Statement on Data Handling and Data Processing

from Webergoline Ltd. to customers who receive IT services from Webergoline Ltd.

Version: 1.01 Dated: 2018-05-17
Version: 1.02 Dated: 2018-05-24
Changes between v1.01 and v1.02 are underlined in the text.

Circumstances: why is this statement necessary?

1. Statement of Webergoline Ltd.
1.1 What kind of personal data does Webergoline Ltd. handle or process?
1.1.1 Case management system
1.1.2 Accessing customer data stored in the IT system of Webergoline Ltd.
1.2 For what purpose does—if it does—Webergoline Ltd. handle customer data?
1.3 What is the legal base for data handling?
1.4 What is the time frame of data handling?
1.5 What security measures does Webergoline Ltd. take to protect data?
1.6 Location of data handling and data processing
1.7 What rights does Webergoline Ltd. secure regarding personal data handling?
1.8 What measures does Webergoline Ltd. take if there is a data protection incident?
1.9 Legal environment

Circumstances: why is this statement necessary?

Contracts are signed between Webergoline Ltd. (registered office: 1124 Budapest, Apor Vilmos tér 25-26., corporate registration number: 01-09-982965) and its customers regarding IT, website, webshop, and web application service development. During the realization of these contracts, Webergoline Ltd. and its subcontractors (hereinafter: Webergoline Ltd.) access their customers’ IT infrastructure and the data stored there, since it is essential for the realization of the contracts. Under these circumstances, Webergoline Ltd. falls under the categories of “data handler” and “data processor” as defined by the current data protection legislation effective in the EU and in Hungary. For this reason, Webergoline Ltd. issues the present Statement on Data Handling and Data Processing (hereinafter: Statement).

With the Statement, Webergoline Ltd. records certain facts regarding its data handler and data processor position. The Statement does not substantially affect the cooperation between Webergoline Ltd. and its customers.

1. Statement of Webergoline Ltd.:

On behalf of Webergoline Ltd., I, Attila Horváth, executive director of Webergoline Ltd. and the person entitled to sign, issue the following statement:

1.1 What kind of personal data does Webergoline Ltd. handle or process?

Two main situations can be distinguished:

1.1.1 Case management system

Webergoline Ltd. appears as a data handler during the correspondence between Webergoline Ltd. and its customers, since data appears in the case management system of Webergoline Ltd. in the process. In this situation Webergoline Ltd. does not require and does not collect personal data as defined by GDPR and by Act CXII. of 2011 on informational self-determination and freedom of information. If personal data should enter the case management system, it will be deleted two years after the contract is fulfilled. In addition, business email addresses, phone numbers, and IT user accounts regularly enter the case management system of Webergoline Ltd. These are also deleted two years after the contract is fulfilled.

1.1.2 Accessing customer data stored in the IT system of Webergoline Ltd.

As an operator of IT infrastructure, Webergoline Ltd. does not collect personal data, does not process information, and does not prepare analyses of individuals’ private data during its web development services. Webergoline Ltd.’s activities are exclusively limited to carrying out the objectives of the contracts: development of websites, of webshops, and of individual web services.

However, during web development, Webergoline Ltd. accesses a wealth of information on its infrastructure. This data belongs to two main categories:

  • Technical: Webergoline Ltd. has to work with this data. Files monitoring website operation and configuration files belong in this category.
  • User: In this category belong databases, emails, and .doc and .xls files. In general, Webergoline Ltd. does not know and therefore cannot declare what kind of data this entails regarding content, since this is customer data. Without explicit mandate, Webergoline Ltd. does not look into, examine, analyze, or copy the content of this data, as it has strictly been regulated by Webergoline Ltd.’s internal regulation since 2012. This data can be personal or business data; however, Webergoline Ltd. does not have the competence, the ability, or the mandate to make this differentiation, and consequently it does not differentiate between them.

1.2 For what purpose does—if it does—Webergoline Ltd. handle customer data?

Webergoline Ltd. provides web development services; it creates websites and webshops according to the customers’ requests. The picture and content data necessary for the projects is provided by the customers, and Webergoline Ltd. does not interpret the content of this data. Webergoline Ltd. only uses this data to carry out its tasks, including making this data available and usable for the runtime system (e.g., it makes available the invoice database for the invoice system), backing up this data, resetting this data, etc.

1.3 What is the legal base for data handling?

The legal base is provided by contractual obligation.

1.4 What is the time frame of data handling?

Webergoline Ltd. deletes the data from the case management system two years after the contract is fulfilled. Access to its customers’ systems is ad hoc, meaning that it has access to the data only during the login time or during a backup. This data access and data handling cease once Webergoline Ltd.’s contractual obligation is fulfilled.

1.5 What security measures does Webergoline Ltd. take to protect data?

  • In its customer communication, Webergoline Ltd. uses a VPN-protected case management system (on its own servers) and SSL-channel-protected email and teamwork-supporting systems (Microsoft O365 and Google Suite).
  • As defined in its internal regulation, Webergoline Ltd. duplicates customer data only in two cases:
      • If it is necessary for data security (e.g., backups). For this, Webergoline Ltd. always asks for consent from the customer, and, at the point when the backup is no longer needed, it deletes the data.
      • If Webergoline Ltd. needs to have a copy based on an explicit assignment (e.g., data reset task, DRP test).
  • Webergoline Ltd. kindly asks its customers not to send personal data as defined by GDPR, because Webergoline Ltd. can only delete data from its case management system with extra effort. Based on the examination of the law and our position, Webergoline Ltd. understands that email addresses and phone numbers that are received through our normal business activity do not qualify as data under GDPR regulation.
  • Webergoline Ltd. has procedures and regulations that are necessary to comply with the above laws, and they are continuously expanded and developed.

Further disclaimer on secure data handling: In certain cases, email is not an encrypted channel. For this reason, data sent via email during correspondence between Webergoline Ltd. and its customers (or other partners) can be considered as public data. Exceptions are: data transferred in encrypted attachments (e.g., password-protected Word, .zip, or .pdf documents), and encrypted letters (S/MIME, PGP, GPG, etc.).

1.6 Location of data handling and data processing

The staff of Webergoline Ltd. often work from a home office, in or beyond EU countries. Some of Webergoline Ltd.’s team live abroad, with many of them in Transcarpathia, Ukraine. Webergoline Ltd. signs a contract on data handling with every one of its subcontractors as recommended by the European Commission’s sample contract.

(https://eur-lex.europa.eu/legal-content/HU/ALL/?uri=CELEX:32010D0087)

1.7 What rights does Webergoline Ltd. secure regarding personal data handling?

As Webergoline Ltd. does not store personal data by default, this question is not relevant in this case. Nevertheless, Webergoline Ltd. expects its customers to send remarks and notes regarding this issue to the designated contact email address that can be found in the contract.

In addition, Webergoline Ltd. provides support for its customers to comply with their responsibilities as defined by GDPR and other regulations on data handling, including the cooperation in audits on data handling processes. If the contract does not explicitly state the participation in GDPR audits regarding any of the actual services, then Webergoline Ltd. can provide that service for an extra fee.

1.8 What measures does Webergoline Ltd. take if there is a data protection incident?

In accordance with the regulations, Webergoline Ltd. reports the incident to the supervising authority within 72 hours of the realization of the incident and keeps a record of every data protection incident. Webergoline Ltd. informs the customer of the incident, if it is required by the law, and in all justified cases.

1.9 Legal environment

  • Act CXII. of 2011 on the right to informational self-determination and freedom of information (regarding personal data handling)
  • Regulation (EU) 2016/679