PRIVACY POLICY

being in force from 21th of May, 2020.

Code Yachts Korlátolt Felelősségű Társaság operates the https://codeyachts.com/ website (hereinafter: „Website”). When using the Website, processing of personal data may arise in the following areas:

  • A chat module (chat flow) is available on the Website.
  • Possibility to subscribe to the Newsletter.
  • It is possible to apply for a trial sailing via the Website.
  • Via the Website, it is possible for potential sales partners to get in contact.
  • Via the Website, it is possible to get in contact with the Data Controller (regarding unspecified subjects).
  • Use of the website in general, in the course of which we use cookies.

The purpose of the present Privacy Policy is to provide data subjects with information about the data processing performed on the Website of Code Yachts Korlátolt Felelősségű Társaság, as Data Controller, which data processing is linked to the operation of the Website. The present Privacy Policy applies to the entire Website and all its subdomains (excluding subscribing to the Newsletter). The present Privacy Policy does not apply to websites accessible on domains other than the Website, regardless of the fact if the data subject may have accessed them via a link placed on the Website. In connection with the personal data of the persons using the Website, Data Controller acts in accordance with the legislation on data protection and advertising being in force – in particular in accordance with the provisions of the Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter: “Infotv.”); and that of the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: „GDPR”). Data Controller shall process the data subject’s personal data confidentially, shall ensure their protection, shall take necessary technical and organizational measures and establish procedural rules necessary to enforce the GDPR and other data protection rules.

Data Controller

Code Yachts Korlátolt Felelősségű Társaság (8000 Székesfehérvár, Budai utca 14. fszt. 1., phone number: +36 20 244 7926, e-mail: office@codeyachts.com, hereinafter: „Data Controller”)

Scope of data being processed, purpose and period of data processing

Data Controller does not perform profiling.[1]

Data Controller does not process sensitive data.

 

  1. Chat module (chat flow)

Activity linked to data processing 1.

Use of the chat module (chat flow) available on the Website

Data subject

Natural persons using the Chat module (chat flow) set on the Data Controller’s Website.

Data processed

E-mail address

Purpose of data processing

If, as a result of the communication initiated using the chat module (chat flow), separate communication with a real person on the part of Data Controller becomes necessary, this communication would be executed via this e-mail address.

Period of data processing

The date of the withdrawal of the consent given to the data processing or, if no further message exchange takes place between the parties within 90 (ninety) days after the last message exchange between the data subject and Data Controller, then the date when this period expires. (From the two dates the date which is earlier.)

Legal ground of data processing

The freely given consent of the data subject, based on Point a) Paragraph (1) of Article 6 of GDPR.

 

  1. Newsletter

Information about the data protection related to the newsletter is available at this link.

 

  1. Trial sailing

Activity linked to data processing 3.

Organizing trial sailing, and handling the applications

Data subject

Persons applying for trial sailing via the interface of the Data Controller’s Website.

Data processed

Name, phone number and e-mail address of the data subject

Purpose of data processing

Organizing trial sailings in order to test the Data Controller’s products, via the HubSpot Meetings Module interface available on the Website, on which the data subject can make an appointment by entering his or her personal data mentioned above.

 

Period of data processing

The date of the withdrawal of the consent given to the data processing or, if no further message exchange takes place between the parties within 90 (ninety) days after the last message exchange between the data subject and Data Controller, then the date when this period expires. (From the two dates the date which is earlier.)

Legal ground of data processing

The freely given consent of the data subject, based on Point a) Paragraph (1) of Article 6 of GDPR.

 

  1. Contact with potential sales partners

Activity linked to data processing 4.

Getting in contact with potential sales partners

Data subject

The potential sales partner (if the potential sales partner is a natural person) or his or her contact person if they provide personal data.

Data processed

Name, phone number and e-mail address of the data subject (sales partner or contact person)

Purpose of data processing

On its Website, Data Controller offers the opportunity for potential sales partners to get in contact with Data Controller. In addition to the data of a non-natural person firm, personal data may also be provided on the interface, for example given by private entrepreneurs or by the contact persons of entrepreneurs.

Period of data processing

The date of the withdrawal of the consent given to the data processing or, if no further message exchange takes place between the parties within 90 (ninety) days after the last message exchange between the data subject and Data Controller, then the date when this period expires. (From the two dates the date which is earlier.)

Legal ground of data processing

The freely given consent of the data subject, based on Point a) Paragraph (1) of Article 6 of GDPR.

 

  1. General contacts

Activity linked to data processing 5.

Getting in contact with Data Controller via the Website (without any limitation concerning the subject matter)

Data subject

The visitor of the Website who sends his or her data and a message to Data Controller via the form to be filled in under vie the heading  ‘Contact’.

Data processed

Name and e-mail address of the data subject.

