Linistry Zrt.

Privacy Notice

Last amendment: 09 April 2025

 

Table of contents

  1. GENERAL INFORMATION
  2. UPGRADING AND AVAILABILITY OF THE POLICY
  3. SPECIFIC DATA PROTECTION REQUIREMENTS
  4. PERSONAL DATA PROCESSED AND PURPOSE OF PROCESSING
  5. ENTITIES ENTITLED TO PROCESS PERSONAL DATA
  6. SECURITY (TECHNICAL AND ORGANIZATIONAL) MEASURES
  7. DATA PROTECTION RIGHTS AND REMEDIES

 

  1. GENERAL INFORMATION

Linistry Zrt. (“Linistry”) processes information qualified as “personal data” under Article 4 (1) of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) in relation to third parties, contact persons of its partners and persons using its services (hereinafter collectively referred to as “data subject(s)”).

This privacy notice (“Privacy Notice”) is to provide information about the processing of such personal data as well as about the data subjects’ rights and remedies related to the processing.

Linistry acts either as a data controller or a data processor – Section 4 contains a detailed description in relation to this.

Contact details of Linistry:

Registered seat of Linistry: H-1031 Budapest, Záhony utca 7.

Registration number of Linistry: 01-10-141874

Telephone number of Linistry: +36(70)249-9060

E-mail address of Linistry: info@linistry.com; in respect of privacy issues: gdpr@linistry.com

Website:  https://linistry.com

Data Protection Officer: dr. Vándor András, vandor.andras@jogiszakerto.hu

  2. UPGRADING AND AVAILABILITY OF THE POLICY

Linistry reserves the right to unilaterally modify this Privacy Notice with immediate effect subsequent to such modification, subject to the limitations provided for by law and the requirements of advance notification to the individuals in due time, if necessary. Linistry may modify this Privacy Notice, particularly when it is required as a result of changes in the laws, the practice of the data protection authority, business needs or employees’ needs, any new activity involving personal data processing or any newly revealed security exposures, or if it is deemed necessary because of individuals’ feedback. When communicating in relation to this Privacy Notice or privacy issues, or otherwise keeping in contact with individuals, Linistry may use the contact details of individuals available to Linistry in order to get or keep in contact with individuals. Upon the request of an individual, Linistry will, for example, send a copy of the latest updated version of this Privacy Notice to individuals or certify that a certain individual has read the Privacy Notice.

  3. SPECIFIC DATA PROTECTION REQUIREMENTS

In certain cases, specific privacy-related terms and conditions may also be applicable to certain individuals; said individuals will be duly notified thereof. Such specific terms and conditions are provided for in connection with cookies that are used on the website of Linistry, and the cookies used in connection with Linistry’s Queue Management solution.

In each case, organisations and individuals are obliged to make the relevant personal data available to Linistry in accordance with the applicable laws. Individuals shall especially be in possession of adequate and informed consent, or any other appropriate legal basis, for making personal data available to Linistry (for example if the data of contact persons and family members are given). If Linistry becomes aware that any personal data of a data subject was disclosed without her/his consent or any other appropriate legal basis, then Linistry may immediately delete such personal data, and the data subject is also entitled to exercise the rights and remedies set forth in this Privacy Notice. Linistry will not be liable for any loss or harm which may arise from any breach of the above undertaking and representation of any individual.

  4. PERSONAL DATA PROCESSED AND PURPOSE OF PROCESSING

The table below describes the scope of the processed personal data, the purposes, the legal basis, and the duration of the processing. Where a purpose of processing is required for pursuing a legitimate interest of Linistry or any third party, then Linistry will perform a balancing test of the underlying interests, which is available upon a request submitted to Linistry by means of the contact details listed hereinabove.

Linistry expressly wishes to draw the attention of the individuals to their right of objection to the processing of their personal data on grounds relating to their particular situation at any time where the processing is based on a legitimate interest, including cases where the processing takes the form of profiling. In such cases, Linistry shall cease to process the personal data unless it can prove that the processing has to be continued due to compelling legitimate reasons which override the interests, rights and freedoms of the individuals, or which relate to the submission, the enforcement or the protection of legal claims.

