Privacy Policy | EU Training

PRIVACY NOTICE REGARDING THE USE OF THE WWW.EUTRAINING.EU WEBSITE AND THE PROVISION OF SERVICES RELATED THERETO

20th February 2024

The provider of the www.eutraining.eu Website (hereafter referred to as Website), which is Arboreus Online Training Services Limited Liability Company (company reg. no. 01-09-902506; seat: 1075 Budapest, Rumbach Sebestyén utca 12. A. ép. I. em. 2.; hereinafter as: Service Provider) informs the users of the data processing regarding the engagement of the Website of Service Provider as follows, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (hereafter referred to as GDPR).

1. TERMS

2. WHAT IS THE PURPOSE OF THE PRESENT NOTICE?

The website’s terms of use are governed by the Website GTC, which shall apply to all questions not addressed herein. By using the Website and the Training services, Service Provider and the User enter into an agreement per the provisions of the Website GTC. The present Privacy notice serves to provide adequate information to the Users on the processing of personal data by Service Provider, relating to the Website and the Training services, as it is required by applicable law.

Regarding the data processing taking place on the Website and the Training services, Service provider shall be deemed as a data controller.

3. WHAT IS THE PURPOSE OF THE WEBSITE?

On the Website, the Users may browse the available general information material and the Training service offers, as displayed by Service Provider without the need for registration, they may search among these by various criteria, and may choose to subscribe for the services thereon by filling out the provided registration and order form with their data.

The services on the Website and the Training services themselves may only be engaged by persons over the age of 18. The Training services may only be engaged by the Users for their own selves; in case of a User sending a subscription order on another person’s behalf, they guarantee that they are in possession of proper authorization from that person, regarding the processing and forwarding of their data.

Users are liable for any and all of the data and the contents uploaded by them, for which Service Provider expressly excludes liability.

4. HOW DOES THE PRESENT PRIVACY NOTICE APPLY TO THE USERS?

By accessing the Website, by utilizing the Training services thereon, and by using any of the Website functions, they automatically acknowledge the contents of the present Privacy notice without any separate statements.

5. HOW AND BY WHOM MAY THIS PRIVACY NOTICE BE AMENDED, AND HOW AND WHERE IS IT PUBLISHED BY SERVICE PROVIDER?

Service provider is entitled to unilaterally amend this Privacy notice at any time, publishing it in a joint, amended version on the Website, under a separate menu item. We request that all Users carefully read the present notice on every Website visit.

The present Privacy notice is continuously available on the Website. The Users may open, view, print, save the Privacy notice, but may not amend them, only Service Provide is entitled do so.

6. WHAT PERSONAL DATA DO WE PROCESS, FOR HOW LONG, FOR WHAT PURPOSES AND BY WHAT AUTHORIZATION?

The legal bases for our data processing are the following:

a. GDPR Article 6 (1) a) where the processing is based on the informed consent of the data subject (hereafter referred to as Consent)

b. GDPR Article 6 (1) b), on where processing is necessary for the Performance of Contract to which the data subject is party (hereafter referred to as Performance of Contract)

c. GDPR Article 6 (1) c) where data processing is necessary for the fulfilment of or compliance with a legal obligation of the data controller (e.g. obligations with tax statues – hereafter referred to as Legal obligation)

d. GDPR Article 6 (1) f) where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, (hereafter referred to as Legitimate interest)

e. the data processing authorisation afforded by Article 13/A of Act CVIII of 2001 on Electronic Commerce and on Information Society Services, where data controllers are authorised to process the natural identification data and home address of the recipients without the need for consent, as required for contracts for information society services, for defining their contents, for subsequent amendments and for monitoring performance of these contracts, for invoicing the relevant fees, and for enforcing the claims arising out of or in connection with such contracts., moreover, where data controllers are authorised to process natural identification data and home address for the purposes of invoicing for the fees payable under the contracts for the provision of information society services to the extent related to the use of information society services, and information relating to the date, the duration and the place of using the service. (hereafter referred to as E-Commerce)

The legal basis for the data processing is specified below, per data categories and by reference to the elements of the above list.