Purpose of data processing

Processing messages sent to Data Controller via the heading ‘Contact’ of the Website within the Data Controller’s organization, in the framework of which the message and the question raised are examined and on the basis of which examination Data Controller responds to the requests.

Period of data processing

The date of the withdrawal of the consent given to the data processing or, if no further message exchange takes place between the parties within 90 (ninety) days after the last message exchange between the data subject and Data Controller, then the date when this period expires. (From the two dates the date which is earlier.)

Legal ground of data processing

The freely given consent of the data subject, based on Point a) Paragraph (1) of Article 6 of GDPR.

 

  1. Cookies[2]

Data Controller uses cookies for two purposes. One type of cookies includes those which are essential for the performance of the service provided by Data Controller and as for the operation and use of the Website. The other type of cookies includes those which are not essential for the above, but which monitor and evaluate the effectiveness and efficiency of individual pages and subpages and which inform Data Controller about the behavior of the users (ie the data subjects) on the Website (which information Data Controller intends to use for the development of the Website and for market research purposes). Please note that there are cookies in both categories which handle personal information. On the Website, Data Controller uses both cookies which handle personal data and cookies which do not handle personal data. The scope of personal data being processed primarily affects the IP address of the data subject, his or her activity on the Website (clicks, downloads, etc.), his or her location, the type of his or her browser and operating system. The data subject of the personal data being processed is the visitor of the Website. Personal data are stored for 90 days.

In addition to the functions and cookies which are essential for the operation of the Website and thus for providing the service of Data Controller and for assuring the use of the Website by the data subject (Point b) (1) Article 6 of GDPR), Data Controller only uses cookies, if the data subject has given his or her consent to their use (Point a) (1) Article 6 of GDPR). When accessing the Website for the first time and at any time thereafter, the data subject can change his or her cookie settings and consent given based on the present Policy by clicking on the “Privacy & Cookies Policy” button on the Website and then by clicking on the “Cookie Setting” button.

Browsers offer the possibility to change cookie settings in general. Most browsers automatically accept cookies as default cookies, but this can be changed in order to prevent their automatic acceptance after the change of settings. More information about the settings of some popular browsers are available at the following links:

Google Chrome; Firefox; Microsoft Internet Explorer 11; Microsoft Internet Explorer 10 ; Microsoft Edge

Persons having access to personal data

The data may be accessed by the employees of Data Controller and by other data processors defined in the present Policy in order to perform their duties. Thus, for example, the data processors defined in the present Policy may have access to personal data in order to provide services, handle cases and process data.

Data transfer

The data subject’s data shall not be transferred to third parties, except for the transfer to the data processor defined below. The data transfer to a third party or any recipient shall only take place if we inform the data subject about the potential recipient in advance and then the data subject gives his or her prior consent or if the given data transfer is otherwise required by law. Data Controller shall not transfer personal data to third countries or international organizations in the course of its data processing activities, unless otherwise stated in this Policy.

Data processor

As for the Website, Data Controller uses the services of HubSpot Group, in the course of which Data Controller is in contractual relationship with HubSpot Ireland Limited (address: Ground Floor, Two Dockland Central Guild Street, Dublin 1, telephone: +353 1 5187500), and as some of the services provided to the Data Controller are include data processing (eg. using HubSpot Meeting Module to organize test sailings), the latter entity is a data processor. The US-based HubSpot Inc., the group’s primary service provider, is part of the EU-U.S. Privacy Shield, thus it provides an adequate level of protection, some data is stored on servers located there. Data processor is entitled to process the data received only in accordance with the instructions of Data Controller, unless otherwise required by any EU or Member State law. Data processor is also obliged to act in accordance with the provisions of the relevant legislation, in particular with that of the GDPR.

The Data Controller stores data – including personal data, using the OneDrive cloud service, hence the personal data mentioned in this privacy policy (or at least some of them) are uploaded to the cloud (online storage). OneDrive is the service of Microsoft group, and in the course of using this service the Data Processor’s contracting partner is Microsoft Ireland Operations Limited (postal address: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Republic of Ireland; registered seat: 70 Sir John Rogerson’s Quay, Dublin 2, Republic of Ireland), hence the latter entity is data processor. The affiliated company of the data processor seated in the United States, Microsoft Corporation is part of the EU-U.S. Privacy Shield, thus it provides an adequate level of protection, some data is stored on servers located there. Data processor is only entitled to process the received data in accordance with the instructions of Data Controller, unless otherwise required by any EU or Member State law. Data processor is also obliged to act in accordance with the provisions of the relevant legislation, in particular with that of the GDPR.

