TALENTUM Limited Liability Company PRIVACY NOTICE

Transcription

1 TALENTUM Limited Liability Company PRIVACY NOTICE I. Purpose and scope of the Notice 1.1 The purpose of this Notice is to lay down the data protection and processing principles of TALENTUM Ltd. and to describe the privacy policy of the company, which the company as a controller considers as binding. 1.2 This Notice contains the principles of processing of personal data provided by the Users on the websites of the Company or by the Customers in person. 1.3 The company relied especially on the provisions of the Regulation of the European Parliament and of the Council 2016/679 ( General Data Protection Regulation /GDPR/), Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information ( Infotv ), Act V of 2013 on the Civil Code ( Ptk. ) and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities ( Grtv. ) when establishing the provisions of this Notice. 1.4 Unless it is provided otherwise, the scope of this Notice does not extend to services or processing that relate(s) to promotions, prize games, services, other campaigns or contents disclosed by third parties other than the operator of the particular website and the Controller, advertising on the websites referred to in this Notice below or otherwise appearing on them. Similarly, unless otherwise stated, the scope of the Notice does not extend to services and processing of websites and service providers which are visited through a web link from websites falling within the scope of the Notice. Such services are governed by the provisions of the privacy notice of the third party operating the service and the Controller shall not be liable to any extent for such processing. II. Definitions 2.1. Processing: irrespective of the applied procedure any operation or set of operations which is performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making such data available, disclosure, alignment or combination, restriction, erasure or destruction. 2.2 Controller: the party which either individually or in co-operation with others defines the purpose and tools of Processing. For the purposes of the Services referred to in this Notice the Controller is TALENTUM Ltd. (registered office: A-9700 Oberwart, Wienerstrasse 10.; registering authority: Metropolitan Court of Eisenstadt, company registration number: FN ; tax number: ATU ). In addition, in the case of a number of services the operator of the service also pursues an individual processing activity, in the case of which the Service Operator is the controller. The processing activities pursued by the operators of the individual Services are governed by the provisions of the privacy notice published by the operator of the given Service on the website of the Service. 2.3 Personal Data or data: any data or information based on which a natural person, as a User, becomes directly or indirectly identifiable Processor: the service provider which processes personal data on behalf of the controller. For the purposes of the services referred to in this Notice, Processors may be: TALENTUM Ltd. (registered office: A-9700 Oberwart, Wienerstrasse 10.; registering authority: Metropolitan Court of Eisenstadt, company registration number: FN ; tax number: ATU ).

2 2.5 Service(s): publications and services operated by the Controller or by service providers contracted by the Controller, on the websites of which the Controller processes data. These publications and services are the services of the Controller, i.e., the group of services available and listed on the website at User: a natural person who registers for the Services or personally provides data listed in Section III to the Controller. 2.7 External Service Provider: third party service partners the service of whom is used by the Controller or the operator of the Service for the supply of specific services either directly or indirectly, to whom the Personal data are or may be transferred and who may transfer Personal data to the Controller in order to supply their services. Furthermore, External Service Providers are also service providers who do not have any cooperation with the Controller or the operators of the Services but as they access the websites of the Services and collect data about the Users which, either individually or consolidated with other data, may be suitable for identifying the Users. In addition, in the course of the hosting service the Controller also considers the User an External Service Provider in terms of the processing activity pursued on the post machine used by it. 2.8 Notice: this privacy notice of the Controller. III. Processed personal data: 3.1 If the User visits the Service interface, the Controller s system automatically records the User s IP address. 3.2 Depending on the User s decision, the Controller may process the following data in relation to the use of the Services: name, nickname, gender, home address, address of temporary residence, post code, place of birth, date of birth, phone number, address, second address, introduction, avatar, last login IP address, last login time. 3.3 If the User sends an to a Service provider (message, customer letter) the Controller records the User s address and processes it to the extent and for the period required for the supply of the Service. 3.4 Irrespective of the above provisions the service provider technically related to the operation of the Services may still pursue processing activities on any of the websites without notifying the Controller about it. Such activity is not construed processing by the Controller. The Controller shall take all reasonable efforts to prevent and eliminate such processing. IV. Other data processed by the Controller 4.1. In order to offer a personalised service, the Controller may place a small data package known as cookie, in the computer of the user. The purpose of the use of the cookie is to improve the quality of operation of a particular page, to facilitate personalised services and to enhance the user experience. Users can delete cookies from their own computers and may also set up their browser to block cookies. By blocking cookies, the User accepts that without the cookies the particular page will not function fully. 4.2 While providing personalised services the Controller uses cookies and processes the following Personal Data: demographic data (based on the data referred to in Sections 3.2 and/or 3.4 above) as well as interests, information, habits, preferences (based on the browser history). 4.3 Technically registered data during the operation of systems: data of the User s login computer which are generated during the use of the Service and which the Controller s system registers as the automatic result of the technical processes. The system logs the automatically recorded data without any specific User declaration or action, when the User logs in or out. V. Purpose and legal ground of the processing: 5.1 Purpose of the processing by the Controller:

3 a) to identify the User and to maintain contact with them, b) to identify User rights (services used by the User); c) to promote the customisation of the Services and advertisements used by the User and to use the comfort functions; d) to manage and implement individual user requests; e) to prepare statistical analyses; f) to contact users for direct and non-direct marketing purposes (e.g., newsletter, etc.) g) to organise and implement prize games, notify the winners and to supply the prizes to them in specific cases; h) to perform the technical development of an IT system; i) to protect the rights of Users; j) to enforce the legitimate interests of the Controller. The Controller declares not to use the provided Personal Data for purposes other than specified in this Notice. 5.2 Processing takes place on the basis of voluntary declaration of the Users that is provided on the basis of adequate prior information. The declaration contains the explicit consent of the Users to the use of their Personal Data provided by them and the Personal Data generated about them while they use the page. When processing is based on consent, the User may withdraw their consent at any time, but it will affect the lawfulness of processing prior to the withdrawal. 5.3 When the User logs in to various websites, the Controller registers the User s IP address in relation to the supply of the Service, the legitimate interest of the Controller and the lawful supply of the Service (e.g., in order to eliminate unlawful use or unlawful content) even without the User s specific consent. If the webshop service is used, the legal ground of processing also includes the conclusion and execution of the contract established by the User. 5.4 When the legal ground of Processing is a significant legitimate interest of the Controller, the Controller performs and will also perform in the future the interest balancing test in compliance with the applicable provisions of the GDPR, which confirms that the legitimate interest of the Controller in the particular Processing is stronger than the rights and freedoms of the data subject related to the Processing. If there is a specific request to do so, the Controller shall provide information to the data subject on the contents of this paragraph in accordance with this Notice. 5.5 Data may not be transferred to the Processors defined in this Notice without the User s specific consent. Unless the law provides otherwise, Personal Data may only be disclosed to third parties or authorities on the basis of an effective decision of an authority, or with the prior explicit consent of the User. 5.6 The User warrants having obtained the consent of the natural person data subject lawfully for the processing of personal data provided or made accessible by them about other natural persons during the use of Services (e.g., during the disclosure of the content generated by the User etc.). The User shall be fully liable for the shared User content uploaded into the Services by the User. 5.7 Whenever any User provides an address or other data during registration (e.g., user name, ID, password, etc.) they also undertake that only they will use the service from the specified address or by using the data provided by them. In view of that responsibility, any responsibility associated with any log-in made from the specified address and/or data shall lie with the User who registered the address and provided the data. VI. Processing principles and method 6.1 The Controller processes Personal Data in accordance with the principles of good faith, fairness and transparency, as well as the provisions of the effective legal regulations and the provisions of this Notice. 6.2 The Controller uses the Personal Data absolutely necessary for using the Service son the basis of the consent of the data subject User and only for the limited purpose.

4 6.3 The Controller processes Personal Data only for purposes defined in this Notice and the applicable legal regulations. The scope of processed Personal Data is proportionate with the purpose of processing, and may not exceed it. Whenever the controller intends to use the Personal data for any purpose other than the intended purpose, it shall inform the User and obtain prior explicit consent from the User for that, also providing an opportunity to prohibit the use of data for such purposes. 6.4 The Controller does not verify the Personal Data supplied to it. Only the person supplying the data is responsible for the accuracy of the provided Personal Data. 6.5 Personal Data of data subjects who have not yet completed 16 years of age may only be processed with the consent of the person of major age exercising parental supervision over them. The Controller may not verify the eligibility of content of the declaration of the person providing consent, and therefore the User or the individual exercising parental supervision over them warrants that the consent complies with the laws and regulations. Without a declaration of consent the Controller does not collect any personal data about the data subjects who are under 16 years of age, with the exception of the IP address used during the Service, which is registered automatically given the nature of online services. 6.6 The Controller does not transfer the Personal Data managed by it to any third party other than the Processors defined in this Notice and to third parties other than External Service Providers in certain cases referred to in this Notice. The use of data in a statistically aggregated form, which may not contain in any form the name or any other data suitable for the identification of the User concerned, therefore is not deemed data control or data transfer, is an exception from the rule stated in this section. The Controller makes accessible the available Personal Data of data subject Users to third parties in certain cases such as an official request from a court or the police, legal proceedings based on the violation of copyrights, property rights or other rights or a thorough suspicion thereof, infringement of the Controller s interests, threat to the supply of Services, etc. 6.7 The Controller s system may collect data about the Users activity, which may not be interconnected with the other data provided by the Users during registration or with the data generated during the use of other websites or services. 6.8 The Controller informs the data subject User of the rectification, restriction or erasure of the Personal Data processed by it to whom it transferred Personal Data for processing purposes before. Notification is not required if it does not violate the legitimate interest of the data subject in light of the purpose of processing. 6.9 The Controller ensures the security of Personal Data and to take all technical and organisational measures and put in place the procedural rules that ensure the protection of all collected, stored and processed data, as well as to prevent the accidental loss, unlawful destruction, unlawful access to, unlawful use and unlawful alteration as well as distribution of data. The Controller instructs each third party to perform that obligation to whom it transfers Personal Data In view of the applicable provisions of the GDPR, the Controller is not obliged to appoint a data protection officer. VII. Duration of processing 7.1. The Controller stores the automatically registered IP addresses for no more than 7 days. 7.2 If the User is not registered, the Controller erases the address from which the User sent an e- mail, on the 90 th day from the closing of the case referred to in the inquiry, unless in individual cases it is in the legitimate interest of the Controller to continue processing the Personal Data as long as that legitimate interest prevails. 7.3 The Personal Data provided by the User will be processed until the User de-registers from the Service with the particular user name or otherwise requests the erasure of their Personal Data. In such cases the Personal Data will be deleted from the Controller s systems. The Personal Data provided by the User may be processed by the Controller until the User expressly requests the termination of Processing in writing

5 even if the User does not de-register from the Service, or by cancelling the registration only the login option was terminated but the comments contained and the content uploaded there are retained. The User s request to terminate Processing or de-register from the Service does not affect the User s right to use the Service but unless Personal Data are supplied, the User may not be able to use certain Services. 7.4 Whenever unlawful or deceiving Personal Data are used or the User commits a crime or attempts an attack against the a system the Controller shall, simultaneously with the termination of the User s registration, have the right to immediately erase the User s Personal Data however, if a crime or civil liability is suspected, the Controller may also keep the Personal Data for the duration of the proceedings to be conducted. 