Privacy Policy

Valid from: 15.01.2023

Quinta Digital Ltd. (hereinafter: the Data Controller) acting as data controller, collects and processes your personal data that you submit or disclose to us. We also act as a data controller when we process your personal data received or obtained through third parties. A data controller complies with the following Data Protection and Data Security Regulations (hereinafter: the Internal Regulations) in order to register its internal data management processes and ensure the rights of the data subjects.

Data controller: Quint Digital Kft.

Headquarters: 1061. Budapest, Kiraly u 26

Company registration number: 01-09-410767

Tax registration number: 32182725-1-41

Electronic contact: info(at)quintadigitalgroup.com

Represented by: Peter Kertesz, managing director 

Preamble

This Internal Regulation shall be interpreted in accordance with the provisions of other regulations of the Data Controller. In the event of a conflict between the ordinance of this Regulation and the provisions of any other rules relating to the protection of personal data, the instructions of this Regulation shall prevail.

The purpose of this policy is to explain to the Data Controller’s employees, stakeholders and systems users the rules and procedures to be followed in the processing of personal data.

The data management operations shall be planned and carried out by the Data Controller in  such a way as to ensure that the privacy of the data subjects is adequately protected. By always being concerned with the actual technical background, it shall take the technical and organizational steps and establish the procedural rules necessary to ensure data security.

When using a data processor, the Data Controller should ensure that the selected data processor takes the necessary measures to protect personal data and to follow the Data Controller’s policies and individual instructions.

  1. PURPOSE AND SCOPE OF THE REGULATIONS

This Policy reflects our intent to comply with the new EU General Data Protection Regulation standards 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals regarding to the process of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (hereinafter referred to as the “GDPR”). 

With these Internal Regulations, the Data Controller intends to ensure the legal order of the operation of data protection, the enforcement of the constitutional principles of data protection and data security requirements, and to prevent unauthorized access to, alteration of, or disclosure of personal data.

The material scope of the Internal Regulation extends to all processes carried out by the company’s non-legally independent organizational units, during which the processing of personal data takes place.

  1. DEFINITIONS

The conceptual framework of these Integral Regulation is the same as the interpretative definitions specified in the GDPR, in particular:

data security: practical, IT and other technical protection of the integrity and confidentiality of individual personal data, regardless of the legal classification and content of the data, and organizational, technical solutions and procedural rules against unauthorized processing of personal data, in particular their acquisition, processing, alteration and destruction on the basis of which the risk factors of data management – and by this the threat – can be minimized by organizational, technical solutions and measures;

data management: any operation or set of operations on data, regardless of the procedure used (manual or computer), particularly the collection, recording, systematization, storage, modification, use, interrogation, transmission, disclosure, coordination or aggregation of data, blocking, deleting and destroying.

data controller: a natural or legal person, a public authority or an organization without legal personality who, alone or along with others, determines the purpose of data processing, makes and implements decisions on data processing (including the instrument used), or executed by a data processor; where the purposes and means of the processing are defined by EU or national law, the controller or the specific criteria for the designation of the controller may be defined by EU or national law.

data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

data processor: a natural or legal person or an organization without legal personality who, according to a contract – including a contract concluded on the basis of a provision of law – processes data and manages personal data

pseudonymization: the processing of personal data in such a way that it is no longer possible to establish, without the use of additional information, that personal data which relates to a specific natural person, provided that such additional information is stored separately, and technical and organizational measures are taken to ensure that this personal data may not be linked to identified or identifiable natural persons.

addressee: natural or legal person, public authority, agency or any other institution to whom personal data are disclosed, whether or not access to personal data is in accordance with the law, provided that the applicable data protection rules are complied with in accordance with the purposes of the processing of those data by those public authorities.

third party: a natural or legal person, public authority, agency or an organization without legal personality who is different from the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data 

data subject’s consent: any voluntary, solid and unambiguous indication of the data subject’s will, a statement based on a clear affirmative action, signifies agreement to the processing of personal data relating to him or her 

data protection incident: a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled

genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which contains specific information on the physiology or state of health of that person and which is derived primarily from the analysis of a biological sample taken from that natural person

biometric data: personal data obtained by means of specific technical procedures relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of the natural person, such as facial image or dactyloscopic data

health data: personal data concerning the physical or mental state of health of a natural person, including data relating to health services provided to a natural person which contain information on the state of health of the natural person

enterprise: any natural or legal person engaged in an economic activity, regardless of the legal status of the entity, including partnerships and associations carrying on a regular economic activity

enterprise group: the controlling enterprise and the enterprises controlled by it

