Privacy policy
This data management information sheet (hereinafter: "Informational") explains in detail that it is Impact Design Limited Liability Company (short name: Impact Design Kft., registered office: 1141 Budapest, Szugló utca 125/D C. ép. B. house. 32. , registered by the Company Registry of the Capital City Court under the company registry number Cg 01-09-373407; His e-mail address: hello@impactbox.net; hereinafter: "Company", „Data controller" obsession "Impact Design") what personal data it collects about its users (hereinafter: "Front", „Affected", „User") is the Data Controller https://www.impactbox.net on his website
(hereinafter: "Website"), browsing, registration, contacting the Data Controller (hereinafter: "Contact"), order the Impact Box or other Product
(hereinafter: "Order"), and subscribing to a notification e-mail or other newsletter indicating the availability of the Impact Box or other Product (hereinafter: "Notification Service") during
The Information Sheet also sets out the rights and obligations related to the management of personal data, as well as other relevant provisions. This Information Sheet is subject to the General Terms and Conditions of Impact Design (hereinafter: "GTC"), is an integral part, therefore the definitions contained in the General Terms and Conditions are also applicable in this Information.
Personal data is collected and managed by the Data Controller in accordance with the directly applicable legislation of the European Union and the applicable Hungarian legislation. Regarding the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: "GDPR"), Act CXII of 2011 on the right to information self-determination and freedom of information, Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising, and Act 2001 on certain issues of electronic commercial services and services related to the information society Act CVIII ofNAIH")'s recommendations and the data protection practice established by it, as well as Article 29. Data Protection Working Group according to Article 68 of the GDPR. the recommendations of the European Data Protection Board according to Article
Based on the above, Impact Design is the data manager of all data that is considered personal data and is provided to the Data Manager during the Contact, Order or Notification Service.
Impact Design is commhereed to the protection of personal data, therefore it treats the received personal data confidentially and takes all measures to promote safe data management.
1. CONCEPTS
The following interpretive provisions have been determined based on the GDPR:
1.1 personal data: to an identified or identifiable natural person ("affected"), the natural person can be identified directly or indirectly, in particular by an identifier such as a name, number, location data, online identifier or the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable on the basis of one or more relevant factors;
1.2 consent of the data subject: a voluntary, concrete and well-informed and clear declaration of the data subject's will, with which the data subject indicates by means of a statement or an unmistakable act of confirmation that he/she consents to the processing of personal data concerning him/her;
1.3 data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
1.4 data handling: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or making available in any other way through, alignment or connection, restriction, deletion or destruction;
1.5 data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;
1.6 third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who have been authorized to handle personal data under the direct control of the data controller or data processor;
1.7 data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmhereed, stored or otherwise handled;
1.8 addressee: the natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the management of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;
1.9 supervisory authority: in order to protect the fundamental rights and freedoms of natural persons with regard to the management of their personal data, as well as to facilitate the free flow of personal data within the European Union, one or more independent public authorities appointed or established by each member state of the European Union to monitor the application of the GDPR;
1.10 relevant supervisory authority: means the supervisory authority affected by the processing of personal data for one of the following reasons: a) the data controller or data processor has a place of business in the territory of the member state of the said supervisory authority; b) the data processing significantly affects or is likely to significantly affect data subjects residing in the supervisory authority's Member State; or c) a complaint has been submitted to the aforementioned supervisory authority.
2. SCOPE OF DATA COLLECTED BY IMPACT DESIGN
Information collected from Users enables us to enable Users to order Impact Box or other Products and to personalize and improve our services and marketing activities.
The Data Controller collects and manages your personal data exclusively for the purposes specified in this Information Sheet, and ensures that the data management is carried out in accordance with the purpose of the data management at all stages.
2.1 Data You Provide to Impact Design
2.1.1 Data provided during the Order
Data controller through the Website, 6 of the General Terms and Conditions. in order to fulfill the Order according to point
(A) If you, as an individual, order an Impact Box or other Product:
- Surname and first name,
- e-mail address,
- phone number,
- Delivery Address,
- billing address,
- payment data (card data, bank account number).
The data controller draws your attention to the fact that the e-mail address provided does not need to contain personal data, such as your name. You are free to choose to provide an email address that contains information that identifies you.
(B) If you, as a representative of a legal entity, order an Impact Box or other Product:
- Surname and first name,
- if the specified e-mail address contains your name, in that case e-mail address,
- if the given telephone number is not the central telephone number of the legal entity you represent, or the telephone number provided to you by the legal entity, then telephone number.
2.1.2 Data provided during Contact
The Data Controller manages the following personal data of you during Contact via the Website:
- Surname and first name,
- e-mail address,
- phone number,
any other personal data communicated to the Data Controller in the message.
2.1.3 Data provided during the Notification Service
In order to provide the Notification Service available on the Website, the Data Controller manages the following personal data of you:
- Surname and first name,
- e-mail address,
- telephone number.
2.2 Personal data of third parties provided by you to Impact Design
In the course of providing the services, Impact Design also processes the personal data of third parties received from its Users, including the name, address, telephone number, e-mail address or any other personal data of third parties, which are securely stored by Impact Design on its servers.
In the event that the provisions of the GDPR apply to the personal data of third parties, the User is considered a data controller for these third parties, while Impact Design is a data processor, and therefore you, as a client of Impact Design, are also responsible for complying with the provisions of the GDPR. Please note that in this case, the data management relationship between the data manager and the data processor must be regulated by a written contract, which must comply with Article 28 of the GDPR. of the requirements contained in Article In order to comply with the provisions of the GDPR, the data processing legal relationship between you, as a data controller, and Impact Design, as a data processor, is attached to this Information 1. in appendix no (which forms an inseparable part of this Information) the provisions of the Data Processing Agreement are applicable.
2.3 Automatically collected data
When viewing the Website of the Data Controller, due to the technical operation, the start and end time of the user's visit is automatically recorded, and in some cases, depending on the settings of the Data Subject's computer, the browser, the operating system data and the user's IP address, as well as the name of the page from which the Affected received. The system automatically generates statistical data from this data.
The recording and storage of the time of the visit, the IP address, as well as the browser and operating system data is a feature of the system's operation, their management is technically essential, it is done exclusively for statistical purposes, the Company does not carry out further data management with these data.
3. COOKIES
A "cookie" is a small file that stores your computer's browsing history. The content of these files can be checked, especially to make browsing more efficient. These cookies do not contain any data from which we could identify you. Anonymized data may include user session data, such as IP address, browser type, time the User spends on the Website and the buttons you click. The detailed cookie information itt you can read it.
4. HOW DOES IMPACT DESIGN USE YOUR DATA?
Your personal data - managed for different purposes and on different legal bases - is used by the Data Controller as follows:
4.1 Fulfillment of the contract, for the purpose of providing Impact Design's service and on its legal basis (GDPR 6. Article (1) point b) manages your following personal data:
- Surname and first name,
- e-mail address,
- phone number,
- Delivery Address,
- billing address,
- payment data (card data, Bank account number).
4.2 The following personal data with your consent (as a legal basis for processing, GDPR. 6. (1) point a) of Article (1) a) the Data Controller uses for marketing purposes (sending newsletters, sending coupon codes, displaying personalized advertisements) and for sending e-mails:
- Surname and first name,
- e-mail address
- telephone number.
You are entitled to withdraw your consent to data processing for marketing purposes at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.
4.3 Personal data indicated in point 4.1 of this Notice for the purposes of legal compliance and compliance with relevant legal obligations (which is also the legal basis for data management, GDPR 6. Article (1) point c) is managed by the Data Controller in order for Impact Design to be able to comply with the requirements of certain laws (for example, the requirements of the Accounting Act), as well as to prevent fraudulent transactions, check thefts and otherwise protect its customers and its own himself, and to assist law enforcement and respond to subpoenas and official requests.
