PRIVACY POLICY

Pauger Kft. (hereinafter referred to as “Organization”) processes the personal data of natural persons who provide their personal data to the Organization in the course of its operation and the operation of the website https://www.paugercarbon.com/ (hereinafter referred to as the “Website”), visitors to the Website, registrants on the Website, or those who provide their personal data in other ways (hereinafter collectively referred to as “Data Subject”). In relation to data processing, the Organization hereby informs the Data Subjects about the personal data it processes, the principles and practices it follows regarding personal data processing, and the manner and possibilities for exercising the rights of the Data Subjects. By giving consent, the Data Subject accepts the contents of the Data Management Information and consents to the data processing specified below.

1. Name of the Organization as Data Controller

Company name: Pauger Kft.

Headquarters, mailing address: 1016, Budapest, Naphegy tér 5/A
Email: info@paugercarbon.com
Tax number: 11927538-2-41
Company registration number: 01-09-683694

2. Data Protection Laws

In the course of its data management practice, the Organization takes into account the relevant, always current legislation. The data management principles published in this information are in accordance with the following laws:

• Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Data of Public Interest;
• Act CXIX of 1995 on the Management of Name and Address Data for Research and Direct Marketing Purposes (DM Act);
• Act VI of 1998 on the Protection of Individuals during the Processing of Personal Data by Automated Means;
• Act C of 2003 on Electronic Communications;
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grt.);
• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);
• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).

3. Definitions

3.1 Personal Data
Data related to an identified or identifiable natural person (Data Subject) based on specific personal data, including but not limited to the Data Subject’s name, identification number, and one or more factors specific to the physical, physiological, mental, economic, cultural, or social identity of the Data Subject, as well as conclusions drawn from the data regarding the Data Subject.

3.2 Consent
The voluntary and explicit expression of the Data Subject’s will, based on adequate information, by which the Data Subject gives their unequivocal consent to the processing of personal data relating to them, either in full or for specific operations.

3.3 Objection
The Data Subject’s declaration in which they object to the processing of their personal data and request the termination of data processing and the deletion of the processed data.

3.4 Data Controller
A natural or legal person, or an organization without legal personality, which alone or jointly with others determines the purposes and means of the processing of personal data, makes decisions regarding data processing (including the means used) and implements them or has them implemented by a data processor.

3.5 Data Processing
Any operation or set of operations performed on data, regardless of the method applied, including but not limited to the collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment, combination, blocking, deletion, and destruction of data, as well as the prevention of further use of data, creation of photographs, sound, or images, and recording of physical characteristics suitable for personal identification (e.g., fingerprints, palm prints, DNA samples, iris images).

3.6 Data Transmission
Making data accessible to a specified third party.

3.7 Disclosure
Making data accessible to anyone.

3.8 Data Deletion
Making data unrecognizable in such a way that their restoration is no longer possible.

3.9 Data Blocking
Marking data with an identification mark to restrict its further processing for a definite or indefinite period.

3.10 Data Destruction
Complete physical destruction of the data carrier containing the data.

3.11 Data Processing
Technical tasks related to data processing operations, regardless of the method and means applied for the execution of operations, as well as the place of application, provided that the technical task is carried out on the data.

3.12 Data Processor
A natural or legal person, or an organization without legal personality, which processes data based on a contract with the data controller, including contracts concluded under legal provisions.

3.13 Third Party
A natural or legal person, or an organization without legal personality, who is not the same as the Data Subject, the data controller, or the data processor.

3.14 Third Country
Any state that is not a member of the European Economic Area.

3.15 Cookie
A text file that is stored on our computer by the website visited through the internet browser. Its function is to make surfing more comfortable and personalized, as it allows us to store various personal data, passwords. With the help of cookies, targeted/personalized advertising campaigns can also be carried out.

4. Principles Followed During Data Processing

Personal data may only be processed for specific purposes, for exercising rights, and fulfilling obligations. Data processing must comply with its purpose at all stages, and data must be collected and processed fairly and legally.

Only such personal data may be processed that is essential for the realization of the purpose of data processing, suitable for achieving the purpose. Personal data may only be processed to the extent and for the duration necessary for achieving the purpose.

During data processing, the accuracy, completeness, and – if necessary for the purpose of data processing – the up-to-dateness of the data must be ensured, and it must be ensured that the Data Subject can only be identified for the time necessary for achieving the purpose of data processing. The Data Subject is responsible for the correctness, completeness, and truthfulness of the provided data. The Organization is not liable for damages resulting from incorrectly provided data, even if the erroneous nature of the data could have been recognized. If a person acts on behalf of another person, the data provider is responsible for possessing a data protection consent declaration in line with this Data Management Information and proving it.

