Privacy and Data Processing Policy of Green Aqua LLC
1) Controller’s name
Green Aqua LLC (with its Hungarian name: Green Aqua Kereskedelmi Korlátolt Felelősségű Társaság, hereinafter: Green Aqua) is a company engaged in the commercial distribution of aquascaping products and accessories, building and maintenance of aquariums, and online content creation related to aquascaping. In addition to its shop, Green Aqua LLC also operates webshops (https://greenaqua.hu, http://greenaqua.com).
Company name: Green Aqua LLC (in Hungarian: Green Aqua Kereskedelmi Korlátolt Felelősségű Társaság, short name: Green Aqua Kft.)
Registered office: H-1119 Budapest, Thán Károly utca 23-25, Hungary
Company registration number: 01-09-950626 (Company Registry Court of Budapest-Capital Regional Court)
Tax number: 14702530-2-43
Phone number: +36 1 610 4627
English-language website: http://greenaqua.com
Our customer service operates in the Green Aqua shop: H-1119 Budapest, Thán Károly utca 23-25, Hungary
Should you have any questions or comments on data processing, please contact Green Aqua’s customer service at by email.
2) Processing performed by Green Aqua LLC
In the following, we provide information to our Customers on the data processed by Green Aqua LLC in relation to its commercial and service activities (hereinafter: Services), the source of such data, the purpose, legal basis and duration of processing, the activities of any processors involved in processing, furthermore, in the case of data transfers, the legal basis and recipients of such transfer. We also provide information on how Green Aqua protects such data and information.
Green Aqua is committed to ensuring that its data processing operations comply with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter: GDPR).
Please note that, for the purposes of this notice, the following terms have the following meaning in accordance with the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘controller’ means the natural or legal person (…) which, alone or jointly with others, determines the purposes and means of the processing of personal data.
3) Possible legal bases for processing
In accordance with the GDPR, the processing of personal data is lawful if at least one of the following legal bases apply:
- processing is based on consent,
- processing is required for the performance or conclusion of a contract,
- processing is necessary for compliance with a legal obligation,
- processing is necessary in order to protect vital interests (e.g. the protection of life),
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (not relevant for Green Aqua).
Where processing is based on consent, the Customer is entitled to withdraw his or her consent any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
Where data are provided based on law or a contractual obligation, failure to provide the data may result in the Customer being unable to use the given services of Green Aqua.
Green Aqua as controller will not verify any personal data provided to it. Sole liability for the data lies with the Customer.
Legitimate interest as a legal basis may only apply if the controller’s legitimate interest which the controller seeks to protect is proportionate to the limitation of the right to protect personal data. Establishing the same requires the preparation of a prior interest balancing test. In the course of such interest balancing test, Green Aqua as the controller:
- identifies its legitimate interest in the processing of the personal data that is the subject of the interest balancing test,
- identifies the data subject’s interests and rights relating to his or her personal data forming the subject of the interest balancing test,
- examines the legitimate interests of the data subject and those of the controller and, on that basis, establishes whether the personal data may be processed.
Green Aqua will not verify any personal data provided to it. The user/customer/consumer is solely liable for the truthfulness of the data he or she provides. By providing his or her email address, the user/customer/consumer warrants that, apart from him or her, no-one else will use such email address for using services. All liability regarding the registration with the given email address lies with the user who registered that address.
Green Aqua may not use the personal data provided voluntarily by the visitor/user/customer/consumer for any purpose other than those described. Primarily, Green Aqua and its internal staff has access to the data. Please note that the personal data provided by you as a user/customer/consumer voluntarily will not be transferred by Green Aqua to any third party or authority without your prior express consent, unless required by mandatory law.
4) Description of data processing operations (purpose, legal basis, duration, categories of data processed)
4/A) Data processing concerning shop visitors
Description of data processing: surveillance through CCTV.
Purpose of processing: Protection of property, protection of Green Aqua’s premises, detection and prevention of violations of law, protection of the life and bodily integrity of customers and employees, examination of quality and other complaints.
Legal basis for processing: Article 6(1)(f) of the GDPR (referred to in clause 2 above): ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
Data subjects, categories of data processed: Data subjects: Visitors and employees. Data processed: The likenesses of shop visitors and employees, and their other personal data recorded by the surveillance system.
