Last updated: 15 September, 2020
Since basically we do not work on our own, but in order to operate our chatbot service more effectively we invoke the different social media sites of our Partners and the Partners’ chat widget platforms embedded in their website, therefore we kindly ask you to also study the information about data protection of the platforms you are using, since our Company is obligated by these third party data protection practices and policies, as well as its own regulations.
Our data processing principles are in accordance with the data protection laws being in force, hence in particular with the followings:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data
- Act CXII of 2011 on Informational Self-Determination and Freedom of Information
- Act V of 2013 on the Civil Code
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services
- Act C of 2003 on Electronic Communications
- Act CLV of 1997 on Consumer Protection
- Act CLXV of 2013 on Complaints and Public interest Disclosures
- Act I of 2012 on the Labor Code
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities.
“platform”: applications, and other popular social platforms and chat widgets embedded in website through which the end users use the Chatbot Services
“end user”: the clients/subscribers/partners of our Partners, namely each natural person or legal entity, unincorporated other organization, who or that use the Chatbot Services on the Platforms of our Partners, register on the Platforms to use the Chatbot Services, and use the functions of the Chatbot Services, and as part of that they provide – at their option – their data
“chatbot service”: intelligent chatbot technology providing automatic communication accessible for the End Users and tailor made by our Company alongside the expectations of our Partners. Our chatbots simulate a conversation with the End User, provide information and services to them.
Name: Talk-A-Bot Kft.
Seat: 1114 Budapest, Bartók Béla út 29. 1. emelet 4.
Registration No.: 01-09-286391
Tax No.: 25735967-2-43
Represented by: Ákos Gyula Deliága, Gergely Ákos Kalydi managing director, each individually
Based on Article 37 of GDPR our company is not obliged to designate a data protection officer, however we do accept your data protection related questions at the following e-mail: email@example.com
Our Company in order to provide a high-quality service claims the services of the third-party suppliers, data (sub-) processors available here, in certain cases also considered as individual data controllers:
Our data processors are under obligation of secrecy and contractual guarantee for preserving the personal data gained during the performance of their assignment, and they process the personal data solely for the purpose and according to the instructions defined in the contract obtained between them. In case we change the range of our partners, the modifications will be transcribed in this Policy.
Additionally, there are external service providers, to whom – either directly or indirectly – in order to provide services personal services are transferred or could be transferred, as well as these external service providers could transfer personal data to the data controller. External service providers are those service providers as well, with whom the data controller are not in a contractual relationship, however for providing service to our Partners – either by the contribution of the Concerned (for example connecting the individual account to the service, and in order to make easier the registration or log in the service) or without a contribution – due to they have access to the platforms and the data available on those platforms, hereby they could collect data about the Concerned and all end users’ activity, from which in certain cases – individually or together with other collected data by these external service providers – end users could be identified.
Such external service providers are the following ones, for example, in case you are interacting with the relevant platforms:
Facebook Ireland LTD (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland)
Twitter International Company
Viber Media LLC
ABOUT OUR DATA PROCESSING, PURPOSES AND PRINCIPLES
Together with our Partners it is our priority aim to protect the personal data of the data subject and to respect the right of informational self-determination of the data subjects, to protect their private sector, therefore we handle the personal data confidentially and take all security, technical and organizational measures that guarantee the safety of such data.
In the agreement concluded between our Company and our Partners for the purpose of providing the Chatbot Services for the End Users of our Partners, based on the assignment and instructions of our Partners we set out in detail the rules of data processing activity carried out by our Company, as well as our related data protection obligations.
We can say in general about our data controlling, that we take into account the following principles:
(i) “lawfulness, fairness and transparency”: we process personal data lawfully, fairly and in a transparent manner in relation to the data subject;
(ii) “purpose limitation”: personal data collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(iii) “data minimization”: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(iv) “accuracy”: accurate and, where necessary, kept up to date scope of data; we take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(v) “storage limitation”: while choosing the storage form, we focus on that the personal data shall be identified for no longer than is necessary for the purposes for which the personal data are processed;
(vi) “integrity and confidentiality”: we process data in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Our Company cooperates in good faith and according to the requirements of transparency and righteousness with data subjects during data controlling. Our Company controls only those data provided in the law or provided by data subjects, for the data controlling purposes listed in the following. Bearing in mind the purpose of data controlling, we do not control any data more than unjustifiable.
Our Company does not verify the provided personal data, solely the provider is responsible for their adequacy.
Our Company does not transfer the processed personal data to any third party, beside the Processors and Outside suppliers included in the present Informative. An exception to these provisions is the use of data in a statistically cumulated form that must not include in any form such data that is suitable for the identification of the User concerned, therefore does not constitute as Processing, nor transferring.
The data subjects are entitled to withdraw their consent at any time. The withdrawal of consent does not affect the legality of processing based on consent prior the withdrawal.
ABOUT OUR CERTAIN DATA PROCESSING ACTIVITIES
|About our Chatbot Service-related data processing|
The purpose of data processing
The operation of Chatbot application at Partners, providing Chatbot Service.
In more details: the first step of familiarizing with the bot after establishing contact with the chatbot is the understanding of the related informative about data processing and expressing its content. In the absence of adaption, the bot notes that data subject does not wish to have a closer look at the bot.
In conjunction with our Chatbot services, the data provided by the End User – whether directly or during registration with its social profile – is controlled and processed by our Company with the following purpose – illustratively, since it is always defined within the framework of agreement signed with the Partner -: effective providing of Chatbot Service; identification of end users registered on Platform; the use of Chatbot Services available on Platforms; providing information for the users registered on the Platform regarding the functioning of Chatbot Services (for example messages of technical nature, information related to the modification of Chatbot Services, etc.); solving operational problems; establishing a contract, defining and modifying its content, implementing the contract and following its implementation, invoicing the related charges, as well as exercising the related legal claims; ensuring the communication between our Partners and the End User; performing Customer Service tasks, complaint-handling; the usage of data for cumulated, anonymized and statistical purpose, creation of surveys, statistics and estimates; facilitating and ensuring the payment activity of bank cards and other; increasing efficiency, improving operation and development of Platform; personalizing and customizing the account of End User on Platform – related to Chatbot Services available on Platform.
GDPR article 6. section (1) point a) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes
GDPR article 6. section (1) point f) – legitimate interest of the data controller
|Scope of controlled personal data||Data strictly necessary for the operation of chatbot and made available based on the standard settings of the Platform chosen by Customer, in particular: (App user ID – identification generated for chatbot, user name, profile picture URL, as well as any other data provided by End User (text, button usage, picture) in the Chatbot interaction; in case of Viber the data also shared with the platform (Viber ID, telephone number); data given by Customer for identification purpose (e.g. internal identifier, business e-mail address, e-mail address, phone number, address, data of premises/location, certain characters of tax ID and/or social security number) which End User profile – business account – created for the Chatbot Services is in the possession of the Data Controller in certain cases. Beyond this, the platform used by user for the service, language, date of registration, data given during chat communication. The cloud-based error monitoring that helps our software teams discover, triage, and prioritize errors in real-time are covering the following data properties: access to client’s environment, admin user’s credentials, admin user’s IP address and web browser data (version, type), operation system of admin’s user’s computer (type, version). The scope of processed data may vary with the all-time functions.|
|Duration of data processing|
Until data subject has withdrawn his/her consent.
After one year from the last activity of the End User (if the End User does not use again the chatbot service within one year from the last activity) the personal data of chatbot conversations are anonymized (ID is separated from the End User).
After five years of the last activity all data of the chatbot conversation is deleted.
Processor stores and uses beyond the referenced one-year storage time the data collected during the usage of Chatbot Service in an anonymized manner which means the End User is no longer identifiable, noting that after five years the whole chat stream is deleted.
