Cezar Winery Kft. (Headquarters: H-8800 Nagykanizsa, Kazanlak körút 14/d, Company Reg. No.: 20-09-060606; Managing Director: Stefan Császár; hereinafter: Controller) as a controller agrees to the content of this legal notice. The company undertakes to ensure that the data processing related to its operation meets the requirements set out in this regulation and the applicable legislation.
In establishing the provisions of this Information, the Data Controller has taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council (General Data Privacy Regulation or GDPR) and the provisions of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
In order to protect the personal data of the Data Controller’s dedicated clients/partners/guests/employees, the controller considers that the respect for the clients/partners/guests/employees' right of informational self-determination is paramount. The Data Controller manages the personal data in confidence and takes all security, technical and organizational measures that guarantee the security of the data.
The data controller describes the data processing practice below.
The purpose of this Information is to determine the law and order of records held by the Data Controller and to ensure the application of the constitutional principles of data protection, the right of information self-determination and data security. Another objective of this Information is to record the data protection and processing principles adopted by the Cezar Winery Kft., the data protection and processing policy of the Cezar Winery Kft., which is recognized by the Cezar Winery Kft. as the Data Controller as compulsory.
The informative annexes for each data processing activity are an integral part of this Information.
Name: Cezar Winery Kft.
Headquarters: H-8800 Nagykanizsa, Kazanlak körút 14/d
E-mail: krisztian@cezarwinery.com
Phone: +36 93 589-022
I. Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
II. Processing: irrespective of the method used, any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transferring, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
III. Controller: the person who determines the purposes and tools of data processing, independently or with others.
IV. Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
V. Information: this information on data protection of the Controller;
VI. Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
E-mail: Electronic mail. Its name refers to the way of writing or transferring, which is done electronically via computer networks.
GPS: the Global Positioning System is an advanced positioning system that enables 3-dimensional positioning, timing and speed measurement on land, water, or air.
Internet: The Internet (Internetworking System) is a world-wide network of computer networks that connect the whole world, linking government, military, commercial, business, education, research, and other institutions as well as individual users.
Security camera: Cameras specially developed for security applications are low energy devices with stable, reliable image quality. Depending on the task, it is usually black-and-white or colour, if required, mainly day-time or more sensitive night-time use and so on, they can move on a very wide scale of resolution, light sensitivity, distortion etc. values.
Access Control System: A device, which is controlled by a computer system, built from mechanical and electronic components to control entrance and exit of persons, vehicles through a particular object, gate. Identification is needed for the access. Other technical devices (card, PIN code, biometric identifier, other identifying solution) are required for identification. Access rights for those persons are recorded in the database of the computer application.
Website, Web Page, Web Portal, Home Page: An electronic interface for publication, information purposes which is typically disclosed on servers connected to the Internet (Webserver). These sites, pages have a unique address (hyperlink), which can be used to navigate to the page by typing in a browser application. Web site technology allows for jumping back and forth between the content elements and hyperlinks (hypertext).
Webshop: An ecommerce application on a web site.
Cookies: A program component for creating comfort features for websites. 2 basic types exist. One is stored on its own machine, the other is a session cookie stored on the server side. In terms of data processing, session cookie management should be regulated. Websites should inform and disclose visitors about the use of cookies.
Electronic Newsletter: Typically, an automatically generated e-mail, transactional, advertising or other campaign information sent by a dedicated application to the email address of the persons who are subscribed to the address list.
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
g) The controller shall be responsible for, and be able to demonstrate compliance with the above (‘accountability’)
Processing shall be lawful only if at least one of the following applies:
Possible purpose of data processing (see annexes):
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In performing its activity, the Controller requisitions the Data Processor(s) specified in this Informative Annex.
The Data Processor shall make no own decision, it shall proceed exclusively according to the orders received and included in the contract. After 25 May 2018, the Data Processor shall record, handle and process the data transmitted and handled or processed by the Controller in accordance with the provisions laid down by the GDPR, and shall make a declaration about it to the Controller.
The Controller shall supervise the Processor’s work.
The Processor may requisition further processors only with the Controller’s consent.
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 of the GDPR relating to processing to the data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The right to information may be practiced via the contacts specified in Section 3.
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in the resolution:
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay in case of specific circumstances:
Where the Controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, those personal data.
The data subject shall have the right to obtain from the Controller restriction of processing where one of the following conditions applies:
Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
The Controller shall inform the data subject in advance on the lifting of the restriction.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
For reasons concerning his own situation, the data subject is, at any time, entitled to protest against the data processing of his personal data carried out in the public interest or the exercise of public powers assigned to the controller for the compliance with the task or in the framework of the exercise of duties performed, or the management of data required for enforcing the legitimate interests of a third party, including the profiling based on the aforementioned dispositions.
In case of an objection, the controller shall no longer process the personal data if compelling legitimate grounds for the processing override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The previous paragraph shall not apply if the decision:
In case of data processing based on voluntary consent, the data subject may at any time withdraw his contribution. This will not affect the legality of the data processing based on the consent performed before the withdrawal.
