Privacy Policy
Data Controller Information:
Data Controller: Oxygen SMD Ltd.
Headquarters: 1097 Budapest, Gubacsi út 6/D
Company Registration Number: 01-10-047568
Tax Number: 23288940-2-43
Email Address: office@oxygensmd.hu
Phone Number: +36 1 456 3600
Representative: Péter Borbély, Managing Director
1. General Provisions
Oxygen SMD Ltd. has established this Privacy Notice (hereinafter referred to as the “Notice”) to define its internal data protection processes, ensure the rights of individuals, and prevent data protection incidents. Oxygen SMD Ltd. conducts its data processing activities in compliance with the applicable internal rules, technical, and organizational measures to adhere to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (commonly referred to as the General Data Protection Regulation or GDPR), as well as Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Info Act”).
The objective of this Notice is to provide clear and comprehensible information to data subjects regarding the personal data collected, processed, or managed by Oxygen SMD Ltd. and its processors. It details the sources of data collection, the purpose and legal basis of processing, potential retention periods, the identity and contact details of data controllers, data processing activities, and the purpose, legal basis, and recipients of data transfers.
The scope of this Notice applies to the personal data processed by Oxygen SMD Ltd. concerning natural persons who are in a contractual relationship with, or involved in a contractual offer with, the company (including employees, sole proprietors, individual companies, natural person buyers, sellers, suppliers, and other natural persons engaged in contractual relations). The scope also extends to the contact information of representatives of legal entities connected to Oxygen SMD Ltd. For definitions, the terms outlined in Article 4 of the GDPR are applicable, along with additional definitions provided in specific chapters of this Notice.
Oxygen SMD Ltd. is engaged in design, manufacturing, SMT and CNC contract manufacturing, as well as creating customized decorative lighting for advertising and architectural purposes. Additionally, the company offers consultancy services to provide unique and comprehensive solutions tailored to its clients’ needs.
2. Definitions and Framework
The purpose of these definitions is to clarify the subjects of regulation and the specific meanings of various terms used in the system of rules. Below are the key definitions:
Data Processor:
A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
Data Processing:
Any operation or set of operations performed on personal data or on sets of personal data, whether automated or not. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Restriction of Data Processing:
The marking of stored personal data with the aim of limiting their future processing.
Definitions and Terminology
Data Controller:
A natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of processing personal data. Where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Protection Impact Assessment (DPIA):
The evaluation of the impact of processing operations on the rights and freedoms of data subjects, particularly when using new technologies.
Data Protection Incident:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Data Protection Officer (DPO):
An individual who monitors the data controller’s or processor’s activities to ensure compliance with data protection regulations. (See Section 7: Security of Personal Data)
Pseudonymization:
The processing of personal data in such a way that the data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Criminal Personal Data:
Personal data relating to criminal convictions, offenses, or related security measures (as per Article 10 of the GDPR).
Recipient:
A natural or legal person, public authority, agency, or other body to which personal data is disclosed, regardless of whether it is a third party. However, public authorities that may receive personal data in the framework of a specific inquiry in accordance with Union or Member State law are not considered recipients; the processing of such data by those public authorities must comply with applicable data protection rules.
Third Party:
A natural or legal person, public authority, agency, or other body other than the data subject, data controller, data processor, and persons who, under the direct authority of the data controller or processor, are authorized to process personal data.
Consent:
A freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.
Supervisory Authority:
An independent public authority established by a Member State pursuant to Article 51 of the GDPR.
GDPR:
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Filing System:
Any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
Personal Data
Personal Data:
Any information relating to an identified or identifiable natural person (data subject). A natural person is identifiable directly or indirectly, for example, by reference to a name, an identification number, location data, online identifier, or specific factors related to physical, genetic, economic, or social identity.
Special Categories of Personal Data:
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data, health data, or data concerning a natural person’s sex life or sexual orientation (as per Article 9(1) of the GDPR).
- Biometric Data:
Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person that allows or confirms unique identification, such as facial images or fingerprint data.
- Health Data:
Personal data related to the physical or mental health of a natural person, including information about the provision of health services that reveals information about their health status.
- Genetic Data:
Personal data relating to the inherited or acquired genetic characteristics of a natural person, which provides unique information about the person’s physiology or health and is derived primarily from the analysis of a biological sample from the natural person.
Profiling:
Any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict characteristics concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Enterprise:
A natural or legal person engaged in economic activity, regardless of legal form, including partnerships or associations regularly engaged in economic activities. In this case, Oxygen SMD Ltd. acts as the Data Controller.
3. Principles of Data Processing
Oxygen SMD Ltd. processes personal data according to the following principles:
- Lawfulness, Fairness, and Transparency:
Personal data must be processed lawfully, fairly, and in a transparent manner for the data subject.
