DATA PROCESSING GUIDELINES

Definition of the controller

Apcom CE Kft. (henceforward: Apcom CE) the authorized distributor partner of Apple and other manufacturer of electronic products in Hungary, and an importer of various Apple and other accessories. Apcom CE is engaged in wholesale activities, and as a part of this, operates a web shop. Apcom CE does carry out retail sales.

Name of the company: Apcom CE Kereskedelmi Korlátolt Felelősségű Társaság (short  name: Apcom CE Kft.)
Seat: 1031 Budapest, Záhony u. 7. C. ép. Fszt.
Company registration number: 01-09-709868 (Company Registry Court of Budapest Capital-Regional Court)
Tax ID: 12916593-2-44, HU12916593
Phone number: +36 1 4303500
E-mail address: logistics@apcom.hu
Webpage: https://shop.apcom.eu

Apcom CE appoints no data protection officers.


Data controller activities carried out by Apcom CE

The data protection provisions of the General Data Protection Regulation (Regulation (EU) No. 2016/679 of the European Parliament and of the Council, hereinafter referred to as: the Regulation) regulate the protection of the personal data of natural persons. As a general rule, the wholesale activities that Apcom CE is engaged in do not result in the processing of the personal data of natural persons. However, there are some cases where Apcom CE does handle the data of natural persons. Apcom CE is committed to ensuring that its data processing activities are always in line with the provisions of the Regulation.

To help you interpret the terms used in this information brochure, we would like to refer to the definitions of the Regulation:
 personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
 processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
 data controller means the natural or legal person (...) which, alone or jointly with others, determines the purposes and means of the processing of personal data.


Description of the various cases of data processing (their purpose, legal basis, duration and the scope of the processed data)

Processing of contact information (identified in a contract) for the purpose of wholesale activities

Brief description of the data processing case
During the course of its operations, Apcom CE concludes contracts with distributors and commercial businesses. These contracts may contain contact information. The contact information of the designated persons (name, phone number, email address) are strictly needed for the purpose of making and maintaining business contacts.
The purpose of data processing is to maintain the contractual relationships between the parties to make the performance of the contract possible, which is a legitimate purpose for data processing.
Legal basis for data processing:
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (henceforward: Act CVIII of 2001) gives the following definition: “E-commerce services: services provided within the framework of information society where the purpose is the commercial sale, purchase, exchange or other kind of requisition of tangible, marketable moveable property (including money, securities and natural forces that can be taken into possession), services, real estate and rights having asset value (henceforward jointly referred to as: goods)”
According to Paragraph (3) of Article 13/A of Act CVIII of 2001: “The service provider may (...) process such personal data that is technically absolutely necessary for him to be able to provide his services.”
Article 47 of the Preamble of the Regulation states the following regarding the legal basis: “...Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”
As a legal basis for data processing, refer to Article 6 (1) (f) of the Regulation: the legitimate interest of the partner and that of Apcom CE to perform and to maintain their commercial relationship. In case of data processing where the legal basis is legitimate interests, a “balance of interest” test shall be carried out and its results shall be communicated to the data subjects. Apcom CE has already carried out the relevant “balance of interests” test. The results of the “balance of interests” test show that the legitimate interest of Apcom CE does not impose a disproportionate restriction on the rights of the data subjects in protecting his personal data.
Scope of the processed data
The name, e-mail address and phone number of the contact person.
Duration of data retention
Until the expiration of the claims arising from the contract.
Relevant IT systems
The management systems and web shop of Apcom CE.

Marketing materials related to wholesale activities, sending newsletters to the distributors

Brief description of the data processing case:
The marketing activities carried out are not aimed at individuals, Apcom CE only sends newsletters and marketing materials to its commercial partners and registered distributors (companies), to the email address provided for this purpose by said companies.
The newsletters sent by email contain product promotions and other direct marketing materials, advertisements. When additional direct marketing letters are sent, they most often provide information about new products, software updates, product support and product descriptions.
The purpose of data processing is the distribution of commercial offers to the commercial partners, distributors, which is a legitimate purpose for data procession.
Both the newsletters and the marketing materials contain an option to unsubscribe, thus providing the data subjects with the right to object.
Legal basis for processing
Paragraph (47) of the Preamble of the Regulation applies to the direct marketing messages sent to commercial partners, which states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” and „...Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.”.
As the legal basis of the data processing, we refer to Point f) of Paragraph (1) of Article 6 of the Regulation: data processing is carried out for the purposes of the legitimate interests of Apcom CE.
In case of data processing where the legal basis is legitimate interests, a “balance of interest” test shall be carried out and its results shall be communicated to the data subjects. Apcom CE has already carried out the relevant “balance of interests” test. The results of the “balance of interests” test show that the legitimate interest of Apcom CE does not impose a disproportionate restriction on the rights of the data subjects in protecting his personal data.
Scope of the processed data
The name and e-mail address of the designated contact person.
Date of unsubscription.
Duration of data retention
Until the termination of the contractual relationship, or sooner in case of unsubscription.
Relevant IT systems
The management systems and web shop of Apcom CE.

