1. INTRODUCTION
Borealis Consulting International Ltd. (hereinafter referred to as Borealis Consulting,
Service provider, Data Controller) as a data controller, recognizes the content of this
legal notice as binding on itself.
The user assumes the controller's obligation that all activities related to data management
meets the requirements set out in this policy and applicable law.
The Borealis Consulting is the website operator of https://www.northernlightdiscovery.nl
The Service Provider reserves the right to change this information at any time. Of course,
it will notify the audience of any changes you may have in due time.
The Service Provider is committed to protecting the personal data of its clients and
partners, and it attaches great importance to respecting the right to self-determination of
its clients. The Data Controller handles personal information confidentially and takes all
security, technical and organizational measures that guarantee the security of the data.
The Service Provider describes its data management principles below, and presents the
expectations that you have formulated against yourself as a data controller and adhere to
it. The principles of data management are in line with current data protection legislation,
in particular:
• 2011 CXII. Act on Information Self-Determination and Freedom of Information;
• Act V. of 2013 - on the Civil Code (Civil Code);
• Act C. of 2000 on Accounting (Accounting Act);
• 2008 XLVIII. Act - on the basic conditions and certain limitations of economic advertising
(Grt.).
• CVIII of 2001 Act (Ekertv.) - on certain issues of electronic commerce services
and information society services;
• Regulation (EU) 2016/679 of the European Parliament (27 April 2016) on the protection of
individuals with regard to the processing of personal data and on the free movement of such
data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, hereinafter
" GDPR ")
2. DEFINITIONS
• concerned: any natural person identified or identifiable (directly or indirectly) by
personal data;
• personal data: data relating to the data subject (in particular the name of the data
subject, his / her identification mark and knowledge of one or more physical, physiological,
mental, economic, cultural or social identities) and the conclusion drawn from the data
subject;
• consent: a voluntary and definite declaration of the wishes of the data subject based on
appropriate information and with unambiguous consent to the processing of personal data
relating to him or her, wholly or in part;
• Data Controller: a natural or legal person or an entity without legal personality that
either independently or with others determines the purpose of data management, makes and
implements
• decisions relating to data management (including the equipment used), or implements it
with the data processor;
• data processing: any operation or operation performed on data, irrespective of the
procedure used, including, in particular, collection, recording, recording, systematization,
storage, alteration, use, querying, transmission, disclosure, coordination or
interconnection, blocking, deletion and destruction; preventing the further use of the data,
taking photographs, sound or images, and recording physical characteristics suitable for
identifying the person (e.g. finger or palm print, DNA sample, iris image);
• data transmission: making data available to a specific third party;
• disclosure: making data available to anyone;
• data deletion: making data unrecognizable in such a way that their recovery is no longer
possible;
• data processing: performing technical tasks related to data management operations,
irrespective of the method and equipment used to perform the operations and the location of
the application, provided that the technical task is performed on the data;
• data processor: a natural or legal person or an entity without legal personality who,
under a contract, including a contract under a provision of the law, processes data.
3. COMPANY
The details and contact details of our company are as follows:
Name: Borealis Consulting International Ltd.
Mailing address: Fűrészelő u.8., Érd, 2030 HUNGARY
Tax number: 25842290-2-13
Phone: +36 30 445 3487
E-mail: melinda.katona@borealisconsulting.hu
Data Controller Representative: Melinda Katona
4. THE SCOPE OF PERSONAL DATA, PURPOSE, TITLE AND DURATION OF DATA MANAGEMENT
The following information is provided for each of our data processing operations.
4.1. Request for quotation, inquiry with direct request
Interested in can have direct contacts to be made by electronic mail sent to the Service
Provider address, or by telephone.
Purpose of data management:
Contact between concerned and Service Provider in order to promote closer and more effective
cooperation and communication.
Legal basis for data management: legitimate interest - Article 6 (1) (f) GDPR
The scope of personal data handled: Contracting authority / Contact name; e-mail address e,
phone number or other information provided by the affected person
Duration of data management: 2 years after the validity period of the offer or protest of
the affected
Addressees of Personal Data: The data handled by the Data Controller in accordance with
Section 7. does not pass on to third parties other than the data processor(s) specified in
point 3.1 . Recorded data may only be provided by employees of the Data Controller(s) and
the designated colleague(s) of the processor get to know.
Indication of legitimate interest: The legitimate interest of the Service Provider to manage
the data of the data subject - direct marketing
The range of data management stakeholders:
Partners interested in the services of the Service Provider (eg: by e-mail, by phone), are
involved. Those involved in the submitted Technical Drawing Documentation.
