1. SUMMARY

CNW Rendszerintegrációs Zrt. (hereinafter referred to as the Data Controller) processes the personal data of visitors to its websites, users who register on the website, customers placing orders, and newsletter subscribers (hereinafter collectively referred to as the Data Subjects). All personal data is collected and processed strictly in accordance with applicable laws. System notifications may be sent without separate consent; however, newsletters are only sent with prior consent. Your data is stored as securely as possible and will only be disclosed to third parties with your consent. You may request information about your personal data or its deletion by writing to: office@cnw.hu.

2. DATA CONTROLLER DETAILS

Name of the data controller: CNW Rendszerintegrációs Zrt.
Mailing address: 1105 Budapest, Vaspálya u. 14/C
Email address: office@cnw.hu
Phone number: +36 1 323 2600
Company registration number: 01-10-041037
Tax number: 11796770-2-43

3. PURPOSE OF THE PRIVACY POLICY

This Privacy and Data Protection Policy (hereinafter: the Policy) is intended to record the data protection and data management principles applied by CNW Rendszerintegrációs Zrt. (registered office: 1181 Budapest, Wlassics Gyula u. 50.; company registration number: 01-10-041037; phone number: +36 1 323 2600; registry court: Metropolitan Court as Court of Registration; tax number: 11796770-2-43) and to describe its data protection practices.

The Data Controller acknowledges this legal statement as binding upon itself and undertakes to ensure that all data processing carried out in the course of its activities complies with the present Policy and the applicable legal requirements. In connection with data processing, the Data Controller informs users of the website about the personal data it manages, the principles and practices it follows regarding personal data processing, and the means and possibilities for Data Subjects to exercise their rights.

The Service Provider respects the privacy rights of visitors to its website and handles personal data confidentially, in compliance with applicable data protection laws and international recommendations, and in accordance with this privacy statement. The Data Controller reserves the right to amend this Policy at any time, and will notify users of such changes. Continued use of the website requires acceptance of the changes in the manner provided by the Data Controller.

The principles and procedures set forth in this Privacy Statement comply with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: the “Privacy Act”), and Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”).

4. SCOPE, DURATION AND PURPOSE OF PERSONAL DATA PROCESSING

A Data Subject may order services on the Data Controller’s website after registration or login. Providing data is voluntary — the Data Subject is not required to provide personal data — however, in some cases (e.g., when ordering as a private individual), failure to provide such data may prevent service delivery.

Purpose of data processing with the Data Subject’s consent:

  • Provision of services
  • Documentation of service fulfillment
  • Verification of contract formation
  • Compliance with legal obligations (e.g., issuing invoices)

In cases of mandatory data processing, the Data Controller complies with legal obligations concerning data retention and processing as prescribed by law, for the time and scope defined by applicable legislation. The Data Controller is not responsible for the accuracy of data provided by the Data Subject.

Technical data:
For technical reasons, the website automatically records the user’s IP address, the type of operating system and browser used, and other related information. This logging is continuous and is not linked to any personal data provided during registration or usage. These technical logs are only accessible to the Service Provider.
The Service Provider may also record the websites from which the user accessed the site, the pages visited, and the duration and time of visits. These data do not allow for personal identification or profiling.
The system identifies visitors’ computers using so-called cookies.
Technical data is processed solely for website operation and statistical purposes.

Data Provided During Registration and Service Purchase and Its Processing:
During registration, the Data Subject is required to provide the following personal data: full name, billing address (postal code, city/town, street, house number), country, telephone number, and personal email address.
After submitting the data, the Data Controller notifies the Data Subject via email regarding the success of the registration.
Following registration, the Data Subject may optionally provide additional data or comments if they are necessary for the performance or facilitation of services provided by the Service Provider.

The Data Controller undertakes not to send emails to the email addresses provided during registration, except for messages related to the services used by the Data Subject and system messages. If the Data Subject has explicitly subscribed to the newsletter, they will also receive those communications. Newsletter content may include updates, information about Moodle plugins, educational material, and other service-related or marketing messages.

  • Purpose of data processing:
    To document purchases, orders, and payments; issue financial records; provide the service; communicate changes related to the specific service; send reminders (e.g., payment reminders, requests for other essential technical information necessary for service delivery).
  • Legal basis of data processing:
    The Data Subject’s consent, and/or statutory obligation (e.g., accounting laws).
  • Duration of data processing:
    8 years for data processing based on legal obligation, or until consent is withdrawn in other cases.

Cloud Hosting Service

The Service Provider offers Cloud Hosting (cloud-based services) via the Website, including the option to order such services. During the use of the service, the Service Provider processes technical data generated and the data provided by the User during the order process.

