1. General Information
The owner and operator of the www.metripond-m93.hu website (hereinafter: “Website”) is METRIPOND-M 93 Scale Manufacturing Ltd. (METRIPOND-M 93 Ltd., Address: 6800 Hodmezovasarhely, Bajcsy-Zs. u. 70., Company registration number: 06 09 002507, Tax number: 11087199206 hereinafter: “Service Provider”).
The purpose of this Policy is to set out the data protection and data management principles and policies applied by the Service Provider.
We inform you that Section 20 (1) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: “Info Act”) stipulates that the data subject (hereinafter: user) must be informed before the commencement of data processing whether data processing is based on consent or is mandatory.
The data subject must be clearly and in detail informed before the commencement of data processing about all facts relating to the processing of their data, in particular the purpose and legal basis of data processing, the person authorised to process and handle data, and the duration of data processing.
Furthermore, pursuant to Section 6 (1) of the Info Act, the data subject must also be informed that personal data may also be processed if obtaining the data subject’s consent is impossible or would involve disproportionate costs, and the processing of personal data is
- necessary for the fulfilment of a legal obligation applicable to the data controller, or
- necessary for the enforcement of the legitimate interest of the data controller or a third party, and the enforcement of this interest is proportionate to the restriction of the right to the protection of personal data.
If the data subject is unable to give their consent due to incapacity or for any other insurmountable reason, the data subject’s personal data may be processed to the extent necessary to protect the vital interests of the data subject or another person, and to avert or prevent an immediate threat to the life, physical integrity or property of persons, while the obstacles to consent persist.
The validity of a legal declaration containing the consent of a minor data subject who has reached the age of 16 does not require the agreement or subsequent approval of their legal representative.
According to the Info Act, the above information must also extend to the data subject’s rights and legal remedies related to data processing.
However, if personal notification of the data subjects is impossible or would involve disproportionate costs, the notification may be provided by making the following information publicly available:
a) the fact of data collection,
b) the scope of data subjects,
c) the purpose of data collection,
d) the duration of data processing,
e) the identity of possible data controllers authorised to access the data,
f) a description of the data subjects’ rights and legal remedies related to data processing, and
g) if data processing is subject to registration in the data protection register, the registration number of data processing.
Based on the above preliminary information, please carefully read the following Policy, noting that the Service Provider is unilaterally entitled to modify its data processing principles, having regard to the applicable legislation.
The amended data processing principles shall become effective upon being uploaded to the website.
We inform you that the Service Provider manages, stores and processes the data of the above website in compliance with all applicable and effective statutory data protection provisions at all times. The relevant rules can be read in this Data Protection and Data Management Policy, which also sets out the measures relating to data protection and the secure handling of personal data, in addition to data management methods.
The Service Provider assumes responsibility for the protection of the personal rights of visitors to the Website, which is of paramount importance to us. Please note, however, that the security of information transmitted over the internet cannot be fully guaranteed.
2. Statutory definitions and interpretations of terms used in this Policy pursuant to Section 3 of the Info Act
personal data: data that can be associated with the data subject – in particular the data subject’s name, identification mark, and one or more characteristics specific to their physical, physiological, mental, economic, cultural or social identity – as well as any conclusion that can be drawn from the data with respect to the data subject;
data subject/user: any natural person identified, or identifiable – directly or indirectly – on the basis of specific personal data;
consent: a voluntary and definite expression of the data subject’s will, based on appropriate information, by which they give their unambiguous consent to the processing of personal data relating to them – in full or limited to certain operations;
data controller: a natural or legal person, or an organisation without legal personality, which alone or jointly with others determines the purpose of data processing, makes and implements decisions regarding data processing (including the tools used), or has them implemented by a data processor commissioned by it;
data processing: any operation or set of operations performed on data, regardless of the procedure applied, including in particular the collection, recording, organisation, storage, alteration, use, retrieval, transfer, disclosure, coordination or combination, blocking, deletion and destruction of data, and the prevention of further use of data, the taking of photographs, sound or video recordings, and the recording of physical characteristics suitable for the identification of a person (e.g. fingerprint or palm print, DNA sample, iris image);
data transfer: making data accessible to a specific third party;
data deletion: rendering data unrecognisable in such a way that their recovery is no longer possible;
data processing (technical): the performance of technical tasks related to data management operations, regardless of the method and tools used to perform the operations, and the place of application, provided that the technical task is performed on the data;
data processor: a natural or legal person, or an organisation without legal personality, which processes data on the basis of a contract concluded with the data controller – including a contract concluded on the basis of a statutory provision;
third party: a natural or legal person, or an organisation without legal personality, who or which is not identical to the data subject, the data controller or the data processor;
objection: a declaration by the data subject objecting to the processing of their personal data and requesting the cessation of data processing or the deletion of the processed data;
disclosure: making data accessible to anyone;
data set: the totality of data managed in a single registry;
3. Legal basis and purpose of data processing
Personal data may only be processed for a specified purpose, for the exercise of rights and the fulfilment of obligations. At every stage of data processing, the processing must comply with the purpose of data processing, and the recording and processing of data must be fair and lawful.
Only personal data that is essential for the achievement of the purpose of data processing and is suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the duration necessary for the achievement of the purpose.
Legal basis: Data processing takes place on the basis of the voluntary declaration, based on appropriate information, of the users of the internet content available on the Website, which declaration includes the users’ express consent to the use of the personal data provided during the use of the site.
The legal basis for data processing is the voluntary consent of the data subject pursuant to Section 5(1)(a) of the Info Act. We inform you that the user gives their consent to the Service Provider by using the Website, by registering, or by voluntarily providing the requested data, and thereby the user accepts the data processing principles applied by the Service Provider.
Purpose: We inform you that the data you provide will be stored and processed by the Service Provider (hereinafter: “Data Controller”) pursuant to the Info Act exclusively for the purpose of identifying the user as necessary for the use of services accessible through the Website during registration and/or ticket purchase, for concluding contracts with users and ensuring any related delivery, for subsequent proof of order conditions, for documenting the adequacy of performance, and for invoicing, sending newsletters, and ensuring the provision of other services available on the Website.
We inform you that data processing for the above purposes is carried out exclusively in the manner prescribed by law, to the extent and for the duration necessary for the achievement of the purpose, and only with those personal data that are indispensably necessary for the achievement of the above purposes and are suitable for achieving them.
4. Scope of processed personal data and the method of recording
The following data are primarily recorded during registration:
- surname and first name/company name
- e-mail address,
- billing address (billing name, street name, house number, city, postcode, tax number),
- delivery address (delivery name, street name, house number, city, postcode),
- telephone number
- password
- IP address at the time of registration
- date and time of registration
Data technically recorded during the operation of the system: data of the user’s connecting computer that are generated during the use of the service and which the data controller’s system automatically records as a result of technical processes. The automatically recorded data are automatically logged by the system upon login and logout, without any separate declaration or action by the user. These data cannot be linked to other personal user data – except in cases made compulsory by law. Only the data controller has access to the data.
The purpose of the automatically recorded data is to compile statistics, to develop the technical aspects of the IT system, and to protect the rights of users.
We inform you that the data controller does not and may not use the personal data provided for purposes other than those described in these points. The disclosure of personal data to third parties or authorities is only possible with the prior express consent of the user, unless the law provides otherwise.
We draw your attention to the fact that the data controller does not verify the personal data provided to it. The person providing the data is solely responsible for the accuracy of the data provided.
We inform you that every user, by providing their e-mail address, simultaneously accepts responsibility that only they will use the service from the e-mail address provided. In view of this acceptance of responsibility, all liability in connection with logins made using a given e-mail address rests solely with the user who registered the e-mail address.
We inform you that an IP address is a numeric sequence that identifies your computer when connecting to the internet service provider, or to a local area network (LAN) or a wide area network (WAN). Based on the IP address, web servers automatically identify your computer while you are online. The Service Provider may collect IP addresses for system administration and site usage monitoring purposes. However, users are not primarily associated with the IP address, meaning the user remains anonymous.
Nevertheless, if the Service Provider determines that it becomes necessary for the enforcement of the Website’s terms of use, for the protection of services or other users, then the IP addresses may be used to identify users.
5. Duration of data processing, modification and deletion of data
The processing of personal data mandatorily provided during registration begins with registration and lasts until its deletion or until the purpose has been achieved, or until another date specified by law. In the case of non-mandatory data, data processing lasts from the time the data is provided until the deletion of the data in question or until the purpose has been achieved, or until another date specified by law.
We inform you that you may at any time request information about your data processed by the Service Provider. You may at any time, without justification or limitation, request free of charge the modification of your data, as well as their deletion from the Service Provider’s database, at the following contact details:
- by e-mail: merleg@metripond-m93.hu
6. Use of cookies
We inform you that the Website operated by the Service Provider uses so-called “cookies” to collect profile and status data, to identify registered users of the Website, to maintain a “shopping cart”, and to track visitors. Cookies are data that are temporarily placed on the hard drive of your computer from the browser programme when you visit the Website, and they are necessary for visiting the Website. However, they cannot by themselves be used to identify the visitor’s personal identity. Cookies provide additional functionality to the Website and help us to more accurately assess the use of the Website.
Pursuant to the Info Act, the use of cookies is only possible with your prior consent. You therefore have the option to enable or reject cookies. By modifying your browser settings, you can reject cookies or, if you wish, receive a warning before a cookie is stored. If you would like to learn more about these features and fine-tune your cookie settings, please consult the instructions or help screen of your internet browser. Please note that if you choose to reject cookies, you may not be able to take full advantage of the interactive features of our Website or other websites.
7. Newsletter, direct marketing (DM)
We inform you that pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities, the user may give their prior and express consent for the Service Provider to contact them at the contact details provided during registration (e.g. e-mail address or telephone number) for the purpose of informing them about current promotions, information, and new services, and to process the personal data necessary for sending promotional materials and newsletters. The user is entitled to decide on this at the time of registration or when modifying their registered data.
We inform you that the Service Provider processes the following data for its DM activities: name, e-mail address, (telephone number). Any visitor to the Website may subscribe to the newsletter. The data provided by the user are processed until unsubscription. Only the employees of the data controller are authorised to process user personal data.
The Service Provider does not send unsolicited promotional messages or newsletters to its visitors and users. Users are entitled at any time, without justification and without any restriction, to unsubscribe free of charge as indicated in the newsletter and/or promotional offer. We inform you that in the event of unsubscription, the Service Provider deletes the user personal data necessary for sending newsletters and promotional materials from its records and will not contact the user with further promotional offers.
8. Data transfer
Pursuant to the Info Act and Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services, the Service Provider may use data processing services for the processing of the personal data it manages. During the provision of its services, the data processor is obliged to comply with the provisions of this Data Management Policy, the applicable legislation in force, and the contract governing its relationship with the Service Provider. By visiting the Website or using the services of the Website, the user consents to the transfer of their personal data to data processors potentially used by the Service Provider for data processing purposes. The persons authorised to access the data as possible data controllers: Metripond-M93 Scale Manufacturing Ltd.
Data transfer:
Scope of transferred data: user’s name, telephone number, e-mail address, residential address/registered seat, billing name and address, delivery address
Purpose of data transfer: provision of server services including for data storage purposes
The personal data transferred by the Service Provider are processed until the user’s payment and settlement of the service and the delivery of the product, as well as the processing of invoicing, and until unsubscription from the newsletter or the termination of the newsletter service, unless applicable statutory regulation provides otherwise.
We inform you that you may at any time request the deletion of your personal data from the above data processors or data controllers.
9. Data security
The Info Act, as a data security requirement, stipulates that the data controller is obliged to plan and execute data management operations in such a way as to ensure the protection of the data subjects’ privacy. The data controller and, within its scope of activities, the data processor are obliged to ensure the security of data, and are further obliged to take the technical and organisational measures and establish the procedural rules necessary for the enforcement of the Info Act and other data and confidentiality protection rules. Data must be protected by appropriate measures against, in particular, unauthorised access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage, and against becoming inaccessible due to changes in the applied technology.
In order to protect electronically managed data sets in different registries, it must be ensured by an appropriate technical solution that the data stored in the registries cannot be directly linked or assigned to the data subject – unless permitted by law.
During the automated processing of personal data, the data controller and the data processor shall take further measures to prevent unauthorised data entry; the use of automated data processing systems by unauthorised persons using data transmission equipment; to verify and establish to which bodies personal data have been or may be transmitted using data transmission equipment; to verify and establish which personal data have been entered into automated data processing systems, when and by whom; the recoverability of installed systems in the event of malfunction; and to ensure that errors occurring during automated processing are reported.
When determining and applying measures to ensure data security, the data controller and the data processor must take into account the current state of technology. Of several possible data management solutions, the one that ensures a higher level of protection of personal data must be chosen, unless this would place a disproportionate burden on the data controller.
10. Rights of data subjects/users
Pursuant to the provisions of the Info Act, the data subject may request the data controller to
a) provide information about the processing of their personal data,
b) rectify their personal data, and
c) delete or block their personal data (except for mandatory data processing).
At the request of the data subject, the data controller shall provide information about the data processed by it or by a data processor commissioned by it, the source of such data, the purpose, legal basis and duration of data processing, the name and address of the data processor and its activities related to data processing, and – in the case of transfer of the data subject’s personal data – the legal basis and recipient of the data transfer.
The data controller shall maintain a data transfer register for the purpose of verifying the lawfulness of data transfers and informing the data subject, which contains the time of transfer of personal data managed by it, the legal basis and recipient of the data transfer, the definition of the scope of transferred personal data, and other data specified in the legislation prescribing data processing.
The data controller is obliged to comply with the information request in writing, in an understandable form, within the shortest possible time from the submission of the request, but no later than within 30 days. The information is free of charge if the person requesting the information has not yet submitted an information request to the data controller regarding the same data scope in the current year. In other cases, a cost reimbursement may be charged.
If the personal data does not correspond to reality and the correct personal data is available to the data controller, the data controller shall rectify the personal data.
Personal data must be deleted if
a) its processing is unlawful;
b) the data subject requests it pursuant to Section 14 of the Info Act;
c) it is incomplete or inaccurate – and this condition cannot be lawfully remedied – provided that deletion is not excluded by law;
d) the purpose of data processing has ceased, or the statutory time limit for data storage has expired;
e) it has been ordered by a court or the Authority.
Instead of deletion, the data controller shall block the personal data if the data subject requests this, or if it may be assumed on the basis of available information that deletion would harm the legitimate interests of the data subject. Personal data so blocked may only be processed as long as the data processing purpose that excluded the deletion of the personal data persists.
The data subject and all those to whom the data was previously transferred for data processing purposes must be notified of the rectification, blocking, marking and deletion. Notification may be omitted if this does not harm the legitimate interest of the data subject, having regard to the purpose of data processing.
If the data controller does not comply with the data subject’s request for rectification, blocking or deletion, it shall communicate in writing, within 30 days of receipt of the request, the factual and legal grounds for rejecting the request for rectification, blocking or deletion. In the event of rejection of the request for rectification, deletion or blocking, the data controller shall inform the data subject of the possibility of judicial remedy and of recourse to the Authority.
11. Legal remedies
We inform you that you, as a user, may object to the processing of your personal data pursuant to the Info Act if
- the processing or transfer of personal data is necessary solely for the fulfilment of a legal obligation applicable to the Service Provider, or for the enforcement of the legitimate interest of the Service Provider, the data recipient or a third party, unless data processing was ordered by law;
- the use or transfer of personal data is for the purpose of direct business acquisition, public opinion polling or scientific research;
- in other cases specified by law.
The Service Provider shall examine the objection within the shortest possible time from the submission of the request, but no later than within 15 days, make a decision on its merits, and inform the applicant of its decision in writing. If the Service Provider establishes that the data subject’s objection is well-founded, it shall cease data processing – including further data collection and data transfer – and block the data, and notify all those to whom the personal data affected by the objection was previously transferred and who are obliged to take action to enforce the right of objection. If the user does not agree with the decision made by the Service Provider, or if the Service Provider fails to meet the above deadline, the user may bring the matter before a court within 30 days of its communication. The user may also bring the matter before a court in the event of a breach of their rights. The court shall act with priority in the case.
The data controller is obliged to prove that data processing complies with the provisions of the law. The data recipient is obliged to prove the lawfulness of data transfer.
The case falls within the competence of the regional court. The case may also be brought before the regional court of the data subject’s domicile or place of residence, at the data subject’s choice.
A person who otherwise has no capacity to be a party to proceedings may also be a party to the case. The Authority may intervene in the proceedings in the interest of the data subject’s success.
If the court grants the request, it shall oblige the data controller to provide the information, rectify, block or delete the data, annul the decision made by automated data processing, take into account the data subject’s right of objection, or order the release of the data requested by the data recipient.
If the court rejects the data recipient’s request, the data controller is obliged to delete the data subject’s personal data within 3 days of the communication of the judgment. The data controller is also obliged to delete the data if the data recipient does not bring the matter before a court within the specified deadline.
The court may order the publication of its judgment – including the identifying data of the data controller – if required by the interests of data protection and the protected rights of a larger number of data subjects.
12. Damages
If the data controller causes damage to another person through the unlawful processing of the data subject’s data or by breaching data security requirements, it is obliged to compensate for the damage.
If the data controller violates the data subject’s personal rights through the unlawful processing of the data subject’s data or by breaching data security requirements, the data subject may claim compensation for non-pecuniary damage from the data controller.
The data controller is liable to the data subject for any damage caused by the data processor and is also obliged to pay the compensation for non-pecuniary damage due to the data subject in the event of a violation of personal rights caused by the data processor. The data controller is exempt from liability for the damage caused and from the obligation to pay compensation for non-pecuniary damage if it proves that the damage or the violation of the data subject’s personal rights was caused by an unavoidable cause outside the scope of data processing.
Damage need not be compensated and compensation for non-pecuniary damage may not be claimed to the extent that the damage or the violation of personal rights resulting from the violation of personal rights was caused by the intentional or grossly negligent conduct of the injured party.
13. Final provisions
We inform you that the information visible and found on the Website (text, image, video and other content) is the exclusive right of the Service Provider. The content and design of the Website are protected by international and Hungarian law. It is furthermore prohibited to sell, disclose, copy, alter in any form and republish, or distribute information, articles originating from the Service Provider or the Website. We reserve all further rights in relation to the published material and will enforce them, if necessary, through judicial or other legal proceedings.
If you do not agree with the above, please do not use the Website.
If you have any further questions regarding data protection or data management,
please contact our colleague at the following details:
- e-mail: merleg@metripond-m93.hu
- tel.: +36 62 246-450
As part of the services we provide to our users, the Service Provider offers various links to access further third-party websites. The data protection principles described herein do not apply to these sites. Please check the legal and confidentiality provisions of the websites you wish to visit through our links.
We inform you that the Service Provider reserves the right to unilaterally amend this Policy, which shall become effective upon being uploaded to the Website. We may also publish a notification on our Website regarding particularly important and significant changes.
In view of this, we recommend that you continuously monitor our Data Protection Policy. Please note that by continuing to use our Website, you accept our Data Protection Policy and any changes we implement.
The data controller’s data protection registration number:
14. Applicable legislation
The following legislation was primarily taken into account and applied in the preparation of the Data Protection and Data Management Policy:
Act V of 2013 – on the Civil Code
Act CXII of 2011 – on the Right of Informational Self-Determination and on Freedom of Information
Act CVIII of 2001 – on Certain Issues of Electronic Commerce Services and Information Society Services
Act XLVIII of 2008 – on the Basic Conditions and Certain Restrictions of Economic Advertising Activities
Act C of 2003 on Electronic Communications
