FAIR PROCESSING NOTICE
KACSUKPATENT EURÓPAI SZABADALMI ÉS VÉDJEGY IRODA KORLÁTOLT FELELŐSSÉGŰ TÁRSASÁG
I. Data controller
Data controller: KACSUKPATENT Európai Szabadalmi és Védjegy Iroda Korlátolt Felelősségű Társaság, abbreviated as KACSUKPATENT Kft. (hereinafter: “KACSUKPATENT Kft.” or “Office” or “our Office”).
Representative: Dr. Zsófia Kacsuk Office Director, Patent Attorney
Headquarters: 1139 Budapest, Üteg utca 11. building A, floor 2, door 17
E-mail address: firstname.lastname@example.org
Telephone number: +3617855691
More information may be found about our Office on the main page of our website.
II. Purpose, content and scope of the Fair Processing Notice
The purpose of this Fair Processing Notice (hereinafter: Notice) is to allow our clients, partners, as well as visitors to our website and Facebook, LinkedIn and Google+ pages to reassure themselves that their personal data are secure at our Office, and to provide information on how we use their personal data. In all cases our Office takes all the technical and organisation measures necessary for legal, compliant and secure data processing.
The Notice includes the types of personal data we collect, how we collect the data, what we use them for, and when and for what purposes we share the personal data with other organisations, and the Notice also includes details on the data protection rights and procedural possibilities of the data subjects.
The scope of the present Notice extends to contact via the Office’s website, Facebook, LinkedIn and Google+ pages, as well as to contact with our Office in person, by telephone and e-mail, as well as to data processing activities performed in the course of the fulfilment of commissions given to our Office and of other contracts, and to the processing of data our Office becomes aware of in any other way, and to the private individuals affected by the data processing.
The Fair Processing Notice enters into force when published on our Office’s website.
If you have any question or observation in connection with the Notice, before you use any of our services or give any data in any way to our Office, please contact us via the channels given in the CONTACT menu option.
KACSUKPATENT Kft. reserves the right to unilaterally amend this Notice without preliminary, general notice, with validity after the amendment.
If at any time the Notice cannot be accessed on our website for technical reasons, we will send the currently valid Notice by e-mail at the subject’s request.
III. The legislative background of the data processing
The most important legislation relating to the processing of personal data performed by our Office:
· Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”);
· Act CXII of 2011 on information self-determination and freedom of information;
· Act XXXII of 1995 on patent attorneys (hereinafter: Patent Attorneys Act).
Terms are used in the Notice and during the processing of personal data according to the definitions stated in Article 4 of the GDPR.
The following terms have special significance during the data processing performed by us:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
‘Enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
‘Supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51.
V. The fundamental rules relating to the data processing performed by our Office
V.1. General provisions
Our Office processes personal data if our clients, partners or visitors to our website contact us in one way or another, or make use of our services. The frequent or predetermined forms of data processing are described in detail in section VI of the Notice.
Our Office does not verify the personal data provided to it by the data subject, he or she is exclusively responsible for them being factual.
Our website may contain links pointing to websites operated by third parties, and the websites of third parties may also contain links pointing to our website. We undertake no liability for the content found on websites operated by third parties.
We do not collect information to an unnecessary extent, nor do we collect information that is superfluous or not suitable for achieving the specific objective. Data processing is in all cases bound to the objective.
Our Office does not collect the special categories of data described in Article 9 of the GDPR, and we ask you not to send us such data.
During its operations our Office does not perform automated decision-making or profiling, nor do we use related services.
When using our website the visitors IP address is not saved.
Our Office does not use/uses Google Analytics, Google AdWords remarketing, Facebook Custom Audience services.
V.2. The possible legal bases of data processing
The legal basis of data processing in the course of the operations of our Office, according to Article 6 of the GSPR, may include the consent of the data subject [Article 6(1)a) of the GDPR], the fulfilment of a contract [Article 6(1)b) of the GDPR], the taking of certain necessary steps at the request of the data subject prior to entering into a contract [Article 6(1)b) of the GDPR], compliance with the legal obligation [Article 6(1)c) of the GDPR], protecting the vital interests of the data subject or of another natural person [Article 6(1)d) of the GDPR], realising the legitimate interests of our Office or third parties [Article 6(1)f) of the GDPR], and public interest data processing [Article 6(1)e) of the GDPR]. Should any condition be fulfilled the data processing is legal.
Our Office hereby notifies the data subjects that with regard to data processing based on consent, this consent may be withdrawn at any time on the basis of Article 7(3) of the GDPR. The withdrawal of consent to data processing does not affect the legitimacy of the data processing performed on the basis of consent before the withdrawal. The data subject may withdraw consent in writing, in a documented manner, with indication of the data the withdrawal of consent relates to. Our Office hereby informs the data subjects that the withdrawal of consent will only result in the requested erasure of data, if the processing of the data was exclusively based on the consent of the data subject, and if there was no other legal basis for the data processing.
V.3. Data storage
At the time the Notice enters into force our Office stores the personal data in the following ways:
· on server (local);
· on office desktop computers/laptops;
· via cloud-based backup (Microsoft Azur);
· on cloud-based mail server (Microsoft O362);
· on webserver (website content);
· on the server operating the website (temporary storage of mail sent via the website until forwarded);
· on paper documents;
· data required for telephone communication (name, telephone number) on our administrator’s mobile phone;
· mail arriving to the company e-mail account is stored either on the SIM card or in the memory of our administrator’s telephone via the mail program installed on it, for the duration corresponding to the settings;
· in the cloud in case the data recorded on mobile telephone is saved to the cloud (such as Google’s cloud servers, Apple iCloud servers).
Our Office reserves the right to store personal data in other legal and secure ways in the future.
V.4. Our Office’s internal data processing
Our own internal data protection regulations describe the processes the employees of our Office perform in connection with the processing of personal data.
In our Office the patent attorneys, the deputy patent attorneys, the assistants of the patent attorneys acting in the individual cases, the assistants of deputy patent attorneys, as well as the other employees and collaborators of our Office may access the personal data to the extent necessary to achieve the data processing objectives determined by way of example in section VI. The members and employees of our Office may only use the personal data stored by us for the purposes of the Office, and are obliged to maintain confidentiality while performing their work, as well as with respect to the data they become aware of during the operation of our Office, including personal data.
VI. The typical cases, objectives, and the legal basis of the data processing performed by our Office
Our Office processes personal data especially, but not exclusively, in the following cases:
VI.1. Establishing contact
Only persons over the age of 16 years may establish contact with our Office, via the client contact datasheet on our website, by telephone, e-mail or in person, with respect to that the permission of the legal guardian is required in order for the legal statement containing the consent to the data processing to be valid in the case of a person under the age of 16 years. By using the website’s client contact datasheet, or contacting our Office in any other way, the data subject makes a statement that he or she is over the age of 16 years. Our Office is unable to verify the age or entitlement of the person providing the consent, therefore the data subject is liable for and guarantees that the data provided are factual.
In the case a data subject contacts us for the purpose of requesting an appointment or to obtain an answer to a question we process the following data: e-mail address, name, telephone number. The legal basis of the data processing is the consent on the basis of Article 6(1)a) of the GDPR.
We also process data if our Office initiates the communication while we are performing our services or in relation to them, for the purpose of fulfilling contracts, dealing with affairs, and operating our Office. In such cases the legal basis of the data processing is the performance of the contract or our legitimate interest on the basis of Article 6(1)b) and f) of the GDPR.
VI.2. Drawing up quotes
When drawing up and sending quotes we process the following personal data in order to be able to draw up the quote and the contract in the case the quote is accepted by the data subject: name, residential address, correspondence address, e-mail address, telephone number. The legal basis of the data processing is the conclusion of the contract on the basis of Article 6(1)b) of the GDPR.
VI.3. Concluding contracts
When entering into contracts we process the following personal data in order for the contract to be concluded with our Office: name, residential address, correspondence address, e-mail address, telephone number, and for special contracts, if the subject of the matter or legislative obligation actually requires it, the number of the data subject’s identity card or driving licence, mother’s maiden name, place and date of birth. The legal basis of the data processing is the conclusion of the contract on the basis of Article 6(1)b) of the GDPR.
VI.4. Issuing invoices
When an invoice is issued we process the following data on the payer of the invoice for the purpose of our Office being able to satisfy our legal obligations in connection with the issuing of invoices: name, address. The legal basis of the data processing is the fulfilment of legal obligations on the basis of Article 6(1)c) of the GDPR.
VI.5. Processing the data of adverse parties and their representatives
In our cases we process the following data of the adverse party and his or her representative for the purpose of fulfilling the commissions assigned to us: name, address and the other data given in the submittals. The legal basis of the data processing is our legitimate interest on the basis of Article 6(1)f) of the GDPR.
VI.6. The processing of the data of witnesses, experts, interveners, as well as of other participants in proceedings
In our cases we process the following data of witnesses, experts, interveners, as well as of other participants in proceedings for the purpose of fulfilling the commissions assigned to us: name, residential address, e-mail address, telephone number, and, if the subject of the matter or legislative obligation actually requires it, the number of the data subject’s identity card or driving licence, mother’s maiden name, place and date of birth, and the other data given in the submittals. The legal basis of the data processing is our legitimate interest on the basis of Article 6(1)f) of the GDPR.
VI.7. Data of contact persons
We process the following data of the contact persons of our clients, suppliers and of our partner offices abroad, as well as of the contact persons indicated in any contract concluded with our Office for the purpose of fulfilling our contractual obligations and cooperating with our partners: name, e-mail address, telephone number, and other unsolicited data. The legal basis of the data processing is our legitimate interest on the basis of Article 6(1)f) of the GDPR.
VI.8. Processing work applications
If we wish to recruit employees, or we are sent curricula vitae, or applications, we process the following data of the data subject before concluding any contract, in order for the contract to be concluded: name, residential address, date of birth, e-mail address, telephone number, as well as other data provided in addition to these in the curricula vitae and in the letters sent to our Office. The legal basis of the data processing is consent on the basis of Article 6(1)a) of the GDPR.
VI.9. Handling complaints
In the case that we process disputes or complaints, or we fulfil the requests of data subjects in this, we process the following personal data for the purpose of performing the administration in connection with settling the dispute: name, address, as well as any other unsolicited personal data given in the complaint or communication. The legal basis of the data processing is the fulfilment of our legal obligations on the basis of Article 6(1)c) of the GDPR.
We process the following personal data of the data subject for the purpose of recourse against him or her: name, address, as well as mother’s maiden name, identity card or driving licence number, place and date of birth, if these data were provided to us previously. The legal basis of the data processing is our legitimate interest on the basis of Article 6(1)f) of the GDPR.
VII. Forwarding of personal data, data processing
We do not make personal data accessible to third parties without the permission of the data subject.
Nevertheless, we may share personal data to the extent necessary with other organisations in the following cases:
· if the law or state authority obliges our Office to do so;
· in the interest of fulfilling commissions we may send personal data to, for example, public offices, courts, partner offices abroad, adverse parties participating in proceedings or other persons;
· if we need to share personal data to justify, exercise or protect our rights;
· in the interest of fulfilling our legal obligations we may send personal data to, for example, accountants, or, in the case of reporting invoices or filing tax returns, to the state or local government tax authority;
· if the Office or a part of it is reorganised, sold or transferred;
· if we use other service providers in order to perform our services, such as, for example, for the purpose of operating our website, using IT services, server operation, services for the storage of data or the handling of payment transactions.
We use the services of SalesNet Média Kft. (1174 Budapest, Aranykoszorú köz 6. A. ép. 2.) for the operation of the Office’s website.
Our Office’s data processors perform their service according to the instructions of our Office, they may not make any decisions on the substance of the data processing, they may only process the personal data made available to them according to the instructions given by our Office, furthermore, they are obliged to store, keep and delete the personal data in accordance with the instruction of our Office. The employees and collaborators of the data processor may become acquainted with the data during the data processing.
VIII. Duration of the storage of personal data
On the basis of Article 20(2) of the Patent Attorneys Act, our Office is obliged to keep the documents of concluded cases for five (5) years from their conclusion. In such cases the personal data appearing in the files are stored for at least five (5) years from the termination of the commission as a consequence of our legal obligation, then we delete them on the next occasion when we destroy documents, or before that if requested.
In other cases our Office processes personal data until the contract is fulfilled, but until the next occasion when we destroy documents at the latest, however, if requested we will delete data before this time.
In the case of job applications or other applications our Office processes the personal data until the applications are evaluated, but until the next occasion when we destroy documents at the latest, however, if requested we will delete data before this time. An exception to this is if a contract is concluded with the applicant as a result of the evaluation.
Our Office destroys documents every 5 years. Data stored digitally is deleted after five (5) years.
Messages sent to our Office via the contact menu option on our website are stored temporarily, then promptly sent to our Office’s e-mail addresses and deleted from our website’s storage.
After the durations specified above we only store the personal data for the amount of time necessary depending on the purpose of the data collection or data processing, whether there is any other legal obligation to store the data, or on how long storage is necessary in order to protect the vital interests of the data subjects or other persons, or realise the legitimate interests of our Office or third parties.
IX. Data protection rights
IX.1. Request for information, access right
If requested our Office will provide information to data subjects especially about:
· the purpose of the planned processing of the personal data, and the legal basis of the data processing;
· the categories of the processed personal data, the processed personal data, their recipients and the categories of the recipients to whom or to which our Office has or will transmit the personal data;
· the planned duration of the storage of personal data or the criteria of the determination of this duration;
· the data subject’s right that he or she may request the correction or erasure of the personal data pertaining to him or her, or the restriction of its processing, as well as object to the processing of such personal data;
· the right to submit a complaint with the supervisory authority;
· information on the source of the personal data if the data do not originate from the data subject.
IX.2. Right to correction of data
The data subject is entitled to request that our Office rectify any personal data pertaining to him or her that is inaccurate, and furthermore, with consideration to the purpose of the data processing, to request the completion of any incomplete personal data.
IX.3. Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of his or her personal data based on Article 6(1)e) or f) of the GDPR. In this case our Office may no longer process the personal data except if it proves the existence of compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or that are related to the establishment, exercise or defence of legal claims.
IX.4. Right to erasure (“right to be forgotten”)
The data subject has the right to request our Office to erase the personal data concerning him or her without undue delay, and our Office is obliged to erase the personal data concerning the data subject without undue delay if any of the grounds contained in Article 17 of the GDPR applies.
IX.5. Right to restriction of processing
The data subject has the right to request that our Office restrict the data processing if any of the conditions contained in Article 18 of the GDPR applies.
If data processing is restricted such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.
IX.6. Right to data portability
The data subject is entitled to obtain the personal data concerning him or her, which he or she has provided to our Office in a structured, commonly used and machine-readable format, and is entitled to transmit these data to another data controller in accordance with the conditions set down in Article 20 of the GDPR.
In the course of exercising the right to data portability the data subject has the right to ask for the personal data to be transmitted directly between data controllers, if technically possible. The exercise of this right may not adversely affect the rights and freedoms of others.
X. Handling requests and complaints
In response to any written request according to section IX submitted via any of the communication channels contained in this Notice, our Office will provide the requested information, perform rectification, or erase the data if consent is withdrawn without undue delay, however, within a maximum of thirty (30) days of receipt of the request. If our Office is unable to comply with the data subject’s request, it will inform the data subject of this within thirty (30) days.
Data subjects have the right to submit a complaint to the data protection authority in connection with the processing of his or her personal data performed by our Office:
Hungarian National Authority for Data Protection and Freedom of Information
Address: 1055 Budapest, Falk Miksa utca 9-11.
14th June 2018