance with clause 11. The purpose of data processing is to check the contracting partner and the promoted car.
In addition to the above, the Company processes the technical data, including the IP address, as provided in clause 13 below.
9. Description of Data Processing Procedures
The source of the data is the Data Subject who supplies the data during registration or later, when entering the Website. Provision of the data on the registration form is mandatory, except where expressly provided otherwise.
The Data Subject provides the data independently and the Company gives no guidelines or sets no expectations in this respect. The Data Subject explicitly consents to the processing of the data provided by him or her. The Data Subject is entitled to provide data other than the data requested by the Company; the legal basis for the processing of data is the freely given consent of the Data Subject in this case as well.
If the Data Subject registers for a promotion organised by the Company (e.g. on Facebook) and provides the requested data, he or she accepts the data processing information related to such promotion. In this case by providing the data the Data Subject does not register on the Website, but consents to the processing of their data in accordance with the information on the promotion.
10. Data Processing Related to Documents
The Website offers an opportunity and in the case of a mandatory requirement, sets an obligation for the Data Subject to provide his or her personal documents to the Company in order to assist the creation of a legal transaction between the parties.
The Data Subject - except where required by the Company - has an opportunity to disclose the documents with a deletion of personal data. Where the Data Subject does not delete the data, during disclosure he or she consents to the publication of the data.
Where the Company does not require documents to be supplied with the personal data and allows an opportunity for deletion of the data, the Company shall not be liable for any publication whatsoever.
The purpose of the authentication process is to enable the Company to verify the identity of the Data Subject. The Company checks whether the Data Subject indicating an intent to conclude a contract is an actual natural person. Following the check, the Company erases the photos and data from the Website, however, it stores them in another location until the end of the legal basis of data processing. The purpose of data processing is the authentication of Data Subjects and the conclusion of the transaction and to aid its lawful performance following its conclusion.
12. Data Processing for Advertising Purposes, Newsletters
If the Data Subject consents, the Company will contact him or her at the contact details provided and send to the Data Subject an advertisement with the method of direct targeting. The advertisement may be sent by mail, telephone (including SMS message) or e-mail (including Messenger), subject in all cases to consent by the Data Subject. The Data Subject may withdraw their consent at any time without any explanation.
The Company’s system may automatically record the IP address of the Data Subject, the start time of the visit and in certain cases - depending on the settings of the computer - the type of browser and operating system. Data thus recorded shall not be linked with other personal data. Processing of the data serves solely statistical purposes.
Cookies allow the Website to recognise, identify and record earlier visitors. Cookies help the Company, as the operator of the Website to optimise the Website, to formulate the services offered by the Website in accordance with Data Subjects’ preferences. Cookies are furthermore suitable for
● remembering settings, so Data Subjects need not record them again when entering a new page;
● remembering data entered earlier, so they need not be retyped;
● analysing use of the website in order to make it work in accordance with the expectations of the Data Subject to the largest possible extent as a result of the improvements executed using the information gained, to enable the Data Subject to easily find the information she or he is seeking; and
● monitoring advertising efficiency.
14. Data Transfer
The Company transfers Personal Data to third parties if the Data Subject has unambiguously consented to such data transfer, knows the set of data and the recipient to whom it is being transferred or the data transfer is authorised by law.
The Company is under obligation to transfer to the competent authorities all data available to and lawfully stored by it, the transfer of which Personal Data is prescribed by law or final official decision. The Company shall not be held liable for such Data Transfer and the consequences thereof.
The Company shall document and keep a record of all data transfers in each case.
15. Data Processors
The Company shall be entitled to engage a Processor for the performance of its activities. Processors shall not make an independent decision and shall act solely in accordance with the contract concluded with the Company and the instructions received. The Company checks the work of Processors. Processors shall be entitled to engage further processors solely with the Company’s consent. The Company shall only use Processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that data processing will meet the requirements and ensure the protection of the rights of Data Subjects.
The Processor shall not engage another processor without prior specific or general written authorisation of the Company. In the case of general written authorisation, the Processor shall inform the Company of any intended changes concerning the addition or replacement of other processors, thereby giving the Company the opportunity to object to such changes.
The Company shall designate the Processors concerned in the Policy.
The Processors engaged by the Company:
- Barcs-Car Kft.
- Fábián Kft.
- HO-SP Hungary Kft.
- Zakar és Társa Kft.
- Quick Autó Kft.
- KMI Autóház Kft.
- Nyitrai Autóház Kft.
- Tipp Autószerviz Kft.
- Marsal Kft.
- Auto Caro Kft.
- Wallis Motor Pest Kft.
- Wallis Kerepesi Kft.
- Körös Autócentrum Kft.
- Magisz Kft.
- Univer-Car Kft.
- Nyitrai Autóház Kft.
- Penthe Autóház Kft.
- Renniss Autó Kft.
- Autó Kontúr Kft.
- Pólus Autóház Kft.
- Bonus Kft.
- SpiritCom Kft.
- Mediator Group Kft.
16. Outside Parties
The Company engages Outside Parties, with which Outside Parties the Company shall cooperate.
The data protection policies of Outside Parties shall govern the use of Personal Data processed in the systems of Outside Parties. The Company shall do everything within its power to ensure that Outside Parties process Personal Data transferred to them in accordance with the laws and to use such Personal Data solely for the purpose determined by the Data Subject or set out below in the Policy.
The Company shall advise Data Subjects of the data transfer performed to Outside Parties within the Policy.
- dynamicline Bt.
- Zuriel Kft.
- Deninet Kft.
