It is highly important for the Service Provider to ensure the protection of the personal rights and personal data, as well to safeguard the rights of informational self-determination of the Data Subject. In the interest of this, the Service Provider shall make every reasonable effort for the protection of personal data, and to support and help the Data Subject in understanding his rights and obligations, and enforcing his interests. In order to use the Xeropan© mobile application, with the exception of the Tutorial (“Introduction”), the Data Subject is required to register an account. In the course of the Data Subject’s use of the Service Provider’s services (hereinafter referred to as: Service) and in the course of the aforementioned registration, the Service Provider processes different types of data.
2. Acceptance of policy
The User declares that by using any elements of Xeropan© (particularly, but not exclusively through visiting, browsing, downloading and using the Xeropan© mobile application) has read, understood and expressly accepted the provisions of this Policy. The User acknowledges that in order to use Xeropan© it is necessary to accept both the Terms and conditions of use and the Policy.
a. Service shall mean ensuring the use of the features of the Xeropan© website and mobile application.
b. Data Subject shall mean any natural person determined or identified based on personal data, or directly or indirectly identifiable by reference to such data.
c. Personal data shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject. In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. The data subject shall - in particular - be considered identifiable if the data controller is in possession of the technical requirements which are necessary for identification.
d. Consent shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations.
e. Objection shall mean a declaration made by the data subject objecting to the processing of his personal data and requesting the termination of data processing, as well as the deletion of the data processed.
f. Data controller shall mean any natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor.
g. Data processing any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans).
h. Data transfer shall mean ensuring access to the data for a third party.
i. Disclosure shall mean ensuring open access to the data.
j. Data deletion shall mean making data unrecognisable in a way that it can never again be restored.
k. Data destruction shall mean complete physical destruction of the data carrier recording the data.
l. Data processor shall mean any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions.
m. Data process shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data.
n. Third party shall mean any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor.
o. Third country shall mean any State that is not an EEA State.
p. EEA Member State shall mean any Member State of the European Union and any State which is party to the Agreement on the European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States which are parties to the Agreement on the European Economic Area, based on an international treaty concluded between the European Union and its Member States and a State which is not party to the Agreement on the European Economic Area.
q. Data protection incident shall mean the unlawful processing or process of personal data, in particular the illegitimate access, alteration, transfer, disclosure, deletion or destruction as well as the accidental destruction or damage.
Personal data may be processed when the Data Subject has given his consent or in the case of mandatory data processing (if data processing is decreed by law or by a local government decree on authorization conferred by law carried out in the public interest).
Personal data may be processed only for specified purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing operations.
The Data Controller shall only process data which:
- is essential for the purpose for which it was recorded,
- is suitable to achieve the purpose,
and only for the duration determined by this Policy.
The Data Controller does not use and shall not use the collected personal data for other purposes than the purposes laid down below. The disclosure of personal data to third parties or authorities shall be made with the prior and explicit consent of the Data Subject, unless a regulation provides otherwise with binding effect.
In each case the Data Controller wishes to use the received data for other purposes than the original purpose for which it was collected, he shall inform the Data Subject of this and shall obtain the prior and explicit consent of the Data Subject, and shall provide the possibility for the Data Subject to object to such use.
The Data Controller shall be primarily entitled to be informed of the personal data, as well as his employees, and such data shall not be disclosed or transferred to third parties, except for third parties mentioned in this Policy, without the prior authorisation of the Data Subject.
Personal data may be transmitted by the Data Controller to a data controller or processor operating in a third country, or may be transferred to a data controller or processor operating in a third country if:
- the Data Subject has given his explicit consent,
- it is permitted by law and the adequate level of protection of the personal data have been ensured in the third country during the course of the process and processing of the data transferred. Transfer of data to EEA Member States shall be considered as if the transmission took place within the territory of Hungary
5. Validity of statements of consent
If the Data Subject is under the age of 14, his statement of consent shall be considered null and void and only the Data Subject’s legal representative shall be entitled to accept the Policy on the Data Subject’s behalf. If the Data Subject has reached the age of 14, the consent of the legal representative is necessary for the validity of the Data Subject’s statement of consent. If the Data Subject has reached the age of 16, the Data Subject is entitled to give his consent for the processing of his personal data, and the consent or subsequent approval of the legal representative is not necessary for its validity.
6. Description of personal data, the purpose, legal basis and duration of data processing
Processing of data relating to the users of the Xeropan© mobile application shall be made on the basis of the users’ freely given and informed consent, which shall contain the Data Subject’s explicit consent for the processing of personal data provided in the course of using the Website.
The processing of data by the Data Controller shall be made on the basis of the Data Subject’s voluntary consent pursuant to Section 5(1) Paragraph a) of Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as: Freedom of Information Act) and on the basis of Act CVIII of 2001 on certain issues of electronic commerce and information society services.
The Service Provider does not verify the authenticity of the personal data received. The provider of the personal data, the data subject or contracting party shall bear the exclusive responsibility for the accuracy of the data provided. The Data Subject undertakes to be the sole person using the services with the data provided. With respect to this, the Data Subject who registered the e-mail address shall bear all responsibility in relation to signing in with the data provided.
The processing of data by the Service Provider is based on the voluntarily given consent of the Data Subject, of which the Service Provider shall provide information in this paragraph, and on separate, incidental occasions.
If the Data Subject does not provide his own personal data to the Service Provider, the Data Subject shall be the one obligated to obtain the consent of the Data Subject.
a. Xeropan© website
i. The legal basis of data processing: the Data Subject’s voluntary consent pursuant to Section 5(1) Paragraph a) of the Freedom of Information Act, and section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce and information society services.
ii. Description of processed data: The computer identifier (IP address) of the Data Subject’s computer, the browser type, the date and time of visit, the content accessed, the website from where the visitor came from, and the site which the visitor accesses after exiting the website. These data are unsuitable for the personal identification of the Data Subject, and the Data Controller, except for when it is provided by law and with the observance of conditions laid down therein, shall not take steps to identify the owner of the IP address.
iii. The purpose of data processing: statistical data analysis, fulfillment of the Service, verification of the functioning of the Service, improvement of user experience, customisation of the Service.
iv. The duration of data processing: 3650 days starting from the accessing of the website.
The html code of the Data Controller’s website available at www.xeropan.com contains links from and to third-party servers, which are independent of the Data Controller. The providers of these links are able to collect data upon direct connection to their servers.
b. Downloading of the Xeropan© mobile application (IOS and Android platforms)
i. The legal basis of data processing: the Data Subject’s voluntary consent pursuant to Section 5(1) Paragraph a) of the Freedom of Information Act
ii. Description of processed data: the unique device identifier of the Data Subject’s mobile phone, the hardware type, the international identifier (IMEI number) of the Data Subject’s mobile phone, the operating system version number of the mobile phone, the name of the mobile phone, the e-mail address of the Data Subject (for joining with Facebook or Google+), the Data Subject’s location (based on IP address). The Data Controller uses an own identification number (Player ID) as well for the identification of the Data Subject in connection with the use of the application.
iii. The purpose of data processing: statistical data analysis, fulfillment of the Service, verification of the functioning of the Service, improvement of user experience, customisation of the Service, delivering the proper Xeropan© mobile application version depending on the location of the Data Subject, prevention of abuse.
iv. The duration of data processing: until the receipt of the Data Subject’s request for deletion sent to the Data Controller. The Data Controller shall delete the data from the system within 5 working days following the receipt of the request.
c. The use of the Xeropan© mobile application
i. The legal basis of data processing: the User’s voluntary consent pursuant to Section 5(1) Paragraph a) of the Freedom of Information Act. In order to use the Xeropan© mobile application, with the exception of the Tutorial (“Introduction”), the Data Subject is required to register an account. Registration can be made with the Data Subject’s existing Facebook or Google+ account. The processing of data by the Data Controller shall be made in accordance with the privacy policies of Facebook and Google+.
ii. Description of processed data: The full name of the Data Subject, his Facebook or Google+ identifier and/or username, e-mail address, location, gender, date of birth, profile picture or the URL of the picture, the identifier of the Data Subject’s Facebook or Google+ friends who have also registered in the application, the interactions of the Data Subject in connection with the Service via the log files, which can be related to the Data Subject’s Player ID, IP address or his mobile phone’s unique identification number.