Personal data may only be processed with appropriate prior information based on consent, except if the processing is required by law or justified by the legitimate interest of the parties.

Personal data processed by the Organization is not disclosed to the public and is not transferred to third parties, except for the specified subcontractors, who are also not authorized to retain or further transfer the personal data.

Personal data may only be transferred to a data controller or data processor conducting data processing in a third country if the Data Subject has expressly consented to it. Data transfer to a state belonging to the European Economic Area is considered equivalent to data transfer within the territory of Hungary.

Before the start of data processing, the Data Subject must be informed whether the data processing is based on consent or mandatory. Before the start of data processing, the Data Subject must be clearly and thoroughly informed about all facts related to their data processing, particularly the purpose and legal basis of data processing, the persons authorized to process and handle the data, the duration of data processing, and who can access the data.

The information must also cover the Data Subject’s rights and remedies related to data processing.

The Organization ensures the security of the data and takes all necessary technical measures and develops procedural rules necessary for the implementation of data protection regulations in line with the provisions of the laws detailed in point 2.

5. Processing of Personal Data

5.1 Legal Bases

Personal data can be processed (GDPR Article 6(1)) if: a) The Data Subject has given consent for their personal data to be processed for one or more specific purposes; b) The processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract; c) The processing is necessary for compliance with a legal obligation to which the data controller is subject; d) The processing is necessary to protect the vital interests of the Data Subject or of another natural person; e) The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; f) The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, especially where the Data Subject is a child.

If data processing is based on the voluntary consent of the Data Subjects (Section 5(1) of the Infotv. and Section 13/A(3) of Act CVIII of 2001), giving consent implies acceptance of the contents of the data management information. According to Section 20(1) of the Infotv., the Data Subject must be informed about all facts related to data processing, including but not limited to the purpose and legal basis of data processing, the persons authorized to process and handle the data, the duration of data processing. According to Article 7(3) of the GDPR, the Data Subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal. The withdrawal of consent can be done in the same simple manner as its granting.

5.2 Personal Data Collected

Data Type	Purpose	Data Subjects	Legal Basis	Personal Data Type	Data Accessed By	Duration	Consequences of Non-Provision
CV Data	Possible employment contract	Job applicants	GDPR Art. 6(1)(f)	Personal, educational, career and other data required for evaluation	Managing Director	Duration of the evaluation process	May affect evaluation
Contract Data	For tax and financial purposes	Partners, representatives	GDPR Art. 6(1)(b)(c); Civil Code 2013	Name, address, contact details	Managing Director	At least 6 years after contract termination	Administrative errors may occur
Contact Data	For business activities	Partners, representatives, employees	GDPR Art. 6(1)(f)	Name, address, contact details	Managing Director, authorized employees	At least 6 years after contract termination	Data Subject may not be reachable
Invoice Data	For billing and delivery	Customers	GDPR Art. 6(1)(b)(c); VAT Act 2007	Customers’ personal data (name, address, phone number, email)	Managing Director	At least 6 years after invoice issuance	Administrative errors may occur
Website Visitors’ Data	To monitor website operation and prevent abuse	Website visitors	GDPR Art. 6(1)(f); Act CVIII of 2001	Date, time, user’s computer IP address, visited page URL, previous page URL, user’s OS and browser data	IT department	30 days from website visit	No information on user activities

6. Persons Entitled to Know the Data, Data Transmission, Data Processing

The data is primarily accessible to the Organization, the companies contracted with the Organization for data processing (recorded in the Register of Third Parties and Data Controllers), and the Organization’s internal staff, but not made public or transferred to third parties. The Organization may use data processors to achieve the specified goals.

Beyond the above, the personal data of the Data Subject may only be transferred if required by law or with the consent of the Data Subject.

7. Possibility of Modifying the Data Management Policy

The Organization reserves the right to unilaterally modify this data management policy with prior notice to users. By using the service after the modification takes effect, you accept the modified data management policy.

8. Rights of Users Regarding the Processing of Their Personal Data

The Data Subject may request information about the processing of their personal data and request the correction or, with certain exceptions provided by law, the deletion of their personal data. Upon request, the Organization provides information to the Data Subject about the data it processes, the purpose, legal basis, and duration of data processing, the name, address (registered office), and activity related to data processing of the data processor, and who and for what purpose receive or have received the data (details in GDPR Article 15). The data controller provides the information in writing, in an understandable form, within the shortest possible time from the submission of the request, but no later than within 30 days. This information is free of charge. The request for information should be sent by email to info@paugercarbon.com, to which the Data Subject will receive a reply within 8 business days.

