DIEGO Kereskedelmi és Szolgáltató Kft. (2372 Dabas, Beton u. 26., tax number: 10744804-2-44, trade registration number: 13-09-083541) (the “Service Provider” or “controller”) is subject to the following policy:

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), please be informed of the following.

This data protection policy regulates the data processing of the following sites/mobile applications: https://diegofranchise.com/

The data protection policy is available at: https://diegofranchise.com/adatvedelem

Any amendments to the policy shall enter into force upon publication in the above sites.

The controller and its contact details

Name: DIEGO Kereskedelmi és Szolgáltató Kft.

Registered office: H-2372 Dabas, Beton út 26.

Email: info@diegofranchise.com

Telephone: +36 29 567 200

Terms and definitions

“personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles relating to the processing of personal data

Personal data shall be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The controller shall be responsible for, and be able to demonstrate compliance with, those above (“accountability”).

The controller declares that its data processing is in compliance with the principles set out in this section.

Registration for partners

Fact of the data collection, the range of processed data, and the purpose of data processing:

Personal data	Purpose of data processing	Legal ground
Name	Identification	Article 6 (1) a) and b) of the GDPR
E-mail address	Communication, sending responses	Article 6 (1) a) and b) of the GDPR
Telephone number	Communication	Article 6 (1) a) and b) of the GDPR
Date and time of registration	Execution of technical operation.	Article 6 (1) a) and b) of the GDPR
IP address upon registration	Execution of technical operation.	Article 6 (1) a) and b) of the GDPR

Range of data subjects: The range of data subjects includes all franchise partners on the website.
Duration of the processing, and deadline for the erasure of data: If any of the conditions set out in Article 17 (1) of the GDPR applies, the data processing shall last until the data subject’s erasure request.
Possible processors authorized to know the data, recipients of personal data: Personal data may be processed by those employees of the controller who are specifically authorized for this.
Information on the data subjects’ rights related to data processing:

A data subject may request from the controller access to the personal data relating to him or her, or the rectification, erasure or restriction of processing of such personal data, and
a data subject also has the right to data portability, and further to cancel his or her consent at any time.

The data subject may initiate access to, erasure and rectification of the personal data, or restriction of their processing, or data portability, in the following ways:

by mail to the address 2372 Dabas, Beton út 26.,
by e-mail to the email address info@diegofranchise.com,
on the phone at phone number +36 29 567 200.

Legal basis for the processing: Article 6 (1) a) and b) of the GDPR.
Please be informed that

data processing is based on your consent, and/or is necessary in order to take steps at your request prior to entering into the contract;
you must provide personal data so that we can contact you and accept you as partner.
as a consequence of your failure to provide such data, you are unable to contact
the controller, and register.
withdrawal of the consent shall not affect the lawfulness of the data processing performed before such withdrawal.

Customer relationship

Fact of the data collection, the range of processed data, and the purpose of data processing:

Personal data	Purpose of data processing	Legal ground
Name, e-mail address, phone number	Communication, identification, performance of contracts, business objectives	Article 6 (1) b) and c), for the purposes of the enforcement of claims arising from the contract, 5 years in accordance with Article 6:21 of Act V of 2013 on the Civil Code of Hungary.

Range of data subjects: All data subjects who communicate with the controller on the phone/in e-mail/in-person, or have a contractual relationship with the controller.
Duration of the processing, and deadline for the erasure of data: DM letters are stored until the erasure request of the data subject, but for maximum 2 years.
Possible processors authorized to know the data, recipients of personal data: Personal data may be processed by those employees of the controller who are specifically authorized for this, subject to the above principles.
Information on the data subjects’ rights related to data processing:

A data subject may request from the controller access to the personal data relating to him or her, or the rectification, erasure or restriction of processing of such personal data, and
a data subject also has the right to data portability, and further to cancel his or her consent at any time.

The data subject may initiate access to, erasure and rectification of the personal data, or restriction of their processing, or data portability, in the following ways:

by mail to the address 2372 Dabas, Beton út 26.,
by e-mail to the email address info@diegofranchise.com,
on the phone at phone number +36 29 567 200.