- Purpose Limitation:
Data collection must be for specific, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization:
Data processing must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
- Accuracy:
Personal data must be accurate and, where necessary, kept up to date. Reasonable steps must be taken to ensure that inaccurate personal data, considering the purposes of processing, are erased or rectified without delay.
- Storage Limitation:
Personal data must be stored in a form that permits identification of data subjects for no longer than necessary for the purposes for which the data is processed. Longer storage is only allowed for archiving in the public interest, scientific or historical research, or statistical purposes under Article 89(1) of the GDPR, provided that appropriate technical and organizational measures are implemented to protect the rights and freedoms of data subjects.
- Integrity and Confidentiality:
Data processing must be conducted in a way that ensures the appropriate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- Voluntary and Informed Consent:
The Data Controller processes personal data solely based on the voluntary, explicit, and informed consent of users, in accordance with Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act), Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising (Grt.), and this Data Processing and Privacy Policy.
4. Web Data Processing
Protecting the personal data of visitors and ensuring transparent and lawful data processing are of paramount importance to the operation of our website. The following information details the types of personal data we collect, the purposes for which we use them, and the rights of the data subjects. Our data processing practices comply with current data protection regulations, particularly the EU General Data Protection Regulation (GDPR), ensuring the adequate protection of personal data.
4.1 Job Applications
We process personal data when receiving and evaluating CVs and cover letters, whether they are submitted in response to a published job posting or as part of an inquiry without a prior job advertisement. The purpose of processing these data is to assess the suitability of the applicant for the given position.
Processed Data:
Only data voluntarily submitted by the data subject are processed, including name, contact details (e.g., phone number, email address), photo, educational background, qualifications, language skills, professional experience, and other relevant personal data required for the position (e.g., salary expectations or any other information provided by the applicant).
Retention Period:
- For published job postings: Data are stored until the last day of the first year following the submission of the application, to consider applicants for potential future openings.
- For general inquiries: Data are stored for six months.
By submitting their data, the data subject consents to the processing. Without such consent, the application cannot be evaluated.
4.2 Requests for Quotes and Newsletters
Purpose of Data Processing:
- Enabling registration/requests for quotes via the website.
- Keeping records of inquiries.
- Facilitating communication between the company and interested parties.
- Sending electronic newsletters to subscribers.
- Providing updates, promotions, and marketing communications related to the company’s services.
Legal Basis for Processing:
- Voluntary consent of the data subject (GDPR Article 6(1)(a)).
- Section 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Ekertv.).
- Section 6(5) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising (Grt.).
Processed Personal Data:
Name, phone number, email address, job title, and contact person name and address.
Retention Period:
- For quote requests: 24 months from the last login or submission of a request.
- For newsletter subscriptions: Until the receipt of a request for deletion.
If the data subject does not consent to the processing and storage of their data, the quote and potential contract cannot be completed. For newsletters, refusal to provide consent means the data subject accepts that they may miss out on promotions, sales opportunities, or company updates.
4.3. Use of Cookies
Definition and Purpose of Cookies:
Cookies, or anonymous visitor identifiers, are files or pieces of information stored on a user’s computer, internet device, smartphone, or tablet when visiting the website. Unless explicitly provided by the user, the Data Controller does not collect or process any personal data that could personally identify the user.
By visiting the website and clicking the “Accept” button, all users consent to the Data Controller recording data and information as outlined in section 4.3 of this Notice, including placing the cookies required for such recording. These data include information generated by the user’s computer during the use of the website, which are automatically logged by the system of Oxygen SMD Ltd. as a technical process.
Automatically recorded data are logged without the user’s specific declaration or action upon entering and leaving the website.
These data are not linked to other personal data, meaning the user cannot be identified based on this information. Only Oxygen SMD Ltd. and its designated data processors have access to these data. Such data can be collected using various technologies, including cookies, web beacons, and log files.
Types of Data Collected:
- Cookies: Short text files sent by the website to the user’s computer’s hard drive, containing information about the user.
- Log Files: The internet browser automatically sends certain additional data to the website, such as the user’s IP address, the operating system used, the browser type, the domain name from which the user accessed the website, the subpages visited within the website, and the content viewed on the website.
Usage and Limitations of the Information Collected:
- Website Optimization: The Data Controller analyzes these data to identify the most popular areas of the website. This information helps improve the user experience, develop popular products, and plan future promotions.
- Web Analytics: Website traffic and other analytical data are independently measured and audited by Google Analytics. Users can find detailed information about data management from the data controllers of Google Analytics:
- Website: www.google.com/analytics/
- Privacy Policy: Google Privacy Policy
- Data collected through the aforementioned technologies cannot be used to identify the user and are not linked to other identifiable information.
Cookie Management Options:
The website provides users the option to disable cookies. The Oxygen SMD Ltd. website always notifies users when a cookie is sent to their device. Information about managing cookies can be found in the settings of the internet browser.