Duration of data storage: 10 to 30 days from recording, depending on the camera.
4/B) Data processing concerning shop customers
Description of processing: shopping, placing of orders, invoicing, packaging and delivery.
Purpose of processing: Conclusion and performance of the sales contract regarding the products, supporting and verification of the sales of products, performance of the sales contract (product delivery), performance of distance contracts in the case of online orders.
Legal basis for processing: Article 6(1)(b) of the GDPR (referred to in clause 2 above): ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ and Article 6(1)(c) of the GDPR: ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
Data subjects, categories of data processed: Data subjects: Customers. Data processed: name, home address (or registered office), contact details (phone number, email). Date and time of purchase. Means of payment. Date, time and method of delivery. Delivery address. Tax number (for legal persons). Any other data disclosed by the Customer (e.g. the person taking delivery of the product, other home address data, financial data – bank account data etc.).
Duration of data storage: Until the statute of limitations of claims arising from the contract; for 8 years concerning invoices, based on the Accounting Act.
4/C) Data processing concerning customers purchasing through the Website
Regarding invoicing, packaging and delivery, webshop purchases only differ from shop purchases when it comes to the form of data processing.
Description of data processing: registration on the website, purchasing in the webshop, exercising the right of withdrawal/termination within 14 days.
Upon selecting payment by bank card, the customer is navigated to the online payment provider’s website. It is on this external payment platform that the data of the card payment transaction (name, card number, expiry date, CVC code) are requested. The service provider requests the data of the payment transaction (payer ID, amount, date and time of transaction) from Green Aqua. The payment service provider processes the requested data in compliance with the applicable PCI DSS standard (Payment Card Industry Data Security Standard) and data protection regulations: https://www.paymentgateway.hu/adatvedelem. Green Aqua is only notified of the success of online payment; and never receives any payment information.
Purpose of processing: Setting up the user account for visitors who register, simplifying the purchase process, conclusion and performance of distance contracts, ensuring that the statutory right of withdrawal/termination can be exercised.
Legal basis for processing: Article 6(1) points (a) to (c) of the GDPR (referred to in clause 2 above): ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject;’
Data subjects, categories of data processed: Data subjects: Persons who register or purchase. Data processed: name, email, password for login, IP address, date and time of registration, purchase or contract conclusion, details for invoicing and delivery (name, address, phone number, email), other details provided by the customer (e.g. delivery information, person taking delivery, other address data etc.).
Duration of data storage: Until the withdrawal of consent, deletion of personal account data, until the statute of limitations of the claims arising from the contract. The withdrawal document is stored together with the invoice; the duration of data storage is governed by the provisions set out above regarding invoices.
4/D) Marketing activity
The sending of newsletters by Green Aqua depends on the prior statement of the Customer. In case of consent, Green Aqua sends regular marketing newsletters to subscribers. Newsletters always offer the option to unsubscribe.
The sending of advertisements by Green Aqua depends on the prior statement of the Customer. We will not send advertisements or marketing materials to the email address provided by the Customer without the Customer’s consent.
Please note that if you consent to the sending of personalised advertisements, we will use the data of your previous purchases and/or webshop browsing for that purpose.
In the personalised advertisements, we will send you information on our products, current services, promotions and special offers, and other information that we think may be of relevance for you.
The data collected by Green Aqua by using advertisements as a marketing tool regarding the Customer’s browsing habits on the website (e.g. searching for products) will be used to decide which products to recommend to the Customer. The marketing activity of Green Aqua is not subject to decisions based ‘solely on automated processing’.
Customers may revisit their decision on direct marketing and personalised advertisements at any time and may notify us, free of charge and without any limitation whatsoever, if they no longer wish to receive notices of that kind. Each time Customers receive a direct marketing material from us by email, we will remind them of their option to change their mind any time. If they do so, they have the option to unsubscribe of advertisements any time.
Green Aqua monitors whether you opened and/or forwarded the email messages received from us, so that we can provide more useful and interesting information in the future. If you do not want us to collect information on whether you opened and forwarded our messages, you need to unsubscribe from our newsletters, as we have no means to send email messages without collecting data of this kind.
