Microsec Ltd. (corporation validly established and existing under the laws of Hungary having its seat at H-1033 Budapest, Ángel Sanz Briz út 13. [Graphisoft South Park, Building C], hereinafter: "Microsec") is the developer and owner of the PassByME software (hereinafter: “PassByME”). For the operation of PassByME, it is indispensable that Microsec processes some of the natural persons’ personal data who use PassByME (hereinafter “Data Subjects”).
The purpose of this privacy policy (hereinafter “Privacy Policy”) is to supply essential information to the Data Subjects about the data processing Microsec performs with respect to PassByME. It is the partner organisation’s (hereinafter: “Client”) responsibility to ensure that the users added by the Client, including but not limited to the Client’s employees or own clients, are informed about the content of this Privacy Policy.
In the course of providing the service of PassByME, Microsec acts as data controller with respect to the personal data described below and it undertakes to fully abide by this Privacy Policy. Microsec warrants that the data processing that it carries out with respect to PassByME is in full compliance with the requirements set out in this Privacy Policy and in the relevant legal regulations as effective.
Microsec is committed to the protection of the Data Subjects’ personal data and particularly wishes to observe the Data Subjects’ right to informational self-determination. Microsec treats the Data Subjects’ personal data confidentially and takes all the security, technical and organizational measures which guarantee the security of such data.
Microsec reserves the right to alter this Privacy Policy and commits to supply information about any such alteration in accordance with the relevant legal regulations as effective.
The Privacy Policy and information related to the processing of data by Microsec are available on the www.passbyme.com website.
Should you have any question with regard to this Privacy Policy, please contact our data protection officer, dr. Lilla Lovas at info@passbyme.com and we will answer your queries.
Microsec’s data processing principles are in harmony with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and the Hungarian laws.
Microsec strives to limit its personal-data processing activity to what is absolutely necessary. Nonetheless, the processing of some personal data is inevitable. Those who supply data to Microsec are warned that where they disclose other persons’ data they are obliged to obtain the Data Subjects’ consent.
Data processing as a controller related to PassByME accounts
Client must create an account to use PassByME and Client is entitled to add users and appoint administrators to its own account.
Purpose of the data processing: To contact the Client and the Data Subjects, to create the accounts and to connect them with the accounts.
Description of the data processing: The Client’s representative creates an account for the Client by providing basic information. After that the administrator of the Client’s account is entitled to add user accounts by providing information about the users. The required information contains personal data, which is used only to create and connect the accounts.
Legal grounds for the data processing:
• Client’s account: Consent to the processing given by the Data Subject (the Client’s administrator).
• User’s account: Processing is necessary for the purposes of the legitimate interests pursued by Microsec and Client.
The scope of data processed:
• Client’s account: contact person’s name, e-mail address, phone number.
• User’s account: full name, username, e-mail address, phone number (optional), phone name, aliases, user ID, IP address, transaction data.
Source of the data processed: Client’s administrator. In case of the IP Address, it is the Data Subject.
Duration of the data processing: Microsec deletes the transaction data 5 years after the transaction. Microsec deletes all the data 5 years after the termination of the contract with the Client.
Data transfer (transmission): None.
Data processing as a processor related to PassByME accounts
Description of the data processing: Microsec may process third-parties’ personal data as a data processor by providing some functions of PassByME (e.g. document uploading, messaging). In such cases, Microsec assumes that the Client or users added by the Client (data controller) has a lawful legal basis to process the personal data. As a data processor, Microsec does not monitor the content of the uploaded documents, therefore Microsec is not eligible to review the legal basis of the processing. Microsec will not take any responsibility for such data processing. The data processor shall not be obliged to provide information on the processing of personal data, it is the data controller’s obligation.
Legal grounds for the data processing: Processing is necessary for the purposes of the legitimate interests pursued by Client.
The scope of data processed: content of the documents involved in the transactions.
Duration of the data processing: Microsec deletes the document involved in the transaction within 24 hours after it has been uploaded.
Data transfer (transmission): None.
Other data processing
Microsec may occasionally perform other personal data processing. Information about any data processing not mentioned in this Privacy Policy will be provided on the occasion of the data collection.
The Data Subjects are informed that the court, the public prosecutor, the criminal investigation authority, the infringements authority, the public administration authority, the National Data Protection and Informational Freedom Authority (“NAIH”), as well as other authorities authorized by legal regulation may request information, data and documents from Microsec, who will grant such requests to the extent it is required by the relevant legal regulations. Microsec will disclose personal data to the authorities only to the extent it is indispensable for the fulfilment of the authorities’ meticulously detailed request for information as regards the scope and purpose of information.
The place of data processing is Microsec’s servers located in Hungary.
Microsec selects and operates the IT equipment used to process personal data with respect to PassByME in such a way that the processed data(’s):
a) is available to authorized persons (availability);
b) authenticity and authentication is ensured (authenticity of data processing);
c) integrity can be proven (integrity of data); and
d) is protected against unauthorized access (confidentiality of data).
