Welcome on the website operated by the Nold Technologies Kft.!
Firstly, we would like to inform you that the Nold Technologies Kft. operates the websites www.nold.io, shop.nold.io, cloud.nold.io, as well as the application named Nold Open. Providing some of your personal data is necessary to benefit from the additional services available on these websites and also on the application concerned, in order to provide them for you on the highest possible standards.
Your personal data are collected from third parties in order to let you use the remote control of the electronic lock devices concerned via the application Nold Open.
The purpose of this Policy (hereinafter referred to as Policy) is to specify the principles, objectives and other facts of data processing according to the relevant legislation which defines the reason, the duration and the way of processing your personal data, and the enforcement rights and remedies you have related to the above.
The security and the rightful process of your personal data is extremely important to us, therefore we ask you to read the present Policy closely and carefully. If you have any questions or comments regarding this Policy do not hesitate to contact us on the following e-mail address: firstname.lastname@example.org or in the chat available on the website www.nold.io. Our colleagues will be happy to help you.
Concepts and definitions to be used in this Policy
The following is a brief summary of the most important definitions in this Policy.
- Data process: data process shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data. Data processing is currently only executed by the Controller.
- Data processing registration number: Data processing can be continued only with the data processing registration number requested from the Authority, which purpose is to identify the data processing. The Controller shall indicate the data processing numbers in every case when he/she forwards, discloses or releases to the Data Subject.
- Data processing: data processing shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings.
- Controller: shall mean Nold Technologies Korlátolt Felelősségű Társaság who has the exclusive right to make and implements such decisions in connection with the Data Subject’s personal data. The Controller’s data:
- Seat and mailing address: H-2142 Nagytarcsa, Szent Imre herceg utca 19.
- Company registration No.: 13-09-174198 (registered by the Budapest-Capital Environs Regional Court)
- Tax ID No.: 25145256-2-13
- E-mail: email@example.com
- Application: shall mean the application Nold Open which is downloadable for iOS and Android systems.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Grt.: Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.
- Authority: Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; e-mail: firstname.lastname@example.org; website: http://naih.hu; phone: +36 (1) 391-1400).
- Website: The Controller’s websites (nold.io, shop.nold.io, cloud.nold.io), which definition also includes the Application.
- Personal Data: Personal data provided by the Data Subject. Personal data shall mean every data relating to the Data Subject, all personal data which may be provided during such services shall be deemed as personal data.
- Personal Computer: shall mean any - electronic communications terminal equipment according to Article 188 section 21 in the act C of 2003 on electronic communications - IT devices available to the Data Subject, such as cell phones, PC, tablet which can receive cookies.
- Cookie: a file series, which may be created on the PC of the Data Subject by the host of the website, stores information about the Data Subject, and the relation between the Data Subject and his/her web server. The purpose of the usage of cookies is to identify the Data Subject’s PC, to provide simplified browsing and monitoring, furthermore to analyse and evaluate the use habits of the Website’s visitors, and to improve the user-experience.
- Service: means the services available on the Website, which are the followings:
- to purchase the control device on the website shop.nold.io;
- to use the service available on the website cloud.nold.io or on the Application in order to control remotely the electronic lock which is concerned by the control device;
- to use the newsletter service.
- Data Subject: any natural person using the services available as a guest after the confirmation process determined in this present Policy.
Principles of data processing
The following is a brief summary about the principles of data processing which the Controller entirely vindicates during the whole duration of data processing in accordance with the article 5 of the GDPR.
- Lawfulness, fairness and transparency: The Controller collects the personal data from the users registered on the Website and processes personal data during providing services partially through the Website. The personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. The Controller keeps the effective text of the Policy (and also its previous versions) available and known, constantly, without charges and obligations, and on the Website (downloadable in pdf-format).
- Purpose limitation: Personal data may be processed only for specified and explicit purposes indicated in the Policy. If the Controller wants to process the personal data for purposes other than the above, the Controller shall inform the Data Subject previously via e-mail.
- Storage limitation: The Controller shall ensure the system of storaging of the personal data that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Data minimisation: In order to provide the highest possible Services, the Controller shall be process only the most necessary personal data. In all cases this data is necessary for the use of the Services. The Controller shall act in accordance with the Policy, if it asks for further data from the Data Subject in addition to the Policy.
- Accuracy: The purpose of the Controller is to process timely data in order to provide the highest possible Services because, for instance, the Data Subject does not receive any information from a newsletter sent to an inactive e-mail address. Data Subject shall help to keep the data up-to-date by notifying or correcting the changes in his/her data.
- Principle of data security: The Controller provides priority to the security of the provided personal data, and in order to that it takes any necessary, technical and organisational steps and procedure adjusted to the current development of technology. Controller stores the data in an automated system. The Controller in order to avoid privacy incidents:
- prevent unauthorized access, input, correction and deletion to personal data with passwords and encryption procedures
- ensure that personal data processed in the Controller’s record shall not be connected to the Data Subject,
- ensure the restoration of data in case of data loss
- The servers of the Website are operated by the Amazon Web Services, which is provide a safety and developed cloud system for the data processing in the light of the current development of technology;
- The data collecting and processing shall be carried out only on https protocol, which provides a safety encrypting and authentication system;
- The Controller has PCI DSS certification in respect of the operating of the Website.
Data – processing objectives, progress of data processing
We hereby summarise the cases (objectives) below, when the processing of the Data Subject’s personal data actually happens. Certain objectives shall only be happened on certain websites or on the application (shop.nold.io, cloud.nold.io, nold.io, Application) which are shown separately below.
- Provision of the services and customer relationship-management: The personal data of the Data Subject shall be provided by the user after previous notification of the Data Subject. The previous notification shall be taken by the user who provides the personal data in accordance with the General Contract. The Data Subject shall be entitled to manage remotely the electronic locking device after the following confirmation process. After the user gives the personal data of the Data Subject the Controller shall send a request e-mail for the Data Subject’s confirmation. In case the Data Subject objecting to the processing, the Controller shall be obliged to delete the personal data of the Data Subject without undue delay, other cases the Controller shall have the right to process these data stated below in accordance with this Policy until the Data Subject’s registration has deleted by any reason.
The personal data which are processed in respect of this present objective are the followings:
- First name
- Last name
- E-mail address
- Date of use
- Attendance measurement: Our website uses Google Analytics and Facebook Pixel, as web analysis services of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA and the Facebook Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). These programs uses small text files saved on your computer which make it possible to analyse your use of the website. These record information, for instance, on your operating system, browser, IP address, the website accessed previously by you (referrer URL), and the date and time you visited our website. The information generated through these text files on your use of our website is transmitted to a Google and Facebook server. These companies will use this information to analyse your use of our website in order to assemble reports on website activity for the website operator and to provide further services associated with website use and internet use.
Recording technical data (cookies)
- While using the Website, your computer’s data which was generated during the use of the Website will be also recorded (cookies), and which was recorded, blogged (without any statement or action of the Data Subject) during the visit and leaving of the Website. This data should be used for producing records and statistics in connection with the visitors and the usage of the Website, furthermore the comprehensive development of the Website. The Controller shall not connect these data with the Data Subject’s personal data (except the cases by law), and only the Controller and his/her co-workers have access to them. Data Subject can delete the cookies from his/her computer anytime (with the help of the browser’s menu item for this), and he/she can set up the restriction of the cookies in the browser (typically with using of the “Help” button). The Data Subject acknowledges that without using cookies, the using of the website will not be complete.
- The chat-service available on the Website is provided by the Crisp IM (seat: 149 Rue Pierre Semard, 29200 Brest), as a provider of electronic communication services, which is acknowledged by the Data Subject by the acceptance of this present Policy. The Data Subject shall not be obliged to provide personal data in connection with the use of the chat-service.
- The support services and customer relationship-management service available on the Website provided and operated by the Help Scout Inc. (seat: 131 Tremont Street, 3rd floor, Boston, MA 02111, USA) via the HelpScout system. The Data Subject shall not be obliged to provide personal data in connection with the use of the chat-service. The Controller hereby declares that this transferring shall be deemed it conforms to the GDPR, because the Council stated in an adequacy decision that the USA as a third country ensures an adequate level of protection (2016/1260 implementing decision).
Enforcement and legal redress
The following is a summary about the rights of the Data Subject which may be validated against the Controller.
- Communication with the Controller: The communication between the Controller and the Data Subject happens via telephone or e-mail. The Controller’s e-mail address: email@example.com, postal address: H-2142 Nagytarcsa, Szent Imre herceg utca 19.
- Any e-mail, in connection with data processing shall be only examined and answered by the Controller, if it has been sent from the registered e-mail address of the Data Subject (expect the Data Subject submits in the e-mail that his/her registered e-mail address has changed, and the Data Subject can be identified easily).
- The Controller notifies the Data Subject via e-mail about all the actions he/she made (especially correction, blocking or deletion of personal data), in connection with his/her personal data within 8 (eight) days after the action.
- The Controller shall take appropriate measures in order to process to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Request for information: The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- Notification of changes in data: Data Subject is entitled to notify the Controller about the changes in his/her data without undue delay (according to the above via e-mail or by post) in writing.
- Right to object: The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing: The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing, in this case the processing is pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
- Proceeding of the Authority: The Data Subject is entitled to request an investigation from the Authority on the grounds or the risk of infringement in connection with data processing. The investigation of the Authority is free of charge, the Authority shall advance the funds of the No one shall suffer prejudice on the account of notifying the Authority. Having submitted a notification to the Authority may not entail any discrimination against the notifier. The Authority may reveal the person of the notifier only if the inquiry cannot be carried out otherwise. If so requested by the notifier, the Authority may not disclose his identity even if the inquiry cannot be carried out otherwise.
- Judicial remedy: In the event of any infringement of his/her rights, the Data Subject may turn to court action against the Controller, the case falls within the jurisdiction of the General Court. The law suit can be commenced – according to the Data Subject’s decision – before the competent court of the Data Subject’s domicile or residence. The competence of the court can be verifiable on the birosag.hu website with the use of the “Court Search” application. The court shall hear such cases in priority proceedings.
