Privacy Policy on the Processing of Personal Data in the Quotation Application

Download: Oxygen Privacy Policy for Quotation Application.pdf

Data Controller Information:

Data Controller: Oxygen SMD Ltd.
Headquarters: 1097 Budapest, Gubacsi út 6/D
Company Registration Number: 01-10-047568
Tax Number: 23288940-2-43
Email Address: office@oxygensmd.hu
Phone Number: +36 1 456 3600
Representative: Péter Borbély, Managing Director

1. General Provisions

Oxygen SMD Ltd. has established this Privacy Notice (hereinafter referred to as the “Notice”) to define its internal data protection processes, ensure the rights of individuals, and prevent data protection incidents. Oxygen SMD Ltd. conducts its data processing activities in compliance with the applicable internal rules and with technical and organizational measures designed to adhere to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (commonly referred to as the General Data Protection Regulation or GDPR), as well as Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Info Act”).

The objective of this Notice is to provide clear and comprehensible information to data subjects regarding the personal data collected, processed, or managed by Oxygen SMD Ltd. and its processors. It details the sources of data collection, the purpose and legal basis of processing, potential retention periods, the identity and contact details of data controllers, data processing activities, and the purpose, legal basis, and recipients of data transfers.

The scope of this Notice applies to the personal data processed by Oxygen SMD Ltd. concerning natural persons who are in a contractual relationship with, or involved in a contractual offer with, the company (including employees, sole proprietors, individual companies, natural person buyers, sellers, suppliers, and other natural persons engaged in contractual relations). The scope also extends to the contact information of representatives of legal entities connected to Oxygen SMD Ltd. For definitions, the terms outlined in Article 4 of the GDPR are applicable, along with additional definitions provided in specific chapters of this Notice.

Oxygen SMD Ltd. is engaged in design, manufacturing, SMT and CNC contract manufacturing, as well as creating customized decorative lighting for advertising and architectural purposes. Additionally, the company offers consultancy services to provide unique and comprehensive solutions tailored to its clients’ needs.

2. Definitions and Framework

The purpose of these definitions is to clarify the subjects of regulation and the specific meanings of various terms used in the system of rules. Below are the key definitions:

Data Processor:
A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.

Data Processing:
Any operation or set of operations performed on personal data or on sets of personal data, whether automated or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Restriction of Data Processing:
The marking of stored personal data with the aim of limiting their future processing.

Definitions and Terminology

Data Controller:
A natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Protection Impact Assessment (DPIA):
The evaluation of the impact of processing operations on the rights and freedoms of data subjects, particularly when using new technologies.

Data Protection Incident:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Data Protection Officer (DPO):
An individual who monitors the data controller’s or processor’s activities to ensure compliance with data protection regulations. (See Section 7: Security of Personal Data)

Pseudonymization:
The processing of personal data in such a way that the data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Criminal Personal Data:
Personal data relating to criminal convictions, offenses, or related security measures (as per Article 10 of the GDPR).

Recipient:
A natural or legal person, public authority, agency, or other body to which personal data is disclosed, regardless of whether it is a third party. However, public authorities that may receive personal data in the framework of a specific inquiry in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities must comply with applicable data protection rules.

Third Party:
A natural or legal person, public authority, agency, or other body other than the data subject, data controller, data processor, and persons who, under the direct authority of the data controller or processor, are authorized to process personal data.

Consent:
A freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.

Supervisory Authority:
An independent public authority established by a Member State pursuant to Article 51 of the GDPR.

GDPR:
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Filing System:
Any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

Personal Data

Personal Data:
Any information relating to an identified or identifiable natural person (data subject). A natural person is identifiable directly or indirectly, for example, by reference to a name, an identification number, location data, online identifier, or specific factors related to physical, genetic, economic, or social identity.

Special Categories of Personal Data:
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation (as per Article 9(1) of the GDPR).

  • Biometric Data:
    Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person that allows or confirms unique identification, such as facial images or fingerprint data.

  • Health Data:
    Personal data related to the physical or mental health of a natural person, including information about the provision of health services that reveals information about their health status.