Data processing related to webpage visitors and cookies

To allow personalized service provision, Apcom CE and/or the designated third-party operators place and read a small data package, so-called cookie on the User’s computer. If the browser returns a cookie saved earlier, the operator managing the cookie may link the data recorded during the actual User visit with earlier ones, but exclusively in respect of its own content.
Most browsers will automatically accept these cookies by default. Storing cookies (cookies) can be disabled or configured in the browser to get notification before storing cookies on your computer. These settings apply only to the browser and the computer used, cookie settings and cookies are set individually per computer and browser. By deactivating cookies, the Website Operator cannot guarantee the proper functioning of the Website and the full use of the Website. By using the Website for the first time, the user of the Website accepts that cookies (cookies) are placed on your computer.
Our Cookies collect and processing the fallowing personal datas: IP address, history of browsing on the website and website settings.
Within your browser you can choose whether you wish to accept cookies or not. Different browsers make different controls available to you. Generally, your browser will offer you the choice to accept, refuse or delete cookies at all times, or those from providers that website owners use i.e. third party cookies, or those from specific websites. Each browser’s website should contain instructions on how you can do this.
If you block cookies on our website, you may be unable to access certain areas of our website and certain functions and pages will not work in the usual way.


Apcom CE as the data processor

According to the Regulation, the “data processor” is any natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
Apcom CE, as an authorized, contracted distributor of Apple Distribution International, Holyhill Industrial Estate, Holyhill, Cork, T23 YK84, Ireland (henceforward: Apple) acts as a data processor in handling the electronically transferred data related to the so-called educational discount (copy of the student IDs, copy of the invoices) sent by Apple distributors, by uploading them to the dedicated IT system of Apple Inc. Apcom CE does not process the transferred personal data in its own administrative systems. Information on Apple’s privacy policy is available here: https://www.apple.com/legal/privacy/


Use of data processors by Apcom CE

To aid in the performance of its duties, Apcom CE as a data controller may obtain the use of other data processors in certain cases. The data processors record, manage and process personal data forwarded to them by Apcom CE in accordance with the provisions of the Regulation, and shall make a statement regarding this to Apcom CE.

The list of data processors employed by Apcom CE

Data Processor designation

Related data processing activity carried out by Apcom CE

The duty of the data processor, brief description of the data processing

TRL Hungary Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság

registered office: 2510 Dorog, Mátyás király u. 11/A

Company registry number: 11-09-007772

All three

Operator of IT services (ERP)

"Printer-fair" Számítástechnikai, Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság

registered office: 2510 Dorog, Mátyás király u. 11/A. 

Company registry number: 11-09-005405

All three

operator of IT services (ERP)

Microsoft

All three

cloud service provider

Breezy S.R.O.

registered office: Plzeňská 157/98, Košíře, 150 00 Praha

Registration number: CZ27733823

All three

operator of IT services (ERP)

Schenker Nemzetközi Szállítmányozási és Logisztikai Korlátolt Felelősségű Társaság

registered office: 2310 Szigetszentmiklós, Leshegy út 30.

Company registry number: 13-09-173114

Processing of contact information (identified in a contract) for the purpose of wholesale activities

logistics operator engaged in packaging

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.

registered office: 2351 Alsónémedi
GLS Európa u. 2.

Company registry number: 13-09-111755

Processing of contact information (identified in a contract) for the purpose of wholesale activities

courier company for delivering the packages

DHL Express Magyarország Szállítmányozó és Szolgáltató Kft.

registered office: 1185 Budapest, BUD Nemzetközi Repülőtér repülőtér 302. ép.

Company registry number: 01-09-060665

Processing of contact information (identified in a contract) for the purpose of wholesale activities

courier company for delivering the packages

PAKETT HUNGÁRIA Korlátolt Felelősségű Társaság

registered office: 1157 Budapest, Késmárk utca 16. 

Company registry number: 01-09-270036

Processing of contact information (identified in a contract) for the purpose of wholesale activities

courier company for delivering the packages

 

 

Apcom CE does not employ a storage space provider.


Data transfer to Third Countries

Apcom CE, as a member of Midis Group of companies (hereinafter referred as the „Group”), transfers data for controlling and internal audit purposes outside the Europian Union. When personal data are transferred outside of the Europian Union, to so-called third countries, the Group insures the same level of protection required by the Regulation in the EU and complies with the the provisions of the Regulation related to the transfer of personal data.