7.5 Data registered automatically and by the use of technical means during the operation of the system are stored in the system for the period necessary for ensuring the operation of the system. The Controller guarantees that such automatically registered data may not be connected with other Personal Data with the exception of cases in which such interconnection is mandatory. If the User withdraws consent to the processing of the Personal Data or de-registers from the Service, their identity shall no longer be inferrable from the technical data, with the exception of identification carried out by law enforcement and their experts. 7.6 When a court or authority effectively orders the erasure of Personal Data, the Controller shall execute the erasure. Upon User request or if there are reasonable grounds to believe that erasure could violate the legitimate interest of the User, the Controller shall, instead of such mandatory erasure, restrict access and use of the Personal data and inform the User. The Controller shall not erase Personal Data as long as the processing objective that precluded the erasure of the Personal Data prevails. VIII. User rights, method of enforcement 8.1 The User may request the Controller to inform them whether they process the User s Personal Data and if so, to provide them with access to the Personal Data processed by the Controller. The Personal Data provided by the User in relation the particular Service may be checked in the settings of the login system of the Services and on the profile pages on the individual Services. Nevertheless, the User may also request information about the processing of Personal Data in writing at any time, in a letter sent to the Controller s address by registered mail or registered mail with acknowledgment of receipt or via sent to office@cheesesprachschule.at or in a letter mailed to the following address: A-9700 Oberwart, Wienerstrasse 10. The Controller considers any request for information received in a letter authentic if the submitted request is sufficient to clearly identity the User. The Controller considers any request for information sent by authentic only if it is sent from the User s registered address, but prior to providing the information the Controller may also identify the User in a different way. The request for information may be extended to include the data of the User processed by the Controller, their sources, the purpose and legal ground as well as duration of Processing, the name and address of Processors, the activities relating to processing and, when Personal Data are transferred, the parties who received or still receive data of the User and the related purpose. 8.2 The User may request the rectification or modification of their Personal Data processed by the Controller. If the purposes of the data processing warrants it, the User may also request the amendment of any incomplete personal data. The Personal Data provided by the User in relation to the particular Service may be modified in the settings of the login system of the Services and on the profile pages on the individual Services. No longer existing (erased) data can no longer be recovered after requests for the modification of personal data have been fulfilled. 8.3 The User may request the erasure of their Personal Data processed by the Controller. The erasure may be rejected on the following grounds: (i) exercising the right to the freedom of expressing an opinion and obtaining information, (ii) the law provides authorisation for the processing of Personal Data or (iii) for the presentation, enforcement or protection of legal claims. The Controller shall always inform the User of the rejection of the request for erasure and specify the reason for such rejection. No longer existing (erased) data can no longer be recovered after requests for the erasure of personal data have been fulfilled.

6 8.4 Subscription to newsletters sent by the Controller may be cancelled through the unsubscribe link included in them. In the case of such unsubscription the Controller erases the Personal Data of the User from the newsletter database. 8.5 The User may request the Controller to restrict the processing of their Personal Data if the User disputes the accuracy of their processed Personal Data. Such restriction shall only be maintained for the time the controller needs verify the accuracy of the personal data; If the accuracy of a personal data item is contested by the User and its accuracy or inaccuracy cannot be ascertained beyond doubt, the controller shall mark that personal data item for the purpose of referencing. The User may also request the Controller to restrict the processing of their Personal Data processing if it is unlawful but the User is against the erasure of the processed Personal Data, and instead requests the restriction of their use. Furthermore, the User may also request the Controller to restrict the processing of their Personal Data if the purpose of Processing has been achieved but the User requests the processing of data by the Controller for the presentation, enforcement or protection of legal claims. 8.6 The User may request the Controller to transfer Personal Data supplied by the User and processed by the User in an automated manner in a segmented, widely used, machine-readable format, and/or to transfer them to a different Controller. 8.7 The User may object to the processing of their Personal Data if any of the following criteria prevails: (i) processing of the data is required only for performing a legal obligation of the Controller or it is necessary for the enforcement of a legitimate interest of the Controller, the operator of a Service or a third party; (ii) the purpose of Processing is carrying out a direct marketing activity, a public opinion survey or scientific research; (iii) the purpose of the processing activity is to fulfil a task in the public interest. The Controller assesses the lawfulness of the User s objection and upon conclusion that the objection is justified, will stop the processing and block the Personal Data and shall notify all parties to whom the Personal Data affected by the objection were previously transferred, about the objection and the measures taken accordingly. IX. Data processing 9.1 The Controller uses the processors specified above in this Notice to perform its activities. 9.2 The processors do not adopt individual decisions, they may only proceed according to the contract concluded with the Controller, and the received instructions. After 25 May 2018 processors register, control and process the Personal Data controlled, processed and transferred to them by Controllers, in compliance with the provisions of the GDPR and shall issue a declaration about this compliance to the Controllers. 9.3 The Controller monitors the activities of the processors. 9.4 The Processors may only employ further processors with the Controller s consent. X. Third-Party Service Providers 10.1 The Service operators or the Controller frequently employ third-party Service Providers for the supply of the Services. The Controller cooperates with such third-party Service Providers. With regard to the Personal Data processed in the systems of third-party Service Providers the provisions of the privacy notice of the third-party Service Providers shall be applied. The Controller shall take all reasonable efforts to make sure that the third-party Service Providers process the Personal Data transferred to them in compliance with the legal regulations and use them only for the purpose defined by the User or specified in this Notice below. After 25 May 2018 third-party Service Providers shall register, manage and process Personal Data transferred to them by the Controllers and managed or processed by them in compliance with the provisions of the GDPR and shall issue a declaration about such compliance to the Controllers. The Controller informs the Users of the data transfer to third-party Service Providers in this Notice Third-party Service Providers to facilitate the registration/login process The Service operators and/or the Controller cooperate with third-party Service Providers who offer applications to facilitate the registration and login process for the Users of the Services. Within the framework of this cooperation certain Personal Data (e.g., IP address, registration name) are transferred to the Controller and/or Processor

7 by such third-party Service Providers. The collection, processing and transfer of Personal Data these thirdparty Service Providers carry out are governed by the privacy policies of the third-party Service Providers. XI. Data transfer facility 11.1 The Controller is entitled and obliged to transfer any personal data available and regularly stored by them, to the competent authorities, such transfer of which they are legally obliged to carry out, by the applicable law or an effective order of an authority. The Controller may not be held liable for such data transfer and any consequences thereof If the Controller passes on the content supply on the pages of the Services and the hosting service operation or utilisation to a third party either in part or in full, then the Personal Data processed by the Controller may also be transferred to such third party in part or in full without requesting any specific consent of the User but with adequate prior information to the Users, the data may be transferred to the new operator on condition that such data transfer may not create a situation worse for the User then the situation defined by the processing rules stated in the currently effective text of this Notice. In the case of data transfer under this Section, the Controller provides an opportunity to the Users to object to the data transfer prior to the commencement of the transfer. In the case of an objection the transfer of data of the particular User as per the provisions within this Section, cannot proceed The Controller keeps data transfer records to verify the legitimacy of data transfer and also to provide information to the User. XII. Modification of the Privacy Notice 12.1 The Controller reserves the right to modify this Notice with a unilateral decision at any time With the next login the User shall accept the currently effective provisions of the Notice and beyond that the consent of the individual Users will not be required. XIII. Law enforcement options 13.1 Should you have any question or remark about the processing of your data, please contact the members of staff of the Controller via at office@cheesesprachschule.at 13.2 Users may submit complaints relating to processing directly to the Austrian National Authority for Data Protection and Freedom of Information The User may seek legal remedy in court if they deem their rights to have been violated. Such disputes shall be settled by the competent general court. Depending on the choice of the data subject, such a dispute may also be litigated by the general court at the permanent or temporary residence of the data subject. Upon request the Controller shall inform the User of their options and instruments for seeking legal remedy. Oberwart, 2 May 2018 TALENTUM Ltd.