It is important to note that disabling or restricting the use of cookies may negatively affect or disable certain functionalities of the website.
4.4. Hosting Information
The operation of the OXYGEN SMD Ltd. website requires the involvement of a hosting service provider, which is classified as a data processor. The hosting provider processes data based on the instructions of OXYGEN SMD Ltd. and may not use the data for its own purposes.
Hosting Provider:
- Name: Sybell Informatika Kft.
- Address: 1158 Budapest, Késmárk u. 7/B 2nd Floor, 206.
- Contact Email: hello@sybell.hu
5. Orders and Invoicing
OXYGEN SMD Ltd. may establish contractual relationships with legal entities and sole proprietors in the course of its business activities. Consequently, in cases of contracts with legal entities, the personal data of designated contact persons mentioned in the contract are processed. The purpose of data processing is to exercise rights and fulfill obligations arising from the contract.
Legal Basis for Data Processing:
- The consent of the data subject, pursuant to GDPR Article 6(1)(a).
- After the establishment of a contractual relationship, the legal basis includes the performance of the contract and compliance with legal obligations, pursuant to GDPR Article 6(1)(b) and Article 6(1)(c).
- Regarding the contact person of the contracting party’s employee, data processing is based on the legitimate interests of the data controller under GDPR Article 6(1)(f).
- Legitimate interest also applies during the statutory limitation period for potential legal claims.
- For invoicing data and projects under EU funding, the legal basis is compliance with legal obligations under GDPR Article 6(1)(c) and applicable laws, such as Act CXXVII of 2007 (Sections 159, 169) and Act C of 2000 (Sections 166-169).
Processed Data Categories:
- Personal Data:
Includes the name of the contact person or authorized representative mentioned in the contract, their corporate email address, and corporate mobile or landline phone number. These data are provided either by the data subject themselves or, in some cases, by their employer.
- Corporate Data:
Includes company name, billing address (street, number, city, postal code), tax number (or international tax number), corporate email address, and phone number.
Retention Period:
Personal data are retained for at least five years in accordance with the limitation period for civil law claims. In the event of legal enforcement, the retention period may exceed this duration.
Invoices must be retained for eight years from their issuance date, in compliance with Act C of 2000, Section 169(2). If consent to data processing for invoicing purposes is withdrawn, OXYGEN SMD Ltd. is still entitled to retain the data for eight years based on Info Act Section 6(5)(a).
Data Transfers:
Data may be transferred to VRNG Consulting Kft. (1013 Budapest, Attila út 2, B Building, Mezzanine 6/A).
If a representative of the contracting party declines consent for their personal data to be processed, the contract cannot be established due to the lack of data necessary for its execution.
6. Data Processing
The following companies process data on behalf of OXYGEN SMD Ltd.:
- IT Tasks: IT-PNG Kft.
- Website Development: Edina Pásti
- Web Hosting Provider: Sybell Informatika Kft.
- Website Analytics: Google Ireland Limited
- Billing System Maintenance:
OXYGEN SMD Ltd. reserves the right to involve additional data processors in the future. Users will be informed of any changes through updates to this Notice.
OXYGEN SMD Ltd. will only transfer personally identifiable data to third parties with the explicit consent of the user unless explicitly required by law.
7. Security of Personal Data
The Data Controller and Data Processor employ advanced technical and organizational measures to ensure the security of personal data, taking into account technological advancements, implementation costs, the purpose of data processing, and associated risks. These measures are proportionate to the severity of risks and aim to guarantee data security. These include pseudonymization, encryption, and ensuring the continuous security, integrity, and availability of systems. Additionally, in the event of an incident, the Data Controller is equipped to promptly restore access to the data and ensure system functionality. Security measures are regularly monitored, tested, and evaluated to ensure their effectiveness.
OXYGEN SMD Ltd. has not appointed a Data Protection Officer (DPO) as none of the cases listed in Article 37(1) of the GDPR apply:
- OXYGEN SMD Ltd. is not a public authority or body performing public tasks.
- Its primary activities do not include data processing operations requiring regular and systematic monitoring of data subjects on a large scale.
- Its primary activities do not involve the large-scale processing of special categories of personal data under Article 9 or data relating to criminal convictions and offenses under Article 10 of the GDPR.
7.1. Paper-Based Data Processing
To protect personal data processed on paper, the following security measures are implemented:
- Data is only accessible to authorized personnel and remains confidential and non-public.
- Documents in active processing are only accessible to relevant staff.
- Personnel handling the data may only leave the designated processing area if the data carriers are securely locked away or the room is locked.
- At the end of the workday, all paper-based data carriers are securely stored.
- If paper-based data is digitized, the security measures applicable to digital data are subsequently applied.
7.2. Digitally Stored Data
To ensure the protection of personal data stored on computers and networks, the Data Controller enforces the following measures and safeguards:
- Computers used for data processing are owned by the Data Controller or are subject to equivalent ownership rights.
- Access to data stored on computers is only granted via valid, personalized, and identifiable credentials, which include at least a username and password. The Data Controller ensures regular password updates.
- Continuous antivirus protection is provided for networks handling personal data.
- Available IT tools are employed to prevent unauthorized access to the network by external individuals.
8. Data Subject Rights
The rights of data subjects regarding the processing of their personal data are as follows:
Right to Information (GDPR Article 15):
- Data subjects have the right to request and receive accurate information about the processing of their personal data within 30 days.
- They can request confirmation from the Data Controller regarding whether their personal data is being processed and, if so, access to those data, including an electronic copy.
Right to Erasure (GDPR Article 17):
- Data subjects have the right to request the deletion of their personal data, especially if the processing is based solely on their consent and there is no other legal basis for processing.
- The data subject can withdraw their consent at any time without justification.
Right to Rectification (GDPR Article 16):
- Data subjects may request the correction of inaccurate personal data or the completion of incomplete data concerning them. The Data Controller must rectify the data without undue delay.
Right to Data Portability (GDPR Article 20):
- For data processing based on consent or contract, data subjects have the right to receive the personal data they provided to the Data Controller in a structured, commonly used, machine-readable format. They can also request the transfer of their data to another Data Controller. This right must not adversely affect the rights and freedoms of others.
Right to Object (GDPR Article 21):
- Data subjects have the right to object to data processing, particularly for processing based on legitimate interests. If an objection is raised, the Data Controller must cease processing unless compelling legitimate grounds exist that override the rights of the data subject, or the data processing is required for legal claims.
- For processing related to direct marketing or profiling, data subjects can object at any time, and their data must no longer be processed for these purposes.
Right to Restriction of Processing (GDPR Article 18):
Data subjects can request the restriction of data processing if:
- The accuracy of personal data is contested, for a period enabling the Data Controller to verify its accuracy.
- The processing is unlawful, but the data subject opposes erasure and requests restriction instead.
- The Data Controller no longer needs the data, but the data subject requires it for legal claims.
- The data subject has objected to processing; restriction applies while it is determined whether the Data Controller’s legitimate interests override the subject’s rights.
While processing is restricted, data may only be used with the data subject’s consent or for legal claims, protection of others’ rights, or important public interest.
Right to Avoid Automated Decision-Making (GDPR Article 22):
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affects them.
Conditions for Erasure:
The Data Controller must delete personal data without undue delay if:
- The data is no longer necessary for the purposes for which it was collected.
- The data subject withdraws their consent and no other legal basis exists.
- The data subject objects to the processing.
- The processing was unlawful.
- Deletion is required to comply with legal obligations.
- The data was collected in connection with the provision of information society services to children.
Notification of Other Controllers:
If the Data Controller has made personal data public and is required to delete it, they must take reasonable steps to inform other controllers processing the data to delete links, copies, or replications of the data, considering available technology and implementation costs.
9. Management of Data Breaches
A data breach is any event involving the personal data processed, transmitted, stored, or handled by OXYGEN SMD Ltd., which results in the unlawful processing of personal data. This includes unauthorized or accidental access, alteration, disclosure, deletion, loss, or destruction of data, as well as accidental damage or destruction.
OXYGEN SMD Ltd. must report a data breach to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) without undue delay, and no later than 72 hours after becoming aware of the incident. An exception applies if OXYGEN SMD Ltd. can demonstrate that the data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the notification cannot be made within 72 hours, the reason for the delay must be provided, and the required information may be disclosed in stages without undue further delay.
The notification to the NAIH must include the following information:
- The nature of the data breach, including the categories and number of data subjects and personal data records affected.
- The name and contact details of the Data Controller.
- The likely consequences of the data breach.
- The measures taken or planned to address, mitigate, or remediate the breach.
OXYGEN SMD Ltd. will notify affected data subjects of the data breach within 72 hours via its website. This notification must include at least the information specified above.
To ensure proper documentation and management of data breaches, OXYGEN SMD Ltd. maintains a Data Breach Register, which includes:
- The scope of affected personal data.
- The number and type of affected individuals.
- The date and circumstances of the data breach.
- The effects of the data breach.
- Measures taken to address the breach.
The records in the Data Breach Register are retained for five years from the detection of the data breach.
10. Contact Information
If you have any comments, questions, or complaints regarding this Privacy Policy, please contact us in writing or via email at the following:
Data Controller: OXYGEN SMD Ltd.
Postal Address: 1097 Budapest, Gubacsi út 6/D
Email Address: office@oxygensmd.hu
Phone Number: +36 1 456 3600
Representative: Péter Borbély, Managing Director