PLANTATREE NONPROFIT KFT. DATA MANAGEMENT POLICY

INTRODUCTION, CONTACT DETAILS OF THE DATA CONTROLLER

The Planatree Nonprofit Kft. (hereinafter referred to as the “Data Controller” or “Company”) provides the following information regarding the processing of personal data in accordance with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (GDPR).

The Company is committed to protecting the personal data of its clients and partners and places great emphasis on respecting the information self-determination rights of its clients. The Company treats personal data confidentially and takes all security, technical, and organizational measures that ensure the safety of the data.

CONTACT DETAILS OF THE DATA CONTROLLER

Company name: Planatree Nonprofit Kft.

Registered office: 1111 Budapest, Lágymányosi utca 12. ground floor 2.

Company registration number: 01-09-343239

Tax number: 26758796-2-43

Email address: info@planatreeproject.com

Websites: www.plantatreeproject.com, www.plantatreecocktail.com, www.plantatree.hu

1. DEFINITION OF TERMS

1.1 Personal data

Any information relating to an identified or identifiable natural person (hereinafter: “Data Subject”). A natural person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.2 Data processing

Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

1.3 Data controller

The natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

1.4 Data processor

A natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

1.5 Recipient

A natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

1.6 Consent

The Data Subject’s voluntary, specific, informed, and unambiguous indication of their agreement to the processing of their personal data. Therefore, consent has 3 basic elements: voluntariness, specificity, and adequate information.

1.7 Third party

A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

1.8 Data protection incident

Illegal processing or handling of personal data, especially unauthorized access, modification, transmission, disclosure, deletion or destruction, and accidental destruction and damage.

2. PARTNER

Legal entities or business associations without legal personality that use the services of the Data Controller based on a contract and/or facilitate the fulfillment of the Data Controller’s services, to which the Data Controller may transmit or be able to transmit personal data following the Data Subject’s consent, or which perform or may perform data storage, processing, related IT, and other secure data management activities for the Data Controller.

2.1 Employee

A natural person who has a contractual, employment or other legal relationship with the Data Controller, appointed or can be appointed by the Data Controller to provide its services, who may come or is in contact with personal data during their data processing or data management tasks, and for whose activities the Data Controller assumes full responsibility towards the circle of Data Subjects and third parties.

3. PRINCIPLES OF THE COMPANY’S DATA PROCESSING

Legality, Fair Processing, and Transparency

The company processes personal data lawfully, fairly, and in a manner that is transparent to the data subject.

3.1 Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and is not processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes, in accordance with Article 89(1) of the GDPR.

3.2 Data Minimization

The personal data processed by the company is adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

3.3 Accuracy

The personal data processed by the company is accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

3.4 Limited Retention

Personal data is stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.

3.5 Integrity and Confidentiality

The company processes personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

3.6 Accountability

The company takes responsibility for complying with the above principles and states that its data processing adheres to these principles.

4. NEWSLETTER, DIRECT MARKETING ACTIVITY

The Data Subject may, in advance and explicitly, consent to the Company contacting them with advertising offers and other consignments at the provided contact details, and the Company processing the personal data required for sending the advertising offers.

The Company does not send unsolicited advertising messages, and the Data Subject can unsubscribe from the newsletters free of charge and without any restriction or justification. In this case, the Company deletes all personal data required for sending the advertising messages from its register and does not contact the Data Subject with further advertising offers.

Affected individuals: All natural persons who have subscribed to the newsletter.

Scope of managed data: Name, email address.

Legal basis for data processing: Consent of the Data Subject, Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activity (Advertisement Act).

Purpose of data processing: Sending an electronic message containing advertising to the Data Subject, providing information on current information, products, promotions, and offers.

Duration of data processing: The Company processes the personal data mentioned in this point until the consent is withdrawn, i.e., until the unsubscribe.

Potential data processors who can become aware of the data: Authorized employees of the data controller may process personal data, respecting the above principles.

Potential consequences of the failure to provide data: The Data Subject cannot receive newsletters or Direct Marketing outreach.

5. SCOPE OF THE REGULATION

Temporal scope: This Regulation is effective from March 22, 2021, until further notice or withdrawal.

Personal scope: The personal scope of this Regulation extends to the Data Controller, to persons whose data is included in data processing under the scope of this Regulation, and to persons whose rights or legitimate interests are affected by the Company’s data processing.

Material scope: The scope of this Regulation extends to all data processing by the Data Controller that contains personal data, regardless of whether it is electronic and/or on paper.

Right to amend: The Data Controller reserves the right to amend this regulation at any time. Affected parties and partners will be notified of any changes in due time.

