1. INTRODUCTION
The purpose of this policy is to record the privacy and data management principles applied by Phantom Shopping and the Company’s data protection and data management policy.
Phantom Shopping undertakes to ensure that all data management related to its activity meets the requirements set out in this policy and the applicable legislation.
The purpose of this policy is to enable the data subject to receive information about the data, the source, the purpose, the legal basis, the duration of the data processing, the data processor, the address and the data handling related activities of the data processor involved in the processing of data by Phantom Shopping on paper and electronically managed data, in the case of the transfer of his personal data concerned – the legal basis and the addressee of the transfer. The scope of this policy also applies to phantomshopping.hu website and Mymo interface management and operation of Phantom Shopping.
By this policy, Phantom Shopping wishes to ensure the legal order of the operation of the registers, the constitutional principles of data protection, the enforcement of data security requirements, to prevent unauthorized access to the data and to unauthorized alteration or disclosure of data.
Phantom Shopping manages personal information confidential and will take all security, technical and organizational measures that guarantee the security of data.
2. TERMS OF REFERENCE
– Data subject: Any natural person determined or identified, directly or indirectly, by any identified personal data;
– Personal data: data related to the data subject, in particular the name, identifier and the knowledge of one or more physical, physiological, mental, economic, cultural or social identities of the data subject, as well as the deduction from the data;
– Special Data:
- racial origin, membership of a national and ethnic minority, political opinion or party affiliation, religious or other beliefs, the membership of a representation,
- health status, abnormal passion, sexual life data and criminal personal data;
– Criminal personal data: personal data relating to a criminal offense or criminal proceedings relating to criminal proceedings or the detection of criminal offenses in connection with or in connection with criminal proceedings, as well as in the organization of the enforcement of sentences, relating to the criminal record;
– Contribution: voluntary and decisive disclosure of the data subject’s will, based on appropriate information and with which he or she gives his / her unambiguous consent to the handling of any personal data relating to it – full or for each operation ;
– Objection : the statement of the data subject with whom he or she is objecting to the handling of his or her personal data and requesting the termination of the data processing and the cancellation of the processed data;
– Data Manager : a natural or legal person or a non-legal entity that either independently or with others determines the purpose of data management, makes and executes decisions on data handling (including the equipment used) or performs it with the data processor;
– Data Management: regardless of the method used, any operation or the operations together, such as collecting, capturing, recording, organizing, storing, modifying, utilizing, retrieving, transmitting, publishing, aligning, linking, blocking, deleting and destroying any of the operations, or to prevent further use of the data, to take photographs, sound or images, and to record physical features (such as finger or palm print, DNA pattern, iris image) that can identify the person;
– Transmission: To make the data available to a specific third party;
– Disclosure: To make the data available to anyone;
– Deletions of data: To make data unrecognizable in such a way that its recovery is no longer possible;
– Blocking data: For the purpose of limiting the continued handling of the data with an identifying indication for a definite or fixed time period;
– Data destruction: Complete physical destruction of data media;
– Data processing: Performing technical tasks related to data management operations, regardless of the method and device used to implement the operations and the location of the application, provided that the technical task is carried out on the data record;
– Data processor: is a natural or legal person or non-legal entity who, on the basis of a contract, including a contract under a provision of the law, processes data;
– Privacy Incident: Unauthorized processing or processing of personal data, including unauthorized access, modification, transmission, disclosure, deletion or destruction, and incidental destruction or damage.
– If the terms of reference of the applicable data protection law (when this policy is drafted the Act on Information) differ from the terms of this policy, then the terms defined by law will govern.
