Data processing notice and policy
The purpose of the current data processing notice of Server Line Ltd. is to clearly and comprehensively inform visitors to and registrants on the website operated by the data controller ("data subject") about all facts related to the processing of their personal data, as well as their rights and legal remedies concerning data processing, before the processing begins.
The purpose of this data processing notice is also to clearly and comprehensively inform interested parties and clients ("data subjects")—who use the services of the data controller directly via phone, email, or in person at the customer service center located at 1087 Budapest, Asztalos Sándor str. 3.—about all facts related to the processing of their personal data, as well as their rights and legal remedies concerning data processing, before the processing begins.
This data processing notice also includes the internal regulations and measures applicable to the data controller, ensuring that data processing complies with the legal provisions specified in section 3. As such, it also serves as the data controller’s data processing policy for handling the personal data of data subjects.
This data processing notice also applies to the following websites operated by the data controller: www.serverline.hu, www.nevjegyexpressz.hu, www.mappa-keszites.hu, www.matrica-expressz.hu, www.rollup-expressz.hu, and www.qrstat.hu.
For the purposes of this data processing notice:
„personal data”: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
„data processing”: any operation or set of operations performed on personal data or data sets, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
„data controller”: the natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the data controller or the specific criteria for its designation may also be defined by Union or Member State law.
„data processor”: the natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller.
1. The data controller's information
Name: Server Line Szolgáltató Ltd.
Registered office: 2340 Kiskunlacháza, Sellő str. 140.
Branch office: 1087 Budapest, Asztalos Sándor str. 3.
Company registration number: 13-09-154514
Tax number: 23829808-2-13
Represented by: Zsolt Gerlich, Managing Director
Phone: +36 1 210 7260
Email: info@serverline.hu
2. Persons authorized for data processing
a. Details of the hosting service provider used for data processing:
Name: Tárhely.Eu Szolgáltató Ltd.
Phone: +36 1 789 2789
Email: support@tarhely.eu
Mailing address: 1538 Budapest, P.O. Box 510.
The personal data accessible to the hosting provider is listed in the table under point 4.
b. The data will be transferred to the following courier service for the purpose of delivering the ordered product:
NName: GLS General Logistics Systems Hungary Package-Logistics Ltd.
Registered office: 2351 Alsónémedi, GLS Európa str. 2.
E-mail: info@gls-hungary.com
The personal data accessible to the courier company is listed in the table under point 4.
c. In the case of online payment by bank card, the following financial service provider is involved:
Name: OTP Mobil Service Provider Ltd.
Registered office: 1093 Budapest, Közraktár str. 30-32.
Customer service: ugyfelszolgalat@simple.hu
Phone: +36 1/20/30/70 3-666-611
We inform you that in the case of online payment, the data controller does not transmit personal data to OTP Mobil Szolgáltató Ltd. You are required to provide your bank card details on OTP Mobil Szolgáltató Ltd's secure interface, and the data controller does not have access to this information. The data controller only transmits the service fee and the transaction identifier to OTP Mobil Szolgáltató Ltd.
d. In the course of fulfilling its reporting and accounting obligations, it gains access to the data on invoices and acts as an independent data controller.
Name: KKp Bt.
Registered office: 2340 Kiskunlacháza, Munkácsy M. Str. 27.
E-mail: kkpbt@vnet.hu
e. The data controller records customer and order data in a proprietary CRM system, which runs on the hosting provider's servers.
f. The data controller may employ system administrators responsible for installing and maintaining the programs and systems used.
3. The main laws governing data processing and their abbreviations
• Regulation (EU) 2016/679 of the European Parliament and the Council (“GDPR”)
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Infotv.”)
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (“Eker tv.”)
4. Principles of data processing
4.1. Fairness, lawfulness, and transparency
The data controller carries out the data processing operations specified in this notice (including the collection and processing of data) fairly, in compliance with the legal provisions governing the processing of personal data, and in a transparent manner for the data subject.
4.2. Purpose limitation
The data controller collects, processes, and uses personal data solely for the purposes specified in this notice and transfers them only to achieve these purposes, in accordance with this notice and the applicable legal provisions on personal data processing. The processed personal data may only be accessed by individuals involved in fulfilling the specified purposes.
4.3. Data minimization
The data controller requests only those personal data from the data subject that are appropriate, relevant, and strictly necessary for the specific data processing purpose. Without these data, the controller would not be able to provide its services or could not do so in accordance with its commitments.