Data transmission:
The Service Provider can transmit the necessary data to it’s own database systems if
needed.
Data is currently being transmitted to the following systems: Mailchimp, MiniCRM
Data Transfer Statement:
I accept it in the inquiry / request / offer to personal data stored in the data management
database are transferred to the Service Provider’s other databases as a Data controller.
The range of data transmitted:
Name of the contracting authority / contact person; e-mail address, phone number or. other
information provided by the affected person
Legal basis for transmission: legitimate interest - direct marketing
4.2. Offers, requests via the website (https://www.northernlightdiscovery.nl)
The service provides an opportunity to bid electronically request of stakeholders.
Purpose of data management:
Contact between concerned and Service Provider in order to promote closer and more effective
cooperation and communication
Legal basis for data management: voluntary contribution of the data subject - - Article 6
(1) (a) of the GDPR
The range of personal data you handle: interested name (first name, surname); e-mail
address, phone number or other information provided by the affected person
Duration of data management: 2 years after the validity period of the offer until the
consent is withdrawn
Addressees of Personal Data: The data handled by the Data Controller in accordance with
Section 7. does not pass on to third parties with the exception of the data processor (s)
indicated in point. Only the employees of the Data Controller (s) and the designated
colleague (s) of the data processor (s) can get the recorded data.
The range of data management stakeholders:
partners stakeholders interested in the Service Provider's services, products through the
website,
Data Transfer Statement:
I accept it in the travel-initiated inquiry / request / offer to personal data stored in the
data management database are transferred to the tour operator organization, as a Data
controller.
The range of data transmitted:
Name of the contracting authority / contact person; e-mail address e, phone number or other
information provided by the affected person
Legal basis for transmission: legitimate interest - direct marketing
Legal basis for transmission: the consent of the data subject
4.3. Request for quotation, follow-up data management
Purpose of data management: the legitimate interest of the data controller to record the
data of the paperwork for the purpose of direct marketing beyond the period of validity of
the offer
Legal basis for data processing: legitimate interest of the data controller, Article 6 (1)
(f) GDPR,
The range of personal data that you manage: Contact name and first name; telephone number;
e-mail address
Addressees of Personal Data: The data handled by the Data Controller in accordance with
Section 7. does not pass on to third parties with the exception of the data processor (s).
Only the employees of the Data Controller and the designated colleagues of the data
processor (s) will be able to access the recorded data.
Duration of data management: 3 years after the validity period of the offer or subject to
protest
Indication of legitimate interest:
Developing business relationships with partners, contracting authorities, accurate
information, and information to stakeholders. The legitimate interest of the Service
Provider is to manage the data of the data subject - direct marketing
The range of data management stakeholders:
Addressees of offers previously issued by the Service Provider contact person (s)
included.
4.4. Client contact
Purpose of data management: identification of partners, differentiation from other partners
or project participants, communication,
Legal basis for data processing: legitimate interest of the data controller, Article 6 (1)
(f) GDPR,
The range of personal data that you manage: Contact name and first name; telephone number;
e-mail address or other information provided by the
Duration of data processing: up to the protest of z concerned
Addressees of Personal Data: The data handled by the Data Controller in accordance with
Section 7. does not pass on to third parties with the exception of the data processor (s)
indicated in point. Only the employees of the Data Controller and the designated colleagues
of the data processor (s) will be able to access the recorded data.
Indication of legitimate interest:
Providing the right communication with partners, providing information to stakeholders. The
Service Provider has a legitimate interest in managing the data of the data subject. -
direct acquisition
The range of data management stakeholders:
The partners and concerned Service Provider has contact with.
4.5. Newsletter
The objective of data management: Send an e-mail newsletters containing advertising business
for those interested, and current information
Legal basis for data processing: prior consent of the data subject, Article 6 (1) (a)
GDPR,
The range of personal data you manage: name, email address
Duration of data management: until withdrawal of voluntary contribution, up to unsubscribe
from newsletter
The Service manages the data provided by the concerned til withdrawal of consent. On the
basis of withdrawal of consent managed data will be deleted within 7 days from the
newsletter database and then we will not send you any newsletter.
Addressees of personal data: The data controller shall not disclose the data obtained to any
third party other than the data processor (s) specified in point 7. Only the employees of
the Data Controller and the designated colleagues of the data processor (s) will be able to
access the recorded data.