Description of processing: newsletter, direct marketing, loyalty programme.
Purpose of processing: Sending commercial offers to those interested, sending marketing materials and personalised advertisements, providing discounts to returning customers, increasing customer satisfaction, increasing the number of returning customers.
Legal basis for processing: Article 6(1)(a) of the GDPR (referred to in clause 2 above):‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes;’
Data subjects: those interested, customers, returning customers. Categories of data processed: name, email, date of subscription/unsubscribing, IP address, data of previous purchases and/or browsing the website, date and time of purchases.
Duration of data storage: Until the withdrawal of consent.
4/E) Cases of data processing related to servicing
Servicing can take place on various bases. Service under guarantee, warranty for material defects under law, service under mandatory guarantee, repairs for charge after the guarantee/warranty period based on separate agreement. Green Aqua intermediates service activities to customers regarding several of our distributed brands.
Distributed brands, service partners
- Green Aqua, Greenworks, Aquacare, ADWA, Aqualighter, Aqua Medic, Aquario, Aqua Rebell, Beta, Camozzi, Chihiros, Dennerle, ONF, Oxyturbo, Seachem, Söchting - Green Aqua LLC
- ADA, DOOA - Aqua Design Amano Co. Ltd.
- Aquarium Systems, ATI, Atman, D-D The Aquarium Solution, ISTA, Odyssea, WaveReef - Korallosakvárium Kft.
- Eheim - Fisch Kft.
- GHL - GHL Advanced Technology GmbH & Co.KG
- Hydor - Aquarium Kutsera Trade Kft.
- JBL - Best Aquatic Kft.
- Oase - Oase Kereskedelmi Kft.
- Sylvania - Elektro-Profi Kereskedelmi Kft.
- Tetra - Pet Akvarisztika Kft.
- Tropica - Tropica Aquarium Plants A/S
- Twinstar - Digimodelo - Unipessoal Lda
Data processing in managing guarantee and warranty claims
The Customer has several ways to contact the service. The Customer may report the malfunction and bring the defective product to the Green Aqua store or return it to Green Aqua. Green Aqua draws up a report of the consumer’s quality complaint in each case, including which right the consumer wishes to enforce. After that, depending on the brand, Green Aqua repairs the defective product or sends it to a service partner. Where it was possible to identify the defect, the service remedies the same and we send information thereof to the consumer.
Returning of products
We draw up a report on the returning of repaired or replaced products, products not requiring, or impossible to, repair. Such reports contain the same categories of personal data as the reports drawn up on consumer quality complaints.
Handling of rejected consumer claims
Where a complaint is rejected, Green Aqua draws up a report on rejection and, where the defect can be repaired for a charge, gives a quote. These documents contain the same categories of personal data as the reports drawn up on consumer quality complaints. If such a quote is accepted, the charge will be invoiced as described above.
4/F) Other service activities (repairs for payment, maintenance)
The cases and documents of processing are the same as those described above for the handling of guarantee and warranty claims.
Description of processing: handling of guarantee and warranty claims under law, other service activity.
Purpose of processing: fulfilling guarantee and warranty obligations, meeting repair and maintenance claims, performing other service activities.
Legal basis for processing: Article 6(1) points (a) to (c) of the GDPR (referred to in clause 2 above): ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; processing is necessary for compliance with a legal obligation to which the controller is subject;’ – Section 6:159 of the Civil Code (Remedies for breach of warranty for material defects) and Section 6:171 (Guarantee), Government Decree no. 151/2003. (IX. 22.) on compulsory guarantee for consumer durables, Decree no. 19/2014. (IV. 29.) NGM of the Minister for National Economy on the procedural rules for administering warranty and guarantee claims on products sold to consumers under a contract between the consumer and enterprise, Government Decree no. 249/2004. (VIII. 27.) on the statutory guarantee related to specific repair and maintenance services.
Data subjects: consumers. Categories of data processed: personal and contact data recorded on the invoice and the report drawn up on the consumer quality complaint, and on the invoice and the service worksheet: name, address, email, phone number, product data, date of purchase, date of reporting the error, date of sending a notice, date of receipt of the repaired product.
Duration of data storage: 3 years or until the statute of limitation of the complaint or any claims arising from the contract, but no more than 5 years.