 

Where this Privacy Notice indicates the relevant limitation period for the enforcement of claims as the duration of data processing, then any event which interrupts the limitation period shall extend the term of the data processing until the new date when the underlying claim may lapse (Section 6:25 (2) of Act V of 2013 on the Civil Code – the “Civil Code”). If the limitation period is interrupted, the claim can be enforced within one year from the time when the reason for interruption ceases to exist or, in respect of a limitation period of one year or less, within three months, even if the limitation period has already lapsed or there is less than one year or less than three months, respectively, remaining from it (Section 6:24 (2) of the Civil Code).

 

The 8 years’ retention period specified in Act C of 2000 on accounting (the “Accounting Act”) shall be counted from the day of a given year when the accounting item related to the data or the accounts/accounting relied on or made use of the relevant data in any way. In practice if the data appears in an agreement under which more completions arise (e.g. service is provided several times during the term of the agreement), the 8 years’ period shall be counted from each completion separately, because there is a separate invoice for each completion, based on which the transaction is entered into the accounts.

Processing when using Linistry’s ‘Queue Management’ solution

The objective of Linistry is to make waiting fun and useful, cut down waiting times and physical queuing. Linistry’s “Queue Management” solution (the “Linistry System”) helps the guidance and instruction of those waiting.

 

Linistry as data processor

During the use of the Linistry System, it is usually the customer of Linistry (the organization whose service is to be used by the waiting person) that determines the purpose of the processing of the personal data of the waiting persons. In this case the customer shall act as a “data controller”, and Linistry shall provide its solution ‘Take-a-Number System’ only according to the instructions of the customer. If this is the case, Linistry’s customer shall determine, among others, the following:

  • what purpose the Linistry’s solution is used for and personal data processed therein (for instance, in customer service activity and/or assistance for waiting persons, digital Queue Management solution or display of advertisement)
  • what data are required for identification and taking a numbered ticket,
  • what channel is used to notify the waiting persons of the waiting time, and
  • what devices and interfaces are used to make available Linistry’s Queue Management solution.

 

Linistry’s customer may also collect personal data in relation to the waiting person – in accordance with the conditions specified in its own privacy notice and the customer may use the personal data for the purposes specified therein (for instance, marketing, satisfaction surveys, data analysis).

The data processing of Linistry shall cover the following:

Description of Linistry’s tasks | Personal data processed by Linistry as a data processor | Data retention period and additional processors hired by Linistry

 

When using Linistry’s Queue Management solution, the waiting persons receive a numbered ticket. In case of a remote queue or when making an appointment (i.e. the waiting person is not waiting on site), the waiting person must provide her/his phone number or e-mail address and a name for addressing her/him. By using the data, Linistry will be able to call / notify the waiting persons when their turn comes: Linistry’s Queue Management solution will send an SMS or e-mail message to the specified contact address when the waiting person has to leave for the place of using the service chosen by her/him.

Data required for the operation of Linistry’s Queue Management solution, entered by the waiting person on a web interface: mobile phone number, name (as the display will show the waiting person’s name when calling – Linistry requests for a monogram or first name), e-mail address.

 

Linistry does not require a full name – any kind of name will be suitable, which allows the waiting person to realize that she/he is called to the specific administrator. The name is necessary because, when the waiting person arrives at the waiting spot, she/he is waiting for the screen to show the serial number assigned by Linistry, her/his name and the relevant counter. The name will help even if the waiting person cannot remember the number.

 

Linistry will also record the following data: the name of the service used during queuing, the estimated and actual time, place, and method of use (for example, by making an appointment or simply by queuing – walk-in; depending on this, Linistry’s Queue Management solution must work in a different way in order for Linistry to serve the waiting person). Such data are needed so that Linistry will be able to track the implementation of its service and then to complete the process.

 

Linistry also stores information about what messages a particular waiting person should have already received. For example, if any waiting person has not come, Linistry can check to see if the messages have been sent out and see exactly what information was sent in the message and when. The messages do not contain personal data (the content of the messages may be, for example: “It will be your turn soon, we are waiting for you!” or “Successful Queuing”).

General data retention period: Linistry will delete the waiting person’s name, mobile phone number and e-mail address from the active database not later than 48 hours after the scheduled service time unless the customer defines longer or shorter data retention period.

 

Backups: Linistry stores the data it processes as a data processor for 35 days as part of its backup unless the customer defines longer or shorter data backup period.

 

You can check the actual retention and backup period of your personal data in the privacy notice of the given customer the services of which you use through our Queue Management solution.

 

By using other, non-personal data, Linistry may make statistics and analysis for its customers (so-called “BI analysis” – for example, Linistry may check the number of services, the number of waiting persons, the average waiting and service time, the set time for service and saved minutes). The above statistics and analysis do not contain personal data of the waiting person anymore, so it is not possible to identify the person who was waiting in a queue before, nor her/his previous activity.

 

The list of additional data processors (sub-processors) hired by Linistry is provided in Section 5 of this Privacy Notice.

 

Linistry as data controller

During the use of Linistry’s Queue Management solution, there are a few cases when both the customer and Linistry separately determine their own purpose of the processing of the personal data of the waiting persons and the means of data processing. In this case the customer and Linistry shall act as independent “data controllers”. If this is the case, Linistry processes the following personal data for the following purposes:

Purpose of data processing | Legal ground of data processing | Personal data processed by Linistry | Data retention period and data processors hired by Linistry

 

Fulfilment of the contract with the waiting person, perform the services of Linistry’s Queue Management solution, sending communication to the waiting person related to the Queue Management solution.

 

For example, the waiting persons receive a ticket. In case of a remote queue or when making an appointment (i.e. the waiting person is not waiting on site), the waiting person must provide her/his phone number or e-mail address and a name for addressing her/him. By using the data, Linistry will be able to call / notify the waiting persons when their turn comes: Linistry’s Queue Management solution will send an SMS or e-mail message to the specified contact address when the waiting person has to leave for the place of using the service chosen by her/him.

Article 6 (1) (b) of the GDPR – the purpose is directly the performance (implementation) of the contract to which the individual is subject.

 

Data required for the operation of Linistry’s Queue Management solution, entered by the waiting person on a web interface: mobile phone number, name (as the display will show the waiting person’s name when calling – Linistry requests for a monogram or first name), e-mail address.

 

Linistry does not require a full name – any kind of name will be suitable, which allows the waiting person to realize that she/he is called to the specific administrator. The name is necessary because, when the waiting person arrives at the waiting spot, she/he is waiting for the screen to show the serial number assigned by Linistry, her/his name and the relevant counter. The name will help even if the waiting person cannot remember the number.

 

Linistry will also record the following data: the name of the service used during queuing, the estimated and actual time, place, and method of use (for example, by making an appointment or simply by queuing – walk-in; depending on this, Linistry’s Queue Management solution must work in a different way in order for Linistry to serve the waiting person). Such data are needed so that Linistry will be able to track the implementation of its service and then to complete the process.

 

Linistry also stores information about what messages a particular waiting person should have already received. For example, if any waiting person has not come, Linistry can check to see if the messages have been sent out and see exactly what information was sent in the message and when. The messages do not contain personal data (the content of the messages may be, for example: “It will be your turn soon, we are waiting for you!” or “Successful Queuing”).

General data retention period: Linistry will delete the waiting person’s name, mobile phone number and e-mail address from the active database not later than 48 hours after the scheduled service time.

 

Backups: Linistry stores the data it processes as a data processor for 35 days as part of its backup.

 

By using other, non-personal data, Linistry may make statistics and analysis for its customers (so-called “BI analysis” – for example, Linistry may check the number of services, the number of waiting persons, the average waiting and service time, the set time for service and saved minutes). The above statistics and analysis do not contain personal data of the waiting person anymore, so it is not possible to identify the person who was waiting in a queue before, nor her/his previous activity.

 

The list of data processors (sub-processors) hired by Linistry is provided in Section 5 of this Privacy Notice.

 

Processing with the customers of Linistry and in connection with Linistry’s other activities

During the following data processing activities, Linistry shall act as a so called “data controller” – it will determine the purpose and means of the processing of personal data.