Unsubscribe at any time from the newsletter with an email sent to info@borealisconsulting.hu
address or from by clicking the unsubscribe icon.
The range of data management stakeholders:
Partners that subscribe to the Service Provider's electronic newsletter are affected.
4.6. Invoice issuance (natural person)
The purpose of data management: to issue an invoice to the account payer, to comply with the
legal requirements
Legal basis for data processing : by law - - GDPR Article 6 (1) (c) - 2000 C trv. Article
166 (1)
The range of personal data you manage:
• Account Payer Name
• Billing address
• Invoice Amount
• Purchased products, billed services
Duration of data management: by the deadline specified in the Accounting Act - 2000 C trv.
Article 169
(2)
Possible consequences of missing data: Data is required.
Addressees of personal data: The data controller shall not disclose the data obtained to any
third party other than the data processor (s) specified in point 7. Only the employees of
the Data Controller and the designated colleagues of the data processor (s) will be able to
access the recorded data.
The range of data management stakeholders:
If an invoice issued by the controller for the affected.
5. OTHER DATA TREATMENTS
Information on data management not listed in this prospectus is provided when recording the
data. We inform our clients that some authorities, public bodies, courts can contact our
company for personal information. Our company will only provide personal information to
these bodies, if the exact purpose and scope of the data is specified, to the extent
strictly necessary for the purpose of the request and if the fulfillment of the request is
required by law.
6. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION
The Service Provider will not forward your personal data above to any third country or
international organization.
7. INFORMATION ABOUT USING A DATA PROCESSOR
The controller handles the data to the data processor(s) contracted to perform the contract
during data management.
Categories of Recipients: Accounting, Payroll, Webhosting:
8. MANAGE THIRD-PARTY DATA
If the Customer / Partner does not provide its own data to the Data Controller but any other
natural person, the Customer / Partner is solely responsible for providing such information
with the consent, knowledge and appropriate information of that natural person. The Data
Controller does not have to check the existence of these. Controller Draws your Customer /
Partner note that if you do not fulfill this obligation, and that the relevant claims
against enforces the Data Manager, the claim validated and the amount of damages related to
data management will be forwarded to the Client / Partner.
9. CHILDREN
Our services are not intended for persons under 16 years of age, and we ask that persons
under the age of 16 do not provide Personal Data to the Data Controller.
If we find out that we have collected personal data from a child under 16 years of age we we
will take the necessary steps to delete the data as soon as possible - except data
controlling statutory provisions.
10. AUTOMATIC DECISION MAKING
The Service Provider does not apply automatic decision making during the data management
procedures and data collection process.
11. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT
Our computing systems and other data storage locations are located at the headquarters and
servers provided by the data processor. Our company selects and manages the IT tools used in
the provision of personal data for the management of personal data so that the data
processed:
(a) accessible to authorized persons (availability);
(b) authenticity and authentication insured (authenticity of data management);
(c) unchanged (data integrity);
(d) be protected against unauthorized access (data confidentiality).
We pay special attention to the security of the data, we also take the technical and
organizational measures and establish the procedural rules necessary to enforce the GDPR
guarantees. The data will be protected by appropriate measures, in particular against
unauthorized access, alteration, transmission, disclosure, deletion or destruction, and
unavailability due to accidental destruction, damage, or change in the technique used.
The IT system and network of our company and our partners is protected against
computer-assisted fraud, computer viruses, computer burglary and denial of service attacks.
The operator also provides security at server-level and application-level security. The data
is backed up daily. In order to avoid data protection incidents, our company will take all
possible measures, and in the event of such an incident - according to our Incident
Management Code - we will immediately take action to minimize the risks and eliminate the
damage.
12. RIGHTS, LEGAL OPTIONS OF INTERESTED PARTIES
The accepted may request information on the management of his or her personal data and may
request the rectification, revocation or withdrawal - except data controlling statutory
provisions - of his / her personal data, as well as his / her right to data transfer and
protest in the manner indicated in the recording of the data, as well as the above contact
details of the data controller.
The rights and remedies of the person concerned are set out in CXII. and Act 2016/679
defined below and communicated to those concerned.
Right of information, also known as the "right of access" of the data subject: on the
request of the data subject on the basis of the Article 15 of Regulation 2016/679 and Act
CXII. of 2011 Data controller gives information:
• about the data it manages and the categories of personal data
• the purpose of data management,
• the legal basis for data processing,
• the duration of the data management,
• where appropriate, the length of time for which the data are stored or, if that is not
possible, the criteria for determining that period, \ t
• where applicable, if the data were not collected from the data subject, any available
information on their source,
• where appropriate, automated decision-making, including profiling, and logic and
comprehensible information on the importance of such data management and the expected
consequences for the data subject;
• the data of the data processor, if he used a data processor, and the circumstances,
effects and measures taken to counteract the data protection incident;
• in the case of transmission of the personal data of the data subject, on the legal basis,
the purpose and the addressee of the transfer.
