
Privacy Policy
1. Purpose and Scope of the Privacy Policy, Applicable Laws
The purpose of this Privacy Notice is to define the data protection and data management principles applied by ROIworks Zrt. (hereinafter: the “Data Controller”), as well as the data protection and management policy adopted by the company, which the company, as a data controller, acknowledges as binding upon itself.
In developing the provisions of this Notice, the Company has taken particular account of the following laws and regulations: Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”); Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Infotv.”); Act V of 2013 on the Civil Code (“Ptk.”); and Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (“Grtv.”).
This Privacy Notice applies to
(i) data processing related to the operation of the website available at https://www.roi.works/ (hereinafter collectively referred to as the “Website”);
(ii) data processing related to clients; and
(iii) data processing in connection with the organization of prize games and promotions.
2. Definitions
Data Processing:
Any operation or set of operations performed on Personal Data, regardless of the procedure applied — such as the collection, recording, organization, structuring, storage, adaptation, alteration, use, retrieval, consultation, disclosure, transmission, dissemination or otherwise making available, publication, alignment or combination (including profiling), restriction, erasure, or destruction of Personal Data.
Data Processor:
A service provider that processes Personal Data on behalf of the Data Controller. The Data Processors used in connection with the services referred to in this Notice are listed in Section 11.
Data Controller:
The person specified in Section 3 who determines — alone or jointly with others — the purposes and means of data processing.
User:
A natural person who (i) visits the Website and, in doing so, submits an inquiry or order using the data specified in Section 7.
External Service Provider:
Third-party service partners — engaged by the Data Controller or the operator of the Website, either directly or indirectly — that provide certain services and may receive or access Personal Data for the purpose of delivering such services, or may transmit Personal Data to the Data Controller. External Service Providers also include those providers who do not cooperate directly with the Data Controller or the Website operator but, by accessing the Website, may collect data about Users that, either on their own or when combined with other information, may enable the identification of the User.
Personal Data or Data:
Any information relating to an identified or identifiable natural person (User), who can be identified — directly or indirectly — by reference to such data.
Notice:
This Privacy Notice of the Data Controller.
3. The Data Controller and Its Activities
Name: ROIworks Zrt.
Registered office: 1139 Budapest, Váci út 99–105, Balance Building, 2nd floor
E-mail: operation@roi.hu
The Data Controller is a business entity registered in Hungary.
4. Principles, Method, and Applicable Laws of Data Processing
4.1. The Data Controller carries out data processing in accordance with the principles of good faith, fairness, and transparency, and in compliance with
and cooperates with Users in the course of data processing. The Data Controller processes only those data that are specified by law or voluntarily provided by Users, and solely for the purposes defined in this Notice. The scope of the Personal Data processed is proportionate to the purpose of data processing and does not extend beyond it.
4.2. In all cases where the Data Controller intends to use Personal Data for a purpose other than that for which it was originally collected, the User shall be informed in advance, and the Data Controller shall obtain the User’s prior and explicit consent, or provide the User with the opportunity to prohibit such use.
4.3. The Data Controller does not verify the accuracy of the Personal Data provided to it. The person providing the Personal Data is solely responsible for their correctness and authenticity.
4.4. The Data Controller does not transfer the Personal Data it manages to any third parties other than the Data Processors specified in this Notice and, in certain cases referred to herein, the External Service Providers. An exception to this provision is the use of data in a statistically aggregated form, which does not contain any information that could identify the User in any way; therefore, such use shall not be considered Data Processing or Data Transfer. In certain cases — such as official court or police requests, legal proceedings, copyright, property, or other rights violations or well-founded suspicions thereof, harm to the legitimate interests of the Data Controller, or threats to the provision of the service — the Data Controller may grant access to the relevant User’s available Personal Data to third parties.
4.5. The systems of the Data Controller may collect data on Users’ activity, which cannot be linked to the Personal Data provided by Users during registration, nor to data generated when using other websites or services. By way of exception, if the User consents to receiving marketing offers (such as EDM, personalized banners, or displays) from the Data Controller, the User acknowledges that, within the framework of this service and solely for the purpose of providing it, the data collected on the User’s activity may be linked to the Personal Data provided by the User during registration.