4.4. Accuracy
The data subjects are responsible for ensuring that the data provided on the website are accurate, true, and up to date. Furthermore, it is the responsibility and obligation of the data subject to obtain prior consent from the relevant individual if they provide personal data that do not belong to them.
If the data subject notifies the data controller that their data are inaccurate, the data controller will promptly ensure the deletion or correction of such data in accordance with the provisions of this notice.
4.5. Limited storage period
The data controller ensures that personal data are stored in a manner that allows the identification of the data subject only for the period necessary to achieve the purposes of data processing. Accordingly, the data controller determines the storage period of the data based on this principle.
4.6. Data security
The data controller takes all necessary measures to ensure the secure and intact processing of data and the establishment and operation of the required data management systems. In this context, antivirus and firewall protection are applied on computers, and the physical security of data and data storage devices is ensured.
The data controller ensures that unauthorized persons cannot access, disclose, transmit, modify, or delete the processed data. The data controller takes all reasonable measures to prevent data from being accidentally damaged or destroyed. This commitment is also imposed on employees involved in data processing activities and any data processors engaged by the data controller.
Notwithstanding the above, the data subject is responsible for their own account after registration and for all actions performed with or within it. This includes, among other things, ensuring an adequate level of protection for the password associated with their name and any disclosure of it to third parties.
5. Based on article 13 of the GDPR, we provide the following transparent table detailing the categories of personal data processed by the data controller for each data processing purpose and legal basis. Additionally, we inform you about the persons authorized to access the data and the duration of data processing.
Data processing purposes: registration / order form, customer account creation
Legal basis for processing: consent of the data subject - GDPR article 6(1)(a)
Categories of data subjects: registering customers
Scope of processed data: Email address, password
Who can access the data within the organization: management
Duration of data processing: until the data subject withdraws consent
Data transfer: hosting provider, system administrator
Consequences of failure to provide data: the data subject cannot register or place an order on the website
Data processing purposes: issuance of accounting documents
Legal basis for processing: necessary for compliance with a legal obligation* - GDPR Article 6(1)(c)
Categories of data subjects: customers who place an order
Scope of processed data: billing name, billing address (county, city, postal code, street name, house number, floor, door, doorbell), payment method, issuance date, fulfillment date, payment date, product name, net and gross prices of products, total order amount
Who can access the data within the organization: management, customer service
Duration of data processing: eight years, in accordance with Section 169(2) of the Accounting Act
Data transfer: accountant, hosting provider, system administrator
Consequences of failure to provide data: the data subject cannot receive an invoice issued in their name.
Data processing purposes: order fulfillment, delivery
Legal basis for processing: necessary for the performance of a contract - GDPR Article 6(1)(b)
Categories of data subjects: customers who place an order
Scope of processed data: customer name, shipping address (county, city, postal code, street name, house number, floor, door, doorbell), email address, phone number, additional comments related to the order, payment, and delivery method
Who can access the data within the organization: management, customer service, production, and sales department
Duration of data processing: 5 years following the fulfillment of the contract
Data transfer: hosting provider, courier service, system administrator
Consequences of failure to provide data: the data subject cannot place an order
Data processing purposes: communication for order fulfillment
Legal basis for processing: necessary for the performance of a contract - GDPR Article 6(1)(b)
Categories of data subjects: customers who place an order
Scope of processed data: contact person's name, email address, phone number
Who can access the data within the organization: management, customer service
Duration of data processing: data is deleted after contract fulfillment (unless the contact person has given consent for further data processing)
Data transfer: hosting provider, system administrator
Consequences of failure to provide data: the data subject cannot place an order
Purposes of data processing: maintaining records of contact persons for contractual partners.
Legal basis for data processing: consent of the data subject - GDPR Article 6(1)(a).
Categories of data subjects: customers who place an order.
Scope of processed data: contact person’s name, email address, phone number.
Who can access the data within the data controller’s organization: management, customer service.
Duration of data processing: until the data subject withdraws their consent.
Data transfers: hosting provider, system administrator.
Consequences of not providing data: the data controller will be unable to maintain contact with the data subject for fulfilling future orders and services.
Data processing purposes: sending newsletters
Legal basis for data processing: consent of the data subject – GDPR Article 6(1)(a)
Categories of data subjects: customers who have consented to receiving newsletters
Scope of processed data: name, email address
Who can access the data within the data controller’s organization: management, marketing department
Duration of data processing: until the data subject withdraws their consent
Data transfers: hosting provider, system administrator
Consequences of not providing data: the data subject will not receive newsletters or information about current discounts, promotions, and newly introduced products.