“Supervisory authority” means an independent public authority established by a Member State in accordance with Article 51.

supervisory authority concerned: the supervisory authority concerned by the processing of personal data for one of the following reasons:

Cross-border processing of personal data is a processing operation carried out in the Union in connection with the activities of a controller or a processor established in more than one Member State or in the Union where the controller or processor is located in a single place of business in the context of activities carried out in such a way that it significantly can affect or is likely to significantly affect those who can be affected in more than one Member State.

Relevant and substantiated objection: an objection as to whether this Regulation has been infringed or whether the proposed measure concerning the controller or the processor is in conformity with the Regulation; the objection must clearly set out the draft decision on the fundamental rights and freedoms of data subjects and, where it is relevant, the importance of the risks to the free movement of personal data within the Union

Information society services: services within the meaning of Article 1 paragraph (1) point (b) of Directive 2015/1535 / EU of the European Parliament and of the Council

international organization: means an organization governed by public international law, or any of its subordinate organizations, or any other institution set up by an agreement between two or more countries or set up by such an agreement

statistical data: descriptive data that cannot be linked to a specific natural person

personal data: data which can be linked to the data subject, in particular the name, identification mark and knowledge of one or more physical, physiological, mental, economic, cultural or social identities of the data subject, and the consequence that can be drawn from the data

registration system: any structured, functionally or geographically centralized, decentralized or dispersed file of personal data which is accessible according to defined criteria

personal identification data: surname and first name, maiden name, sex, place and date of birth, mother’s maiden name, place of permanent residence, place of temporary residence, social security identification number (hereinafter: TAJ number) together or any of these if it is or may be suitable for the identification of the data subject

restriction on data processing: marking of stored personal data in order to limit their future processing

profiling: any form of automated processing of personal data in which personal data are evaluated in order to assess certain personal characteristics of a natural person, in particular his/her professional performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or movement used to analyze or predict

  1. RULES ON DATA PROCESSING

As the self-determination of information is a fundamental right of every natural person ensured in the Constitution, he/she only processes data in accordance with the legal regulations in force during his/her proceedings.

The processing of personal data is only possible for the purpose of practising law or fulfilling an obligation, depending on the purpose. Data management must always comply with the purpose limitation principle. The use of personal data processed by the data controller for private purposes is prohibited.

The data controller processes personal data only for a specified purpose, in order to exercise law and fulfill an obligation, to the minimum extent and for the time necessary to achieve that purpose. At all stages of the data processing, it must be fit for purpose – and if the purpose of the data processing has ceased or the processing of the data is otherwise unlawful, the data will be deleted. 

The Data Controller takes care of the deletion by the employee who actually handles the given personal data. The cancellation may be verified by the person who effectively exercises employer rights over the employee and, if appointed or commissioned by the Data Controller, by the internal data protection officer. If such a person is appointed, his/her name and contact details may be found in Annex 1 to this Internal Regulation.

The data controller processes personal data only on the basis of the prior consent of the data subject concerned in the case of special written personal data, or the fulfillment of a law, legal authorization or contractual obligation.

Before recording the data, the data controller must in all cases inform the data subject about the purpose of the data processing and the legal basis of the data processing.

The employees of the data controller’s organizational units and the employees of the organizations participating in the data processing and performing any of its operations on behalf of the Data Controller are obliged to keep the personal data disclosed as a business secret. Persons handling personal data and having access to it are obliged to make a Privacy Statement, which is included in Annex 3 of this Internal Regulation.

If a person covered by the Internal Regulations becomes aware that the personal data processed by the Data Controller is incorrect, incomplete or out of date, he/she is obliged to correct it or initiate the correction of it with the person responsible for recording the data.

The Data Controller shall keep records through the Chief Executive Officer or, if appointed or mandated, the Internal Data Protection Officer, to monitor the action taken on the data protection incident and to inform the data subject (Annex 10). The register contains the scope of the personal data processed, the scope and number of persons involved in the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as other data specified in the legislation requiring data processing. The Data Controller should notify the organizations and persons affected by the data protection incident of which it keeps a list (Annex 11).