The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within 1 month of receipt of the requests. That period may be extended by two further months where necessary. The controller shall inform the data subject of any such extension within 1 month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The Controller shall provide the requested information free of charge. Where requests from a data subject are unfounded or excessive, in particular because of their repetitive character, the Controller may, in consideration of the administrative costs implied by providing the requested information or taking the requested measures, either charge a reasonable fee based on the administrative costs or refuse to act on the request.
The Controller reserves the right to make a unilateral decision on modifying this Information.
Information on data processing not listed in the annexes of this Information shall be provided when the data is recorded. All data subjects shall be informed that regulatory authorisation entitle the court, the prosecutor, the investigating authority, the authority dealing with offences, administrative authority, the Authority for Data Protection and Freedom of Information and other agencies to contact the Controller for the provision of information, communication and provision of data or for making documents available.
The Controller may disclose personal data to the authorities, should the authority indicate the exact purpose and the scope of data, in a quantity and to the extent indispensably required for the attaining of the purpose of the inquiry.
1) Any questions, observations or problems related to data handling can be addressed to the Data Manager at the contact details specified in Section 3.
2) The data subject, in case of the infringement of his rights, may seise the court. The action shall be heard by the competent general court. If so requested by the data subject, the action may be brought before the general court in whose jurisdiction the data subject’s home address or temporary residence is located.
3) The data subject may also contact the National Data Protection and Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, tel: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu, home page: www.naih.hu) directly with his/her complaint about the data processing.
The purpose of the processing: completion of orders and related administration (recording orders, invoicing, delivering).
Legal basis for the processing:
- The data subject’s consent, Article 6 (1) (a)
- In accordance with 13/A (3) of the Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter referred to as Elker act)
- In case of an invoice made in accordance with the laws in force, Article 6 (1) (c).
Controller: Cezar Winery Kft.
Processor: Cezar Winery Kft.
Scope of data processed: Username, invoicing made, invoicing address, email address, phone number
Location of stored data: H-8746 Nagyrada, Szelemi hegy 020/10 hrsz,
Addressee(s) of data transmission:
Term of data processing: Right after filling out the registration. Except in the case of accounting documents, as under Section 169 (2) of Act C of 2000 on Accounting, this information must be kept for 8 years.
Data transmission to a third country:
Description of the data subject’s rights concerning data processing:
Consequences of the failure to provide data: The failure of the completion of the order.
The Controller requires a curriculum vitae from the person applying to the published post for selecting the right employee. The data processing is required for the selection of the employee with the adequate abilities and qualifications and the assessment of the eligibility for the post.
Purpose: to apply for the post at the Controller, participate in the selection procedure
Legal basis: voluntary consent by the data subject pursuant to Article 6 (1) (a) of the GDPR
Controller: Cezar Winery Kft.
Processor: Cezar Winery Kft.
Addressee(s) of data transmission, categories of addresses:
Scope of data processed: personal data required for the assessment of suitability included in the application (e.g. name, home address, date of birth, educational attainment level)
Period of data processing: selection of the right person for the post advertised by the Controller
Data transmission to a third country:
Description of the data subject’s rights concerning data processing:
Consequences of the failure to provide data: The data subject cannot apply for the post advertised by the Controller.
During its operation, the Organisation processes personal data in order to assure the business processes with external service providers, suppliers, contracted partners and customers and their contact persons.
Purpose of the processing: contact with partners / customers
Legal basis for the processing: Article 6 (1) (b) of the GDPR: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
Controller: Cezar Winery Kft.
Processor: Cezar Winery Kft.
Scope of data processed: name, phone number, e-mail address
Term of data processing:
Data transmission to a third country:
Description of the data subject’s rights concerning data processing:
Potential consequences of the failure to provide data: The Controller cannot comply with its contractual requirements.
Data management process:
Purposes of the processing: Advertising of the specific product or service, the delivery of the additional information on those to the target audience and the category of customers in order to increase purchase intent.
Legal basis for the processing: data subject's consent, per Article 6 (1) (a), and the Section 6 (5) of the Act XLVIII of 2008 on the Fundamental Terms and Limitations of Economic Advertising Activity
Controller: Cezar Winery Kft.
Processor: Cezar Winery Kft.
Scope of data processed: name, e-mail address
Term of data processing: until the revocation of the declaration of consent.
Data transmission to the third country:
Description of the data subject’s rights concerning data processing:
Potential consequences of the failure to provide data: The Data Subject does not acquire information on the Controller’s novelties or new products.
Purposes of the processing: The unbiased and independent running of the prize competition. Drawing and notification of the winners. The purpose of the processing is to deliver the prize to the entitled person.
Legal basis for the processing:
- Act XXIV of 1991 on Gambling Operations
- Paragraphs (1) to (9) of Article 6 of Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising
- Section 6 (1) (a) of the GDPR on the contribution of the data subject
Controller: Cezar Winery Kft.
Processor: Cezar Winery Kft.
Data management process:
Scope of data processed: name, e-mail address
Term of data processing: until the drawing of the prize
Data transmission to the third country:
Description of the data subject’s rights concerning data processing:
Potential consequences of the failure to provide data: The data subject cannot participate in the prize competition.