Privacy Policy

PRIVACY POLICY

on the personal data processing of HolistiCrm Kft on its www.holsiticrm.com website

 

This Privacy Policy (hereinafter: “Policy”) introduces the details of the data processing carried out by HolistiCrm Kft (registered seat: 01-09-200582, hereinafter: “Data Controller”) in connection with the personal data provided by the visitors of the website www.holsitcrm.com for the purpose that before providing any personal data and consent for processing the visitors can have a clear picture of the purpose and the conditions of the data processing, as well as the possible risks and guarantees in relation thereof and also their rights as data subjects.

 

Registration is not a requirement for visiting the website. Other than the data processing described in this policy Data Controller do not collect personal data from the visitors of the website in any other way.

 

Data Controller undertakes to ensure the rights granted by the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: “Privacy Act”), as well as the General Data Protection Regulation 2016/679 of the EUROPEAN PARLIAMENT AND COUNCIL (EU) (April 27, 2016) (hereinafter: “GDPR”), furthermore Data Controller undertakes to comply with the requirements pertaining to the processing of the personal data of the Data Subjects.

 

1. Data Controller

 

Name: HolistiCrm Tanácsadó Korlátolt Felelősségű Társaság

Registered seat and mailing address: 1182 Budapest, Tarkő u. 62.

Registration number: 01-09-200582

Authority keeping the register: Metropolitan Court of Registration

Tax number: 25115486-2-43

Webpage: https://holisticrm.com

Person to contact: Fekete Csaba Csongor

E-mail: csongor.fekete@holisticrm.com

Tel.: +36304455446

 

2. Data processing on the website

 

Data Controller processes the persona data of the visitors of the website, as data subjects (hereinafter “Data Subjects”) as described under Sections 2.1-2.3 below. Data Controller shall under no circumstances collect sensitive personal data, including genetic, biometric, health-related, and criminal data. Data Controller shall under no circumstances collect personal data from children under 16 years of age.

No profiling or automated decision making takes place during the data processing by Data Controller.

 

2.1 Contact form

In the event the visitors of the website would like to get in contact with Data Controller for example to make inquiries or request offers from Data Controller they may voluntarily fill out and submit the contact form(s) available at https://holisticrm.com. By the submission of this contact form the Data Controller will receive and process the personal data indicated on the form.

 

The purpose of the processing

The personal data may only be processed for the purposes indicated by the data subject submitting the form. For example answering inquiries, sending information on services provided by Data Controller, or sending offers for services.

 

Data subjects:

Visitors of the website filling out and submitting the contact form.

 

The scope of personal data processed and the source of the data:

– First name, last name

– e-mail address,

– telephone number

– name of company represented (not compulsory),

– text written by the visitor in the contact form.

Source of the personal data: data directly provided by the Data Subjects.

 

The legal grounds of the processing:

The data processing is based on the voluntary consent of the Data Subject as per Article 6 section (1) subsection a) of the GDPR.

 

Term of the data processing

After contacting the Data Subject and sending answer to his/her inquiries if no legal relationship (e.g. agreement) is established between the Data Subject and the Data Controller, the Data Controller shall erase the data within 24 months from the date of the last communication received from the Data Subject. Data Subject may request the erasure of his/her data prior to this date also at any time.

 

In the event as a result of the contact legal relationship (e.g. agreement) is established among the Data Subject and the Data Controller then Data Controller may keep on processing the personal data of the Data Subject for other purposes and under different legal grounds of which Data Controller will notify the Data Subjects upon their occurrence.

 

Persons having access to the personal data

Persons having access to the data at Data Controller: such persons within the organization of Data Controller who will be involved in answering to the inquiries of the Data Subject.

Section 3 of this Policy contains the data processors and the data forwarding(s) applied by Data Controller.

 

2.2 Direct marketing communications

 

The purpose of the processing

The Data Controller wish to send, disclose to the natural persons applying through its website newsletters, direct marketing communications (advertisements), offers for the purpose to introduce, promote and enhance visibility of Data Controller’s services, products, activity, and to send invitations to the professional programs, events held by Data Controller. Data Controller will not send marketing communication of third parties.

Data Subjects may receive such direct marketing communication from the Data Controller upon their choice by:

– email and/or

– post and/or

– verbally (phonecalls) and/or

– by way of advertising (banners) appearing on platforms used by the Data Subjects such as Facebook, Google, Microsoft, Waze, LinkedIn, TikTok.

 

Data subjects:

Visitors of the website filling out and submitting the contact form and also consenting the direct marketing communication.

 

The scope of personal data processed and the source of the data:

– First name, last name

– e-mail address,

– Phone number

– name of company represented (not compulsory),

– choice of Data Subject regarding the method/platform of direct marketing communication – (Email, SMS, phone, Google/ Meta, Ads platform.).