4/G) Customer service and handling of complaints
Description of processing: Book of Customers, data processing in relation to consumer protection cases, customer service administration though chatbot, handling of messages.
Purpose of processing: Ensuring the consumers’ right of complaint. Information regarding products, stock, invoicing, guarantee, warranty, withdrawal, promotions, sending advertisements and marketing materials, documenting the legality of procedures, resolution of legal disputes, managing Customer emails, managing social media messages.
Legal basis for processing: Points (a) and (c) in Article 6(1) of the GDPR (referred to in clause 2 above):‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for compliance with a legal obligation to which the controller is subject;’
Data subjects: consumers, interested persons, Customers. Categories of data processed: name, address, email, phone number, product data, date of purchase, date of complaint, user ID generated by the chatbot, social media name, social media profile picture, data of social media profile, date of service, personal data provided voluntarily, subject and details of enquiry, IP address.
Duration of data storage: The report drawn up on the quality complaint and the reply: 5 years, the content of the Book of Customers: 2 years, chatbot: until the withdrawal of consent or 1 year after being logged in the system, storing of messages: for no more than 5 years.
4/H) Data processing in support of service
Description of processing: Document and email management, processing the data of contact persons specified in the contracts.
Purpose of processing: Retention of the data contained in hard copy and electronic documents, making them available for further use, maintaining the contractual relationship.
Legal basis for processing: The same as for the data contained in the document. Article 6(1)(f) of the GDPR (referred to in clause 2 above): ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
Data subjects: Individuals affected by the data processing, contact persons. Categories of data processed: personal data, IP address, email.
Duration of data storage: Depending on the content of the document, no more than 10 years, or the statute of limitation of any claims arising from the contract.
4/I) Data processing concerning website visitors
Upon first visit to the website, the window popping up at the bottom of the screen provides information on the cookies used on the site. In this pop-up window, the user can select the cookies to which he or she consents.
A certain part of the cookies we use is essential for you to navigate between the various pages and access certain protected contents (such as pages that are only available for registered users).
In addition to that, we also use functional cookies that allow us to collect information on how you use the site and to personalise the website; for example, we can remember what language you chose and what product you searched for. These data are only used for offering our contents in a personalised manner, and they are not used for any other purpose. Traffic logging cookies serve to identify the sites visited. This helps us log website traffic. This information is only used for the purpose of statistical analyses; original data are deleted after use. Cookies also allow, for example, our users to log in to the website and to access personalised contents.
Description of processing: Cookies and webserver logging
Purpose of processing: With a view to customised service, the website places a small data package, so-called cookie, on visitors’ computers, and reads it back; while webserver logging serves the purpose of independent measurement of website traffic and other web analytics data.
Legal basis for processing: Consent as per point (a) and legitimate interest as per point (f) of Article 6(1) of the GDPR (referred to in clause 2 above): ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’, ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’
Data subjects: Website visitors. Categories of data processed: date, time, the user’s IP address, browser information, the URL of the website visited, time spent on the website, type and version of the operating system, the user’s searches.
Duration of data storage: Until the withdrawal of consent. The controller processes and stores the cookies to the extent necessary for and proportionate to the purpose, for the minimum duration required. Cookies are stored on the user’s device until deleted, but until the expiry of their validity at the latest.
In addition to the above, the independent measurement and audit of the website’s traffic and other web analytics data are supported by external servers (Google Analytics). Detailed information on the processing of measurement data are available at www.google.com/analytics/. If you do not want Google Analytics to measure the above data in the described manner and for the described purpose, please install the relevant blocking plugin in your browser.
Every now and then, our website uses external web services to display various content. This is necessary to display contents such as various pictures, videos, statistics or search boxes. As in the case of social buttons, we cannot influence what data these websites or external domains collect on your use of such embedded contents.
5) Processing by data processors
5/A) Green Aqua as data processor
According to the GDPR, ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Green Aqua does not carry out any data processing as a processor on behalf of Customers as controllers.
5/B) Use of data processors
In certain cases, Green Aqua as a controller uses data processors. The data transferred by Green Aqua are recorded, managed and processed by such Data Processors in compliance with the GDPR.
