1. 1. Name of the data controller
Data Controller: Bastion Protection Llc. (hereinafter referred to as: the “Company”)
Representative of the Data Controller: István Hajós, Managing Director
Registered office: H-1034 Budapest, 81 Bécsi Road
E-mail: info@bastion.hu
Website: www.bastionprotection.com
2. Regulations serving as basis for data management
Regulation (EU) No. 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as: the General Data Protection Regulation (GDPR)).
3. The specific data managements
3.1. Processing of data related to electronic contact and sending newsletters
3.1.1. The scope of personal data managed and the purpose of data management
Personal information:First and last name
Purpose of data management:The name is used for the purpose of communication between the Company and the notifier, as well as for the personalisation of the service.
Personal information: E-mail address
Purpose of data management: The e-mail address is used for communication between the Company and the notifier.
3.1.2. The legal basis of data management
The legal basis for the processing of the above data is the consent of the data subject (Article 6(1)(a) of the GDPR).
3.1.3. Duration of data management
The Company will process the contact data provided when sending the message until the user’s consent is withdrawn. Registration can be cancelled by clicking on the “Cancel registration” icon within the system. The personal data will then be destroyed.
3.2. Personal data related to the completion of online testsk
3.2.1 The scope of personal data managed and the purpose of data management
Personal information: First and last name
Purpose of data management:The Company carries out complex personality and behavioural analyses based on tests completed online. Providing your first name and last name is part of completing the test
Personal information: Date of birth
Purpose of data management: The Company carries out complex personality and behavioural analyses based on tests completed online. Providing the date of birth is part of completing the test.
Personal information: Results of the evaluation
Purpose of data management: The Company carries out complex personality and behavioural analyses based on tests completed online
3.2.2 The legal basis of data management
The legal basis for processing the above data provided when completing the online tests is the consent of the data subject (Article 6(1)(a) of the GDPR).
3.2.3 Duration of data management
The Company will store the data indicated herein for a period of 4 (four) months from the date of their creation, after which they will be automatically deleted.
3.3. Other personal data logged by the system
3.3.1. The scope of personal data managed and the purpose of data management
Personal information: IP address
Purpose of data management: The identification number assigned by the Internet Service Provider (ISP) to the device of the user logging on to the system. The Company manages it to ensure the IT security of the system.
IP address: IP address
Purpose of data management: The time the user logged on to the system. The Company manages it to ensure the IT security of the system.
3.3.2. The legal basis of data management
The legal basis for data management is the legitimate interest of the Company to protect the security of the data processed in the system and the IT infrastructure ensuring the operation of the system (Article 6(1)(f) of the GDPR). In order to detect possible malicious or abusive use and to take appropriate data and information security measures (e.g. vulnerability and load testing), logging of the above data is essential in the system. The legitimate interest in ensuring the secure operation of the system is proportionate to the processing of the above personal data logged in connection with logins. An Interest Assessment Test demonstrating this finding is set out in Annex 1 to this Privacy Information Note.
3.3.3. Duration of data management
The system will store the data indicated here to the extent necessary and proportionate to achieve the purpose for a period of 3 (three) months from the date of their creation, after which they will be automatically deleted.
4. Access to data and data security measures
4.1. Access to and transmission of data
4.1.1. The identity of potential data controllers authorized to access data
The Data Controller’s employees, for the time and to the extent necessary for the performance of their duties.
4.1.2. Data processors
Processors not mentioned for each processing operation:
Name of the Data Processor: Colibree Design & Development Llc
Registered office: H-1027 Budapest, 2 Máté Street
Purpose of data processing: Website developer and maintainer
Name of the Data Processor: EZIT Llc.
Registered office: H-1132 Budapest, 18-22 Victor Hugo Street
Purpose of data processing: The hosting provider
4.2. Data security measures
The Company stores the personal data provided in the notification on servers located at the Company’s headquarters (H-1026 Budapest, 122 Pasaréti Road, 5th Floor). The Company takes appropriate IT, technical and personnel measures to protect the personal data it processes against, inter alia, unauthorised access or unauthorised alteration. The Company handles personal data with the utmost care and in strict confidence.
5. Rights in relation to data management
5.1. The right to request information
The data subject may request information in writing from the Company, through the contact details provided under Article 1, about which personal data are processed, on what legal basis, for what purpose, from what source, for how long, to whom, when, under what legal basis, to which personal data the Company has granted access or to whom the personal data have been disclosed. The Company shall comply with the data subject’s request within a maximum of one month by letter or e-mail to the contact details provided by the data subject.
5.2. The right to rectification
The data subject may request in writing, via the contact details provided in Article 1, that the Company amend any of his or her personal data (for example, he or she may change his or her e-mail address or postal address at any time). The Company shall comply with the request within a maximum of one month and shall notify the data subject thereof by letter or e-mail to the contact details provided by him or her.
5.3. The right to data erasure
The data subject may request the erasure of his or her personal data by writing to the Company using the contact details provided in Article 1. The Company will reject the request for data erasure if the Company is legally obliged to continue to store the personal data (Article 6(1)(c) of the GDPR). However, in the absence of such an obligation, the Company shall comply with the request within a maximum of one month and shall inform the data subject thereof by letter or e-mail to the contact details provided for this purpose.
5.4. The right to blocking (limiting data management)
The data subject may request in writing, via the contact details provided in Article 1, that his or her personal data be blocked by the Company (by clearly indicating the limited nature of the processing and ensuring that it is kept separate from other data). The blocking lasts as long as the reason indicated by the data subject makes it necessary to store the data. The data subject may request the blocking of data, for example, if he or she believes that his or her submission has been unlawfully processed by the Company, but it is necessary for the purposes of the official or judicial proceedings initiated by the data subject that the submission is not deleted by the Company. In this case, the Company will continue to store the personal data (e.g. the submission in question) until requested by the authority or court, after which it will delete the data.
5.5. The right to object
The data subject may object in writing to the processing of personal data, if the Company would transfer or use the personal data for purposes such as public opinion polls or scientific research, using the contact details provided in Article 1.
6. Law enforceability related to data management
6.1. Initiation of legal proceedings
The data subject may bring a civil action against the Company if he/she considers that the processing of his/her personal data is unlawful. The tribunal court has jurisdiction to adjudicate the case. The civil action can also be brought before the tribunal court of the person’s domicile (for a list of tribunal courts and their contact details, please see the link below: http://birosag.hu/torvenyszekek).
6.2. NAIH proceedings
The data subject may lodge an online complaint with the National Authority for Data Protection and Freedom of Information (NAIH) if he or she experiences unlawful processing of his or her personal data. Link: https://www.naih.hu/online-uegyinditas.html.
You can book a personal appointment on Tuesdays and Thursdays between 9:00-12:00 and 13:00-16:00 by calling +36 (1) 391-1400.
Please note that the Authority will investigate complaints only if the data subject has already contacted the data controller (our Company) about the complaint prior to lodging it with the Authority and the contact has not led to any result.
Annex: Interest assessment test
Budapest, 6 November, 2020