  • Genetic Data:
    Personal data relating to the inherited or acquired genetic characteristics of a natural person, which provides unique information about the person’s physiology or health and is derived primarily from the analysis of a biological sample from the natural person.

Profiling:
Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict characteristics concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Enterprise:
A natural or legal person engaged in economic activity, regardless of legal form, including partnerships or associations regularly engaged in economic activities. In this case, Oxygen SMD Ltd. acts as the Data Controller.

3. Principles of Data Processing

Oxygen SMD Ltd. processes personal data according to the following principles:

  • Lawfulness, Fairness, and Transparency:
    Personal data must be processed lawfully, fairly, and in a transparent manner for the data subject.

  • Purpose Limitation:
    Data collection must be for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

  • Data Minimization:
    Data processing must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  • Accuracy:
    Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data, considering the purposes of processing, are erased or rectified without delay.

  • Storage Limitation:
    Personal data must be stored in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed. Longer storage is only allowed for archiving in the public interest, scientific or historical research, or statistical purposes under Article 89(1) of the GDPR, provided that appropriate technical and organizational measures are implemented to protect the rights and freedoms of data subjects.

  • Integrity and Confidentiality:
    Data processing must be conducted in a way that ensures the appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.

  • Voluntary and Informed Consent:
    The Data Controller processes personal data solely based on the voluntary, explicit, and informed consent of users, in accordance with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act), Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising (Grt.), and this Data Processing and Privacy Policy.

4. Web Data Processing

Protecting the personal data of visitors and ensuring transparent and lawful data processing are of paramount importance to the operation of our website. The following information details the types of personal data we collect, the purposes for which we use them, and the rights of the data subjects. Our data processing practices comply with current data protection regulations, particularly the EU General Data Protection Regulation (GDPR), ensuring the adequate protection of personal data.

4.1. Use of Cookies

Definition and Purpose of Cookies:
Cookies, or anonymous visitor identifiers, are files or pieces of information stored on a user’s computer, internet device, smartphone, or tablet when visiting the website. Unless explicitly provided by the user, the Data Controller does not collect or process any personal data that could personally identify the user.

These data are not linked to other personal data, meaning the user cannot be identified based on this information. Access to the data is strictly limited to the application operated by Oxygen SMD Ltd. and the data is not processed for any purposes other than those explicitly defined.

Legal Basis:
This application uses strictly necessary cookies required for the performance of core functionalities, including secure user authentication and session management. In accordance with Article 6(1)(f) of the GDPR, these cookies are processed based on the legitimate interests of the data controller. As they are essential for the operation of the service, they cannot be disabled by users.

Types of Data Collected:

  • Cookies: Short text files sent by the website to the user’s computer’s hard drive, containing information about the user.

Usage and Limitations of the Information Collected:

The collected data is used solely for essential technical purposes, including user authentication, session management, and ensuring the secure operation of the application.

4.2. Use of Personal Information in the Quotation System

Purpose of Processing:
Personal and company-related information voluntarily provided by the user is stored and processed for the sole purpose of generating automated quotations, based on the user's explicit request and consent.

Data Retention and Deletion:
Files uploaded in relation to quotations that are not finalized or are explicitly rejected are automatically deleted on a daily basis. In the event of user account suspension or deletion, all related data and files are irreversibly removed from the system.

Purpose of Data Processing:
To generate tailored quotations and provide the user with comprehensive cost estimations throughout the quotation and project preparation phases.

Legal Basis:
Data is processed pursuant to Article 6(1)(a) of the GDPR (data subject’s consent) and Article 6(1)(b) (processing necessary for the performance of a contract or for taking steps at the request of the data subject prior to entering into a contract).

Type of Data Collected:

  • Pre-agreed industrial data formats (e.g., technical drawings) intended to define the physical characteristics of the product concerned.

  • Structured input forms (‘questionnaires’) completed by the user containing parameter specifications that influence the cost estimation and manufacturability of the requested product.