The data protection obligations of natural or legal persons or organizations without legal personality performing data processing activities on behalf of the data controller ought to be enforced in the contract concluded with the data processor. The Data Controller enters into a Data Processing Agreement with the Data Processor, as required by the GDPR, which is Annex 5 according to the Internal Regulations. The data management points to be included in other contracts are included in Annex 4 in the Internal Regulations.

  1. THE COMPANY’S DATA PROTECTION SYSTEM

The current senior official of the Data Controller, taking into account the specifics of the Data Controller, defines the organization of data protection and the tasks and powers related to data protection and related activities, and appoints the person responsible for the supervision of data management.

The head of each relevant organizational unit is responsible for compliance with the provisions of the Internal Regulations.

In the course of their work, the employees of the data controller shall ensure that the storage and placement of personal data is designed in such a way that it cannot be accessed, changed or destroyed by an unauthorized person.

The data protection system of the data controller is supervised by the senior official.

In relation to data protection, the Chief Executive:

is responsible for ensuring the conditions necessary for the exercise of the rights of data subjects specified in the Regulation;

is responsible for providing the personal, material and technical conditions necessary for the protection of personal data handled by the company;

is responsible for the elimination of any deficiencies or unlawful circumstances that may be discovered during the audit of data management, and for the initiation and conduct of the procedure necessary for the establishment of personal liability;

orders an investigation;

issues the company’s internal data protection rules.

  1. DATA SECURITY RULES

Physical protection

In order to ensure the security of personal data processed on paper, the Data Controller applies the following measures:

the data can only be accessed by those entitled to it; they cannot be accessed by others; they cannot be disclosed to others;

the documents shall be placed in a well-locked, dry room equipped with fire and property protection;

only competent persons shall have access to the records under continuous active management;

A data controller’s data processing staff member only can leave the room where the data processing takes place during the day by closing the data media entrusted to him or her, or by closing the office;

the employee of the company performing data management closes the paper-based data carrier upon completion of the work;

if personal data processed on paper is digitized, the company will apply the security provisions governing digitally stored documents.

If the purpose of processing the personal data stored on paper has been achieved, the Data Controller shall arrange for the destruction of the paper. In this case, the Data Controller will designate an employee who will be responsible for the destruction. The employee responsible for destruction compiles the file package to be destroyed with the involvement of the department involved in the destruction. A three-member destruction committee must participate in the destruction. A record of the destruction must be kept. The members of the committee shall personally check that the documents entered in the minutes are indeed destroyed.

If the data carrier of the personal data is not based on paper but on another type of physical device, the rules for the destruction of the physical device shall also govern the destruction of the paper based data.

IT protection

In order to ensure the security of personal data stored on the computer or network, the Data Controller shall apply the following measures and guarantee elements in accordance with the requirements of the applicable internal IT regulations:

the computers used in the data processing are the property of the Data Controller or the Data Controller has the same right of ownership over them;

the data on the computer can only be accessed with a valid, personal, identifiable authorization – at least with a username and password – and the Data Controller ensures the exchange of passwords on a regular basis or in justified cases;

all computer records with the data are traceably logged;

the data stored on the network server machine (hereinafter: server) may be accessed only with appropriate authority and only by designated persons;

if the purpose of the data processing has been achieved and the time limit for the data processing has expired, the file containing the data shall be irreversibly deleted and the data may not be recovered again;

in order to secure the data stored on the network, the Data Controller avoids data loss by continuously mirroring the server;

the Data Controller performs daily backups of active data from databases containing personal data to magnetic data carriers; the backup applies to the entire data file of the central server;

the magnetic data carrier storing the saved data is stored in a fireproof place and manner in a safe box designed for this purpose;

the Data Controller provides virus protection on the personal data management network continuously;

prevent unauthorized persons from accessing the network by using the available computer equipment.

Server security

The flow of personal data managed by the company is implemented electronically with the help of servers, and their physical storage with the help of data storage facilities. Both the data storage and the servers must be located in a separate room.

Access management

The purpose of the rights management regulation is to ensure that the allocated rights can be accurately traced and preserved in a documented form, and that the activities of the persons with each right and the range of data used by them can be controlled. The up-to-dateness of this data greatly helps the Data Controller to meet the level of security expected of him or her, as well as to operate the IT network in accordance with legal and professional standards.