With respect to the data processing operations of Green Aqua, we only collaborate with the following data processors in order to provide the services described below:
- Dropbox. Address: 185 Berry Street, 94107 San Francisco, CA, USA - cloud storage
- Euclid Services Limited Ltd. Address: Agias Elenis, 4 6th floor, FLat/Office 601, 1060 Nicosia, Cyprus - EuroVPS server hosting
- GLS Hungary Kft. Address: H-2351 Alsónémedi, GLS Európa utca 2, Hungary - Package delivery
- Google Inc. Address: Barrow Street, Gordon House, Dublin 4., Ireland - Analytics website traffic data and Adwords advertisement service
- Klevu Oy. Address: Bertel Jungin aukio 5. 02600 Espoo, Finland - Website search software
- Nosto Solutions. Address: Aleksanterinkatu 15a, FI24189119, 00100 Helsinki, Finland - Marketing / Recommendation system
- Zendesk, Inc. Address: Market St. 1019, 94103 San Francisco, CA, USA - Customer relations software
- Prohost.be Bvba. Address: Ganzenstraat 11, 8000 Brugge, Belgium - Server hosting service
- VRNG Consulting Kft.. Address: H-1013 Budapest, Attila út 2.B, fe. 6/a - Accounting
- TNT Express Hungary Kft. Address: H-1097 Budapest, Ecseri út 14-16 - Package delivery
- Reviews.io Address: 29 St Nicholas Place, Leicester, LE1 4LD UK - Product review software
- Facebook Ireland Ltd. Address: Hannover Reach, 5-7 Hannover Quay, Dublin 2, Ireland - Social
- Klaviyo, Inc. Address: 125 Summer Street, Boston, MA, 02111, United States - Newsletter
The processors made a declaration in contract on the confidential handling of data and on GDPR compliance. The contracts concluded with processors and customers/consumers/service users are filed and archived by Green Aqua in its electronic records, thereby ensuring that contract data can be subsequently accessed and that data can be erased at the Customer’s request. Green Aqua complies with the GDPR in processing the data.
5/C) Data transfer
As of 1 July 2020, Green Aqua as an invoice issuer is obliged to transfer the invoice data, immediately after creating the invoice in the invoicing programme, to the National Tax and Customs Administration of Hungary (NTCA) in respect of all resident taxpayers (companies, sole traders and individuals registered for taxation). From 1 January 2021, we supply data on all transactions, including invoices issued to individuals. Legal background: Act CXXVII on 2007 on value-added tax and Decree 23/2014. (VI. 30.) NGM of the Minister of National Economy on the verification of electronically stored invoices by the tax authority.
Courts and authorities may contact the controller and request information, the disclosure and transfer of data, or the provision of documents. Provided that the requesting court or authority has specified the exact purpose of use and the scope of the data, Green Aqua will only disclose those personal data to the courts and authorities and only to such extent that is indispensable for the implementation of the purpose of the request.
6) The rights of data subjects
The GDPR defines ‘data subject’ as a natural person who can be identified, directly or indirectly, by reference to information or personal data concerning him or her. Please note that, before meeting any requests for the enforcement of rights, we are obliged to identify the person making such request.
The User/Customer who is in contact with us—and who is a ‘data subject’ with respect to data processing—has the rights detailed below.
6/A) Request for information
Customers have the right to receive information regarding the processing of their personal data as well as the enforcement of their rights. Such requests can be enforced by sending an email to one of the addresses listed on our ‘Contact‘ page. The requested information will be provided in writing, in accordance with the provisions of this Privacy Notice. We may refuse to fulfil the request if we can prove that we have no means to identify the Customer.
6/B) Right of access
The Customer has the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. The Customer has the right to obtain from Green Aqua confirmation as to whether or not personal data concerning him or her are being processed. Where that is the case, the Customer has the right to get access to the personal data and the following information:
- the purposes of processing,
- the categories of personal data concerned,
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
- the right to lodge a complaint with a supervisory authority,
- where the personal data are not collected from the data subject, any available information as to their source,
- the existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In practice, the right of access can be exercised such a way that the Customer provides a copy to Green Aqua of his or her personal data that are subject to data collection. If that is submitted by electronic means, then the data are required to be provided in one of the commonly used formats. Green Aqua will respond to the Customer’s request without undue delay but on the 30th day at the latest and, where we do not fulfil the Customer’s request, we are required to provide the reasons. Normally, a copy of the personal data can be requested free of charge. We may only charge a fee if multiple copies are requested or there is another way to request data that is faster and more efficient than the one pursued by the Customer.