Legal basis for the processing:

Please be informed that

data processing is necessary for the performance of a contract and the making of an offer.
you must provide personal data so that we can perform our contract/fulfill your requests.
as a consequence of your failure to provide such data, we are unable to perform the contract/process your request.

Use of Google Ads conversion tracking

The processor uses the “Google Ads” online advertisement program, and in the scope of this uses Google’s conversion tracking service. Google’s conversion tracking application is the analysis service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
If the User reaches a website via a Google ad, a cookie necessary for conversion tracking will be saved to his or her computer. The period of validity of such cookies is limited, and they do not include any kind of personal data, therefore the User cannot be identified through them.
When the User browses specific pages of a website, and the cookie has not expired yet, Google as well as the controller can see that the User has clicked on the ad.
Each Google Ads client gets a cookie of its own, therefore they cannot be tracked through the websites of Ads clients.
The purpose of the information obtained by means of conversion tracking cookies is to prepare conversion statistics for the clients of Ads choosing conversion tracking. This is how the clients get informed about the number of users clicking on their ads and transmitted to sites furnished with conversion tracking tags. However, they do not obtain any information on the basis of which any user could be identified.
If you do not wish to participate in conversion tracking, you can reject it by banning the possible installation of cookies in your browser. From this point onwards you will not be included in conversion tracking statistics.
For further information, and Google’s privacy policy, see the website google.de/policies/privacy/

Using Google Analytics

This website uses the Google Analytics application, which is the web analytics service of Google Inc. (“Google”). Google Analytics uses text files called “cookies” that are saved to your computer and facilitate the analysis of the use of the website visited by the User.
The information generated by the cookies related to the website used by the User are usually transmitted to and stored in a Google server located in the USA. Before this, by activating IP anonymization in the website, Google shortens the User’s IP address within the Member States of the European Union or in other states that are party to the Agreement on the European Economic Area.
It occurs in exceptional cases only that full IP addresses are transmitted to Google servers located in the USA and shortened there. Upon the order of the operator of this website, Google will use such information to evaluate how the User used the website, and furthermore to prepare reports related to the activity of the website and to perform additional services related to the use of the website and internet use for the operator.
In the scope of Google Analytics, the IP address transmitted by the User’s browser is not matched with other Google data. The User may prevent the storage of cookies by setting his or her browser adequately; please note, however, that in such case it may occur that you are unable to use some functions of this website comprehensively. You may also prevent Google from collecting and processing data generated by cookies and related to your website use (including your IP address) by downloading and installing the browser plugin available in the following link: https://tools.google.com/dlpage/gaoptont?hl=bu.

Handling of cookies

For the use of cookies, such as ‘cookie used for a session protected by password”, ‘cookies necessary for the basket’, ‘security cookie’, ‘necessary cookies’, ‘functional cookies’ and ‘cookies responsible for the statistics of the website’ it is not necessary to request consent from the data subjects.
Fact of the data processing, and the range of processed data: Individual identification number, dates and times
Range of data subjects: All data subjects visiting the website.
Purpose of data processing: To identify users and monitor visitors.
Duration of the processing, and deadline for the erasure of data:

Cookie type	Legal basis for processing	Duration of processing
Session cookies	Art. 13/A (3) of Act CVIII of 2001 on Certain Issues of E-Commerce Activities and Information Society Services	Period until the closure of the relevant visitor session
Permanent or saved cookies	Art. 13/A (3) of Act CVIII of 2001 on Certain Issues of E-Commerce Activities and Information Society Services	Until erased by the data subject
Statistics and marketing cookies	Art. 13/A (3) of Act CVIII of 2001 on Certain Issues of E-Commerce Activities and Information Society Services	1 month – 2 years

Possible processors authorized to know the data: When using cookies, the controller does not process any personal data.
Information on the data subjects’ rights related to data processing: It is possible for the data subjects to erase cookies in the Tools/Settings menu of their browsers, usually under the option “Data protection”.
Legal basis for the processing: It is not necessary to obtain the consent of the data subjects if the sole purpose for using cookies is to transmit messages through the electronic communication network, or if cookies are inevitably necessary for the service provider to provide an information society service expressly requested by the subscriber or user.
Most browsers enable our users to set which cookies are to be saved, or to erase specific cookies. In case you restrict the saving of cookies in specific websites, or do not permit the cookies of third parties, in specific circumstances this may result in your inability to use our website in its entirety. Here you can find information on how cookie settings can be customized in the case of the usual browsers:

Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)

Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)

Firefox (https//support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)

Safari (https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)

Processor used for the processing of data

Hosting provider

Activities performed by the processor: Hosting service
Processor’s name and contact details:

Kinsta Inc. Attn: Privacy and Data Protection Team 8605 Santa Monica Blvd #92581 West Hollywood, CA 90069 United States of America privacy@kinsta.com

Fact of the data processing, and the range of processed data: All personal data provided by the data subject.
Range of data subjects: All data subjects using the website/mobile application.
Purpose of data processing: To make the website/mobile application accessible, and operate it properly.
Duration of the processing, and deadline for the erasure of data: Data processing lasts until the termination of the agreement between the controller and the hosting provider, or until the data subject’s erasure request to the hosting provider.
Legal basis for the processing: Article 6 (1) f), and Article 13/A (3) of Act CVIII of 2001 on Certain Issues of E-Commerce Activities and Information Society Services. The legitimate interest includes the appropriate operation of the website, protection against attacks, fraud.

Other data processors (if any)

Social networking sites

Fact of the data collection, and the range of processed data: The user’s name registered in the social networks Facebook/Twitter/Pinterest/YouTube/Instagram etc., and/or his or her public profile image.
Range of data subjects: All data subjects who have registered in the social networks Facebook/Twitter/Pinterest/YouTube/Instagram etc., and “liked” the Service Provider’s social networking site, or got in touch with the controller via a social network.
Purpose of the data collection: The sharing, “liking”, following and popularization of certain content elements, products and promotions of the website or the website itself in social networking sites.
Duration of the data processing, deadline for the erasure of data, possible processors authorized to know the data, and information on the data subjects’ rights related to data processing: The data subject can get informed about the source of the data, their processing, and the method of and legal basis for their transmission in the given social networking site. The processing of the data occurs in the social networking sites, therefore the duration and method of the processing, and opportunities for the erasure and rectification of the data are governed by the policies of the given social network.
Legal basis for the processing: freely given consent of the data subject to the processing of his or her personal data in the social network.

Customer relationship and other types of data processing

If in the course of the use of the controller’s services the data subject should have any questions or problems, he or she may contact the controller in the ways specified in the website (telephone, email, social networks, etc.).
Incoming emails, messages, data provided on the phone, on Facebook, etc. will be erased by the controller, together with the name, e-mail address and other freely given personal data of the customer, after the lapse of 2 years at the most from the disclosure of the data.
On the types of data processing that are unlisted in this prospectus, the User will be informed upon the registration of the data.
Upon exceptional requests from the authorities, or in the case of requests from other bodies under statutory authorization, the Service Provider shall be obligated to provide information, or disclose or transmit data, or make documents available.
In such cases the Service Provider will disclose personal data to the inquiring authority—if it has specified the exact purpose and the range of the data—only to such extent as is absolutely necessary for the implementation of the goal of the request.

Rights of the data subjects

1. Right of access

You shall have the right to obtain from the controller confirmation as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the information listed in the regulation.

2. Right to rectification

You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning yourself. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3. Right to erasure

You shall have the right to obtain from the controller the erasure of personal data concerning yourself without undue delay, and the controller shall have the obligation to erase your personal data without undue delay where specific conditions apply.

4. Right to be forgotten

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

5. Right to restriction of processing

You shall have the right to obtain from the controller restriction of processing where one of the following conditions applies:

you contest the accuracy of the personal data; in such case the restriction shall concern a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
you have objected to the processing; in such case the restriction concerns the period until it is verified whether or not the legitimate grounds of the controller override those of yours.