|About the processing of the data of our contracting partners and their contact persons|
The purpose of data processing
|Our Company with the legal ground of the performance of the contract processes the data of partners contracting as buyer, supplier and their contact persons with the aim of entering into, performing, terminating a contract or to provide benefit.|
|Legal base||processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [Article 6. (1) point b) of GDPR]|
|Scope of controlled personal data||name, birth name, date of birth, mother’s name, address, tax code, tax number, number of self-employment farmer card, number of ID card, seat, address of establishment, phone number, e-mail address, website address, bank account number, buyer number (customer number, order number), online identification (buyers, list of suppliers, lists of regular purchases) of natural person.|
|The consignees of personal data||The employees and data processors of our Company performing the tasks related to taxation and accounting, as well as the employees performing customer service.|
|Duration of data processing||Our Company, processes the personal data provided in the contract as well as the address, e-mail address and phone number, online identification of the natural person acting on behalf of – signing the contract – the legal entity entering into contract on the legal base of legitimate interest and for the purpose of communication and exercising the rights and obligations arising out of contract. The period of time of storing these data is 8 years following the termination of employment relationship providing the legal base, taking into account the performance of accounting and tax related obligations, as well as 5 years following the existence of contact quality. The contact person has a contractual relationship for employment with our Partner, as a contracting party, therefore that data processing does not have a negative impact on the rights of data subject. Our Partner agrees to inform at all times the concerned contact person regarding the data processing related to its contact person quality.|
|About the controlling of personal data of those applying for job advertisement|
The purpose of data processing
|In case of applying for a position at our Company, the application file submitted to firstname.lastname@example.org by the applicant is controlled by our Company, as the data controller, during the implementation of the selection process and the selection, understanding the professional and human values, level of education, previous work experience of applicants in order to find the best candidate to fill the vacant position.|
|Legal base||consent of data subject [point a) paragraph (1) of Article 6 of GDPR], having regard that with submitting the application file to our Company, data subject indicates clearly and actively its consent of controlling their personal data submitted upon applying|
|Scope of controlled personal data||Personal data included in application file submitted to our Company, thus CV and motivation letter in the first place.|
|The consignees of personal data||only those employees of our Company are entitled to control the personal data included in the application file, who are eligible to make proposal or decision regarding the appointment of the advertised job.|
|Duration of data processing||solely until the position has been filled, but maximum up to 1 year.|
|About the controlling carried out to perform tax and accounting obligations|
|The purpose of data processing||Our Company, in order to perform the tax and accounting related obligations (accounting, issuing invoices and storing issued invoices) provided by law, controls the personal data provided in the law of those entering into contract with them as buyer or supplier|
|Legal base||processing is necessary for compliance with a legal obligation to which the controller is subject [point c) paragraph (1) of Article 6 of GDPR]|
|Scope of controlled personal data||based on paragraph 169 and 202 of Act CXXVII of 2017 on Value Added Tax, in particular: tax number, name, address, tax status, based on paragraph 167 of Act C of 2000 on Accounting: name, address, name of the person or body ordering the economic transaction, signatures of persons effecting payment and verifying execution, as well as, depending on the organization, the signature of the inspector; in documents of movements of inventories and liquid assets receipts, the signature of the recipient, and the signature of payer in counter-receipts, based on Act CXVII of 1995 on Personal Income Tax: number of private entrepreneur identification card, number of farmer identification card, taxpayer identification.|
|The consignees of personal data||The employees and data processors of our Company performing the tasks related to taxation, accounting, payroll and social security.|
|Duration of data processing||based on Section 169 (2) of the Act of 2000 on Accounting 8 years after termination of relationship providing the legal base.|
|About the controlling of personal data of those persons who contact our Company|
The purpose of data processing
|Anyone may get in touch with our Company on our website at https://talkabot.net/#contact-us platform. In case our Company receives any requests, our Company is controlling the questions and all content of those requests which is shared by the individuals with us – including the individuals’ personal data in the request addressed to us contains such data –, in order to answer the requests addressed to our Company. Having regard the content of each requests one of our most competent colleagues will answer the questions within the shortest possible time.|
|Legal base||consent of data subject [point a) paragraph (1) of Article 6 of GDPR], having regard that with addressing the requests to our Company, data subject indicates clearly and actively its consent of controlling their personal data submitted upon contacting our Company.|
|Scope of controlled personal data||Personal data included in the requests addressed to our Company, thus primarily name, e-mail address, phone number, subject of the request and all information which is shared with our Company by the individuals contacting us on the platform devoted such purpose on our website.|
|The consignees of personal data||only those employees of our Company are entitled to control the personal data included in the request, who are eligible and competent to answer the request addressed to us.|
|Duration of data processing||until the request is answered fully, but maximum up to 1 year.|
|About the controlling of personal data relating to Chatbot tricks and hints (newsletter)|
|The purpose of data processing||every now and then our Company send information on new chatbot solutions, reports about our operating chatbots and chatbot news from all over the world.|
|Legal base||Consent of data subject [point a) paragraph (1) of Article 6 of GDPR], having regard that with subscribing for our Chatbot tricks and hints services, data subject indicates clearly and actively its consent of controlling their personal data submitted upon subscribing.|
|Scope of controlled personal data||primarily e-mail address and name used for subscription.|
|The consignees of personal data||the employees and data processors of our Company performing the tasks related to Chatbot tricks and hints services.|
|Duration of data processing||until the individuals are unsubscribe from Chatbot tricks and hints services.|
The transmission of the data of data subjects must take place solely within the framework specified in legislation, as in the case of our data processors we ensure the data subjects’ personal data not to be used in contrast to the originally determined aim with the help of contractual term clauses.
For the purpose of providing information, reporting data or making papers available, the court, the public prosecution and other authorities (for example: police, tax office, National Agency for Data Protection) shall contact our Company. In these cases, we must obey our obligation of providing data, but solely up to an extent that is absolutely necessary to attain the aim of the enquiry.
The contributors and employees taking part in our Company’s data controlling and data processing are entitled to learn – under obligation of confidentiality – your personal data to a specified extent defined in advance.
We protect the personal data with appropriate technical and other measures, also ensure the protection and availability of the data, as well as protect them against being accessed unauthorized, modified, damaged and published and unauthorized used unauthorized.
Within the framework of organizational measures in our buildings we control the physical accessibility, we constantly educate our employees and store our paper documents sealed off with appropriate protection. In the context of technical measures, we use encryption, password protection and anti-virus software. Our Company shall do everything in its power to make the processes as safe as possible, regarding the data received by our Company we follow strict provisions in order to ensure the safety and to prevent the unlawful access of personal data. However, we draw your attention to the fact that data transmission via internet cannot be regarded as fully safe.
Together with our Partners we take the measures – concerning the safety of data processing – as prescribed in GDPR regulation Article 32, that is to say, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and systems used for the processing of personal data;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
- in assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed;
- vi) steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
If the data subjects use the Chatbot Service provided by our Partners with a social profile, in that case depending on their own settings, shall make available certain data of their social profiles on the various social media platforms for the data controller and processor (including but not limited to name; user name; e-mail address; phone number; social media profile; gender; age; information about the way of usage of social sites and about the type of activities carried out on such sites; areas of interest; marital status; photographs; comments published by data subject; other information regarding online behavior). The Platforms create the opportunity to select the way for sharing personal data on the social media profiles.
Our Company for operating the Chatbot Service uses and controls only the most necessary data from the data made available by the data subject.
The data security standards mean the support of personal data protection by technical and personal measures, as well as physical and IT solutions. Our Company acts in line with the data protection rules and jurisprudence, shall meet the regulations of the law in force, as well as shall take into account the more important national recommendations related to the data protection.
Rights and judicial remedy:
Data subjects about data controlling are entitled to
- ask for information,
- ask for the rectification, modification and supplementation of their personal data,
- object to the data controlling and to ask for the deletion their data (with the exception of the statutory data controlling),
- seek judicial remedy,
- issue a claim or to initiate a procedure at the supervisory authority (https://naih.hu/panaszuegyintezes-rendje.html). Supervisory Authority: National Agency for Data Protection (Seat: Szilágyi Erzsébet avenue 22/c, Budapest, H-1125; Postal address: Mailbox 5., Budapest, H-1530; Telephone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; E-mail: email@example.com; Website: https://naih.hu/).
However, we kindly ask you to contact our Company before turning to supervisory authority or court with your complaint – in order to consult and solve the arisen problem as quickly as possible – since our Company undertakes the task of providing information at the request of the data subjects about their controlled and processed data, about their sources, about the purpose and basis of processing, about the duration of processing, and in case it is not possible, about the factors of defining that period of time, about the name, address and the processing related activity of our processors, about the circumstances, effects of personal data breach and the measures taken to control them and prevent them from happening, as well as about the legal basis and the addressed of transmission in case of personal data transmission. We shall provide information regarding these types of inquiries as soon as possible, up to a maximum of 1 month.
Our Company informs the data subjects as well as those to whom the data have been formerly transmitted for the purpose of processing, about the correction, indication and deletion of personal data. No notification is sent in case the absence of notification does not undermine a legitimate interest of the data subject. In case of rejection of application for correction or deletion we also indicate our reasons for rejections and give information about the possibilities for judicial remedy as well as turning to the Authorities.
In case of objecting to data processing, our Company shall examine the objection within less than 1 month upon submitting the request. We will give a written report about the decision of our Company. In case of justified opposition, we shall terminate the processing and delete the concerned data. In this case as well, we shall inform those to whom the data involved in objection have been formerly transmitted and those who are obliged to take measures to enforce the right to object.
In some cases, priority shall be given to certain other compelling reasons and justifications for data controlling to the data processing interest and rights of the data subjects. Naturally it is not obligatory to agree with us, we might even miss a deadline. In this case, within 30 days from communicating our decision and from the last day of the deadline, you can turn to court.