4.6. The Data Controller shall inform the affected User, as well as all parties to whom the Personal Data have previously been transmitted for the purpose of Data Processing, of any rectification, restriction, or erasure of the Personal Data. Notification may be omitted if it does not infringe the legitimate interests of the User in light of the purpose of the Data Processing.
4.7. In accordance with the relevant provisions of the GDPR, the Data Controller is not required to appoint a Data Protection Officer.
4.8. The Data Controller manages Personal Data in compliance with the applicable laws and regulations. The main laws governing data processing include, in particular:
● Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the “Infotv.”);
● Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: the “Grtv.”);
● Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
● Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR);
● Act C of 2000 on Accounting, Section 169 (regarding the retention of accounting documents).
4.9. The Personal Data of a person under the age of 16 may only be processed with the consent of an adult exercising parental responsibility over that person. The Data Controller is not in a position to verify the authority or the content of the declaration of consent; therefore, the User and/or the person exercising parental responsibility over the User shall guarantee that the consent complies with the applicable legal requirements. In the absence of such consent, the Data Controller does not collect Personal Data relating to persons under the age of 16.
6. Purpose of Data Processing
6.1. The Data Controller processes Personal Data solely for specified purposes, and only to exercise rights or fulfill obligations. Data Processing shall comply with its intended purpose at every stage. The collection and processing of data are carried out fairly and lawfully. The Data Controller strives to ensure that only those Personal Data are processed which are essential and suitable for achieving the purpose of the processing. Personal Data may be processed only to the extent and for the duration necessary to achieve the specified purpose.
6.2. The primary purpose of Data Processing is the operation of the Website and, in the case of form submissions, establishing contact with the User. Based on the above, the purposes of Data Processing in connection with the core activities of the Data Controller are as follows:
● Identifying the User and maintaining contact with the User;
● Ensuring successful communication with the User in the case of form submission;
● Fulfilling the obligations of the Data Controller and exercising the rights to which the Data Controller is entitled;
● Preparing analyses and statistics, and improving services – for this purpose, the Data Controller uses only anonymized data and aggregated information that cannot be used to identify individuals;
● Protecting the rights of Users;
With respect to Users who have consented to being contacted for marketing purposes:
● Market research: assessing Users’ needs and purchasing habits;
7. Source of Personal Data and Scope of Processed Personal Data
7.1. In connection with its core activities, the Data Controller processes the Personal Data provided by the Users. Users may modify or delete the data they have provided at any time and may also request the deletion of their entire registration. The provision of Personal Data takes place on the Website. The data that may be recorded by the User include: full name, email address, telephone number, and details of the inquiry or area of interest.
7.2. In addition to the above, the Data Controller also processes technical data, including IP addresses and cookies, as described in Section 9.
8. Description of the Data Processing Procedure
8.1. The source of the Personal Data is the User, who provides the data through the form available on the Website. The data requested on the registration form are mandatory unless explicitly indicated otherwise.
8.2. The User provides the data voluntarily; the Data Controller does not issue any mandatory guidelines or set any content-related requirements in this regard. The User expressly consents to the processing of the data he or she provides.
9. Management of Technical Data and Cookies
9.1. The system of the Data Controller automatically records the IP address of the User’s computer, the start time of the visit, and, in certain cases—depending on the computer’s settings—the type of browser and operating system used. The recorded data, except in cases where the User has given consent for marketing purposes or profiling, cannot be linked with other Personal Data and are used exclusively for statistical purposes.
9.2. Cookies enable the Website to recognize returning visitors. They assist the Data Controller, as the operator of the Website, in optimizing the Website and tailoring its services to the habits and preferences of the Users. Cookies are also suitable for
● remembering user settings so that they do not have to be re-entered each time the User navigates to a new page;
● remembering previously entered data so that it does not need to be retyped;
● analyzing the use of the website in order to implement improvements based on the information obtained, ensuring that the site functions in accordance with user expectations to the greatest possible extent, allowing users to easily find the information they are looking for;
● monitoring the effectiveness of our advertisements.
The Data Controller also uses cookies to display advertisements to Users via Google and Facebook. The data processing in this context is carried out without human intervention.
The Data Controller uses cookie information for profiling purposes, in order to develop and deliver personalized offers to Users who have consented to being contacted for marketing purposes.
9.3. Users can set their web browsers to accept all cookies, reject all cookies, or notify them when a cookie is sent to their device. These settings are usually available in the browser’s “Options” or “Settings” menu. By disabling the use of cookies, the User acknowledges that the Website may not function properly or to its full capacity without them. Detailed information on managing cookie settings in various browsers is also available (in English) at www.aboutcookies.org.
10. Data Transmission
10.1 The Data Controller shall transfer Personal Data to a third party only if the User has given explicit consent – with knowledge of the scope of the data being transferred and the recipient of the transfer – except in the cases specified in sections 10.2 and 10.3 below, or if the data transfer is authorized by law.
10.2 If the Data Controller transfers the operation or utilization of the services it provides, in whole or in part, to a third party, it may also transfer the Personal Data it manages, in whole or in part, to this third party without obtaining separate consent from the User, provided that the Users are appropriately informed in advance. Such data transfer must not place the User in a less favorable position than that defined by the data processing rules in force at the time as set out in this Privacy Notice. In the event of a data transfer under this section, the Data Controller shall provide Users with the opportunity to object to the transfer before it takes place. If a User objects, the transfer of that User’s data under this section shall not be carried out.
10.3 The Data Controller is entitled and obliged to transfer any Personal Data available to it and lawfully stored by it to the competent authorities if such transfer is required by law or by a final and binding order of an authority. The Data Controller cannot be held liable for such data transfer or for any consequences arising therefrom.
10.4 The Data Controller shall document all data transfers and maintain records of such transfers.
11. Data Processing
11.1 The Data Controller is entitled to use a Data Processor to perform its activities. Data Processors shall not make independent decisions; they may act only in accordance with the contract concluded with the Data Controller and the instructions received from it. The Data Controller shall supervise the work of the Data Processors. Data Processors may engage additional data processors only with the consent of the Data Controller.
11.2 The Data Controller shall specify the Data Processors it engages in this Privacy Notice.
Data Processors engaged by the Data Controller:
● Google Ireland Limited, 4 Barrow Street, Dublin, Ireland (hosting, analytics)
● Facebook Limited, 4 Grand Canal Square, Dublin, Ireland
● ProWebGroup OÜ, Sepapaja 6, Tallinn 15551, Estonia (hosting services)
12. External Service Providers
12.1 In operating the Website, the Data Controller uses External Service Providers with whom the Data Controller cooperates.
12.2 With respect to the Personal Data processed in the systems of the External Service Providers, the provisions of the respective External Service Providers’ own privacy policies shall apply. The Data Controller shall make every reasonable effort to ensure that the External Service Provider handles the Personal Data transferred to it in compliance with applicable laws and uses such data solely for the purposes defined by the User or as specified in this Privacy Notice.
12.3 The Data Controller shall inform Users of any data transfers made to External Service Providers within the framework of this Privacy Notice.
● Google Ireland Limited, 4 Barrow Street, Dublin, Ireland
● Facebook Limited, 4 Grand Canal Square, Dublin, Ireland
● ProWebGroup OÜ, Sepapaja 6, Tallinn 15551, Estonia (hosting services)
12. Data Security and Access to Personal Data
12.1 The Data Controller ensures the security of the Personal Data it processes by implementing the technical and organizational measures and establishing the procedural rules necessary to enforce the applicable legal, data protection, and confidentiality requirements. The Data Controller protects Personal Data with appropriate measures against unauthorized access, alteration, transfer, disclosure, deletion, or destruction, as well as against accidental loss or damage and any loss of accessibility resulting from changes in the applied technology.
12.2 The Data Controller maintains the Personal Data it processes in accordance with applicable laws, ensuring that such data are accessible only to those employees and other persons acting within the Data Controller’s scope of responsibility (data processors) who require access to perform their duties or tasks. The employees of the Data Controller may carry out individual searches or perform specific operations on the data only at the request of the User or when it is necessary for the provision of the service.