6. RELEVANT LAWS

The Data Controller declares that its data processing is in accordance with the current laws on data protection, especially the following:

• Act CLV of 1997 – on consumer protection (Consumer Protection Act);
• Act C of 2000 – on accounting (Accounting Act);
• Act XLVII of 2008 – on the prohibition of unfair commercial practices towards consumers;
• Act CXII of 2011 – on the right to informational self-determination and freedom of information (Information Act);
• Act V of 2013 – Civil Code (Civil Code);
• Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

7. THE COMPANY’S WEBSITE

• Scope of the data subjects: Natural persons registering on the Company’s website (www.planatreeproject.com).
• Data processed: Name, email address, optionally provided Instagram account name.
• Purpose of data processing: Ensuring registration on the website, communication between users, providing updates and offers.
• Legal basis for data processing: Voluntary consent of the Data Subject.
• Duration of data processing: The Company will handle the data until the deletion of the user’s account.
• Potential data processors who can access the data: The personal data can be managed by the authorized employees of the data controller, in accordance with the above principles.
• Possible consequences of failing to provide data: The Data Subject cannot register on the Company’s website.

8. USING SOCIAL MEDIA

• The Company is accessible on Facebook and Instagram. Using these platforms and communicating with the Data Controller through them is based on the voluntary consent of the Data Subject.
• The Data Controller communicates with the data subjects only when they approach the Data Controller through social media. For instance, by liking the Data Controller’s content on Facebook, the Data Subject voluntarily agrees to the processing of their data.
• Scope of the data subjects: Natural persons who voluntarily follow, share, or like the content on the Data Controller’s social media pages, especially on Facebook and Instagram.
• Data processed: Registered name on Facebook, Instagram, and the public profile picture of the Data Subject.
• Purpose of data processing: Presence on social media platforms, sharing, publishing, and marketing content found on the website. With the help of social media, the Data Subject can also learn about the latest promotions.
• Legal basis for data processing: The Data Subject’s voluntary consent to the processing of their personal data on social media.
• Duration of data processing, deletion of data, potential data processors, and rights of the data subjects related to data processing: Data processing is realized on the social media platforms, so the terms of service of the respective platform apply regarding the duration, methods, and possibilities for data deletion or modification.

9. DATA PROCESSING RELATED TO COOKIES

What is a cookie?

Cookies are small-sized text files where websites store information related to visits for a specific period and purpose. During repeated visits, the website can recognize the text file, thereby identifying the previous visitor.

The primary function of cookies is to make browsing more convenient and personalized. With their help, we can store various personal data and settings. Cookies can also facilitate targeted, personalized advertising campaigns.

The Company’s website was created with the assistance of a portal and uses its engine. The portal and the sites created with its assistance can use the cookies defined below; however, the Data Controller does not use these cookies in any way. The used cookies communicate between the data subject’s device and the portal but do not forward or transmit any data to the Data Controller. Therefore, the portal’s data management guide is applicable concerning the used cookies.

Types of Cookies

The cookies used on the Company’s website can be categorized into 4 different groups, in accordance with the classification of the International Chamber of Commerce:

Strictly Necessary

These cookies are essential for browsing the website. Without these cookies, delivering content visited on the Company’s website (including the use of secure protocols) becomes impossible.

The Company’s website identifies you during its use with the help of a cookie containing an encrypted character string. Each time you enter the User Interface, we place this unique identifier cookie on your machine. For example: session cookie.

These cookies are essential for the website’s operation, so there is no option to disable them. Please do not continue using the Company’s website if you do not want these cookies to be downloaded to your browser.

Performance Enhancing

These cookies collect information about how visitors use a website. For example, which pages they visit most frequently, or where they encounter error messages.

These cookies do not store information that would identify visitors on websites. The information collected with their help is used exclusively in aggregate and anonymously. Their purpose is to improve the functions and user experience available on the Company’s website. For example: has_js__cdrop.

Cookies collecting data about the website’s performance can be disabled or deleted in the browser settings.

Storing Individual Settings

These cookies allow for the storage of user names and selected language preferences used on the website. For instance, a website can deliver local news based on the visitor’s geographic location stored in a cookie. These cookies are suitable for storing changed font sizes or other similar settings. The settings stored in the cookies are anonymous. Their stored values cannot be traced back to individual Data Subjects by the operator. For example: Drupal.tableDrag.showWeight, Drupal.toolbar.collapsed.

Disabling this type of cookie affects the functions of the Company’s website and, consequently, the user experience. However, cookies storing personal settings can be disabled or deleted in the browser settings.

Cookies Serving Web Analytics and Advertising Targeting

These cookies ensure that visitors encounter advertisements that match their interests. These service providers can store the visitors’ IP address and other non-personal identification information to display the Company’s advertisements on external websites in the future. For example: id, RSMKTO1, _mkto_trk, __utma, __utmb, __utmc, __utmz.