4.4 The following personal data is In order to assert the legitimate interests of the Data Controller and for the purpose (which is also the legal basis for data management, GDPR 6. Article (1) point f) is managed by the Data Controller in order to increase the efficiency of its services, Website and marketing efforts, as well as to carry out research and analysis, including focus groups and surveys, and to carry out other business activities as necessary , or perform other activities as described in this Notice.
Personal data collected when visiting the Website and using the Data Controller's services:
- Usage information;
- Actions performed on the Website;
- The time, place and regularity of visiting the Website;
- Technical parameters of the browser;
- The visited content.
Impact Design may use the following software and programs to collect, compile statistics and analyze the aforementioned data:
Name |
Registered office |
Country |
Google Analytics |
1600 Amphitheatre Parkway, Mountain View, California 94043 |
USA |
Facebook Inc. (Facebook Pixel) |
1601 Willow Road Menlo Park, California 94025 |
USA |
Shopify Inc. |
2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32 |
Ireland |
Impact Design also uses the personal data listed above and the derived, aggregated data for statistical purposes.
4.5 Integrity and purposefulness: The data manager only collects and stores personal data that is relevant to the purposes of data collection, and does not use them in a way that is incompatible with the stated purposes, unless you have authorized this use. We take reasonable steps to ensure that personal information is reliable for its intended use and is accurate, complete and up-to-date. Impact Design may occasionally contact you to ensure that your information remains accurate and current.
5. PERSONAL DATA STORAGE PERIOD
Your personal data will be retained by Impact Design as long as it is necessary to achieve the purposes described in this information sheet, or until you withdraw your consent to data management, unless the law allows or requires a longer retention period (for example, for tax, accounting or other legal reasons ). If the Data Controller has no or no longer has a legal basis for processing your personal data, we will either delete or anonymize your personal data, or, if this is not possible (because, for example, your data is stored on Impact Design's backup), then Impact Design will keep your personal data securely and separately store until they cannot be deleted.
6. SHARING OF PERSONAL DATA COLLECTED BY IMPACT DESIGN
6.1 The data controller does not allow third parties to access your personal data without your prior consent, except in cases where the data transmission is necessary for the fulfillment of the contract, necessary for the enforcement of the Company's legitimate interests, or based on a legal requirement.
6.2 The Data Controller may share certain personal information with third-party service providers located in the European Union or third countries who provide software applications, website operation and other technologies, as well as specific services for Impact Design (hereinafter: "Data processor"). The Data Processor may only access personal data collected by the Data Controller that is necessary to perform its work or to comply with the law. The Data Processor will never use this information for any other purpose, except for the performance of its services to Impact Design. During data processing, the Data Processor must also comply with the provisions of this Notice, the applicable laws in force, and the existing contracts between it and Impact Design.
Impact Design uses the data processing activities of the following companies:
Name |
Registered office |
Country |
Activity (data processing service) |
Weiszbart and Associates Law Firm |
1052 Budapest, Kristóf tér 3. III. floor |
Hungary |
Provision of legal services. |
Facebook, Inc. (Facebook Pixel is Instagram) |
1601 Willow Road Menlo Park, CA 94025 |
USA |
Measuring the effectiveness of Facebook and Instagram ads. |
Google, LLC (Google Drive, Google Analytics, Google Tag Manager, Google Adwords, G Suite, YouTube) |
1600 Amphitheatre Parkway Mountain View, CA 94043 |
USA |
Hosting service, mail system service, video embedding and statistical service. |
Shopify International Ltd. |
2nd Floor, 1-2 Victoria Buildings, Haddington Road, Dublin 4, D04 Xn32 |
Ireland |
Web hosting service. |
MailerLite |
Jonas Basanavičius st. 15, Vilnius 03108, Lithuania |
Lithuania |
Newsletter sending. |
OTP Mobile Service Limited Liability Company (SimplePay platform) |
1143 Budapest, Hungária körút 17-19. |
Hungary |
Credit card payment |
GLS General Logistics Systems Hungary Parcel-Logistics Limited Liability Company |
2351 Alsónémedi, GLS Európa utca 2. |
Hungary |
package delivery |
6.3 Google, LLC and Facebook, Inc. participate in the EU-US and Switzerland-US Privacy Shield programs, therefore the transfer of personal data to these companies in 2020. July 16 were deemed legal prior to Please note that based on the decision of the Court of Justice of the European Union No. C-311/18, these companies will no longer be regarded as companies providing adequate security for the personal data of Europeans. The full sentence itt can read it.
