Privacy Notice on data processing regarding the Website
1. Processing of personal data
- The CEEC Scout Group as data controller (hereinafter: “Data Controller”) processes personal data of the users of the www.ceecsg.org website (hereinafter: “Website”) as personal data of data subjects concerning data processing of the Company, in compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”) and in compliance with other applicable law (The HMRC regulation for England and Wales).
2. Details of the Company regarding data processing
Data controller’s name: Helena Dobrova – CEEC Scout Group
Registered seat: 28 Finsen Road, London, SE5 9AX, UK
Represented by: Helena Dobrova
E-mail: contact@ceecsg.org
Web: www.ceecsg.org
3. Data processing regarding the Member Company’s Representative registration to the Website
- The CEEC Scout Group provides membership to companies based on the rules set forth by it. Registration on the Website as a “full member” is only available for those, who had been entered into a membership agreement with CEEC Scout Group and got invitation prior to the registration.
- In order to use certain services on the Website (e.g. connect or communication with other members) the members of the CEEC Scout Group (hereinafter referred to as: “Full Member”) shall register themselves to own a “full member” profile. On behalf of the Full Member, the contact person (hereinafter referred to as: “Contact Person”) has the opportunity to make a separate profile for the Full Member company, but also for himself or herself as Contact Person.
- The purpose of data processing is to create profile upon request of Full Member’s Contact Person and to make certain services available to him/her.
- The following personal data of the Full Member’s Contact Person are processed by Data Controller in connection with the registration: contact person’s name, company’s website, e-mail address, telephone number, profile picture, social media profile, biographical info, and the activity of the Contact Person on the Website under the profile name.
- In profile settings the personal data provided on the profile can be set and edited by the Contact Person. Personal data are not public and not visible for any visitor of the Website. Contact Person can decide whether or not his or her personal data are visible only for the Full Member’s Contact Persons or also for the Guests or Guests’ Contact Persons. Guests and Guests’ Contact Persons have access only to the basic personal data of the Full Member’s Contact Persons, such as contact person’s name, company website name, the status of “full member”. If a Guest or its Contact Person sends request to a Full Member’s Contact Person, in case of approval, more personal data (e-mail address, telephone number, profile picture) of the Full Member’s Contact Person will be available to the Guest.
- The legal ground of data processing is the consent of the Full Member’s Contact Person. Full Member’s Contact Person has the right to withdraw his or her consent at any time, which also means the removal of his/her profile and personal data from the Website. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Data Processor processes personal data on the above defined purpose up to the time when (1) Full Member’s Contact Person withdraws the consent, or (2) Full Member’s Contact Person requests to delete of the registered profile or personal data or, (3) the membership of the Full Member terminates (therefore the registered profile will be deleted) or (4) till any claim can be enforced regarding the data processing, but not more than 2 years following the registered profile was deleted, or in case of a dispute not more than 1 year following the final closing of the dispute.
4. Data processing regarding the Guest’s registration to the Website
- The CEEC Scout Group provides “guest” status to companies and natural persons based on the rules set forth by it. Registration as a “guest” on the Website is only available for those, who had been invited by CEEC Scout Group prior to the registration.
- In order to use certain services on the Website (e.g. connect or communication with other guest or connect to Full Members) the guests of the CEEC Scout Group (hereinafter referred to as: “Guest”, Full Member and Guest and those Contact Person together as: “Registered Users”) shall be registered with a “guest” profile. On behalf of the Guest company, its Contact Person has the opportunity to request a separate profile for the Guest company, but also for him or herself as Contact Person. Registration will be completed by the CEEC Scout Group only if the Contact Person attends to an event organised by the CEEC Scout Group and gives his or her name and e-mail address and asks the CEEC Scout Group to create a profile for him or her.
- The purpose of data processing is to create profile upon Guest’s, or if it is a Company, its Contact Person’s request and to make certain services available to the Guest or if Guest is a Company, its Contact Person.
- If Guest is a natural person, the following personal data are processed by Data Controller in connection with Guest’s registration: Guest’s name, website, e-mail address, telephone number, profile picture, social media profile and the activity of the Guest on the Website under the profile name.
- If Guest is a company, the following personal data are processed by Data Controller in connection with the registration of Guest’s contact person: contact person’s name, company website name, e-mail address, telephone number, profile picture, social media profile and the activity of the Contact Person on the Website under the profile name.
- In profile settings the personal data provided on the profile can be set and edited by the Guest or its Contact Person. Personal data are not public and not visible for any visitor of the Website. Guest or Contact Person can decide whether or not his or her personal data are visible for the Full Members or other Guests. Guests have access only to the basic personal data of the Full Member’s Contact Person or other Guests or its Contact Person, such as Guest name, contact person’s name, company website name, the status of “full member”. If a Guest sends request to a Full Member or its Contact Person, or to another Guest or its Contact Person, in case of approval, more personal data (e-mail address, telephone number, profile picture) of Guest or its Contact Person will be available to the Guest.
- The legal ground of data processing is the consent of the Guest or if Guest is a company, Guest’s Contact Person. Guest or the Guest’s Contact Person has the right to withdraw his or her consent at any time, which also means the removal of his/her profile and personal data from the Website. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Data Processor processes personal data on the above defined purpose up to the time when Guest or Guest’s Contact Person withdraws the consent, or requests to delete of the registered profile or personal data or till any claim can be enforced regarding the data processing, but not more than 2 years following the registered profile was deleted, or in case of a dispute, not more than 1 year following the final closing of the dispute.
5. Data processing regarding the Chat
- After signing in Registered Users have the opportunities to communicate each other. The purpose of data processing is to enable Registered Users to communicate each other on the Chat platform (hereinafter: “Chat”) of the Website.
- The following personal data of the Full Member’s Contact Person are processed by Data Controller in connection with the Chat: the name of Full Member’s Contact Person, company website name, e-mail address, telephone number, profile picture, social media details, the status of “full member”, and the conversations made by Full Member’s Contact Person on the Chat under the profile name.
- The following personal data of the Guest or Guests Contact Person are processed by Data Controller in connection with the Chat: if Guest is a natural person the Guest’s name, if Guest is a company, the name of Guest’s Contact Person, company website name, e-mail address, telephone number, profile picture, social media profile, the status of “guest”, and the conversations made by Guest or Guests Contact Person on the Chat under the profile name.
- On the Chat platform Full Member’s Contact Person has access to personal data of other Full Member’s Contact Person, they can contact with each other. Guest and if Guest is a company, its Contact Person has access only to the basic personal data of other Registered Users, such as Contact Person’s name, company website name, social media profile, the status of “guest” or “full member”. If a Guest or Guest’s Contact Person sends request to other Registered User, in case of approval, more personal data (e-mail address, telephone number, profile picture) of Registered User will be available to the request sender.
- Registered User can also block the other Registered User, who doesn’t want to be in contact with anymore, in which case his or her personal data won’t be visible to the blocked users.
- The legal ground of data processing is the consent of the Registered User. Registered User has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Data Processor processes personal data on the above defined purpose up to the time when Registered User withdraws the consent or requests to delete of the registered profile or, if data subject is a Full Member’s Contact Person, the membership terminates (therefore the registered profile will be deleted) or till any claim can be enforced regarding the data processing, but not more than 2 years following the registered profile was deleted, or in case of a dispute, not more than 1 year following the final closing of the dispute. In his or her profile Registered User can chose the option not to archive Chat conversations, in which case by clicking the delete button, Chat-related-personal data will be deleted. By sending an expressed request to the Group Registered User can request the deletion of the Chat conversations, in which case Chat-related-personal data will be deleted from the servers.
6. Data processing regarding the Data Room
- After signing in registered Full Member’s Contact Person has the opportunity to use the online data room (hereinafter: “Data Room”) provided by the Website. Data Room lists the name of the Full Members and their Contact Person. The purpose of the data processing is to enable registered Full Members and their Contact Person to get familiar with each other’s business offers.
- Full Member’s Contact Person has access to personal data of other Full Member’s Contact Person which were provided by them and has the opportunity to contact with other Full Member’s Contact Person freely.
- The following personal data of the Full Member’s Contact Person are processed by Data Controller in connection with Data Room: the name of Full Member’s Contact Person, company name, job/position, e-mail address, telephone number, profile picture, the status of “full member”. Business deals are only visible for participating parties, and are not stored or viewed in any way by the website and the Data Controller.
- The legal ground of data processing is the consent of the Full Member’s Contact Person. Full Member’s Contact Person has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Data Processor processes personal data on the above defined purpose up to the time when Full Member’s Contact Person withdraws the consent or requests to delete of the registered profile or, if the Full Member’s membership terminates (therefore the registered profile will be deleted) or till any claim can be enforced regarding the data processing, but not more than 2 years following the registered profile was deleted, or in case of a dispute, not more than 1 year following the final closing of the dispute.
7. Data processing regarding the Newsletter
- On the Website any visitor has the opportunity to subscribe to the regular newsletter sent by the Data Controller via the Website (hereinafter: “Newsletter”). The purpose of data processing is to send regular Newsletter to the subscribers (hereinafter: “Subscriber”).
- The following personal data of the Subscriber are processed by Data Controller in connection with the Newsletter: name, e-mail address.
- The legal ground of data processing is the consent of the Subscriber. Subscriber has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Data Processor processes personal data on the above defined purpose up to the time when Subscriber withdraws the consent or till any claim can be enforced regarding the data processing, but not more than 5 years following the date of the subscription, or in case of a dispute, not more than 1 year following the final closing of the dispute.
8. Data processing regarding visitor’s messages
- On the Website any visitor has the opportunity to send messages to the CEEC Scout Group via the contact platform. The purpose of data processing is to identify and process visitors’ messages and to be able to reply to the messages.
- The following personal data of the visitor are processed by Data Controller in connection with the Newsletter: name, e-mail address, and other personal data provided by the visitor in the message sent.
- The legal ground of data processing is the consent of the visitor. Visitor has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Data Processor processes personal data on the above defined purpose up to the time when visitor withdraws the consent or till any claim can be enforced regarding the data processing, but not more than 5 years following the date of the last message, or in case of a dispute, at least 1 year following the final closing of the dispute.
9. The recipients or categories of recipients of the personal data
- The following data processors are in contractual relation with the Data Controller:
- MS Energy Solutions Ltd. (registered seat: 3300 Eger, Csiky Sándor utca 9. 4. em. 11.) who is entrusted with developing and maintaining the Website and the servies related thereto (Chat, Data Room, Newsletter). MS Energy Solutions Ltd.. has access to the personal data processed by Data Controller in connection with the Website.
- Google LLC (registered seat: 1600 Amphitheatre Parkway, Mount View, CA, USA) who is entrusted with [email services of the Group]. Google LLC has access to the personal data processed by Data Controller in connection with [the emails sent from and to the Group].
- Pont ez Holding Ltd. (registered seat: 1025 Budapest, Zsindely utca 20.) who is entrusted with the operation and maintenance of the Group website’s server. Pont ez Holding Ltd. has access to the personal data processed by Data Controller in connection with Group website’s server.
- Data processors can only process personal data transferred to them by Data Controller if data processing is based on written agreement with the Data Controller and only according to the Data Controller’s instructions.
- Data processors are entitled to process personal data according to the Data Controller’s instruction until the termination of the data processing contract or at the latest until the time of transferring back or deleting the personal data or within the period when Data Controller is entitled to process those personal data.
- Data Controller entrusts only such data processors that provides sufficient appropriate safeguards in order to prove that processing is performed in accordance with GDPR and appropriate technical and organizational measures were implemented.
- In cases set out by law the Data Controller is obliged to transfer personal data prescribed by law and processed by the Data Controller to institutions, organizations, entities prescribed by law. Data Controller has to inform data subjects about the fact of such data transfer, if it isn’t prohibited by the law.
10. Measures for security of processing
- Data Controller takes all the reasonable steps to avoid any unlawful access or usage of personal data or the devices which used for data processing. Data Controller ensures the security of processed personal data in compliance with the provisions of the GDPR.
11. Rights of the data subjects
- The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- According to Sections 15-22 of GDPR data subject is entitled to submit request to Data Controller for access to personal data concerning him or her are being processed by Data Controller and for rectification or erasure of personal data, or for restriction of processing and data subject can exercise the right for data portability.
- The data subject can exercise her/his right regarding data processing and her/his right to withdraw consent through a request sent to Data Controller ‘s registered seat or e-mail address after identifying her or himself.
- If Data Controller has well-established doubts regarding the identification of the person who submitted the request, Data Controller is entitled to ask for more necessary information in order to identify the data subject.
- Data Controller provides information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month from receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Data Controller informs the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information are provided by electronic means where possible, unless otherwise requested by the data subject.
- If Data Controller does not take action on the request of the data subject, Data Controller informs the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
- Providing information regarding exercising data subject’s rights is free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, Data Controller may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
12. Availability of remedy
- Data Controller makes all the efforts to ensure the lawful and to the extent possible the most secure processing of personal data. Therefore, it is appropriate to directly liaise with Data Controller if any problems occur before taking any other remedies, in order to solve the problems as soon as possible.
- Data subject has the right to lodge a complaint with the supervisory authority competent in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. If the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint, the data subject has the right to an effective judicial remedy. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
- The data subject has the right to an effective judicial remedy.