The information is free of charge if the person requesting the information has not submitted
a request for information to the Data Controller for the same data year in the current year.
In other cases, a cost reimbursement can be established. Repayment of costs already paid
must be refunded if the data have been illegally treated or the request for information has
led to a correction.
6. The data controller draws the attention of stakeholders to the fact that the information
must be denied in accordance with the Act CXII. of 2011.
a. if, pursuant to a provision of law, international treaty or binding act of the European
Union, the Data Controller transmits personal data as a data controller, at the same time as
the data transfer, indicates the restriction of the personal data subject's rights under the
said law or other restrictions on its handling.
b. the internal and external security of the state, such as defense, national security,
prevention or prosecution of criminal offenses, security of the penitentiary, economic or
financial interests of the state or local government, significant economic or financial
interests of the European Union, and the exercise of occupations; disciplinary and ethical
misconduct, for the prevention and detection of violations of labor and occupational safety,
including control and supervision in all cases, and for the protection of the rights of the
person concerned or others.
The Data Controller shall notify the National Data Protection and Freedom of Information
Authority of the rejected information requests by 31 January of the year following the
reference year.
Right of rectification: The data subject is entitled to rectify the inaccurate personal data
relating to him or her without delay upon request. Taking into account the purpose of data
management, the data subject is entitled to request the supplementation of incomplete
personal data, including by means of a supplementary declaration. At the same time, if
personal data do not correspond to reality and personal data corresponding to reality are
available to the Data Controller, personal data shall be rectified by the Data Controller
without the request of the data subject.
The right of cancellation, also known as "the right to be forgotten": The data subject is
entitled, upon request, to delete the personal data relating to him or her without undue
delay, and the Data Controller is obliged to delete the personal data concerning the data
subject without undue delay. if it is not ruled out by mandatory data management.
In addition to the above case, the Data Controller shall delete the data in accordance with
CXII. of 2011 and European Parliament and Council (EU) 2016/679 if
• data processing is illegal;
• the data is incomplete or incorrect - and this condition cannot be legally remedied -
provided that the cancellation is not precluded by law;
• the purpose of the data management has ceased to exist or the statutory deadline for
storing the data has expired;
• it has been ordered by the court or the Authority.
• personal data are no longer needed for the purpose for which they were collected or
otherwise processed;
• the data subject protests against the data processing and there is no legal reason for
data processing as a priority;
• personal data must be erased in order to fulfill the legal obligation under the law
applicable to the Data Controller;
• personal data were collected in connection with the provision of information society
services offered directly to children as referred to in Article 8 (1) of EU 2016/679.
In the event that the Data Controller has disclosed the personal data for any reason and is
obliged to cancel it as described above, it shall take reasonable steps, including technical
measures, to take into account other data processing technologies, taking into account the
costs of the available technology and implementation. data controllers that the data subject
has requested the deletion of links or copies of such personal data.
Data Controller draws the attention of stakeholders to the limitations of an erasure or
'right to be forgotten' under the EU Regulation which are:
(a) exercising the right to freedom of expression and information;
(b) fulfillment of an obligation under EU or Member State law that governs the processing of
personal data, or the exercise of a public authority or public authority remit entrusted to
the controller;
(c) public interest in the field of public health;
(d) in accordance with Article 89 (1) of Regulation (EU) No 2016/679 for the purpose of
archiving in the public interest, for scientific and historical research purposes or for
statistical purposes, where the right to erasure would be likely to render such processing
impossible or seriously jeopardized; or
(e) submission, validation or protection of legal claims.
Right to restrict data management or also known as blocking: The data subject has the right
to restrict data management upon request.
If, on the basis of the information available to you, it can be assumed that the deletion
would infringe the legitimate interests of the data subject, the data shall be blocked. The
personal data blocked in this way can only be processed until the data management purpose
that excludes the deletion of the personal data exists.