17. Data Security Requirement
The Company shall implement adequate safeguards and appropriate technical and organizational measures to protect data, as well as adequate procedural rules to enforce the provisions of the effective laws and other regulations concerning data protection and confidentiality. The Company shall protect data by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the Company and the Processor shall implement appropriate technical and organisational measures in order to ensure a level of data security appropriate to the risk.
Within the framework of the above the Company shall:
● ensure measures to protect against unauthorised access, including the protection of software and hardware tools and physical protection (access protection, network protection);
● carry out measures enabling the restoration of sets of data and ensure regular backup saves;
● arrange for protection against viruses.
18. Duration of Data Processing
The Company shall erase Personal Data where
a) it is revealed that data have been unlawfully processed, the Company shall promptly perform erasure;
b) the Data Subject so requests (with the exception of data processing based on statutory obligations);
The Data Subject may request erasure of data processed based on the freely given consent of the Data Subject. In such case, the Company shall erase the data. Erasure shall be denied only where processing of the data is authorised by statutory provision of an act. The Company shall provide information on the denial of the request for erasure and the law allowing data processing in each case.
c) if it is revealed that the data is incomplete or inaccurate, and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision of an act;
d) the purpose of data processing no longer exists or the legal time limit for storage has expired;
Erasure can be denied where Personal Data (i) is processed based on authorised granted by law and (ii) is required for the protection or enforcement of rights.
The Company shall inform the Data Subject in each case, indicating the reason for the denial of the request. Following performance of a request for the erasure of Personal Data the earlier (deleted) data cannot be restored.
Users can unsubscribe from newsletters sent by the Company through the link found therein. If the Data Subject unsubscribes, the Company deletes their Personal Data from its newsletter database.
e) so ordered by court or by the Hungarian National Authority for Data Protection and Freedom of Information.
If erasure is ordered by court or by the Hungarian National Authority for Data Protection and Freedom of Information, erasure shall be performed by the Controller.
Instead of erasure - with the information of the Data Subject - the Company shall block personal data if so requested by the Data Subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the Data Subject. Blocked Personal Data shall be processed only until the data processing purpose which prevented their erasure exists. The Company marks the Personal Data processed by it where the Data Subject contests the correctness or accuracy thereof, but the accuracy or inaccuracy of the Personal Data cannot be ascertained beyond doubt.
In the case of data processing ordered by statute erasure of data shall be governed by the provisions of such statute.
If data are erased, the Company shall render the data unsuitable for personal identification. If required by statute the Company shall destroy any data carrier containing Personal Data.
19. Rights of Data Subjects in Connection with Data Processing
19.1 The Company shall inform the Data Subject of the processing of their data simultaneously with the first contact. The Data Subject shall be entitled to request information on the data processing at any time.
The Data Subject shall have the right to obtain from the Company confirmation as to whether or not Personal Data concerning him or her are being processed, and, where that is the case, access to the Personal Data and information on the purposes of the processing, the categories of Personal Data concerned, the recipients or categories of recipient to whom the Personal Data have been or will be disclosed, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period. The Data Subject has the right to request from the Controller that Personal Data concerning him or her rectified, erased or their processing restricted and may object to the processing of such Personal Data. The Data Subject furthermore has the right to lodge a complaint with a supervisory authority or, where data was not collected from the Data Subject, they have the right to all available information on the source of the data.
19.2 The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her. Taking into account the purposes of the data processing, the Data Subject shall have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
19.3 With the exception of data processing required by law, the Data Subject shall have the right to obtain from the Company the erasure of Personal Data concerning him or her without undue delay. The Company shall inform the Data Subject of the erasure.
19.4 The Data Subject may object to the processing of his or her Personal Data as defined by the Info Act.
19.5 The Data Subject may lodge a request for information, rectification or erasure in writing, in a letter addressed to the Company’s headquarters or site or by sending an e-mail to email@example.com (in case of JRL it is firstname.lastname@example.org).
19.6 The Data Subject shall have the right to obtain from the Company restriction of processing of his or Personal Data where the accuracy of the Personal Data is contested by the Data Subject. In such case the restriction applies to a period enabling the Company to verify the accuracy of the Personal Data. The Company marks the Personal Data processed by it where the Data Subject contests the correctness or accuracy thereof, but the accuracy or inaccuracy of the Personal Data cannot be ascertained beyond doubt.
The Data Subject shall have the right to obtain from the Company restriction of processing of his or her Personal Data also where the Data Processing is unlawful, but the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead.
The Data Subject shall have the right to obtain from the Company restriction of processing of his or her Personal Data also where the purpose of Data Processing was realised, but the Data Subject requires processing of the data by the Company for the establishment, exercise or defence of legal claims
19.7 The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided.
19.8 Where the Company fails to perform the request of the Data Subject for the rectification, blocking or erasure, it shall inform the Data Subject of the reason for denial of the request for rectification, blocking or erasure within 30 days of receipt of the request. Where the request for rectification, blocking or erasure is denied, the Controller shall advise the Data Subject of the possibility to obtain legal remedy or turn to the Hungarian National Authority for Data Protection and Freedom of Information.
19.9 The Data Subject may submit its above statements in connection with exercising his or her rights at the contact details of the Controller provided in clause 2.
19.10 The Data Subject may also lodge a complaint directly with the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telefon: +36-1-391-1400; e-mail: email@example.com; website: www.naih.hu). In the event of any infringement of his or her rights, the Data Subject may turn to court action based on Section 22(1) of the Info Act. The regional courts have jurisdiction in the court action. At the election of the Data Subject the action may be brought before the regional court in whose jurisdiction the data subject’s home address or temporary residence is located. Upon request, the Controller shall regularly inform the Data Subject of the possibilities and means of legal remedy.