BalaSys IT Zrt. (1117 Budapest, Alíz utca 4., company registration number: 01-10-141679) (hereinafter: the Company ) handles various personal data in the course of its day-to-day business operations.
The purpose of these regulations is to define the scope of personal data managed by the Company and the method of data processing, as well as to ensure the enforcement of data protection and data management principles and data security requirements, in particular Regulation (EU) 2016/679 of the European Parliament and the European Council (hereinafter: GDPR ) and Act CXII of 2011 on the right to information self-determination and freedom of information. (hereinafter: Privacy Act).
a natural or legal person who, within the framework of a law or a binding act of the European Union, determines the purposes and means of the processing of personal data, either individually or in association with others.
any operation on personal data or files, whether automated or non-automated, in particular the collection, recording, systematization, storage, alteration, interrogation, use, transmission, restriction or even deletion, or any combination of such operations.
any information relating to an identified or identifiable natural person ("data subject").
a natural or legal person who, within the framework and under the conditions laid down by law or a binding act of the European Union, processes personal data on behalf of or at the direction of the data controller.
a voluntary, specific and duly informed and unambiguous statement of the will of the data subject, by which he or she indicates his or her consent to the processing of personal data concerning him or her by means of a statement or an act which unequivocally expresses the confirmation.
the persons, bodies with whom the natural data have been or will be communicated.
Data management prior to the establishment of the employment relationship is carried out in connection with the previous tendering procedure.
Legal basis: consent of the data subject
Objective: to evaluate the application, to conclude an employment contract
Relevant data: name, address, place of birth, time, education, professional qualifications, telephone number, email address, photo of data subject
Data subjects: persons applying for the job
Duration: Once an employee has been selected, the purpose of data processing for non-selected candidates will cease, which means that applicants' personal data must be deleted immediately, unless the person concerned has explicitly consented to the retention of his or her data and his or her personal contact for possible future employment.
Recipient: the person exercising the employer's authority, the employee(s) performing the human resources policy task
Legal basis: legitimate economic interest of the Company, taking into account the results of the balancing test required by the GDPR (GDPR Article 6 paragraph 1) point f))
Purpose:
Data in question:
Data subjects: persons entering the territory of the Company
Duration: Three working days in the absence of use in connection with the camera system [2005 CXXXIII. Act., otherwise known as SzVMt. Pursuant to Section 31 (2)]. Use is considered to be the use of recorded image, sound or image and sound recordings and other personal data as evidence in court or other official proceedings.
In connection with the access control system:
Recipient: the Company's senior executives, system administrator, employees performing personal and property protection tasks, data processors
Legal basis: fulfillment of a legal obligation, (Section 159 (1) of Act CXXVII of 2007)
Purpose: to determine the mandatory data content of an invoice, to issue an invoice, to perform related accounting tasks.
Data in question: the name, address and tax number of the Company's natural person's customers, buyers and suppliers
Data subjects: the Company's natural person's customers, buyers and suppliers
Duration: 8 years from the termination of the contract (business relationship)
Recipient: employees issuing invoices as job responsibilities, employees performing accounting activities, data processors, senior official
Legal basis: fulfillment of a legal obligation (Section 50 (1) of Act CL of 2017)
Purpose: to prepare tax and contribution returns
Data in question: senior official of the Company, employees, their family members as defined in Article 50 Section (2), Highlighting the natural identification data of the natural person (including the previous name and title), gender, citizenship, tax identification number of the natural person sign, social security identification sign
Data subjects: senior executives of the Company, employees, their family members
Duration: 8 years from the end of the legal relationship
Recipient: employees, data processors, senior executives of the Company performing accounting and payroll activities as job responsibilities
A cookie is a packet of variable content, alphanumeric information sent by a web server that is stored on a user's computer and stored for a predetermined period of time. The cookie allows the web server to recognize the device used to browse and the history of browsing the website. With the help of cookies, the Company can get an idea of the user's website visits, internet usage habits and history. Cookies do not contain any personal data that can be used to identify users of the Website, they are only used to identify the user's computer.