Usage and Limitations:
All data is used strictly for computational purposes related to the active quotation and for visual representation of the proposed final product. Data is not reused or repurposed for any other activity beyond the scope of the specific project.

4.3. Email Communications

In the course of using the quotation system, the Data Controller may send the following types of email notifications to users:

  • System-generated quotations created on the basis of user submissions.

  • Important updates regarding the status of ongoing quotation projects.

  • Administrative notices, such as changes to the Terms and Conditions or Privacy Notice.

All such emails are strictly service-related and are sent based on the data subject’s consent or legitimate interest under Article 6(1)(a) or (f) of the GDPR. No promotional or marketing emails are sent without prior, explicit consent.

4.4. Hosting Information

The operation of the Oxygen SMD Ltd. application relies on a hosting service provider, which solely provides the server infrastructure required to run the application. The hosting provider does not engage in any data processing or manipulation beyond the provision of storage and system availability, and it has no access to or control over the data stored or processed by the application.

Hosting Provider:

  • Name: Contabo GmbH

  • Address: Germany, 81549 Munich, Aschauer Strasse 32a

  • Contact Website: https://contabo.com/

5. Data Processing

The custom-developed quotation application does not involve any external parties in the processing of data.
Access to the processed data is strictly limited to the respective data subjects and OXYGEN SMD Ltd., in accordance with applicable data protection regulations.
OXYGEN SMD Ltd. reserves the right to involve additional data processors in the future. Users will be informed of any changes through updates to this Notice.

6. Quotations

Quotations generated by the automated system are for informational purposes only and do not constitute legally binding offers, confirmations of order, or invoicing documents. Each quotation is subject to manual review and may be refined in accordance with the specific needs and instructions of the data subject.

The personal and corporate data provided during the quotation process is processed exclusively for the purpose of generating and tailoring quotations in line with the data subject’s request.

Legal Basis:
The processing of personal data in connection with quotation generation is carried out on the basis of the data subject’s explicit consent pursuant to Article 6(1)(a) of the GDPR, and, where applicable, for the performance of pre-contractual measures in accordance with Article 6(1)(b).

Further information regarding the processing of personal data in the quotation context is available in the Company’s General Privacy Notice, with additional clarification provided in Section 4.2 – Use of Personal Information in the Quotation System.

7. Security of Personal Data

The Data Controller and Data Processor employ advanced technical and organizational measures to ensure the security of personal data, taking into account technological advancements, implementation costs, the purpose of data processing, and associated risks. These measures are proportionate to the severity of risks and aim to guarantee data security. These include pseudonymization, encryption, and ensuring the continuous security, integrity, and availability of systems. Additionally, in the event of an incident, the Data Controller is equipped to promptly restore access to the data and ensure system functionality. Security measures are regularly monitored, tested, and evaluated to ensure their effectiveness.

OXYGEN SMD Ltd. has not appointed a Data Protection Officer (DPO) as none of the cases listed in Article 37(1) of the GDPR apply:

  1. OXYGEN SMD Ltd. is not a public authority or body performing public tasks.

  2. Its primary activities do not include data processing operations requiring regular and systematic monitoring of data subjects on a large scale.

  3. Its primary activities do not involve the large-scale processing of special categories of personal data under Article 9 or data relating to criminal convictions and offenses under Article 10 of the GDPR.

7.1. Digitally Stored Data

To ensure the protection of personal data stored on computers and networks, the Data Controller enforces the following measures and safeguards:

  • Computers used for data processing are owned by the Data Controller or are subject to equivalent ownership rights.

  • Access to data stored on computers is only granted via valid, personalized, and identifiable credentials, which include at least a username and password. The Data Controller ensures regular password updates.

  • Continuous antivirus protection is provided for networks handling personal data.

  • Available IT tools are employed to prevent unauthorized access to the network by external individuals.

8. Data Subject Rights

The rights of data subjects regarding the processing of their personal data are as follows:

Right to Information (GDPR Article 15):

  • Data subjects have the right to request and receive accurate information about the processing of their personal data within 30 days.

  • They can request confirmation from the Data Controller regarding whether their personal data is being processed and, if so, access to those data, including an electronic copy.