Data processing purposes: telemarketing, marketing-related communication
Legal basis for data processing: consent of the data subject – GDPR Article 6(1)(a)
Categories of data subjects: customers who have consented to telemarketing
Scope of processed data: name, phone number
Who can access the data within the data controller’s organization: management, marketing department
Duration of data processing: until the data subject withdraws their consent
Data transfers: system administrator
Consequences of not providing data: the data subject will not receive phone notifications about current discounts, promotions, and newly introduced products.
Data processing purposes: complaint handling, investigation of warranty claims
Legal basis for data processing: necessary for compliance with a legal obligation – GDPR Article 6(1)(c)
Categories of data subjects: customers submitting complaints
Scope of processed data: unique complaint identification number, consumer's name, address, place and time of complaint submission, method of complaint submission, list of documents, records, and other evidence submitted by the consumer, description of the complaint, place and time of protocol recording, name and signature of the protocol recorder, and in case of product return, product details
Who can access the data within the data controller’s organization: management, customer service
Duration of data processing: for complaint records and copies of responses to written complaints: five years, according to Section 17/A (7) of the Consumer Protection Act (Fgytv.). For duplicate copies of entries in the customer complaints book: two years
Data transfers: no data transfers
Consequences of not providing data: the data subject will not be able to exercise their consumer rights
Data processing purposes: providing information, responding to inquiries
Legal basis for data processing: consent of the data subject – GDPR Article 6(1)(a)
Categories of data subjects: customers sending messages
Scope of processed data: name, email address, message content
Who can access the data within the data controller’s organization: management, customer service
Duration of data processing: messages will be deleted within 30 days after the communication ends (unless another data processing purpose applies)
Data transfers: no data transfers
Consequences of not providing data: the data subject will not be able to ask questions via email
* Act CL of 2017 on the order of taxation, section 9(e), section 77(1), accounting act, section 169(2)
** Act CLV of 1997 on consumer protection, section 17/A (3)-(7).
Attention!
If the legal basis for data processing is your consent, you can provide it by checking the checkbox on the website when entering your personal data, for each data processing purpose (e.g., during registration or ordering).
If personal data is provided outside the website, you can give your consent separately via email or in writing on paper.
Please note that if you contact the data controller via email for the first time to request information or clarification regarding a product or service before placing an order, the data controller will become aware of the personal data included in the email. By sending the message, you consent to the processing of this data (GDPR Article 6(1)(a)).
You may withdraw your consent at any time in accordance with section 9 of this privacy notice. Upon withdrawal of consent, your personal data will be deleted (see section 7.3).
According to the definitions outlined in the preamble, this privacy notice—in compliance with the legal regulations listed in section 3—protects the personal data of natural persons. This is because the data of sole proprietors, business entities, and civil organizations are publicly available in official registers (e.g., company register, sole proprietors’ register, civil organizations’ register).
Consequently, the processing of data from public registers for sole proprietors, business entities, and civil organizations does not require consent.
6. Information about cookies
A cookie is an alphanumeric information package sent by the web server, which is stored on the user's computer for a predetermined validity period. The use of cookies allows for the retrieval of certain user data and the tracking of their internet usage.
Cookies used by the data controller during the use of the website:
Cookie name: pop_up
Placed by: operator = serverline.hu
Accessible data: anonymous identification of the visitor, marked with a meaningless number
Lifetime: 365 days
Function: anonymous identification of the visitor
Cookie name: pop_up_fe
Placed by: operator = serverline.hu
Accessible data: anonymous identification of the visitor, marked with a meaningless number
Lifetime: 1 hour
Function: anonymous identification of the visitor
Cookie name: webgalamb
Placed by: external service provider = Webgalamb
Accessible data: anonymous identification of the visitor
Lifetime: until the browsing session ends
Function: enables newsletter subscription
Cookie name: cookieconsent_status
Placed by: external service provider = http://silktide.com/cookieconsent
Accessible data: anonymous identification of the visitor
Lifetime: 1 year
Function: acceptance of cookie usage
Cookie name: ssupp.chatid, ssupp.opened, ssupp.vid
Placed by: external service provider = www.smartsuppchat.com
Accessible data: the chat program recognizes the user's location data, browser type, operating system, IP address, and the number of times they have visited the site. This data is provided to the data controller.
Lifetime: until the browsing session ends
Function: enables the functionality of the chat window
Cookie name: _hjIncludedInSample
Placed by: external service provider = https://www.hotjar.com/
Accessible data: heatmap-based visitor behavior analysis with anonymous data
Lifetime: until the browsing session ends
Function: monitoring online service, records visitor activities on the website
Cookie name: _ga
Placed by: external service provider = Google Analytics
Accessible data: style elements required for page display
Lifetime: 2 years
Function: used to distinguish users (Google Analytics)
Google analytics
The data controller primarily uses the Google Analytics program to generate statistics, including measuring the effectiveness of its activities. By using this program, the data controller mainly gathers information about the number of visitors to its website and the amount of time visitors spend on the website.
The program recognizes visitors' IP addresses, allowing it to track whether a visitor is new or returning. Additionally, it can monitor the visitor's navigation path on the website and which pages they accessed.
More information about the cookie can be found in the Google Advertising and Privacy FAQ at the following link: https://www.google.com/intl/hu/policies/technologies/ads/.
Google remarketing
By using the Google remarketing program, the data controller collects DoubleClick cookie data in addition to the standard data provided by Google Analytics. The DoubleClick cookie enables the use of remarketing services, primarily ensuring that visitors to the website later encounter the data controller’s advertisements on available Google advertising spaces.
The data controller utilizes the Google remarketing program for its online advertisements. Its advertisements are displayed on websites by external service providers, such as Google.
The data controller and external service providers, such as Google, use both first-party cookies (e.g., Google Analytics cookies) and third-party cookies (e.g., DoubleClick cookie) together to analyze users’ previous visits to the website, as well as to optimize and display advertisements accordingly.
Facebook remarketing
The data controller uses the Facebook remarketing pixel to enhance the effectiveness of Facebook advertisements and to build remarketing lists. This allows external service providers, such as Facebook, to display advertisements on various websites after a user has visited the website.
remarketing lists cannot be used for personal identification. They do not contain visitors' personal data; they only identify the browser software.
The purpose of using the above cookies is to measure website traffic and generate traffic analytics by collecting anonymized visit data. Based on this data, the data subject cannot be identified either directly or indirectly.
A pop-up sidebar will notify you about the use of the above cookies upon your first visit to the website. You can accept this notification by clicking the "OK" button. Not accepting the notification does not prevent you from visiting the website.
You can delete or disable cookies in your internet browser. Assistance for this can be found at the following links:
https://support.google.com/chrome/answer/95647?hl=en https://support.mozilla.org/en/kb/websites-store-cookies-remove-them https://support.microsoft.com/en/help/278835/how-to-delete-cookie-files-in-internet-explorer
7. The rights of data subjects
7.1. Right of access
The data subject has the right to request information from the data controller regarding the processing of their personal data, including, in particular, the purpose and legal basis of data processing, the processed personal data, the identity of the data processor, and the right to lodge a complaint. The data controller provides this information to the data subject free of charge. However, if the data subject's request is clearly unfounded or excessive—especially due to its repetitive nature—the data controller is entitled to charge a fee (for paper-based information: 10 HUF per page). Requests can be submitted electronically or by post, with the specific rules outlined in section 9.
The data controller will respond to the submitted request in an understandable format as soon as possible, but no later than 25 days from the date of submission.
7.2. Right to rectification
The data subject may request the rectification of their personal data if it does not correspond to reality. They are also entitled to request the completion of incomplete personal data.
For registered users, requests for rectification of personal data can be made by modifying the data within the account created during registration (under the Data Update menu). In all other cases, requests must be submitted as specified in section 7.
Upon receiving the request, the data controller will examine its validity as soon as possible. If the Data Controller deems the request unfounded and refuses to fulfill it, they will notify the Data Subject in writing within 25 days of receiving the request, providing the reasons for the refusal along with information on available legal remedies.
.3. Right to erasure
The data controller deletes the personal data related to the data subject if:
• the data processing is unlawful;
• the Data Subject withdraws their consent to the processing of personal data, and there is no other legal basis for the processing;
• the User's personal data is incomplete or incorrect, and this condition cannot be lawfully rectified, provided that no legal provision prohibits deletion;
• the purpose of data processing has ceased;
• it has been ordered by a court or the National Authority for Data Protection and Freedom of Information.
The deletion requested by the data subject can only apply to data processed based on their consent and does not affect data subject to mandatory data processing as required by law.