The rights of the data subjects

According to the language of the Regulation, “data subject” is a natural person who can be identified, directly or indirectly by reference to relevant information or personal data.
When it comes to data processing carried out by Apcom CE, the data subjects are primarily the persons designated as contact persons.
Apcom CE informs its customers that in all cases when, during the establishment of the commercial contact via electronic methods, the person registering the Distributor in the web shop provides the information of other persons, or when during the conclusion of the commercial contract or the validity of the legal relationship between the Parties, the person representing the distributor/contracted partner provides personal data and contact information for other persons, Apcom CE presumes that this information was legally obtained from the data subjects, and the distributor/contracted partner shall bear the responsibility for this.

The data subjects have the rights described below.
Please note that before complying with their requests regarding their rights, Apcom CE is obliged to identify the person submitting the request.
Where Apcom CE has reasonable doubt about the identity of the natural person submitting the request, additional information may be requested to confirm the identity of the requestor.

Requests for information

A prerequisite to the application of the legitimate interest legal basis is that the legitimate interest of the data controller shall be proportionate with the limitation of the right to the protection of personal data. In order to determine this, a prior “balance of interests” test is required. For the “balance of interests” test, Apcom CE as the data controller:
-    identifies his legitimate interests in relation to the personal data subject to the “balance of interests” test,
-    establishes the interests and rights of the data subject with regard to the personal data subject to the “balance of interests” test,
-    performs the examination of the legitimate interests on the side of the data subject and the data controller, and based on this, determines whether the personal data may be processed legally.
In case of data processing where the legal basis is legitimate interests, a “balance of interest” test shall be carried out and its results shall be communicated to the data subjects. Upon request, Apcom CE provides information to the data subject in connection with the contents of this paragraph.

The right of access

The data subject is entitled to receive information from Apcom CE about whether the processing of his personal data is still ongoing or not. If the data processing is ongoing, he has the right to access the personal information being processed as well as the following information:
a)    the purposes of data processing,
b)    the categories of personal data records concerned,
c)    recipients or categories of recipients to whom the personal data was or will be disclosed or transferred, including especially recipients from Third Countries and international organizations,
d)    where appropriate, the intended duration of the storage of personal data or, where this is not possible, the criteria for determining that period,
e)    right to request the data controller to correct, delete or restrict the processing of personal data related to him and to object to the processing of such personal data,
f)    the right to file a complaint addressed to a supervisory authority,
g)    if the relevant data was not collected from the data subject, all available information about their source,
h)    the fact that automated decision-making (including profiling) is in use, and at least the logic used and information about the nature of such data processing and its likely consequences in relation to the data subject (this information shall be provided in a clear and understandable form).

The data subject should have the right to access personal data collected concerning him, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the data processing carried out.

The practices ensuring the right of access

Upon such request by the data subject, Apcom CE provides the data subject a copy of the personal data subject to data processing. If the data subject submits the request by electronic means or data is processed in an electronic format, the information shall be provided in a commonly used electronic format (unless the data subject specifically requests a different format).
Apcom CE is obliged to respond to such requests sent by the data subject without undue delay and at the latest within 30 days, and to give reasons where it does not intend to comply with such requests.
The copy of personal data shall normally be provided free of charge. Apcom CE may charge a reasonable fee based on the administrative costs where more than one copy is requested, or if a simpler, quicker and more cost-effective method than the one requested by the data subject is available to comply with the data request.

The right to rectification

The data subject shall have the right to obtain from Apcom CE without undue delay the rectification of inaccurate personal data concerning him or her.
Where the purpose of data processing makes this relevant, the data subject is also entitled to request the completion of incomplete personal data.  Completion will be carried out by way of a supplementary statement submitted by the data subject.

Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from Apcom CE the erasure of personal data concerning him or her without undue delay and Apcom CE shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the data is no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws his consent which served as the legal basis of processing, and there is no other legal basis available to continue processing;
c) the data subject objects to the processing based on the relevant provisions of the Regulation, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing because it was carried out for direct marketing purposes (including profiling);
d) the personal data have been unlawfully processed;
e) the personal data must be erased to comply with a legal obligation stemming from EU or Member State law to which Apcom CE is subject;
f) the personal data have been collected in relation to the offer of information society services marketed directly to children.

Apcom CE is not obliged to delete the data if processing is necessary for the following reasons:
a) the exercising of fundamental rights (the right of freedom of expression and information);
b) in cases where processing is mandatory (in order to comply with legal obligations stemming from EU or Member States law applicable to the data controller on the processing of personal data);
d) public interest reasons (e.g. archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of such processing); or
e) for the establishment, exercise or defence of legal claims.

Where Apcom CE has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. Rules regarding exceptions are relevant even in this case.

