Privacy Notice on Personal Data Processing on the Patent Group’s www.securitypatent.hu Website
1. Purpose of the Policy:

Members of the Patent Group:

PATENT VÉDELEM SECURITY Ltd. 9024 Győr, Mécs L. Street 7. Tax ID: 26540575-2-08

S.P. Asset Management Ltd. 9024 Győr, Mécs L. Street 7. Tax ID: 11698799-2-08

Patent Őr Plc. 9024 Győr, Mécs L. Street 7. Tax ID: 26173247-2-08

Patent Security Technology Ltd. 9024 Győr, Mécs L. Street 7. Tax ID: 23500941-2-08

Patent Remote Monitoring Ltd. 9024 Győr, Mécs L. Street 7. Tax ID: 14996474-2-08

Hereinafter referred to as: Company / as data controllers, conduct their data processing activities in compliance with the provisions of Act CXII of 2011 on informational self-determination and freedom of information (Info Act) and Regulation (EU) 2016/679 of the European Parliament and Council (“GDPR”). The purpose of this notice is to inform visitors registered on the Group’s website about the data processed by the Group and other activities related to data processing. The terms used in this notice are consistent with those defined in the EU Regulation 2016/679 (“GDPR”).

 

2. Definitions:

  • “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • “data processing”: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration or retrieval, consultation, use, disclosure, transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “restriction of processing”: marking stored personal data to limit their future processing.
  • “profiling”: any form of automated processing of personal data that evaluates certain personal aspects related to a natural person, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  • “pseudonymization”: the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.
  • “record-keeping system”: any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or functional or geographical in nature.
  • “recipient”: a natural or legal person, public authority, agency, or any other body to whom or with whom the personal data is disclosed, regardless of whether they are a third party. Public authorities that, under an individual investigation, may access personal data in accordance with EU or Member State law, do not qualify as recipients; the processing of such data by these public authorities must comply with applicable data protection rules in line with the purposes of the data processing.
  • “third party”: a natural or legal person, public authority, agency, or body other than the data subject, the data controller, the data processor, and persons who, under the direct authority of the data controller or processor, are authorized to process personal data.
  • “Consent of the data subject”: a voluntary, specific, informed, and unequivocal expression of the data subject’s will, through a statement or a clear affirmative action, by which the data subject indicates agreement to the processing of their personal data.
  • “data breach”: a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
  • “genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information about the person’s physiology or health, primarily derived from the analysis of a biological sample from the person.
  • “biometric data”: personal data resulting from specific technical processing related to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data.
  • “health data”: personal data related to the physical or mental health of a natural person, including data about the provision of health services to the person, which reveal information about their health status.
  • “Activity center”: a) In the case of a data controller with a place of activity in more than one Member State, it refers to the location of the central administration within the Union. However, if decisions regarding the purposes and means of processing personal data are made at another place of activity within the Union, and the latter place has the authority to implement those decisions, the place where the decisions are made should be considered the activity center.
    b) In the case of a data processor with a place of activity in more than one Member State, it refers to the location of the central administration within the Union. If the data processor does not have a central administrative location in the Union, it refers to the place of activity within the Union where the main data processing activities related to the activities carried out at the processor’s place of activity occur, provided the processor is subject to obligations set out by this regulation.
  • “representative”: a natural or legal person within the Union, designated in writing by the data controller or processor, to represent them regarding their obligations under this regulation.
  • “enterprise”: a natural or legal person engaged in economic activities, irrespective of its legal form, including partnerships and associations regularly engaged in economic activity.
  • “Group of companies”: the parent company and the companies it controls.
  • “binding corporate rules”: policies concerning personal data protection, followed by controllers or processors within a corporate group or joint economic activities that govern transfers of personal data to third countries.
  • “supervisory authority”: an independent public authority established by a member state pursuant to Article 51 of the regulation.
  • “Supervisory authority concerned”: The supervisory authority that is affected by the processing of personal data based on any of the following reasons:
    a) The data controller or the data processor has a place of activity in the Member State of that supervisory authority;
    b) The data processing significantly affects or is likely to significantly affect data subjects residing in the Member State of the supervisory authority; or
    c) A complaint has been submitted to the mentioned supervisory authority.
  • “Cross-border processing of personal data”: a) The processing of personal data within the Union that takes place in connection with activities conducted by a data controller or data processor with places of activity in more than one Member State, involving activities carried out at locations in several Member States; or b) The processing of personal data within the Union that takes place in connection with activities conducted at a single place of activity by a data controller or data processor, where it significantly affects or is likely to significantly affect data subjects in more than one Member State.
  • “relevant and reasoned objection”: an objection submitted in response to a draft decision, relating to the potential violation of this regulation or whether the proposed measures concerning the controller or processor align with the regulation.
  • “information society service”: a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535.
  • “international organization”: an organization or its subordinate bodies under international law, or another body established by or based on an agreement between two or more countries.

 

3. Principles regarding the processing of personal data:

Personal data at the Company must be processed lawfully and fairly, for specified purposes, in a data-saving manner, accurately, with limited storage, confidentially, and in an accountable and transparent way for the data subject.

Personal data:

  • may only be collected for specified, clear, and lawful purposes
  • must be processed in a manner consistent with these purposes
  • must be adequate and relevant
  • must be limited to the necessary minimum
  • must be accurate and, where necessary, kept up to date
  • must be stored in a form that allows identification of data subjects only for as long as necessary to achieve the purposes of processing
  • must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage

 

 

4. Data processing during the operation of the requestor interface:

The purpose of data processing: The Company operates an online quote request interface on the website www.securitypatent.hu, which aims to facilitate the ordering of services provided by the Company. Acceptance of the privacy statement provided on the website is required to activate the quote request interface.

Categories of data processed: Name, email address, phone number, city, other personal data provided by the user in the message.

The legal basis for data processing through the quote request interface: According to Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) 2016/679, the data subject’s voluntary consent.

Duration of data processing: Until the data subject withdraws their consent. The data subject can withdraw their consent to data processing at any time using the contact information provided in the privacy notice.

Data processing by a data processor: Not applicable.

The identity of the data controllers who are authorized to access the personal data and the recipients of the personal data: Authorized representatives of the Company, the Marketing department staff, and the Data Protection Officer.

 

5. Data processing during the operation of the career page:

The purpose of data processing: The Company operates a career page on the website www.securitypatent.hu, which aims to provide information about the Company’s current job openings. On the career page, applicants can upload their resumes and job-related data. To upload a resume to the career page, the acceptance of the privacy policy stated on the website is required.

Categories of data processed: Name, phone number, email address, and other personal data contained in the resume uploaded during the application. The Company does not store sensitive data or criminal personal data during the processing of resumes. If the resume submitted through the career page contains such data, the Company will immediately delete it.

Legal basis for data processing: The voluntary consent of the data subject, in accordance with Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) 2016/679.

Duration of data processing: Until the applicant withdraws their consent, but no longer than 1 year from the submission of the resume. The applicant can withdraw their consent to the storage of their resume at any time using the contact details provided in the data security and privacy policy.

Data processing by a data processor: Not applicable.

Persons authorized to access personal data and recipients of the personal data: The personal data provided during registration will be accessed by persons authorized to represent the Company, staff of the human resources department, and the Data Protection Officer.

 

6. The use of Google Analytics:

  • During the operation of the website, the data controller uses the Google Analytics application, which is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies,” text files that are stored on the user’s computer to help analyze how the user interacts with the visited website.
  • The information created by cookies related to the website the user visits is transferred and stored on Google’s servers in the USA. By activating IP anonymization on the website, Google shortens the user’s IP address within the member states of the European Union or other states that are parties to the European Economic Area Agreement.
  • The full IP address will only be transferred to Google’s servers in the USA and shortened in exceptional cases. On behalf of the website operator, Google will use this information to evaluate how the user used the website, to generate reports related to website activity, and to provide additional services related to website and internet usage.
  • Within Google Analytics, the IP address transmitted by the user’s browser will not be linked with other data held by Google. The user can prevent cookies from being stored by adjusting the settings of their browser. The user can also prevent Google from collecting and processing data generated by cookies regarding their website usage (including the IP address) by downloading and installing the browser plugin available at the following link: [https://tools.google.com/dlpage/gaoptout?hl=hu](https://tools.google.com/dlpage/gaoptout?hl=hu).

7. Other rights of individuals affected by data processing:

  • The right of access
    The individual affected by data processing has the right to obtain feedback from the data controller on whether their personal data is being processed, and if such processing is ongoing, the individual has the right to access the personal data collected by the data controller.
  • The right to rectification
    The individual affected by data processing has the right to request the data controller to rectify inaccurate personal data concerning them without undue delay. Taking into account the purpose of the data processing, the individual has the right to request the completion of incomplete personal data, including through supplementary statements.
  • The right to erasure
    The individual affected by data processing has the right to request the data controller to erase their personal data without undue delay, and the data controller is obliged to erase personal data without undue delay under the conditions specified in Article 17(1) of EU Regulation 2016/679.
  • The right to be forgotten
    If the data controller has made the personal data public and is required to erase it, they will take reasonable steps – including technical measures – taking into account available technology and the costs of implementation, to inform other data controllers processing the data that the individual affected by data processing has requested the deletion of links to or copies or duplicates of the personal data in question.
  • The right to restriction of processing

The individual affected by data processing has the right to request the data controller to restrict the processing of their data if any of the following conditions are met:

  • The individual disputes the accuracy of the personal data; in this case, the restriction applies for the period necessary for the data controller to verify the accuracy of the personal data.
  • The data processing is unlawful, and the individual opposes the deletion of the data, instead requesting a restriction on its use.
  • The data controller no longer needs the personal data for processing purposes, but the individual requires it for the establishment, exercise, or defense of legal claims.
  • The individual has objected to the data processing; in this case, the restriction applies for the period necessary to determine whether the data controller’s legitimate grounds override the individual’s legitimate grounds.
  • The right to data portability
    The individual affected by data processing has the right to receive their personal data, which they have provided to a data controller, in a structured, commonly used, machine-readable format. Furthermore, they have the right to transmit this data to another data controller without being hindered by the original data controller, if the processing is based on the consent under Article 6(1)(a) of the EU Regulation 2016/679 and the processing is carried out in an automated manner.
  • The right to object
    The individual affected by data processing has the right to object at any time, on grounds related to their particular situation, to the processing of their personal data based on Article 6(1)(a) of the EU Regulation 2016/679, including profiling based on that provision. In such cases, the data controller shall cease processing the personal data.
  • Automated decision-making in individual cases, including profiling

The individual affected by data processing has the right not to be subject to a decision based solely on automated data processing – including profiling – that produces legal effects concerning them or similarly significantly affects them.

The previous paragraph does not apply in cases where the decision:

  • Is necessary for the performance of a contract between the individual and the data controller;
  • Is authorized by Union or Member State law applicable to the data controller, which also establishes suitable measures to protect the rights, freedoms, and legitimate interests of the individual; or
  • Is based on the explicit consent of the individual affected by the processing.

 

8. Legal remedies:

The data subject may request access to their personal data, correction of data, restriction of data processing, and is entitled to data portability, as well as the right to request deletion of personal data, except for data processing obligations defined by law, using the contact details provided in the notice.

The Company will provide information on the actions taken in response to data subject requests within one month of receiving the request. This deadline may be extended by two months in case of legitimate reasons. The Company will inform the data subject about the extension, specifying the reasons for the delay, within one month of receiving the request. If the Company does not take action based on the data subject’s request, it will inform the data subject without delay, but no later than one month from receiving the request, about the reasons for not taking action, as well as the procedure for lodging complaints with the supervisory authority and the court.

In case of violation of the rights of the data subject or if there are any concerns, the data subject can make a statement at the following contact details:

Dr. László Péter Erős
Email: [email protected]
Phone: +36 30 650 1718

Postal address: 9024 Győr, Mécs László Street 7.

In case of violation of the data subject’s rights or any concerns, the data subject may turn to the following authorities:

  • National Authority for Data Protection and Freedom of Information: 1055 Budapest, Falk Miksa u. 9-11. (Postal address: 1363 Budapest, P.O. Box 9.) www.naih.hu
  • The company, as the data controller, is subject to the jurisdiction of the Győr Court of Justice, or the court of the data subject’s/complainant’s place of residence, or the court of the data subject’s/complainant’s location. The competent courts can be found at the following website: [https://birosag.hu/birosag-kereso](https://birosag.hu/birosag-kereso).