1 Purpose of the Privacy Policy
The goal of our Privacy Policy is to provide all necessary information about processing your personal data related to the Sheet2Mail e-mail campaign system available on sheet2mail.com in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and assist the Data subjects in exercising their rights under Section 5.
In the Privacy Policy, we may define you as “data subject”, or “contact person of our business partners” in the following. You may find further definitions concerning your personal data within the Appendix of the current Privacy Policy.
The legal basis of our duty to communicate information is Article 12 of Regulation 2016/679 of the European Parliament and Council (hereinafter referred to as: GDPR), Section 16 of Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as Information Act) and Section 4 of Act CVIII of 2011 on electronic commerce and on information society services (hereinafter referred to as Electronic Commerce Act).
The Privacy Policy was prepared by taking into account the GDPR, the Information Act and further legal acts relevant from the viewpoint of specific data processing. The list of the legal acts is detailed in Annex 10.1, the main concepts and definitions are determined in Annex 10.2 and the detailed information on the right of the data subject is included in Annex 10.3 of the Privacy Policy.
During the drafting and applying this Privacy Policy, we proceeded in the spirit of the findings of the recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information and Article 5 of the GDPR, especially the principle of accountability laid down in Article 5, Paragraph 2 thereof.
We also monitor the practice of the European Union with regard to the protection of personal data, accordingly, we shall also implement the findings of Article 29 Working Party of the European Commission in its Guideline on Transparency into our data processing practice.
2 Data of the Controller
| Name | Linkensphere Informatikai Tanácsadó és Szolgáltató Korlátolt Felelősségű Társaság (Linkensphere Kft.) |
| Registry number | 01-09-343555 (Hungarian Company registry) |
| Registered seat | 1134 Budapest, Bulcsú utca 21B. 3. em. 4. |
| [email protected] | |
| Telephone number | +36 20 9696627 |
| Tax number | 26764722-2-41 |
| DPO | [email protected] |
3 Definitions
|
Description and the purpose of data processing |
Registration of the customer on the website https://sheet2mail.com/, or in any other available way for the purpose of providing the Service, making payments, etc.), performance and execution of the contract. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (b) GDPR2 - the processing is necessary to comply with the provisions of the GENERAL TERMS AND CONDITIONS, which are available at https://sheet2mail.com/ and which the customer has agreed to. |
|
Scope of the processed data and their source |
Minimum registration requirements: email address, billing address, and payment details. Data related to customer registration: Information on acceptance of the GENERAL TERMS AND CONDITIONS, the PRIVACY POLICY, information on payments, date of registration, information on the order history. Data source: data provided by customer. |
|
Period of data processing |
Company deletes all personal data and all information about the customer within 30 (thirty) days from the customer’s request. The Company will keep the personal data for 1 year period, because claims against the Company can be made, if: (i) The Company terminates the customer’s participation in the Service, or terminate the Service itself (data retention begins on the termination date). (ii) The Company deactivates the Customer's account in the website (1 year data retention period begins after 30 days from the deactivation). |
|
Addressee of data transfer |
Company. The data recipient is also the data processor.