6.4 Personal data collected from private individuals within the EU will be transferred by Impact Design to a third party with a registered office outside the EU without the necessary safeguards only based on your consent or in order to fulfill the contract. The Data Controller makes every effort to ensure that the personal data provided is secure and that the personal data is processed in accordance with the provisions of the GDPR.
7. YOUR RIGHTS
Impact Design will respond to the Data Subject's request to exercise their rights within a maximum of one month from its receipt. The date of receipt of the application is not included in the deadline.
7.1 Right of access
The Data Subject is entitled to hello@impactbox.net via e-mail address, request information from the Data Controller on whether your personal data is being processed, and if such data processing is underway, you are entitled to know whether
(a) Data controller
- what personal data;
- on what legal basis;
- for what purpose of data management;
- how long
handles; furthermore, that
(b) to whom, when, on the basis of which legislation, to whom did the Data Controller provide access to his personal data or to whom did he transmit his personal data;
(c) the source of your personal data;
(d) whether the Data Controller uses automated decision-making and its logic, including profiling.
Impact Design will provide a copy of the personal data that is the subject of data management at the Data Subject's request free of charge for the first time, after which it may charge a reasonable fee based on administrative costs.
In order to meet the data security requirements and protect the Data Subject's rights, the Data Controller is obliged to make sure that the identity of the Data Subject and the person wishing to exercise their right of access match, and for this purpose, information, access to the data, and the issuance of a copy of the data are also subject to the identification of the person concerned.
7.2 Right to rectification
You can request that the Data Controller change any of your personal data via the e-mail address hello@impactbox.net. If the Data Subject can creditably prove the accuracy of the corrected data, the Data Controller will fulfill the request within a maximum of one month and will notify the Data Subject of this at the contact information provided by the Data Controller.
7.3 Right to erasure (forgetfulness).
You have the right to request that Impact Design delete your personal data without undue delay, and the Data Controller is obliged to delete the personal data concerning the Data Subject without undue delay. If the processing of personal data is based on a legal obligation (for example: compliance with the provisions of the Accounting Act), or is based on the legitimate interests of the Data Controller or other Users (for example: enforcement of legal claims), then the Data Controller is entitled to further process personal data as defined by law.
If a deletion request is received by the Data Controller, the Data Controller will first check whether the deletion request really originates from the right holder. To this end, the data controller may request data to identify the existing contract between the Data Subject and the Data Controller (for example, contract number, contract date), the identification number of the document issued by Impact Design for the Data Subject, and the personal identification data registered about the data subject, however, the Data Controller may not request such additional data as identification , which is not kept on record by the Data Subject.
7.4 The right to restrict (block) data processing
You can request that the processing of your personal data be limited by the Data Controller (by clearly indicating the limited nature of data processing and ensuring separate processing from other data) if
- disputes the accuracy of your personal data (in this case, the Data Controller limits data processing to the period of time it checks the accuracy of your personal data);
- the data processing is illegal and the Data Subject opposes the deletion of the data and instead requests the limitation of its use;
- Impact Design no longer needs the personal data for the purpose of data management, but the Data Subject requires them to submit, enforce or defend legal claims; obsession
- the Data Subject objected to data processing (in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the Data Subject).
7.5 The right to object to data processing
With regard to the processing of your personal data - for the purpose of asserting legitimate interests - you may be entitled to object to the processing of your personal data if, in your opinion, the Data Controller would handle your personal data inappropriately in connection with the purpose indicated in the Information Sheet. The Data Controller examines the legality of the Data Subject's objection, and if it determines that the objection is well-founded, it terminates the data management and locks the managed personal data, and also notifies all those to whom the personal data affected by the objection were previously transmitted about the objection and the measures taken based on it.