- Compensation and restitution: If the Controller cause damage to the Data Subject or someone else as a result of unlawful processing or by any breach of data security requirements he/she shall pay for such damages.
- If the Controller, by unlawful data processing or by breaching data security rules, violates the personal rights of the Data Subject, the latter may demand restitution from the Controller.
- If the Controller violates the rights of the personality of the Data Subject, the Data Subject has the right to demand compensation from the Controller.
- The consent of the legal representatives (parents) is required to provide personal data by the Data Subjects that are under the age of 16.
- Controller reserves the right to modify this Policy unilaterally anytime.
- This Policy shall be governed by the Hungarian law. In the case of matters not regulated in this Policy shall be governed by the provisions of the Privacy Act and other relevant Hungarian legislation.
Budapest, 2nd of May 2018.
Balance of interest
The Controller processes the aforementioned personal data of the Data Subject based on the f) point of the 1st paragraph of the 6th GDPR article - in accordance with the opinion No. 06/2014 of the No. 29 Data Protection Workgroup (hereinafter: Workgroup) and the following Test of Interest Consideration has been performed by the Controller and the results are provided to the Data Subject.
In accordance with the authoritative and issued standard contractual clauses, the Controller allows the contractual Parties to share the service of electronic lock management with a Third Parties that are known to them. To do that, the following steps shall be performed:
- Notifying the Data Subject about sharing their personal data with the Controller in advance;
- Share the name and the e-mail address of the previously notified Data Subject with the Controller in order to record it in cloud.nold.io or in the Application
Following that - in order to provide the contractually agreed services - the Controller contacts the Data Subject via e-mail and makes the lock accessible for the Data Subject. The contracting party, who provided the data of the Data Subject, will have the ability to keep track of the following in the database of the Controller:
- the name of the Data Subject who operated the lock;
- when the lock was operated;
The rightful interest emerges for all concerned parties as:
- the processing of the Data Subject’s personal data within the framework of the standard contractual clauses is the rightful economic and contractual interest of the Controller to provide the services and comply with the contractual agreement;
- the requisition of services in return for their payment, which is determined by the standard contractual clauses, is the contractual interest of the Party contracting the Controller
- By having their personal data processed, the Data Subject will be allowed to have resort to the remote controlling of the agreed lock without any further payment.
The processing of the e-mail address is unavoidable as it is necessary for the Controller to share the link with the Data Subject which allows them to access the service. It is forbidden to provide the Data Subject with the unique security link through other addresses.
In order to comply with the services agreed in the standard contractual clauses, the name and the date have to be recorded whenever the lock is accessed in order to provide the Controller with the necessary information to identify the time and person who accessed the lock. Otherwise the service agreed on this contract would lose its purpose.
The aforementioned data processing does not put any other burden on the Data Subject and their personal data will not be used by the Controller for any other reasons. In order to share the service, the personal data of the Data Subject is provided by the user who assigned the Data Subject to have access, and who collects the personal data of the Data Subject with special notification. In compilation with that, the Data Subject had prior notification about the data processing and could rationally expect the procedure as they agreed to have their personal data collected by the user and processed by the Controller in order to be able to share the service. The Controller never processes the aforementioned personal data without the Data Subject being notified beforehand by the contracting party.
The service is provided to simplify the routine of everyday life (electronic lock management). Should the data processing fail to materialize through the aforementioned steps, there would be no way to provide this innovative service to make the everyday routine of life easier.
Based on that, the Data Subject’s right of contradiction is not infringed as they were notified beforehand about their personal data being processed by the Controller during the provision of the service; and the Data Subject acknowledged that by sharing their personal data and by the appliance of the link received via e-mail afterwards.
In order to assure the rights of the Data Subject, the Controller agrees to provide every contractual right included in this regulation and takes on all responsibilities.
The interests of the Data Subject are granted by the Controller as their natural rights and are appropriately protected by the commitments taken on by the Controller. Moreover, the Data Subject has the right to refuse the data collection procedure implemented by the contracting party and they are not obliged to validate or use the link granted to them by the Controller (in this case, the processing procedure will halt and the Controller will delete the personal data of the Data Subject). The protection of the Data Subject’s right is also ensured as the data processing in this case will only have positive effect on the them in this legal relationship. Within the framework of this agreement, the subordination of the Data Subject can not occur.
The processed personal data is only used by the Controller in order to carry out their contractual commitments explicitly and specifically within the framework determined as rightful interest in No. 3/2013 Opinion of the Workgroup.
Finally, the implementation of the innovative activities similar to the Controller’s - along with the appropriate commensuration and the provision of the counterweights included in the current contract - is of national interest in order to invigorate the domestic startup-culture and establish new workplaces.
The Controller only processes the data that is essential to provide the sharing of the service and by that, the personal data of the Data Subject and their right of contradiction is commensurated and counterweighted. The Controller agrees to maintain the frameworks ensured in the current contract.