Privacy Notice

www.niin.hu
Effective from: 25 January 2021 until revoked.

Niin Design (registered office: 137 Szabadság Road, 2040 Budaörs, Hungary; tax number: 59717083-1-33) hereby fulfils its obligations relating to data processing within the framework of this Privacy Notice.

Introductory Provisions and Purpose of the Notice

In this Privacy Notice, the Data Controller sets out the applicable data protection rules and procedures in order to ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information, thereby expressing its commitment to respecting and protecting the principles laid down therein.

The Data Controller acknowledges this Notice as binding upon itself. The purpose of this Privacy Notice is to inform the Data Controller’s clients, partners, and principals about the processing of their personal data. Personal data shall be processed strictly in accordance with applicable laws and the principles set out in Article 5 GDPR, including:
• lawfulness, fairness and transparency,
• purpose limitation,
• data minimisation,
• accuracy,
• storage limitation.

The Data Controller is committed to the protection of personal data and to respecting the informational self-determination of data subjects. Personal data shall be treated confidentially and in compliance with applicable data protection legislation. The Data Controller shall implement all necessary technical and organisational measures to ensure data security and shall protect data against unauthorised access, alteration, disclosure, deletion, destruction, accidental loss or damage, and inaccessibility due to changes in technology.

Scope of the Privacy Notice

This Privacy Notice applies to the Data Controller and to all natural persons whose personal data are processed under its scope, as well as to persons whose rights or legitimate interests are affected by such processing.

Definitions

Personal data: any information relating to an identified or identifiable natural person (“data subject”).

Special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, and data concerning a natural person’s sex life or sexual orientation.

Processing: any operation performed on personal data, whether automated or not, including collection, recording, organisation, storage, alteration, retrieval, use, disclosure, restriction, erasure, or destruction.

Data transfer: making personal data accessible to a specific third party.

Disclosure: making personal data accessible to anyone.

Erasure: rendering data irretrievable.

Filing system: any structured set of personal data accessible according to specific criteria.

Data Controller: the entity determining the purposes and means of processing.

Data Processor: an entity processing data on behalf of the Data Controller.

Data subject: an identified or identifiable natural person.

Recipient: any entity to whom personal data are disclosed.

Third party: any entity other than the data subject, controller, or processor.

Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes.

Data breach: a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

E-mail: Electronic mail. The name refers to the method of writing and transmitting, which takes place entirely electronically using computer networks.

Internet: The Internet (Internetworking System) is a global network of computer networks (so-called metanetwork) that spans the entire Earth, connecting government, military, commercial, business, educational, research, and other institutions, as well as individual users.

Website, Webpage, Web portal, Home page: an electronic interface suitable for displaying and communicating information, which is typically located on servers (Webserver) connected to the Internet. These pages, tabs, have a unique address (link), which can be entered into a browser application to navigate to the given page. The technology of Websites allows for forward and backward jumps between individual content elements and links (hypertext).

Cookies: A program component used to create convenience features on websites. There are two basic types: one is stored on your own computer, while the other, the so-called session cookie, is stored on the server side. From a data management perspective, the handling of session cookies must be regulated. Websites must inform visitors about the use of cookies.

Electronic newsletter: Electronic mail, typically automatically generated and sent by an application set up for this purpose, sent to the e-mail addresses of persons subscribed to a mailing list, for transactional, advertising or other campaign purposes.

Legal Bases and Purposes of Processing

Personal data may only be processed where at least one of the legal bases under Article 6 GDPR applies, including:

• consent of the data subject,
• performance of a contract,
• compliance with a legal obligation,
• protection of vital interests,
• performance of a task in the public interest,
• legitimate interests pursued by the Data Controller or a third party.

The Data Controller shall assess the lawfulness of processing at all stages and shall process data only for as long as a valid legal basis exists.

Operation of the Website

Hosting provider: Rackforest Zrt.
Address: 1132 Budapest, Victor Hugo st. 11. 5. fl. B05001.

The server and hosting provider stores the personal data it has received and is not authorized to use it.

Cookies

Cookies are small files stored by websites to facilitate browsing and improve user experience. For example, they can:
• remember your website settings;
• offer you locally relevant content.
Some cookies expire when you close the website, and some have a longer expiration date.

Legal basis:
session cookies – legitimate interest (Article 6(1)(f) GDPR), other cookies – consent (Article 6(1)(a) GDPR).