7.6 The right to data portability
In relation to data processing for the purposes set out in points 4.1 and 4.2 of this Privacy Notice - subject to their legal basis - you are entitled to receive the personal data relating to you that you have provided to the Data Controller in a segmented, widely used, machine-readable format, and you are also entitled to that these data are transmitted by Impact Design to another data controller without the Data Controller preventing this.
8. PROTECTION OF PERSONAL DATA OF MINORS
Impact Design does not collect the personal data of minors - in accordance with the General Terms and Conditions of the Data Controller. If you suspect or find out that a child under the age of 16 has registered on the Website, please notify the Data Controller at the following e-mail address: hello@impactbox.net.
9. COMPLAINT, REMEDY
If you consider that Impact Design has violated the applicable data protection requirements when handling your personal data, or if the Data Controller does not provide an adequate response to your request, then:
- can submit a complaint to NAIH (National Data Protection and Freedom of Information Authority, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, postal address: 1530 Budapest, Pf.: 5. E-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu), obsession
- in order to protect your data, you have the option to go to court, which will act out of turn in the case. In this case, you can freely decide whether to submit your claim according to your place of residence (permanent address) or your place of stay (temporary address). You can contact the court of your place of residence or stay at http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso page.
10. CHANGE OF NOTIFIER
The Data Controller has the right to modify this Information Sheet and the information related to the use of the Website from time to time, due to various updates, unilaterally without prior notification. Amendments to the Notice shall enter into force upon publication. With this in mind, it is recommended to regularly visit the Website and monitor the acceptability of changes.
11. FURTHER INFORMATION
If you have any questions about this Notice or Impact Design's services, please contact us at hello@impactbox.net at e-mail address.
DATA PROCESSOR AGREEMENT
This data processing agreement (hereinafter: "Contract") is Impact Design Kft. (seat: 1141 Budapest, Szugló utca 125/D C. ép. B. house. 32., registered by the Company Registry of the Capital City Court under company registry number Cg. 01-09-373407; hereinafter: "Data processor") is an integral or inseparable part of its Privacy Notice and General Terms and Conditions. This Agreement regulates the data processing legal relationship between the Data Processor and the User of the Website, which Agreement the User accepts at the same time as accepting the Data Protection Notice and the General Terms and Conditions.
Preamble
of the General Data Protection Regulation of the European Union ("EU") (hereinafter: "GDPR") 28. subject to the provisions of Article (3), the Parties shall record in writing their rights and obligations regarding their data processing relationship. The terms used in this Agreement shall be interpreted with the content according to the definition contained in this Agreement.
Terms not defined in this Agreement have the meaning given in the Privacy Notice. Apart from the following amendments, the conditions for data processing by the Data Processor contained in the Data Protection Information remain in effect.
Taking into account the mutual obligations defined in this Agreement, the Parties agree that the conditions defined below must be taken into account as an amendment to the Privacy Policy. Unless otherwise indicated by the context, references to the Privacy Notice contained in this Agreement refer to the Privacy Notice supplemented by the content of the Agreement.
1. Concepts
2. Data management related to the personal data of the data controller
2.1 The Data Processor is obliged to:
to the extent necessary to fulfill the provisions of the Services and this Agreement.
2.3 A GDPR 28. in accordance with the requirements set forth in paragraph (3) of this Agreement 1. attachment no contains the information regarding the processing of the Data Controller's Personal Data by the Contracted Data Processors. The Data Processor can unilaterally make reasonable changes to the 1. in the content of attachment no. with the simultaneous notification of the Data Controller in order to comply with the legal regulations. The 1. attachment no. does not grant any rights or impose any obligations on the Parties.