Abbreviations used in these policies:
Act on Information: the right to information self-determination and freedom of information 2011 CXII. law
Accounting Act. Act C of 2000 on Accounting Art. Act V of 2013 on the Civil Code
- Act on the Labor Code of 2012
GDPR REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)
3. DATA MANAGEMENT RULES
Since information self-determination is based on the fundamental rights of all natural persons enshrined in the Basic Law, therefore in the course of Phantom Shopping proceedings, data processing is under the provisions of the law in force and in accordance with the provisions of the applicable law. The data management of Phantom Shopping is based on the following legal bases (GDPR Article 6 (1)
- the data subject concerned has consented to handling his or her personal data for one or more specific purposes (voluntary contribution);
- data processing is necessary for the performance of a contract in which the data subject is required to take action by one party or before the conclusion of the contract at the request of the data subject (performance of the contract); c) data processing is necessary to fulfill the legal obligation for the data manager (legal obligation);
- data handling is necessary to enforce legitimate interests of the data manager or a third party (legitimate interest).
Personal data managed by Phantom Shopping is forbidden for private use or for purposes other than those contained herein. Data management must at all times comply with the purpose limitation principle, based on that Phantom Shopping manages personal data only for the purposes set out above, exercising the right and the obligation to reach the minimum extent and duration necessary to attain it.
Data managed by Phantom Shopping is primarily the responsibility of our competent internal staff and does not transfer them to third parties solely from a legitimate interest (such as debt collection and statutory obligation).
4. DATA SECURITY REGULATIONS
For the security of personal data processed on paper, Phantom Shopping applies the following measures:
– the data can only be accessed by the authorized others can not access it, may be disclosed to others;
– documents are stored in a well-sealed, dry, fire-proof room with security system;
– the files in continuous active treatment are only available to the competent authorities;
– the Data Management Officer of Phantom Shopping can only leave the premises where data management takes place during the day, if the storage media is or the office is closed;
– the Data Management Officer of Phantom Shopping closes the paper-based media at the end of the work;
– if the personal data handled on paper is digitized, the security rules applicable to digitally stored documents are applied by Phantom Shopping
– In order to ensure the security of personal data stored on computer or on network, Phantom Shopping applies the following measures and warranty elements in accordance with the applicable Information Security Regulations:
– computers, laptops,telephones,mobilephones used indatamanagement are the property of, or the Company has the same right over them;
– the data on the computer can only be accessed with valid, personalized, identifiable entitlements – at least with a username and password – and Phantom Shopping will regularly and, if reasonably, provide for the exchange of passwords;
– if the goal of the data management is achieved, the data processing deadline has expired, the file containing the data will be unrecoverably deleted and the data can not be recovered;
– the magnetic data storage medium stored in the armored box designed for this purpose is stored in a fire-proof location and manner;
– in the personal data management network, it provides virus protection continuously;
– using available computing devices to prevent unauthorized people from accessing the network.
5. DATA MANAGEMENT AT PHANTOM SHOPPING
5.1 Data management during the use of www.phantomshopping.hu
5.1.1 Automatically recorded data
When visiting the phantomshopping.hu website, certain details of the visitor’s device (eg. laptop, PC, phone, tablet) are automatically recorded. Such data include the IP address, the date and time of the visit, the pages visited, the website from which the visit was made, the type of browser used, the type of operating system, and the name and address of the ISP. The data to be recorded will be logged automatically upon logging in or exiting without the visitor’s specific statement or action. This information is only used in aggregated and processed form by Phantom Shopping, to correct any defects in our services, to improve their quality and for statistical purposes. The data will only be used anonymously.
The aim of the data management is: Technical development of the IT system, control of the operation of the service, personalization, producing statistics and the protection of the visitors’ rights. In the event of abuse, in cooperation with the internet service provider of the visitors and the authorities, the data can also be used to determine the source of abuse.
Legal Basis for Data Management The 2001 CVIII Law on Electronic Commerce Services and Information Society Services Law 13 / A. §.
The range of data management is the Internet service provider of the visitor, in some cases the visitor’s IP address, the software browser version, the type of computer operating system, the website from which the visitor reached phantomshopping.hu, the pages that were visited on the website, the search words used to access the site.
The duration of the data management is 30 days from the date of viewing the site.
The way of data management: electronically
5.1.2 One-time information or information handled for inquiries
The Data Manager allows the data subjects to gain information on the website via the contact tab or via the central email address from the Phantom Shopping, visitors can enter the relevant information (full name, email address, company name, title, phone number) required for contact by completing a form. However, the data can only be sent to the data subject if he accepts the data management rules of Phantom Shopping (Phantom Shopping) otherwise he will not be able to send his message.
