CASTRUM SEC Gyengeáramú Tervező és Kivitelező Korlátolt Felelősségű Társaság, as the operator of the website accessible at www.castrumsec.hu domain name, hereby publishes information on data processing carried out within the framework of the Website, the services related to the Website, and other services provided by the Data Controller.
With regard to the fact that the purpose of certain data processing activities set out in this Notice, as well as the method of data processing are determined by the Data Controller, it is considered data controller pursuant to Regulation 2016/679 of the European Parliament and of the Council (GDPR) and Section 9(3) of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Information Act).
By accessing the Website and using the services of the Data Controller, users visiting the Website and using the services of the Data Controller (hereinafter: User or Data Subject) accept the terms and conditions set out in this Privacy Notice (hereinafter: Notice).
in the course of data processing, our Company adopts the following principles:
a) personal data are processed in a lawful and fair way that is transparent for you.
b) personal data are exclusively collected for the specified, explicit and legitimate purposes, and they are not processed in ways incompatible with the purposes.
c) the personal data we collect and process are appropriate and relevant for the data processing objectives, and are limited to the necessary extent.
d) our Company shall make all reasonable measures necessary to ensure that the data we process are accurate and up-to-date; any inaccurate personal data shall be erased or rectified.
e) personal data are stored in a way that they can be identifiable only for the duration necessary for achieving the objectives of the personal data processing.
f) the appropriate security of the personal data is ensured by suitable technical and organizational measures against unauthorized or unlawful processing, accidental loss, destruction or damage,
Our Company processes your personal data
a) on the basis of your prior informed and voluntary consent, only to the extent necessary, and always with a certain purpose; processing means collection, recording, organizing, storing and use.
b) in some cases the processing of your data is mandatory and based on regulatory requirements; in such cases your attention will be called to this fact.
c) furthermore, in some cases the processing of your personal data is in the legitimate interest of our Company or a third person; such case may be the operation, development or the safety of our website.
1. Data of the data controller
Company name: CASTRUM SEC Gyengeáramú Tervező és Kivitelező Korlátolt Felelősségű Társaság
Registered address: H-9700 Szombathely, Körmendi u. 92/B.
Email address: firstname.lastname@example.org
Phone number: +36 (94) 509-517
2. Purpose of data processing
2.1. The data processing serves the continuous relationship between the registered Users who use the services of the Website and the Operator, as well as public opinion research. Furthermore, it is used and processed solely for the purpose of providing a higher level of service to the User, in particular in the following areas:
• answering your questions asked on the Website;
• delivering our newsletters;
• for internal records;
• developing Website content;
• information on updates to the Website;
• customizing Website content;
• delivering to the User the publications ordered on our Website.
In case of a job application, the purpose of the processing is
• to contact the Data Subject in relation to the specific job offer;
• to transfer data and CV to the employer advertising the job offer on the basis of the Data Subject’s consent;
• to conduct the selection procedure in relation to the job posting published by the Data Controller;
• to facilitate creating and maintaining of an employment relationship;
• to identify the qualifications, skills and needs of the Data Subject that are relevant to the employment relationship to be created; to provide the Data Subject with a job offer that matches his or her interests and qualifications, skills and needs
2.2. The Data Controller uses the data for the following purposes in relation to the services it provides:
a) The purpose of the data processing is to provide the services of the Website,
b) to contact the Service Provider
2.3. The personal data provided by the User is also used by the Data Controller for statistical purposes, but only in such a way that the personal data are anonymized, so that they are no longer suitable for identification and cannot be linked to any natural person.
3. Scope of the processed data
3.1. We only ask our website visitors for personal data when they want to register or log in.
Personal data provided in connection with registration or using our marketing services may not be combined, and basically it is not our intention to identify our visitors.
Further information regarding data processing can be requested at the email address email@example.com, or at the postal address H-9700 Szombathely, Körmendi u. 92/B.; our response will be sent without delay, within 30 days to the contact details provided by you.
3.2. When the website is visited, the data controller's system automatically records the IP address of the computer of the data subject, the starting time of the visit and, in some cases, depending on the computer's settings, the type of browser and operating system and the geographical location that can be determined on the basis of the IP address. The data thus recorded cannot be linked to other personal data. The data are processed for statistical purposes only. The data controller reserves the right to place a file containing data and cookies on the computer of the data subject.
Some cookies do not require your prior consent. When you first visit our website, you will be provided a short description on them, such cookies are for example authentication cookies, media player cookies, load balancer cookies, session cookies for customizing the user interface, or user-centered secure cookies.
In case of cookies requiring consent – in case data processing starts at the same time of visiting the site – you will be informed by our Company at the time of your first visit, requesting you to accept them.
Our Company does not apply or allow cookies suitable for third persons to collect data without your consent.
Accepting the cookies is not mandatory; however, in this case our Company may not be held liable for the incomplete usability of the website.
The types of cookies we use:
|Cookie name||Legal basis||The purpose and function of data processing||Scope of the processed data||Cookie duration|
|Legitimate interest of the Service Provider.||Ensuring the proper functioning of the website||Technical data necessary for the proper functioning of the website.||The period until the end of the relevant visitor session|
|Consent of the data subject||Collects information about how our visitors use our website.||Data necessary to identify the user and analyze page usage patterns. Details||2 years|
|fr||Consent of the data subject||Cookie used by Facebook, supporting a number of third-party advertising services. ||IP address, cart contents, data about products viewed||3 months|
|_fbp [x3]||Consent of the data subject||Facebook uses this cookie to display third-party advertisements.||IP address, cart contents, data about products viewed||3 months|
|tr||Consent of the data subject||Facebook uses this cookie to display third-party advertisements.||IP address, cart contents, data about products viewed||session|
|IDE||Consent of the data subject||A cookie used by Google's DoubleClick that monitors visitor activity after clicking on an advertisement on a page. its purpose is to measure the effectiveness of advertisements and to personalize advertisements ||IP address, cart contents, data about products viewed||1 year|
|ads/ga-audiences||Consent of the data subject||A cookie used by Google AdWords that interacts with users in order to encourage them to make a purchase based on their activity across different sites. ||IP address, cart contents, data about products viewed||session|
For more information about third-party cookies see: https://www.google.com/policies/technologies/types/ for data protection see: https://www.google.com/analytics/learn/privacy.html?hl=hu olvashat.
4. Duration of data processing
4.1. Personal data shall be deleted immediately upon the termination of the purpose of processing or upon the User's request, except for data that the Data Controller is obliged to keep for the period specified in the legislation imposing mandatory data processing.
4.2. In case of applying for a job posting, the Data Controller shall process the personal data for the duration of the purpose of the processing, that is, in case of a specific job offer, until the time of the administration of the job offer, and in the case of a job offer to the Data Subject that matches his interest or choice, until the purpose of the processing is fulfilled or until the Data Subject requests the deletion of the data or withdraws his consent.
5. Data transfer
5.1. We are only entitled to transfer your data within the framework specified by legislation; in case your data are processed by our data processors, contractual terms are specified to ensure that your personal data may not be used for purposes other than the ones you consented to.
5.2. Our Company does not transfer data abroad.
5.3. The Court of Justice, the public prosecutor’s office, or other authorities (e.g. police, tax authority, National Authority for Data Protection and Freedom of Information) may request information, data or documents from our Company. In such cases we are required to comply with our data reporting obligation, but only to the extent necessary for fulfilling the purpose of the request.
6. Data processing
6.1. Scope of the processed data
|Description of the activity, and purpose of data processing||Legal basis||Data processed||Duration||Registration number|
|Visiting the webpage|
The purpose is to ensure the proper and high-quality functioning of the website, to monitor and improve the quality of our services, to identify malicious visitors who attack our website, to measure the number of visitors, and for statistical purposes
|Legitimate interest of our Company||IP address, the time of visiting based on the visited subpages, type of the operating system and browser you use||1 month|
|Registration on the website|
The purpose is to provide our visitors with a more complete user experience, notification of downtime, changes in the availability of our Company, etc.
|consent||last name, first name, email address||until the deletion of registration or until consent is withdrawn|
Purpose: maintaining contact, informing you about new promotions, new products
|consent||full name, email address, other optionally provided data, e.g. area of interest, place of residence, etc.||until newsletters are unsubscribed|
|Direct marketing service|
we create and send you personalised offers based on our analysis of your consumer habits, contact you for marketing purposes, send you information about our products and services
|consent||full name, email address, telephone number (optional) other optional data such as your interests, place of residence, etc.||until direct marketing services are unsubscribed|
response to comments and complaints
|legal obligation||full name, email address, telephone number, mailing address, other personal message||5 years|
6.2 Data processing on our Website
You provide your personal data voluntarily during registration or communication with our Company, therefore we kindly ask you to pay particular attention to the authenticity, correctness and accuracy of the entered data, as this is your responsibility. Any incorrect, inaccurate or incomplete data may inhibit the use of our services.
In case you enter the personal data of another person instead of your own, it is presumed that you have the necessary consent of such person.
You are free to withdraw your consent to data processing at any time
• by cancelling the registration,
• by withdrawing consent to the data processing, or
• by withdrawing any consent to the processing or use of any data entered in the mandatory fields during registration, or by requesting the blocking thereof.
Due to technical reasons, we commit to registering the withdrawal of such consent within 30 days, however, please note that we are entitled to process certain data after the withdrawal of your consent, in case it is required in order to fulfill our legal obligations, or to enforce our legitimate interests.
In case misleading personal data are used, or if any visitor commits a criminal offense or attacks the system of our Company, the registration of such visitor will be terminated, and at the same time any relevant data will be deleted without delay, or - if deemed necessary - the data will be preserved during the period of conducting the procedures for determining civil liability or during any criminal proceedings.
7. Data security
7.1. The Data Controller obliges to ensure the security of the data, to take technical and organisational measures and to establish procedural rules to ensure that the data recorded, stored or processed are protected, and to prevent their destruction, unauthorised use or unauthorised alteration. It also obliges to require all third parties – to whom it transfers or discloses data on the basis of the consent of the Data Subject – to comply with the requirements of data security.
7.2. The Data Controller ensures that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The processed data may only be accessed by the Data Controller, its employees and the Data Processor(s) it employs, and shall not be disclosed by the Data Controller to third parties who are not entitled to access the data.
7.3. The Data Controller makes every effort to ensure that the data are not accidentally damaged or destroyed. The Data Controller shall also enforce compliance with the above obligation in respect of its employees involved in the processing activity.
7.4. The Data Subject agrees and accepts that – despite the fact that the Data Controller has state-of-the-art security measures in place to prevent unauthorised access to or interception of the data – the protection of the data cannot be fully guaranteed on the Internet when providing personal data on the Website. In the event of unauthorised access or disclosure despite our efforts, the Data Controller shall not be liable for any such data acquisition or unauthorised access or for any damage suffered by the Data Subject as a result thereof. In addition, it may also occur that the Data Subject provides his personal data to third parties who may use it for unlawful purposes or in unlawful ways.
7.5. The Data Controller ensures data security of in the most state-of-the-art way possible. The Data Controller obliges to immediately suspend the service and publish a statement in the event of a personal data breach despite the measures set out above, until such incident is resolved, and to keep records of the personal data breach and the measures taken.
8. Persons authorized to have access to the personal data, data processing
8.1. The Data Controller and those Employers are entitled to access the Data Subject’s data in respect of which the Data Subject has explicitly consented to the transfer of his personal data.
8.2. The Data Processors engaged by the Data Controller are entitled to access the personal data in accordance with the applicable legislation.
8.3. The data are processed by the following data processors acting on behalf of the Data Controller:
In order to provide high quality service to our customers, our Company – in the course of data processing – engages the following data processors:
|IT Revolution Hungary Kft.||9700 Szombathely Szent István király u. 83.||IT services|
|Klausz Kft.||1026 Budapest, Gábor Áron u. 61.||database maintenance and processing, report preparation|
In case the scope of the data processors is modified, the appropriate modifications shall also be made in this Policy.
8.4. The Data Controller reserves the right to engage additional data processor in the future in the data processing, of which it will inform the Users by amending this Notice.
8.5. Unless expressly provided for by law, the Data Controller shall only disclose to third parties personally identifiable information with the express consent of the User concerned.
9. Rights of the User
9.1. Upon the User’s request, the Data Controller shall provide information concerning the personal data relating to him and processed by the Data Controller, the sources from where they were obtained, the purpose, grounds and duration of processing, the name and address of the data processor and its activities relating to the data processing, the circumstances and effects of the personal data breach and measures taken with a view to eliminate them and – in case of personal data transfer of the data subject – the legal basis of the transfer and the recipient. Information can be requested by providing proof of identity and providing a mailing address. The Data Controller shall respond in writing within 25 (twenty-five) days following receipt of the request.
9.2. The User has the right to request the rectification of his personal (indicating the correct data). Rectification by providing proof of identity and mailing address. The Data Controller shall immediately carry out the rectification and shall notify of such fact the Data subject in writing.
9.3. In addition to the above, the User may at any time request the deletion or blocking of his data, in whole or in part, without giving any reason, by providing proof of his identity and a mailing address. Upon receipt of the request for erasure, the Data Controller shall, without undue delay, but no later than within 3 (three) working days, ensure the cessation of the data processing, except for any personal data specified in the law imposing mandatory processing, and shall erase the User from its records.
based on the above, the Data Controller deletes the provided data if:
• they are managed unlawfully, or their deletion is required by law;
• it is requested by the data subject;
• the data are incomplete or incorrect, which renders their use impossible;
• the purpose of data processing no longer exists;
• it is so ordered by any authority or court of justice.
Personal data shall be blocked instead of erasing if so requested by the Data Subject, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the Data Subject. Blocked data may still be processed as long as the purpose of data processing that has excluded the option to delete the personal data exists.
9.4. If the Data Controller does not fulfill the Data Subject’s request for correction, blocking or erasing, within 25 (twenty-five) days following the receipt of the request the factual and legal causes of the disapproval of the request for correction, blocking or erasing shall be communicated. Where correction, blocking or erasure is refused, the Data Controller shall inform the Data Subject of the possibilities for seeking judicial remedy or lodging a complaint with the National Authority for Data Protection and Freedom of Information.
9.5. The data subject has the right to object to the processing of his personal data
• if processing or disclosure is carried out solely for the purpose of discharging the Data Controller’s legal obligation or for enforcing the rights and legitimate interests of the Data Controller, the recipient or a third party, unless processing is mandatory;
• if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and
• in all other cases prescribed by law.
9.6. In the event of objection, the Data Controller shall investigate the cause of objection within the shortest possible time, but within 15 days at the latest, adopt a decision as to merits and shall notify the data subject in writing of its decision. If the Data Subject disagrees with the decision made by the Data Controller, or the Data Controller fails to meet the respective deadline, the Data Subject shall have the right to turn to court within 30 days following the communication of the decision or the last day of the deadline.
10. Managing and reporting a personal data breach
10.1. A personal data breach is any event that results in the unlawful handling or processing of personal data processed, transferred or stored by the Data Controller, in particular unauthorised or accidental access, alteration, disclosure, deletion, loss or destruction, accidental destruction or accidental damage to personal data.
10.2. Without undue delay, but not later than 72 hours after becoming aware of a personal data breach, the Data Controller shall report the personal data breach to NAIH, unless the Data Controller is able to demonstrate, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be made within 72 hours, the reasons for the delay should accompany the notification, and information may be provided in phases without undue further delay. reporting to NAIH shall include at least the following information:
• nature of the personal data breach, including the number and category of data subjects and personal data;
• name of the Data Controller, contact details;
• likely consequences of the personal data breach;
• measures taken or planned to manage, prevent or remedy the personal data breach
10.3. The Data Controller shall notify the data subjects of the personal data breach within 72 hours of the discovery of the personal data breach through the Data Controller's website. The notification shall contain at least the information specified in this point.
10.4. The Company shall keep record of any personal data breach for the purpose of supervising the measures taken in connection with the personal data breach, and for informing the data subjects. The records shall contain the following data:
• scope of the personal data concerned;
• scope and number of persons affected;
• time and date of the personal data breach;
• circumstances and impacts of the personal data breach;
• measures taken for remedying the personal data breach.
10.5. The Data Controller shall keep the data in the records for 5 years from the date of the personal data breach.
11. Legal remedies
11.1. The Data Controller shall make every effort to ensure that the processing of personal data is carried out in accordance with the law, however, if the Data Subject feels that this has not been complied with, he may write to the e-mail address: firstname.lastname@example.org or to the mailing address: H-9700 Szombathely, Körmendi u. 92/B.
11.2. If the Data Subject feels that his or her right to the protection of personal data has been infringed, he or she may, in accordance with applicable legislation, seek legal remedy from the competent bodies.
Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information
Registered address: H–1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: H–1530 Budapest, Pf.: 5.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
- in court (in this case the court shall act out of turn and the proceedings shall be free from charges). At the data subject’s own discretion, the data protection proceedings may as well be initiated at the tribunal court at the address or temporary place of residence of the data subject. A foreign national may also turn to the competent supervisory authority of his/her place of residence.
11.3. The National Media and Infocommunications Authority acts in relation to advertising sent by electronic means (Newsletter), the detailed regulations are available in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information and Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
12. Applicable law
- regulation 2016/679 of the European Parliament and of the Council on the processing of personal data of natural persons (GDPR)
- Act CXII of 2011 on informational self-determination and the freedom of information
- Act V of 2013 on the Civil Code
- Act CVIII of 2001 on certain issues concerning on electronic commerce and on information society services
- Act C of 2003 on electronic communication
- Act CLV of 1997 on consumer protection
- Act CLXV of 2013 on complaints and public interest disclosures .
- Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities
13. Validity, modification
This Notice is effective from 25 May 2018 The Notice is continuously available on the website of the Data Controller at /castrumsec.hu/. The Data Controller reserves the right to amend the Notice. The Data Controller shall publish any amendments to the Notice on the website, and any amendments shall only be effective after publication.