DATA PROTECTION REGULATION NOTICE
By complying with the principles and rules set out in this notice, Xperion Üzleti Innovációs Kft. (registered office: H-1087 Budapest, Könyves Kálmán krt. 76., Hungary, company registration number: 01-09-290529, hereinafter referred to as: “Company”) intends to respect and protect the personal data of anyone getting into contact with it by using the QBoard application developed by the Company.
Data processing registration number of the Company: NAIH-87885/2015
The purpose of the data processing conducted by the Company is to keep the customer records prescribed by the laws applicable to out activity and to provide the services we undertake towards our customers. The main activity of the Company is to provide IT services.
I. The Controller
Name: Xperion Üzleti Innovációs Kft.
Registered office: H-1087 Budapest, Könyves Kálmán krt. 76.
VAT number: 25812705-2-42
Company registration number: 01-09-290529
Person of the Company responsible for data processing: Attila Berényi
Phone number: 443-3711
II. Scope of the data processed by the Company, including personal data
a/ The Company collects and processes the following data via using the QBoard application:
- App Analytics: Google Firebase – no personal data collected, only information on the use of the app (in particular: which interface was activated and on how many occasions, etc.);
- App Crash Report: security and integrity (e.g. detection of binary data manipulation, identification of errors) – the type of the device is identified,
- Network communications log: security and integrity (e.g. identification of attack, performance test, identification of errors);
- Tutorial mode: the above data are not collected in tutorial mode.
The data under point a/ do not contain data qualifying as personal data. The purpose of processing of the data under point a/ per type of data:
- App Analytics: Analysis of utilisation habits;
- App Crash Report: Analytics, Security, Integrity;
- Network communications log: Analytics, Security, Integrity.
b/ Personal data processed for conclusion, maintenance and termination of the contract in the subject of use of the QBoard application and provision of the service:
- IP address of the device;
- URL request – the user name is displayed when logging in;
- URL response;
- user profile: the customer may set his/her personal data, which are encrypted and sent to the server for storage or stored on the device in encrypted form;
- error reporting: errors detected can be reported to a hotline via a form. An email is generated from the form based on a template. The email is stored and managed by the hotline. The error report may contain the following personal data: IP address of the device, email address, username, attached images, personal data typed in, which the Company has no influence over.
- feedback: Microsoft HockeyApp: the customers can send feedback, to which the Company responds via chat. If the customer enabled this in the settings, the entire name is used for identification. The messages are stored by the HockeyApp framework system;
- password: saved via asymmetric encryption in an encrypted memory space for the purpose of automatic login (if enabled by the customer). Only the server is capable of decrypting the encryption via the appropriate private key. This function can be disabled at any time when logged in.
- documents: documents and declarations, as well as a list of the documents accepted earlier.
The purpose of processing of the data under point b/ per type of data:
- user profile: simpler communication via the application: managers using the app can receive performance and contact information regarding the persons reporting to them and can contact them directly from the app. Information can be set regarding the businesses/regions associated with the customer.
- error reporting: enabling assistance and support;
- feedback: analytics in order for improving customer satisfaction;
- password: in order to make automatic login possible;
- documents: stored in order to evidence that the user accepted the conditions.
c/ Personal data processed (based on the consent of the data subject) in order for the sending of newsletters:
- IP address of the device
III. Fundamental rules of the data processing activity of the Company, purpose and legal basis of the processing
Definition of personal data: Data linked to a natural person data subject pursuant to Act CXII of 2011 on the Right to Informational Self-Determination and the Freedom of Information (hereinafter referred to as: “Info Act”) – in particular the data subject’s name, identifier, or any information relating to one or more of his/her physical, physiological, mental, economic, cultural or social identity – and any deductions concerning the data subject that may be made from the data, as well as any data defined as personal data in Regulation (EU) 2016/679 of the European Parliament and of the Council.
The Company will only transfer your personal data to any third party individual or organisation if a law expressly requires this.
Purpose of the processing: The purpose of the processing activity of the Company is performance of the principal activity set out in the preamble of this notice and the further activities listed in Section II, as well as the sending of advertisements to natural persons by directly contacting the recipients of advertisements (hereinafter referred to as: “direct marketing”), in particular via email or other equivalent individual means of communication.
Legal basis of the processing: The processing activity of the Company is based mainly on the consent of the data subject, and the customer using the QBoard application provide the data to us voluntarily, and by using the QBoard application, they also consent to our recording of their data specified in this notice. Our Company processes the personal data only to the extent essential and appropriate for the purpose of the processing. The Company only processes the personal data until the purpose of the processing ceases or the period of storage of the data set out in law expires.
On data security: Please note that the data you submit are transmitted to our servers via an encrypted line, using SSL (Secure Socket Layer) Technology, which guarantees that the data transmitted via the internet do not become accessible by third parties. Our authentication relating to the encrypted connection was issued by Let’s Encrypt via Extended Validation. Extended Validation is a complex, comprehensive authentication validation conducted subject to application, in the scope of which, the applicant must pass the strictest checks in order so that any abuse or fraud can be detected.
Enabling, restricting or disabling cookies: The customer may enable or disable cookies. In addition, the customer may customise whether he/she wants to be notified when the website indents to place a cookie in the application, as well as the duration for the different types of cookies may be kept and whether they should be deleted upon closing the application. It is important to know that certain services are directly dependant on whether cookies are enabled, and therefore by disabling cookies, the user may experience unexpected operation in the application, and in the worst case, it may become impossible to use the services of the application.
Third party privacy notices:
Links: the Company is not liable for the content and data and information protection practices of the external websites accessible from the application as jump nodes. If the Company becomes aware of that the site linked by it infringes the rights of third parties or violates the effective legislation, it will remove the link from the application without delay.
IV. Further information regarding the processing activity of the Company
The Company stores the personal data for at maximum 8 (eight) years after their recording, or in the case of a contractual claim, the certified lapse of the limitation period.
The customer may request access to or rectification, erasure or restriction of processing of the personal data concerning him/her, and may object against the processing of such personal data, and is also entitled to data portability with regard to such data. The following options are available to the customer with regard to the different types of data:
- App Analytics: The customer may turn this option off within the application when logged in. As no personal data are sent, the Company can only provide information on the general usage habits and the types thereof, and will not be able to identify the customer. For further information, read the Google Firebase Privacy Notice.
- App Crash Reports: Microsoft HockeyApp crash reporting can be enabled/disabled on the occasion of the first crash. As the Company does not collect personal data, it is not able to supply data regarding its customers either. For further information, read the Microsoft HockeyApp Privacy Notice.
- Network communications log: As the Company does not collect personal data, it is not able to supply data regarding its customers either. The Company can only provide information regarding that a customer sent a login request. In tutorial mode, the server is not used, and therefore no log is collected there.
- User profile: The customer can delete his/her entire profile both from the device and the server via a single tap within the application when logged in. In tutorial mode, as there is no server, the data are only deleted from the device. The customers are entitled to view the data stored concerning them and may delete such data.
- Legal section: The customer can see the valid document and the list of accepted documents. This cannot be deleted. In tutorial mode, no server is used, and consequently the data are lost upon the deletion of the application (the conditions need to be accepted again on the occasion of the next installation).
- Error report: The customers may view the data and conditions of the report. These cannot be deleted.
- Feedback: The customer may turn name-linked feedback off within the application when logged in. As the customer is not clearly identified (the full name may be modified at any time), the Company can provide data inly if the customer can prove that he/she was the one who sent the feedback. For further information, read the Microsoft HockeyApp Privacy Notice.
In the case of data processing based on the customer’s consent, the customer may withdraw his/her consent at any time. The withdrawal does not affect the lawfulness of the data processing conducted based on the consent prior to the withdrawal.