6.1. Data processed regarding registered Users pertaining to their use of the Website and their engagement of the Training services thereon

In order to use the Training services or the Website’s functions, the Users shall provide their data. Certain data shall be provided during the registration which is necessary for the online purchase and use of Training services, as well as during the ordering, billing and communication with us. The Service Provider processes following data during those processes:

The Users are entitled to object against the data processing on the legal basis of Legitimate interest. In that case the Service Provider does not process their data for that particular purpose further.

The Legitimate interest of the Service Provider is claim and law enforcement. The data processed for that particular purpose are used for submitting claims and serve as evidence in case of a lawsuit. Those data can be requested by the Users as well for the same purpose. Processing the data for claim and law enforcement purposes is the legal interest of both the Service Provider and the User and does not affect the User’s fundamental rights and other personal rights disproportionately.

6.2. Data processed regarding the Contact personnel of contracted Clients that are legal entities

The contact persons of the contracted Clients are entitled to object against the data processing on the legal basis of Legitimate interest. In that case the Service Provider does not process their data for that particular purpose further.

The other Legitimate interest of the Service Provider is communication with its Client through the Client’s contact persons. It is the common interest of the Service Provider and the Client. The Service Provider processes only the necessary data for this purpose, so this data processing on Legal interest does not affect the contact persons’ fundamental rights and other personal rights disproportionately.

6.3. Data processed regarding participants in the researches of Service Provider

From time to time, we invite Users of our Website and others interested to provide information via surveys or contests. The purpose of conducting surveys is to improve our services and better understand our customers’ needs, while the purpose of contests is to increase customer experience on the Website.

Participation in these surveys or contests is completely voluntary. Information collected in these surveys are used solely in an aggregated basis and no individual will be associated with the information provided in response to such surveys, except as indicated in the next paragraph.

The participants can withdraw their consent in any time by sending an e-mail to the Service Provider’s e-mail address mentioned below.

Exceptionally, Service Provider might conduct surveys which involve follow-up communications with respondents (e.g., if statistical results gained from the survey are shared with respondents or when some incentives, gifts are provided to the respondents). For such purposes, we may need to store contact information of respondents. However, it remains to be the user’s decision whether he/she wants to share such personal information with the Service Provider.

6.4. Data processed regarding persons (in case of legal entities their contact persons) requesting a quote from the Service Provider

The contact persons of the legal entities requesting offer are entitled to object against the data processing on the legal basis of Legitimate interest. In that case the Service Provider does not process their data for that particular purpose further.

The Legitimate interest of the Service Provider and the legal entity requesting offer is communication with each other through the legal entity’s contact persons in order to provide the legal entity with an offer and in order to enter into a contract with each other. It is the common interest of the Service Provider and the legal entity requesting offer. The Service Provider processes only the necessary data for this purpose, so this data processing on Legitimate interest does not affect the contact persons’ fundamental rights and other personal rights disproportionately.

6.5. Data processing regarding persons contacting the customer service and persons submitting a question or request via the contact form

The Users and Clients are entitled to object against the data processing on the legal basis of Legal interest. In that case the Service Provider does not process their data for that particular purpose further.

The Legitimate interest of the Service Provider is claim and law enforcement. The data processed for that particular purpose are used for submitting claims and serve as evidence in case of a lawsuit. Those data can be requested by the Users, Clients as well for the same purpose. Processing the data for claim and law enforcement purposes is the legal interest of both the Service Provider and the User/Client and does not affect the User’s or Client’s fundamental rights and other personal rights disproportionately.

The other Legitimate interest of the Service Provider is identification of the User or Client contacted the customer service in order to manage their claim, request or answer their questions. It is the common interest of the Service Provider and the User/Client. The Service Provider processes only the necessary data for this purpose, so this data processing on Legal interest does not affect fundamental rights and other personal rights of the Users or Clients contacted the customer service disproportionately.

The third legitimate interest of the Service Provider here is administration and manage of the complaint, request or questions submitted by the Users or Clients through the customer service. It is the common interest of the Service Provider and the User/Client. The Service Provider processes only the necessary data for this purpose, so this data processing on Legal interest does not affect fundamental rights and other personal rights of the Users or Clients contacted the customer service disproportionately.

6.6. Data processing regarding the subscribed addressees of newsletter services

The Service Provider sends electronic direct marketing messages for marketing purposes to the Users subscribed to one or more newsletters of the Service Provider through direct contact which contain offers, promotions, news, information about the selected program and other benefits.

Users must explicitly express their intention to sign-up to our newsletters by activating the relevant checkbox and providing their e-mail address on the Website.

Service Provider provides multiple newsletters, recipients will only receive newsletters which they have explicitly subscribed to through the double opt-in method described above. Recipients of our newsletters can withdraw their consent by unsubscribing at any time using the instructions listed at the end of each e-mail newsletter and also in the Profile menu (Privacy settings).

6.7. Profiling based electronic direct marketing

The Service Provider sends personalised electronic direct marketing messages containing offers, promotions, discounts, discount coupons, news, articles, tricks, tips and other benefits, which are based on the behaviour, previous purchases, initiated but aborted purchases of the User on the Website to the Users granted consent to sending electronic direct messages based on profiling.

The Service Provider does not apply automated decision-making during profiling.

The Service Provider during profiling tracks the Users’ behaviour on the Website, collects data on the previous purchases, initiated but aborted purchases, left basket contents on the Website, virtual Euro balance of the Users not spent. Furthermore, the Service Provider combines the aforementioned purchase history and behavioural data of the Users with their registration data and draws conclusions from those data on the range of interests, preferences, the next competition test of the User.

The Service Provider sends personalised electronic direct marketing messages to the Users based on the result of the aforementioned profiling. For example:

If the User put a product into the basket, but he/she does not buy it, leaves the basket without payment – the Service Provider sends a reminder to this User that the products are still in the basket.
If the User buys a cheaper version of a product, the Service Provider sends him/her a discount coupon in order to encourage the User to purchase the larger and more expensive version of the product on a discounted price.
If the User bought a product, the Service Provider offers him/her additional products or services fitting the product bought by the User in electronic message.
If the User has virtual Euro not been spent on the Website, the Service Provider sends electronic direct marketing messages to the User in order to encourage him/her to spend this virtual amount on the Website.
The Service Provider see that the User are preparing for a given type of exam or test and the Service Provider offers him/her personalised products, articles, tips and tricks for practicing and preparation for the exam/test.

The Users who have not granted consent to receiving electronic direct marketing messages, Service provider does not profile and does not send to them targeted, online behaviour based online direct marketing messages and advertisements.

The Service Provider processes the following data of the Users for the purpose of profiling and profiling based electronic direct marketing:

Users can grant their consent to the profiling based electronic direct marketing messages on the Website during the registration and after registration in the Privacy settings menu of the User Profile menu. The Users can withdraw their consent by unsubscribing at any time using the instructions listed at the end of each e-mail electronic direct marketing message and also in the Privacy settings menu of the Profile menu.

6.8. Data processing regarding the sending of system notifications to registered Users

The Service Providers may send service and system-essential messages to the registered Users of the Website. These messages are strictly limited to communication necessary to use our services. Those service and system-essential messages are electronic messages sent for the purpose of the performance of the contract, including information about the operation, accessibility, maintenance of the website, the services provided through the website and webinars, about the changes of the date, place or other parameter of the programs and services ordered, and also technical and organizational information in connection with the service or the Service Provider and also includes verifications of online payment, online orders, online purchases.

6.9. Data collected automatically via the Website

We use cookies and other various programs on the website in order to understand the Website Visitors preferences and behaviour relating to the Website, to develop the Website based on those, and to generate anonymous statistics on Website traffic. Certain small programs aid the Users in not having to input their data on repeat visits, and to make their identification easier and quicker, while other programs serve to identify the Users.

You can find here what kind of information we collect about you via cookies:

a. Cookies strictly necessary for the operation of the Website

The Service Provider processes the data collected by the cookies strictly necessary for the operation of the Website based on Legitimate interest according to Article 6 (1) f) of the GDPR.

These cookies are necessary for the Website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.

You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

In case of data processing based on Legitimate interest, the User is entitled to object against the data processing at any time; in this case the Service Provider will not process his/her data further.

The Service Provider does not apply cookies essentially necessary for the operation of the Website.

b. Cookies for statistical, analytical purposes

Those cookies help the Service Provider to understand how visitors interact with the Website by collecting and reporting information anonymously. These cookies allow the Service Provider to count visits and traffic sources so the Service Provider can measure and improve the performance of the Website. They help the Service Provider to know which pages are the most and least popular and see how visitors move around the Website.

All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies the Service Provider will not know when you have visited the Website, and will not be able to monitor its performance.

The Service Provider processes the data collected by the statistical, analytical cookies based on consent according to Article 6 (1) a) of the GDPR.

The User can withdraw his/her consent at any time.

c. Marketing/remarketing cookies

The Service Provider does not use marketing, remarketing cookies on the Website.

d. General provisions about cookies

In general, the cookie is a small file consisting of letters and numbers which is sent to the device of the User from the web server of the Service Provider. It enables for example the Service Provider to recognize the final appliance of the User when the connection is created between the web server of the Service Provider and the device.

Service Provider does not use the aforementioned cookies and personal data collected automatically by them either for the purpose of profile making, direct marketing, automated decision-making or for online behavioral marketing.

Reputable partners aid Service Provider in analysing Website statistics, and analytics companies such as Google Analytics, HotJar Analytics, Drupal may also place cookies on the User’s device.

Users may disallow Google cookies on the page used for the disabling of Google ads.

On http://www.networkadvertising.org/choices/ there are further means to deny other, third party cookies from being used.

Control of cookies:

Most cookies enable Users to control cookie usage via their settings. However, if User restricts the usage of cookies, this may hinder user experience, since it will no longer be customised. User may also stop the saving of personal settings, such as the saving of login information.

If User does not wish for Service Provider to use cookies when User visits the Website, he/she may refuse usage under his/her settings page. In order to let Service Provider know that the User has refused usage of cookies, a denial cookie is placed on the User’s device, thus, Service Provider will know that no cookies may be placed on the device upon the next visit of the Website. If the User does not wish to receive cookies, they may change their browser settings accordingly. If no such change has been made, Service Provider will view User as having given consent to the sending of any kinds of cookies. The Website shall not function completely without cookies.

For further information of cookies, including types, management and removal, visit
Wikipedia.org or www.allaboutcookies.org or www.aboutcookies.org.

For more information about Google Analytics cookies, please visit:
http://www.google.com/policies/privacy/

If you want to switch off the Google Analytics tracking, please click on the following link:
http://tools.google.com/dlpage/gaoptout.

Every browser is different, the „Help” menu can help the User in modifying the cookie settings. You can find more information about cookie settings here: http://www.youronlinechoices.com/hu/.

The cookie settings menu in case of the most popular browsers are the following:

Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=en
Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
Microsoft Edge: https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy-microsoft-privacy

6.10. Data processing on the Facebook page

The Service Provider operates a Facebook Page under the URL address https://www.facebook.com/eutraining/ on which page Service Provider displays news, advertisements, videos, organises games and promotions, discloses events, photos, posts. Service Provider collects, analyses and displays in aggregated way personal data with the function of Facebook Insight on the Facebook Page concerning the type of the activities of the Users on the Facebook Page, how much time they spend with viewing contents.

Service Provider hereby informs the visitors of the Facebook Page that Service Provider and Facebook Ireland Limited are joint data processors under the Article 26 of GDPR concerning the personal data collected in Facebook Insight function of the Facebook Page; Service Provider and Facebook Ireland Limited jointly determines the purposes and tools of data processing. The agreement of joint data processing concluded between Service Provider and Facebook Ireland Limited is available here: https://www.facebook.com/legal/terms/page_controller_addendum.

