Privacy Policy

Effective from May 25, 2018 until revocation

The present Document (’Policy’) provides information relating to the processing of Your data and Your rights with regard thereto, in compliance with the Regulation (EU) 2016/679 of the European Parliament and the Council concerning the protection of natural persons with regard to the processing of Personal Data and rules relating to the free movement of personal data as well as the repeal of 95/46/EC (’GDPR’) and the current Hungarian legislation.

Definitions

The terms used in this Policy are meant to be understood as defined by the GDPR:

Personal Data: any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller: the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processor: the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller;

Consent of the Data Subject: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to them;

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

Data Subject: any natural person who is, or can be, identified, directly or indirectly by reference to any instance of Personal Data.

 

CHAPTER 1

THE CONTROLLER

For the purposes of the present Policy, with regards to the data processing described, ‘Controller’ shall refer to

KYAT EVENT Rendezvényszervező és Produkciós Iroda Korlátolt Felelősségű Társaság

(shortened: KYAT EVENT Kft.; registered office: 1048 Budapest, Homoktövis utca 118. 2. em. 9.; trade registry number: 01 09 197414; VAT number: 25060551-2-41; phone number: + 36 30 468 7891; e-mail address: info@kyat.hu; website: http://www.kyat.hu, ’Controller’ or ’KYAT’).

The Controller undertakes to, prior to processing any Personal Data, notify Data Subject in a clear, prominent, and unambiguous message about, among others, the method, purpose, and principles of data processing.

 

CHAPTER 2

METHOD AND PRINCIPLES OF DATA PROCESSING

The Controller considers it of paramount importance to respect the right to self-determination of its clients and is committed to the high-level protection of the Personal Data it processes. The Controller keeps Personal Data strictly confidential and takes any security, technical, and organizational measure to ensure the safety thereof and to prevent any accidental loss or unauthorized destruction, alteration, distribution, or access.

The Controller handles Personal Data, in accordance with the principle of good faith and fair dealing, in a transparent manner and for a specific purpose, conforming to the current legislation and the provisions set forth by the present Policy and does everything to facilitate the Data Subject’s exercise of their rights.

The scope of Personal Data processed is in proportion with the purposes of data processing; accordingly, the Controller does not process any Personal Data that is not essential with regard to the purposes of data processing or has no legal basis or that the Controller has no legal basis for processing.

In cases where the legal basis for processing data is constituted by the consent of the Data Subject, the Controller ensures that the revocation consent is no more complicated than giving consent was. Revocation of consent does not affect the lawfulness of data processing occurred prior to such revocation.

In cases where the legal basis for processing data is the legitimate interest of the Controller, the Controller conducted or will conduct a balancing test concluding that the legitimate interests of the Controller override the fundamental rights and freedoms of the Data Subject relating to data processing. Upon request, the Controller provides the Data Subject information concerning the provisions of this paragraph.

In cases when the Controller is processing Personal Data given by the Data Subject, the Controller does not verify the accuracy of the data provided. The person submitting such data is solely responsible for the accuracy thereof. The Controller does not process the Personal Data of those under the age of 16.

The Controller has not designated a Data Protection Officer, as it is legally exempted from having to do so.

 

Chapter 3

PROCESSORS

The Controller relies exclusively on Processors with whom it signed a data processing contract and who can provide sufficient guarantees to implement technical and organizational measures which will meet the requirements set forth by the current legislation on data processing and ensure the protection of the rights of the Data Subjects. The Processor does not transfer Personal Data to third parties unless legally required to do so.

The Controller authorizes the following persons to act as Processors on the behalf thereof:

  1. 1. As the IT service provider for hosting, operating and managing the website at http://kyat.hu (’Website’):

MAXER Hosting Kft. (registered office: 9024 Győr, Répce u. 24.; trade registry number: 08-09-013763; VAT number: 13670452-2-08)

First Voice Kft. (registered office: 8060 Mór, Kert u 18.; trade registry number: 07-09-018300; VAT number: 14277351-2-07)

  1. For postal services; ordinary and parcel delivery:

Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6.; trade registry number: 01-10-042463; VAT number: 10901232-2-44)

Magyar Posta Csomaglogisztika Kft. (registered office: 1138 Budapest, Dunavirág utca 2-6.; trade registry number: 01-09-308326; VAT number: 26217299-2-41)

Tündér Tempo Clean Kft. (registered office: 1043 Budapest, Pozsonyi utca 6/A 1. em. 14.; trade registry number: 01-09-197604; VAT number: 24750383-2-41)

HAJTÁS PAJTÁS Kft. (registered office: 1074 Budapest, Vörösmarty utca 20.; trade registry number: 01-09-278553; VAT number: 11954161-2-42)

  1. As HR consultant and recruitment partner:

Gál Krisztina Edina EV. (registered office: 2086 Tinnye, Bocskai utca 9.; private entrepreneur register number: 37437285; VAT number: 66671921-1-33)

 

CHAPTER 4

SCOPE OF DATA PROCESSED

  1. Use of Cookies
  1. a) General Information

Cookies are data packages consisting of letters and numbers that websites place in the browser of the user to store certain settings, facilitate the use of the website, and help collect statistical data. Cookies do not contain personal information and cannot be used, in themselves, to identify the user. Some cookies disappear after the website has been closed, others may remain on the device for a longer period of time. The user can prevent any future activities related to cookies and can delete any cookies placed during pas visits to the website. Please visit the help site of your specific browser for more detailed instructions.

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer

Explorer, Edge: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies

  1. b) Functionality cookies – Cookies that are necessary for the proper functioning of the Website

The Controller may place cookies on the visitors of the Website for the proper functioning thereof. These cookies are essential: they are necessary for navigating on the Website and for certain functions to even work. Without these cookies, the Website, or certain elements thereof, may be displayed incorrectly, or not at all. Cookies store the IP address of the device used by the visitor, the time and date of the visit, the type of operating system used, and the specific subpages visited.

In the case of functionality cookies, the sole purpose of data processing is to ensure the proper functioning of the Website.

The duration of data processing is limited to the time spent on the Website by the Data Subject – after the session ends or the browser is closed, this type of cookie is automatically deleted from your device.

As the proper functioning of the Website is the legitimate interest of the Controller, the legal basis for data processing is this legitimate interest as defined by Article 6(1)(f) of the GDPR, which is also protected under Article 13/A(2) of the Act No. CVIII of 2001 on certain issues of electronic commerce services and information society services, according to which the service provider may process the Personal Data that constitute a technical necessity for the provision of the service in question.

Recipients of the Data are the employees and Processors of the Controller who are in charge of the operation of the Website.

  1. c) Other cookies

Upon downloading certain element of the Website, Google Inc.’s Google Analytics automatically stores small data files on the user’s device which may contain Personal Data in some cases. The IP number Google Analytics receives through the browser is always pseudonymized, which means that it can no longer be attributed to a specific user. Data is stored 26 months, but the retention period resets each time there is user activity (such as starting a new session). The Controller asks the user’s permission to use this type of cookie upon the user’s first visit to the Website via a tick box in a pop-up window. For further information on the file name (‘_ga’) and purpose of these data files please visit the following link:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

To prevent Google Analytics from collecting data about your visit to our Website, add the following extension to any browser:

https://tools.google.com/dlpage/gaoptout

If a user has cookies from Facebook on their device – either because they have a Facebook account or from a previous visit to Facebook.com – their browser sends data when they visit a website with the ‘Like’ button or any other social plugin (such as our Website). To read more about this, visit:

https://www.facebook.com/help/206635839404055?hc_location=ufi

The Website uses YouTube to store and display video content. These cookies are set up by YouTube to track the use of its services. YouTube cookies (‘VISITOR_INFO1_LIVE’; ’YSC’) are only placed on your device upon pressing the ‘play’ button. Follow the link below to learn more:

https://policies.google.com/privacy?hl=en&gl=uk

The Controller might further place other cookies on the user’s device which collect data for statistical purposes. Certain cookies might serve the purpose of enhancing user experience and comfort; these cookies detect and save the type of device that was used to visit the Website or how the user customized the display of the Website (i.e. changes in font size or style).

The legal basis for the data processing detailed in this section is the consent of the Data Subject, which is given by clicking on a button appearing in a pop-up window appearing upon visiting the Website. This is also where the Data Subject can accept or opt out of specific cookie types. By giving consent, the Data Subject affirms that they have read and understood the present Policy.

The Controller processes this data until, in the case of third-party cookies, the end of the retention period defined by the third party or until the deletion of the cookie, and in any other case, for a maximum of 6 months.

Recipients of the Data are the employees and Processors of the Controller who are in charge of the operation of the Website.

 

  1. Data Processing with relation to the ‘Career’ Subpage of the Website

Visitors may apply for an open position at the Controller by filling out the application form that can be found in the menu under ‘Career’. For the purpose of contacting the applicant, the Controller processes the name and e-mail address of the Data Subject. Data Subject may also add their phone number or upload their CV.

The Personal Data provided is processed exclusively for the purpose of contact insofar as it relates to the position advertised and the application, and solely if the Data Subject has consented to such processing by ticking the appropriate box on the application form. The legal basis for data processing in this case is constituted by the consent of the data subject (Article 6(1)(a) of the GDPR). The Controller retains this data for 3 months after the expiration date of the job posting (or, in lack thereof, until the deletion of the posting from the Website), after which the data is deleted.

If the Data Subject is not offered a position by the Controller after submitting their application, they may be contacted in a separate e-mail or letter by the Controller wherein Controller asks for consent to retain the CV of the Data Subject as well as other data necessary for contacting them (i.e. name, e-mail address, phone number) for a period exceeding the aforementioned time in case of a future opening in the position in question. The Data Subject can preemptively consent to this by ticking the corresponding box on the application form. The legal basis for data processing in this case is constituted by the consent of the Data Subject (Article 6(1)(a) of the GDPR). With the consent of the Data Subject, the Controller continues to process the data for 5 years, after which it is deleted.

By filling out the other form that can be found in the menu under ‘Career’, the Data Subject may express their wish to be added to the Controller’s database in order to be notified of any future openings. In this case, the Controller processes the name and e-mail address of the applicant (applicants may also add a phone number or upload their CVs). The submitted personal data is processed exclusively for the purpose of contacting the Data Subject in the event of a job opening, insofar as it relates to such opening, if the Data Subject has consented to such processing by ticking the corresponding box on the application form. The legal basis for data processing in this case is constituted, again, by the consent of the Data Subject (Article 6(1)(a) of the GDPR). The Controller processes the data for 5 months after submission, after which it is deleted.

Recipients of the data and entitled to be apprised of the data are the chief executives of the Controller and the employees in charge of human resources.

 

  1. Applications Received Via E-mail or by Other Means

The Controller may enlist the help of third-party service providers such as HR consultants or recruitment agencies for the advertising of its job openings as well as to contact possible candidates. For the purposes of this Policy, these third-party service providers also qualify as Processors. The Data Subject may apply for the position advertised via e-mail or using the online interface of the third-party service provider. By doing so, the Data Subject affirms that they have read and understood the present Policy and consents to having their name, e-mail address and any further data they provided (such as their phone number or CV) processed by the Controller and/or the Processor.

The data submitted is used exclusively for the selection process and for contacting the applicant insofar as it relates to the position advertised and the application. The legal basis for data processing in this case is constituted by the consent expressed by submission of this data via e-mail or given on the online interface of the processor (Article 6(1)(a) of the GDPR). By submitting their data via e-mail, Data Subject also affirms that they have read and understood the present Policy.

The Controller processes the data for 3 months after the expiration date of the job posting, after which it is deleted. Recipients of the data and entitled to be apprised of the data are the chief executives of the Controller and the employees in charge of human resources.

If the Data Subject is not offered a position by the Controller after submitting their application, they may be contacted in a separate e-mail or letter by the Controller wherein Controller asks for consent to retain the CV of the Data Subject as well as other data necessary for contacting them (i.e. name, e-mail address, phone number) for a period exceeding the aforementioned time in case of a future opening in the position in question. The legal basis for data processing in this case is constituted by the consent of the Data Subject (Article 6(1)(a) of the GDPR). With the consent of the Data Subject, the Controller continues to process the data for 5 years, after which it is deleted.

In the event that the Data Subject makes a request the Controller via e-mail or by other means, the Controller, insofar as it is necessary for responding to such request, processes the name, e-mail address, and phone number of the Data Subject and communicates the processing of said data by including a link to the present Policy, or by other means.

The legal basis for such processing is the legitimate interest of the Controller, specifically the interest of the Controller in being able to respond to any incoming requests or complaints and to provide sufficient information to clients.

The duration of processing does not exceed that necessary for resolving the complaint or responding to or fulfilling the request submitted.

The Controller deletes the Personal Data when it is evident from the message that no further response or contact is needed, but at least within 6 months upon receipt of the message, unless the legitimate interest of the Controller necessitates the further processing of the Personal Data (e.g. in the case of complaints related to consumer protection), in which case, the Personal Data is deleted within 8 days after the legitimate interest no longer applies.

Recipients of the Data are the employees the Controller in charge of customer service.

 

  1. Data Processing in the Context of a Contract Between KYAT and a Client

For the purposes of entering into a contract or the retention, performance, and termination of its contracts, KYAT processes the Personal Data of its natural person client, such that is necessary for the implementation of the contracts (name, name at birth, date of birth, mother’s name, address, e-mail address, taxpayer identification number, ID card identification number, personal identification number, registered office, phone number, e-mail address, bank account number).

 

The legal basis of data processing in this case is the performance of the contracts (Article 6(1)(b) of the GDPR).

The duration of processing is limited to 5 years after the termination of the contract, unless otherwise required by legislation.

KYAT processes the Personal Data of the contact person representing a legal-entity partner necessary for contacting said person (name, phone number, e-mail address, address).

KYAT also processes the Personal Data of the contact person representing a legal-entity partner necessary for contacting said person (name, phone number, e-mail address).

The purpose of and legal basis for the processing is the performance of the contracts (Article 6(1)(b) of the GDPR), as well as the legitimate interest of the Controller with regard to the enforcement of any future claims to remedy or other claims arising in relation to the contracts and the legitimate interest to facilitate entering into future contracts and to maintain business relationships with the clients (Article 6(1)(f) of the GDPR).

The duration of processing is limited to 5 years after the termination of the contract, unless otherwise required by legislation.

Recipients of the data are, in all cases, the chief executives of KYAT, the employees in charge of sales and customer service, and the Processors of KYAT.

 

  1. Data Processing for the Purpose of Compliance with Accounting and Tax Obligations
    and Making Payments

For the purpose of fulfilling its accounting and tax obligations as prescribed by legislation, KYAT also processes the Personal Data of the natural persons entering into a contractual business relationship therewith, such that it is required to process by law.

As per Sections 169 and 202 of the Act no. CXXVII of 2017 on value-added tax, the data KYAT is required to process shall be the VAT number, name, address, tax status of the Data Subject; additionally, as per section 167 of the Act no. C of 2000 on accounting, KYAT is also required to process the name and address of the Data Subject, the name of the person or body ordering the economic transaction, the signature of person effecting payment and verifying execution, as well as, depending on the organization, the signature of the inspector; in documents of movements of inventories and liquid assets receipts, the signature of the recipient, and the signature of payer in counter-receipts; and, as per the Act no. CXVII of 1995 on personal income tax, the private entrepreneur license identification number or the small-scale producer license identification number of the Data Subject.

The legal basis of data processing in this case is the compliance with legal obligations (Article 6(1)(b) of the GDPR).

The Personal Data processed shall be retained for the period specified by legislation, usually for 8 years after the termination of the relationship constituting the legal basis of processing.

Recipients of the data are the chief executives of KYAT, the employees in charge of tax payment, accounting, remunerations and social security contributions and payments.

For the purpose of complying with the tax obligations and obligations to pay contributions (the determination of the advance tax, and contributions to be paid, payroll preparations, and administration related to social security) prescribed by legislation, KYAT processes the Personal Data of those Data Subjects – employees and the relatives thereof, employed workers, and others receiving remunerations from the Controller – with whom the Controller is in a disbursement relationship (Section 31 of Article 7 of the Act no. CL of 2017 on the rules of taxation), such that the Controller is required to process by tax legislation.

As per Section 50 of Article 7 of the Act on the Rules of Taxation, the Controller is required to process the person identification data (including the name and title), gender, nationality, tax identification number and social security identification number (‘TAJ’ number) of the natural person Data Subject. If the current tax legislation makes provisions for legal consequences for the absence of such processing, KYAT may process data concerning health (Section 40 of the Act on Personal Income Tax of 1995) and union membership (Section 47 of the Act on Personal Income Tax of 1995) for the purposes of complying with tax obligations and obligations to pay contributions (payroll preparations and administration related to social security).

The legal basis for such processing of Personal Data is the compliance with the aforementioned legal obligations (Article 6(1)(b) of the GDPR).

The Personal Data processed shall be retained for the period specified by legislation, usually for 8 years after the termination of the relationship constituting the legal basis of processing.

Recipients of the data are the chief executives of KYAT, the employees in charge of tax payment, accounting, remunerations and social security contributions and payments.

 

CHAPTER 5

ON THE RIGHTS OF THE DATA SUBJECT

  1. The Rights of the Data Subject

With regard to data processing performed by KYAT, the Data Subject has the following rights:

  • The right to transparent information, communication and modalities for the exercise of the rights of the data subject;
  • The right to be informed prior to having their data processed;
  • The right to be informed and have access to information where the personal data have not been obtained from the data subject;
  • The right to have access to information on data processing and the data processed (Right of Access, Article 15 of the GDPR);
  • The right to the rectification of inaccurate data and the completion of incomplete data (Right to Rectification, Article 16 of the GDPR);
  • The right to request the erasure of Personal Data and, if such data has been made public, to require the Controller to inform any other Controller processing said data of the request of the Data Subject (Right to Erasure, Article 17 of the GDPR);
  • The right to request the restriction of data processing (Right to Restriction of Processing, Article 18 of the GDPR);
  • The right to be notified of the rectification or erasure of Personal Data or the restriction of processing (Article 19 of the GDPR);
  • The right to receive the Personal Data concerning them in a structured, commonly used, and machine-readable format and to request the transmission of said data to a third-party Controller (Right to Data Portability, Article 20 of the GDPR);
  • The right to object to the processing of personal data to cease such processing (Right to Object, Article 21 of the GDPR);
  • The right not to be subject to a decision based on automated processing (Automated Individual Decision-making, Article 22 of the GDPR);
  • The right to be notified in the event of a data breach (Communication of a Personal Data Breach to the Data Subject, Article 34 of the GDPR);
  • The right of the Data Subject to filing a complaint with a supervisory authority if they consider that the data processing infringes upon the provisions of the GDPR (Right to Lodge a Complaint with a Supervisory Authority, Article 77 of the GDPR);
  • The right to an effective judicial remedy against a supervisory authority (Article 78 of the GDPR);
  • The right to an effective judicial remedy against the Controller or the Processor; (Article 79 of the GDPR);
  • The right to withdraw consent at any time to cease the processing of Personal Data where the legal basis of such processing is constituted by the consent of the Data Subject. The withdrawal of consent does not affect the lawfulness of processing prior to the withdrawal of consent. (Right to Withdraw Consent, Article 7 of the GDPR)

To facilitate the exercise of the aforementioned rights, the Data Subject may at any time, without restrictions to form or substance, make a request to KYAT, using the contact details provided in the present Policy.

The Dara Subject has the right to lodge a complaint with a supervisory authority if they consider that their rights have been violated or that the processing of Personal Data relating to them infringes upon the provisions of the GDPR.

The Hungarian supervisory authority is the Nemzeti Adatvédelmi és Információszabadság Hatóság [National Authority for Data Protection and Freedom of Information] (registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; postal address: 1530 Budapest, Pf. 5.; phone number: : 06 -1- 391-1400; telefax: 06-1-391-1410; e-mail: ugyfelszolgalat@naih.hu).

  1. Detailed Rights of the Data Subject

The Data Subject may make a request to KYAT to be informed whether any of their Personal Data is being processed by KYAT and if so, to be given access to any such data. The information requested may include the source of the data being processed, the purpose, duration and legal basis of processing, the identity and contact details of any Processors handling the data, any activity related to the processing and, in case of transmission of the Personal Data, the identity of the recipient or recipients and the purpose of the transmission.

The Data Subject has the right to be made aware of the facts and information related to the processing of their data before such processing takes place. This is the purpose of the present Policy. The information provided must at least include the contact details of KYAT and its representative, the intended purpose of the data processing operations, the legal basis for such operations and, in the case of data processing based on legitimate interest, the legitimate interest of KYAT or the third party concerned, the recipients of the Personal Data processed and the classification of the recipients (if applicable), and the fact that the controller intends to transfer the Personal Data to a third country or international organization (again, if applicable). The information provided, including that on the rights of the Data Subjects and any actions taken by KYAT shall be free of charge with the exceptions set out in the GDPR (Article 12).

In case of restriction of the processing of Personal Data, such Personal Data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Data Subject shall have the right to obtain from KYAT restriction of processing upon request where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  4. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

KYAT shall inform the Data Subject in the event that the restriction of processing is lifted.

The Data Subject has the right to receive the personal data concerning them, which they have provided to KYAT, in a structured, commonly used and machine-readable format and the right to transmit those data to another Controller, if the processing is based on the consent of the Data Subject or on a contract and if the processing is carried out by automated means (Right to Data Portability, Article 20 of the GDPR), provided that the exercise of this right does not adversely affect the rights and freedoms of others.

KYAT undertakes to, in the event that wishes to process the Personal Data for a purpose other than that for which they were originally collected, provide the data subject prior to that further processing with information on that other purpose and other necessary information.

In the case of data transfers to third countries or international organizations, the Data Subject has the right to be informed of the appropriate safeguards pertaining to such transfer of data.

The Data Subject has the right to obtain from KYAT, without undue delay, the rectification of inaccurate personal data concerning them.

Taking into account the purposes of the processing, the Data Subject has the right to have incomplete personal data completed – including by means of providing a supplementary statement.

The Data Subject has the right to obtain from KYAT the erasure of Personal Data concerning them without undue delay and KYAT has the obligation to erase Personal Data without undue delay if:

  1. the Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
  3. the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. the Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  5. the Personal Data have been collected in relation to the offer of information society services offered directly to a child.

The right to erasure is not enforceable to the extent that processing is necessary for:

  1. exercising the right of freedom of expression and information;
  2. compliance with a legal obligation which requires processing by Union or Member State law to which KYAT is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. reasons of public interest in the area of public;
  4. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. the establishment, exercise or defense of legal claims.

KYAT undertakes to inform any recipients to whom the data has been disclosed of any rectification, erasure or restriction of processing unless this proves impossible or involves a disproportionate effort. Data Subject has the right to be informed of the identity of such recipients upon request.

The Data Subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of Personal Data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions in which case KYAT shall no longer process the Personal Data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

To be noted with regard to data processed for direct marketing purposes: where Personal Data are processed for direct marketing purposes, the Data Subject has the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the Personal Data shall no longer be processed for such purposes.

Where Personal Data are processed for scientific or historical research purposes or statistical purposes, the Data Subject has the right to, on grounds relating to his or her particular situation, object to processing of Personal Data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right is not enforceable where the decision is necessary for entering into, or performance of, a contract between the Data Subject and KYAT; is authorized by Union or Member State law to which KYAT is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent. In the aforementioned cases, KYAT shall implement suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of KYAT, and to express his or her point of view and to contest the decision.

  1. Requests Made by the Data Subject, Actions Taken by KYAT

If, to facilitate the exercise of their rights or for any other reason related to privacy, the Data Subject makes a request towards KYAT, KYAT shall, without undue delay, but at least within a month of receipt of the request, notify the Data Subject about the action taken on their request.

The period set forth above may be extended by an additional two months if the complexity of the request or the number of requests received justifies such an extension. KYAT shall inform the Data Subject of the extension, along with the reasons for the delay, within a month of receipt of the request.

Where the Data Subject makes the request by electronic means, if possible, the information shall be provided in an electronic form, unless otherwise requested by the Data Subject.

If KYAT does not take action on the request of the Data Subject, it shall inform the Data Subject without delay, but at least within a month of receipt of the request, informing the Data Subject of the reasons for non-action and on the possibility of filing a complaint with a supervisory authority or having recourse to a judicial remedy.

Close Menu
×
×

Cart

We use cookies for the better performance.