The aim of the data management is to provide adequate information, to inform the interested persons about the questions and observations made during the contact, to retrieve the information exchanged during the contact.
Legal basis for data management: voluntary contribution
Scope of managed data: full name, email address, company name, title, phone number
Duration of data handling: 2 months from sending the reply
The way of data management: electronically
5.1.3 Personal data processed for contact purposes
Providing relevant information to the data subject after the contractual relationship has been established.
The aim of the data management is to provide adequate information and retrieve the information exchange during a contact
The legal basis for data handling is the performance of a contract
The range of data processed is the full name, e-mail address and phone number
of the contact person,
Duration of data management: the existence of a customer relationship and the
deadline for enforcing civil claims
The way of data management: electronically and / or on paper
5.1.4 Personal data handled for the fulfillment of a contract
The legal provisions of data management related to the establishment of a contractual relationship (for example, the Accounting Act for Issuing an Account) and the 2001 CVIII Law on Certain Issues of Information Society
Services. Law 13 / A. § (3) data that are technically indispensable for the provision of the service.
Data management operations are essentially for contact purposes, such as invoicing, or sorting / filtering. Automatic profiling is not done.
The purpose of the data management is to complete the contract
The legal basis for data handling is the fulfillment of a legal obligation
The scope of the data processed: according to the Accounting Act
Duration of data management: the existence of a customer relationship and the deadline for enforcing civil claims, 8 years, and the period specified in the applicable tax and accounting legislation
The way of data management: electronically and / or on paper
5.1.5 Data management for registration on www.phantomshopping.hu
Phantom Shopping allows you to register as a mystery shopper. After the registration button has been pressed, the system moves you to the MyMo interface. In the mystery shopper module, it is possible to give your personal data.
The purpose of data management is to create a contract, define, modify, fulfill its content, invoicing of contract fees, identify a user, provide communications
Legal Basis for Data Processing: GDPR Article 6 (1) (b)
The range of data processed: full name, email, address, phone number, password, bank account number, driving license, gender, place and time of birth, tax identification number, social security number, driving license, learned profession, income level, hair color,
The duration of the processing is 3 months after the date of deletion by Phantom Shopping account and Phantom Shopping registration.
The way of data processing: electronically
5.1.6 Data management on entering www.phantomshopping.hu as a mystery shopper
On Phantom Shopping website you can try as a mystery shopper and enter the site as a client. In both cases, a registered email address and a password are required. As a mystery shopper the system deletes the MyMo interface where the mystery shopper previously registered.
Purpose of data management: The e-mail address is indispensable for identifying the reporting user in the database and serves the purpose of the contact.
Legal Basis for Data Processing: GDPR Article 6 (1) (b)
Scope of managed data: email address, password
The duration of the processing is 3 months after the date of deletion by Phantom Shopping account and Phantom Shopping registration.
The way of data processing: electronically
5.1.7 System message via e-mail or push message in the Phantom Shopping system
Phantom Shopping sends Phantom Shopping registered users a system message from time to time. System messages are any messages that may be related to the functionality of the Phantom Shopping system, any service failure, maintenance, functionality of the Phantom Shopping system, changes to existing and new features, new features, the scope and use of the Phantom Shopping System, the Terms and Conditions, the Data Handling Information, the Privacy Policy, or any modification thereof, the User’s rights, obligations, and services regarding the Phantom Shopping System, including any acknowledgment messages, certificates, notifications, confirmations sent by each of the services being used.
The purpose of data management is to send a system message to fulfill the contract
Legal Basis for Data Processing: GDPR Article 6 (1) (b)
The range of data processed is: email address, name
Duration of the data processing: 12 months after the termination of the contract
The way of data management : electronically
5.1.8 Data management for records uploaded to Phantom Shopping system by mystery shoppers
As a result of the mystery shopping, the mystery shoppers will make a report on incognito-made purchases and other audits by Phantom Shopping Reports may contain personal information about the Employer’s employee.