Right to the restriction of processing

The data subject shall have the right to obtain from Apcom CE restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling Apcom CE to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) Apcom CE no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to the processing of data pursuant to the relevant provisions of the Regulation; in this case the restriction shall apply until it is proven that the legitimate grounds of Apcom CE as a data controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Apcom CE shall inform the data subject (upon whose request the restrictions have been introduced) about the fact of lifting the restrictions prior to such event.

Right to data portability

The data subject has the right to receive the personal data concerning him, which he has provided to Apcom CE , in a structured, commonly used and machine-readable format and have the right to transmit these data to another data controller without any hindrance from Apcom CE, where:
a) the legal basis for processing is consent or a contract; and
b) the processing is carried out by automated means.
In exercising his right of data portability, the data subject shall have the right to have his personal data transmitted directly from one controller to another, where technically feasible.

Please note that the right of data portability can only be exercised in case where all of the above conditions are met (i.e. data processing is based on consent or a contract AND data processing is carried out in an automated manner). This means that the right of data portability, for example, does not apply to data processed under the legal basis of legitimate interest.
According to the guidelines of the Data Protection Working Group (WP29) created under Article 29, as the right of data portability applies only to automated data processing, it does not apply to paper-based data management.

Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interests of Apcom CE.
In this case Apcom CE shall no longer process the personal data unless Apcom CE demonstrates compelling legitimate grounds for the procession which override the interests, rights and freedoms of the data subject or those needed for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
In case the data subject objects to data processing for direct marketing purposes, his personal data shall no longer be processed for such purposes.

Methods for the exercising of rights

Az Apcom CE shall inform the data subject without undue delay and at the latest within 30 days of the reception of the request about the measures taken in response to the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by two additional months. Apcom CE shall inform the data subject about the extension of the deadline, and shall also indicate the causes of the delay within one month of the reception of the request. When the request was made in an electronic form, unless otherwise requested by the data subject and if possible, the information shall be provided in an electronic form.
If Apcom CE does not wish to take actions in response to the request made by the data subject, Apcom CE shall, without undue delay and at the latest within 30 days of the reception of the request, inform the data subject of the reasons for the lack of action and his right to file a complaint with a supervisory authority, and of the option to exercise his right of appeal.
Apcom CE shall also provide the information required based on the right to information and the information related to the exercise of certain rights free of charge. However, if the request made by the data subject is undoubtedly unfounded or – because of its extremely repetitive nature – excessive, Apcom CE, depending on the administrative costs of the provision of the requested information or the requested actions:
a)    may charge a reasonable amount, or
b)    may refuse to take action with regards to the request.
It is the responsibility of Apcom CE to prove that a certain request is undoubtedly unfounded or excessive.


Remedies

Without prejudice to other administrative or judicial remedies, the data subject is entitled to file a complaint with a supervisory authority – in particular in the Member State of his habitual residence, his place of work or where the suspected infringement took place –, if he believes that the procession of his personal data violates the Regulation.
Without prejudice to other administrative or non-judicial remedies, the data subject is entitled to an effective judicial remedy where the competent supervisory authority does not handle the complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority, the data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.  Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
Should you have any complaint regarding the data processing practices of Apcom CE, please refer to the  Hungarian National Authority for Data Protection and Freedom of Information (NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., postal address: 1530 Budapest, Pf.: 5.., phone: +36 (1) 391-1400, fax: +36 (1) 391-1410, e-mail: ugyfelszolgalat@naih.hu, website: https://www.naih.hu), or file a complaint with the relevant court. The trial is a matter for the competent Court. The case may be initiated before the General Court of the data subject’s domicile or place of residence.


Data security measures

In order to provide protection to the data related to the data subjects, Apcom CE employs reasonable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that the stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
During these activities, Apcom CE takes special care to prevent any unauthorized or unlawful access to the personal data of the data subject. Despite all these actions, Apcom CE cannot completely guarantee the security of the personal data of the data subject.
 Apcom CE takes the following measures to protect the data of the data subjects:
-    using password protection or encryption, and
-    limiting access to the data (e.g. only those employees may access the data who need it in order to achieve the aforementioned goals), and preventing unauthorized access to the network with the use of available IT methods,
-    logging;
-    providing access to the data stored on the server only to the designated persons who have sufficient authority to do so,
-    creating backups to avoid data loss.

Please note that in cases where the data subject provides the information of a third party, Apcom CE will notify and cooperate with the authorities to determine the identity of the offender.


Effective date of the Data Processing Guidelines and further amendments

Effective date of the present Data Processing Guidelines: 25 May 2018.
Apcom CE reserves the right to unilaterally modify and update these guidelines without any prior notice. These shall enter into force with the publication of the amendment. It is recommended to visit the website periodically, so that you can always stay up-to-date with the eventual amendments and updates. Upon request, we will also send you an e-mail with the information currently in force.