The SONEAS Chemical Ltd. (hereinafter referred to as the Organization) manages the personal data of natural persons visiting the website www.soneas.com (hereinafter referred to as the Website), registering on the Website, or providing their personal data in other ways (hereinafter collectively referred to as Data Subjects). In relation to data processing, the Organization hereby informs the Data Subjects about the personal data processed by it, the principles and practices it follows in data processing, and the methods and possibilities of exercising the rights of the data subjects. The Data Subject accepts the provisions of this Privacy Notice and consents to the data processing specified below by giving their consent.
Company name: SONEAS Chemical Ltd.
Address and mailing address: 1097 Budapest, Illatos út 33.
Phone: (06 1) 347 5060
Email: info@soneas.com
Tax number: 14098253-2-43
Company registration number: 01-09-888779
The Organization considers the relevant and currently effective legislation.
The data processing principles published in this notice are in accordance with the following legislation:
– Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Public Interest Data; – Act VI of 1998 on the Protection of Individuals with regard to Automatic Processing of Personal Data;
– Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
– Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
Personal Data: Any information relating to an identified or identifiable natural person (data subject) – in particular, the name, identification number, and one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of the data subject – and any conclusion drawn from the data concerning the data subject.
Consent: The data subject’s freely given, specific, informed, and unambiguous indication of wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Objection: The data subject’s declaration objecting to the processing of his or her personal data and requesting the termination of the data processing or the deletion of the processed data.
Data Controller: The natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data: Transfer Making data accessible to a specific third party.
Public Disclosure: Making data accessible to anyone.
Data Erasure: Rendering data unrecognizable in such a way that their restoration is no longer possible.
Data Blocking: Marking stored data with the aim of limiting their processing in the future.
Data Destruction: Complete physical destruction of the data carrier containing the data.
Data Processing: Performing technical tasks related to data processing operations, regardless of the method and tools used for performing the operations, and the place of application, provided that the technical task is performed on the data.
Data Processor: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller.
Third Party: A natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor, and persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
Third Country: Any country that is not a member of the European Economic Area.
Cookie: A text file stored on a computer by an internet browser through the visited website, functioning to make browsing more convenient and personalized by storing various personal data and passwords. Cookies can also be used to carry out targeted/personalized advertising campaigns.
Personal data can only be processed for specific purposes, for the exercise of rights and fulfillment of obligations. Data processing must meet its purpose at all stages, and data collection and processing must be fair and lawful. Only personal data that is essential for achieving the purpose of data processing and suitable for reaching that purpose can be processed. Personal data can only be processed to the extent and for the duration necessary to achieve the purpose. Data accuracy, completeness, and – if required for the purpose of data processing – timeliness must be ensured during data processing, as well as ensuring that the data subject can only be identified for the time necessary for data processing purposes. The data subject is responsible for the correctness, completeness, and accuracy of the provided data. The Organization is not liable for damages arising from incorrect data provision, even if it could have recognized the incorrect nature of the data. If someone provides data on behalf of another person, the data provider is responsible for having the consent of the data subject in line with this Privacy Notice, and for proving this consent if necessary. Personal data can only be processed with the appropriate prior information-based consent, except when processing is mandated by law or justified by the legitimate interests of the parties. The personal data that comes into the data processing is not disclosed by the Organization and is not transferred to third parties beyond the mentioned subcontractors. The subcontractors are not authorized to retain or transfer the provided personal data to further third parties. Personal data may only be transferred to a data controller or processor conducting data processing in a third country if the data subject has explicitly consented to it. Data transfers to member states of the European Economic Area are considered as data transfers within Hungary. Before starting data processing, the data subject must be informed whether the data processing is based on consent or mandatory. The data subject must be clearly and comprehensively informed of all facts related to their data processing, including the purpose and legal basis of the data processing, the person authorized for data processing and processing, the duration of data processing, and who may access the data. The information must include the data subject’s rights and remedies regarding data processing. The Organization ensures the security of the data and takes all necessary technical measures and establishes the procedural rules needed to enforce data protection regulations in line with the legislation detailed in point 2.
Personal data can be processed (Article 6(1) GDPR) if
If data processing is carried out with the voluntary consent of the data subjects (according to Section 5(1) of the Infotv. and Section 13/A(3) of Act CVIII of 2001), the provision of consent implies acceptance of the terms described in this Privacy Notice. According to Section 20(1) of the Infotv., the data subject must be informed about all facts related to data processing, including the purpose and legal basis of data processing, the person authorized to carry out the processing, and the duration of data processing. According to Article 7(3) GDPR, the data subject has the right to withdraw their consent to the processing of their personal data at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject can withdraw their consent as easily as they gave it.
The scope, type, purpose, legal basis, and duration of personal data processing are as follows:
Data in CVs: For possible employment contracts.
Data subjects: Job applicants.
Legal basis: Article 6(1)(a) GDPR.
Data type: Personal, educational, career, and other necessary data for assessment.
Data access: HR Manager, HR Business Partner
Data retention: Until one year after the application period or in the employee’s file.
Consequence of not providing data: May affect the assessment.
Data in contract agreements: For tax and financial matters.
Data subjects: Representatives of partners.
Legal basis: Article 6(1)(b)(c) GDPR, Act V of 2013 on the Civil Code.
Data type: Name, address, contact details.
Data access: Financial Director.
Data recipients: ICT Europa Holding Zrt.
Data retention: Until eight years after the last issued invoice.
Consequence of not providing data: Administrative errors may occur.
Data in invoices: For tax and financial matters.
Data subjects: Representatives of partners.
Legal basis: Article 6(1)(b)(c) GDPR, Act CXXVII of 2007 on VAT.
Data type: Personal data of customers (name, address, phone number, email address).
Data access: Financial Director the members of the Finance Department
Data recipients: ICT Europa Holding Zrt.
Data retention: Until eight years after the last issued invoice.
Consequence of not providing data: Administrative errors may occur.
Data of company contacts: For business activities.
Data subjects: Representatives and employees of partners.
Legal basis: Article 6(1)(f) GDPR.
Data type: Name, address, contact details.
Data access: Financial Director and the members of the Finance Department
Data retention: Until a deletion request.
Consequence of not providing data: The data subject will not be reachable.
Data of website visitors: For monitoring the operation of the service and preventing abuses during website visits.
Data subjects: Website visitors.
Legal basis: Article 6(1)(f) GDPR, Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce Services and Certain Aspects of Information Society Services.
Data type: Date, time, IP address of the user’s computer, visited page URL, previous page URL, user’s operating system and browser data.
Data access: IT Manager
Data recipients: INC-Global Holding Ltd.
Data retention: 30 days from viewing the website.
Consequence of not providing data: No information on the data subject’s activity.
Data in ethical reports and complaints: For handling complaints and ethical issues.
Data subjects: Employees.
Legal basis: Article 6(1)(f) GDPR.
Data type: Personal data if provided.
Data access: Local compliance officer responsible for the ethical channel.
Data recipients: Possibly authorities.
Data retention: Until the case is closed.
Consequence of not providing data: Investigation is not possible.
Camera recordings: For property protection, accident prevention, and life protection.
Data subjects: Employees, clients, guests.
Legal basis: Article 6(1)(f) GDPR, Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation Activities.
Data type: Recordings.
Data access: Production and Technical Director, HSSE Manager.
Data recipients: Gyémánt 2001 Property Protection Ltd.
Data retention: According to camera regulations.
Consequence of not providing data: Incidents cannot be checked.
The data is primarily accessible to the Organization, its employees, and the contractors (registered in the third-party registry and Data Controller registry) with a contractual relationship with the Organization for data processing. However, the data is not disclosed to third parties, and third parties are not authorized to retain or transfer the provided personal data to further third parties. The transfer of personal data concerning the Data Subject is only possible in cases stipulated by law or based on the Data Subject’s consent.
The Organization reserves the right to unilaterally modify these data processing rules by notifying users in advance. By using the service after the modification takes effect, you accept the modified data processing rules.
Their Personal Data Processing The data subject can request information about their personal data processing and request the rectification or deletion of their personal data, except as required by law. Upon request, the Organization provides information about the data it processes, the purpose and legal basis of the processing, the duration of the processing, and who can access the data (details in Article 15 GDPR). The data controller must provide this information in writing, in an understandable form, within the shortest possible time, but no later than 30 days from the submission of the request. This information is free of charge. Requests for information should be sent to gdpr@gdprtanacsadas.eu, and a response will be provided within eight working days.
According to Article 16 GDPR, the data subject has the right to request the rectification of personal data concerning them. Upon request, the data controller must rectify inaccurate personal data concerning the data subject without undue delay. Considering the purpose of the data processing, the data subject has the right to request the completion of incomplete personal data, including through a supplementary statement. According to
Article 17 GDPR, the data subject has the right to request the deletion of personal data concerning them as follows:
(1) The data subject has the right to request the deletion of personal data concerning them, and the data controller is obligated to delete such personal data without undue delay if any of the following grounds apply:
(2) If the data controller has made the personal data public and is obligated to delete it under (1), taking into account available technology and the cost of implementation, the controller shall take reasonable steps, including technical measures, to inform other data controllers processing the personal data that the data subject has requested the deletion of any links to, or copies or replications of, those personal data.
(3) The right to erasure does not apply to the extent that processing is necessary for:
According to Article 18 GDPR, the data subject has the right to obtain from the data controller the restriction of processing where one of the following applies:
(1) The data subject contests the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data;
(2) The processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(3) The data controller no longer needs the personal data for the purposes of processing, but the data subject requires the data for the establishment, exercise, or defense of legal claims;
(4) The data subject has objected to processing pending the verification of whether the legitimate grounds of the data controller override those of the data subject. If processing has been restricted under the above conditions, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. The data controller shall inform the data subject whose request resulted in the restriction before the restriction is lifted.
According to Article 21 GDPR, the data subject has the right to object to the processing of personal data concerning them as follows:
(1) The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or for the purposes of the legitimate interests pursued by the data controller or a third party, including profiling based on those provisions. In such a case, the data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
(2) Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
(3) The right to object shall be explicitly brought to the data subject’s attention at the latest at the time of the first communication with the data subject and shall be presented clearly and separately from any other information.
(4) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.
(5) Where personal data is processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to their particular situation, shall have the right to object to the processing of personal data concerning them unless the processing is necessary for the performance of a task carried out for reasons of public interest.
According to Article 20 GDPR, the data subject has the right to data portability as follows:
(1) The data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data has been provided, where:
(2) In exercising their right to data portability, the data subject shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible.
(3) The right to data portability shall not adversely affect the rights and freedoms of others.
Data subjects can indicate their claims to the Organization at the contact details provided in point 10. In this case, the Organization will inform the data subject in writing of its decision. If the data subject disagrees with the decision, they can go to court (tribunal) to enforce their rights, in which case the court will act expeditiously. The data controller must examine the claim within the shortest possible time from the submission of the request, but no later than 25 days, and make a decision regarding its substantiation, and inform the claimant in writing about its decision. If the data subject disagrees with the decision or if the data controller fails to meet the 25-day deadline for conducting the examination, the data subject can go to court within 30 days from the notification of the decision or the last day of the deadline.
The data controller declares that it considers the content of this notice binding and commits to ensuring that its data processing related to its services complies with the expectations defined in this notice.
The data subject has the following rights and remedies related to data processing:
The data subject can request information about the data processing from the Organization at its contact details (person responsible for data protection: Dr. Zsombor Sümegi; email: gdpr@gdprtanacsadas.eu; postal address: 1097 Budapest, Illatos út 33.; phone: (06 1) 347 5060), during which the Organization provides information about the processed data, the purpose, legal basis, and duration of data processing, as well as any data processing or data transfer.
The Organization must provide the information in writing within 25 days at the latest, which can only be refused for reasons defined by law. The data subject can seek judicial remedy and lodge a complaint with a supervisory authority. The data subject can initiate a civil lawsuit against the data controller in case of unlawful data processing. The case is under the jurisdiction of the tribunal. The lawsuit can also be initiated before the tribunal of the data subject’s residence. Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority – particularly in the Member State of their habitual residence, place of work, or the place of the alleged infringement – if the data subject considers that the processing of personal data relating to them infringes the GDPR.
The data subject can lodge their complaint with the NAIH:
National Authority for Data Protection and Freedom of Information
Postal address: 1374 Budapest,Pf.: 603.
Address: 1055 Budapest, Falk Miksa utca 9-11
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
© 2022 SONEAS Chemicals Ltd. All rights reserved