Right to Erasure (GDPR Article 17):

  • Data subjects have the right to request the deletion of their personal data, especially if the processing is based solely on their consent and there is no other legal basis for processing.

  • The data subject can withdraw their consent at any time without justification.

Right to Rectification (GDPR Article 16):

  • Data subjects may request the correction of inaccurate personal data or the completion of incomplete data concerning them. The Data Controller must rectify the data without undue delay.

Right to Data Portability (GDPR Article 20):

  • For data processing based on consent or contract, data subjects have the right to receive the personal data they provided to the Data Controller in a structured, commonly used, machine-readable format. They can also request the transfer of their data to another Data Controller. This right must not adversely affect the rights and freedoms of others.

Right to Object (GDPR Article 21):

  • Data subjects have the right to object to data processing, particularly for processing based on legitimate interests. If an objection is raised, the Data Controller must cease processing unless compelling legitimate grounds exist that override the rights of the data subject, or the data processing is required for legal claims.

  • For processing related to direct marketing or profiling, data subjects can object at any time, and their data must no longer be processed for these purposes.

Right to Restriction of Processing (GDPR Article 18):

Data subjects can request the restriction of data processing if:

  1. The accuracy of personal data is contested, for a period enabling the Data Controller to verify its accuracy.

  2. The processing is unlawful, but the data subject opposes erasure and requests restriction instead.

  3. The Data Controller no longer needs the data, but the data subject requires it for legal claims.

  4. The data subject has objected to processing; restriction applies while it is determined whether the Data Controller’s legitimate interests override the subject’s rights.

While processing is restricted, data may only be used with the data subject’s consent or for legal claims, protection of others’ rights, or important public interest.

Conditions for Erasure:

The Data Controller must delete personal data without undue delay if:

  • The data is no longer necessary for the purposes for which it was collected.

  • The data subject withdraws their consent and no other legal basis exists.

  • The data subject objects to the processing.

  • The processing was unlawful.

  • Deletion is required to comply with legal obligations.

  • The data was collected in connection with the provision of information society services to children.

Notification of Other Controllers:

If the Data Controller has made personal data public and is required to delete it, they must take reasonable steps to inform other controllers processing the data to delete links, copies, or replications of the data, considering available technology and implementation costs.

9. Management of Data Breaches

A data breach is any event involving the personal data processed, transmitted, stored, or handled by OXYGEN SMD Ltd., which results in the unlawful processing of personal data. This includes unauthorized or accidental access, alteration, disclosure, deletion, loss, or destruction of data, as well as accidental damage or destruction.

OXYGEN SMD Ltd. must report a data breach to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) without undue delay, and no later than 72 hours after becoming aware of the incident. An exception applies if OXYGEN SMD Ltd. can demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

If the notification cannot be made within 72 hours, the reason for the delay must be provided, and the required information may be disclosed in stages without undue further delay.

The notification to the NAIH must include the following information:

  • The nature of the data breach, including the categories and number of data subjects and personal data records affected.

  • The name and contact details of the Data Controller.

  • The likely consequences of the data breach.

  • The measures taken or planned to address, mitigate, or remediate the breach.

OXYGEN SMD Ltd. will notify affected data subjects of the data breach within 72 hours via its website. This notification must include at least the information specified above.

To ensure proper documentation and management of data breaches, OXYGEN SMD Ltd. maintains a Data Breach Register, which includes:

  • The scope of affected personal data.

  • The number and type of affected individuals.

  • The date and circumstances of the data breach.

  • The effects of the data breach.

  • Measures taken to address the breach.

The records in the Data Breach Register are retained for five years from the detection of the data breach.

10. Contact Information

If you have any comments, questions, or complaints regarding this Privacy Policy, please contact us in writing or via email at the following:

Data Controller: OXYGEN SMD Ltd.
Postal Address: 1097 Budapest, Gubacsi út 6/D
Email Address: office@oxygensmd.hu
Phone Number: +36 1 456 3600
Representative: Péter Borbély, Managing Director