Changes in authorizations (existing authorizations, allocation, modification, termination of new authorizations) in the IT system must be documented.

In order to ensure the security of personal data, the Data Controller applies the following rights management regulations and principles:

The person responsible for IT shall set up a new authorization or change the authorization according the delegation of its owner.

When establishing entitlements, only the necessary and sufficient entitlements to perform the work shall be allocated.

It should be avoided that full access or administrative privileges are granted to persons performing other work or not claiming the privilege.

A named user with administrator privileges should be used to administer the system wherever possible. Unnamed administrator passwords must be stored in a sealed envelope, anti-resolution, and signed. Their use may be authorized by a senior official of the controller or, in the event of impediment, by a substitute in accordance with the substitution regime. The use of unnamed user rights must be justified and documented.

An employee of an external company e.g., a maintenance or development company, may not have continuous access rights for an unlimited period of time.

Authorization management process

In all cases, the person responsible for IT shall consult with the provider of the right, and the person exercising the employer’s right over the claimant regarding the granting or modification of the right, on the order form. The senior executive and the person exercising the employer’s right over the claimant have the right to veto the granting or modification of the entitlement.

Following the decision, the employee appointed by the person in charge of IT will set the permissions, which will be confirmed to the claimant.

Upon termination of employment or a legal relationship of the right holder, the direct superior is obliged to notify the person responsible for IT and the employer of the employer’s rights in order to cancel the rights previously held by the right’s holder.

In the event of the termination of the entitlement, the holder’s superior shall send the termination request electronically or on paper on the entitlement management order form to the person responsible for IT, who shall ensure that the entitlement is cancelled. The person in charge of IT or his/her delegate will then send confirmation to the person initiating the deletion.

In the event of a transfer, the supervisor exercising the employer’s rights over the previous job and the supervisor exercising the employer’s rights over the new job shall be jointly and severally liable for initiating the cancellation, modification or addition of new entitlements.

In the IT system, the profiles of the outgoing users must be suspended and put out of use. User accounts can be deleted after the systems have been scanned, provided that the deletion does not result in data loss.

  1. ENFORCING THE RIGHTS OF STAKEHOLDERS

The data subject may request information on the processing of his/her personal data, as well as request the correction or deletion of his/her personal data at the contact details indicated by the Data Controller, with the exception of data processing prescribed by law.

The data controller is obliged to forward the received application or protest to the head of the organizational unit with the task and competence in terms of data management within three days of receipt.

The head of the organizational unit with the task and competence shall respond to the request related to the processing of the personal data of the data subject in writing, in a comprehensible form, no later than within 30 days of its arrival.

The information shall include information in accordance with Articles 13 and 14 of the GDPR, Articles 15 to 22, and Article 34.

The information is, in principle, free of charge, and the Data Controller will only charge a fee in the case specified in Article 12, paragraph (5) of the GDPR.

The data manager only can reject an application due to the reasons set out in GDPR Article 23 with an explanation and according to the reasons set out in the Regulation; the rejection is acceptable only in written form.

Inaccurate data shall be corrected by the head of the department processing the data; if the necessary data and the official documents proving them are available, and in accordance with Article 16 of the GDPR, measures shall be taken to delete the processed personal data if there are specific reasons.

For the period of consideration of the data subject’s objection to the processing of personal data, the data processing shall be suspended by the head of the organizational unit performing the data processing for a maximum of 5 days, and the validity of the protest shall be examined and a decision shall be made.

The data controller shall also reimburse the damage caused to others by the unlawful processing of the data subject’s data or the breach of data security requirements, as well as the damages finally awarded in the event of a violation of the right to privacy caused by him or her or the data processor used by him or her. The data controller shall be released from liability for the damage caused and the obligation to pay damages if it proves that the damage or the violation of the data subject’s right to privacy was caused by an unavoidable cause outside the scope of data processing. In the same way, it does not compensate for the damage if it was caused by the injured party’s intentional or grossly negligent conduct.

The person concerned may have recourse to the Hungarian National Authority for Data Protection and Freedom of Information (1024 Budapest, Szilágyi Erzsébet fasor 22/C.) or to the court competent according to his or her place of residence or stay.

