Privacy Notice – Serenity Hungary by Tar Renáta

PRIVACY NOTICE

With respect to the commitment of Renáta Tar sole enterpreneur (hereinafter: the Data Controller or the Service Provider) to the heightened protection of personal data, this privacy notice (hereinafter: the Notice) aims – to provide You with plain and transparent information about the details of the processing of Your personal data, what personal data will be collected during (and prior to) the business relationship and for what purposes, how and for how long it will be processed and stored, in line with the Data Controller’s commitment to the protection of your personal data. This Notice also aims to provide information on what are Your rights connection with the processing of Your personal data, and how You can exercise them.

The Data Controller makes this Notice available on its website (www.serenityhungary.com), and upon Your request provides to You also in a paper form. Please read this Notice carefully, bearing in mind that this Notice will primarily govern matters relating to the processing of Your personal data!

1 Definitions

Definitions applied within the frames of this Notice are set out in Annex 1 to this Notice.

2 The Data Controller and the contact information of the Data Controller

For more information, relating to the content of this Notice and Your rights, please contact:

Name of the data controller: Renáta Tar sole entrepreneur

Address: 2113. Erdőkertes, Bacsó Béla utca 12.

Tax number: 42984748-1-33

Registration Number: 58203116

E-mail: hello@serenityhungary.com

Phone number: +36 70 752 41 11

Website: https://www.serenityhungary.com/

Your personal data will be processed by the Data Controller in line with this Notice, the applicable laws and guidelines of the supervisory authority.

3 Principles governing the processing of personal data

The Data Controller is committed to ensuring that its personal data process activity is carried out in accordance with the following principles:

lawfulness, fairness and transparency: the data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
limitation of purpose: the data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
data minimization: the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accuracy: the data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
storage limitation: the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
integrity and confidentiality: the data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

4 Lawfulness of date processing

The data processing activity of the Data Controller shall be lawful only if and to the extent that at least one of the following is met:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) a) of the GDPR);
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6 (1) b) of the GDPR);
processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6 (1) c) of the GDPR);
processing is necessary in order to protect the vital interests of the data subject or of another natural person (Article 6 (1) d) of the GDPR);
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 (1) e) of the GDPR);
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Article 6 (1) f) of the GDPR).

The Data Controller examines the lawfulness of data processing at all stages of its activities, and processes data solely for which the Data Controller is in the position to justify the purpose and legal basis. In the event that the conditions of a legal basis cease to apply, the processing may only be resumed if the controller can demonstrate an adequate alternative legal basis. In this respect, further detailed information is provided in Annex 2 to this Notice.

5 Data collected by the Data Controller and the management thereof

Collecting and processing Your data is necessary to ensure that the Service Provider (Data Controller) can provide You with proper services (or, where applicable, to sell product(s) to You). In order to receive comprehensive information about the processing of Your personal data, categorised along with the purposes for which the collected data are processed, please refer to Annex 2 to this Notice.

6 Legal bases for data management

The processing and the provision of personal data is necessary for the provision of the services to You (or, where applicable, to sell of product(s)) and for the performance of the obligations relating to them. The categories of Your personal data processed by the Data Controller and their legal bases are set out in Annex 2 attached to this Notice.

In principle, the provision of personal data is voluntary, however, in certain cases it is required to comply with legal requirements and, where applicable, to the extent necessary for the conclusion or performance of the agreement. Annex 2 of this Policy provides further information about each categories of Your personal data processed, also about the respective data processing purpose.

In addition to the above, Your personal data may also be processed, where appropriate, on the basis of your voluntary consent, in particular for services that are provided at Your request or at Your choice (for example, newsletter).

7 Retention of data

Data collected for the purposes specified in this Notice may only be processed for the duration necessary for the processing. In case of civil law claims (in line with Subparagraph (1) of Paragraph 6:22 of the Act V of 2013 on the Civil Code) data is processed until the 5-year civil law limitation period. In order to meet its regulatory obligations, the Data Controller shall, under the conditions set out therein, process the documents issued by it, or in its possession or otherwise being at its disposal, and the personal data contained therein, in order to ensure that the tax assessment is complete and correct, until the right of tax assessment expires, or in the case of deferred tax, for 5 years from the last day of the calendar year in which the given tax becomes due, or in the case of a dispute, for 5 years after the dispute has been resolved (in accordance with the Articles 78 and 202 of the Act CL of 2017 on the Rules of Taxation). In case of accounting documents, the retention period is 8 years counted from the date of the given accounting entry (in line with Paragraph 169 of the Act C of 2000 on Accounting).

If legal proceedings are initiated, the personal data may be kept until the proceedings are finally terminated, including the duration of any legal remedy, after which the data will be deleted following the expiry of the limitation period in civil law. In the case of processing based on consent, personal data will be processed until consent is withdrawn. The withdrawal of consent does not have impact on the lawfulness of data processing based on consent prior to its withdrawal. Details of the retention periods for each processing purpose are set out in Annex 2 to this Notice.

The Data Processor draws the attention to the fact that if the annex sets out a limitation period for the enforceability of a claim as a retention period of data processing, this should be interpreted as meaning that the period for processing the personal data is restarted from the act that interrupted the limitation period and extended until a new date on which the limitation period starts.

The Data Controller hereby provides the information that the visitors to the Website (You) have the opportunity to subscribe to newsletters (marketing letters) sent by the Data Controller (Service Provider). The purpose of newsletters is to share professional knowledge, articles and news with subscribers, where appropriate, newsletters are sent for marketing purposes. The subscription to the newsletter is subject to the express consent of the Website visitor (You) to the use of the visitor’s (Your) personal data for the mentioned purposes. In the case of a newsletter, the Data Controller will process Your data provided when You subscribe to the newsletter until you unsubscribe from the newsletter by using the “unsubscribe” function in the newsletter. In case of unsubscription, the Data Controller will no longer contact You with the newsletter. You may unsubscribe from the newsletter at any time, free of charge, and withdraw Your consent, also by sending an e-mail directly to the Data Controller.

8 Access to your personal data

Your personal data will be accessed only by the Data Controller and, where applicable, by the third parties involved by the Data Controller in the performance of the service, on the basis of the need-to-know principle, to the extent permitted by the applicable laws and necessary for the performance of the given tasks.

The Data Controller shall take all necessary measures to protect your personal data and to prevent unauthorised access, alteration, transmission, disclosure, erasure or destruction, accidental destruction or damage and inaccessibility resulting from changes in the technology used. Accordingly, inter alia, different access rights to the data are applied to ensure that only the appropriate authorised person has access to the data.

9 Disclosing of personal data

When processing Your personal data, it may be necessary to disclose or share Your data with other persons. Such persons may include, for example, a public authority, bodies exercising public authority, courts of Hungary, etc., to whom the transfer of Your data is necessary for the purposes of the Data Controller’s (the Service Provider’s) legal obligations.

For certain processing activities concerning Your data, the Data Controller uses the services of third parties, which process Your personal data on the basis of an agreement concluded with the Data Controller, on behalf of the Controller and for a specific purpose as determined by the Data Controller (hereinafter: Data Processors). However, to provide proper safeguards, the Data Controller will only use a Data Processor that provides adequate safeguards for the protection of Your personal data, and the Data Processors, unless otherwise required by the law, will only process personal data based on instructions given by the Data Controller.

The Data Processor shall not engage another processor without prior specific or general written authorisation of the Data Controller. In the case of general written authorisation, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of other processors, thereby giving the Data Controller the opportunity to object to such changes.

By establishing contractual terms and conditions providing guarantees and by taking appropriate organisational and technical measures, the Data Controller ensures that the rights of data subjects (You) are not violated in the course of the Data Processor’s activities and that the Data Processor may only access personal data if it is indispensable for the performance of its tasks.

Your personal data will be transferred electronically and, where applicable, on paper to the following Data Processors:

Name of the Data Processor	Activity of the Data Processor
Websupport Magyarország Kft. (head of seat: 1132 Budapest, Victor Hugo u. 18-22.)	The Data Processor is the domain and content provider of the website of the Data Controller (www.serenityhungary.com) and the provider of the mail server. The data provided in the forms completed on the website and provided by registered users are stored on the servers of the content provider and the cookies necessary for browsing the website and for convenience are placed by it. The personal data contained in electronic mail sent to and from www.serenityhungary.com are also stored by this service provider.
APROMONTERV BT. (seat: 1095 Budapest, Soroksári út 48. 10 ép. I/108.)	The Processor provides accounting services to the Data Controller. In this context, the Data Processor obtains the customer’s billing and contractual information (as main principle the contact information as provided in the agreement).
KBOSS.hu Kft. (seat: 1031 Budapest, Záhony utca 7.)	The Data Processor provides invoicing services to the Data Controller and assists in the recording of accounting documents. In doing so, the Data Processor will process Your billing data (name and address) to the extent necessary for accounting records, in accordance with the applicable provisions of the Accounting Act, and will then delete it.
The Rocket Science Group, LLC. (Mailchimp) (seat: 675 Ponce de Leon Ave NE Suite 5000Atlanta, GA 30308 USA)	The Data Controller sends its newsletters through Mailchimp as Data Processor. In doing so, the Data Processor processes the data (name and e-mail address) necessary for sending the newsletter. Your explicit consent is required to subscribe to the newsletter. The Data Controller hereby informs you that the Data Processor is an entity located in the United States of America, i.e. in a third country outside the European Union. The Rocket Science Group LLC. is a registered member of the so-called Privacy Shield Agreement between the United States of America and the Commission of the European Union, so that data transfers to it are presumed to be subject to a level of protection equivalent to that of the European Union, and therefore are not subject to any additional conditions.

10 Your rights

Based on the provisions of the GDPR, you may request the Data Controller to access, rectify, erase or restrict the processing of personal data concerning you and object to the processing of such personal data. You also have the right to data portability and the right to judicial remedy.

The Data Controller shall inform You without undue delay about the action taken upon Your request and at the latest within one month of receipt of Your request to exercise the rights under this article. When replying to the request, the Date Controller shall, where appropriate, take into account the complexity of the request and the number of requests. Taking into account the complexity of the request and the number of the requests, this deadline, with regard to the applicable laws, may be extended by further two months, if necessary. The Data Controller will notify You on the extension of the deadline by indicating the reasons of the delay, within one month from the receipt of the request. If You have submitted Your request electronically, the information will be provided electronically as long as possible, unless otherwise requested.

In the unexpected event that for any reason no action is taken in response to Your request, the Data Controller will inform You without delay, but no later than one month after receipt of the request, of the reasons for the failure to act, where You can lodge a complaint and what other remedies (judicial remedies) are available to You.

The information provided on the basis of requests concerning the rights under this point and the execution of the request shall be provided to You free of charge.

For the submission of written requests, the Data Controller provides You with a model request form by way of attaching Annex 3 hereto. By completing the model request form You can submit Your written request to the Data Controller. However, the Data Controller draws your attention to the fact that the use of the model request is not mandatory, i.e. the Data Controller will receive and process your request in accordance with the applicable laws even if it is not submitted by competing the such model request form.

The Data Processor draws the attention to the fact that if You have submitted Your request related to the processing of personal data contrary to the above and the Data Controller was not able to identify You, the Data Controller shall request You to provide further data, and upon a failure or non-fulfilment of such request, the Data Controller cannot guarantee to deliver an answer to the request. That period of time from the Data Controller’s request for the provision of the necessary personal data until the provision of the requested personal data shall not be included in the calculation of the due date for responding to the request.

For the purpose of ensuring the full exercise of your rights, the Data Controller will, in accordance with the respective provisions of the GDPR, inform all recipients to whom or with which your personal data have been disclosed by the Data Controller of any rectification, deletion or restriction of processing pursuant to the rights under this article, unless this proves impossible or would involve a disproportionate effort. Upon your request, the Data Controller will provide specific information about such recipients.

10.1 Right of access

You may request the Data Controller to provide information on whether the Data Controller processes your personal data (Article 15 of the GDPR). If so, the Data Controller will provide the following information to You:

the purpose(s) of the processing;
the categories of the personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
where possible (e.g.: storage of data), the envisaged period for which the personal data will be stored, or, provided that the planned period can not be determined at
the moment of the provision of information with respect to the exercise of the right of access, the criteria used to determine that period;
Your right to rectification, erasure, restriction of processing and to object;
Your right to lodge a complaint with a supervisory authority;
where the personal data are not collected from You, any available information as to their source.

If the Data Controller transfers Your personal data to a third county (or to an international organization), You have the right to receive information in line with the provisions of the GDPR about the safeguards of the data transfer.

Upon your request, the Data Controller will provide You with a copy of the personal data it processes. Additional copies may be subject to a reasonable charge based on the incurred administrative costs. If You have submitted Your request to exercise Your right described in this subsection by electronic means, the Data Controller will, unless You request otherwise, provide You with a copy of the personal data in a commonly used electronic format.

10.2 Right to rectification

You may request, that your inaccurate personal data processed by the Data Controller to be rectified without delay or, to complete the incomplete personal data in connection with the purpose of Data Processing, including by means of providing a supplementary statement (Article 16 of the GDPR).

10.3. Right to erasure (right to be ‘forgotten’)

You may request the Data Controller to delete the personal data processed about You without undue delay

where the personal data are no longer necessary for the purposes for which they were originally processed by the Data Controller,
in the case of processing based on consent, where you have withdrawn your consent and there is no other legal basis for the processing;
You successfully object to the processing of Your personal data in accordance with article 10.6 of this Notice,
there are no overriding legitimate grounds for the processing;
the processing of personal data was unlawful;
the personal data must be erased by the Data Controller in order to comply with a legal obligation under applicable European Union or Member State law.

Where the Data Controller has made the personal data public and is obliged pursuant to this article to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that the You have requested the erasure by such controllers of any links to, or copy or replication of, those personal data (Article 17 of the GDPR).

You may not exercise Your rights set out in this article to the extent that processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by the Europen Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance the respective provision of the GDPR in so far as the right to herein is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for reasons of public interest in the area of public health;
for the establishment, exercise or defence of legal claims.

10.4 Right to restriction of processing

You shall have the right to obtain from the Data controller restriction of processing where one of the following applies:

You contest the accuracy of the personal data is contested by the data subject, for a period enabling the Data controller to verify the accuracy of the personal data;
the processing is unlawful and You oppose the erasure of the personal data and requests the restriction of their use instead;
the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by You for the establishment, exercise or defence of legal claims;
You have successfully objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the Data Controller prevail over Your legitimate grounds.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with Your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State (Article 18 of the GDPR).

10.5 Right to data portability

You shall have the right to receive the personal data concerning You, which You have provided to the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, where:

processing is based on Your consent or is necessary for the performance of an agreement to which You are a party or is necessary for the purposes of taking steps at Your request prior to entering into that agreement; and
the processing is carried out by automated means. Where technically feasible, You may request the direct transfer of personal data between controllers.

The exercise of the right referred to this article shall be without prejudice to right to erase mentioned under Article 10.3 of this Notice. That right shall not apply to processing necessary for the performance of a task carried out in the public interest (Article 20 of the GDPR). The right referred to herein shall not adversely affect the rights and freedoms of others.

10.6 Right to object

You have the right to object at any time, on grounds relating to Your particular situation, to the processing of Your personal data that is necessary for the public interest or for the purposes of the legitimate interests pursued by the Data Controller or a third party, including profiling based on the respective provisions of the GDPR (Article 21 of the GDPR). In such a case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of Yours or for the establishment, exercise or defence of legal claims.

10.7 Rights related to automated individual decision-making

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You (Article 22 of the GDPR).

This rules shall not apply if the decision:

is necessary for entering into, or performance of, an agreement between You and the Data Controller;
is authorised by the European Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard Your rights and freedoms and legitimate interests; or
is based on Your explicit consent.

In the cases referred to in points a) and c), the Data Controller shall take appropriate measures to protect Your rights, freedoms and legitimate interests, including at least Your right to obtain human intervention by the Data Controller, to express Your opinion and to object to the decision.

Subject to the foregoing, the Data Controller informs You that currently no decision-making on automated processing takes place at the Data Controller.

10.8 Right to withdraw consent

If the processing is based on Your consent, You have the right to withdraw Your consent at any time (Article 7 of the GDPR). Withdrawal of consent does not affect the lawfulness of the data processing based on consent prior to the withdrawal. The Data Controller shall ensure that You can withdraw your consent in the same simple way as you gave it.

11 Legal remedies

11.1 Complaint submitted to the supervisory authority

If you consider that the processing of personal data relating to You infringes the provisions of the applicable legislation, You have the right to lodge a complaint to the supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. The national supervisory authority in Hungary is the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information, seat: 1055 Budapest, Falk Miksa utca 9-11.; mailing address: 1363 Budapest, Pf.: 9.; phone + 36 (30) 683-5969, +36 (1) 391 1400; email: ugyfelszolgalat@naih.hu ).

If the Nemzeti Adatvédelmi és Információszabadság Hatóság does not deal with your complaint referred to in point 11.1, or does not inform You within three months of the progress or outcome of the complaint, or if You consider that the processing of personal data concerning You infringes your rights under the applicale laws, you have the right to take legal action. Proceedings against a supervisory authority must be brought before the courts of the Member State where the supervisory authority is established in respect of the Nemzeti Adatvédelmi és Információszabadság Hatóság that shall be the Budapest-Capital Regional Court (in Hungarian: Fővárosi Törvényszék)) or, in other cases, before the competent court where the Data Controller is established or before the court of Your domicile or habitual residence.

12 Use of cookies

The Data Controller hereby informs you that the Website of the Data Controller uses cookies. Cookies, with regard to the GDPR, may only be placed on the user’s device with the user’s consent. You can give your consent in the pop-up window that appears when You visit the Website and you can change it at any time in your browser. You can remove cookies by changing Your browser settings, using a cookie remover or by deleting Your browsing history. However, it is important to note that You may experience reduced functionality when You delete or disable cookies.

The Data Controller hereby informs You that the detailed rules on the use of cookies are published by the Data Controller on its Website in a separate document, in the document entitled “Cookie Policy“. The Data Controller will also provide a paper copy of this document upon Your request.

13 Management of data protection incidents

The Data Controller undertakes to ensure the security of the data, to take technical and organisational measures and to maintain procedural rules to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or unauthorised alteration. It also undertakes to require any third party to whom it transfers or discloses the data to comply with the requirements of data security.

In the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent authority (Nemzeti Adatvédelmi és Információszabadásg Hatóság), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The Data Controller shall keep a record of the personal data breaches, indicating the facts relating to the personal data breach, its impacts and the measures taken to remedy such impacts.

The following breaches are considered as data breach incidents, for example

leakage, corruption or loss of databases containing personal data;
access to all or part of databases containing personal data by unauthorised third parties (for example, missent mail or e-mails sent to the wrong recipients);
data leaked as a result of an external IT (hacking) attack on the Data Controller;
stolen or lost computers, phones.

When the personal data breach is likely to result in a high risk to Your rights and freedoms, the Data Controller shall communicate the personal data breach to You without undue delay.

The Data Controller shall communicate in a clear and plain manner:

the name and contact details of the data protection officer or other contact point where more information can be obtained;
the likely consequences of the personal data breach;
the measures taken or proposed to be taken by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Data Controller shall not provide information relating to the incident, if any of the following conditions are met:

the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to Your rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

14 Closing provisions

This Notice is effective from 20 June 2023, until it is withdrawn. The Data Controller reserves the right to unilaterally change this Notice at any time. If this Notice is amended, the Data Controller will post a notice on the website.

This Notice is made available by the Data Controller on its website also in the English language. The English translation has been prepared with the utmost care, however, in case of any discrepancy between the English and the Hungarian version, the Hungarian version shall prevail.

Annex 1

Definitions

For the purposes of this Notice, the following definitions shall have the following meaning:

personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future;

profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

processor or data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

personal data breach incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

supervisory authority concerned means a supervisory authority which is concerned by the processing of personal data because: (a) the controller or processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or (c) a complaint has been lodged with that supervisory authority;

cross-border processing means either: (a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or (b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