3. Data processor
3.1 The Data Processor is obliged to take reasonable steps in order to ensure the reliability of all employees, agents or contractors of its Contracted Data Processors who have access to the Data Controller's Personal Data, and must also ensure that the Data Controller's Personal Data can only be accessed or known by those, for whom within the organization of the Contractual Data Processor it is absolutely necessary and must be ensured by Article 28 of the GDPR. fulfillment of the provisions of paragraph (3) of Article
4. Safety
4.1 The Data Processor shall take appropriate technical and organizational measures in relation to the Controller's Personal Data, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the variable probability and severity of the risk to the rights and freedoms of natural persons, including, if appropriate, Article 32 of the GDPR. (1) of Article 1, implements appropriate measures in order to guarantee a level of data security appropriate to the degree of risk.
4.2 When evaluating the appropriate level of security, the Data Processor takes into account the risks that may be associated with data processing, especially with regard to possible data protection incidents.
5. Further data processing
5.1 The Data Controller authorizes the Data Processor to use Additional Data Processors in accordance with this 5. in accordance with the provisions in point and the restrictions contained in this Agreement. The Additional Data Processor used before the entry into force of this Agreement may be used by the Data Processor even after the entry into force of this Agreement, if the agreement reached with the Additional Data Processor regarding further data processing can be met as soon as possible with the requirements contained in point 5.3.
5.2 The Data Processor is obliged to notify the Data Controller in writing about the details of the Data Processing to be carried out by the Additional Data Processor before the Data Processing of the Additional Data Processor used after the entry into force of this Agreement begins. If within 8 (i.e. eight) calendar days from the date of receipt of the notification, the Data Controller objects in writing to the Data Processor regarding the planned designation, as follows:
6.1 The Parties declare that by providing the Services, the Data Processor manages the personal data of the Data Controller's customers. A GDPR 12. (1), the Data Controller is obliged to inform its customers that the Data Controller transmits certain personal data to third parties in the course of data management.
6.2 Taking into account the findings contained in section 6.1 of this Agreement, the Parties agree that the Data Controller will only use the GDPR in accordance with Article 14. is obliged to inform its customers by providing the necessary information prescribed in section
6.3 THE DATA PROCESSOR HEREBY DISCLAIMS ALL LIABILITY UNDER THIS 6. ACCORDING TO THE SUBJECT POINT, THE DATA PROCESSOR IS INCLUDED IN RELATION TO DAMAGE, NON-PROPERTY INJURY AND/OR CONSEQUENTIAL DAMAGES RELATING TO THE FAILURE TO NOTIFY ITS CUSTOMERS AND THE DATA PROCESSOR 14 of the GDPR. IN CONNECTION WITH ANY LOSS OR LIABILITY RESULTING FROM FAILURE TO PROVIDE INFORMATION AS DESCRIBED IN ARTICLE.
6.4 THE DATA PROCESSOR IS OBLIGED TO INDEMNIFY AND INDEMNIFY THE DATA PROCESSOR IN THE CASE OF ANY DAMAGE, NON-PROPERTY INJURY, OR CONSEQUENTIAL DAMAGES ARISING FROM THE DATA PROCESSOR AS A RESULT OF 6. THIS AGREEMENT. IT BREACHES ITS OBLIGATIONS SET FORTH IN THE POINT.
6.5 THE PRESENT 6. VIOLATION BY THE DATA PROCESSOR OF THE OBLIGATIONS CONTAINED IN THIS SECTION IS CONSIDERED A SERIOUS CONTRACT BREACH, ON THE BASIS OF WHICH THE DATA PROCESSOR IS RIGHT TO TERMINATE THIS AGREEMENT WITH IMMEDIATE EFFECT, WITHOUT PRIOR NOTICE.
7.1 Taking into account the nature of the Data Processing, the Data Processor is obliged to assist the Data Controller with appropriate technical and organizational measures accepted by the Data Controller to the extent possible so that the Data Controller can respond to the Data Subject's requests related to the exercise of his rights contained in the Data Protection Law.
7.2 The Data Processor is obliged to:
8. Data Protection Incident
8.1 The Data Processor is obliged to notify the Data Controller without delay, but at the latest within 24 hours of detection, if the Data Processor or any Additional Data Processor detects a Data Protection Incident related to the Data Controller's Personal Data, and is obliged to provide the Data Controller with all necessary information without delay.