iii. The purpose of data processing: statistical data analysis, fulfillment of the Service, verification of the functioning of the Service, improvement of user experience, customisation of the Service, prevention of abuse.
iv. The duration of data processing: Until the receipt of the Data Subject’s request for deletion sent to the Data Controller. The Data Controller shall delete the data from the system within 5 working days following the receipt of the request.
i. The legal basis of data processing: the User’s voluntary consent pursuant to Section 5(1) Paragraph a) of the Freedom of Information Act
ii. Description of processed data: Player ID, full name of Data Subject, his e-mail address, the date and time of subscription.
iii. The purpose of data processing: sending of newsletters and other advertisements, communication of current information, sending of system messages and notifications regarding the use of the Service.
iv. The duration of data processing: Until the unsubscription of the Data Subject.
For the analysis of the Data Subject’s interactions with the newsletter, the Service Provider uses newsletter tracking codes (mailgun, MailChimp), which provide feedback to the Service Provider if the Data Subject opened, read, or clicked on the newsletter.
In the process of registration in the Xeropan© mobile application via Facebook or Google+ accounts, the Data Subject can subscribe to newsletters and other advertisements sent by the Data Controller. The Data Subject is entitled, at any time and at no charge, to withdraw his consent by clicking on the “Unsubscribe” link located at the bottom of the newsletter. After unsubscribing, the Data Subject will not receive any newsletters or other advertisements from the Data Controller, and the Data Controller shall delete the Data Subject’s data from the list of subscribed users.
e. Customer correspondence, complaint-handling
i. The legal basis of data processing: the User’s voluntary consent pursuant to Section 5(1) Paragraph a) of the Freedom of Information Act.
ii. Description of processed data: The full name, e-mail address and other information provided voluntarily by the Data Subject.
iii. The purpose of data processing: Recording the observations and questions of the Data Subject for the development and verification of the functioning of the Service, the handling of the Data Subject’s complaints.
iv. The duration of data processing: up to 5 years commencing from the solving of the case.
f. Other data processing
Data processing not covered by this Policy shall be notified by the Data Controller upon the recording of the data.
The court, the prosecutor, the investigating authority, the misdemeanor authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, and other bodies, based on authorization conferred by law, may request the Service Provider to disclose information, transmit and disclose data, and hand over documents.
The Data Controller shall only disclose personal data to the authorities -- where the purpose and description of data has been specified -- to the extent and for the purposes necessary for the fulfillment of the objective of the request.
7. Cookies and other tracking technologies
The Data Controller can offer the possibility to third-party advertising service providers to share advertisements during the use of the Service. These advertising service providers can place cookies on the computer and/or mobile phone of the Data Subject in order to track browsing data, viewed advertisements and to customise their services based on the interests and needs of the Data Subject. This Policy does not apply to and the Data Controller shall not be liable for the privacy practices of these third-party advertising service providers.
8. Methods of storing personal data, security of data processing
Computing systems and other data storing places of the Data Controller are located at its branches, its data processors, and on the servers operated by WEB-SERVER Kft.
The Data Controller implements appropriate technical, organisational measures for the adequate safeguarding of the security of data processing, and the Data Controller provides protection in particular against:
- unauthorized access,
- disclosure to the public,
- deletion or destruction, and
- accidental destruction and damage, and
- the inaccessibility due to the changes in the technology used.
With regard to ongoing technical developments, the Data Controller and the data processor(s) shall select data security measures that provide adequate levels of protection against the risks that arise during data processing, and, when faced with more options, shall apply the option that provides a higher level of security of personal data, except if such measure would represent a disproportionate burden for the Service Provider.
The Data Controller employs personal data security measures on a server-side and application level.
9. Rights of Data Subject, remedies
The Data Subject may request from the Data Controller:
- information on his personal data being processed,
- the rectification of his personal data,
- the deletion or blocking of his personal data (except for mandatory data processing).
The Data Controller shall provide information concerning:
- the data relating to the Data Subject, including those processed by a data processor on the Data Controller’s behalf or according to his notice, the sources from where they were obtained,
- the purpose, grounds and duration of processing.
- the name and address of the data processor and on its activities relating to data processing,
- the circumstances of the data incident and measures taken with a view to eliminate them, and
- the legal basis of transmission and the recipients (in case of the transfer of the Data Subject’s personal data)
The Data Controller must comply with the request for information without any delay, and provide the information requested in an intelligible form, in writing at the Data Subject’s request, within not more than 25 days. The requested information shall be provided free of charge if the Data Subject has not requested information from the Data Controller for that category of data in the current year. In other cases the Data Controller shall set a charge.
The Data Controller may refuse to provide information to the Data Subject in the cases provided by law. Should a request for information be denied, the Data Controller shall inform the Data Subject in writing as to the legal provisions serving as grounds for refusal. Where information is refused, the Data Subject shall be entitled to seek judicial remedy or lodge a complaint with the National Authority for Data Protection and Freedom of Information.
The Service Provider – by means of an internal data protection officer, if the Data Controller has appointed one, and with the view to control measures relating to data incidents and to inform the Data Subject – shall keep records containing the personal data affected, the personal scope affected by the data incident, the time, circumstances and effects of the data incident and measures taken to eliminate thereof as well as other information determined by law.
The Data Controller shall erase personal data if:
- it was processed unlawfully,
- it is requested by the User,
- data is incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not excluded by law,
- the purpose of processing has ceased to exist,
- the legal time limit for storage has expired,
- it was ordered by court or by the National Authority for Data Protection and Freedom of Information.
Personal data shall be blocked instead of erased if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the Data Subject. Blocked data shall be processed only for the purpose which prevented their erasure.
When data is rectified, blocked, marked or erased, the Data Subject and all recipients to whom it was transmitted for processing shall be notified by the Data Controller. Notification is not required if it does not violate the rightful interest of the Data Subject in light of the purpose of processing.
The Data Subject shall have the right to object to the processing of data relating to him:
- if processing or disclosure is carried out solely for the purpose of discharging the Data Controller’s legal obligation or for enforcing the rights and legitimate interests of the Data Controller, the recipient or a third party, unless processing is mandatory;
- if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
- in other cases prescribed by law.
In the event of objection, the Data Controller shall investigate the cause of objection within the shortest possible time, but inside a 15 day time period, adopt a decision as to merits and shall notify the Data Subject in writing of its decision.
If the Data Controller shall find that the Data Subject’s objection is justified, the Data Controller shall terminate all processing operations (including further data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.
The User shall have the right to seek remedy with the National Authority for Data Protection and Freedom of Information:
Postal address: 1530 Budapest, PO box: 5.
Address: 1125 Budapest, 22/c Szilágyi Erzsébet Alley
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail address: email@example.com
If the Data Subject disagrees with the decision of the Data Controller or if the Data Controller fails to meet the deadline specified above, the Data Subject may refer the matter to the court within 30 days of the date of delivery of the decision or from the last day of the deadline.
In the event of any infringement of the Data Subject’s rights, the Data Subject may turn to court action against the data controller. The court shall hear such cases in priority proceedings.
10. Compensation and restitution
If the Data Controller causes damage to a data subject as a result of unlawful processing or by any breach of data security requirements, they shall pay for such damage.
If the Data Controller, by unlawful data processing or by breaching data security rules, violates the personal rights of the Data Subject, the latter may demand restitution from the Data Controller.
No compensation shall be paid and no restitution shall be demanded where the damage or the violation of rights was caused by intentional or serious negligent conduct on the part of the aggrieved party or the Data Subject.
11. Company data and contact data of the Data Controller
Name: Xeropan International Kft.
Registered office: 4028 Debrecen, 14 Simonyi Road
VAT number: 26304706-2-09.
Company registration number: 09-09-029639
Branch: 4028 Debrecen, 2 Kassai Road
E-mail address: firstname.lastname@example.org
Data protection registration number: Before request.
12. The company data and contact data of the data processor
Name: CodeYard Kft.
Registered office: 4026 Debrecen, 1 Mester Street 3rd floor, No. 6
E-mail address: email@example.com
Name: Forensys Kft.
Registered office: 4400 Nyíregyháza, 60 Toldi Street 5th floor, No. 46.
E-mail address: firstname.lastname@example.org
Name: WEB-SERVER Kft.
Registered office: 4025 Debrecen, 2 Pásti Street, 1st floor, No. 5.
E-mail address: email@example.com
Activity: Web hosting services
13. Other provisions