GDPR means the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Annex 2

Circumstances of the processing of personal data as per purposes

#	Purpose of processing	Source of data	Legal basis of processing	Category of processed data	Period of processing	Recipients	Data transfer to a third country or international organization (Yes/No)	Is it mandatory to provide personal data by law or by contract? (Yes/No)
1	Establishing and performance of contract	Data Subject	Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract (point b) Article 6 (1) GDPR)	Personal identification data (name, position (title), mailing address), Contact information (name, position (title), phone, e-mail, mailing address)	Limitation period regarding contractual claims (5 years)	N/A	No	Yes
2	Complaint management	Data Subject	Processing is necessary for compliance with a legal obligation (point c) Article 6 (1) GDPR)	Name; contact information (phone, e-mail, mailing address), the complaint, the documents substantiating the complaint, and the answer to the complaint.	5 years following the submission of the complaint	N/A	No	Yes
3	Resolution of disputes regarding contracts	Data Subject	Legitimate interest (point f) Article 6 (1) GDPR)	Identification data	Limitation period regarding contractual claims (5 years)	External lawyer under an engagement (case-by-case basis)	No	Yes
4	Ensuring supervisory activities carried out by authorities	Data Subject	Processing is necessary for compliance with a legal obligation	Identification data, financial data	Until the termination of the business relationship	National Tax and Customs Administration (NAV)	No	Yes
5	Direct marketing (newsletter)	Data Subject	Consent (point a) Article 6 (1) GDPR)	Identification data and contact information (name, mailing address, e-mail, phone, date of consent)	Until withdrawl of consent	Mailchimps (see Section 9, Data Processor)	Yes (pls see Data Processor Part, newsletter)	No
6	Complaince with accounting and reporting requirements	Data Subject	Processing is necessary for compliance with a legal obligation in line with Paragraph 169 of the Act C of 2000 on Accounting (point c) Article 6 (1) GDPR)	Personal identification data, contact data, financial data	8 years	National Tax and Customs Administration (NAV)	No	Yes
7	Data processing relating to the enforcement of data protection rights of data subjects	Data Subject	Processing is necessary for compliance with a legal obligation (GDPR Art. 6 (1) c); allow to exercise data subject rights included in Articles 15-22 of GDPR and the documentation of other actions taken in connection with requests)	Personal data relating to data protection requests coming to the Data Processor: in case of natural persons/legal persons or other organizations applied to the Data Processor the data necessary to contact of the contact persons (especially: name, address, email address, phone number), content of the request, the actions taken towards the request, documents relating to the request.	Indefinite period, in the absence of any further data protection related official guidance.	There are no (except, if personal data was forwarded to other recipients – in case of separate data processors they can only exercise their rights relating to what is included in their privacy notice	No	Yes – the data subject to be identified and his/her rights to be exercised (e.g. to exercise the data subject’s right to access it should be marked personal data to have right to access to), in the absence of these the data subject’s rights cannot be ensured (in full)
8	Contribution of data subjects to data processing and archiving of possible withdrawal of declaration of contribution	Data Subject	Processing is necessary for compliance with a legal obligation (GDPR Art. 6 (1) c); according to GDPR Art. 7. (1), if the data processing is based on contribution, the Data Processor shall be able to certify that the data subject contributed to the processing of his/her personal data	If the data processing of the Data Processor is based on the contribution of the data subject, the Data Processor shall achieve the contribution with the aim to certify the legality of contribution at any time. If the data subject withdraws his/her contribution, the Data Processor retains the withdrawn declaration (and the related communication too) with the aim to keep the Data Processor informed if the data subject withdraws his/her consent to a defined data processing.	Indefinite period in the absence of any further data protection related official guidance	There are no (except, if personal data was forwarded to other recipients – in case of separate data processors they can only exercise their rights relating to what is included in their privacy notice	No	Yes, with regard to the Data Processor should be able to certify that the data subject contributed to the use of personal data, in case of the lack of data, the data processor cannot process the contribution and the withdrawal of contribution
9	Register of data protection incidents (including the documentation of actions to handle the incidents)	Data Processor	Processing is necessary for compliance with a legal obligation (GDPR Art. 6 (1) c); pursuant to GDPR Art. 33 (5) the Data Processor shall register the data protection related incidents indicating the relating facts, its effects, and the measures taken to remedying. (This registry allows the Data Protection	Personal data of data subjects related to data protection incident	In the absence of any further data protection related official guidance, indefinite period	There are no (except, if personal data was forwarded to other recipients – in case of separate data processors they can only exercise their rights relating to what is included in their privacy notice	No	Yes, with regard that the Data Processor is obliged to register the data protection incidents, indicating the relating facts, its effects and the measures taken to remedying. In default of processing data, the Data Processor is not able to comply with its obligations.
10	Agreements concluded with contractual parties	Data Subject	To take steps at the request of the data subject prior to the conclusion of the contract and to perform the contract (GDPR Art. 6 (1) b) and f);	Personal identification data (name, position (title), mailing address), Contact information (name, position (title), phone, e-mail, mailing address)	Limitation period regarding contractual claims (5 years)	N/A	No	Yes
11	Opinion, feedback (on website)	Data Subject	Consent (GDPR Art. 6 (1) a))	Name, address (city / country) e-mail address of the opining person (Based on Art. 7 (8) and points 34-35 annexed to the Act XLVII of 2008).	Until withdrawal	N/A	No	Yes

Download Annex 3