Legal basis for cookies:
The legal basis for data processing is Article 6(1)(f) of the GDPR in the case of session cookies, and your consent in accordance with Article 6(1)(a) of the GDPR in the case of other cookies (e.g. security, analytical) and Section 5(1)(a) of the Infotv. We inform you that the data subject declares on the Data Controller's website that he or she has reached the age of 16 in relation to accepting the use of cookies. A person under the age of 16 may not declare his or her acceptance or rejection of the cookies used by the website. Pursuant to Article 8(1) of the GDPR, the consent of his or her legal representative is required for the validity of the legal declaration containing his or her consent to data processing. The data controller is not able to verify the age and entitlement of the person giving the consent, so the data subject guarantees that the data provided is true.

The website uses the following cookies:
This website does not use cookies.

Contact and Enquiries
Users may contact the Data Controller via the contact details provided or through the contact form.
Processed data:
• email address
• first name
• message

Purpose: communication and provision of quotations.

Legal basis: consent (Article 6(1)(a) GDPR), pre-contractual steps (Article 6(1)(b) GDPR).

Retention period:
until response is provided, or up to 5 years in case of legal claims.

In the event of an inquiry or contact, the Data Controller will no longer retain the data after the necessary information has been provided, unless a legitimate claim can be asserted regarding the subject of the ad hoc contact, in which case it will be retained for a maximum of 5 years for the purpose of its verification.

Where a price quote is provided, the data is retained for as long as the offer remains binding, which is governed by Sections 6:64-69 of the Civil Code.
In the event of a business relationship, the data must be retained for 8 years pursuant to Section 169 (2) of the Accounting Act.

Newsletter Subscription
Users may subscribe by providing their email address.

Purpose: sending newsletters.
Legal basis: consent (Article 6(1)(a) GDPR). Retention period: until withdrawal of consent.

Processed data:
• email address
Retention period: until response is provided, or up to 5 years in case of legal claims.

Data processing related to Facebook page:
The website operator also promotes and describes the service it provides through its social media page (NiiN – Niké Interior Design), and provides the opportunity to contact you via Messenger. The Data Controller treats personal data obtained through its Facebook page confidentially and uses it exclusively to maintain contact with the data subject, answer questions, and provide quotes. The Data Controller shares photos of the work it has created on its Facebook page.
The purpose of data processing is to promote and advertise services and provide information to interested parties.

Legal basis:
Pursuant to Article 6(1)(a) of the GDPR, it is based on voluntary consent, which shall be deemed to have been given by the data subject liking, following the page, commenting on posts, or contacting the page operator in the form of a message.
Joint data controller: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The operator of the site does not assume responsibility for previous pages that have already been deleted but have nevertheless been archived by Internet search engines. The operator of the search engine must ensure their removal.
You can read more about Facebook's data management by clicking on the link below: https://www.facebook.com/privacy/explanation

Data processing related to Instagram page:
The website operator also promotes and describes the service it provides through its Instagram social page (niin.interior.design), and provides the opportunity to contact you via Messenger. The Data Controller treats personal data obtained through its Instagram page confidentially and uses it exclusively to contact the data subject, answer questions, and provide quotes. The Data Controller shares photos of the work it has created on its Instagram page.
The purpose of data processing is to promote and advertise services and provide information to interested parties.

Legal basis:
Pursuant to Article 6(1)(a) of the GDPR, it is based on voluntary consent, which shall be deemed to have been given by the data subject liking, following the page, commenting on posts, or contacting the page operator in the form of a message.
Joint data controller: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The operator of the site does not assume responsibility for previous pages that have already been deleted but have nevertheless been archived by Internet search engines. The operator of the search engine must ensure their removal.
You can read more about Instagram's data management by clicking on the link below: https://help.instagram.com/519522125107875

Data processing related to LinkedIn page
The website operator also promotes and describes the service it provides through its social media page (NiiN – Niké Interior Design), and provides the opportunity to contact you via LinkedIn. The Data Controller treats personal data obtained through its LinkedIn page confidentially and uses it exclusively to maintain contact with the data subject, answer questions, and provide quotes. The Data Controller shares photos of the work it has created on its LinkedIn page.
The purpose of data processing is to promote and advertise services and provide information to interested parties.

Legal basis:
Pursuant to Article 6(1)(a) of the GDPR, it is based on voluntary consent, which shall be deemed to have been given by the data subject liking, following the page, commenting on posts, or contacting the page operator in the form of a message.
Joint data controller: LinkedIn Corporation, Sunnyvale, California, USA.
You can read more about LinkedIn's data management by clicking on the link below: https://www.linkedin.com/legal/privacy-policy

Data processing related to Pinterest page
The website operator also promotes and describes the service it provides through its Pinterest social network, and the social network provides the opportunity for the data subject to contact the data controller indirectly via email. The Data Controller treats the personal data obtained via the Pinterest website in the form of email confidentially and uses it exclusively for communicating with the data subject, answering questions, and providing quotes.
The purpose of data processing is to promote and advertise services and provide information to interested parties.

Legal basis:
Pursuant to Article 6(1)(a) of the GDPR, it is based on voluntary consent, which shall be deemed to have been given by the data subject following the Data Controller on the social network or indirectly contacting the Data Controller by email.
Joint data controller: Pinterest Inc., 808 Brannan Street San Francisco, CA 94103 USA
You can read more about Pinterest's data management by clicking on the link below: https://policy.pinterest.com/hu/privacy-policy

Data Breach

The Data Controller shall implement appropriate measures to detect, manage, and report data breaches.

Notification to the supervisory authority:
Notification to the supervisory authority shall be made within 72 hours where required.

The notification shall include at least:
(a) a description of the nature of the data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the breach;
(b) the name and contact details of the data protection officer or other contact person for further information;
(c) a description of the likely consequences of the data protection incident;
(d) a description of the measures taken or planned by the controller to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

If and to the extent that it is not possible to communicate the information simultaneously, it may be communicated in parts at a later date without further undue delay. The controller shall keep records of data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements of this Article.

Obligation to inform the data subject according to Article 34 of the GDPR

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe the nature of the personal data breach in a clear and intelligible manner and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.

The data subject does not need to be informed if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, in particular measures that render the data unintelligible to persons not authorised to access the personal data, such as the use of encryption;
(b) the controller has taken further measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is no longer likely to materialise;
(c) the provision of information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.
If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the above-mentioned conditions is met.

The rights of the data subject according to the GDPR:
In connection with data processing, through the Data Controller:
– you can request information about data processing and access to the data processed concerning you,
– in the event of inaccurate data, you may request correction or completion of incomplete data,
– you may request the deletion of data processed based on your consent,
– you may object to the processing of your personal data,
– you can exercise your right to data portability,
– you can request restriction of data processing.
Upon request for information, the data subject may, provided that this is not subject to restriction for reasons of interest specified by law, find out whether the data controller is processing his/her personal data, and is entitled to receive information regarding the data processed concerning him/her, including:
– the purpose for which the data is processed,
– what authorizes the data controller to process the data (legal basis),
– when and for how long the data is processed (duration),
– what data is processed, together with a copy of it provided to the data subject,
– the recipients of personal data and the categories of recipients,
– any transfer to a third country or international organization,
– the rights of data subjects related to data processing,
– the legal remedies available.

The employer, as the data controller, shall respond to requests for information and access within 30 days at the latest. For additional copies of the personal data processed concerning the data subject, the data controller may charge a reasonable fee based on administrative costs. In some cases, the data controller may refuse to provide information based on statutory authorization (for example, in order to prevent or prosecute crimes), in which case the response shall include information on the statutory provision justifying the refusal and on the possibility of legal remedies. In the event of a request for correction (amendment) of data, the data subject must substantiate the truth of the data requested to be amended and must also prove that the amendment is indeed being requested by the person entitled to do so. If it is not clear whether the processed data is correct or accurate, the data controller shall not correct the data, but shall only mark it, i.e. indicate that the data subject objected to it, although it may not be incorrect. After confirming the authenticity of the request, the data controller shall, without undue delay, correct the inaccurate personal data or complete the data concerned by the request. The data controller shall notify the data subject of the correction or marking.

The data controller will comply with your request to restrict data processing if one of the following is met:
– the data subject disputes the accuracy of the personal data, in which case the restriction applies for a period of time that allows the controller to verify the accuracy of the personal data,
– the data processing is unlawful and the data subject opposes the deletion of the data and instead requests the restriction of their use,
– the data controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or against the data processing relating to him or her.
If the data is subject to restriction, personal data may, with the exception of storage, only be processed:
– with the consent of the person concerned,
– to assert, exercise or defend legal claims,
– in order to protect the rights of another natural or legal person, or
– in the important public interest of the European Union or a Member State.
The data controller shall inform the data subject in advance of the lifting of the restriction on data processing.

Legal Remedies

Complaints may be submitted to the Hungarian supervisory authority: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH), Budapest. Data subjects may also seek judicial remedy before competent courts. In relation to Meta platforms, complaints may be submitted to the Irish Data Protection Commission.