  1. DATA PROCESSES CARRIED OUT BY THE COMPANY

Location of data processing

1024 Budapest, Keleti Károly utca 26. 2nd floor 2.

Scope of data managed:

Data processed during the use of the service

Data processed when subscribing to a newsletter

Invoicing information

Labor data management

  1. DEALING WITH COMPLAINTS 

The Customer may notify the Data Controller orally or in writing of a complaint about the conduct, activity or omission of the Data Controller or a person acting on behalf of or for the benefit of the Data Controller in connection with the service.

Oral complaint

An oral complaint should be investigated immediately and remedied as necessary.

If the customer does not agree with the handling of the complaint or it is not possible to investigate the complaint immediately, the Data Controller shall immediately record a report on the complaint and its position, and a copy thereof:

* to be handed over to the customer on the spot in the case of an oral complaint communicated in person; in the case of an oral complaint communicated by telephone or other electronic communications service, he shall send it to the consumer at the same time as a substantive reply within 30 days at the latest.

The record of the complaint must include the following:

The Data Controller shall respond to the written complaint in writing and take action to communicate it within 30 days of its receipt, unless otherwise provided by the directly applicable legal act of the European Union. The Data Controller is obliged to justify its position rejecting the complaint.

The time limit for replying may be extended by a maximum of fifteen days at a time if an on-the-spot inspection or the need to contact an authority so requires.

The notifier shall be informed in writing of the extension of the time limit for reply and the reasons therefor before the expiry of the time limit for reply.

The head of the Data Controller or the administrator appointed by him/her may hear the complainant (applicant) if the investigation of the complaint or report so requires.

The Data Controller shall keep a record of the complaint and a copy of the response for five years and shall present it to the supervisory authorities upon request.

If the complaint is rejected, the Data Controller is obliged to inform the customer in writing which authority or the conciliation body may initiate the procedure with its complaint.

The mailing address of the competent authority or the conciliation body of the controller’s registered office must be provided.

Written complaint

By post: 1024 Budapest, Keleti Károly utca 26. 2nd floor 2.

Email: contact(at)evolutagency.com

In the case of a written complaint, a precise description of the specific case is required for the adjudication of the complaint; in the case of several objections, and their reasons must be recorded separately, and a copy of the documents supporting the complaint must be attached. If the complaint had a history, information about it should also be provided.

The validity of the written complaint is the signature of the notifier. If the written complaint is submitted through a representative or proxy, the name of the natural person acting as a proxy must also be indicated in the complaint, and the application must be accompanied by an original power of attorney signed by at least two witnesses or handwritten and signed.

In the case of a written complaint, the Data Controller shall examine the merits of the complaint and send its position and substantive decision/action on the complaint to the notifier within 3 days after the notification of the complaint.

During the handling of complaints, the Data Controller shall endeavor to act in accordance with the shortest deadlines and shall ensure that in its decision it investigates, remedies or rejects the complaint in accordance with the applicable legislation. It shall send the complainant a reasoned and unambiguous decision on the complaint, responding to any concerns raised.

In particular, the Data Controller may request the following data from the customer during the handling of complaints:

The data of the customer submitting the complaint must be handled in accordance with the rules of the GDPR:

the purpose of data management: recording, investigating and adjudicating complaints

the scope of the data processed: name of the customer; address, mailing address, place, time and manner of filing the complaint, a detailed description of the customer’s complaint, documents and other evidence presented by the customer and a list of the person taking the minutes and, in the case of an oral complaint, place and time of recording the minutes, contact e-mail address and telephone number of the client.

the legal basis for data processing: the data subject’s consent under the Regulation is in line with the 1997 CLV on consumer protection. Act 17 / A-C. The deadline for data storage with the legal basis specified in § Fgytv. 17 / A. § (7) and 17 / B. § (3)].

the data storage method: electronically and on paper.

  1. DATA PROCESSING, DATA TRANSMISSION

The Data Controller is responsible for the legality of the instructions given to the Data Processor by the Data Controller. The data controller can only give instructions to a data processor in writing.

A data processor may use an additional data processor in accordance with the provisions of the Data Controller.

The data processor may not make a substantive decision concerning data management, may process personal data obtained only in accordance with the provisions of the Data Controller, may not process data for its own purposes, and is obliged to store and retain personal data in accordance with the provisions of the data controller.

The data processor is obliged to comply with the requirements of the Data Protection and Data Security Regulations of the Data Controller and to perform its tasks related to data management in accordance with the provisions thereof.