Users of the Website have the opportunity to set what types of cookies the Website may use. During the visit, the Website collects data using cookies. By visiting the Website, the user can accept with one click that the Website uses cookies in accordance with our privacy policy. If the user disables or deletes cookies on their computer in their own browser, thereby restricting the usability of the Website (or certain parts thereof), the settings previously specified on the Website may be lost.
The user can also change the cookie settings in their browser at any time later.
The Required Cookies are absolutely necessary for the basic operation of the Website, they facilitate its use and collect information about its use without identifying the users.
The Company handles these cookies in the legitimate interest of the Website.
With the help of Performance Cookies, the Company analyzes the habits and behavior of visitors in tomorrow in order to improve and improve the services and content of the Website.
COOKIE NAME (DOMAIN) | PURPOSE OF APPLICATION | STORAGE TIME | LEGAL BASIS |
---|---|---|---|
YSC (youtube.com) | The YouTube cookie is used to measure views of videos inserted with the EMBED code. | Session | A legitimate interest in analyzing user habits anonymously. |
The Website uses the cookies of the following service providers for statistical purposes:
Google Analytics - Google LLC
Google Analytics can be used to track Website activity, such as session duration, pages per session, bounce rate, etc., and information about the source of traffic.
Detailed information about Google Analytics is available at the following link: https://www.google.com/analytics/terms/us.html
Hotjar
A service used for heat map analytics that collects information about the location of clicks and the movement of the mouse
Detailed information about the Hotjar service is available at the following link:
https://www.hotjar.com/cookies
With the help of functional cookies, the Website remembers the users' previous settings, data, information and other website usage habits, so that they do not have to be entered again the next time and the use of the website is more convenient. Cookies that facilitate the operation of certain functions of the Website (e.g. the sharing of content published on the Website via social media interfaces) are considered functional cookies.
COOKIE NAME (DOMAIN) | PURPOSE OF APPLICATION | STORAGE TIME | LEGAL BASIS |
---|---|---|---|
na_id (addthis.com) | Addthis.com's cookie allows you to share links on social sites like Facebook and Twitter. | 1 year 24 days | User consent |
ouid (addthis.com) | Issued by Addthis, it aims to allow the sharing of the content of a website across various networking and social media interfaces. | 1 year 24 days | User consent |
Anj (adnxs.com) | The anj contains cookie data that indicates whether the cookie ID is in sync with users. | 3 months | User consent |
These cookies provide the opportunity to display advertisements to the user that are relevant to the user's interests, as well as to display and send personalized content and advertisements to the user by analyzing the use of the Website.
Within this, the purpose of the use of cookies related to advertisements is to enable the Company to select the advertisements that are most interesting or important to the users of the Website, and to be able to measure the success of the Company's campaigns.
The Website uses the cookies of the following service providers for advertising purposes:
COOKIE NAME (DOMAIN) | PURPOSE OF APPLICATION | STORAGE TIME | LEGAL BASIS |
---|---|---|---|
__ss (balasys.hu) | SharpSpring cookie of the marketing automation platform. It is used to track users and submitted forms (such as questionnaires). | 1 day | User consent |
__ss_referrer (balasys.hu) | SharpSpring cookie of the marketing automation platform. It is used to track users and submitted forms (such as questionnaires). | 1 hour | User consent |
__ss_tk (balasys.hu) | Perfect Audience's cookies. Websites with the same ad space are used to display ads on other ad slots within the network. | 25 years | User consent |
IDE (doubleclick.net) | Google DoubleClick uses information to store information about how a user uses the website and any other advertisements before they visit the website. Its purpose is to encounter relevant ads based on the user's individual profile. | 1 year 24 days | User consent |
koitk (.marketingautomation.services) | SharpSpring cookie of the marketing automation platform. It is used to track users and submitted forms (such as questionnaires). | 10 years | User consent |
pa_crosswise_ts (.prfct.co) | The Perfect Audience cookie is used for advertising purposes based on user behavioral data. | 2 years | User consent |
pa_google_ts (.prfct.co) | The Perfect Audience cookie is used for advertising purposes based on user behavioral data. | 2 years | User consent |
pa_openx_ts (.prfct.co) | The Perfect Audience cookie is used for advertising purposes based on user behavioral data. | 2 years | User consent |
pa_rubicon_ts (.prfct.co) | The Perfect Audience cookie is used for advertising purposes based on user behavioral data. | 2 years | User consent |
pa_twitter_ts (.prfct.co) | The Perfect Audience cookie is used for advertising purposes based on user behavioral data. | 2 years | User consent |
pa_uid (.prfct.co) | Perfect Audience's cookies. Websites with the same ad space are used to display ads on other ad slots within the network. | 2 years | User consent |
pa_yahoo_ts (.prfct.co) | The Perfect Audience cookie is used for advertising purposes based on user behavioral data. | 2 years | User consent |
personalization_id (.twitter.com) | Used by Twitter.com. Allows you to integrate page sharing options. It is also used to store information that shows how a user uses the website for tracking and targeting. | 2 years | User consent |
test_cookie (.doubleclick.net) | Published by doubleclick.net. Its purpose is to determine whether a user's browser is suitable for handling and using cookies. | 15 minutes | User consent |
uid (.addthis.com) | It measures website traffic and visitation habits based on anonymous data. This data identifies the number of visits, average length, number of views of subpages, etc. to refine your preference-based ads. | 1 year 24 days | User consent |
uuid2 (.adnxs.com) | An AppNexus cookie that stores information that helps you distinguish between devices and websites. This information is used to filter out the ads offered by the platform, summarize the performance of the ads, and assign payment features to them. | 3 months | User consent |
VISITOR_INFO1_LIVE (.youtube.com) | The cookie used by Youtube.com allows you to track information about videos inserted with EMBED code on external websites. | 5 months 27 days | User consent |
CONSENT (.youtube.com) | |||
16 years 8 months | User consent | ||
i (.openx.net) | |||
1 year | User consent |
LinkedIn is a social media interface for building business and professional relationships. The Company uses LinkedIn primarily for recruiting and accessing human resources.
Detailed information about LinkedIn is available at the following link:
https://www.linkedin.com/legal/cookie-policy
A system used when using Sharpspring marketing automation services.
Detailed information about the Sharpspring service is available at the following link:
https://help.sharpspring.com/hc/en-us
Xandr offers online infrastructure and technology for data management, optimization, financial accounting, and support for directly coordinated advertising campaigns.
Detailed information about the Xandr service is available at the following link:
https://www.xandr.com/privacy/cookie-policy/
An integrated advertising platform that enables the Company to more effectively create, manage, and distribute digital marketing campaigns.
Detailed information about Google Doubleclick is available at the following link:
https://www.google.com/intl/hu/policies/privacy
Video-sharing portal. The Company uses the portal to share video content (product videos, presentations, tutorials) and to stream online events.
Detailed information about YouTube (Google Group) is available at the following link:
https://policies.google.com/?hl=en
Modern browsers allow you to change "cookie settings". Some browsers automatically accept cookies by default, but this setting can also be changed to prevent the user from automatically accepting them in the future. In the event of a switch, the browser will continue to offer the option to "set cookies" each time.
The Company draws the users' attention to the fact that since the purpose of cookies is to support and facilitate the usability and processes of the Website, by disabling cookies, the Company cannot guarantee that the user will be able to fully use all functions of the Website. In this case, the Website may work differently in the browser than planned.
Information about the cookie settings of the most commonly used browsers can be found at the following links:
https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=hu
https://support.google.com/accounts/answer/32050?co=GENIE.Platform%3DAndroid&hl=hu
https://support.microsoft.com/hu-hu/help/4027947/microsoft-edge-delete-cookies
https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito
https://support.apple.com/hu-hu/guide/safari/sfri11471/mac
https://support.apple.com/hu-hu/HT201265
Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by filling in the registration form and ticking the text "I register".
Purpose:
Data in question: name, email address, telephone number, job title, country
Data subjects : any natural person who registers on the Website as described above
Duration: until withdrawal of consent, but not exceeding 5 years
Recipient: the Company's customer relations and event management staff, data processors, senior executive
Legal basis: consent of the data subject
Purpose: identification, contact, quotations
Data in question: name, telephone number, email address, job title, country
Data subjects: all natural persons who request information, an offer and provide their personal data in connection with the services and products of the Company through the Website.
Duration: up to 1 year after the information has been provided or the offer made
Recipient: customer service staff, data processors, senior official
Legal basis: prior and explicit consent of the data subject
Purpose: to send email newsletters containing commercial advertising to those interested, to display marketing messages, to provide information on current information and promotions related to the Company's products and services, direct marketing inquiries,
Data in question: name, email
Data subjects: individuals who contribute to the sending of newsletters
Duration: personal data must be deleted immediately after unsubscribing from the newsletter or withdrawing the data subject's consent
Recipient: marketing staff, senior executives, contributors used to send newsletters
Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by completing and submitting the contact form.
Purpose: contact, request for information, preparation for concluding a contract
Data in question: name, email address, telephone number, job title, country
Data subjects: any natural person who fills in and sends the contact form on the Website as described above
Duration: until withdrawal of consent, but not exceeding 5 years
Recipient: the Company's customer relations staff, data processors, senior executive
Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by completing and submitting the contact form.
Purpose: to test a trial version of a product
Data in question: name, email address, telephone number, country
Data subjects: any natural person who completes and submits the Trial Request Form on the Website as described above
Duration: until withdrawal of consent, but not exceeding 5 years
Recipient: the Company's customer relations staff, data processors, senior executive
Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by filling in and submitting the training registration form.
Purpose: To participate in specific training
Data in question: name, email address, telephone number, country, company name, position, company address, contact form
Data subjects: any natural person who fills in and sends the training registration form on the Website as described above
Duration: immediately after the training
Recipient: the Company's customer relations staff
Legal basis: the prior and express consent of the data subject, which the data subject gives on the Company's Website by using the chatbot application, providing and sending personal data.
Purpose: To answer specific questions
Data in question: name, email address
Data subjects: any natural person who fills in the chatbot application available on the Website and sends his/her questions as described above
Duration: deleted immediately after the question has been answered on the merits
Recipient: the Company's customer relations staff
Balasys IT Zrt. uses the software of SharpSpring (https://sharpspring.com/contact-us/) in its sales activities. The data controller stores in this system the personal data of the data subjects indicated above and re-listed below:
We collect the following personal information:
Pursuant to Article 13 Paragraph f) of the GDPR, the data controller Balasys IT Zrt. informs its affected customers that during the application of the SharpSpring software, the data controller transfers the personal data indicated above to a third country. The data controller also informs data subjects that the transfer is possible under Article 46 (1) of the GDPR, given that the processor has provided the following appropriate guarantees: The controller has entered into a model contract with SharpSpring containing general data protection clauses: https://sharpspring.com/legal/eu-standard-contractual-clauses/ Stored data is stored primarily in data centers in the United States, and this data can be accessed by both U.S. and SharpSpring international resources during the customer relationship. In addition, we would like to draw the attention of our esteemed affected customers to the fact that they may exercise their rights listed in Section 3 of the Policy as affected at any time.
Pursuant to Article 22 of the GDPR, Balasys IT Zrt., as data controller, informs the affected customers that in order to make automated decisions, using the SharpSpring software:
Here again, we draw the attention of our esteemed affected customers to the fact that they may at any time exercise the rights listed in Section 3 of the Regulations as affected.
The Company handles the personal data of the natural persons contracting with it – customers, customers, suppliers – in connection with the contractual relationship.
Legal basis: performance of contract
Purpose: to maintain contact, to enforce claims arising from the contract, to ensure compliance with contractual obligations
Data in question: name, address, registered office, telephone number, email address, tax number, bank account number
Data subjects: all natural persons who enter into a contractual relationship with the Company.
Duration: 8 years from the end of the legal relationship
Recipient: Customer service and accounting staff, data processors, senior executives
After subscribing to an attendance sheet or event available at events organized by the Company, newsletters will only be sent if the subscribers have expressly consented as individuals, or the email address provided at the time of subscription is an email address of a legal entity and cannot be linked to a natural person and does not contain personal information.
In other cases, sending a newsletter or invitation is only possible with the consent of the contract or the existence of a direct partnership, if no personal data can be linked to the partner's email address.
The Company is obliged to provide information on data processing not listed in these regulations when recording the data.
The Company shall provide personal data to the authorities, provided that the authority has indicated the exact purpose and scope of the data, only to the extent and to the extent strictly necessary to achieve the purpose of the request.
The data subject may request information on the handling of his or her personal data, as well as request the correction of his or her personal data, - with the exception of mandatory data processing - deletion, revocation, exercise the right to carry data and protest in the manner indicated at the time of data collection.
Right to information: The Company shall take appropriate measures to provide the data subject with all information concerning the processing of personal data referred to in Articles 13 and 14, Articles 15 to 22 and Article 34 of the GDPR shall be provided in a concise, transparent, comprehensible and easily accessible form, in a clear and understandable manner.
The right to be informed can be exercised in writing through the contact details of the Company written in these regulations. Upon request, the data subject may be provided with oral information upon verification of his or her identity.
Right of access of the data subject: The data subject has the right to receive feedback from the Company as to whether the processing of his or her personal data is in progress, and if such data processing is in progress, he or she has the right to access the personal data and the following information:
The Company shall provide the information within a maximum of one month from the submission of the application.
Right of rectification: The data subject may request the correction of inaccurate personal data concerning him or her handled by the Company without undue delay and the addition of incomplete data.
Right of cancellation: The data subject has the right to have his or her personal data deleted without undue delay at the request of the Company if one of the following reasons exists:
Deletion of data cannot be initiated if data management is required:
Right to restrict data processing: At the request of the data subject, the Company restricts data processing if one of the following conditions is met:
Where processing is restricted, personal data may be processed, with the exception of storage, only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the European Union or a Member State.
The Company shall inform the data subject in advance of the lifting of the restriction on data management.
Right to data: The data subject has the right to receive personal data concerning him or her made available to the Company in a structured, widely used, machine-readable format and to transfer this data to another data controller if the data processing is based on consent or contract and data management is automated.
Right to protest: The data subject has the right to object at any time, for reasons related to his or her situation, to the processing of personal data in the public interest or in the exercise of public authority or to the legitimate interests of the Company or a third party, including provisions-based profiling. In the event of a protest, the Company may no longer process personal data unless it is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims.
Where personal data are processed for the purpose of direct business acquisition, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for that purpose, including profiling, in so far as it relates to direct business acquisition. In the event of an objection to the processing of personal data for the purpose of direct business acquisition, the data may not be processed for this purpose.
Automated decision-making in individual cases, including profiling: The data subject has the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects or would be similarly significant for him or her.
The above authority does not apply if the data management
Right of withdrawal: The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing prior to withdrawal.
Right to redress:
In the event of a violation of his or her rights, the data subject may apply to a court, as a result of which, in the event of a violation of the law, the data subject may claim compensation or damages in addition to the court enforcing the data subject's obligations. The court is acting out of turn in the case.
Complaints can be lodged with the National Data Protection and Freedom of Information Authority:
Name: National Data Protection and Freedom of Information Authority
Headquarters: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf .: 9.