Under GDPR Article 16, the Data Subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning them. Upon the Data Subject’s request, the data controller is obliged to correct the inaccurate personal data concerning them without undue delay. Considering the purpose of data processing, the Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Under GDPR Article 17, the Data Subject has the right to obtain from the data controller the erasure of personal data concerning them as follows:

1. The Data Subject has the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller has the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the Data Subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; c) the Data Subject objects to the processing for direct marketing purposes, and there are no overriding legitimate grounds for the processing; d) the personal data has been unlawfully processed; e) the personal data must be erased to comply with a legal obligation; f) the personal data has been collected in relation to the offer of information society services.
2. If the data controller has made the personal data public and is obliged to erase the personal data, the data controller, taking into account available technology and implementation costs, shall take reasonable steps, including technical measures, to inform other data controllers processing the personal data that the Data Subject has requested the erasure of any links to, or copy or replication of, those personal data.
3. The restriction of the Data Subject’s right to erasure may only occur under the following exceptions in GDPR:
   • the exercise of the right to freedom of expression and information;
   • compliance with a legal obligation or the performance of a task carried out in the public interest;
   • public health purposes;
   • archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
   • the establishment, exercise, or defense of legal claims.

Under GDPR Article 18, the Data Subject has the right to obtain from the data controller restriction of data processing as follows:

1. The Data Subject has the right to obtain from the data controller restriction of data processing where one of the following applies: a) the accuracy of the personal data is contested by the Data Subject, for a period enabling the data controller to verify the accuracy of the personal data; b) the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the data controller no longer needs the personal data for the purposes of processing, but the Data Subject requires the data for the establishment, exercise, or defense of legal claims; d) the Data Subject has objected to processing pending the verification of whether the data controller’s legitimate grounds override those of the Data Subject.
2. Where data processing has been restricted under the above, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. The data controller shall inform the Data Subject who has obtained restriction of processing before lifting the restriction.

Under GDPR Article 21, the Data Subject has the right to object to the processing of personal data concerning them as follows:

1. The Data Subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or for the purposes of the legitimate interests pursued by the data controller or by a third party, including profiling based on those provisions. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.
2. Where personal data is processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
3. At the latest at the time of the first communication with the Data Subject, the right referred to in the above paragraphs shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information.
4. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the Data Subject may exercise their right to object by automated means using technical specifications.
5. Where personal data is processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the Data Subject, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Under GDPR Article 20, the Data Subject has the right to data portability as follows:

1. The Data Subject shall have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where:
   • the processing is based on consent or on a contract, and
   • the processing is carried out by automated means.
2. In exercising their right to data portability, the Data Subject shall have the right to have the personal data transmitted directly from one data controller to another, where technically feasible.
3. The exercise of the right to data portability shall be without prejudice to the right to erasure. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
4. The right to data portability shall not adversely affect the rights and freedoms of others.

The Data Subject can indicate their demands to the Organization via the contact information provided in point 10. The Organization will inform the Data Subject of the decision in writing. If the Data Subject disagrees with the decision, they may turn to a court (tribunal) to enforce their rights, in which case the court will proceed urgently. The data controller will examine the request within the shortest possible time, but no later than 25 days, and inform the Data Subject of the decision in writing. If the Data Subject disagrees with the data controller’s decision or if the data controller fails to meet the 25-day deadline for examination, the Data Subject may turn to a court within 30 days of the communication of the decision or the last day of the deadline.

9. Declaration of the Data Controller

The data controller recognizes the content of this information as binding and undertakes that its data processing related to the service will meet the expectations defined in this information.

10. Remedies

Regarding data processing, the Data Subject has the following rights and remedies:

The Data Subject can request information about the processing of their personal data from the Organization at its contact points (email: info@paugercarbon.com; postal address: Összekötő út 3, 2475 Kápolnásnyék); in this context, the Organization provides information about the data it processes, the purpose, legal basis, and duration of data processing, and the legal basis and recipients of any data processing or transfer.

The Organization is obliged to provide the information in writing within 25 days, which can only be refused for reasons defined by law. The Data Subject has the right to legal remedies before a court and to lodge a complaint with a supervisory authority. In case of unlawful data processing observed by the Data Subject, a civil lawsuit can be initiated against the Data Controller. The case is within the jurisdiction of the tribunal. The lawsuit can be initiated before the tribunal of the Data Subject’s place of residence. Without prejudice to other administrative or judicial remedies, each Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to them infringes the GDPR.

The Data Subject can turn to the NAIH with their complaints and legal remedy requests: National Authority for Data Protection and Freedom of Information
Postal address: 1374 Budapest, Pf.: 603.
Address: 1055 Budapest, Falk Miksa utca 9-11
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu