The purpose of this Privacy Policy is to explain the data processing principles and key data processing policies of the EMKAPP mobile application and the https://emkapp.wixsite.com/emkapp website, describe the users’ data protection rights, and provide prior information on the basis of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter ‘GDPR’).

2. What is personal data? Who does the GDPR apply to?

Personal data means any information relating to a natural person (hereinafter ’data subject’) who can be identified by reference to one or many identifiers. Identification can be done directly (by reference to a name, date of birth) or indirectly (by reference to an identifier or code).

Accordingly, personal data may be an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Who does the GDPR not apply to?

GDPR does not cover the processing of personal data which concerns legal persons, including the name and the form of the legal person and the contact details of the legal person.

3. Who controls personal data?

Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (GDPR Article 4 Paragraph 7)

Data controller: Interaction Design Hungary Korlátolt Felelősségű Társaság (Interaction Design Hungary Limited Liability Company)

Address: 1119 Budapest, Mohai köz 7.

Tax number: 28774387-2-43

Registration number: 01 09 373520

Contact information:

Phone: +36 30 914 85 88

Email address: [email protected]

Website: www.emkapp.hu or

https://emkapp.wixsite.com/emkapp

The data controller may choose to use a data processor to carry out some of their activities more efficiently. In such cases, the service may include personal data processing and personal data may be shared with the data processor.

Data processor: the service provider which processes personal data on behalf of the data controller and according to the data controller’s guidance and instructions.

To carry out some of our activities, we use the services of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Such activities include operating an email system, hosting, Google Drive services – in Europe, Google Drive is provided by Google Ireland Limited (Seat: Gordon House, Barrow Street, Dublin 4, Ireland, registration number: 368047).

Google’s regulations and security measures for data processing may be found in Google’s Privacy Policy, available at https://policies.google.com/?hl=hu.

Our website is run by Wix.com. Wix.com Ltd. is a hosting platform based in Israel (Address: Wix.com Inc. Namal Tel Aviv St. 40. Tel Aviv, Israel.), which the European Commission considers a country that offers an adequate level of protection for EU data.

The GDPR shall be applied “to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union” (GDPR Art. 3 (2)), regardless of whether the processing takes place in the Union or not. (GDPR Recitals 22-25).

More details on processing of data are in Section 5 of this Privacy Policy.

4. Our principles of data processing

4.1. What is data processing?

“Processing means any operation or set of operations which is performed on personal data or onsets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” (GDPR Art. 4 (2))

4.2. How do we process personal data?

Ø Following the principles relating to the processing of personal data laid down in the GDPR (Art. 5) and with the regulations of the Hungarian Privacy Act, it is our priority to always process personal data fairly and lawfully. It is important to us that you find our data processing transparent and explicit. (principle of ‘lawfulness, fairness and transparency’);

Ø Our data processing applies the principle of purpose limitation, i.e. we only collect and process data for specified, explicit and legitimate purposes, limited to the extent necessary in relation to the purposes for which they are processed (principle of ’data minimisation’)

Ø When processing data, we strive to ensure accuracy and keep data up to date, inaccurate personal data are rectified or erased without undue delay (’accuracy’);

Ø When storing data, we keep in mind the principle of ’storage limitation’, i.e. we keep data for no longer than what is necessary to achieve the purposes, comply with legislation or until you have provided consent. (‘storage limitation’)

Ø We ensure appropriate security of the personal data by using appropriate technical or organisational measures and provide protection against personal data breach (’integrity and confidentiality’).

Ø We are responsible for compliance with the above principles (’accountability’).

5. What kind of personal data do we process?

5.1. Data processing in relation to ordering and running the mobile application

The purpose of data processing: executing the order (including invoicing operations/taxation) and ensuring the safe and comfortable use of the mobile application and website. Downloading the application and providing personal data are voluntary in all cases.

Circle of data subjects: clients using the application.

Processed personal data:

· User’s name

· User’s email address

· User’s phone number

Content of the invoice:

Name
Address
Tax code/tax number
Bank account number

Aggregate data about users’ age group and gender are gathered solely for statistical purposes.

Legal basis for data processing: compliance with legal obligations and with statutory tax and accounting obligations.

Data storage method: electronically (in case of invoices issued, also on paper).

Storage period: five years after termination of service (in case of invoices issued, eight years after termination of service in accordance with accounting rules)

Persons entitled to access the data: only the staff entrusted with the operation of services and providing accounting services may access the data to the extent necessary for the operation of the application and of the services.

5.2. Data processing when using the website

We used Wix.com website building platform to create https://emkapp.wixsite.com/emkapp. Wix.com is only in contact with the data collector and not with its clients.

For more information, please see Wix.com’s Privacy Policy at the following link: https://www.wix.com/about/privacy.

5.3. Managing the contact form on the website

The purpose of data processing:

Data controller provides an opportunity on https://emkapp.wixsite.com/emkapp for customers interested in buying the product to directly contact the data controller. The purpose of data processing is communication, receiving requests for quotation, providing information.

Processed personal data:

· Name

· Email address

Our contact form does not request any other personal data. Further personal data shared in the free-text field will be treated as confidential.

Legal basis for data processing: specific and freely given consent by the data subject

Data storage method: electronically

Storage period: until withdrawal of consent, but for a maximum of five years. Upon your request, we delete your personal data. You can ask for your personal data to be deleted by sending an email to [email protected].

5.4. Newsletter services

The purpose of data processing:

If you are interested in more of our products and our programmes, you may subscribe to our newsletter services on https://emkapp.wixsite.com/emkapp. Our newsletter service is of an occasional nature, we do not send regular newsletters.

Processed personal data:

· Name

· Email address

· Time of subscription

Legal basis for data processing: specific and freely given consent by the data subject and pursuing the legitimate interests of the data controller and the data subject

Data storage method: electronically

Storage period: We will store and process your data until you withdraw your consent. You can unsubscribe from our newsletter by sending an email to [email protected].

5.5. Managing cookies

The application uses cookies in certain cases.

Cookie: a small amount of data generated by websites visited and saved on users’ computers. Cookies may provide comfort services to users or serve statistical analysis purposes.

For more information on cookies, please see:

https://support.wix.com/en/article/cookies-and-your-wix-site

You may manage cookies by changing the settings on your browser, so you may delete cookies from your computer or block the use of cookies in your browser.

If you prohibit the use of cookies, certain functions may not work, reducing browser performance and the quality of browsing experience.

6. Data security

We take every step necessary to protect our users’ and clients’ personal data from unauthorized access and prevent unauthorized transfer, disclosure, corruption and accidental destruction of data.

During data processing, we implement the appropriate technical and organisational measures whose purpose is on the one hand to implement data protection principles, such as data minimisation, in an effective manner and on the other hand to integrate the necessary safeguards into data processing in order to meet the requirements of the GDPR and protect the rights of data subjects.

7. What is a personal data breach and what steps do we take if it happens despite our data security measures?

Personal data breach: a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (GDPR Art. 4 (12))

For example, personal data breach may be the loss of personal data due to a destroyed data storage medium or a software failure, the unlawful disclosure of personal data or a stolen information technology device which contained personal data.

If any type of security beach comes to our attention, we will investigate all cases to find out if it was a personal data breach.

We will notify the competent authorities of any personal data breach without undue delay and no later than 72 hours after having become aware of the breach (see Section 10).

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will contact the data subject without undue delay via their email address so they can take the necessary precautions.

The communication to the data subject shall contain

· the nature of the personal data breach;

· the name and contact information about where to obtain more information;

· the likely consequences of the personal data breach;

· the measures taken or planned by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Special protection of children’s personal data

We recommend our products for adult education; our current products are not developed for children.

If a user under the age of 16 wishes to use the application, we will require a written consent and authorisation from the holder of parental responsibility.

9. What are the rights of the data subjects and how do we safeguard these?

9.1. Right to be informed

You have the right to receive information about the processing of your personal data prior to the processing; this Privacy Policy ensures this right. You also can obtain information about the processing of your personal data throughout the entire data processing period.

9.2. Right of access

Are you entitled to receive confirmation if your personal data are being processed?

Upon your request, we provide information within 30 days on:

a) if your personal data are being processed;

b) if your personal data are being processed, we provide you with the following information:

i) the purposes of processing;

ii) the categories of personal data concerned;

iii) if the personal data are disclosed, and if so who are the recipients;

iv) the predicted period for which the personal data will be stored;

v) how you can exercise your data subjects’ rights;

vi) the right to lodge a complaint with a supervisory authority;

vii) any available information as to the source of the personal data (where the personal data are not collected from the data subject);

viii) the existence of automated decision-making (including profiling) in relation to the data processing, and information on its methods and technologies.

We give you a free copy of personal data subject to processing. Administrative costs are charged for additional copies.

9.3. Right of rectification

You can ask us to correct your personal information by sending us an email to [email protected] and we will correct your personal data without undue delay.

9.4. Right to erasure (right to be forgotten)

We ensure your right to erasure without undue delay, in other words we erase your personal data upon your request unless it is necessary for us to comply with a legal obligation or to exercise the legitimate interests of the data controller.

9.1

9.2

9.3

9.4

9.1.

9.2.

9.3.

9.4.

9.5. Right to restrict processing

You have the right to request the data controller restrict the processing in the following cases:

• the data subject contests the accuracy of the personal data; in this case the restriction applies for the period enabling the controller to verify the accuracy of the personal data;

• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

• the data subject has objected to processing, in this case the restriction applies for the period while it is verified whether the legitimate grounds of the controller override those of the data subject.

9.5

9.6 Right to data portability

You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which your personal data have been provided.

9.7 Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data.

10. What legal remedies do you have in case of a problem?

We are endeavouring to ensure we co-operate with you during the entire data processing period, and if a dispute concerning the data processing, we will try to settle the dispute with you.

Should you have any questions, comments or complaints, please feel free to contact us!

Email address: [email protected]

Pursuant to Article 77 of the GDPR, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

You may contact the following authority:

Name: Hungarian National Authority for Data Protection and Freedom of Information

Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C

Postal address: 1530 Budapest, Pf.: 5

Telephone: +36 (1) 391-1400 Fax: +36 (1) 391-1410

Email address: [email protected]

Pursuant to Article 79 of the GDPR, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR.

11. Other provisions:

This document is available in several languages. In case of divergence, the Hungarian text shall prevail over texts in other languages.

No part of this document can be used for resale in any format.