This data management information describes that LABTECH Ltd. (registered office: 4031 Debrecen, Vág út 4., company registration number: 09-09-000369) and its partners (hereinafter: Labtech, “we”), its mobile application (“App”) and its website, http://www.labtech.hu (the “Site”) (collectively, the “Services”) collects, manages, uses, transmits and protects the personal information of its customers.

Labtech Ltd. pays special attention to the fact that during the collection, handling, use, processing and possible transmission of personal data, Act CXII of 2011 on the right to information self-determination and freedom of information. Act CVIII of 2001 on certain issues of electronic commerce services and information society services. Act 2016/679 / EU on the protection of individuals with regard to the processing of personal data and on the free movement of such data, ie the GDPR and other relevant legislation, national and international recommendations.

Data protection is important for Labtech Ltd., so be it a new or old user, you can get to know our practice below, and in case of further questions, contact us at http://www.labtech.hu/kapcsolat/ or at info@labtech.hu email address.

This data management information is an integral part of the contract (the “Contract”) concluded between Labtech Ltd. and you.

1. Explanatory Provisions

Affected person	Any natural person identified or identifiable, directly or indirectly, on the basis of personal data.
Personal data	Any data that can be related to the Customer – especially the name, username of the customer and any knowledge characteristic for one or more physical, physiological, mental, economic, cultural, or social identity of the Customer – and any conclusion related to the Customer drawn from the data.
Contribution (Consent)	A voluntary and firm declaration of the data subject’s intention, based on adequate information, giving his or her unambiguous consent to the processing of personal data concerning him or her, in whole or in part.
Protest	A statement by the data subject objecting to the processing of his or her personal data and requesting the termination of the data processing or the deletion of the processed data.
Data controller	A natural or legal person, or an organization without legal personality, which either alone or jointly with others determines the purpose of the processing of data, makes and implements decisions on the processing of data (including the means used) or implements it with the processor.
Data management	Irrespective of the procedure used, any operation or set of operations on data, in particular the collection, recording, systematisation, storage, alteration, use, consultation, transmission, disclosure, coordination or interconnection, blocking, erasure and destruction of data, and preventing its further use. It also includes taking photographs, sound or images and recording physical features capable of identifying a person (e.g. fingerprint or palm print, DNA sample, iris image).
Data transmission	Making the data available to a specific third party.
Disclosure	Making data available to anyone.
Data deletion	Making the data unrecognizable in such a way that it is no longer possible to recover it.
Data erasure	Performing technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data.
Data processor	A natural or legal person or an organization without legal personality who, under a contract, including a contract concluded under the law, processes data on behalf of the controller.
Data file	The set of data managed in one record.
Third person	A natural or legal person or an organization without legal personality who is not the same as the data subject, the controller or the processor.
EEA State	A Member State of the European Union and another State party to the Agreement on the European Economic Area and a State of which a State party to the Agreement on the European Economic Area is a national under an international agreement concluded between the European Union and its Member States and a State not party to the Agreement on the European Economic Area enjoys the same legal status as a national of a State.
Third country	Any non-EEA state.
Privacy Incident	Unlawful handling or processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage.

2. Processed Personal Information

The personal data of customers / business partners managed and stored at our company is described in Chapter 4 for each data management.

Company data related to a sales or supplier contract or the performance of a contract or other business documents and records do not constitute personal data.

Patient data on the data carriers of the products returned to our company (including the ECG measurement itself, the accelerometer data of the mobile device, the average heart rate, in which part of the human body the ECG was recorded, local time, time zone and geographical location, etc.) are not handled and are not stored.

3. Scope of Data Processing

The individuals involved in each of the data processing operations listed in Chapter 4 are responsible officials or employees of organizations that use Labtech’s services or provide a service / product to Labtech.

We only process the personal data of individuals who have not objected to individual data processing and have made their personal data available to us in accordance with their free will. If the legal basis of the data management is “Consent for one or more purposes”, Labtech Ltd. ensures the detailed information of the data subjects through this clear prospectus and the acquisition of the consent rights declarations.

Labtech Ltd., as a data controller, handles the processed data only for the purpose specified in the table according to Chapter 4, for a fixed period of time and does not make it available to third parties other than the described data processors.

By transferring the personal data to Labtech Ltd., you guarantee the correctness and accuracy of the data.

If the data is provided to Labtech not by the natural person but by his / her employer, Labtech shall not be liable for obtaining the natural person’s consent to the data transfer.

Labtech Ltd. excludes its liability in case of false or erroneous data provided by data sources.

4. Data Managements

5. Duration of Data Management

Data shall be processed only to the extent necessary for the purpose, for the time and only with the personal data that are strictly necessary and otherwise suitable for the purpose, in particular as long as your rights and administration obligations exist.

In determining the storage period of personal data, the following have been taken into account:

• The limitation period for claims arising from the contractual relationship between you and Labtech Ltd.
• The limitation period of claims related to the legal obligations of Labtech Ltd. under the Contract with the longer duration.

The storage time for each data is described in the table in Chapter 4. If a data occurs in more than one data management, the longer period according to the table shall prevail in determining the storage time for the data. The data stored in this way can only be used for data processing that is still in force.

6. Data Processing

Recipients of personal data within Labtech Ltd.:

• The top management of the company
• Employees of the commercial department
• Employees of the testing and support department
• Employees of the service department
• Employees of the quality assurance department

Labtech Ltd. uses the following data processors for its data management activities:

7. Entitled for Accessing Data

Employees, senior executives, consultants, data processing or other employees of Labtech Ltd. who need access for their work and who are bound by confidentiality obligations.

8. Transmission of Data

We recognize that your data is valuable and will do our best to protect it in our data processing.

In certain cases, we will share the personal data you provide with third parties who cooperate with us or act on our behalf, if this is necessary to achieve the purpose for which the data subject or you provided the data. Labtech Ltd. may also transfer personal data to other third parties if this serves the more efficient service of you, or if the said third parties process the affected data on behalf of Labtech Ltd.

Labtech Ltd. may transfer personal data to third party data processors that provide an appropriate level of technical and organizational guarantees. Labtech Ltd. may use external service providers to perform regular server maintenance, data storage or other IT tasks in accordance with generally accepted data protection practices.

We will only share information with other third parties if:

• We have the consent of the data subject;
• It is required of us by law;
• necessary for the purpose of legal proceedings, in connection with them or for the exercise or protection of rights guaranteed by law.

As soon as the conditions for the lawful handling or transfer of the data cease, Labtech Ltd. will immediately take action to delete the personal data from the database and send you a notification about the fact of the deletion.

9. Data Security

During the data management, Labtech Ltd. became aware of the data stored both in the electronic information system and on the traditional paper-based data carriers with the utmost care, strict confidentiality and seeks to protect them by all legal means, especially against unauthorized access, alteration, transmission, disclosure, other misuse, erasure or destruction, and technical and organizational measures against accidental destruction and damage.

The IT system of Labtech Ltd. provides adequate security for the management of data in an electronic information system. Like Labtech Ltd., our data controllers and partners ensure the protection of data and use it strictly for a specific purpose.

Personal data can only be accessed by duly authorized employees and data controllers who are authorized to do so. We have implemented generally accepted technological and operational security solutions to prevent the loss, alteration, destruction or misuse of identifiable personal information.

10. Newsletter

You can consent to Labtech Ltd. sending professional materials and other information and notifications related to Labtech Ltd. to the given email address in the form of a newsletter. Subscription is voluntary and can be canceled at any time via the link or reply email provided in the newsletter.

Labtech Ltd. creates a database from the data of the persons who provide their company contact details as contact persons (company name, name, position, company email address, if they cannot be linked to a natural person). In addition, in the opinion of Labtech Ltd., it regularly sends newsletters on topics that may be of interest to them.

Through the newsletter sending service, it draws the attention of the organizations represented by the contact persons to the current rules related to the activities of Labtech Ltd. and their changes and provides guidance on the practical application of each rule. It offers the opportunity to participate in (online) events as well as the direct contact details of its employees in connection with the topics.

Labtech Ltd. reserves the right to exclude anyone from sending newsletters at any time. Labtech Ltd. handles the data until the data subjects request their deletion.

11. Cookies

When you use our services or open our emails, we may collect certain information in an automated manner, such as cookies, web beacons, and web server logs. The information collected in this way includes your IP address, browser characteristics, device characteristics, operating system version, language preferences, referring URLs, information about steps taken on our services, and when you visit the website. This information does not identify you.

If you continue to use our services, we will assume that you enable this collection. If you wish to use the Services without cookies, you can log in at
http://www.labtech.hu/aboutus/privacy
Please note, however, that without cookies you may not be able to use all the features of our services.

We use cookies, web beacons, web server logs and other automated tools for purposes such as:

• Customizing user visits on websites;
• Providing user-tailored content and improving user experience;
• Supporting other aspects of our websites and business operations.

We may use third-party web analytics services to run our Services, such as Google Analytics, which use technologies like cookies, web server logs and web beacons to collect usage information. To learn more about Google Analytics and how to opt out, visit
http://www.google.com/analytics/learn/privacy.html

12. Customer Rights

1. The Right of Access

You are entitled to receive feedback from the data controller about whether your personal data is being processed and, if such processing is in progress, you have the right to have access to your personal information and related information.

2. The Right of Rectification

You are entitled to request the data controller to rectify any inaccurate personal information that he or she is required to do without undue delay. Taking into account the purpose of data management, you are entitled to request the supplementation of incomplete personal data, including by means of a supplementary statement.