8.2 The notice must contain at least the following:
8.3 The Data Processor is obliged to cooperate with the Data Controller and, in accordance with the Data Controller's instructions, take all commercially reasonable steps to assist in the investigation, mitigation of consequences and compensation for individual Data Protection Incidents.
8.4 If the Data Processor does not fulfill or violates this 8. , such non-performance or breach of obligations is considered a serious breach of contract and, contrary to the provisions of this Agreement, the Data Controller may terminate this Agreement in writing with immediate effect.
9.1 The Data Processor is obliged to cooperate with the Data Controller in relation to all data protection impact assessments and preliminary consultations with the Supervisory Authority or other competent data protection authorities, which are reasonably necessary for the Data Controller to comply with Articles 35 and 36 of the GDPR. as contained in its articles.
10. Deleting or returning Personal Data of Data Controllers
10.1 The Data Processor, taking into account the provisions of points 10.2 of this point, the date of termination of any Service related to the Processing of Personal Data of the Data Controller (hereinafter: "Cessation Day"), without delay, but within 3 (i.e. three) calendar days at the latest, and at any time upon written request by the Data Controller, (i) must delete the Data Controller's Personal Data and all copies related to the deleted Data Controller's Personal Data, or (ii) must return the Data Controller is obliged to delete all Data Controller Personal Data and all related copies and (iii) the Data Controller Personal Data Processed at the Data Processor and Additional Data Processors, as well as all copies made of them.
10.2 All Contracted Data Processors are entitled to further process the Controller's Personal Data only to the extent that the Applicable Law requires this, and only for as long as the Applicable Law requires this. The Data Processor is also obliged to ensure that the further processing of such Data Manager's Personal Data is confidential, and is also obliged to ensure that the Data Manager's Personal Data will be processed only to the extent necessary for the purpose determined by the Applicable Law requiring further storage.
11. Audit Rights11.1 The Data Processor is obliged, upon the Data Controller's request, to make available to the Data Controller all data that proves the Data Processor's compliance with this Agreement, and is also obliged to enable and facilitate audits carried out by the Data Controller or an inspector commissioned by the Data Controller, including on-site inspections . The Data Controller shall endeavor to avoid or, if unable to avoid, to reduce damages and disruptions caused by the persons conducting the audit or control, in the premises of the Contracted Data Processor, to its employees and to its business operations.
12.1 Governing Law and Jurisdiction
12.3 Amendment of the Data Protection Law and amendment of the Agreement
12.3.1 The Data Controller is entitled to:
In the event that any point of this Agreement is invalid or unenforceable, the remaining parts of this Agreement shall remain valid and effective. Invalid or unenforceable provisions must either (i) be replaced by a provision that corresponds to the original will of the Parties for the sake of validity or enforceability, or (ii) interpret this Agreement as if the invalid or unenforceable provisions had never been contained.
• • •
DETAILS OF PROCESSING PERSONAL DATA OF DATA CONTROLLERS
Present 1. Annex No. 28 of the GDPR contains the processing of the Data Controller's Personal Data. the details prescribed in paragraph (3) of Article
1. Subject and duration of the processing of the Controller's Personal DataPersonal data relating to the Data Controller's customers will be processed by the Data Processor as long as they are necessary to fulfill the Data Processor's contractual obligations, or as long as their processing is in the legitimate interest of the Data Processor, or for the period prescribed by law.
2. The nature and purpose of the processing of the Controller's Personal DataThe Data Controller's Personal Data are necessary for the provision of the Data Processor's Services.
3. Types of Data Controller Personal Data to be managed
Personal data provided by the Data Controller, which are necessary to provide the Service.
4. Categories of Data Subjects to whom the Controller's Personal Data applyCustomers of the Data Controller whom the Data Controller wishes to gift with an Impact Box or other Products.
5. Rights and obligations of the Data ControllerThe Data Controller's rights and obligations are set out in the Data Protection Notice and this Agreement.