Cookies serving web analytics and advertising targeting can be disabled or deleted in the browser settings.

10. GOOGLE ADWORDS

The Data Controller uses the online advertising program “Google AdWords” to display its online advertisements, and also avails of Google’s conversion tracking service within this framework.

When the Data Subject reaches a website through a Google advertisement, a cookie necessary for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, so the Data Subject cannot be identified by them. Moreover, every Google AdWords Data Subject receives a different cookie, so they cannot be tracked through the websites of AdWords Data Subjects.

The information – obtained with the help of conversion tracking cookies – serves the purpose of producing conversion statistics for Companies that have chosen AdWords conversion tracking. Thus, companies can be informed about the number of Data Subjects who clicked on their advertisement and were forwarded to a page tagged with a conversion tracking tag.

If you do not wish to participate in conversion tracking, you can opt out by disabling the possibility of installing cookies in your browser. After this, you will not appear in the conversion tracking statistics.

For more information and Google’s privacy statement, please visit: www.google.de/policies/privacy/

11. GOOGLE ANALYTICS

The operator of the Company’s website uses the Google Analytics service for statistical analysis of visitors’ behavior. Despite the fact that the information obtained during the analysis does not contain personal data, in certain cases, traffic data can be traced back to the Data Subjects.

Google Analytics uses so-called “cookies”, text files saved on your computer, which help analyze the use of the website visited by the Data Subject.

Information created by cookies about the website use by the Data Subject is usually transferred to and stored on one of Google’s servers in the USA. By activating IP anonymization on the website, Google will truncate the IP address of the Data Subject within member states of the European Union or in other states party to the Agreement on the European Economic Area.

12. BARION

Essential cookies

Cookie name: ba_vid
Cookie description and its purpose: Its purpose is detecting fraud in case of online payment through Barion Smart Gateway based on the digital fingerprint of your browser and online habits. This cookie provides data that we can use to identify a website user through multiple sessions.
Provider: Barion Payment Inc.
Cookie lifetime in your browser: Till 1,5 years from the last update

Cookie name: ba_vid.xxx
Cookie description and its purpose: Its purpose is detecting fraud in case of online payment through Barion Smart Gateway based on the digital fingerprint of your browser and online habits. This cookie provides data that we can use to identify a website user through multiple sessions. It also collects ba_vid, digital fingerprint from browser settings, first-, current- and last visit timestamps on the site and that whether 3rd party cookies are enabled or not.
Provider: Barion Payment Inc.
Cookie lifetime in your browser: Till 1,5 years from the last update

Cookie name: ba_sid
Cookie description and its purpose: Its purpose is detecting fraud in case of online payment through Barion Smart Gateway based on the digital fingerprint of your browser and online habits. This cookie provides data that we can use to identify a user through multiple websites.
Provider: Barion Payment Inc.
Cookie lifetime in your browser: 30 minutes

Cookie name: ba_sid.xxx
Cookie description and its purpose: Its purpose is detecting fraud in case of online payment through Barion Smart Gateway based on the digital fingerprint of your browser and online habits. This cookie provides data that we can use to identify a user through a single website.
Provider: Barion Payment Inc.
Cookie lifetime in your browser: 30 minutes

Marketing cookies

Cookie name: BarionMarketingConsent.xxx
Cookie description and its purpose: Its purpose is storing your statement of consenting to the collection and usage of data regarding your browser sessions and shopping habits to provide you with tailored advertisements and offers. Provided you gave your consent, data collected by the following cookies placed for the purpose of credit card fraud prevention is also going to be used to analyze your browsing and shopping habits and to provide tailored advertisements and offers.
Provider: Barion Payment Inc.
Cookie lifetime in your browser: Till 1,5 years from the last update

Cookie name: Media and advertiser partners’ cookie
Cookie description and its purpose: Its purpose is providing a match between Barion’s and Partner’s ID cookies. In the cookie matching process our Partner’s server downloads and stores its own ID in the user’s browser in order to synchronize Barion and Partner IDs.
Provider: See in privacy notice
Cookie lifetime in your browser: Read more details about cookies in our Partners’ cookie policy. List of the Partners who use these kinds of cookies are available here with links to their own cookie policies.

Rights of the Data Subjects

The following rights apply to data subjects regarding personal data processed by the Company:

Right to information:

Upon the request of the data subject, the Data Controller provides information about the data they manage or process through an appointed data processor, their sources, the purpose and legal basis of data processing, the duration of data processing, the name and address of the data processor, and activities related to data processing. The Data Controller also informs about circumstances, impacts, and measures taken in case of a data protection incident and, in case of transferring data, the legal basis and recipient of the transfer.