Microsec takes appropriate measures to protect the data particularly against unauthorized access, modification, transfer, publication or disclosure, erasure or purposeful destruction as well as against accidental destruction, damage or unavailability as a result of switching of technologies.
Name: Microsec Ltd.
Registered office: H-1033 Budapest, Ángel Sanz Briz road 13., Hungary
Registration No.: 01-10-047218
EU VAT No.: HU23584497
Telephone: +36 1 802 4492
E-mail: info@passbyme.com
In case of the personal data processed by Microsec as a data controller, the Data Subjects may request information about the processing of their personal data, and the rectification or – save for where the processing of data is mandatory – erasure or blocking of their personal data, in the manner indicated upon the recording of data or by contacting the data controller using this latter’s contact details shown in the Privacy Policy.
Upon a Data Subject’s request, Microsec supplies information about the Data Subject’s data processed by Microsec as data controller and/or processed by a data processor on Microsec’s behalf, about the sources where such data was obtained from, and the purpose and duration of and the legal grounds for the processing of data, as well as the name, address and related activities of the data processor, and – in the case of data transfer – the legal grounds for and the recipients of such transfer. The data controller must comply with a Data Subject’s request for information as soon as possible but in no event later than 30 days (unless relevant regulation contains a tighter deadline) and supply the information requested in a clear and easily understandable form and in writing if the Data Subject so requests. Such information must be supplied free of charge, unless the Data Subject has already submitted to the data controller a request for information concerning the same set of data earlier in the same year. Where that is the case, Microsec will charge a fee to recover its expenses.
Microsec rectifies a Data Subject’s personal data if such data is inaccurate while the correct personal data is available to Microsec.
Microsec blocks a Data Subject’s personal data at the Data Subject’s request, or in cases where there is reason to suppose – based on the information available to Microsec – that the erasure of such data could harm the Data Subject’s legitimate interests. Personal data that has been blocked as mentioned above may only be processed as long as the purpose of data processing which prevented erasure of the same continues to exist.
Microsec marks the personal data if the relevant Data Subject contests the correctness or accuracy of such data while the correctness or accuracy of the data or otherwise cannot be verified beyond doubt.
Microsec erases any and all personal data which is being processed unlawfully, if the relevant Data Subject requests, or if such data is incomplete or inaccurate and cannot be lawfully completed or corrected, provided that such erasure is not disallowed by law, the purpose of data processing no longer exists, or the statutory time limit for the storing of data has expired, or the erasure was ordered by a court of law or by the National Authority for Data Protection and Freedom of Information. If Microsec processes the personal data as a data processor only, then such requests shall be sent to the Client, and Microsec may perform such action only upon the Client’s instructions.
Microsec has 30 days to erase, block or rectify personal data. Where the data controller refuses to comply with a Data Subject’s request for rectification, blocking or erasure, it communicates the reasons for such refusal to the Data Subject in writing within 30 days. When rectifying, blocking, marking or erasing data, Microsec notifies the relevant Data Subject as well as all recipients to whom such data was previously transmitted for processing. Such notification is not necessary where, in the light of the purpose of the data processing, the Data Subject’s legitimate interests are not affected.
Data Subjects may object to the processing of their personal data:
a) if the processing or transfer of such personal data is carried out solely in order to discharge a legal obligation pertaining to the data controller or to enforce the rights or legitimate interests of the data controller, the data recipient or a third party, unless the processing of the data is mandatory and is carried out pursuant to a legal regulation;
b) if the personal data is used or transmitted for the purposes of direct marketing, public opinion polling or scientific research;
c) in other cases as prescribed by law.
Microsec investigates any objections as soon as possible after submission but not later than within 15 days, makes a decision as to the merits of the same, and notifies the relevant Data Subject about its decision in writing. If, according to the findings of the data controller, the objection is justified, the data controller discontinues all data processing operations (including any further collection, capture and transfer of data); it blocks the data concerned, and notifies all the recipients of such personal data about the objection and the measures taken in response for such recipients to also take measures in their turn to give effect to the Data Subject’s objection. If a Data Subject disagrees with the decision taken by the data controller, the Data Subject may challenge the decision in court within 30 days of being informed about such decision.
Data Subjects may, in the event of an infringement of their rights, file a petition in court against the data controller. The court will hear such cases in expedited proceedings.
Any questions, comments or complaints regarding the processing of personal data by Microsec as data controller should be addressed to Microsec, whose contact details are to be found under section 5 above.
Requests for remedy and any complaints may also be addressed to the data protection authority:
Nemzeti Adatvédelmi és Információszabadság Hatóság
(National Authority for Data Protection and Freedom of Information)
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf. 5.
Telephone: +36 1 391 1400
Facsimile: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu