1.1. Shiver Korlátolt Felelősségű Társaság (registered office: 3508 Miskolc, Csaba vezér út 129.) as data controller – hereinafter: Data Controller – informs data subjects about the following facts and circumstances based on Article 12(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC – hereinafter: GDPR, and Section 20 of Act CXII of 2011 on the freedom of information – hereinafter: Info Act, in order to implement the GDPR and the Info Act by way of this Data Privacy Statement before starting to control their personal data.
Data control that is subject to the GDPR and the Info Act applies only to the data of natural persons; they do not apply to controlling the data of legal persons and other business entities. Data control performed by natural persons only in the framework of their personal or home activities, that is, data control that cannot be associated with any professional or business activities, is not subject to the GDPR and the Info Act. The contents of this statement apply to automated data control, i.e. performed electronically, simply by computer, as well as to manual data control.
1.1. Data of the data controller
Company name | Shiver Korlátolt Felelősségű Társaság |
Registered office | 3508 Miskolc, Csaba vezér út 129. |
Company registration number | 05-09-023947 |
Tax number | 23890833-2-05 |
Statistical number | 23890833-4511-113-05 |
Account managing bank, bank account number | OTP Bank Nyrt. 11734004-20499598 |
Contact person’s name and contact details (e-mail) | Ágnes Kovács, |
1.3. Websites where data control actually takes place
hereinafter: Websites
The data controller’s task is to respect the privacy of natural persons and to determine fundamental rules for data control in order to do so. The effect of the GDPR and the Info Act applies to all data controlling and data processing of data of natural persons. The provisions of the GDPR and the Info Act shall apply to data control and data processing both using a fully or partly automated tool and done manually. The provisions of the GDPR and the Info Act need not be applied to data control by natural persons solely for their personal purposes.
1.4. List of applicable legislation:
1.5. Definitions of terms
For the purposes of this statement:
1.6. The controller will not collect and control genetic data, biometric data and data related to health, that is, collectively: special data, and personal data of minors below the age of 16 years. The consent or subsequent approval of the legal representative of a minor who has reached 16 years of age is not required for the minor’s legal statement containing their consent to data controlling to be valid.
DATA CONTROL ACTIVITIES CARRIED OUT BY THE CONTROLLER:
2.1. Consent given in a contract concluded with the data subject
The controller operates a webstore at the following websites, through which a contract for the sale and purchase of products may be concluded electronically between the controller as seller and the data subject as buyer with or without registration in the webstore. The purpose of operating the webstore is the conclusion of a sale and purchase contract for a product electronically between the parties, and delivery of the sale and purchase contract. The procedure for the electronic conclusion of the sale and purchase contract, and the rights and obligations of the parties are governed by the General Terms and Conditions available on the controller’s web pages.
The webstores are accessible on the websites listed in section 1.3.
The purpose of data control
In the event that a contract for the sale and purchase of products is concluded electronically between the controller as seller and the data subject as buyer, the purpose of data control is the delivery of the contract concluded between the parties.
Legal grounds for data control:
Data subject’s consent according to Article 6(1)b) of the GDPR, Section 5(1)a) of the Info Act.
Scope of data controlled:
Details of the contracting party: | Delivery details: | Invoicing details: | Other: |
a) name (family name, given name) | a) recipient’s name | a) name of person requesting the invoice | a) IP addresses |
b) e-mail address | b) delivery address (country, county, postal code, city, district, street name, street type, house number/topographic lot number, building, stairwell, floor, door number) | b) invoicing address (country, county, postal code, city, district, street name, street type, house number/topographic lot number, building, stairwell, floor, door number) | b) date of last visit |
c) phone number |
c) GEO code (based on delivery and invoicing address, to verify the correct address) |
Consequences of failure to provide data
The sale and purchase contract for the product is not concluded between the parties.
Duration of data control:
The controller will store the data until the following goals are met:
Processor:
Company name | Registered office, website | Data processing activity | Scope of data processed |
Billingo Technologies Zrt. | 1133 Budapest, Árbóc utca 6. 3rd floor, https://billingo.hu/ | Invoicing of the products ordered to the data subjects. | Details listed in the "Details of the contracting party" and "Invoicing details" columns of the "Scope of data controlled" table set out in section 2.1. |
N-Ware Informatikai és Tanácsadó Kft | 1139 Budapest, Gömb utca 26., https://billzone.eu/ | Invoicing of the products ordered to the data subjects. | Details listed in the "Details of the contracting party" and "Invoicing details" columns of the "Scope of data controlled" table set out in section 2.1. |
GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. | 2351 Alsónémedi GLS Európa u. 2., https://gls-group.eu/ | Delivery of the products ordered to the data subjects. | Details listed in the "Details of the contracting party" and "Delivery details" columns of the "Scope of data controlled" table set out in section 2.1. |
UPS Magyarország Kft. | 2220 Vecsés, Lőrinci utca 154. Airport City Logistic Park, G épület, https://www.ups.com/hu/ | Delivery of the products ordered to the data subjects. | Details listed in the "Details of the contracting party" and "Delivery details" columns of the "Scope of data controlled" table set out in section 2.1. |
DHL Express Magyarország Szállítmányozó és Szolgáltató Kft. | 1185 Budapest, BUD International Airport airport building 302, http://www.dhl.hu/hu/ | Delivery of the products ordered to the data subjects. | Details listed in the "Details of the contracting party" and "Delivery details" columns of the "Scope of data controlled" table set out in section 2.1. |
DPD Hungária Kft. | 1134 Budapest, Váci út 33. 2nd floor, https://www.dpd.com/hu/ | Delivery of the products ordered to the data subjects. | Details listed in the "Details of the contracting party" and "Delivery details" columns of the "Scope of data controlled" table set out in section 2.1. |
Data processing technology: manual and automated data processing.
Data transmission: In order to enforce its claim, the processor may transmit personal data - name, address, e-mail address, phone number - to the following third parties:
2.2. Recording of phone conversations
Based on the data subject’s consent, the controller will record conversations with the call centre based on acceptance of the verbal information provided upon receiving the call.
Purpose of controlling and call registration:
Data subjects may request a copy of the voice recording. The controller shall fulfil each request free of charge within 15 days of receiving it, and send the copy of the voice recording by mail, on single-write media. Data subjects may also listen to the voice recording at the controller’s customer service.
Legal grounds for data control: Data subject’s consent according to Article 6(1) paragraphs a) and b) of the GDPR, Section 5(1)a) of the Info Act.
Article 6(1)b) of the GDPR:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
The consent granted to data controlling on the basis of Article 6(1)a) of the GDPR may be withdrawn at any time. The withdrawal will not affect the lawfulness of data control carried out on the basis of consent before the withdrawal.
Scope of data controlled:
Duration of data control: Voice recordings are stored by dynamic use of the available storage capacity in the IT system developed especially for this purpose. When the storage capacity is full, the voice recording recorded earliest will be deleted. The controller will store the voice recordings made for 5 years from the closure of the claim or termination of the contractual relationship.
2.3. PAYMENT BY BANK CARD
Purpose of data control: in case of payment by bank card, the controller will control and transmit to its account managing bank, if necessary, the following data based on the data subject who is the payer:
Legal grounds for data control: Data subject’s consent according to Article 6(1)b) of the GDPR, Section 5(1)a) of the Info Act.
Processor:
Company name | Registered office, website | Data processing activity | Scope of data processed |
SimplePay - OTP Mobil Kft. | 1093 Budapest, Közraktár u. 30-32., https://simplepay.hu | Payment page operator, execution of payment transaction. | Details shown in section 2.3. paragraphs a), b), c) and d) |
Adyen online payment - ADYEN NV | 1011 DJ Amsterdam, Simon Carmiggeltstraat 6-50, P.O. Box 10095, 1001 EB AMSTERDAM, The Netherlands https://www.adyen.com/ | Payment page operator, execution of payment transaction. | Details shown in section 2.3. paragraphs a), b), c) and d) |
Google Pay - Google Ireland Limited. | Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland https://payments.google.com/ | Payment page operator, execution of payment transaction. | Details shown in section 2.3. paragraphs a), b), c) and d) |
Duration of data control: the controller controls the above data for the purposes of enforcing claims, in line with the requirements of the Accounting Act, for the period specified in the Act. The account managing bank will control the above data for the purpose and duration defined in effective legislation and its own regulations.
2.4. Website visitor data
Website visits are realised by clicking on the controller’s web pages.
The purpose of data control: During visits to the website, the controller records visitor data in order to verify the functioning of services, to ensure custom service and to prevent abuse.
Legal grounds for data control: Data subject’s consent according to Article 6(1)a) of the GDPR, Section 5(1)a) of the Info Act and Section 13/A(3) of the Eker tv.
The consent granted to data controlling on the basis of Article 6(1)a) of the GDPR may be withdrawn at any time. The withdrawal will not affect the lawfulness of data control carried out on the basis of consent before the withdrawal.
Scope of data controlled:
The controller will not link the data arising in the course of checking log files with other information and will not attempt to identify users.
Duration of data control: 1 year
Data control by external service providers: The portal’s html code contains links coming in from and pointing to external servers that are independent from the controller. Servers of external service providers are connected directly to the user’s computer, so the providers of these links are able to collect user data due to direct communication with the user’s browser. Custom contents are served by the servers of external service providers. The connection between the servers of the controller and of the external service providers extends solely to the insertion of the codes of the latter, so that no personal data are transferred or transmitted.
The following controllers are able to provide detailed information on the controlling of data by servers of external service providers: Independent measurement and audit of website visits and other web analytics data are assisted by the servers of Google Analytics, Hotjar, Smartlook and Facebook. Detailed information on the treatment of measurement data is available to the controller from www.google-analytics.com, www.hotjar.com, www.smartlook.com and facebook.com. In order to track users and to display customised recommendations, the tracking codes of Google Analytics, Hotjar, Smartlook and Facebook were embedded in the website code.
In order to ensure customised service, external service providers place and read a small data package, a so-called cookie. If the browser returns a cookie saved earlier, the service providers managing that cookie have an opportunity to link the user’s current visit to their earlier visits, but only in respect of their own content.
The user is able to delete the cookie from their own computer or may block the use of cookies in the browser. In general, cookies can be managed in the Tools/Settings menu of the browser under Privacy settings, under the label Cookies.
2.5. Website cookies management
In order to ensure customised service, the website operator installs and reads a small data package, a so-called cookie, on the user’s computer. If the browser returns a cookie saved earlier, the service providers managing that cookie have an opportunity to link the user’s current visit to their earlier visits, but only in respect of their own content. Users may delete the cookie from their own computers, or may block the use of cookies in the browser. In general, cookies can be managed in the Tools/Settings menu of the browser under Privacy settings, under the label Cookies.
The controller as seller does not use cookies to transmit personal data.
Scope of data controlled:
The purpose of data control: Identification and distinction of users, identification of the user’s current session, storage of the data provided during the session, prevention of data loss.
Legal grounds for data control: Data subject’s consent according to Article 6(1)a) of the GDPR, Section 5(1)a) of the Info Act.
The consent granted to data controlling on the basis of Article 6(1)a) of the GDPR may be withdrawn at any time. The withdrawal will not affect the lawfulness of data control carried out on the basis of consent before the withdrawal.
Duration of data control: duration of the session launched by the visitor on the website, 1 year for registered users.
2.6. Registrations on websites
Purpose of data control: to improve and accelerate user experience, facilitate information related to orders, display order history.
In the course of online registration, only personal data absolutely necessary for registration may be controlled.
You have the option to register in the webstore using your Facebook or Google account. In the event you decide to make use of either of these options, the link selected will redirect you to the Facebook Admin/Google LLC page, where the service provider concerned will inform you about the manner in which your data provided to us by them are handled. You may learn about the data privacy guidelines of Facebook or Google by clicking the following link: https://www.facebook.com/about/privacy, https://policies.google.com/privacy
Scope of data controlled: Details listed in the "Scope of data controlled" table set out in section 2.1.
Legal grounds for data control: Data subject’s consent according to Article 6(1)a) of the GDPR, Section 5(1)a) of the Info Act.
The consent granted to data controlling on the basis of Article 6(1)a) of the GDPR may be withdrawn at any time. The withdrawal will not affect the lawfulness of data control carried out on the basis of consent before the withdrawal.
2.7. Building data bases for marketing and commercial purposes
The website operated by the controller offers an opportunity for data subjects to consent to being recorded in the controller’s commercial data base, and to be contacted with relevant offers at the contact details provided by the data subject.
Scope of data controlled:
The purpose of data control: Building a data base, contacting data subjects with the controller’s offers using the contact details provided by the data subject.
Legal grounds for data control: Data subject’s consent according to Article 6(1)a) of the GDPR, Section 5(1)a) of the Info Act.
The consent granted to data controlling on the basis of Article 6(1)a) of the GDPR may be withdrawn at any time. The withdrawal will not affect the lawfulness of data control carried out on the basis of consent before the withdrawal.
Duration of data control: Until the purpose of data control is achieved, for 24 months after the last contact.
Withdrawal of the consent given to registration in the data base and the deletion or modification of personal data may be requested at:
Name | Shiver Kft. |
Address: | 3508 Miskolc, Csaba vezér út 129. |
Phone number | +36705779707 |
2.8. Data control for newsletter subscription
According to Section 6 of the Advertising Act, the subscriber may clearly and expressly consent in advance to be contacted by the service provider on contact details provided at the time of registration with advertising offers and other correspondence, and to the controlling of subscriber’s personal data required for sending commercial offers by the service provider. Subscribers may unsubscribe from receiving offers without restriction and without having to give reasons, free of charge, by clicking on the link included in the e-mail message or in an e-mail sent to . In case of unsubscribing, the service provider will not contact the subscriber with any more advertising offers and will delete the subscriber’s personal data from the register.
Scope of data controlled:
The purpose of data control: Despatch of electronic messages containing advertising, on a custom basis, and information on current promotions, information, products, new products and new functions.
Legal grounds for data control: Data subject’s consent according to Section 6 of the Advertising Act, Section 13/A(4) of the Eker tv., Article 6(1)a) of the GDPR, Section 5(1)a) of the Info Act.
The consent granted to data controlling on the basis of Article 6(1)a) of the GDPR may be withdrawn at any time. The withdrawal will not affect the lawfulness of data control carried out on the basis of consent before the withdrawal.
Duration of data control: Until withdrawal of consent, i.e. unsubscribing from the newsletter.
Withdrawal of the consent given to newsletter subscription and the deletion of personal data may be requested by clicking on the link in the message, and modification of personal data may be requested at the following address:
Name | Shiver Kft. |
Address: | 3508 Miskolc, Csaba vezér út 129. |
Phone number | +36705779707 |
Processor:
Company name | Registered office, website | Data processing activity | Scope of data processed |
SendGrid, Inc. | 1801 California Street, Suite 500, Denver, Colorado 80202 USA | Newsletter mailing service provider. | name (family name, given name); |
2.9. Mandatory data control
2.9.1. Provisions of accounting and tax legislation
Purpose and legal grounds of data control: The data controller controls the accounting documents containing the name and address of the data subject/payer and the data to be indicated mandatorily based on law as mandatory data control based on Article 6(1)c) of the GDPR, Section 5(1)b) of the Info Act, on the basis of Section 169 of the Accounting Act.
Source of data: the data provided by the data subjects.
Scope of data required for achieving the purpose of data control:
Duration of data control: The controller shall control data for 8 years from the date when the data were generated according to Section 169(2) of the Accounting Act.
Data transmission: Hungarian Tax and Customs Authority
Data processing technology: manual and automated data processing.
2.9.2. Complaint management
Purpose and legal grounds of data control: The data controller manages consumer complaints regulated in Section 17/A of the Fgy tv. as mandatory data control based on Article 6(1)c) of the GDPR and Section 5(1)b) of the Info Act.
Source of data: the data provided by the data subjects.
Scope of data required for achieving the purpose of data control:
Duration of data control: The controller shall retain the minutes recorded about the complaint and a copy of the reply for 5 years and present it if requested by auditing authorities, based on Section 17/A(7) of the Fgy tv.
Data transmission: The controller shall retain the minutes recorded about the complaint and a copy of the reply for 5 years and present it if requested by auditing authorities, based on Section 17/A(7) of the Fgy tv.
Data processing technology: manual and automated data processing.
2.10. Other data control
Unless otherwise provided by law, the Hungarian Central Statistical Office (KSH) may receive personal data controlled in the framework of mandatory data control in a manner suitable for individual identification, and may control it in the manner defined by law. Unless otherwise provided by law, personal data recorded, received or processed for statistical purposes may only be controlled for statistical purposes. The detailed rules on control of personal data for statistical purposes are set out in separate law.
The controller will release personal data to authorities only to the extent absolutely necessary for realising the purpose of the inquiry, provided that the authority has indicated the exact purpose and the scope of data.
3.1. Right of access by the data subject
3.1.1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
3.1.2 The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
3.2. Right to rectification
3.2.1. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3.2.2. If the personal data is incorrect and the correct personal data is available to the controller, the controller will rectify the personal data.
3.3. Right to erasure (“right to be forgotten”)
3.3.1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
3.3.2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3.3.3. Sections 3.3.1 and 3.3.2 of the policy shall not apply to the extent that processing is necessary:
3.4. Right to restriction of processing
3.4.1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
3.4.2. Where processing has been restricted under section 3.4.1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3.4.3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
3.5. Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of the GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
3.6. Right to data portability
3.6.1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
3.6.2. In exercising his or her right to data portability pursuant to section 3.6.1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right shall be without prejudice to Article 17 of the GDPR. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right referred to shall not adversely affect the rights and freedoms of others.
3.7. Right to object
3.7.1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
3.7.2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3.7.3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in sections 3.7.1 and 3.7.2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
3.7.4. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
3.7.5. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
3.7.6. The controller will investigate the complaint within the shortest time from the date of submitting the complaint but in no more than 15 days, decide whether it is well-founded, and inform the complainant about its decision in writing.
3.7.7. If the controller finds that the data subject’s complaint is well-founded, it will terminate data control - including additional collection and transmission of data - and lock the data, and will notify all parties to whom it has transmitted the personal data affected by the complaint earlier about the complaint and the measures taken on the basis of the complaint, and such parties must take measures to enforce the right to object.
3.7.9. If the data recipient fails to receive the data required for enforcing its rights due to the data subject’s objection, it may resort to court against the controller within 15 days of the communication of the notification based on section 3.7.7 - in the manner defined in Section 22 of the Info Act - in order to obtain the data. The controller may interplead the data subject as well in the lawsuit.
3.7.10. If the controller fails to give notification according to section 3.7.7, the data recipient may request information from the controller about the circumstances related to the failure of data transmission, and the controller must provide this information within 8 days following the receipt of the data recipient’s request. In case information is requested, the data recipient may resort to the court, contesting the controller, within 15 days of receiving the information, but no later than 15 days from the deadline for providing the information. The controller may interplead the data subject as well in the lawsuit.
3.7.11. The controller may not delete the data subject’s data if data control was ordered by law. However, the data may not be transmitted to the data recipient if the controller agreed with the objection or a court has found that the objection was justified.
3.8. Automated individual decision-making, including profiling
3.8.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
3.8.2. Section 3.8.1 shall not apply if the decision:
3.8.3. In the cases referred to in points a) and c) of section 3.8.2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
3.8.4. Decisions referred to in section 3.8.2 shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
3.9. Communication of a personal data breach to the data subject
3.9.1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
3.9.2. The communication to the data subject shall not be required if any of the following conditions are met:
4.1. Right to lodge a complaint with a supervisory authority
4.1.1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
Contact details of the Authority:
National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c, phone: 1/391-1400, e-mail: ugyfelszolgalat@naih.hu)
4.1.2. No person may suffer any detriment on account of having lodged a complaint with the Authority. The Authority may disclose the identity of the complainant only if the investigation could not be conducted without it. If requested by the complainant, the Authority may not disclose the identity of the complainant even if the investigation could not be conducted without it. The Authority must inform the complainant about this consequence.
4.1.3. The Authority’s investigation is free of charge; the Authority shall advance and bear the costs of the investigation.
4.1.4. The Authority must inform the client about the developments of the procedure related to the complaint and the result of that procedure, including the fact that based on Article 78 of the GDPR, the client may seek legal remedy before the court.
4.2. Right to an effective judicial remedy against a controller or processor
The data subject may bring an action against the controller before the court where the data subject’s rights are infringed. The court will proceed in the case on an expedited basis. The data subject may, at his or her discretion, initiate the lawsuit before the court having competence at either the data subject’s permanent or temporary place of residence.
4.3. Representation of data subjects
The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights on his or her behalf, and to exercise the right to receive compensation on his or her behalf where provided for by Member State law.
4.4. Right to compensation and liability
4.4.1. Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.
4.4.2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
4.4.3. Where the controller violates the data subject’s personality rights by unlawfully controlling the data subject’s data or breaching the requirements of data security, the data subject may claim compensation.
4.4.4. The controller shall be liable for damage caused by the processor vis-a-vis the data subject, and the controller shall pay the compensation due to the data subject in the event of a violation of personality rights caused by the processor as well. The controller shall be released from liability for damage caused and payment of compensation if it proves that the damage or the infringement of the data subject’s personality rights was caused by an inevitable reason outside the scope of data control.
4.4.5. No damages shall be paid and no compensation may be claimed to the extent that the damage was caused by the aggrieved party, or the aggrievement caused by infringement of personality rights arose out of the wilful or seriously negligent conduct of the data subject.
4.4.6. The court procedure for enforcing damages or compensation shall be instituted before the court having competence according to the law of the Member State where the controller or processor pursues its activities.
Effective from 2022-05-01