Right to rectification:

If the personal data does not correspond to reality, and the actual personal data is available to the Data Controller or provided by the data subject, the Data Controller corrects the personal data.

Right to erasure:

The data subject has the right to request the Data Controller to delete their personal data without undue delay. The Data Controller is obligated to delete personal data without undue delay. However, personal data cannot be deleted if the processing was mandated by law.

Right to restriction of processing:

The data subject can request the Data Controller to restrict the use of their personal data if any of the following applies:

1. The data subject disputes the accuracy of the personal data – in this case, the restriction applies for the time necessary for the Data Controller to verify the accuracy of the data;
2. The data processing is unlawful and the data subject opposes the deletion of the data, instead requesting the restriction of its use;
3. The Data Controller no longer needs the personal data for processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
4. The data subject has objected to the processing – in this case, the restriction applies while it is determined whether the legitimate grounds of the Data Controller override those of the data subject.

If the processing is restricted, such personal data, excluding storage, can only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, for the protection of the rights of another person or for reasons of important public interest of the Union or of a Member State.
The Data Controller informs the data subject in advance about the lifting of the data processing restriction.

Right to data portability:

The data subject has the right to receive their personal data, which they provided to the Data Controller, in a structured, commonly-used, and machine-readable format, and has the right to transmit those data to another data controller.

Right to Object

The Data Subject has the right to object to the processing of their personal data if:

• The processing or transfer of personal data is solely for the purpose of fulfilling a legal obligation applicable to the Data Controller or for asserting the legitimate interests of the Data Controller, the recipient, or a third party, unless processing is required by law;
• The processing or transfer of personal data is for the purpose of direct business acquisition.

In this case, the Data Controller cannot continue to process the data, unless the Data Controller proves that there are compelling legitimate reasons for the processing that override the interests, rights, and freedoms of the data subject, or which are related to the establishment, exercise, or defense of legal claims.

Automated Decision Making in Individual Cases, Including Profiling

The Data Subject has the right not to be subject to a decision based solely on automated processing – including profiling – which would have legal effects concerning them or significantly affect them in a similar manner.

This right does not apply if the processing:

• Is necessary for entering into, or the performance of, a contract between the Data Subject and the Data Controller;
• Is authorized by Union or Member State law to which the Data Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights, freedoms, and legitimate interests; or
• Is based on the Data Subject’s explicit consent.

Procedural Rules

The Data Controller has twenty-five (25) days to delete, restrict, or correct personal data. If necessary, considering the complexity of the request and the number of requests, this period can be extended by another two months. The Data Controller will inform the Data Subject about this extension within one month of receiving the request, specifying the reasons for the delay. If the request was submitted electronically, the information will be provided electronically, unless the Data Subject requests otherwise.

If the Data Controller does not fulfill the Data Subject’s request for correction, blocking, or deletion, it will notify the reasons for the rejection in writing or electronically within 25 days.

In case of rejection, the Data Controller will inform the Data Subject about the possibility of judicial remedy and the opportunity to turn to the Authority. If the rights of the Data Subject are violated, they can turn to the court. The Data Controller must prove that data processing complies with the legal provisions. The lawsuit falls within the jurisdiction of the court.

The Data Controller will examine the objection as soon as possible, but no later than 15 days from the submission of the request, make a decision on its validity, and inform the requester in writing about the decision. If the Company determines the objection is valid, it will stop data processing, including further data collection and transfer, and lock the data. It will notify all those to whom the data was previously transferred about the objection and the measures taken based on it. These parties are obliged to take action to enforce the right to object.

If the Data Subject disagrees with the Company’s decision, they can turn to the court within 30 days of the decision’s announcement. However, data cannot be transferred to the data recipient if the Company agreed with the objection or if the court established the validity of the objection.

13. COMPLAINT HANDLING

Compensation and Damages, Right to Turn to Court:

If the Data Controller processes the Data Subject’s data unlawfully or breaches data security requirements, causing harm to another, the Data Controller must compensate for the damage. In the event of a violation of the Data Subject’s personal rights, the Data Subject can claim damages (Ptk. 2:52. §).

The Data Controller is also liable for damage caused by the data processor.

The Data Controller will not compensate for the damage and no damages can be claimed if the damage or the violation of personal rights resulting in legal injury came from the Data Subject’s intentional or grossly negligent behavior.

Data Protection Authority Procedure:

In the case of inappropriate data processing, the Data Subject can file a complaint with the National Data Protection and Freedom of Information Authority at the following contact details:

• Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
• Mailing address: 1530 Budapest, Pf.: 5.
• Phone: 06-1/391-1400
• Fax: 06-1/391-1410
• Email: ugyfelszolgalat@naih.hu
• Website: http://www.naih.hu