The website is hosted by Versanus Informatikai és Szolgáltató Korlátolt Felelősségű Társaság (registration number: 01-09-738703; seat: 1023 Budapest, Bécsi út 3-5. 5. em. 56.), this company provides webhosting services to the Data Controller. In the course of this, the data processor may access personal data related to the use of the Website, eg. the IP address of the data subject. Data processor is only entitled to process the received data in accordance with the instructions of Data Controller, unless otherwise required by any EU or Member State law. Data processor is also obliged to act in accordance with the provisions of the relevant legislation, in particular with that of the GDPR.

Measures to ensure data security:   

Data Controller is obliged to ensure data security, it shall take technical and organizational measures and establish procedural rules which ensure that the recorded, stored and processed data are protected and which prevent their destruction, unauthorized use or unauthorized alteration. Data Controller also draws the attention of third parties – which the data subject’s data have been transferred to – to the fact that they have to comply with the data security requirements.

Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons. Data Controller shall make its best efforts to ensure that the data can not be damaged or destroyed. The above obligation is also prescribed by Data Controller for the employees participating in its data processing activities and for the data processors acting on its behalf.

The Dara Controller stores the personal data in the systems of the data processors (in the OneDrive cloud and the HubSpot system) in the course of the processing of the data, and the employees of the Data Controller access and download the data on a case-by-case basis, if data processing is needed.

In order to prevent that unauthorized persons can have access to the data, Data Controller ensures the protection of personal data and prevents unauthorized access to them on its tools as follows: the access to the server and to the computers is protected by passwords and a firewall and antivirus software is applied.

Communication of a personal data breach to the data subject

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Data Controller shall communicate the personal data breach to the data subject without undue delay in clear and plain language.

The communication to the data subject shall not be required if any of the following conditions are met:

  • Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  • Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  • it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Rights of the data subjects

In addition to the rights defined above, the data subjects may exercise the following rights in relation to the data processing set forth in the present Policy:

Right to get information and to have access to personal data being processed:

The data subject has the right to obtain confirmation from Data Controller as to whether or not personal data concerning him or her are being processed, and, if that is the case, to have access to the personal data and the following information:

  1. the purposes of the data processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. if possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the data subject’s right to request from Data Controller the personal data’s rectification, erasure or the restriction of their processing if these personal data are related to the data subject or the data subject’s right to object to such data processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. if the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, and at least in these cases meaningful information about the logic involved, as well as the significance and the envisaged consequences of such data processing for the data subject.

If personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the data transfer.

Data Controller shall provide the data subject with a copy of his or her personal data undergoing the data processing. For any further copies requested by the data subject, Data Controller may charge a reasonable fee based on administrative costs. If the data subject submits the request by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested by the data subject.

The right to obtain a copy referred to in the previous paragraph shall not adversely affect the rights and freedoms of others.

The rights mentioned above can be exercised through the Data Controller’s contact details indicated above.

Right to rectification:

Based on the data subject’s request, Data Controller shall without undue delay rectify any inaccurate personal data related to the data subject. Taking into account the purposes of the data processing, the data subject has the right to have his or her incomplete personal data completed, including by providing a supplementary statement.

Right to erasure („Right to be forgotten”):

The data subject has the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay if any of the following reasons exists:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws his or her consent on which the data processing is based, and if there is no other legal ground for the data processing;
  3. the data subject objects to the data processing and there are no overriding legitimate grounds for the data processing, or if the personal data are processed for direct marketing purposes;
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Data Controller is subject;
  6. the personal data have been collected in relation to the offer of information society services.

Erasure of data cannot be initiated if data processing is necessary:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which Data Controller is subject or for the performance of a task carried out in the public interest;
  3. for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment or for the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to contract with a health professional and if those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
  4. for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular as for professional secrecy;
  5. for reasons of public interest in the area of public health and if those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies;
  6. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if the right of erasure would make such data processing impossible or the right of erasure would such data processing seriously jeopardize[3]; or
  7. for the establishment, exercise or defence of legal claims.

Right to restrict data processing:

The data subject has the right to obtain from Data Controller the restriction of data processing if one of the following conditions applies:

  1. the accuracy of the personal data is contested by the data subject, in this case restriction is related to a period enabling Data Controller to verify the accuracy of the personal data;
  2. the data processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. Data Controller no longer needs the personal data for the purposes of the data processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  4. the data subject has objected to data processing based on public interest or legitimate interest, in this case restriction is related to a period in the course of which it can be verified whether the legitimate grounds of Data Controller override those of the data subject.

If processing has been restricted according to the above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of data processing according to the above shall be informed by Data Controller before the restriction of data processing is lifted.

Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from Data Controller to which the personal data have been provided, if the data processing is based on consent or on a contract and the processing is carried out by automated means.

In exercising his or her right to data portability defined above, the data subject shall have the right to have the personal data transmitted directly from one controller to another, if it is technically feasible.

The exercise of the right referred to data portability shall be without prejudice to the right to erasure („right to be forgotten”). That right shall not apply to data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Data Controller.

The right to data portability shall not adversely affect the rights and freedoms of others.

Right to object:

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, if the legal ground of data processing is to perform a task carried out in the public interest or in the exercise of official authority vested in Data Controller, or the data processing is necessary for the purposes of the legitimate interests pursued by Data Controller or by a third party, including profiling based on these provisions. Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the data processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

If personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right to withdraw the given consent: 

If the data processing of Data Controller is based on the data subject’s consent, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of data processing based on consent before its withdrawal.

Procedure in the event of a request submitted by the data subject concerning the exercise of the above rights:

Data Controller shall provide information to the data subject on action taken on the data subject’s request related to the rights defined in the present Policy without undue delay and in any event within one month of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If Data Controller does not take action on data subject’s request, Data Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Any information and communication requested by data subject shall be provided by Data Controller free of charge, unless requests from the data subject are manifestly unfounded or excessive, in particular because of their repetitive character. In this case, Data Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication requested or refuse to act on the request.

Data Controller shall communicate any rectification or erasure of personal data or restriction of data processing carried out by Data Controller to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Data Controller shall inform the data subject about those recipients if the data subject requests it.

Data processing

Data Controller does not have resort to a third party data processor, apart from the ones mentioned above.

Personal data related to children and third parties 

Persons under the age of 16 may not provide their personal data unless consent is given by the holder of parental responsibility. By making the personal data available to Data Controller, the parent, as a data subject, declares and guarantees that he or she will act in accordance with the above, and his or her capacity to act is not limited in connection with the provision of these information.

If you are not legally entitled to make any personal data available on your own, you must obtain the consent of the third parties concerned (eg legal representative, guardian, other person acting as representative of the consumer) or provide another legal ground for making the data available. In this context, you must consider whether the consent of a third party is required in connection with the provision of the personal data in question. It can happen that Data Controller does not get into personal contact with you, so you are obliged to ensure compliance with the present section and Data Controller is not liable in this aspect. Regardless of this, Data Controller is always entitled to check whether the appropriate legal ground for the processing of any personal data is available. For example, if you are acting on behalf of a third party, such as a consumer, we are entitled to request your authorization and / or the data subject’s appropriate consent to the data processing in question.

Data Controller makes its best effort to delete any personal data which has been made available to Data Controller without authorization. Data Controller ensures that if it becomes aware of the non-authorized availability of any personal data, this personal data shall not be transferred to another person or used by Data Controller. Please, let Data Controller know immediately by any of the contacts indicated in the Contact Details section if you become aware of the fact that a third party has unauthorizedly provided any personal data to Data Controller.

Contact Details

Any questions or requests related to our data processing and to your personal data stored in the system should be sent to the office@codeyachts.com e-mail address, or in writing to the address of 8000 Székesfehérvár, Budai utca 14. fszt. 1. or contact us by phone at +36 20 244 7926.  Please note that – in your own interest – concerning the data processing related to your personal data we are only able to provide information or take any action if you have credibly proven your identity.

Judicial remedy

Data Controller can be contacted with any questions or remarks related to data processing by any of the contact details indicated in the present Policy.

Investigation can be initiated at the Hungarian National Authority for Data Protection and Freedom of Information [postal address: 1530 Budapest, Pf.: 5., phone: +36 (1) 391-1400, email: ugyfelszolgalat@naih.hu, website: www.naih.hu], referring that there is an infringement or imminent threat of an infringement related to the processing of a personal data.

If the data subject’s rights have been violated, the data subject may also take action against Data Controller at the competent court. The court is acting immediately in this case (these actions have priority). Data Controller is obliged to prove that the data processing complies with the provisions of the law. The trial falls into the jurisdiction of the regional courts. According to the option of the data subject, the action may be brought before the regional courts having jurisdiction based on the place of residence or the place of stay of the data subject.

 

 

 

 

 

[1] Profiling is any form of automated processing of personal data in which personal data are used to evaluate, analyse or predict certain personal characteristics of the user (e.g. characteristics related to personal preferences, interests, health, behavior, location, or movement).

[2]   Short data files placed on the user’s computer (or on other devices, such as on a mobile phone) by the website being visited. The purpose of the cookie is to facilitate the given infocommunication and internet service, to make it more convenient, and to provide the owner of the website with information. There are many varieties of cookies, but they can generally be classified into two major groups. One is the temporary cookie which the website only places on a user’s device during a specific session (e.g. during security authentication), the other is the persistent cookie (e.g.: recording permanent settings) which stays on the device for a longer period of time (this also depends on the settings of the device or that of the browser).

[3]Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards protecting the rights and freedoms of the data subject. These safeguards shall ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimisation. These measures may include pseudonymisation provided that these purposes can be fulfilled in that manner. If these purposes can be fulfilled by further data processing which does not permit or no longer permits the identification of data subjects, these purposes shall be fulfilled in that manner.