Privacy policy

Z-Wolf Audit Ltd.

Introduction

Z-Wolf Audit Ltd. (registered office: 1143 Budapest, Ilka Street 25-27, Building B, 3rd floor, No. 6, company registration number: 01-09-404206, tax number: 32044896-2-42) (hereinafter: Service Provider, Data Controller) submits to the following regulations:

We provide the following information in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

This privacy policy regulates the data processing of the following websites/mobile applications: https://www.zwolfaudit.hu

The data management information can be accessed from the following page: https://zwolfaudit.hu/en/privacy-policy/

Amendments to the regulation take effect upon publication at the above address.

Data Controller and Contact Information

Name: Zoltán Farkas
Address: 1143 Budapest, Ilka Street 25-27, Building B, 3rd floor, No. 6
Email: info@zwolfaudit.hu
Phone: +36-30-515-50-27

Definitions

  1. “personal data”: any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
  2. “processing”: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction;
  3. “data controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  4. “processor”: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
  5. “recipient”: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
  6. “consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  7. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Principles relating to the processing of personal data

Personal data must be:

  1. processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness, and transparency”);
  2. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (“purpose limitation”);
  3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The Data Controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).

The Data Controller declares that data processing is carried out in compliance with the principles set out in this section.

Contact

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

Personal data | Purpose of data processing | Legal basis
Name | Identification | Article 6(1)(a) of the GDPR
Email address | Contact, sending reply messages |
Phone number | Contact |
Message content if it contains personal data | Necessary for responding |

It is not necessary for the email address to contain personal data.

2. Scope of data subjects: All individuals who send messages via the contact form.

3. Duration of data processing, deadline for data deletion: The Data Controller processes personal data until the purpose of data processing is achieved, but no longer than 2 years. If any of the conditions of Article 17(1) of the GDPR are met, data processing continues until the deletion request of the data subject.

4. Potential data controllers entitled to know the data, recipients of personal data: Personal data can be processed by the authorized employees of the Data Controller.

5. Information on data subjects’ rights regarding data processing:

  • The data subject can request access to their personal data, request rectification, deletion, or restriction of processing, and
  • The data subject has the right to data portability and the right to withdraw consent at any time.

6. The ways to initiate access, deletion, modification, or restriction of processing, and data portability:

  • by postal mail to 1143 Budapest, Ilka Street 25-27, Building B, 3rd floor, No. 6,
  • by email to info@zwolfaudit.hu,
  • by phone at +36-30-515-50-27.

7. Legal basis for data processing: the data subject’s consent, Article 6(1)(a) of the GDPR. By contacting us, you consent to the processing of the personal data (name, phone number, email address) provided during the communication, in accordance with this policy.

8. We inform you that

  • This data processing is based on your consent and is required for providing an offer.
  • You are required to provide personal data to contact us.
  • Failure to provide data results in the inability to contact the Data Controller.
  • Withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal.


Client Relationship

1. The fact of data collection, the scope of data processed, and the purpose of data processing:

Personal data | Purpose of data processing | Legal basis
Name, email address, phone number. | Contact, identification, contract fulfillment, business purpose. | Article 6(1)(b) of the GDPR.

2. Scope of data subjects: All individuals who communicate with the Data Controller via phone/email/in person or are in a contractual relationship.

3. Duration of data processing, deadline for data deletion: Letters containing inquiries are retained until the deletion request of the data subject, but for a maximum of 2 years.

4. Potential data controllers entitled to know the data, recipients of personal data: Personal data may be processed by the authorized employees of the Data Controller, respecting the principles outlined above.

5. Information on data subjects’ rights regarding data processing:

  • The data subject can request access to their personal data, request rectification, deletion, or restriction of processing, and
  • The data subject has the right to data portability and the right to withdraw consent at any time.

6. The ways to initiate access, deletion, modification, or restriction of processing, and data portability:

  • by postal mail to 1143 Budapest, Ilka Street 25-27, Building B, 3rd floor, No. 6,
  • by email to info@zwolfaudit.hu,
  • by phone at +36-30-515-50-27.

7. We inform you that

  • Data processing is required for contract fulfillment and providing offers.
  • You are required to provide personal data to fulfill the contract/other requests.
  • Failure to provide data results in the inability to fulfill the contract/process your request.

Cookie Management

  1. Cookies used for “password-protected sessions”, “shopping carts”, “security cookies”, “necessary cookies”, “functional cookies”, and cookies responsible for “website statistics” do not require prior consent from the data subjects.
  2. The fact of data processing, the scope of data processed: Unique identification number, dates, times.
  3. Scope of data subjects: All individuals visiting the website.
  4. Purpose of data processing: Identifying users, tracking visitors, ensuring customized operation.
  5. Duration of data processing, deadline for data deletion:
    Cookie name | Provided data and function of the cookie | Cookie duration
    cookieyes-consent | Technical function: Cookie supporting the function of allowing or rejecting the privacy policy | 1 year
    wordpress_test_cookie | Checks whether the user allows cookies | until the website is closed (Session)
  6. Possible data controllers entitled to know the data: The Data Controller may know personal data.
  7. Information on data subjects’ rights regarding data processing: Data subjects have the option to delete cookies in the browser’s Tools/Settings menu, typically under the Privacy settings.
  8. Most browsers used by our users allow cookie management, and cookies can be deleted again. Restricting cookie storage on certain websites or disallowing third-party cookies may result in the website not being fully usable in some cases.
  9. Here you can find information on how to customize cookie settings for common browsers:

The Data Processors Used

Hosting Service Provider

  1. Activity performed by the data processor: Hosting service
  2. Name and contact details of the data processor:
    HU-KA Minor Ltd.
    2699 Szügy, Petőfi u. 17
    Email: web@tbweb.hu
  3. The fact of data processing, the scope of data processed: All personal data provided by the data subject.
  4. Scope of data subjects: All individuals using the website/mobile application.
  5. Purpose of data processing: Making the website/mobile application available and operating it properly.
  6. Duration of data processing, deadline for data deletion: Until the termination of the agreement between the Data Controller and the hosting provider, or until the deletion request of the data subject to the hosting provider.
  7. Legal basis for data processing: Article 6(1)(c) and (f) of the GDPR, and Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services. Legitimate interest in the proper operation of the website, protection against attacks and fraud.

Other Data Processors

We have no other data processors.

Client Relations and Other Data Processing

  1. If you have any questions or problems during the use of our services, you can contact the Data Controller through the methods provided on the website (phone, email, social media, etc.).
  2. The Data Controller deletes the received emails, messages, phone numbers, and any other voluntarily provided personal data (such as name and email address) within a maximum of 2 years from the date of data disclosure.
  3. Information on any data processing not listed in this notice will be provided at the time of data collection.
  4. In the event of an exceptional authority inquiry or a request based on legal authorization, the Service Provider is obliged to provide information, disclose data, or make documents available.
  5. In such cases, the Service Provider will only disclose personal data to the requesting party to the extent necessary for the fulfillment of the request.

The Rights of the Data Subjects

1. Right of Access

You have the right to receive confirmation from the Data Controller as to whether or not personal data concerning you is being processed, and if so, to access the personal data and the information listed in the Regulation.

2. Right to Rectification

You have the right to obtain from the Data Controller the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to Erasure (“Right to be Forgotten”)

You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay, and the Data Controller is obliged to erase personal data without undue delay in certain circumstances.

4. Right to be Forgotten

If the Data Controller has made personal data public and is obliged to erase it, taking into account available technology and the cost of implementation, the Data Controller will take reasonable steps to inform other controllers that the data subject has requested the erasure of any links to, or copies or replications of, the personal data in question.

5. Right to Restrict Processing

You have the right to obtain from the Data Controller the restriction of processing where one of the following applies:

  • You contest the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;
  • The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of its use instead;
  • The Data Controller no longer needs the personal data for the purposes of processing, but you require the data for the establishment, exercise, or defense of legal claims;
  • You have objected to processing pending verification of whether the legitimate grounds of the Data Controller override yours.

6. Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data were provided, if the processing is based on consent or a contract (to some extent) and if the processing is carried out by automated means.

7. Right to Object

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

8. Objection in case of direct marketing

If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, including profiling related to direct marketing. If you object to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The previous paragraph does not apply if the decision:

  1. is necessary for entering into, or the performance of, a contract between you and the Data Controller;
  2. is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. is based on your explicit consent.

Action deadlines

The Data Controller informs you without undue delay and, in any event, within one month of receipt of the request about the actions taken regarding your request.

If necessary, this period can be extended by two more months. The Data Controller informs you of any such extension within one month of receiving the request, together with the reasons for the delay.

If the Data Controller does not take action on your request, it informs you without delay, and at the latest within one month of receiving the request, of the reasons for not taking action, and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Data security

The Data Controller and the data processor take into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, and implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others:

  1. the pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Personal data must be stored in a way that unauthorized individuals cannot access them. For paper-based media, this means establishing a secure physical storage system. For electronic data, this means using a centralized access management system.

The method of electronic storage must allow for the deletion of data upon reaching the deadline for deletion or if deletion is otherwise required. The deletion must be irreversible.

Paper-based data carriers must be destroyed either by a paper shredder or by using an external service specializing in document destruction. For electronic data carriers, the physical destruction or secure and irreversible deletion of data must follow the rules for decommissioning electronic data carriers.

The Data Controller implements the following specific data security measures:

For the security of personal data handled on paper, the Service Provider applies the following measures (physical protection):

  1. Documents are stored in a secure, lockable, dry room.
  2. If personal data handled on paper are digitized, the rules for digitally stored documents must be applied to the digitized data.
  3. During work, the employee responsible for handling personal data can only leave the room where the data is being processed by locking up the data carriers or locking the room.
  4. Personal data can only be accessed by authorized persons, and third parties are not allowed access.
  5. The buildings and rooms of the Service Provider are equipped with fire and property protection equipment.

IT protection

  1. The computers and mobile devices (other data carriers) used for data processing are the property of the Service Provider.
  2. The computer system used by the Service Provider that contains personal data is equipped with virus protection.
  3. For the security of digitally stored data, the Service Provider applies data backup and archiving.
  4. Access to the central server is restricted to authorized personnel with appropriate permissions.
  5. Access to data on computers is protected by username and password.

Notification of the data subject about a data protection incident

If a data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall notify the data subject without undue delay.

The notification to the data subject shall describe in clear and plain language the nature of the data protection incident and shall contain at least the information and measures specified in the GDPR, such as the name and contact details of the data protection officer or other contact point for further information, the likely consequences of the data protection incident, and the measures taken or proposed by the Data Controller to address the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

  • The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data protection incident, in particular those measures—such as encryption—that render the personal data unintelligible to any person who is not authorized to access it.
  • The Data Controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
  • It would require disproportionate effort to inform the data subjects. In such cases, public communication or a similar measure may be used to inform the data subjects in an equally effective manner.

If the Data Controller has not yet informed the data subject about the data protection incident, the supervisory authority, after considering the likelihood of the incident resulting in high risk, may require the Data Controller to inform the data subject.

Reporting a data protection incident to the authority

The Data Controller shall report a data protection incident to the competent supervisory authority under Article 55 of the GDPR without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the incident is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Review of mandatory data processing

If the duration of mandatory data processing or its periodic review is not defined by law, local government regulation, or a binding act of the European Union, the Data Controller shall review the necessity of the data processing at least every three years from the start of the processing.

The circumstances and results of this review shall be documented by the Data Controller, and this documentation shall be retained for ten years after the review and made available to the National Authority for Data Protection and Freedom of Information (NAIH) upon request.

Possibility of lodging a complaint

If you believe that the Data Controller has violated any law on data processing or has not fulfilled any of your requests, you can initiate an investigation procedure with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa Street 9-11.
Mailing address: 1363 Budapest, P.O. Box 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

Closing remarks

In preparing this notice, we took into account the following legal regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (April 27, 2016);
  • Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.);
  • Act CVIII of 2001 on certain issues of electronic commerce services and information society services (especially Section 13/A);
  • Act XLVII of 2008 on the prohibition of unfair business-to-consumer commercial practices;
  • Act XLVIII of 2008 on the basic conditions and certain restrictions of commercial advertising activities (particularly Section 6);
  • Act XC of 2005 on the freedom of electronic information;
  • Act C of 2003 on electronic communications (especially Section 155);
  • Opinion No. 16/2011 on the EASA/IAB best practice recommendation on online behavioral advertising;
  • The recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of preliminary information.