During the provision of the IT service, personal data are recorded from the company registry and based on the customer’s declaration in order for the performance of the service and for liaising.
In the case of an IT service, the provision of personal data is based on contractual obligation. In the case of providing data based on contractual obligation, the customer is obliged to provide the personal data in order so that the contractual obligations can be fulfilled. In the case of failure of providing data, the Company may decide not to establish the contractual relationship.
The Company generates its advertising mails and newsletters and decides on whether to offer the different services provided by it or not via automatic decision making. The result of the automatic decision making is the sending of advertising mails and newsletters and the offering of services provided by the Company.
The Company wishes to process the personal data recorded in the course of conclusion of the contracts made in the subject-matter of IT services for the purpose of sending advertising mails and newsletters, as well as for auxiliary services related to the IT service, as a different purpose of data processing.
If the Company did not obtain the personal data from the data subject, then in addition to those set out in Section I, it also provides the following information to the data subject:
a) purpose of the planned processing of the personal data and legal basis of the processing;
b) categories of personal data concerned;
c) recipients of the personal data, and the categories of the recipients (where applicable);
d) source of the personal data;
e) where applicable, the fact that the Company wishes to transmit the personal data to a recipient located in a third country or an international organisation, as well as whether the Commission has made an adequacy decision regarding it.
V. Rights and remedies of the data subjects
The data subject’s right to access
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to the Regulation relating to the transfer.
Upon the data subject’s request, the Company must provide a copy of the personal data processed to the data subject. The Company may charge a reasonable fee for any further copies requested by the data subject based on the administrative costs. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Right to rectification and erasure
The data subject has the right to obtain from the Company rectification of any incorrect personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject has the right to obtain from the Company the erasure of personal data concerning him or her without undue delay and the Company has the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing based on reasons originating from his or her situation, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing due to direct marketing;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject;
(f) the personal data have been collected in relation to the offer of information society services.
Where the Company has made the personal data public and is obliged pursuant to the foregoing to erase the personal data, the Company, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The provisions governing the data subject’s right to erasure are not applicable where the data processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the data subject’s right to deletion is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
Right to restriction of processing
The data subject has the right to obtain from the Company restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing in connection with reasons originating from his or her own situation, pending the verification whether the legitimate grounds of the Company override those of the data subject.
Where processing has been restricted based on the data subject’s request, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The Company is obliged to notify the data subject before the restriction of processing is lifted.
Right to data portability
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(a) the processing is based on the data subject’s voluntary consent or contract; and
(b) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Exercise of the right to data portability must be without prejudice to the right to the erasure of data. The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object and automated individual decision-making
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the Regulation, including profiling based on those provisions. The Company may no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where personal data are processed for statistical purposes, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Upon the data subject’s request, the Company will provide information regarding the data of the data subject processed by the Company or a processor on behalf of the Company, as well as the source of such data, the purpose, legal basis and duration of the processing, the processor’s name, address and activity related to the processing, and, where the personal data of the data subject are transmitted, the legal basis and recipients of the data transmission.
The Company must provide the information as soon as possible after the submission of the request, but at the latest within 30 days, in clear language, and, if so requested by the data subject, in writing. If the Company refuses to provide information to the data subject, it must inform the data subject in writing regarding the provision of the law based on which the information was refused. If the Company refuses to provide information, it must inform the data subject regarding the possibility of judicial remedy and of turning to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as: “Authority”).
The personal data must be erased if
a. it is processed unlawfully;
b. the data subject requests this;
c. it is deficient or incorrect, and this situation cannot be remedied lawfully, provided that the law does not exclude the possibility of erasure;
d. the purpose of the processing ceased or the period of storage of the data set out in law expired;
e. the court or the Authority ordered this.
Instead of erasure, the controller blacks the personal data if the data subject requests this or if based on the information available to it, it can be assumed that erasure would harm the data subject’s legitimate interests. The personal data blocked in this manner may be processed as long as the purpose of processing that excluded erasure of the personal data exists. The data subject and anyone to whom the data was transmitted for processing must be notified regarding rectification, blocking, marking and erasure. The notification may be omitted if this does not harm the legitimate interests of the data subject, having regard to the purpose of the processing. If the controller fails to fulfil the data subject’s request for rectification, blocking or erasure, it must provide notice in writing of the factual and legal reasons of refusal of the request for rectification, blocking or erasure within 30 days upon receipt of the request. In the case of refusal of the request for rectification, erasure or blocking, the controller must inform the data subject regarding the possibility of judicial remedy and of turning to the Authority. The data subject’s rights set out above may be restricted by law in order for the external and internal security of the state, including for defence, national security, prevention and prosecution of crimes and the security of the enforcement of penalties, as well as economic and financial interests of the state or municipality, significant economic or financial interests of the European Union, for the prevention and investigation of disciplinary and ethical misdemeanours related to the practice of occupations and breaches of labour law and work health and safety obligations – including auditing and supervision in each case –, as well as for protecting the rights of the data subject or others.
The data subject may object against the processing of his or her personal data,
a. where the processing or transmission of the personal data is only necessary for the performance of a legal obligation of the controller or the enforcement of the legitimate interest of the controller, the data importer or a third party, except in the case of mandatory processing;
b. where the personal data is used or transmitted for the purpose of direct marketing, public opinion polls or scientific research; and
c. and the other cases set out in law.
The data controller will examine the objection, decide whether it is justified and notify the data subject of the decision in writing as soon as possible, but at the latest within 15 days after the submission of the request.
If the data controller finds the objection of the data subject justified, it terminates the processing – including any further recording and transmission of data –, blocks the data, and notifies of the objection and the measures taken based thereon all parties to whom the personal data concerned by the objection it sent previously, which parties are obliged to take measures for enforcing the right to object. If the data subject does not agree with the data controller’s decision or if the data controller fails to meet the deadline, the data subject may turn to court within 30 days after the communication of the decision or the deadline. The litigation falls into the competence of the regional court. The litigation may, at the data subject’s discretion, also be started before the court with territorial competence over the domicile or place of residence of the data subject.
Anyone may initiate an investigation at the National Authority for Data Protection and Freedom of Information (H-1125 Budapest, Szilágyi Erzsébet fasor 22/C., www.naih.hu, firstname.lastname@example.org) on the grounds of infringement of the rights related to the processing of personal data and the right to access public interest data and data public for the public interest, or the immediate threat thereof. If the data controller causes harm to someone by processing the data subject’s data unlawfully or violating the requirement of data security, it is obliged to pay compensation for such damage. If the data controller infringes the personality right of the data subject by processing the data subject’s data unlawfully or violating the requirement of data security, the data subject may claim compensation for grievances from the data controller. The data controller is liable towards the data subject for damages caused by the data controller, and must also pay the compensation for grievances due to the data subject in the case of violating his or her personality rights. The data controller is exempted from the liability for damages caused and the obligation to pay compensation for grievances if it can prove that the damage or violation of the data subject’s personality right was caused by an unavoidable circumstance outside the scope of the processing. The damage does not need to be paid and no compensation for grievances may be claimed if the damage or infringement caused via violation of personality rights resulted from the wilful or grossly negligent misconduct of the data subject.
VI. Further information
The following third parties may access the data collected and stored via use of the application:
- App Analytics: Google Firebase
- App Crash Reports: Microsoft HockeyApp
- Feedback: Microsoft HockeyApp
The Company is entitled to conclude contracts with certain legal or natural persons in order so that those legal or natural persons perform tasks and provide services on its behalf (e.g.: system administrator tasks, software development, messaging and call centre tasks).
Upon logging in, the application verifies whether the customer has already agreed to the latest effective legal documents. The customer may only proceed after agreeing to these. The documents can also be accessed prior to logging in, so that the customer can decide whether he or she wishes to log in or not.