6. Right to data portability

You shall have the right to receive the personal data concerning yourself, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…)

7. Right to object

In the case of processing based on legitimate interest or official authority as legal bases, you shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data (…), including profiling based on those provisions.

8. Right to object in the case of direct marketing

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

9. Automated individual decision-making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

The above paragraph shall not apply if the decision:

is necessary for entering into, or performance of, a contract between you and a data controller;
is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.

Timeframe for action

The controller shall provide information on action taken on any of the above requests without undue delay and in any event within 1 month of receipt of your request.

That period may be extended by 2 further months where necessary. The controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.

If the controller does not take action on your request, the controller shall inform you without delay and at the latest within 1 month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The security of processing

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

the pseudonymization and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The processed data should be stored so that unauthorized parties are unable to access them. In the case of hard copy documents, by having a physical storage and archiving policy in place, and in the case of data processed in electronic format, by using a central authority management system.
The method for the digital storage of documents must be chosen so that the data can be erased—having regard to any potentially different erasure deadlines as well—upon the expiry of the period of storage, or where erasure is necessary for any other reason. Erasure must be irreversible.
Hard copy documents must be deprived of personal data using a paper shredder, or engaging an external entity specialized in the physical destruction of documents. In the case of an electronic data storage medium, physical destruction—and before this the safe and irreversible erasure of the data where necessary—should be taken care of in accordance with the rules concerning the disposal of electronic data storage media.
The controller takes the following concrete data security measures:

With a view to the security of personal data processed on paper, the Service Provider applies the following measures (physical protection):

The documents are placed in a secure, lockable, dry room.
If personal data processed on paper are digitalized, the rules governing for digitally stored documents must be applied.
In the course of their work, employees of the Service Provider who carry out processing may only leave the room where data are being processed after they have locked away the data storage media entrusted to them or locked the given room.
Personal data may be accessed only by persons authorized to know such data, and third parties may not have access to these.
The building and rooms of the Service Provider are furnished with fire protection and anti-theft equipment.

IT protection

The computers and mobile devices (other data storage media) used for processing constitute the Service Provider’s property.
The computer system used by the Service Provider to store personal data is equipped with antivirus protection.
With a view to the security of digitally stored data, the Service Provider uses data savings and archiving.
The central server may only be accessed by adequately authorized persons assigned for this.
Data stored in computers may only be accessed with user names and passwords.

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject without undue delay.

The communication to the data subject shall describe in clear and plain language the nature of the personal data breach, and contain the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; and describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject shall not be required if any of the following conditions are met:

the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.

Notification of a personal data breach to the authority

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Supervision in the case of statutory data processing

If the term of the statutory data processing or regular revision of its necessity is not set forth in an act, a regulation of the local authority, or a statutory legal act of the European Union, the data controller shall revise at least in every three years from the commencement of the data processing whether the data processing performed by it, or by the data processor acting on its behalf or upon its instructions is necessary for the completion of its objectives.

Circumstances and results of such revision shall be documented by the data controller, and such documentation shall be kept for ten years after performance of this revision, and upon request shall be provided to the Hungarian National Authority for Data Protection and Freedom of Information(hereinafter: Authority).

Complaint procedure

You can make a complaint concerning any possible infringement by the controller at the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information

H-1055 Budapest, Falk Miksa utca 9-11.

Mailing address: H-1363 Budapest, Pf. 9.

Telephone: +36-1-391-1400 Fax: +36-1-391-1410

Email: mailto:ugyfelszolgalat@naih.hu

Afterword

This prospectus has been prepared having regard to the following laws:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
Act CVIII of 2001 on Certain Issues of E-Commerce Activities and Information Society Services (in particular Article 13/A);
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (in particular Article 6);
Act XC of 2005 on the Freedom of Electronic Information;
Act C of 2003 on Electronic Communications (in particular Article 155);
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioral Advertising;
Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information.

Adatkezelési tájékoztató – EN

DIEGO Franchise

Introduction