Purpose of the data processing | Legal ground of the data processing | Personal data processed | Data retention period

 

Processing the personal data of contact persons and representatives, chief executive officers of contracting partners, contacts of Linistry’s customers (e.g. financial and telecommunications companies, commercial stores) and/or persons involved in contract performance / verification of performance (i.e. day-to-day implementation of contracts).

 

Purpose of the processing: performance of the contract (day-to-day activity) and/or keeping contact, providing information, sending communications.

 

This includes e.g. the processing of postal addresses of contact persons, their payment instructions or sending official notifications with the use of the contact details and information regarding contractual obligations to be fulfilled.

It depends on whether a contract is concluded with the individual (e.g. a private entrepreneur) or with any other undertaking;

a)      it is Article 6 (1) (b) of the GDPR – the purpose is directly the performance (implementation) of the contract to which the individual is subject;

b)     it is Article 6 (1) (f) of the GDPR – pursuing the legitimate interests of both Linistry and the contracting partner: fulfilling the obligations, exercising the contractual rights and synchronising business cooperation between the contracting parties.

 

The exchange of personal data is required under the contract; without them, Linistry is unable to conclude the contract and/or implement it, including the provision of Linistry’s “Take a Number” solution. Linistry cannot achieve the purpose of the processing without the contact details; they are absolutely necessary for keeping in touch, informing the data subjects and communicating with them.

The contact details (i.e. name, e-mail addresses, telephone numbers, mobile phone numbers, telefax numbers) of the contact persons of the contracting partners and/or persons involved in contract performance and verification of performance, and any other activity of or communication which includes any kind of personal data (e.g. communication received from a contact person or any other person acting on behalf of a contracting partner) in connection with the contract.

 

The personal data are either provided to Linistry by the contracting partner, or the individuals themselves.

5 years after the date when the contractual relation ceased (Section 6:22 (1) of the Civil Code – claims lapse in 5 years)

 

Tax obligations: data retention period is 5 years from the last day of the calendar year in which the tax concerned should have been declared or reported or, in the absence of such declaration or report, the tax should have been paid (Sections 78 (3) and 202 (1) of Act CL of 2017 on the Taxation Procedure –“Taxation Act”).

 

Accounting documents: the data retention period is 8 years (Sections 168-169 of the Accounting Act). In practice this means when the data are included in documents which support the accountancy records, for example when the data appear in contract documents between Linistry and the counterparty (such as an order) or on an invoice.

 

Processing the personal data of contact persons, representatives, chief executive officers of contracting partners and/or persons involved in contract performance and verification of performance in connection with compliance issues or any other activity needed to implement the contract including seeking remedies in order to enforce the rights arising from the contracts.

 

Purpose of the data processing: any other action related to contractual or non-contractual compliance issues or the exercise of other rights. For example, seeking the remedies necessary to secure the rights of Linistry.

 

The legal basis of processing data is the legitimate interest of Linistry (Article 6 (1) (f) of the GDPR). The legitimate interest: handling compliance issues or any other activity needed to implement the contract including seeking remedies in order to enforce the rights arising from the contracts.

 

It is also in Linistry’s legitimate interest to use the personal data of the persons concerned for evidence, claims and enforcement in any dispute. Linistry needs this data in order to initiate and prove possible enforcement proceedings, without which the purpose of data processing cannot be achieved.

The contact details (i.e. natural identification data – name, mother’s maiden name, place and date of birth, home address – e-mail addresses, telephone numbers, mobile phone numbers, telefax numbers) of the contact persons of the contracting partners and/or persons involved in contract performance and verification of performance, and any other activity or communication which includes any kind of personal data (e.g. any communication received from a contact person or any other person acting on behalf of a partner) in connection with the contract.

 

The personal data is provided to Linistry either by the contracting partner or the individuals themselves, or third parties involved in the case.

5 years after the date when the contractual relation between Linistry and the contracting party ceased (Section 6:22 (1) of the Civil Code – claims lapse in 5 years)

Processing related to the enforcement of the data protection rights of the individuals (see Section 7 for details)

 

Article 6 (1) (c) of the GDPR (processing is necessary for compliance with a legal obligation to which Linistry as a controller is subject).

 

Legal obligation: to enable data subjects to exercise their rights set out in Articles 15-22 of the GDPR and document any other step taken in relation to inquiries, and to cooperate with Linistry’s customer in the management of the data subject’s rights (if Linistry acts as a data processor).

Personal data related to inquiries received by Linistry in respect of data protection: in the case of individuals / legal entities or other organisations contacting Linistry, the data of the contact person necessary for making contact (including without limitation name, address, e-mail, phone), the content of the inquiry and steps taken and documents made in relation to the inquiry. For example, if an individual requests the deletion of all her/his data by email under the GDPR and Linistry performs this request, then the email itself in which the individual requested deletion will nevertheless be kept. Data retention period: indefinite period, unless the data protection authority gives any other guidance.
Keeping records of personal data breaches (including documenting steps taken in relation to responding to incidents)

Article 6 (1) (c) of the GDPR (processing is necessary for compliance with a legal obligation to which Linistry as a controller is subject)

 

Legal obligation: under Article 33 (5) of the GDPR, the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with the GDPR. If Linistry acts as a processor, under Article 33 (2) of the GDPR, it shall notify the controller without undue delay after becoming aware of a personal data breach.

Personal data of the data subjects affected by the personal data breach. Data retention period: indefinite period, unless the data protection authority gives any other guidance.

 

  5. ENTITIES ENTITLED TO PROCESS PERSONAL DATA

Linistry engages the following contractual partners for carrying out tasks related to data processing operations in addition to the ones listed above. Such contracting parties act as so-called “data processors” (i.e. they process the personal data defined in this Notice on behalf of Linistry). If Linistry is acting as a data processor, these organisations are acting as “sub-processors”.

Linistry should only use data processors or sub-processors that provide sufficient safeguards, in particular in terms of expertise, reliability and resources, for the implementation of technical and organisational measures which ensure that the requirements of the GDPR are met. Said safeguards should include the security of processing. The particular tasks and liabilities of the data processor or the sub-processor are provided for in the data processing agreement made between Linistry and the data processor or the sub-processor. After the completion of the processing on behalf of Linistry, the processor or the sub-processors shall, at the choice of Linistry or Linistry’s customer, return or delete the personal data, unless there is a requirement to store the personal data under European Union or Member State law to which the processor is subject.

 

The data processor | Activity

 

Microsoft Ireland Operations Ltd

One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521

Microsoft Ireland Operations Limited shall provide the Microsoft Office 365 service. Linistry shall process the personal data as a data controller or a data processor by using the Office 365 service.

 

CloudSoft Kft. (2000 Szentendre, Ribizli utca 14.) shall provide the online service named Microsoft Azure as an intermediary partner of Microsoft Ireland Operations Limited. Linistry shall store the personal data processed by it as a data controller or a data processor in the database created in Microsoft Azure. Microsoft’s data centres are in the EU.

Amazon Web Services EMEA SARL

38 Avenue John F Kennedy, L-1855, Luxembourg

E-mail sending service.

 

During its services, Amazon Web Services EMEA SARL shall also transfer personal data outside the European Economic Area (EEA). The data protection legislation in most non-EEA countries does not provide an adequate level of data protection as defined by the GDPR. In order to ensure adequate data protection guarantees, Linistry and Amazon Web Services EMEA SARL have entered into a model contract in the form approved by the European Commission (“General Terms and Conditions” or “Standard Contractual Clauses” or “SCC”), which is available here: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf. For further information on the SCCs please visit the website of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_hu.

Vonage BV

Radarweg 29 A 12 Office, 1043 NX, Amsterdam, Netherlands

Linistry’s telecommunications partner. It will transmit notification SMS required for the queuing (waiting) process between the waiting persons and Linistry, and send the SMS to the appropriate telecommunications company. During such process, it will access the following personal data: telephone number of the waiting persons and the time, place and mode of the queuing.

EU Data Center Isolation: This feature ensures that personal data associated with communications records, such as SMS messages, remains within European data centers. However, Vonage notes that while data transiting their platform can be confined to the EU, downstream delivery via mobile operators and aggregators may involve entities outside the EU.