6/C) Right to rectification
The Customer has the right to obtain from Green Aqua without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Customer also has the right to have incomplete personal data completed. Completion can take place by means of a supplementary statement provided by the Customer. Certain data may also be rectified by the Customer by logging in to his or her user account; in such cases, Green Aqua may refuse to perform the rectification.
6/D) Right to erasure (‘right to be forgotten’)
The Customer has the right to obtain from Green Aqua the erasure of personal data concerning him or her without undue delay and Green Aqua has the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Customer withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- the Customer objects to the processing pursuant to the relevant provisions of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing performed for direct marketing purposes (including profiling);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which Green Aqua is subject;
- the personal data have been collected in relation to the offer of information society services directly offered to children.
Green Aqua is not obliged to erase the data where the data processing is necessary for one of the following reasons:
- for exercising fundamental rights (exercising the right of freedom of expression and information);
- in cases of mandatory data processing (for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject);
- in the public interest (for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing);
- for the establishment, exercise or defence of legal claims.
The right to erasure may not cause the deletion of, in particular, personal data concerning the Customer which the Customer had provided for the performance of a contract, if and to the extent such personal data are still necessary for the performance of the given contract. Furthermore, the right to erasure may not be applied in cases where the duration of processing is determined by law, e.g. for invoices, as invoices must be retained for 8 years in accordance with the legal provisions. Where Green Aqua has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Customer has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. The rules for exemptions also apply in this case.
6/E) Right to restriction of processing
The Customer has the right to obtain from Green Aqua restriction of processing where one of the following applies:
- the Customer contests the accuracy of the personal data (for a period enabling Green Aqua to verify the accuracy of the personal data);
- the processing is unlawful and the Customer opposes the erasure of the personal data and requests the restriction of their use instead;
- Green Aqua no longer needs the personal data for the purposes of the processing, but they are required by the Customer for the establishment, exercise or defence of legal claims; or the Customer has objected to processing pursuant to the relevant provision of the GDPR, pending the verification whether the legitimate grounds of Green Aqua as controller override the Customer’s legitimate grounds.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Customer’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. Green Aqua will inform the Customer (upon whose request processing was restricted) before the restriction of processing is lifted.
6/F) Right to data portability
The Customer has the right to receive the personal data concerning him or her, which the Customer has provided to Green Aqua, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from Green Aqua where:
- processing is based on consent or a contract; and
- the processing is carried out by automated means.
In exercising the right to data portability, the Customer has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Please note that the right to data portability may only be exercised if both of the above conditions are met (i.e. processing is based on consent or a contract and is carried out by automated means). Accordingly, the right to data portability does not apply to e.g. data processed under a statutory provision. According to the guidelines of the Article 29 Data Protection Working Party (WP29), as the right to data portability may only be applied to data processing by automated means, it shall not apply to paper-based processing.
6/G) Right to object
Customers have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them if processing is based on the legitimate interests of Green Aqua. In such a case, Green Aqua shall no longer process the personal data unless it proves that processing is justified by compelling legitimate grounds which override the Customer’s interests, rights and freedoms or are related to the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the Customer has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling (to the extent that it is related to such direct marketing). Where the Customer objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
6/H) How to exercise rights. Available remedies
Green Aqua will provide the Customer with information on action taken on the requests without undue delay and in any event within 30 days of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Green Aqua shall inform the Customer of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Customer submitted the request electronically, then—to the extent possible—the information shall also be provided electronically, unless the Customer requires otherwise.
If Green Aqua does not take action on the request of the Customer, it shall inform the Customer without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Normally, Green Aqua provides the information requested based on the right to information, as well as any information and measures related to the exercising of the individual rights free of charge. Green Aqua shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. However, where the Customer’s request is manifestly unfounded or excessive, in particular because of its repetitive character, Green Aqua may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
7) Data security measures
7/A) General measures
We only collect and process personal data in line with legal regulations, so that we can provide information to data subjects when they enquire in writing about data processed concerning them. We only disclose data to third parties based on consent and under agreement.
In case of personal data breaches, i.e. deliberate, negligent or accidental data loss/alteration, breach of confidentiality, cyber-attacks etc., Green Aqua follows the procedure of having the designated administrator immediately shut down the servers (make them offline), notifying the personal data breach to the competent supervisory authority (the Hungarian National Media and Infocommunications Authority and the Hungarian National Authority for Data Protection and Freedom of Information) within 72 hours of becoming aware of the incident, and communicating the personal data breach to the data subjects by email. Where such communication would involve disproportionate effort by Green Aqua, we will display the link to this privacy page in the notifications line on the home page of Green Aqua. The notifications line is a prominent temporary message, usually in red, at the top of the home page.
Personal data breaches are recorded in public databases on Green Aqua’s Privacy page:
- Up until the publication of this document, no personal data breach has occurred as regards Green Aqua’s data processing operations.
Green Aqua ensures that, should a personal data breach occur, personal data do not become directly and immediately compromised. Against these, a specific computer protection and protection against physical intrusion has been developed: data are stored in a password-protected encrypted database in our administration system, no unencrypted copy is made thereof, and servers are protected with separate physical protection and an alarm system with video cameras connected to distance monitoring.
Communication between users and the internet platform is protected with a valid SSL certificate issued by Sectigo. The certificate can be queried at any time by clicking the information band at far left in the browser’s address line. We use dedicated antivirus and traffic monitoring software covering the communication of the computers in the internal network as well as against the intrusion of malware and against personal data breaches.
The data protection officer of Green Aqua is managing director Viktor Lantos.
7/B) Protection of children
By providing the data and information relating to the use of Green Aqua’s Services, the Customer declares that his or her capacity to act in connection with the provision of the data and information concerned is not limited. If, legally speaking, the Customer has no capacity to act or partially limited capacity to act as regards providing the data and information and is not entitled to make an individual declaration in this respect under applicable law, the Customer is obliged to obtain consent from the third party designated by law (e.g. legal representative, custodian) in connection with providing the information. In that context, the Customer is obliged to consider whether the consent of any third party is necessary in relation to providing the given piece of information. Green Aqua assumes no liability in that respect. The Civil Code of Hungary and the GDPR regulate the validity of legal declarations, including the validity of the consent to process the data of minors. Pursuant to Sections 2:13 and 2:14(1) of the Civil Code, ‘minors under the age of fourteen shall have no capacity to act. Juridical acts of a minor under 14 shall be null and void; his statutory representative shall act on his behalf.’ Pursuant to Sections 2:11 and 2:12(1) of the Civil Code, ‘minors shall have limited capacity to act if they have reached the age of fourteen and do not lack the capacity to act. Unless otherwise provided in the Civil Code, for declarations of a minor having limited capacity to act to be valid, the consent of the minor’s statutory representative shall be required.’ In the context of processing personal data based on consent, the GDPR provides that ‘in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.’
If we become aware that a person obviously having no ‘capacity to act’, such as, in particular, a child under the age of 16 acting without authorisation from his or her parent or guardian, wants to use the services of Green Aqua, we will take all reasonable steps to delete any information obtained from the child and ensure that such information will neither be transferred to any third party nor used by us.
If you as a Customer become aware that a child has provided personal data or information concerning him or herself to us without authorisation by his or her parent or guardian, please notify us immediately. For parents and guardians, we recommend teaching their children about the safe and responsible handling of their personal data (especially in the context of internet use).
9) Enforcement of rights
Pursuant to Act CXII of 2011 on informational self-determination and freedom of information (Privacy Act) and to Act V of 2013 on the Civil Code of Hungary (Civil Code), users/customers/consumers may enforce their rights before courts and may also apply to the National Authority for Data Protection and Freedom of Information (H-1125 Budapest, Szilágyi Erzsébet fasor 22/C, mailing address: 1530 Budapest, PO Box: 5, Web: www.naih.hu) in any issues related to personal data.
Should you have any questions or comments regarding the above, please contact us using our contact details.
Green Aqua LLC
Budapest, 1 October 2020