Furthermore, the data controller remains entitled to process the user’s personal data even after receiving the deletion request, provided that the processing is necessary for the performance of a contract, compliance with legal obligations, or the enforcement of the data controller’s legitimate interests.
The request must be submitted as specified in section 9.
7.4. Right to restriction of processing
At the request of the data subject, the data controller will restrict data processing in the following cases:
a. The data subject disputes the accuracy of the personal data; in this case, the restriction applies for the period necessary for the data controller to verify the accuracy of the personal data.
b. The processing is unlawful, and the data subject opposes the erasure of the data and instead requests the restriction of their use.
c. The data controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims.
d. The data subject has objected to the processing; in this case, the restriction applies for the period necessary to determine whether the data controller’s legitimate grounds override those of the data subject.
The request must be submitted as specified in section 9.
7.5. Right to data portability
The data subject has the right to receive the personal data they have provided to the data controller in a machine-readable format and to have the data controller transfer these data to another data controller specified by the data subject, provided that the data processing is based on the data subject's consent or a contract (GDPR article 6(1)(a) and (b)). The request must be submitted as specified in section 9.
7.6. Right to object
The data subject has the right to object to the processing of their personal data if the processing or transfer of personal data is necessary solely for the enforcement of the legitimate interests of the data controller or a third party (except in the case of mandatory data processing). The data subject may submit their objection request to the data controller as specified in section 9.
If the data controller finds the data subject’s objection to be justified, the personal data will be deleted immediately.
8. Legal remedies
In the case of unlawful data processing or the rejection of a request for information, rectification, erasure, restriction, data portability, or objection, the data subject may contact the National Authority for Data Protection and Freedom of Information (NAIH). Address: 1125 Budapest, Szilágyi Erzsébet Boulevard 22/c.; Post address: 1530 Budapest, P.O. Box.:5; Email address: ugyfelszolgalat@naih.hu) or may turn to the court of their place of residence or habitual residence.
9. Rules regarding the request submitted by the data subject to the data controller
The data subject must submit the requests specified in this Privacy Notice, as well as the withdrawal of their consent to data processing, in writing to the following address:
Email: info@serverline.hu
Postal Address: 1087 Budapest, Asztalos Sándor Str. 3.
The data controller will promptly review the received requests and fulfill them no later than 25 days from the date of receipt. If the data controller deems the data subject’s request unfounded and refuses to comply, the refusal and its reasons, along with information on available legal remedies, will be communicated to the data subject in writing within 25 days of receiving the request.
The data controller will only send a written notification to the data subject in the case of a request refusal, except for requests specified in Section 7.1.
A request submitted via email will only be considered valid if it is sent from the email address previously provided by the data subject and recorded as personal data. If the data controller has doubts about the requester’s identity, it is entitled to request additional information for verification before processing the request.
10. Procedure in the event of a data protection incident
Data Protection Incident: The accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data.
If you become aware of a data protection incident as defined above in connection with the personal data processed by the data controller, please report it immediately using the contact details provided in section 9.
The data controller will report the data protection incident to the National Authority for Data Protection and Freedom of Information without delay and no later than 72 hours after becoming aware of it, unless the incident is unlikely to pose a risk to the rights and freedoms of the data subjects. Additionally, the Data Controller will take the necessary measures to remedy the incident.
11. Az Adatvédelmi tájékoztató elfogadása, módosítása
By using the website, the data subjects accept the terms of this Privacy Policy.
The data controller is entitled to unilaterally modify this Privacy Policy. The modified Privacy Policy will be published on the website.
12. Processing of job applicants' data
Purpose of data processing: Selection of prospective employees, organization of job interviews.
Legal basis for data processing: Consent of the data subject - GDPR Article 6(1)(a). The data subject provides their consent in a separate declaration when submitting their CV, the necessity of which is highlighted by the data controller in the job advertisement. Please note that if you do not consent to the processing of your data when submitting your CV, the Data Controller will not be able to consider your application, and your CV will be immediately deleted.
Categories of data subjects: Job applicants.
Scope of processed data: Name, birth name, place and date of birth, mother's name, residence, current address, other contact details provided by the applicant (phone number, email address), photograph, education details, professional experience.
Who can access the data within the employer’s organization? Managing Director.
Data transfer: No data is transferred to third parties.
Duration of data processing: Until the conclusion of the selection process.
Consequences of not providing data: The data subject will not be able to apply for the job position.
Effective from: May 25, 2018.