We are using the German data center in Frankfurt.

   

Soroban Consulting Kft.

 

 

It provides book-keeping services. Within this, it will have full access to company, contract and HR information, but it will have no access to the personal data of the waiting persons stored in the Linistry system.

  6. SECURITY (TECHNICAL AND ORGANIZATIONAL) MEASURES

Linistry protects its personal data storage systems with multifactor authentication and uses a number of Microsoft Azure security settings. One example of such a setting is encrypted (SSL) communication. The SQL (Structured Query Language) database is protected by a firewall and can only be connected to from a specific IP address. In addition to SSL protection, the API interfaces are authenticated with OAuth authentication. Azure platform admin interfaces can only be accessed with multifactor authentication.

Linistry’s office building is protected by an electronic access system in the. Linistry offices can be locked with keys.

  7. DATA PROTECTION RIGHTS AND REMEDIES

Unless otherwise provided below, this section applies to the data processing operations where Linistry acts as a data controller. If Linistry acts as a data processor, it cooperates with the data controller in handling data protection requests from data subjects.

7.1        Data protection rights and remedies

The detailed rights and remedies of the individuals are set forth in the applicable provisions of the GDPR (especially in Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80, and 82 of the GDPR). The summary set out below describes the most important provisions, and Linistry provides information for the individuals in accordance with the above articles about their rights and remedies related to the processing of personal data.

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the individual, information may also be provided orally, provided that the identity of the individual is verified by other means.

Linistry will respond without unreasonable delay to the request of an individual in which such person exercises her/his rights about the measures taken upon such request (see Articles 15-22 of the GDPR), with said response by no means to occur later than one month after receipt thereof. This period may, if needed, be extended for a further two months in light of the complexity of the request and the number of requests to be processed. Linistry shall notify the individual about the extension and also indicate its grounds therefor within one month of the receipt of the request. Where the request has been submitted by electronic means, the response should likewise be sent electronically, unless the individual requests otherwise.

If Linistry does not take any measure upon the individual’s request, it shall so notify the individual without delay, but by no means later than one month after receipt thereof, stating why no measures will be taken. Additionally, Linistry shall inform the individual about the individual’s right to lodge a complaint with the data protection authority and to file an action for remedy with the courts.

7.2       The individual’s right of access

(1)         The individual has the right to obtain confirmation from Linistry with regards to whether or not personal data concerning them is being processed. In such a case, the individual is entitled to have access to the relevant personal data and to the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data has been or will be disclosed, specifically including recipients in third countries and/or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the right of the individual to request from Linistry rectification or erasure of personal data, or restriction of processing of personal data concerning the individual, or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data is not collected from the individual, any available information as to its source.

(2)         Where personal data is forwarded to a third country, the individual is entitled to obtain information concerning the adequate safeguards of the data transfer.

(3)         Linistry provides a copy of the personal data undergoing processing to the individual. Linistry may charge a reasonable fee based on administrative costs for requested further copies thereof. Where the individual submitted their request by electronic means, the information will be provided to them in a commonly used electronic form unless otherwise requested by the data subject.

7.3        Right to rectification

The individual has the right to request that Linistry rectify inaccurate personal data which concerns them without undue delay. In addition, the individual is also entitled to have incomplete personal data completed e.g. by a supplementary statement or otherwise.

7.4        Right to erasure (‘right to be forgotten’)

(1)         The individual has the right to request that Linistry erase the personal data concerning them without delay where one of the following grounds applies:

(a)      the personal data is no longer required for the purposes for which it was collected or otherwise processed by Linistry;

(b)      the individual withdraws consent on which the processing is based, and there are no other legal grounds for the processing;

(c)      the individual objects to the processing and there are no overriding legitimate grounds for the processing;

(d)      the personal data has been unlawfully processed;

(e)      the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which Linistry is subject;

(f)      the collection of the personal data occurred in connection with the offering of services regarding the information society.

(2)         If Linistry has made the personal data public and it is later obliged to delete it as a result of the above stated grounds, it will take reasonable steps to delete it, taking into account the available technology and the costs of implementation. These reasonable steps include technical steps in order to inform processors who carry out processing that the individual has initiated a request for the links leading to the relevant personal data, or the copies or reproductions thereof, be deleted.

(3)         Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other things, for:

a) exercising the right of freedom of expression and information;

b) compliance with a legal obligation which requires processing by European Union or Member State law to which Linistry is subject;

c) archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

d) the establishment, exercise, or defence of legal claims.

7.5        Right to restriction of processing

(1)         The individual has the right to obtain a restriction of processing from Linistry where one of the following applies:

a) the accuracy of the data is contested by the individual, for a period enabling Linistry to verify the accuracy of the personal data;

b) the processing is unlawful, and the individual opposes the erasure of the personal data and requests the restriction of its use instead;

c) Linistry no longer needs the personal data for the purposes of the processing, but the individual requires it for the establishment, exercise or defence of legal claims;

d) the individual has objected to processing pending the verification of whether the legitimate grounds of Linistry override those of the individual.

(2)         Where processing has been restricted under paragraph (1), such personal data shall, with the exception of storage, only be processed with consent of the individual or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3)         Linistry informs the individual whose request has served as grounds for the restriction based on the aforesaid, before the restriction of processing is lifted.

7.6        Notification obligation regarding rectification or erasure of personal data or restriction of processing

Linistry will communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. Linistry shall inform the individual about those recipients if they so request.

7.7        Right to data portability

(1)         The individual has the right to receive the personal data concerning them, which they have provided to Linistry, in a structured, commonly used, and machine-readable format and has the right to transmit that data to another controller without hindrance from Linistry, where:

a) the processing is based on consent or on a contract; and

b) the processing is carried out by automated means.

(2)         In exercising the right to data portability pursuant to paragraph (1), the individual shall have the right to have the personal data transmitted directly from one controller to another (thus from Linistry to another controller), where technically feasible.

(3)         Exercising the aforesaid right shall be without prejudice to provisions concerning the right to erasure (‘right to be forgotten’) and, further, this right shall not adversely affect the rights and freedoms of others.

7.8        Right to object

(1)         The individual has the right to object, on grounds relating to her/his particular situation, at any time to the processing of personal data concerning them for the purposes of legitimate interests. In such a case, Linistry will no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the individual, or for the establishment, exercise or defence of legal claims.

(2)         Where the processing of personal data serves direct marketing purposes the individual is entitled to object to the processing of personal data regarding them for such purposes, including profiling, in so far as the latter relates to direct marketing.

(3)         If the individual objects to the processing of personal data with the aim of direct marketing, then the personal data can no longer be processed for this purpose.

(4)         In connection with the use of services related to information society, the individual may resort to their right of objection, with deviation from Directive No 2002/58/EC, by means of automated devices based on technical requirements.

(5)         Where personal data is processed for scientific or historical research purposes or statistical purposes, the individual, on grounds relating to their particular situation, has the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.9        Right to lodge a complaint with a supervisory authority

The individual has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement if they consider that the processing of personal data relating to them infringes the GDPR. In Hungary, the competent supervisory authority is the Hungarian Authority for Data Protection and Freedom of Information (http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf.: 9; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu). This right also applies to the individual if Linistry is a data controller and also if Linistry is a data processor.

7.10      Right to an effective judicial remedy against a supervisory authority

(1)         The individual has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

(2)         The individual has the right to an effective judicial remedy where the supervisory authority that is competent does not handle a complaint or does not inform them within three months on the progress or outcome of the complaint lodged.

(3)         Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

7.11      Right to an effective judicial remedy against Linistry or the processor

This right also applies to the individual if Linistry is a data controller and also if Linistry is a data processor.

(1)         Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, any individual has the right to an effective judicial remedy where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in non-compliance with the GDPR.

(2)         Proceedings against Linistry or a processor shall be brought before the courts of the Member State where Linistry or the processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual has their habitual residence. In Hungary, the general court has jurisdiction in these kinds of proceedings. The proceedings can be brought, according to the choice of the individual concerned, before the general court of the individual's habitual residence or place of stay. Information on the competent courts and their contact details is available at birosag.hu.