Phone: 06.1.391.1400
Fax: 06.1.391.1410
Email: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu
The Company will protect the processed data (such as name, e-mail address, telephone number, job title, country, email address) with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction by third parties, as well as against accidental destruction and damage and inaccessibility due to changes in the technology used.
In case of questions, remarks or complaints related to data management, or if they wish to exercise any of the above rights, they may do so by sending an email to info@balasys.hu or by post to the Company. (1117 Budapest, Alíz utca 4.)
The Company shall, without undue delay, but in any case within one month from the receipt of the request, inform the data subject of the action taken on the request. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Company shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.
If the Company does not take action at the request of the data subject, without delay, but no later than within one month from the receipt of the request, inform the data subject of the reasons for non-action and that the data subject may file a complaint with the supervisory authority and have legal remedies.
The Company shall provide information in accordance with Articles 13 and 14, Articles 15 to 22 and Article 34 of the GDPR (feedback on the processing of personal data, access to processed data, rectification, supplementation, deletion, restriction of data processing, data portability, protest against data processing, information on the data protection incident) to the data subject free of charge.
If the data subject's request is manifestly unfounded or, – in particular due to its repetitive nature – excessive, the Company may charge a reasonable fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or action or taking the requested action. The burden of proving that the application is manifestly unfounded or excessive is on the Company.
If the Company has reasonable doubts as to the identity of the natural person submitting the application, it may request the provision of additional information necessary to confirm the identity of the data subject.
If the data subject has complaints about the processing of personal data that have not been resolved by the Company, the data subject may contact the National Data Protection and Freedom of Information Authority in Hungary (see Data Protection Authority procedure above).
The Company uses an external data processor in connection with the personal data it manages in order to perform the following tasks:
The list of data processors is contained in Annex 1 to these Regulations.
In the course of their activities, data processors do not have the competence to make a substantive decision on data management, they may not perform data processing for their own purposes.
Principles for implementing data security
The Company may process personal data only in accordance with the activities set out in these regulations, in accordance with the purpose of data management.
The Company ensures the security of data, in this context it undertakes to take all technical and organizational measures that are essential for the enforcement of data security legislation, data and confidentiality rules, and to establish the procedural rules necessary for the enforcement of the legislation specified above.
The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, as well as becoming inaccessible due to changes in the technology used.
The Company keeps records of the data it manages in accordance with the applicable legislation, ensuring that the data can be accessed only by those employees and other persons acting in the Company's interest who need it in order to perform their job or duties.
Protection of the Company's IT records
The Company shall take the following necessary measures for the implementation of data security with regard to its IT records: a. Provide permanent protection against the computer files it manages (uses real-time anti-virus software). b. Provide physical protection for IT system hardware devices, including protection against elemental damage. c. Ensure the protection of the IT system against unauthorized access, both in terms of software and hardware devices. d. Take all measures necessary to restore the data files, perform regular backups, and perform separate, secure management of the backups.
Protection of the Company's paper records
The Company will take the necessary measures to protect the paper records, in particular with regard to physical security and fire protection.
The Company's manager, employees and other persons acting on behalf of the Company are obliged to securely store and protect the data carriers they use, including personal data, regardless of the method of recording the data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and against accidental destruction and damage.
Incident management procedure
The purpose of the procedure is to facilitate the handling of events that violate data protection in connection with the operation of the Company in a unified system. To this end, the Rules of Procedure set out the concepts, procedures and measures that ensure how an event that violates data protection during the operation of the Company is handled, and promotes the prevention of the recurrence of such an event. (Annex 3)
The adoption and amendment of these regulations is the responsibility of the Company's management.
Budapest, 2021.
BalaSys IT Zrt. rep. Sándor Cseledi, CEO
Annexes:
NAME OF DATA PROCESSOR | DATA PROCESSOR CONTACT | ACTIVITY |
---|---|---|
Fabo-Markt Kft. | 1097 Budapest, Vaskapu u. 1/E., +36-1-246-1357 | Fulfillment of tax and accounting obligations |