Furthermore, Service Provider informs the visitors of its Facebook Page about the split of the main responsibilities and obligations between Service Provider and Facebook Ireland Limited and also about the relevant provisions of the agreement on joint data processing:

Responsibilities and obligations of Facebook Ireland Limited:

a. Facebook Ireland Limited undertakes the primary liability of the data processing of the data in Facebook Insight function; data processing is carried out by Facebook Ireland Limited in trhe name of the Service Provider.

b. Facebook Ireland Limited is liable for appropriately informing the Users on the data processing.

c. Facebook Ireland Limited is liable for keeping in touch with the Users, answering the Users' requests when the Users exercise their rights concerning data protection; Service Provider is not entitled to contact the Users in this matter on the basis of the joint processing agreement. If the User submits his/her request/claim of data protection to Service Provider, Service Provider is obliged to forward it to Facebook Ireland Limited within 7 days; the User shall receive the answer of his/her request from Facebook Ireland Limited.

d. Facebook Ireland Limited is liable for keeping the data safety provisions on the personal data collected and processed in the function of Facebook Insight; for announcement of data breaches and for informing the Users about the data breaches.

Responsibilities and obligations of Service Provider:

a. Service Provider is obliged to ensure that Service Provider has appropriate legal basis of the data processing concerning Facebook Insight.

b. Service Provider is obliged to indicate itself as data controller on the Facebook Page.

c. Service Provider is not entitled to claim the concrete personal data processed in Facebook Insight function from Facebook Ireland Limited; Service Provider is able to reach only the statistics and reports created by Facebook Ireland Limited, Service Provider does not have access to the personal data forming the basis of the reports.

Service Provider hereby informs the visitors of the Facebook page that Service Provider processes their following data on the following legal basis:

Regarding the likes on Facebook Page: number of likes; place of likes, number of new likes
Regarding posts on Facebook Page: how much people are reached by the post, number of likes, comments and shares of the post, number of dislikes, hides, reporting as spam, when the persons reaching the Facebook Page view Facebook content;
Regarding visits of the Facebook Page: how much times was the Page visited, how much times did the users come from external sites;
Regarding videos on Facebook Page: number of watching video more than 3 seconds, more than 30 seconds, top videos of the Page;
Regarding visitors of the Facebook Page: gender, age, location (country, city), language of the persons who liked the Page, number of visitors viewed the post in the last 28 days, who liked, commented or shared something on the Facebook Page in the last 28 days.

The legal basis of Service Provider’s aforementioned data processing is Consent according to Article 6 (1) a) of the GDPR. The Users can withdraw his/her consent in any time. Granting or withdrawing consent is possible in the Users' Facebook profile.

Facebook Ireland Limited is obliged to disclose the detailed privacy notice on the Facebook Pages on the basis of the aforementioned joint data processing agreement.

Service Provider excludes its liability for any data processing carried out by Facebook Ireland Limited, only Facebook Ireland Limited is liable for that.

7. WHO PROCESSES YOUR PERSONAL DATA, AND WHO HAS ACCESS TO THEM?

7.1. The data controller

The controller of the personal data specified under point 6. hereto is Service Provider, meaning Arboreus Online Training Services Llc., the company data of which are as follows:

Arboreus Online Training Services Llc.
Seat: 1075 Budapest, Rumbach Sebestyén utca 12. A. I. 2.
Mail address: 1075 Budapest, Rumbach Sebestyén utca 12. A. I. 2.
Company reg.: 01-09-902506
Tax reg. no.: 14408102-2-42
Represented by: dr. András Iván Baneth, CEO, availabilities: on the seat and e-mail of Service Provider
E-mail address: support@eutraining.eu
Website: www.eutraining.eu

On behalf of Service Provider, the data is accessible to the employees of Service Provider whose access is essential to the performance of their duties. Access authorisations are specified in a strict internal code.

7.2. Data processors

For the processing of the personal data of representative and contact persons, we engage the following companies, with whom we have entered into data processor agreements. The following data processors conduct the processing of personal data:

8. WHO IS THE DATA PROTECTION OFFICER OF THE SERVICE PROVIDER AND WHAT ARE THEIR CONTACT DETAILS?
Service Provider is not required by the law to appoint a data protection officer.

