Privacy Policy

Please read our Privacy Policy carefully

Privacy Policy

1. SCOPE AND PURPOSE OF THIS PRIVACY STATEMENT

1.1. This Privacy Statement shall set down the data protection and data processing principles and policies as applied by X-Pharma Hungary Zrt. (hereinafter referred to as: „COMPANY” or „CONTROLLER”), to express consent by the Company as Controller to be bound by that principles and policies.

1.2. This Privacy Statement includes the principles applied when processing personal data as supplied on a voluntary basis by the Users on the Website or otherwise for the purpose of receiving certain services from the Company.

1.3. When drawing up this Privacy Statement, special attention was paid to the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: „GENERAL DATA PROTECTION REGULATION” or „GDPR”), to the Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as: „INFOTV”) as well as to the Act V of 2013 on the Civil Code (hereinafter referred to as „PTK”).

1.4. Unless otherwise stated, this Privacy Statement does not apply to services and data processing activities relating to promotions, services, campaigns or published contents of third parties (other than the Controller) who are publishing advertisements or appearing otherwise on the Website as referred to further below in this Privacy Statement.

1.5. Unless otherwise stated, this Privacy Statement does not apply to services and processing activities of websites and providers that can be accessed by clicking links placed on the Website as defined under this Privacy Statement. To this end, the privacy policy issued by the service provider or website operator shall be applicable, the Controller does not accept any liability for such data processing activities.

2. DEFINITIONS

2.1. „Processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.2. „Controller”: a person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2.3. „Personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

2.4. „Personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2.5. „Website”: the website x-pharma.hu operated by the Controller.

2.6. „Service(s)”: the services operated and offered by the Controller.

2.7. „User(s)”: natural person(s) using the Services and supplying their personal data as listed below for this purpose.

2.8. „Privacy Statement”: the Privacy Statement at hand, issued by the Controller.

3. PERSONAL DATA SUBJECT TO PROCESSING ACTIVITIES

3.1. The IP-addresses of Users visiting the Website are automatically recorded in Controller’s system.

3.2. Upon Users’ decision, the Controller may have the right to process following data related to the use of certain Services:

3.2.1. Subscription to newsletters: e-mail address.

3.2.2. Contacting: If a User sends a message to the Controller per e-mail, by post or other means (e.g. using the Contact form on the Website), the Controller records the User’s name, company name, e-mail address and – if freely supplied by the User – phone number, as well as any further information communicated by the User. Such information shall be processed by the Controller to the extent and for the duration necessary for the provision of Services.

3.2.3 Partner Program: If a User sends a message to the Controller using the Partner Program form on the Website, the Controller records the User’s name, company name, job title, e-mail address and – if freely supplied by the User – phone number, as well as any further information communicated by the User. Such information shall be processed by the Controller to the extent and for the duration necessary for the provision of Services.

3.2.4 Career: If a User sends a message to the Controller using the Career form on the Website, the Controller records the User’s name, e-mail address as well as any further information communicated by the User and store the CV of the User.

3.3. Regardless of the above, providers technically involved in the operation of Services may perform data processing activities on the Website without informing the Controller thereof. Such activities are not to be considered as data processing performed by the Controller. The Controller shall make every effort to prevent and to detect that kind of processing activities.

4. ADDITIONAL DATA PROCESSED BY THE CONTROLLER

4.1. As a customization function, the Controller may set small data files („cookies”) on the computer of the User. Cookies are applied to ensure operation of the given website at the highest possible quality level, customization of the provided services and improvement of user experience. Users are able to erase cookies from their computer or configure their browser to prevent cookies. The User declares to be aware of that preventing cookies may cause incomplete operation of the given website.

4.2. Data recorded by technical means while operating the systems include data of the computer the User has logged on to, data generated while using the Service and recorded in the Controller’s system as a result of automated technical processes. In the absence of a specific statement or conduct by the User, automatically recorded information shall be logged by the system every time the User logs in or out respectively.

5. PURPOSE AND LEGAL BASIS OF PROCESSING ACTIVITIES

5.1. Purpose of processing activities performed by the Controller:
5.1.1. Subscription to newsletters:
– delivery of online content;
– contact with the User;
– fulfilment of services;
– direct communication for business or marketing purposes (e.g. newsletters, etc.);
– protection of Users rights;
– enforcement of Controller’s legitimate interests.

5.1.2. Contacting:
– contact with the User;
– fulfilment of services;
– handling and processing specific requests made by Users;
– protection of Users rights;
– enforcement of Controller’s legitimate interests.

5.1.3. Partner Program:
– delivery of online content;
– direct communication for marketing purposes
– contact with the User;
– fulfilment of services;
– handling and processing specific requests made by Users;
– protection of Users rights;
– enforcement of Controller’s legitimate interests.

5.1.4 Career:
– contact User with open position
– protection of Users rights;
– enforcement of Controller’s legitimate interests.

5.2. The Controller is not allowed to use the supplied personal data for purposes other than set out above.

5.3. Processing activities are based on an informed, voluntary statement made by Users, including express consent to the use of personal data supplied by them when visiting the Website or in an explicit message, as well as of personal data generated of them. In case of processing upon consent, the User shall have the right to withdraw his or her consent at any time. The withdrawal of consent, however, shall not affect the lawfulness of processing based on consent before its withdrawal.

5.4. Every time when a User logs in to the Website, his or her IP-address will be recorded by the Controller for the provision of Services, to protect Controller’s legitimate interests and to ensure lawful provision of Services (e.g. in order to detect unlawful use or unlawful content), even without prior consent of the User.

5.5. The User warrants to have legally obtained prior consent from other natural persons, whose personal data were supplied or made available by him or her during the use of Services.

5.6. The User shall be responsible for all user’s contents provided by him or her. By supplying the e-mail address and any information subject to recording, User warrants that from the supplied e-mail address or using other data provided by the User, the Services are used solely by him or her. Accordingly, any liability relating to the use of Services from a given e-mail address and / or using previously provided data shall be borne exclusively by the User who has supplied the e-mail address or provided the data.

6. PRINCIPLES AND MEANS OF PROCESSING

6.1. The Controller shall process personal data according to the principles of good faith, fairness and transparency, in compliance with law and with this Privacy Statement.

6.2. Personal data that are indispensably necessary to use the Services shall be processed by the Controller upon consent of the User and used only in a purpose- bound manner.

6.3. The Controller shall process personal data only for the purposes as specified in this Privacy Statement or in the relevant legislation. The scope of processed personal data must be proportionate to the purpose of data processing and must not go beyond it. Every time when the Controller is going to use personal data for purposes other than initially specified, the Controller shall inform the User accordingly, obtain User’s explicit prior content and give him or her the opportunity to prohibit the use of that data.

6.4. The Controller does not check the personal data supplied. The responsibility for the correctness of such personal data lies solely with the person who provides that data. Nevertheless, the Controller shall take all reasonable steps to immediately erase or rectify all personal data that are inaccurate for processing purposes.

6.5. Processing personal data of data subjects below the age of 16 years shall be lawful only if consent is given by the adult holder of parental responsibility over the child. The Controller is not able to check the authority of that person to give consent or the content of his or her statement. The User or the person exercising parental control over the User shall warrant that the given consent complies with law. In the absence of consent, the Controller is not allowed to collect personal data related to data subjects below the age of 16 years – with the exception of the IP-address used for accessing the Services, which, given the nature of Internet services, shall be recorded automatically.

6.6. The Controller is not allowed to disclose to third parties any personal data processed under this Privacy Statement.

6.7. As an exception to the above, the data can be used in aggregated form for statistical purposes. Such data must not include any information suitable for the identification of the User as data subject, therefore the use thereof for statistical purposes does not constitute a data processing or transmission.

6.8. The Controller shall notify the User of any rectification, restriction or erasure of personal data processed by Controller. A notification may be omitted if it does not hurt the legitimate interests of the User.

6.9. To ensure security of the personal data, the Controller must implement adequate safeguards, appropriate technical and organisational measures and adequate procedural rules to protect the recorded, stored and processed data, including protection against accidental loss, unlawful destruction, unauthorised access, unauthorised use, unauthorised amendment and unauthorised dissemination thereof.

7. DURATION OF PROCESSING

7.1. Automatically recorded IP addresses are stored by the Controller for up to 1 year of the recording.

7.2. Unless otherwise stipulated by law, in case of e-mails and post mails sent by the User for contacting purposes only, the Controller shall erase the e-mail address or any other addresses as may be specified in that mail within 1 year of closing the case referred to in the mail, with the exception of individual cases, where the Controller has a legitimate interest in further processing of personal data, until such legitimate interest of the Controller ceases to exist.

7.3. Personal data supplied by the User to receive newsletters shall be subject to processing activities until the User unsubscribes from the Service, requests the erasure of personal data, withdraws his or her consent, or the Controller stops providing that Service. In latter cases, the personal data shall be erased from the Controller’s system in an unrecallable manner.

7.4 CVs will be stored by our company for 1 years in the case of successful and unsuccessful applications as well.

7.5. The right of User to use the Service remains unaffected by a User’s request to stop processing his or her data without unsubscribing from the Service. However, in the absence of personal data, Services may not be fully available.

7.6. If a User has supplied unlawful or misleading personal data, has committed a criminal offence or a system violation, the Controller shall have the right to immediately erase the personal data of that User. However, if there are indications of a criminal offense or of a violation of the Civil Code, the Controller shall have the right to retain that personal data for the duration of the proceedings to be conducted.

7.7. If courts or authorities make a final decision ordering the erasure of personal data, the Controller shall erase the data accordingly.

8. RIGHTS OF THE USER AND WAYS OF ENFORCEMENT

8.1. The User shall have the right to obtain from the Controller confirmation as to whether or not his or her personal data are being processed, and, where that is the case, access to the personal data, particularly to the information as listed below:
– the purposes of the processing;
– the categories of personal data concerned;
– the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
– where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
– the existence of the User’ right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
– the right to lodge a complaint with a supervisory authority;
– where the personal data are not collected from the data subject, any available information as to their source;
– the existence of automated decision- making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as about the significance and the envisaged consequences of such processing for the data subject.

8.2. Users may request the Controller anytime – by sending a registered letter with acknowledgment of receipt to Controller’s address or on contact page – to provide information about processing their personal data.

8.3. Information requests via post mails shall be deemed authentic by the Controller, if the User can clearly be identified based on that request. Information requests via e-mails shall be deemed authentic by the Controller, if sent from the e-mail box as supplied previously by the User.

8.4. Users shall have the right to have rectified or amended their personal data processed by the Controller.

8.5. Regarding the purpose of processing, Users shall have the right to have completed their incomplete personal data.

8.6. Personal data supplied by Users relating to use of Services can be amended by sending an e-mail request to Controller’s e-mail address as stated above, or by clicking the link placed at the bottom of each newsletter. Once the request to amend personal data has been satisfied, the old (erased) data can not be restored anymore.

8.7. Users shall have the right to have erased their personal data processed by the Controller. The request may be refused,
– if the Controller is authorized or required by law to process personal data; and
– processing is necessary for establishment, exercise or defence of legal claims.

8.8. The Controller shall notify the User of any refusal of erasure requests, including the reasons for refusal. Once the request to erase personal data has been satisfied, the old (erased) data can not be restored anymore.

8.9. Users can opt-out of Controller’s newsletters by clicking the unsubscribe link included in that newsletters. Upon unsubscription, the Controller shall erase in its database the personal data of the User.

8.10. The User shall have the right to obtain from the Controller restriction of processing if one of the following applies:
– the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of that personal data;
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
– the data subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the data subject.

8.11. The User shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and/or to transmit those data to another controller.

8.12. If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the User without undue delay. The communication to the User shall not be required if any of the following conditions are met:
– the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those – such as encryption – that render the personal data unintelligible to any person who is not authorised to access that data;
– the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
– the communication of data breach would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure taken by the Controller whereby the data subjects are informed in an equally effective manner.

9. TRANSFER OF PERSONAL DATA

9.1. Any disclosure of personal data to third parties or to authorities – unless otherwise required by law – is only allowed on the basis of authorities’ decisions or upon explicit prior consent of User.

9.2. The Controller shall have the right and be obliged to transfer to the competent authorities personal data available to and stored by the Controller in a lawful manner, if required to do so by law or by final decisions of authorities. The Controller can not be hold responsible for such data transfer or for resulting consequences.

9.3. The Controller shall keep data transfer records for the purpose of checking the lawfulness of data transfer and of ensuring its proper communication to the User.

10. AMENDMENTS OF THE PRIVACY STATEMENT

10.1. The Controller reserves the right to make amendments to this Privacy Statement at any time by unilateral decision.

10.2. By using the Website, the User accepts the provisions of this Privacy Statement as may be amended from time to time. Obtaining any additional consent from the User is not required.

11. LEGAL REMEDY

11.1. The staff of the Controller can be contacted on contact page with any questions or concerns to data processing.

11.2. Users may lodge a privacy complaint directly with the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: 36-1- 391-1400; e-mail: ugyfelszolgalat@naih.hu web: www.naih.hu).

11.3. In case of infringement of their rights, Users may bring the matter before a court, which will then have jurisdiction. The case – at the option of the data subject – may be brought before the tribunal in whose jurisdiction the data subject’s permanent or temporary residence is located. Upon request, the Controller shall inform the User of the possibilities and means for seeking legal remedy.