During ordering, the User may optionally provide additional data (comments) if these are required to fulfill or support the services or product sales provided by the Service Provider.

  • Purpose of data processing:
    To document purchases, orders, and payments; issue financial records; provide the service; communicate changes related to the specific service; send reminders (e.g., payment reminders, or requests for technical information necessary for delivery).
  • Legal basis of data processing:
    The Data Subject’s consent, and/or statutory obligation (e.g., accounting laws).
  • Duration of data processing: 8 years for data processing based on legal obligation, or until consent is withdrawn in other cases.

Data Stored and Processed From Inquiries Not Related to Services

  • Processed data: email address, name, phone number (if provided by the sender).
  • Purpose of data processing: to maintain communication.
  • Legal basis of data processing: the Data Subject’s consent.
  • Duration of data processing: until consent is withdrawn.

Other Data Processing

For any data processing not listed in this Privacy Policy, we provide specific information at the time of data collection.

Authorities such as courts, the public prosecutor’s office, investigative authorities, administrative bodies, the National Authority for Data Protection and Freedom of Information, or other entities authorized by law may contact the Data Controller to request information, data provision, data transfer, or access to documents.

The Data Controller will only disclose personal data to such authorities to the extent strictly necessary and only if the authority specifies the exact purpose and the scope of requested data.

5. STORAGE, PROTECTION AND ACCESS TO PERSONAL DATA

Personal data is stored using IT systems on servers located at the Data Controller’s registered office. The data may be accessed primarily by the Data Controller’s executives and employees. As described in this notice, certain data may be shared with data processors or other data controllers (e.g., accountants) to achieve the purposes stated herein.

Beyond these cases, personal data concerning the User will only be shared under circumstances defined by law (e.g., an official request by a legally authorized authority) or with the User’s explicit consent.

The Data Controller protects the stored data against unauthorized access, alteration, transmission, deletion, damage, or destruction.

The Data Controller maintains a data protection record, which includes:

  • the categories of personal data processed;
  • the scope and number of persons potentially affected by a data protection incident;
  • the date, circumstances, effects, and corrective measures related to the incident;
  • any other data required by applicable data protection laws.

6. DATA SECURITY

The Data Controller takes all necessary steps to ensure the security of personal data provided by the Data Subject, both during network communication and during the storage and retention of data. Access to personal data is strictly limited to prevent unauthorized access, alteration, or use.

The servers hosting the Data Controller’s website are located at ATW. During data processing, the Data Controller ensures confidentiality: protecting the information so that only those authorized can access it; integrity: protecting the accuracy and completeness of the information and the method of processing; and availability: ensuring that the information and the tools needed to access it are available to authorized users when required. These obligations are also extended to the employees participating in data processing activities and to data processors acting on behalf of the Data Controller.

Data Protection Incident

A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. The Data Controller keeps a record of data protection incidents, including the facts related to the incident, its effects, and the remedial actions taken. In the event of an incident – except where it does not pose a risk to the rights and freedoms of natural persons – the Data Controller notifies the Data Subject and the supervisory authority without undue delay, and no later than 72 hours after becoming aware of the incident.

The Data Subject does not need to be informed if any of the following conditions are met:

  • The Data Controller has implemented appropriate technical and organizational protection measures, which were applied to the data affected by the incident—especially measures like encryption that render the data unintelligible to unauthorized persons;

  • The Data Controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects referred to in Article 33(1) of the Regulation is unlikely to materialize again;

  • Informing the Data Subject would require disproportionate effort. In such cases, public communication or a similarly effective method must be used to inform the affected individuals.

7. USER RIGHTS AND LEGAL REMEDIES

The Data Subject is entitled at any time to request information about the personal data processed by the Data Controller and may modify such data at any time. The Data Subject may also request the deletion of their data via the contact details provided in this section.

The Data Subject may request information from the Data Controller about the processing of their personal data, rectification of their data, deletion or blocking of their data—except where processing is mandatory—restriction of processing, and may object to data processing.

Data Subject’s Rights:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability

The Data Subject may exercise their rights via the following contact details:
Mailing address: 1105 Budapest, Vaspálya u. 14/C
Email: office@cnw.hu

For any questions or comments related to data processing, the Data Subject may contact the Data Controller’s staff through the above contact details. The Data Controller must respond to the request in the shortest time possible, but no later than 25 days from the receipt of the request, in writing and in an understandable form, and in the same manner as the request.

The Data Subject is entitled to request the rectification or deletion of incorrectly recorded data at any time. Some data may be corrected by the Data Subject directly on the website; otherwise, the Data Controller will delete the data within 3 working days of receiving the request, after which they cannot be restored.

Upon the Data Subject’s request, the Data Controller will delete personal data within a maximum of 15 days. This does not apply to data processing required by law (e.g., accounting regulations), which the Data Controller will retain for the legally required period.

The Data Controller will restrict data processing at the Data Subject’s request if the accuracy of the data is disputed, the processing is unlawful, or in the case of the Data Subject’s objection to processing, and if the data are no longer needed by the Controller.

The Data Subject has the right to receive their personal data in a structured, commonly used, machine-readable format and to transmit those data to another controller without hindrance, provided that the necessary conditions are met.

The Data Subject may enforce their rights before the Budapest Metropolitan Court (1055 Budapest, Markó u. 27.) or before the county court of their residence/headquarters, according to their choice (legal background: Act CXII of 2011 on Informational Self-Determination and Freedom of Information, Section 22(1)).

They may also seek assistance from the National Authority for Data Protection and Freedom of Information:
1024 Budapest, Szilágyi Erzsébet fasor 22/C
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu
Phone: +36-1/391-1400

The Data Controller may only refuse to provide information in cases and for reasons specified by the Info Act or the GDPR. In such cases, the Data Controller will inform the Data Subject in writing about the legal basis for refusal and the legal remedies available.

If, during registration for the service, the Data Subject provided third-party data, the Data Controller will provide all possible assistance to the competent authorities in identifying the infringing person.

8. COOKIE POLICY

Our websites use cookies. We do not and cannot personally identify you based on the information stored in cookies; we use them only to determine whether you have previously visited our website, what pages you viewed, and which services may interest you based on that. You may refuse the use of cookies through your browser settings; however, this may limit the availability of some features on our site.

a. What are cookies?

Cookies are small text files stored on your computer, mobile phone, or tablet when you visit a website. They allow the site to remember your settings, such as your username, so you don’t have to re-enter it each time. Many user-friendly features rely on cookies being enabled. We do not sell cookie data or use it for identification.

b. How do we use cookies?

We use cookies to track:

  • display settings (e.g., font size)

  • browser type/version, operating system, referrer URL, IP address of the accessing computer, date/time of visit

  • whether a user has completed a satisfaction survey

  • whether consent has been given for cookie use

  • items placed in the shopping cart

  • user behavior and traffic patterns for improving our site and services

These data are collected for internal statistical purposes only.

Types of cookies used:

  • Essential temporary cookies: stored only for the duration of the session; required for certain functions of the website.

  • User experience cookies: collect anonymous data about site usage and errors to help improve performance. Their lifespan is limited to the session.

Third-party cookies:

  • Google Analytics (_utma, _utmb, _utmv, _utmz, _utmx): Collect anonymous data on site usage. No user identification is possible.
    More info: www.google.hu/intl/hu/policies/privacy

  • Facebook.com (datr, lsd, reg_ext_ref, reg_fb_gate, reg_fb_ref, wd): Enables sharing site content. May set cookies we don’t control. Facebook remarketing code displays promotions. User identification is not possible.

  • Twitter.com (__utma, __utmb, __utmc, __utmv, __utmz, _twitter_sess, external_referer, guest_id, k, original_referer): Enables sharing content on Twitter. May set cookies we don’t control. No personal identification possible.

  • accounts.google.com (GALX, GAPS, GoogleAccountsLocale_session): Enables sharing content on Google. May set cookies we don’t control. No personal identification possible.

  • Google Adwords (NID, SID): The site uses Adwords remarketing tags and conversion tracking cookies, which only identify browsers, not individuals. Users may opt out.

Analytics: Aggregated, anonymous statistical reports may be kept indefinitely. These reports do not allow identification of individuals.

Cookie settings can be changed via your browser help menu or through these links:

Cookies can be deleted or disabled via browser settings, usually under Tools/Settings → Privacy/History/Custom settings → Cookies/Tracking.

9. OTHER PROVISIONS

The Data Controller reviews this notice annually. The Service Provider reserves the right to unilaterally amend this Privacy Policy with prior notification to the Data Subject. A review is also required if there are significant legal changes or changes to the data protection processes or procedures. In such cases, the Privacy Policy will be updated accordingly and published on the website, with attention drawn to the changes.

Our site is not responsible for the data processing practices of external websites. The Data Controller does not verify the personal data provided. The provider of the data is solely responsible for its accuracy. By providing an email address, the Data Subject also assumes responsibility that the services will only be used by them from that email account.