3. The Right to Cancel (Erasure)

You are entitled to request that the data controller, without undue delay, erase personal information about you, and the data controller is obliged to delete personal information about you without undue delay under certain conditions.

4. The Right to Be Forgotten

If the data controller has disclosed the personal data and is required to cancel it, taking reasonable steps, including technical measures, the controller will inform other controllers processing the data that you have requested deletion of links to or copies of such personal data.

5. The Right to Restrict Data Management

You are entitled to request that your data controller restricts your data handling if one of the following conditions is met:

• You dispute the accuracy of your personal data;
• Data handling is illegal and you oppose deletion of data and request restriction instead;
• The data controller no longer needs personal data for data processing, but you
  require them to submit, enforce, or protect legal claims;
• You have objected to data manipulation; restriction applies while it is established
  whether the data controller’s legitimate reasons override yours.

6. The Right to Data Portability

You are entitled to receive personal data that you have provided to a data controller in a structured, commonly used and machine-readable format and are entitled to transmit this data to another data controller without hindrance.

7. The Right to Protest (Object)

You are entitled to object to the handling of your personal information, including profiling, at any time for reasons relating to your own situation.

8. Protest in Case of Direct Business Acquisition (Direct Marketing)

If your personal data is handled for direct business (direct marketing), you are entitled to object at any time to the handling of personal data relating to it, including profiling, if it is related to direct business acquisition. If you object, your personal information can no longer be handled for that purpose.

9. Automated Decision-Making in Individual Cases, Including Profiling

You are entitled to exclude the scope of any decision based solely on automated data handling, including profiling, which would significantly affect you.

The preceding paragraph shall not apply if the decision is:

• Required to conclude or perform a contract between you and the data controller;
• Authorized by Union or Member State law which also lays down appropriate measures
  to protect your rights and freedoms and legitimate interests; or
• Based on your explicit consent.

13. Deadline for Action

The data controller informs you of any measures taken in response to your requests without undue delay but in any case within 1 month of receipt of the request. If necessary, this may be extended by 2 months. You will be informed of any extension.

If the data controller fails to take action upon your request, you will be notified within one month of the reasons and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.

14. Informing the Person Concerned about the Privacy Incident

If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the privacy incident without undue delay.

Information will be clear and easily understood and include the nature of the privacy incident, contact details of the Data Protection Officer or other contact person, the likely consequences of the incident, and measures taken or planned to remedy the incident.

You will not be informed if:

• The data controller has implemented appropriate technical and organizational protection measures (e.g. encryption) which make the data unintelligible to unauthorized persons;
• After the incident, the data controller has taken measures to ensure that high risk is no longer likely to materialize;
• Informing would require disproportionate effort; in such cases, public communication or similar measures will be used.

If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may require notification.

15. Report a Data Protection Incident to the Authority

The data protection incident shall be reported by the controller to the supervisory authority competent under Article 55 without undue delay and, if possible, no later than 72 hours after becoming aware of the incident, unless it is not likely to jeopardize the rights and freedoms of individuals. If the notification is not made within 72 hours, the reasons for the delay must be provided.

16. Review in Case of Mandatory Data Management

If the duration of the mandatory data processing or the periodic review of the need for it is not specified by law, a local government decree or a mandatory legal act of the European Union, the data controller shall review at least every three years whether the processing of personal data is necessary for the purpose.

The circumstances and results of this review shall be documented by the controller, kept for ten years after the review and made available to the Authority upon request.

17. Possibility for Complaint

Complaints against possible breaches of the data controller can be lodged with the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Postafiók 5.
Telephone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu

18. Other Information

Labtech Ltd. reserves the right to unilaterally amend this data protection information at any time. We will clearly inform you in writing of any changes at one of the contact details provided in the contract.

If you have any questions or comments, feel free to contact Labtech Ltd. at one of the following contacts:

• Telephone: +36 52 500 128
• E-mail: info@labtech.hu
• Address: 4031 Debrecen, Vág út 4.
• Mailing address: 4031 Debrecen, Vág út 4.

19. Regulations Taken into Account

• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive
  95/46/EC (GDPR)
• Act CXII of 2011 on information self-determination and freedom of information (Infotv.)
• Act CVIII of 2001 on Electronic Commerce and Information Society Services (in particular Section 13/A)
• Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices
• Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity (in particular Section 6)
• Act XC of 2005 on Electronic Freedom of Information
• Act C of 2003 on Electronic Communications (specifically Article 155)
• Opinion No. 16/2011 on the EASA / IAB Recommendation on Best Practice in Behavioral Online Advertising
• Recommendation of the National Data Protection and Information Authority on data protection requirements for prior information