|
|
Description and the purpose of data processing |
Operation of the information centre and hotline in connection with the provision of services, handling of reclamations, suggestions and complaints from customers. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (b) GDPR - (processing is necessary for the performance of the terms of the contract) and Art. 6 (1) (c) GDPR - (processing is necessary for the performance of legal obligations), e.g. for the processing of reclamations. |
|
Scope of the processed data and their source |
Name, surname, account ID, email address Data source: data provided by the customer. |
|
Period of data processing |
For this purpose, personal data may be processed for a period of three (3) years from the moment the claim is settled (i.e. after sending out customer’s campaigns). Where the data are necessary for the establishment of legal claims or for the defence of any civil claim, the period of processing of the data shall be the time necessary for the conduct of the proceeding(s) and until the final conclusion of such proceeding(s). |
|
Addressee of data transfer |
Company. The data recipient is also the data processor. |
|
Description and the purpose of data processing |
Performance of the Company's obligations in the field of invoicing and accounting, and taxes |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (c) GDPR - processing is necessary for compliance with legal obligations |
|
Scope of the processed data and their source |
Name, billing address, customer's payment details, payment history information. Data source: data provided by customer. |
|
Period of data processing |
Tax obligations: data retention period is 10 years from the last day of the calendar year in which the relevant tax should have been declared or reported or, in the absence of such declaration or report, the tax should have been paid. Accounting documents: the data retention period is 10 years according to the relevant tax and accounting regulations. In practice, this means only when the data are included in documents which support the accountancy records such as an order or on an invoice. Other data retention periods may also apply, as described at the relevant data processing purposes below.. |
|
Addressee of data transfer |
Company. The data recipient is also the data processor |
|
Description and the purpose of data processing |
Sending newsletters via e-mail containing information related to the provision of the Service. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (a) GDPR (voluntarily consent of the customer). |
|
Scope of the processed data |
Customer's e-mail address. Data source: data provided by customer. |
|
Period of data processing |
For this purpose, the Company processes personal data until the consent is withdrawn. The customer can change his/her consent in the following ways:
|
|
Addressee of data transfer |
Company. The data recipient is also the data processor |
|
Description and the purpose of data processing |
Marketing activities (organisation of competitions on social media such as the Company's Facebook/Instagram profile, etc.). |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (a) GDPR (voluntarily consent of the customer). By entering the competition, the customer gives consent to the processing of personal data. |
|
Scope of the processed data and their source |
Customer's personal data in the scope of: name, surname, pseudonym and e-mail address, necessary for the evaluation of compliance with the conditions for participation in the competition. Data source: data provided by customer. |
|
Period of data processing |
For this purpose, the Company processes personal data until the consent is withdrawn. The customer has the right to consent at any time to the processing of personal data (relating to them) withdraw. The customer may withdraw his/her consent in writing at the address of the competition organiser and/or at e-mail address: [email protected] . |
|
Addressee of data transfer |
Company. The data recipient is also the data processor. |
|
Description and the purpose of data processing |
The exercise of legal claims by the Company. This includes, for example, defending legal disputes and proceedings with authorities initiated by customers in connection with the provision of services or pursuant to Article 17 (3) (e) of the GDPR. Source of data: listed under each point. |
|---|---|
|
Legal basis of the data processing |
Art. 6 (1) (f) GDPR (data processing is necessary for the purposes of fulfilling the legitimate interests of the Company: to exercise of legal claims and the successful defence of any legal or official proceedings (e.g. legal proceedings initiated by the customer, administrative or out-of-court proceedings, etc.). |
|
Scope of the processed data and their source |
Name, e-mail, telephone number (only if the dispute concerns the lawfulness of its processing), data on the use of the services, if necessary to exercise rights or resolution of the legal disputes. |
|
Period of data processing |
The general period of data processing is defined in case of each data processing operation. If the data are needed to exercise legal claims or for defence against any civil law claims, the period of data processing is the time necessary to conduct the proceeding(s) and until the definitive conclusion of such proceedings or achievement of the legitimate interest by other means (e.g. conclusion of an out-of-court settlement). |
|
Addressee of data transfer |
Company. |
|
Data processor and its activity |
The Company is a sole Data Controller whereby it determines the purpose and the scope of the data processing individually and it is liable only for its own data processing activity.
In addition to the above, under Article 6 (1) (f) of GDPR (based on the legitimate interest of the Company), the Company may use the services of its lawyer partners to manage and successfully exercise its claims and transfers the required personal data to such lawyers for this purpose. Such lawyers act as independent controllers in accordance with the provisions of their own privacy notices. In case of engagement of lawyer partners for their specific case, and at the request of the individual, the Company shall provide information on the lawyer partner involved in a particular data processing operation, as well as the contact details and activities of that lawyer partner and the data processed in connection therewith.
Name and contact details of the Data Controller
Address for correspondence: Linkensphere Kft., with registered seat at Bulcsú utca 21B. 1134 Budapest, Hungary
Name and registered seat of data processors and other entities receiving data from the Data Controller
Data processors:
Where the Company uses service providers as data processors, it must ensure that appropriate personal data contracts/agreements are in place in accordance with Article 28 GDPR. The purpose of these contracts is, inter alia, to ensure that the processing of personal data is carried out by the data processor on behalf of the Company, solely on the basis of instructions provided by the Company.
Processing special personal data for the purpose defined in this Privacy Notice
The Company does not process any special categories of personal data.
Transfer of personal data to third countries
The Company does not transfer personal data to third countries.
The existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual:
The Company will not make any decision based on automated data processing concerning you (Article 22(1) GDPR).
Data security measures:
The Company stores your personal data in a protected electronic data repository in order to ensure the secrecy, integrity and availability of your personal data in accordance with the IT security norms and standards. Within the framework of risk-proportionate protection and measuring the classification of personal and business data, the Company ensures the protection of data on a network, an infrastructural and an application level (with firewalls, antivirus programs, encryption mechanisms for storage and communication, content filtering and other technical and process solutions). The personal data breaches are constantly monitored and managed. In case of encryption, the encrypted data flow is not retrievable without the knowledge of the decryption code due to the asymmetric coding, in addition with content filtering and other technical and process solutions). Data breaches are constantly monitored.
Data security measures:
|
Information Security Management System |
To ensure the confidentiality, integrity and availability of organizational information by implementing policies, processes, process descriptions, organizational structures, software and hardware functions. |
|
Physical access |
To ensure physical asset protection containing information. |
|
Logical access |
To ensure that only approved and authorized users have access to data. |
|
Data access |
To ensure that only authorized users of the systems have access to data. |
|
Data transfer/ storage/ erasure |
To ensure that Company's corporate information is not transmitted, read, modified or erased by an unauthorized person while it is being transferred or stored. In addition, company data must be deleted promptly when the purpose of processing ceases. |
|
Confidentiality and integrity |
To ensure that corporate data is kept confidential and up-to-date, also preserves integrity. |
|
Availability |
To ensure that data is protected against accidental destruction or loss and, in the event of such an event, access to, and recovery of, relevant data is on time. |
|
Separation of data |
To ensure that data is handled separately from other client data. |
|
Incident management |
In the event of any breach of the information, the effect of the breach will be minimized and the owners of the Information will be notified immediately. |
|
Audit |
To ensure that the data processor periodically tests, examines and evaluates the effectiveness of the technical and organizational measures outlined above. |
Your rights concerning data processing:
The GDPR contains in detail your data protection rights, your possibilities of seeking a legal remedy and the restrictions thereof (especially Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79 and 82 of the GDPR). You can at any time request information about your personal data processed, you can request the rectification and erasure of your personal data or the restriction of their processing, furthermore you can object to the data processing based on a legitimate interest and direct marketing and you have the right to data portability. We summarize the most important provisions below. You may exercise rights and seek legal remedies by contacting any of the Company.
Right to information:
If the Company processes your personal data, it must provide you information – even without your special request thereof – concerning the main characteristics of the data processing including the purpose, legal basis and period of processing, the identity and contact details of the Company and its representative, the contact details of the data protection officer (if appointed), the recipients of the personal data (in case of data transfer to third countries indicating also the adequate and appropriate guarantees), the legitimate interests of the Company and/or third parties in case of a data processing based on a legitimate interest, furthermore your data protection rights and your possibilities of seeking a legal remedy (including the right of lodging a complaint with the supervisory authority), the source of personal data – if you are not the source – as well as the categories of personal data, in the case you have not had yet all this information. In case of automated decision-making and profiling you must be informed by the Company in an understandable way about the logic involved, as well as the significance and the envisaged consequences of such processing for you. The Company provides the abovementioned information by making this Privacy Notice available to you.
Right of access to data:
You have the right to obtain from the Company confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and certain information related to the data processing such as the purpose of the data processing, the categories of the personal data processed, the recipients of the personal data, the (envisaged) period of data processing, the individual’s data protection rights and possibilities of seeking a legal remedy (including the right of lodging a complaint with the supervisory authority), furthermore information on the source of the data where they are not collected from you.
Upon your request the Company shall provide a copy of your personal data undergoing processing. For any further copies requested by you, the Company may charge a reasonable fee based on administrative costs. Where you made the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
The Company gives you information on the possibility, the procedure, the potential costs and other details of providing the copy after receiving your request.
Right to rectification:
You have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary privacy notice.
Right to erasure:
You have the right to obtain from the Company the erasure of personal data concerning you without undue delay and the Company has the obligation to erase personal data without undue delay where certain grounds or conditions are given. Among other grounds the Company is obliged to erase your personal data upon your request for example if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; if you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing; if the personal data have been unlawfully processed; or if you object to the processing and there are no overriding legitimate grounds for the processing; if the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject; or if the personal data have been collected in relation to the offer of information society services.
If the data processing is based on your consent the consequence of the withdrawal of the consent: we do not send or offer tailored, personalised marketing (advertising) messages, promotional offers, coupons.
We inform you that the withdrawal of your consent does not affect the legality of the data processing carried out before the withdrawal, based on your consent.
Right to restriction of processing:
You have the right to obtain from the Company restriction of processing where one of the following applies:
|
(a) |
the accuracy of the personal data is contested by you, for a period enabling the Company to verify the accuracy of the personal data; |
|
(b) |
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; |
|
(c) |
the Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; |
|
(d) |
you have objected to processing, pending the verification whether the legitimate grounds of the Company override your legitimate grounds. |
Where processing has been restricted according to the abovementioned reasons, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
You shall be informed by the Company before the restriction of processing is lifted.
Right to data portability:
You have the right to receive the personal data concerning you, which you provided to the Company in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where:
|
(a) |
the processing is based on your consent or on the performance of a contract (to which you are a party); and |
|
(b) |
the processing is carried out by automated means. |
In exercising your right to data portability, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to data portability shall be without prejudice to the provisions governing the right to erasure; furthermore, it shall not adversely affect the rights and freedoms of others.
Right to object:
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on the legitimate interests of the Company or where the Company processes personal data in the public interest, including profiling based on those provisions. The Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where you object to processing, the personal data shall no longer be processed for such purposes.
Framework for the exercise of rights:
The Company shall provide information on action taken on a request based on your abovementioned rights without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where you make the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by you.
If the Company does not take action on your request, the Company shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the competent data protection supervisory authority in Hungary: Hungarian National Authority for Data Protection and Freedom of Information and seeking a judicial remedy. Contact details of the Hungarian National Authority for Data Protection and Freedom of Information: Falk Miksa utca 9-11, 1055 Budapest, Hungary tel.: +36 (1) 391 1400, e-mail: [email protected], web: https://www.naih.hu/ .
This information must be provided by the Company in writing or by other means, including electronic means, where appropriate. If you so request, the information may be provided to you orally, as long as your identity is established by other means.
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. You can read about how to contact supervisory authorities within the EU here: https://edpb.europa.eu/about-edpb/board/members_en. You shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you. You shall further have the right to an effective judicial remedy where the competent supervisory authority does not handle your complaint or does not inform you within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, you shall have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in non-compliance with the GDPR. Proceedings against the Company or its partner company or processor partner shall be brought before the courts of the Member State where the Company, the partner´s company controller or the processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.
Such litigation falls within the competence of the general courts of Hungary.
The court may order the controller (the Company) to provide the relevant information, to rectify, block or erase it, to annul the decision taken by means of automated data processing or to respect your right to object. The court may order the publication of its decision, specifying the identity of the Data Controller or any other data controllers and the breach committed.
The data controller concerned is liable for any damage you suffer as a result of unlawful processing or any breach of data protection requirements. If any data controller infringes the data subject's personality rights as a result of unlawful processing or any breach of data protection requirements, the data subject has the right to claim compensation from the data controller concerned.
The Data Controller may be exempted from liability for damages or compensation if it proves that the damage was caused or the violation of the data subject's personal data protection rights was due to unavoidable causes beyond its reasonable control.
No compensation shall be paid and no restitution may be demanded where the damage was caused by or the violation of rights relating to personality is attributable to intentional or negligent conduct on the part of the data subject.