9. TO WHOM DO WE TRANSFER YOUR PERSONAL DATA?

We transfer your personal data only to the data processors mentioned in point 7.2. Besides of them we transfer your data to:

Some of the data processors we use processes your personal data outside of the European Union. We hereby inform you concerning the data transfers to abroad as follows:

a. Data processors in third countries applying Standard Contractual Clauses for data transfer to third countries:

Atlassian Corporation Plc, Australia
Freshworks, Inc., USA
Google LLC, USA
Vimeo, Inc, USA
Twilio Ireland Limited, USA

b. U.S.-based processors of the controller, which are not applying Standard Contractual Clauses or other Model clauses for data processing:

Drupal Association and Dropbox, Inc. are not on applying Standard Contractual Clauses for data transfer between controller and processor into the USA, for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. Furthermore, there are no binding corporate rules which are applicable to them, the European Commission has not adopted an adequacy decision regarding the U.S., and the appropriate safeguards mentioned in Article 46 of the GDPR do not exist, thus transferring data to these companies are based on explicit consent under Article 49 (1) a) of the GDPR.

Information provided by the controller about potential risks:

it cannot be guaranteed that the companies affected meet the requirements of the GDPR.
it cannot be guaranteed that the companies affected will comply with the data security regulations.
it cannot be guaranteed that the company affected will ensure an adequate level of protection regarding the processing of personal data.
it cannot be guaranteed that the law applicable to the company affected will ensure fundamental rights and the protection of personal data.
it cannot be guaranteed that an independent data protection supervisory authority or other body exists which exercises control over the data processing of the companies in question.
it cannot be guaranteed that the country of the company in question complies with its international obligations regarding data protection.
it cannot be guaranteed that the data subject can exercise its data protection rights properly and efficiently according to the law applicable to the company in question and in the country of the company in question.

c. Processors of the controller based in the EU

Clickmeeting Sp.z.o.o. is seated in and is processing data in Poland, in the territory of the EU. Hotjar Limited is seated in and is processing data in Malta, in the territory of the EU. Online SAS is seated in and is processing data in France, in the territory of the EU. SPRL CIOBOOTSTRAP.COM is seated in and is processing data in Belgium, in the territory of the EU. András Kőrizs and ASBL PRODUCTIONS ASSOCIÉES are seated in and are processing data in Belgium, in the territory of the EU. Pay and Shop Limited is seated in and is processing data in Ireland, in the territory of the EU.

Data transfer to these companies shall not be considered as data transfer abroad, thus it does not require an explicit authorization or consent.

10. WHAT RIGHTS DO YOU HAVE REGARDING THE PROCESSING OF YOUR DATA, AND HOW CAN YOU EXERCISE THEM?

The detailed rights and remedies of the Users are set forth in the applicable provisions of the GDPR (especially in articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions and the Service Provider provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the individual, information may also be provided orally, provided that the identity of the individual is proven by other means.

The Service Provider will respond without unreasonable delay and by no means later than within one month of receipt to the request of an individual whereby such person exercises his/her rights about the measures taken upon such request (see articles 15-22 of the GDPR). This period may be, if needed, extended by further two months in the light of the complexity of the request and the number of requests to be processed. The Service Provider notifies the individual about the extension also indicating its grounds within one months of the receipt of the request. Where the request has been submitted by electronic means, the response should likewise be sent electronically unless the individual otherwise requests.

In case the Service Provider does not take any measure upon the request, it shall so notify the individual without delay but by no means later than in one month stating why no measures are taken and about the opportunity of the individual to lodge a complaint with the data protection authority and to file an action with the courts for remedy.

10.1. The individual’s right of access

(1) The individual has the right to obtain confirmation from the Service Provider whether or not personal data concerning him/her are being processed. Where the case is such, then he/she is entitled to have access to the personal data concerned and to the following information:

a. the purposes of the processing;
b. the categories of personal data concerned;
c. the recipients or categories of recipient to whom the personal data have been or will be disclosed including especially recipients in third countries and/or international organisations;
d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e. the right of the individual to request from the Service Provider rectification or erasure of personal data or restriction of processing of personal data concerning the individual, or to object to such processing;
f. the right to lodge a complaint with a supervisory authority;
g. where the personal data are not collected from the individual, any available information as to their source;
h. whether automated decision making (Section (1) and (4) of article 22 of the GDPR) is applied including profiling, and in such case, at least information in comprehensible form about the applied logic and the significance of such data processing and the expectable consequences it may lead to for the individual.

(2) Where personal data are forwarded to a third country, the individual is entitled to obtain information concerning the adequate guarantees of the data transfer.

(3) The Service Provider provides a copy of the personal data undergoing processing to the individual. The Service Provider may charge a reasonable fee based on administrative costs for requested further copies. Where the individual submitted his/her request in electronic form, the response will be provided to him/her by widely used electronic means unless otherwise requested by the individual.

10.2. Right to rectification

The individual has the right to request that the Service Provider rectify inaccurate personal data which concern him/her without undue delay. In addition, the individual is also entitled to have incomplete personal data completed e.g. by a supplementary statement or otherwise.

10.3. Right to erasure (‘right to be forgotten’)

(1) The individual has the right that when he/she so requests, the Service Provider erase the personal data concerning him/her without delay where one of the following grounds applies:

a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Service Provider;
b. the individual withdraws consent on which the processing is based, and no other legal ground subsists for the processing;
c. the individual objects to the processing and there are no overriding legitimate grounds for the processing;
d. the personal data have been unlawfully processed;
e. the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Service Provider is subject;
f. the collection of the personal data occurred in connection with offering services regarding the information society.

(2) In case the Service Provider has made the personal data public and then it becomes obliged to delete it as aforesaid, then it will, taking into account the available technology and the costs of implementation, take reasonable steps including technical steps in order to inform processors who carry out processing that the individual has initiated that the links leading to the personal data concerned or the copies or reproductions of these be deleted.

(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other things, for:

a. exercising the right of freedom of expression and information;
b. compliance with a legal obligation which requires processing by Union or Member State law to which the Service Provider is subject;
c. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
d. the establishment, exercise or defence of legal claims.

If you would like us to erase all or one of your personal data, please submit a request for erasure in e-mail to our support@support.eutraining.eu e-mail address or in mail sent to Arboreus Kft., H-1075 Budapest, Rumbach Sebestyén utca 12. A. I. 2. mailing address.

If you would like us to erase your personal data on our Facebook page, please check the information in the Facebook settings on how to erase your personal data on Facebook.

10.4. Right to restriction of processing

(1) The individual has the right to obtain a restriction of processing from the Service Provider where one of the following applies:

a. the accuracy of the data is contested by the individual, for a period enabling the Service Provider to verify the accuracy of the personal data;
b. the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of their use instead;
c. the Service Provider no longer needs the personal data for the purposes of the processing, but the individual requires them for the establishment, exercise or defence of legal claims;
d. the individual has objected to processing based on the legitimate interest of the Service Provider pending the verification whether the legitimate grounds of the Service Provider override those of the individual.

(2) Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with the consent of the individual or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) The Service Provider informs the individual whose request has served as grounds for the restriction based on the aforesaid, before the restriction of processing is lifted.

10.5. Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Service Provider will communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Service Provider informs the individual about those recipients if he/she so requests.

10.6. Right to data portability

(1) The individual has the right to receive the personal data concerning him/her, which he/she has provided to the Service Provider in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Service Provider, where:

a. the processing is based on consent or on a contract; and
b. the processing is carried out by automated means.

(2) In exercising the right to data portability pursuant to paragraph 1, the individual shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(3) Exercising the aforesaid right shall not contravene to provisions concerning the right to erasure (‘right to be forgotten’) and, further, this right shall not harm the rights and freedoms of others.

10.7. Right to object

(1) The individual has the right to object, on grounds relating to his/her particular situation, at any time to processing of personal data concerning him/her for the purposes of legitimate interests. The Service Provider will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defence of legal claims.

(2) Where personal data are processed for scientific or historical research purposes or statistical purposes, the individual, on grounds relating to his/her particular situation, has the right to object to processing of personal data concerning him/her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

10.8. Right to lodge a complaint with a supervisory authority

The individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of work or place of the alleged infringement if he/she considers that the processing of personal data relating to him/her infringes the GDPR. In Hungary, the competent supervisory authority is the Hungarian Authority for Data Protection and Freedom of Information (; H-1055 Budapest, Falk Miksa u. 9-11, mailing address: 1363 Budapest, POB 9; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: )

10.9. Right to an effective judicial remedy against a supervisory authority

(1) The individual has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him/her.

(2) The individual has the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform him/her within three months on the progress or outcome of the complaint lodged.

(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

10.10. Right to an effective judicial remedy against the Service Provider or the processor

(1) The individual, without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, has the right to an effective judicial remedy where he/she considers that his/her rights under the GDPR have been infringed as a result of the processing of his/her personal data in non-compliance with the GDPR.

(2) Proceedings against the Service Provider or a processor shall be brought before the courts of the Member State where the Service Provider or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual has habitual residence. In Hungary, in these kinds of proceedings the general court has jurisdiction. The proceedings can be brought - according to the choice of the individual concerned - before the general court where one has its habitual residence or place of stay. Information on the competent courts is available at www.birosag.hu.

11. MEASURES TAKEN FOR THE PURPOSES OF DATA SECURITY

Service Provider has enacted the following information security procedures for the purposes of data protection.

We follow a detailed information security code regarding the safety of the data and the information that is under our control, with which compliance is mandatory for all our personnel, and which is both known and used by our staff.

We regularly coach and train our employees regarding data and information security requirements.

11.1. Data security in IT infrastructure

We store personal data on a rented cloud, on rented servers and on the hard drives of company computers, access to which is strictly controlled and only granted to a very restricted circle of personnel. We regularly test our IT systems in order to ensure and maintain data- and IT security.

Office workstations are password-protected, third-party storage devices are restricted and may only be used following approval.

Protection against malicious software is provided regarding all of the systems and system elements of the Service Provider.

During the planning and operation of programs, applications and tools, we address security functions separately and with emphasis.

When allocating authorisations to our IT systems, we pay close attention to the protection of data (e.g. passwords, authorisations) affecting these systems. Passwords provided on the Website are encrypted using Hash and Salted Hash technology. In developers’, staging and demo environments, User data is masked and stored accordingly.

We generate backups of the data daily and weekly. The backups may only be accessed by a select authorized circle. Two instances of the backups are in separate locations thus ensuring restorability.

Remote communication with our servers may only take place on encrypted channels via SSH key pairs.

11.2. Data security in communication

Regarding electronically forwarded messages and files, we secure the integrity of data on both the controller’s and the user’s data, in order to comply with the principle of safe data exchanges.

We prevent data loss and damage by fault detecting and correcting procedures and we ensure the prevention of deniability.

Regarding the network used for data transmission, we provide defense against illegal connection and eavesdropping per an adequate security level.

11.3. Data security in document management

We comply with data security requirements in document management as well, which we stipulate in document management by-laws. We manage documents by pre-set access and authorization levels, based on the level of confidentiality regarding the documents. We follow strict and detailed rules regarding the destruction of documents, their storage and handling at all times.

11.4. Physical data security

In order to provide physical data security, we ensure our physical barriers are properly closed and locked, and we keep strict access control regarding our visitors at all times.

Our paper documents containing persona data are stored in a closed locker that is fire- and theft-proof, to which only a select few have authorised access.

The rooms where storage devices are placed in have been made to provide adequate protection against unauthorised access and breaking and entering, as well as fire and environmental damage. Data transit, as well as the storage of backups and archives is done in these confined locations.

11.5. What procedure do we follow upon an incident?

Pursuant to applicable law, we report incidents to the supervisory authority within 72 hours of having gained knowledge thereof, and we also keep records of them. In cases regulated by applicable law, we also inform subjects of the incidents, where necessary. In cases where such is required by law, we also inform concerned data subjects thereof. Regarding other matters, we conduct ourselves pursuant to our global Incident Management Rules and the processes set out therein.

12. WHEN AND HOW DO WE AMEND THIS PRIVACY NOTICE?

Should the scope of data or the circumstances of data management be subject to change, this notice shall be amended and published on www.eutraining.eu, as is required by GDPR. Please pay attention to the amendments of this notice, as they contain important information regarding the management of your personal data.