12.3 In determining and applying measures to ensure the security of Personal Data, the Data Controller takes into account the current state of technological development. Among the possible data management solutions, the Data Controller shall choose the one that provides a higher level of protection for Personal Data, unless doing so would entail disproportionate difficulty. In the scope of its IT security responsibilities, the Data Controller shall in particular ensure:
● The implementation of measures to protect against unauthorized access, including the protection of software and hardware tools, as well as physical protection (access control, network security);
● The implementation of measures ensuring the possibility of restoring data files, including regular backups and the separate, secure management of copies (mirroring, data backup);
● The protection of data files against viruses (virus protection);
● The physical protection of data files and the devices containing them, including protection against fire, water damage, lightning, and other natural disasters, as well as ensuring the recoverability of data in the event of such incidents (archiving, fire protection).
12.4 Employees and other persons acting on behalf of the Data Controller are required to securely store and protect any data carriers they use or possess that contain Personal Data—regardless of the method of data recording—against unauthorized access, alteration, transfer, disclosure, deletion, or destruction, as well as against accidental loss or damage.
12.5 The Data Controller operates the electronic records using an IT system that complies with data security requirements. The system ensures that access to the data is purpose-specific and takes place under controlled conditions, allowing access only to those individuals who need it to perform their duties.
13. Duration of Data Processing
The Data Controller shall delete the personal data if
a) its processing is unlawful;
If it is established that the data have been processed unlawfully, the Data Controller shall immediately carry out the deletion.
b) the User requests it (with the exception of data processing based on legal obligation);
The User may request the deletion of data processed on the basis of their voluntary consent. In such cases, the Data Controller shall delete the data. Deletion may only be refused if the processing of the data is authorized by law. In all cases where a deletion request is refused, the Data Controller shall provide information about the refusal and the legal provision that permits the continued processing.
c) the data are incomplete or inaccurate – and this condition cannot be lawfully remedied – provided that deletion is not prohibited by law;
d) the purpose of Data Processing has ceased, or the statutory retention period of the data has expired;
Deletion may be refused (i) for the purpose of exercising the right to freedom of expression and information, (ii) if the processing of Personal Data is authorized by law, or (iii) for the establishment, exercise, or defense of legal claims. The Data Controller shall in all cases inform the User of any refusal of a deletion request, indicating the reason for the refusal. Once a request for the deletion of Personal Data has been fulfilled, the previously deleted data cannot be restored.
Newsletters sent by the Data Controller may be unsubscribed from via the unsubscribe link contained in each newsletter. In the event of unsubscription, the Data Controller shall delete the User’s Personal Data from the newsletter database.
As the Data Controller provides an ongoing service to the User, the relationship between the parties is not limited in time. Accordingly, in the absence of a request from the User, the Data Controller shall process the Personal Data for as long as the relationship between the Data Controller and the User exists and for as long as the Data Controller continues to provide services to the User. All other Personal Data shall be deleted by the Data Controller if it is evident that the Personal Data will no longer be used, meaning that the purpose of the Data Processing has ceased.
e) deletion is ordered by a court or by the National Authority for Data Protection and Freedom of Information.
If a court or the National Authority for Data Protection and Freedom of Information issues a final order requiring the deletion of Personal Data, the Data Controller shall carry out the deletion.
Instead of deletion, the Data Controller shall—while informing the User—restrict (block) the Personal Data if the User requests it or if, based on the available information, it can be assumed that deletion would violate the User’s legitimate interests. The restricted Personal Data may be processed only for as long as the purpose of Data Processing that precluded deletion continues to exist.
The Data Controller shall mark any Personal Data it processes if the User disputes its accuracy or correctness, but the inaccuracy or incorrectness of the disputed data cannot be clearly established.
In the case of Data Processing mandated by law, the provisions of the relevant legislation shall govern the deletion of data. In the event of deletion, the Data Controller shall render the Personal Data unidentifiable. If required by law, the Data Controller shall destroy the data carrier containing the Personal Data.
14. Rights of Users and the Enforcement Thereof
14.1 The Data Controller shall inform the User about the processing of Personal Data at the time of initial contact. In addition, the User is entitled to request information about the Data Processing at any time. Upon the User’s request, the Data Controller shall provide information regarding the data processed by it or by a Data Processor acting on its behalf or under its instructions, including the source of the data, the purpose, legal basis, and duration of the Data Processing, the name and address of the Data Processor and its activities related to the Data Processing, the circumstances and effects of any data protection incident, as well as the measures taken to remedy it. In the event of a transfer of the User’s Personal Data, the Data Controller shall also inform the User of the legal basis and the recipient of the transfer. The Data Controller is obliged to provide this information in writing, in an understandable form, as soon as possible but no later than within 25 days of the submission of the request. This information shall be provided free of charge if the User has not submitted a request for information regarding the same set of data in the current year. In all other cases, the Data Controller may charge a fee. Any fee already paid shall be refunded if the Personal Data have been processed unlawfully or if the request for information has resulted in the rectification of the data.
14.2 The User may request the Data Controller to correct any inaccurate Personal Data. In cases where regular data reporting is carried out based on the data to be corrected, the Data Controller shall, if necessary, inform the recipient of the data reporting about the correction and shall also draw the User’s attention to the need to initiate the correction with other data controllers, if applicable.
14.3 Except for Data Processing required by law, the User may request the deletion of their Personal Data (by completing the “Request for Deletion of Personal Data” form available on the Website). The Data Controller shall inform the User once the deletion has been carried out.
14.4 The User may object to the processing of their Personal Data in accordance with the provisions of the Information Act (Infotv.).
14.5 The User may submit a request for information, rectification, or deletion in writing, either by sending a letter to the registered office or business address of the Data Controller, or by sending an email to the Data Controller at operation@roi.hu.
14.6 The User may request the Data Controller to restrict the processing of their Personal Data if the User disputes the accuracy of the Personal Data being processed. In such cases, the restriction shall apply for the period necessary for the Data Controller to verify the accuracy of the Personal Data. The Data Controller shall mark the Personal Data it processes if the User disputes its accuracy or correctness, but the inaccuracy or incorrectness of the disputed Personal Data cannot be clearly established. The User may also request the restriction of processing if the Data Processing is unlawful, but the User opposes the deletion of the Personal Data and instead requests the restriction of their use. Furthermore, the User may request the restriction of processing if the purpose of Data Processing has been fulfilled, but the User requires the Data Controller to retain the Personal Data for the establishment, exercise, or defense of legal claims.
14.7 The User may request that the Data Controller provide the Personal Data supplied by the User and processed by automated means in a structured, commonly used, and machine-readable format, and/or that such data be transmitted to another data controller.
14.8 If the Data Controller does not comply with the User’s request for rectification, restriction, or deletion, it shall, within 25 days of receiving the request, provide a written explanation stating the reasons for the refusal. In the event of refusal of a request for rectification, deletion, or restriction, the Data Controller shall inform the User of the possibility of seeking judicial remedy and of filing a complaint with the National Authority for Data Protection and Freedom of Information.
14.9 The User may make the above statements related to the exercise of their rights using the contact details of the Data Controller specified in section 3.
14.10 The User may also submit a complaint directly to the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). In the event of a violation of their rights, the User is entitled to seek judicial remedy pursuant to Section 22 (1) of the Information Act (Infotv.). The case shall fall within the jurisdiction of the competent regional court (törvényszék). The lawsuit may be initiated—at the User’s choice—before the regional court with jurisdiction over the User’s place of residence or temporary residence. Upon request, the Data Controller shall provide the User with detailed information regarding the available remedies and means of enforcement.
15. Amendment of the Privacy Notice
15.1 The Data Controller reserves the right to amend this Privacy Notice at any time at its sole discretion.
15.2 By continuing to use the Website after the amendment, the User accepts the provisions of the Privacy Notice as amended and in force at that time; therefore, no separate consent from individual Users is required.