The purpose of the data management is to complete the contract
Legal Basis for Data Processing: GDPR Article 6 (1) (b)
The range of data processed is: name, personal description, behavior
Duration of data management: until the mystery shoppers has been registered
The way of data management: electronically
5.3 Community sites
Phantom Shopping is listed on Facebook as well as on the Instagram community site called phantom shopping.
You can subscribe to the news feed on the message wall on the Phantom Shopping site by clicking on the ‘like’ link on the page and clicking on the ‘dislike’ link on the same page you can unsubsribe, or using the message wall settings you can delete the unwanted news appearing on the message wall.
The purpose of data management is to share or like, popularize social content, site content, products, actions or the website itself.
Legal basis for data handling: voluntary contribution
The range of data processed: name and photo given during registration
The duration of the data management depends on the subscriber’s decision
The source of the data, how it is handled, how it is delivered and how it is based, can be found on the given social networking site. Data management takes place on social networking sites, so the duration of the data handling, the ways of deleting and modifying the data are governed by the rules of the respective community site.
6. OTHER DATA MANAGEMENT
Phantom Shopping provides information on data management which are not listed in the data management regulations at the time the data was collected. Based on the authority of the court, the prosecutor, the investigating authority, the offender authority, the administrative authority, the National Data Protection and Information Authority or the law, other bodies may seek Phantom Shopping as a data controller to provide information, transmit data, or to make documents available.
If the authority indicates the exact purpose and scope of the data – for the authorities listed in detail above – MS International Ltd shall only disclose personal data to the extent strictly necessary for the purpose of the request.
- THE WAY PERSONAL DATA IS STORED, THE SECURITY OF DATA MANAGEMENT
The computer system and other data retention locations of Phantom Shopping are located at its headquarters.
Phantom Shopping selects and manages the IT tools used to manage personal data in the provision of the service so that the data treated:
- only accessible to authorized persons;
- authenticity and authentication is ensured; • its immutability can be verified;
- Protect against unauthorized access.
Phantom Shopping protects the data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction, damage, and the technique used.
Phantom Shopping, with regard to the current state of the art technology, provides technical, organizational and organizational measures to protect the security of data management, providing a level of protection that meets the risks associated with data management.
8. DATA PROCESSORS
8.1. Server service provider
Activity performed by data processor: server service
The purpose of data management is to make the website available and to properly operate a server service
Legal basis for the processing of data: Article 6 (1) (f) of the GDPR, or the electronic commerce services and information on CSR-related services in 2001. Law 13 / A. § (3)
The fact of data management, the range of data management: all personal data provided by the data subject
Data processing time, date of deletion of data: Data controller and server service provider, or the affected party to the server service provider’s request for deletion.
The way of data management: electronically
The circle of data subjects: Everyone who reaches the server
8.2. Web-hosting
Data Processor Activity: Website Service
The aim of the data management is to make the website accessible and properly operated.
Legal basis for the data management: Article 6 (1) (f) of the GDPR, or the electronic commerce services and information on CSR-related services in 2001. Law 13 / A. § (3).
The fact of data management, the range of data management: all personal data provided by the data subject
Data processing time, date of deletion of data: Data controller and server service provider, or the affected party to the server service provider’s request for deletion.
The method of data management: electronically
Data subjects: Anyone using the website
8.3. Accounting tasks, billing, payroll accounting
Data Processor Activity: Accounting Tasks and Billing
The aim of data management is to issue an electronic invoice / accounting / payroll accounting
The legal basis for the processing is Article 6 (1) (c) of the GDPR, or the electronic commerce services and information on CSR-related services in 2001. Law 13 / A. § (3).
The fact of data management, the range of managed data: name, billing name, billing address
Time of data handling, deadline for deletion of data: Under Article 169 (2) of Act C of 2000 on Accounting, 8 years.
The method of data management: electronically
The circle of data subjects is: mystery shoppers, employees
8.4. Payment of mystery shoppers
An activity performed by a data processor is a contractual agreement with the mystery shoppers and the payment of the mystery shoppers.
Name and availability of the data processor
Sze-Pal Bau Ltd.
headquarters: 2161 Csomád, Kossuth Lajos út 70
The legal basis for data handling is the performance of a contract.
Legal Basis for Data Processing GDPR Article 6 (1) (b)
The fact of data management, the range of data management: all personal data provided by the data subject
Time of data handling, deadline for deletion of data: Until the termination of the agreement between the data controller and the data processor or the party concerned data processing to the data processor.
The method of data management: electronically
The circle of data subjects is: mystery shoppers
9. THE RIGHTS OF DATA SUBJECTS
➢Right of access
The data subject has the right to be informed by the data manager of whether his personal data is being processed and, if such processing is in progress, he has the right to have access to personal data and the information listed in the decree.
➢Right to rectification
The data subject shall have the right to rectify any inaccurate personal data that he or she is entitled to request without undue delay. Taking into account the purpose of data management, the data subject has the right to request the addition of incomplete personal data, including by means of a supplementary statement.
➢Right to erasure
The data subject is entitled to request that the data manager, without undue delay, delete personal data concerning him/her and that the data controller is obliged to delete the personal data of the data subject without undue delay under certain conditions.
➢Right to be forgotten
If the data manager disclosed personal data and is required to delete, he / she shall take reasonable steps, including technical measures, to take account of the available technology and implementation costs, in order to inform the data managers handling the data that the data subject has requested them the deletion of links to personal data, a duplicate or duplicate of such personal data.
➢Right to Restrict Data Management
The data subject shall have the right to request that the data manager restricts the data management upon his request if one of the following conditions is met:
- the data subject disputes the accuracy of the personal data; in this case, the restriction concerns the period of time that the data manager can check the accuracy of the personal data;
- Data management is illegal and the data subject is opposed to the deletion of the data and instead asks to restrict their use;
- the data manager no longer needs personal data for data processing, but the data subject requires them to submit, enforce, or protect legal claims;
- the data subject objected to data management; in this case, the restriction applies to the duration of determining whether the data manager’s legitimate reasons prevail over the legitimate grounds of the data subject.
➢Right to data portability
The data subject shall have the right to receive personal data provided to him by a data manager in a fragmented, widely used machine-readable format and shall be entitled to transmit this data to another data manager without the obstruction of the previous data manager whom the data subject provided personal information (…).
➢Right to protest
The data subject has the right to object to the processing of his or her personal data (…) at any time when personal data is managed due to the legitimate interest of the data manager or his public authority.
10. REQUEST FOR INFORMATION
According to the Act on information and GDPR regulation, data subject may request the information concerned to manage his/her personal data and may request the rectification of his/her personal data or, with the exception of mandatory data, cancellation or blocking as indicated in the data logging or other contact details of the data manager.
At the request of the data subject, Phantom Shopping will inform him/her of the data, the source, the purpose, the legal basis, the duration of the data handling, and the legal basis and the addressee of the data it manages.
The data manager shall provide the information in writing, for the request of the data subject, at the earliest opportunity, within a maximum period of one month from the submission of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by an additional 2 (two) months, which will inform the data subject within a one-month deadline. An exception is the case where the request is clearly insufficient or, in the case of a particularly repetitive nature, is excessive.
The information is free of charge – if an information request has not yet been
submitted to the data manager in the current year for the same data field – in other cases, Phantom Shopping may charge reimbursement.
11.OBJECTION
If the data subject objects to the processing of his or her personal data, his / her personal data will be deleted within 14 working days of receiving his / her protest. An exception is the case where data is justified by compelling legitimate reasons, including the public interest or the case where data is necessary for the submission, validation or protection of legal claims.
12. LEGAL REMEDY
An appeal can be submitted to the National Data Protection and Freedom Authority:
National Privacy and Freedom Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
Postal address: 1530 Budapest, Pf. 5
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: [email protected]
Website: http://www.naih.hu
13. OTHER PROVISIONS
The term of this Privacy Policy will expire from May 25, 2018 until revocation. Phantom Shopping reserves the right to update this Privacy Policy at any time. Informs the data subjects about the changes.