If the person concerned disputes the accuracy or correctness of the personal data, but the
inaccuracy or inaccuracy of the personal data at issue cannot be clearly established, the
data is blocked. In this case, the limitation applies to the length of time that allows the
Data Controller to verify the accuracy of personal data. According to the EU regulation,
data must be locked if
(a) data processing is unlawful and the data subject is against the deletion of the data and
instead requests a restriction on their use;
(b) the Data Controller no longer needs personal data for the purposes of data management,
but the data subject requests them for the submission, validation or protection of legal
claims; or
(c) the data subject rejects data controlling; in this case, the limitation applies to the
period until it is
determined whether the legitimate reasons of the Data Controller take precedence over the
legitimate reasons of the data subject.
Where data management is subject to restriction (blocking), such personal data, with the
exception of storage, may only be made with the consent of the data subject or for the
submission, validation or protection of legal claims or for the protection of the rights of
other natural or legal persons, or of the public interest of the Union or a Member State.
can be treated.
The Data Controller hereby draws the attention of stakeholders to the fact that the right to
rectification, erasure or blocking of the data subject may be restricted by law to the
state's internal and external security, such as defense, national security, prevention or
prosecution of crime, security of the penitentiary, and state. or economic or financial
interest of the municipality, of major economic or financial interest of the European Union,
and of disciplinary and ethical misconduct in the exercise of the occupations, prevention
and detection of breaches of labor law and safety, including control and supervision in all
cases. or to protect the rights of others.
The data controller shall, without undue delay, up to 30 days after receipt of the request,
inform the data subject of the details of his / her application and / or rectify the data
and / or delete and / or restrict (lock) the data or take other actions as requested. if
there is no reason to exclude it.
The Data Controller shall notify the data subject in writing of the rectification, erasure,
restriction of data management, and all those to whom the data was previously transferred
for data management purposes. At the request of the data subject, the Data Controller shall
inform the addressees. The notification may be omitted if it does not violate the legitimate
interest of the data subject for the purpose of data management or if the information proves
impossible or requires a disproportionate effort. The Data Controller must also notify the
data subject in writing if the exercise of the right of the data subject is not feasible for
any reason and must indicate the factual and legal grounds and the remedies open to the
person concerned: the possibility of recourse to the courts and the National Data Protection
and Freedom of Information.
The "right to data storage": The data subject is entitled to
(a) receives personal data relating to it which is made available to the Data Controller in
a structured, widely used machine-readable format and is entitled to
(b) forward this data to another data controller
without being hampered by the controller to whom you provided personal data to you if:
(a) based on consent, data management; and
(b) data management is automated.
When exercising the right to portability of data, the data subject is entitled to request,
if technically feasible, the direct transmission of personal data between controllers.
Considering the data processing performed by the Data Controller, the conditions for
exercising the data carrier's rights are not fulfilled (there is no automated data
management) and therefore the data subject cannot exercise this right.
Right to protest: The person concerned may object to the processing of his or her personal
data, -including profiling- if:
the processing (forwarding) of personal data is only necessary for the purpose of
enforcing the right or legitimate interest of the Data Controller or the data recipient,
except in the case of mandatory data management;
the use or transmission of personal data is for direct marketing, opinion polling or
scientific research;
otherwise the exercise of the right of objection is permitted by law.
The protest concerned the EU Regulation 2016/679 3. Article 21 para. on the basis of the
processing of personal data for the purpose of direct marketing, in which case personal data
may no longer be processed for this purpose.
Where personal data are processed for scientific and historical research purposes or for
statistical purposes, the data subject shall have the right to object to the processing of
personal data concerning him or her for personal reasons, unless the processing is necessary
for the performance of a task carried out for reasons of public interest.
The Data Controller - by simultaneously suspending data management - shall examine the
protest as soon as possible after the submission of the request, but within a maximum of 30
days, and shall inform the applicant in writing of its outcome. If the applicant's objection
is well founded, the Data Controller terminates the data management, including further data
collection and data transfer, and locks the data, and notifies the persons to whom the
personal data affected by the protest has previously been forwarded of any protest or action
taken on it, and who are obliged to take action to enforce the right of protest.
If the data subject disagrees with the Data Controller's decision or the Data Controller
fails to comply with the time limit referred to, he / she is entitled to apply to the court
within 30 days of its notification.
The person concerned has the right to object to automated decision-making.
Judicial Enforcement: The person concerned may apply to a court for violation of his rights.
The court acts out of the case. The Data Controller must prove that the data management
complies with the provisions of the law.
In case of violation of your right to self-determination, you can complain:
National Authority for Data Protection and Freedom of Information Address: 1125 Budapest,
Szilágyi Erzsébet fasor 22 / c
Phone: +36 (1) 391-1400 , Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu