Data Management Policy of the PEEK Commercial and Service Provider Limited Liability Company
On the basis of the Articles 13 and 14 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR), the PEEK Commercial and Service Provider Limited Liability Company provides all relevant stakeholders the following information on the management and processing of personal data:
1. Data Controller
Name: PEEK Commercial and Service Provider Limited Liability Company
Registered office: Beregszászi utca 20; 2040 Budaörs, Hungary
Registration number: 13-09-102488
Website: https://peek.hu, https://peektopower.com
Data Protection Officer: Mr. István Pokorádi István CEO
Phone number: +36-30-250-7559
2. Legal Background of Data Management
In particular, the provisions of the following legal acts shall govern the processing of data by the Data Controller:
- Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Hereinafter: GDPR),
- Act CXII of 2011 on Information Self-determination and Freedom of Information (Hereinafter: Act on Freedom of Information),
- Act CLV of 1997on Consumer Protection (Hereinafter: Act on Consumer Protection),
- Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity (Hereinafter: Act on Business Advertising Activity),
- Act C of 2000 on Accounting (Hereinafter: Act on Accounting),
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Hereinafter: Act on Electronic Commerce Activities),
- Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing
The table in section 6 of this document contains the legal provisions defining the legal basis of the data management for each data management purpose, if the data processing is related to the fulfillment of a legal obligation.
3. Data Processed During Data Management
According to the GDPR, "personal data" means any information related to an identified or identifiable natural person ("data subject". A natural person is identifiable who can be identified, directly or indirectly, in particular by an identifier such as name, number, location, online identifier or by one or more factors related to physical, physiological, genetic, intellectual, economic, cultural or social identity of the natural person.
3.1 Purpose of Management of Personal Data Processed
The table in Section 6 contains the legal basis of data management, its storage period, its listing, categories and source.
As stated in the table, data provision is based on legislation or free decision of the data subject. Where provision of personal data included in the table is based on legal or contractual obligation or is a prerequisite for the conclusion of the contract, the data subject shall be obliged to provide personal data. Failure to do so may result in the following legal consequences: failure to contract. In case of consent based data management, if the data subject withdraws their consent, according to Act on Freedom of Information the given data will not be deleted if further processing is necessary to enforce legitimate interest of Data Controller.
3.2 Information about automated decision making or profiling
This is not applied by Data Controller.
3.3. Who is allowed to transfer Customer's personal data to?
Customer's personal information is allowed to be disclosed to the following categories of recipients, based on the following legal authorizations and Customer's consent:
- to those who perform billing, debt management, distribution management or customer information activities on behalf of Data Controller,
- legal representative acting on behalf of the Data Controller and legally authorized bodies to settle billing and distribution disputes,
- according to Article 28 of the GDPR data processor has the right to transfer data – solely necessary for service provision – for data processing purposes to their representatives and subcontractors involved in service provision, in compliance with data protection rules and the obligation of confidentiality.
According to Customer's prior consent, Data Controller is allowed to transfer data to a third party as well for direct business or scientific purposes, or for public or market research purposes.
Authorities or other bodies:
- upon request, for the purpose of ensuring the fulfillment of tasks – defined by law – of an investigating authority, prosecutor's office, court and the National Security Service entitled by particular law to request data;
- bailiff, in accordance with the provisions of the Act on Judicial Enforcement;
- if the data subject is unable, for unavoidable reasons, to consent, to protect the vital interests of the data subject or other person or prevent or hinder a threat to lives, bodily integrities or properties of persons, at the request of a body authorized by particular law to have access to the data (Article 49 (1) (f) of the GDPR);
- National Bank of Hungary, acting in its role of supervising the financial intermediary system, with respect to insider dealing, market influence, and unauthorized service, failure to declare, disclose net short positions and restrictions on short trade, or in the context of proceedings initiated to inspect compliance with company acquisitions rules;
- misdemeanor authorities, in the case of a Client, its company name, registered office, sites and representative.
The personal data of the data subject, as a rule, are allowed to be known by Data Controller's employees and contractual partners in order to perform their duties. Thus, for example, Data Controller's registry or service staff is entitled to manage data for business and contract fulfilment purposes, but data will also be processed in order to enforce a legitimate interest of Data Controller if this process is justified by failure to pay fee. Data Controller shall ensure, by appropriate information security measures, that the personal data of the data subject are protected against, inter alia, unauthorized access or alteration. For example, access to personal data stored on servers is logged, which allows Data Controller to always control who has accessed personal data, when and what kind of data were accessed. The Data Controller shall take appropriate organizational measures to ensure that personal data cannot be made available to an indefinite number of persons.
3.4 Data Transfer to a Third Country or International Organization
Name a third country or international organization: The Controller will not transfer personal data abroad.
3.5 Data Security Measures
Data Controller shall store personal data provided by the data subject at the data controller's headquarters. In order to manage the personal data of the data subject, the Data Controller is entitled to use the services of data processors described in Section 3.3. The Data Controller shall ensure, by appropriate information security measures, that the personal data of the data subject are protected against, inter alia, unauthorized access or alteration. Thus, for example, access to personal data stored on servers is logged, which allows Data Controller to always control who has accessed personal data, when and what kind of data were accessed. The Data Controller shall take appropriate organizational measures to ensure that personal data cannot be made available to an indefinite number of persons.
4. Customer's (Data Subject) Rights Related to the Management of Their Personal Data
4.1 Right of Access (Article 15 GDPR)
Data subject shall have the right to receive feedback from the Data Controller about the followings:
- if there is ongoing data management;
- purpose of the processing;
- categories of personal data;
- recipients (to whom data may be transmitted);
- duration of data storage or the criteria for its definition;
- rights of the data subject;
- means of legal remedy;
- source of data, if it is not from the data subject;
- fact of automated decision-making, including profiling;
- transfer data to foreign countries.
For the first time, Data Controller shall make available a copy of the personal data subject to data processing to the Customer, free of charge. For any additional copies requested by Customer, the Controller is entitled to charge a reasonable fee based on administrative costs. If the data subject subjected the request by electronic means, the information should be provided in a widely used electronic format, unless otherwise requested by Customer. The right to request a copy shall not adversely affect the rights and freedom of other parties.
4.2. Right to rectification (Article 16 GDPR)
Upon the Customer's request, Data Controller shall correct any inaccurate data subject related personal data without undue delay. With consideration of the purpose of data management, Customer is entitled to request – including by means of supplementary statement – the completion of incomplete personal data.
4.3. Right to Erasure (Article 17 GDPR)
Customer is entitled to request Data Controller to delete their related personal data.
Data Controller shall delete personal data of the Client concerned without delay for any of the following reasons:
- personal data is no longer needed;
- Customer has withdrawn their consent and there is no other legal basis for data processing;
- the Client protests against data management performed in order to public interest, exercise public authority or legitimate interest of the data controller (third party), and there is no higher-priority legitimate reason for data management;
- unlawful processing of personal data;
- personal data must be deleted in order to fulfill the legal obligation imposed on Data Controller;
- personal data were collected in connection with the provision of information society services.
Customer's cancellation rights can be limited only in case of existing any of the following exceptions, defined in the GDPR, that is, for the reasons set out above, further store of personal data can be considered lawful:
- if it is necessary for the exercise of the right to freedom of expression and information, or
- to comply with a legal obligation (i.e. in the case of an activity that has a legal obligation in the Data Processing Register for a period appropriate to the purpose of the data processing), or
- for the performance of a task that serves public interest, or
- for the exercise a public authority conferred on the controller, or
- for public interest in the field of public health, or
- for archival purposes that serve public interest, or
- for scientific and historical research purposes or for statistical purposes, or
- for the submission, enforcement or defense of legal claims.
4.4. Customer’s Right to Restriction of Processing (Article 18 GDPR)
Customer is entitled to request the Data Controller to restrict data management upon request if any of the followings are met:
- Customer disputes the accuracy of the Personal Data; in this case limitation applies to the period of time that allows Data Controller to verify the accuracy of Personal Data;
- Data processing is unlawful and the Client is against the deletion of data; and instead requests a restriction on their use;
- Data Controller no longer needs personal data for the purpose of data management, but Customer requires it for the purpose of submitting, enforcing or defending legal claims; or
- Client has raised objection to the processing of data in the public interest, in order to exercise public authority or in the legitimate interest of the data controller (third party); in this case, the restriction applies to the period until it is ascertained whether legitimate reasons of Data Controller take precedence over the legitimate reasons of the data subject.
If data management is restricted as described above, such personal data, with the exception of storage, is allowed only to be processed with the Customer's consent, or for the purpose of submitting, enforcing or defending legal claims, or for protecting the rights of any other natural or legal person, or for important public interest of a Member State or the European Union.
4.5. Right to Object (Article 21 GDPR)
Customer shall have the right at any time to object, for reasons related to their own situation, to the processing of their personal data in the public interest, for the exercise of public authority or for the legitimate interest of the data controller (third party), including profiling based on it as well. In this case, Data Controller is no longer entitled to process personal data, except Data Controller demonstrates that the processing is justified by compelling legitimate reasons that prevail over the interests, rights and freedoms of the data subject, or relate to the submission, enforcement or defense of legal claims. If personal data is processed for direct business purposes, Client shall have the right at any time to object to the processing of personal data for such purpose, including profiling, if it is related to direct marketing. If Customer objects to the processing of personal data for the purpose of direct business, then personal data are no longer allowed to be processed for this purpose.
4.6. Right to data portability (Article 20 GDPR)
Customer is entitled to receive personal data provided to a data controller in a structured, widely used, machine-readable format, and has the right to transfer these data to another data controller without being hindered by the data controller to whom personal data have been provided, if: a) if data processing is based on the Customer's consent or the performance of the contract concluded with the Customer, (b) and data are processed in an automated way. In exercising the right to portability of data, Customer is entitled to request – if technically feasible – direct transfer of personal data between data controllers.
4.7 Right to Withdraw Consent (Article 7, Section 3 GDPR)
Customer is entitled to withdraw their consent at any time. Withdrawal of the consent shall not affect the legality of the consent based data management prior to the withdrawal. The consent can be withdrawn by Customer at Data Manager's contact details.
4.8. Measures to Exercise Customer Rights
Data Controller shall inform the Client of the action taken on their request without undue delay, but no later than within one month from the receipt of the request.
If necessary, taking into account the complexity of the requests and the number of requests, this time limit can be extended by an additional two months. Data Controller shall inform Client of the deadline extension, indicating the reasons for the delay, within one month from the receipt of the request. If the Customer has submitted the request electronically, the information shall, as far as possible, be provided by electronic means unless otherwise requested by the Customer. Data Controller shall provide Client with information and measures free of charge.
If Customer's request is manifestly unfounded or excessive or – in particular because of its repetitive character - Taking into account the administrative costs of providing the requested data or information or the requested measures, Data Controller:
- charges a reasonable amount, or
- shall refuse to act on the request.
Data Controller shall bear the burden of proving the manifestly unfounded or excessive character of the request. If Data Controller has reasonable doubts about the identity of the natural person who submitted the request, they may request additional information necessary to confirm the Customer's identity.
5. Information on Remedies
Without prejudice to any other administrative or non-judicial remedy, each Client shall have the right to bring a charge at a supervisory authority – in particular in the Member State of normal residence, place of employment or the place where the alleged infringement was committed – if Customer considers that personal data processing concerning them violates this regulation. The competent supervisory authority in Hungary and its contact details are as follows: National Authority for Data Protection and Freedom of Information (NAIH) Address: Szilágyi Erzsébet fasor 22, H-1125 Budapest, Hungary / c; postal address: 1530 Budapest, P.O. Box: 5, Hungary; e-mail: www.naih.hu.; phone: +36-1-391-1400; fax: +36-1-391-1410; website:
In the event of any unlawful data processing, Customer is entitled to initiate civil action against Data Controller. Civil action falls within the jurisdiction of the court of law. Civil action may, at the Client's option, be initiated in the court of law of residence (list and contact details of the courts are available at http://birosag.hu/torvenyszekek). Data Controller shall indemnify for damage caused to other parties due to unlawful processing of Customer's data or breach of data security requirements. Data Controller shall not be liable if they prove that the damage was caused by an unavoidable cause beyond the scope of data management. There is no need to compensate for the damage to the extent that it is the result of intentional or grossly negligent behavior on the part of the injured party.
6. Scope, Purpose, Duration, Legal Basis, Source and Transmission of Data Managed by the Data Controller
|No.||Purpose of Data Management||Title of Personal Information||Duration of Data Management||Legal Basis of Data Management||Source of Data|
|1.||Monitoring customer contracts (supply and sales contracts), contact details suitable for communication||
||5 years after expiry of contract (limitation period)||Consent of Data Subject||Customer (Data Subject) or their legal representative|
|2.||Invoicing and collection of related fees, issuing and storing vouchers and certificates in accordance with the Act on Accounting||
||8 years after the document creation||Consent of Data Subject||Customer (Data Subject) or their legal representative|
|3.||Reporting to authorities||
||1 year after termination of the Client Contract||Fulfillment of a legal obligation||Customer (Data Subject) or their legal representative|
|4.||Complaint management, registration||
||The minutes of the complaint and the copy of the response are stored for 5 years||
Fulfillment of a legal obligation
Act on Consumer Protection, Article 17/A, Section 7 and Article 17/B, Section 3
|Customer (Data Subject) or their legal representative|
|5.||Malfunction notification related complaint management||
||5 years from the date the error was recorded||Data management based on a legitimate interest, according to Article 6, Section 1, subsection f of the GDPR||Error Reporting Registry|
|6.||Monitoring client contract, communication||
||After termination of the Client Contract, until the claim under the Agreement expires or the statement of consent is withdrawn||Consent of Data Subject||Customer (Data Subject) or their legal representative|
|7.||Tendering, advertising, other consumer information||
||Campaign period + 3 months / until withdrawal of contribution||Consent of Data Subject||Customer (Data Subject) or legal representative based on purchased database|
Scope of Managed Data
While viewing of this website, due to technical operational reasons, the start and end time of the user's visit is automatically recorded, and in some cases – depending on the user's computer configuration – browser, operating system information, user IP address and the name of the page from which the user came are also stored. The system automatically generates statistical data from this data. The operator does not link this data to any other personal data, and uses it solely for statistical purposes. It sends a cookie to visitors' computers. The cookie is necessary, among others, to display automatic messages to users. Cookies are not used for commercial purposes by Data Controller, but they are used to promote donation by means of remarketing tools (Google tracking code, Facebook pixel).
Anyone can visit the site without having to enter any personal information beyond technically automatic data management.
In the cases of newsletter requests, questions, legal assistance, support and other inquiries, user's name, address, telephone number and e-mail address will be used solely for contact purposes by Data Controller. Data Controller does not make any personal information available to other visitors of the website.
Legal Basis of Data Management
Data management provided for the use of this website is performed with the user's voluntary consent, and with the awareness of the provision of this information. The legal basis of this personal data management is the voluntary consent of users.
Purposes of Data Management
Website visitor data – Date and time of visit, IP address, record and storage of browser and operating system data are specific to system operation, their management is technically indispensable and these data are used only for statistical purposes.
Newsletter subscription – The purpose of the processing of personal data submitted to the Data Controller is to request newsletters by Data Subject, and Data Controller may send them newsletters. The processing of personal data is performed both for the purpose of providing the newsletter service and for communicating with the data subject. Data Controller will not use personal data for any other purpose and will keep them confidential.
These data will be used for statistical purposes. Data Controller will not process personal data for purposes other than those stated. The data provided in this way will be managed according to the user's voluntary consent.
Duration of Data Management
Session IDs are automatically deleted when the browser is closed. Users can delete their own cookies at any time. Cookies are automatically deleted depending on the browser settings. If the User has consented to the use of his or her data for the purposes of a newsletter, sponsor communication or legal assistance, such data will be stored by Data Controller until otherwise provided / the consent is withdrawn by the User.
Scope of Data Accessors, Data Processors
Personal data provided by users, as well as data automatically accessed due to technical operation, shall be accessible only to the personnel of the data controller.
Personal Data will not be disclosed to third parties by the Data Controller unless the User has provided personal data for such purpose. In case of statutory, mandatory data transfers, Data Controller shall, before completing each request for authority data, examine for each data whether the legal basis for the data transfer really exists and, if necessary, request the opinion of the data protection authority.
Users have the right to change their provided data at any time. In case of newsletter subscriptions, in order to provide new e-mail address, the User need to unsubscribe and then sign up with the new email address. The email address of the data subject is not public and it is not accessible to a third party.
7. Concepts and Definitions
Data Processing shall mean the technical operations involved in data control, irrespective of the method and instruments employed for such operations and the venue where it takes place, provided that such technical operations are carried out on the data.
Data Processor shall mean any natural or legal person or unincorporated organization who or that is engaged under contract with data controller in the processing of personal data, including when the contract is concluded by virtue of law.
Data Control shall mean any operation or set of operations which is performed upon personal data, irrespective of the applied procedure, such as particularly collection, obtaining, recording, organization, storage, alteration, use, retrieval, transfer, making public, alignment or combination, blocking, deletion and destruction, as well as the barring of their further use, photographing, sound or image recording, as well as the recording of physical (biometric) characteristics suitable for personal identification (such as fingerprints, and palmprints, DNA samples and iris images).
Data Controller: PEEK Ltd. shall be deemed to be a data controller, in respect of the tasks set out in this data processing policy data controller shall mean any person or any organizational unit who or that determines the purpose of the processing of data, makes decisions on data processing (including those as to the means of the processing) and implements these decisions or has them implemented by the technical data processor he/she has commissioned;
Referencing shall mean the marking of stored data for the purpose of identification.
Destruction of data shall mean the complete physical destruction of the data carrier containing data.
Data transfer shall mean making data accessible for a specific third party.
Deletion of data shall mean making data unrecognizable sufficient to make them irretrievable.
Data protection incident: personal data breach or privacy incident shall mean the unlawful control or processing of personal data meaning, in particular, accidental or unlawful deletion, destruction, damage, alteration, transfer, disclosure by transmission resulting unauthorized access.
Blocking of data shall mean the marking of stored data with the aim of limiting their processing in future permanently or for a predetermined period.
Data subject shall mean a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly.
Third person shall mean any natural or legal person or unincorporated organization, other than the data subject, the data controller or the data processor.
Consent shall mean any freely and expressly given, specific and informed indication of the wish of the data subject by which the data subject signifies their unequivocal agreement to the processing, either wholly or partially, of personal data relating to them.
Public disclosure shall mean making data accessible to the general public.
Pprofiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Personal data: any information relating to the data subject, in particular by reference to their name, an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject.
Natural identifiers: natural person's first and last name, birth's first and last name, place and date of birth, mother's first and last name.
Objection shall mean the statement of the data subject by which they object to the processing of their personal data and request termination of the data processing and/or deletion of the processed data.
25th May, 2018, Budaörs
Mr. István Pokorádi
CEO, data protection officer