The data processor is obliged to comply with the data security requirements in accordance with the provisions of the Data Protection and Data Security Regulations of the Data Controller.

  1. LIABILITY

If the Data Processor acts in compliance with the provisions of the service contract during the performance of its activities, the Data Controller shall be liable for its activities as if it had acted itself. If the activity of the Data Processor causes damage to the data subject or a third party, the Data Controller shall be obliged to comply with the data subject’s or third party’s liability.

If the Data Processor extends the rights specified in the service contract, it becomes an independent data controller for the given extension and shall be liable for any damage caused to the Data Controller, the data subject or a third party in accordance with the general rules of damage.

The Data Processor shall be liable to the Data Controller for the performance of its entire activity, in particular for the provision of an organizational copy of the electronic copy, for the compliance of the content, and for the continuous availability of the electronic copies stored by the Data Processor.

The parties shall indemnify the other party in full for all material and non-material damages caused to each other as a result of the breach of the service contract.

  1. PRIVACY MANAGEMENT

Persons covered by this Regulation shall, in the case of any IT system operated by or with the assistance of the Data Controller, immediately, but not later than within 12 hours, report to the Data Protection Officer if a data protection incident is suspected or if they are certain that a privacy incident occurred.

The notification must be made primarily during working hours by telephone, which must be confirmed by e-mail at the request of the data protection officer.

Procedures to be followed in the event of a data protection incident:

The Data Protection Officer and other data subjects shall act in accordance with this chapter in order to detect and determine the seriousness of a data protection incident reported to them or established within their jurisdiction.

Privacy Incident Handling Procedure:

The person responsible for data protection will contact the system administrator of the IT system affected by the data protection incident (if the incident also affects the IT system).

The data protection officer shall classify the data protection incident in one of the following categories during the inspection:

Low level data protection incident: in the event of unauthorized transfer, alteration, disclosure, intentional or accidental deletion or destruction of a negligible amount of personal data, or any other unlawful data processing event.

Medium level data protection incident: in the event of alteration, unauthorized transfer, disclosure, intentional or accidental deletion or destruction of personal data, or any other unlawful processing operation.

High level privacy incident: in the event of unauthorized alteration, transmission, disclosure, intentional or accidental deletion or destruction of a wide range of personal data, or any other unlawful processing operation, or

regardless of the scope of the data, any case where the incident is likely to have an adverse effect on the data subject, or the extent of the adverse effect is certain.

In the event of a low level data protection incident, the data protection officer shall:

determine with the system administrator of the affected system (if the incident also affects the IT system) how to handle the data protection incident and call on the person entitled to take action to handle the incident,

record the privacy incident in the incident record.

In the event of a moderate privacy incident:

the data protection officer shall immediately, but no later than within 12 hours, create a working group in which, in addition to the data protection officer, the system administrator (if the incident also affects the IT system) and the head of the Data Controller participate,

the working group shall determine how to handle the data protection incident and call on the person entitled to act to deal with the incident,

the data protection officer shall record the data protection incident in the incident register.

In the event of a high level privacy incident:

the data protection officer shall immediately, but no later than within 12 hours, convene a working group in which, in addition to the data protection officer, the system administrator (if the incident also affects the IT system) and the head of the Data Controller participate,

the working group shall determine how the data protection incident is to be handled and shall call upon the person entitled to take action to deal with the incident, and, if necessary, determine the manner in which the data subject is to be notified and the content of the notification, and to ensure that they are notified without delay.

the data protection officer shall record the data protection incident in the incident register.

the Data Controller shall keep a register of data protection incidents through the data protection incident in order to control the measures related to the data protection incident and to inform the data subject, including the scope and number of personal data affected by the data protection incident, the date of the data protection incident, its effects and the measures taken to remedy it, as well as other data specified in the legislation requiring data processing.

If the data subject so requests, the data protection officer shall provide information on data protection incidents involving the data subject’s personal data.

Who we are

Suggested text: Our website address is: https://quintadigitalgroup.com.

Comments

Suggested text: When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

Suggested text: If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

Suggested text: If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Suggested text: Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Who we share your data with

Suggested text: If you request a password reset, your IP address will be included in the reset email.

How long we retain your data

Suggested text: If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

Suggested text: If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where your data is sent

Suggested text: Visitor comments may be checked through an automated spam detection service.