Source of the personal data: data directly provided by the Data Subjects.

 

The legal grounds of the processing:

Under Hungarian law advertisements may only be disclosed to natural persons as addressees by way of direct contacting (especially by way of electronic mail or other similar individual communication tools) if the addressee of the advertisement has in prior unilaterally and specifically approved such disclosure [Act XLVIII of 2008]. Now therefore in connection with the direct marketing communication pursued by Data Controller the data processing is based on the voluntary consent of the Data Subjects as per as per Article 6 section (1) subsection a) of the GDPR.

 

The main legislation pertaining to the above data processing are the GDPR, the Privacy Act and the Act XLVIII of 2008 on the basic conditions and certain limitations of commercial advertisements.

 

Term of the data processing

Personal data processed with the consent of the Data Subject shall be erased upon the request of the Data Subject at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

We shall erase the processed personal data without delay if the purpose of the data processing has ceased to exist (Data Processor does not send direct marketing communication any more).

In the lack of withdrawal of consent by the Data Subject the data processing shall not exceed 10 years from Data Subject has provided his/her consent for the processing.

 

Persons having access to the personal data

Persons having access to the personal data at Data Controller: such persons within the organization of Data Controller who will be involved in the direct marketing activities of the Data Controller.

Section 3 of this Policy contains the data processors and the data forwarding(s) applied by Data Controller.

 

2.3 Cookies

 

Data Controller applies cookies on its www.holisticrm.com website, which have been described in details in the Cookie Policy available at www.holisticrm.com. The Cookie Policy among others describe how cookies process personal data, including the purpose of processing, its legal grounds, term and other conditions.

 

3. Data processors and data forwarding

 

Data Controller involves the following data processors – natural or legal persons carrying out personal data processing on behalf of Data Controller – in the course of the data processing defined in this Policy:

 

a. Name: Google Inc.

Seat: Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland

Activity: could service

Data processed: Data saved and stored in the cloud used by Data Controller, pertaining to all data processing of Service Provider

 

b. Name: Hubspot Inc.

Seat: Berlin, Am Postbahnhof 17

 

c. Name: Meta Inc

Address: 4 Grand Canal Quay, Square, Dublin, D02 X525, Ireland

 

Should Data Controller change the service providers/platforms used for communication, data storage and advertising then the data processors may change. Data Controller will inform the Data Subjects about the changes in the data processors by the modification of this Policy if the other terms of the processing remain the same.

 

Data forwarding to external recipients other than the data processors: personal data shall not be forwarded to external recipients (other data controllers).

 

Should the data processing require transfer of any of the personal data outside the European Union to third countries or international organizations, then any such transfer will only take place upon compliance with the prevailing provisions of the GDPR on such data forwarding and the level of protection guaranteed by the GDPR is also ensured.

 

4. Security of the data

 

Data Controller undertakes to ensure the protection of the personal data it processes, and to implement the technical and organizational measures required by legislation, as well as other privacy and confidentiality regulations. The data must be protected by appropriate measures, especially against unauthorized access, transformation, transfer, disclosure, deletion or destruction, accidental destruction or damage, as well as against becoming inaccessible due to changing the used technical solution.

 

5. Rights of the Data Subjects

 

With regard to their personal data processed by the Data Controller and its data processors the Data Subjects are entitled to the followings:

a) to receive information about the facts pertaining to the data processing (“right to prior information”);

b) to obtain their personal data and all information related to their processing from the data controller (“right to access the data”);

c) to have their personal data rectified or amended by Data Controller (“right to rectification”);

d) to have the processing of their personal data limited by Data Controller (“right to restriction”);

e) to have their personal data erased by Data Controller (“right to deletion”);

f) right to data portability;

g) right to object.

 

a) Right to information

Data Controller shall inform the Data Subjects about the data processing carried out by Data Controller or its processors prior to or promptly after starting the data processing procedure, specifically about the purpose, legal basis, and duration of the data processing, the source of the processed personal data, the name and contact information of the data controller, the data processor, their contact persons, its activities related to the data processing, about the circumstances, impact and the countermeasures taken related to any personal data breach, the rights of the Data Subjects and the methods for enforcing these, and where data transfer takes place, about the legal basis for and the recipient of the transfer of the Data Subject’s personal data, together with any other relevant circumstances. Data Controller may delay, limit, or disregard the Data Subjects’ right to prior information in the cases determined by the Privacy Act.

 

b) Right to access the data

Upon request of the Data Subject, Data Controller shall provide information about whether the Data Subject’s personal data are processed by Data Controller or by its processors. If the personal data of the Data Subject are processed by the Data Controller or its processors, Data Controller shall provide the Data Subjects their personal data subject to data processing, together with the information required by the GDPR (scope of data and their source, legal grounds of processing, recipients of data transfers, terms of processing, rights of the Data Subjects, any incidents, their impacts and repair). Data Controller may limit or disregard the Data Subjects’ right to access their personal data only in cases determined by the Privacy Act.

