Privacy notice

REGARDING CERTAIN MANAGED SUPPORT SERVICES

Effective from: June 1, 2024

1. Introduction

1.1 As of 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter as: "GDPR") entered into force in all Member States of the European Union.

1.2 This Privacy Policy (hereinafter as: the Policy) is published in order to comply with the provisions of the GDPR and explain to natural persons which personal data Aliz Technologies Korlátolt Felelősségű Társaság (hereinafter as: Aliz Tech Kft./Company/Controller) compiles and how it uses the personal data in relation to MSP (Managed Support Services) services.  In the course of providing the services, Controller may receive, store, and manage sensitive data on Controller’s systems. The obligation to provide information is provided for in Article 13 of the GDPR and in Article 14(a) of Act CXII of 2011 on Informational Self-determination and Freedom of Information (the Information Act).

2. Identification and contact details of the Controller

name: Aliz Technologies Korlátolt Felelősségű Társaság (Aliz Tech Kft.)

registered office: 1143 Budapest, Gizella út 42-44.

company registration number: 01-09-924920

tax number: 14894413-2-42

e-mail: hello@aliz.ai

phone: +36 70 513 3986

website: http://aliz.ai

Controller’s representative: Tamás Szatmári

The Controller is a business association incorporated in Hungary.

The Controller is not obliged to appoint a data protection officer.

The Controller shall process any personal data that comes to its knowledge in full compliance with the currently effective data protection provisions, in particular the provisions of the Information Act and the GDPR.

If you have any questions or requests regarding the processing of your personal data, you can contact us by sending an e-mail to msp@aliz.ai. 

3. Definitions:

“personal data” means any information relating to an identified or identifiable natural person (hereinafter as: “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

“processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients; the processing of such data by those public authorities must be in compliance with the applicable data protection rules in line with the purposes of the processing;

“third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“GTC and MSP service” means the contract made, by and among Aliz Tech Kft. as service provider and the client (‘Client’) on Managed Support Services which specifies the Services.

For more definitions, explanatory notes see also Article 4 of the GDPR.

4. Security, responsibility and purposes for processing personal information

4.1 The Controller shall respect the protection of personal data and shall ensure that such data provided to it will be processed and stored with due consideration of the currently effective legislation. The Controller shall use the personal data only for the purposes indicated, shall not merge them with its databases from other sources, shall not disclose the personal data processed to third parties without the express consent of the Data Subject, unless expressly provided for by law, and shall use all reasonable efforts to protect such data. The personal data processed will be stored in the manner and for the purposes described in this Policy only for the time necessary for the purpose for which the data was collected.

4.2 The Controller provides MSP services only to legal entities. The Controller may process personal data as follows: personal data included in service contract; on requests for the use of the service (e-mail/Ticket).

4.3. The Client shall use all reasonably available means to ensure that the Controller does not have access to the Client's personal data during the provision of the Services (including, in particular, the personal data of the Client's customers and employees), unless this is absolutely necessary for performance. In order to ensure an adequate level of security of the processed personal data, the Client encrypts or anonymizes or pseudonymizes the personal data with which the Controller would work, so that the Controller can work with such encrypted or anonymized or pseudonymized data instead. If, in order to perform the Services, it is necessary for the Controller to access the Client's personal data (including, in particular, the personal data of the Client's customers or employees), then the Client grants access to them, and shall inform the data subjects about the processing of their personal data by the Controller as per the terms of this Policy.

4.4 The Client is solely responsible and warrants for the compliance of its own personal data collection and processing practices, including where the Client uses the Services to process its employees’ or other individual’s personal data.

4.5 The Client undertakes to inform its employees and other individuals within its control (such as customers and subcontractors) about the processing of their data in relation to the MSP Services provided by the Controller. The Client shall inform the data subjects about the processing of their personal data by sharing this Policy. The Controller is not responsible for any loss or damage caused by any negligence or infringement by the Client of any data protection regulations or contractual obligations.

5. Data processing notices in connection with certain MSP services

If a technical incident is detected by the Client’s employee (individual), the individual notifies the Controller directly or through the Client’s dedicated technical representative in the Ticketing System or via e-mail.

The Client (including the relevant employees and customers of the Client) submits requests to the Controller for the use of individual Services to the Client via the Ticketing System specified by the Controller or by e-mail.

Categories of personal data processed: name; e-mail; phone number; fax No.; location; message of Ticket / email

The purpose of personal data processing: availability and use of individual services, ensuring the process

Legal basis for processing: processing personal data on the basis of execution of the legitimate interests of the controller of personal data. Legal basis article 6 paragraph (1) letter f) GDPR

Retention period: the Controller retains records as long as ticket is closed

6. Data transfer

The Controller shall not transfer the Data Subject's personal data to a third country or international organization outside the European Economic Area, except for the cases explicitly mentioned in this Policy.

The Controller shall not disclose any Data Subject's personal information collected upon the performance of the Services or in any other manner as set out in this Policy, except in the following cases:

7. Information about external collaborators

To perform certain services and functions, Controller may share personal information with vendors and external service providers, including providers of technology services, analytics services and hosting services. Partners have access to, process or store personal information to provide the Service.

7/1. Suppliers needed to provide the service:

Suppliers, including identification and contact information, economic information needed to manage the technical services that they supply to the Controller. For further information: https://aliz.ai/en/partner-data-privacy/

7/2. Processing for the storage of personal data:

Personal data is stored in the Ticketing System and the email service. The storage service provider will process personal data, which are stored within their database.

Name of the data processor: Zendesk, Inc.

The registered office of the data processor: Privacy Team, 989 Market Street, San Francisco, CA 94103, United States

E-mail of the data processor: euprivacy@zendesk.com

Website of the data processor: https://www.zendesk.com/company/agreements-and-terms/privacy-notice/#contact-information

Name of the data processor: Google Ireland Limited

The registered office of the data processor: Gordon House, Barrow Street, Dublin 4, Ireland (Privacy Team: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)

E-mail of the data processor: https://support.google.com/a/contact/edu_privacy

Website of the data processor: https://policies.google.com/privacy?hl=en

The processor stores the data in accordance with the contract with the Controller. The processor is not entitled to access the data.

Pursuant to the Controller’s instructions, these vendors will access, process, or store personal information in the course of performing their duties to the Controller and do not use the Controller’s personal data for their own purposes unless required to do so by law.

8. How personal data is stored and how it is protected

8.1 The Controller implements appropriate technical and organizational measures to ensure a level of data security appropriate to the level of risk in its processing activities, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

8.2 The personal data collected through the platform is stored on (cloud-type) servers located in the European Union for the purposes set out in the Policy.

8.3 The Controller shall design and implement the data processing operations in a way to ensure the protection of the privacy of the data subjects, to reduce the risk of unauthorized access or changes to the system in operation.

8.4 The Controller's IT systems and network are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and attacks that could lead to denial of service. The Data Controller ensures security through server-level and application-level protection procedures.

8.5 Regardless of the (e-mail) protocol, electronic messages transmitted over the Internet are vulnerable to network threats that can lead to fraudulent activity or the disclosure or alteration of information. In order to protect against such threats, the Controller takes all reasonable precautions. Systems will be monitored to ensure that any security discrepancies are recorded and evidence of any security incident is available. However, as everyone knows, the internet is not 100% secure. Despite the Controller’s utmost care, the Controller is not responsible for damages caused by an unprotected attack.

 

9. Rights of Data Subjects

Data Subjects may at any time contact the Controller at the contact details set out in Section 2 and 

Right of access

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and receive information about the circumstances of their processing. If the Data Subject's request is manifestly unfounded or if the Controller is not entitled to provide the information, or if the Controller can prove that the Data Subject has the requested information, the Controller shall reject the request for information.

Right to rectification

The Data Subject shall have the right to obtain from the Controller, upon his or her request, the rectification of inaccurate personal data processed by the Controller without undue delay and the completion of incomplete personal data.

Right to erasure

The Data Subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data without undue delay where one of the following grounds applies:

i. those personal data are no longer needed;

ii. the consent underlying the processing is withdrawn and there is no other legal basis for the processing;

iii. the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;

iv. if the personal data have been unlawfully processed by the Controller;

v. if the personal data must be erased by law.

The Controller shall not erase the data if the processing is necessary (i) for the exercise of the right to freedom of expression and information; or (ii) for compliance with an obligation under a law that requires the processing of personal data; or (iii) for the establishment, exercise or defense of legal claims.

Right to restriction of processing

The Data Subject shall have the right to obtain from the controller the restriction of processing where one of the following applies:

i. the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;

ii. the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

iii. the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims; or

iv. the Data Subject has objected to processing; in this event the restriction is pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Where processing has been restricted, the personal data subjected by the restriction shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Controller shall inform the Data Subject in advance of the lifting of the restriction. If the Controller establishes that the objection is justified, it shall terminate the processing as soon as possible and notify the objection to all those to whom it has previously disclosed the Data Subject's data.

The right to object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on the Controller’s legitimate interest. In this case the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.

Right to data portability

Where it does not infringe the rights and freedoms of others, the Data Subject is entitled to receive his or her personal data in a structured, commonly used, machine-readable format. He or she also has the right to have these data transmitted directly by the Controller to another controller if

i. processing is based on the Data Subject’s consent or is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; and

ii. data processing is automated, i.e. personal data is processed in an IT system and not on paper.

Processing of the Data Subject's request

The Data Subject may send his or her request to exercise the above rights to the contact details of the Controller as set out in Section 2. The Controller shall provide information on the measures and actions taken on the request no later than 30 days from the date of receipt of the request or, if no action is taken, it shall provide information about the reasons for the lack of action no later than 30 days from the date of receipt of the request. The Controller shall then also inform the Data Subject of his or her rights of redress (legal remedy).

The Data Subject may request information on processing once a year free of charge. If the Data Subject requests further information regarding the same set of data in a given year, the Controller shall be entitled to claim reimbursement of costs, the amount and the due date of which shall be determined on the basis of the specific circumstances of the case.

10. Handling of Personal data breaches

In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The Controller shall document any Personal data breaches, comprising the facts relating to the Personal data breach, its effects and the remedial action taken, in a manner that allows the supervisory authority to verify that the Controller has complied with its legal obligations regarding the notification of a Personal data breach.

When, in the opinion of the Controller, the Personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall notify the Data Subject about the Personal data breach, without undue delay, and provide information on the following:

i. the nature of the personal data breach;

ii. the name and contact details of the data protection officer;

iii. the likely consequences of the personal data breach, furthermore;

iv. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Controller shall not be under an obligation to inform the Data Subjects and shall not send a notification about the Personal data breach, if

i. the Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

ii. the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;

iii. the provision of information would involve a disproportionate effort and the Controller notifies and informs the Data Subjects by means of a public notice on its Website.

11. Legal remedy

The Data Subject may exercise his/her rights before the courts in accordance with the GDPR, Data and the Act V of 2013 on Hungarian Civil Code. Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information (NAIH):

Name: National Authority for Data Protection and Freedom of Information

post address: 1374 Budapest, Pf. 603.

address: 1055 Budapest, Falk Miksa utca 9-11.

Phone number: +36 (1) 391-1400

Fax: +36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

URL: http://naih.hu

In the event you still have requests or complaints, please contact the Berlin Commissioner for Data Protection and Freedom at

https://www.datenschutz-berlin.de/
Tel.: +49 30 13889-0
Fax: +49 30 2155050

This Privacy Policy may be unilaterally amended and/or withdrawn by the Controller at any time, by informing the Data Subjects at the same time. Such information shall be provided by publication on the website or, depending on the nature of the change, by direct notification to the Data Subjects.

If you consider that the Controller is not acting lawfully in processing your personal data, please first communicate your observations or requests to the Controller using one of the contact details listed above, in order to enable us to process and handle your observation as quickly and efficiently as possible.

If you have any questions or comments, please write to us at the following e-mail address: msp@aliz.ai