 

c) Right to rectification

Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Considering the purposes of the processing, the Data Subjects shall have the right to have incomplete personal data completed, including by means of providing supplementary statement.

 

d) Right to restriction

Data Controller shall restrict the data processing,

– if the Data Subject disputes the accuracy, correctness, or completeness of the processed personal data, and the accuracy, correctness, and completeness may not be established conclusively, for the period until the existing doubts are clarified;

– if the deletion of the data would be appropriate, but based on the written statement of the Data Subject or the information at Data Controller’s disposal there are reasonable grounds to assume that the deletion of the data would harm Data Subject’s legitimate interests, for the period until the legitimate interest serving as the basis for disregarding the deletion exists;

– if the deletion of the data would be appropriate, but it is required to retain the data as evidence in any investigations or procedures – especially criminal proceedings – carried out by or with the participation of Data Controller or any bodies with public function, until the investigation or procedure is concluded definitively or in a legally binding way.

During the restriction personal data affected thereby may only be subject to storage; other processing of the data may solely be carried out if it is necessary for the legitimate interests of the Data Subject, or in accordance with the requirements of the relevant legislation, international contracts or the binding legal measures of the European Union. When the data processing restriction is terminated, Data Controller shall inform the Data Subject about the end of the restriction in advance.

 

e) Right to deletion (right to be forgotten)

Data subjects shall have the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay and the Data Controller shall erase their personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) Data Subject withdraws consent on which the processing is based and there is no other legal ground for the processing;

(c) Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation under prevailing rules of law;

(f) the personal data have been collected in relation to the offer of information society services.

 

f) Right to data portability

Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means.

 

g) Right to object

Data Subjects shall have the right to object at any time to processing of their personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

 

6. Enforcement of rights, legal remedies in connection with data processing

 

6.1 Contacting the Data Controller

For the sake of enforcing your rights or if you have any questions, doubt about your data processed by the Data Controller or if you request information or wish to submit a complaint about your data or wish to exercise any of your rights under Section 5 you may do so as a request by a data subject in letter, e-mail sent to the availabilities of the Data Controller.

Upon receiving a request from Data Subjects the Data Controller without undue delay within the deadline defined by current legal regulations shall examine the case, take measures in connection with the request and provide information to the Data Subject. If required considering the complexity and number of requests this deadline may be extended according to law. If Data Subject has submitted its request by electronic means, then the information shall be provided to the Data Subject in a commonly used electronic form unless otherwise requested by the Data Subject.

Should the Data Controller fail to take measures without delay based on the request by the Data Subject at the latest within the deadline defined by law then it shall inform the Data Subject about the reason of the lack of measures, the reasons of denying the request and that the Data Subject may initiate a court or other administrative out of court procedure as follows.

 

6.2 Initiating a court procedure

Data Subject may initiate a lawsuit against the Data Controller, if in their view the Data Controller processes their personal data in a manner conflicting with the prevailing legal regulations. The lawsuit shall fall within the competence of the regional court (törvényszék). The lawsuit – as per the choice of the Data Subject – can also be initiated before the regional court having competence based on the home address or the residence address of the Data Subject.

 

6.3 Initiating administrative procedure of the supervisory authority

Data Subjects are entitled to request an investigation procedure or the conduction of an administrative procedure from the Hungarian National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u. 9-11., post address: 1363 Budapest, Pf. 9., telephone: +36-1-391-1400, fax: +36-1-391-1410, e-mail: ugyfelszolgalat@naih.hu) in order to enforce their rights with reference to the fact that infringement has occurred in connection with the processing of their personal data or the direct threat of such infringement occurred, such as in particular:

according the Data Subject’s opinion the Data Controller restricts the exercising of the rights of the Data Subject or rejects the request of the Data Subject regarding the enforcement of such rights (initiation of an examination), or

in view of the Data Subjects during the processing of their personal data the Data Controller infringe the provisions of law or the compulsory legal regulations (request for conducting an administrative procedure).

 

7. Encumbrances

 

This Policy can be found at https://holisticrm.com website.

The conditions of the data processing may change over time, and Data Controller may decide at its discretion to include a new data processing purpose for the existing data processing, so Data Controller reserves the right to unilaterally modify this Privacy Policy for the future at any time. Data Controller will notify the Data Subjects of the amendments on its website.

 

Issues not regulated in this Privacy Policy shall be governed by the provisions of the relevant legislation in force in Hungary, specifically the provisions of the Privacy Act and the GDPR.

 

Accepted: 03/01/2022

Last modified: 10/01/2022