Privacy Policy


Privacy Policy – Preamble

In the course of managing your data, being mindful of your best interests, Phantom Shopping always acts in full compliance with Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest as well as other effective privacy laws and the data protection practices developed through the activities of the Data Protection Commissioner while also having regard to key international recommendations.

1. INTRODUCTION

The purpose of this policy is to record the privacy and data management principles applied by MS International Ltd. and the Company’s data protection and data management policy.
MS International Ltd. undertakes to ensure that all data management related to its activity meets the requirements set out in this policy and the applicable legislation.
The purpose of this policy is to enable the data subject to receive information about the data, the source, the purpose, the legal basis, the duration of the data processing, the data processor, the address and the data handling related activities of the data processor involved in the processing of data by MS International Ltd. on paper and electronically managed data, in the case of the transfer of his personal data concerned – the legal basis and the addressee of the transfer. The scope of this policy also applies to phantomshopping.com website and Mymo interface management and operation of MS International Ltd.
By this policy, MS International Ltd. wishes to ensure the lawful operation of the registers, the constitutional principles of data protection and the enforcement of data security requirements, and to prevent unauthorized access to, and unauthorized alteration or disclosure of, the data.
MS International Ltd. treats personal information as confidential and will take all security, technical and organizational measures that guarantee the security of data.

Data Manager Data:

Name: MS International Advisory and Trading Service Limited Liability Company
Headquarters: 1023 Budapest, Ürömi utca 43.
Company Registration Number: Cg. 01-09-199280
Phone: (+36) 1 274 4957
Mobile: (+36) 20 776 0749
E-mail: [email protected]

 

 2. TERMS OF REFERENCE

– Data subject: Any natural person determined or identified, directly or indirectly, by any identified personal data;
– Personal data: data related to the data subject, in particular the name, identifier and the knowledge of one or more physical, physiological, mental, economic, cultural or social identities of the data subject, as well as the deduction from the data;
– Special Data: racial origin, membership of a national and ethnic minority, political opinion or party affiliation, religious or other beliefs, the membership of a representation, health status, abnormal passion, sexual life data and criminal personal data;
– Criminal personal data: personal data relating to a criminal offense or criminal proceedings relating to criminal proceedings or the detection of criminal offenses in connection with or in connection with criminal proceedings, as well as in the organization of the enforcement of sentences, relating to the criminal record;
– Contribution: voluntary and decisive disclosure of the data subject’s will, based on appropriate information and with which he or she gives his / her unambiguous consent to the handling of any personal data relating to it – full or for each operation;
– Objection: the statement of the data subject with whom he or she is objecting to the handling of his or her personal data and requesting the termination of the data processing and the cancellation of the processed data;
– Data Manager: a natural or legal person or a non-legal entity that either independently or with others determines the purpose of data management, makes and executes decisions on data handling (including the equipment used) or performs it with the data processor;
– Data Management: regardless of the method used, any operation or the operations together, such as collecting, capturing, recording, organizing, storing, modifying, utilizing, retrieving, transmitting, publishing, aligning, linking, blocking, deleting and destroying any of the operations, or to prevent further use of the data, to take photographs, sound or images, and to record physical features (such as finger or palm print, DNA pattern, iris image) that can identify the person;
– Transmission: To make the data available to a specific third party;
– Disclosure: To make the data available to anyone;
– Deletion of data: To make data unrecognizable in such a way that its recovery is no longer possible;
– Blocking data: For the purpose of limiting the continued handling of the data with an identifying indication for a definite or fixed time period;
– Data destruction: Complete physical destruction of data media;
– Data processing: Performing technical tasks related to data management operations, regardless of the method and device used to implement the operations and the location of the application, provided that the technical task is carried out on the data record;
– Data processor: is a natural or legal person or non-legal entity who, on the basis of a contract, including a contract under a provision of the law, processes data;
– Privacy Incident: Unauthorized handling or processing of personal data, including unauthorized access, modification, transmission, disclosure, deletion or destruction, and incidental destruction or damage.
If the terms of reference of the applicable data protection law (when this policy is drafted the Act on Information) differ from the terms of this policy, then the terms defined by law will govern.

Abbreviations used in these policies:

Act on Information: Act CXII of 2011 on the right to informational self-determination and freedom of information
Accounting Act: Act C of 2000 on Accounting
Art.: Act V of 2013 on the Civil Code
LC: Act on the Labor Code of 2012
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)

 

3. DATA MANAGEMENT RULES

Since informational self-determination is based on the fundamental rights of all natural persons enshrined in the Basic Law, data processing in the course of MS International Ltd. proceedings is carried out in accordance with the provisions of the applicable law in force. The data management of MS International Ltd. is based on the following legal bases (GDPR Article 6 (1)):
a) the data subject concerned has consented to handling his or her personal data for one or more specific purposes (voluntary contribution);
b) data processing is necessary for the performance of a contract in which the data subject is required to take action by one party or before the conclusion of the contract at the request of the data subject (performance of the contract);
c) data processing is necessary to fulfill the legal obligation for the data manager (legal obligation);
d) data handling is necessary to enforce legitimate interests of the data manager or a third party (legitimate interest).

Personal data managed by MS International Ltd. is forbidden for private use or for purposes other than those contained herein. Data management must at all times comply with the purpose limitation principle, based on that MS International Ltd. manages personal data only for the purposes set out above, exercising the right and the obligation to reach the minimum extent and duration necessary to attain it.
Data managed by MS International Ltd. is primarily the responsibility of our competent internal staff and does not transfer them to third parties solely from a legitimate interest (such as debt collection and statutory obligation).

 

4. DATA SECURITY REGULATIONS

For the security of personal data processed on paper, MS International Ltd. applies the following measures:
– the data can only be accessed by authorized persons; others cannot access it, nor may it be disclosed to others;
– documents are stored in a well-sealed, dry, fire-proof room with security system;
– the files in continuous active treatment are only available to the competent authorities;
– the Data Management Officer of MS International Ltd. can only leave the premises where data management takes place during the day if the storage media or the office is closed;
– the Data Management Officer of MS International Ltd. closes the paper-based media at the end of the work;
– if the personal data handled on paper is digitized, the security rules applicable to digitally stored documents are applied by MS International Ltd.
In order to ensure the security of personal data stored on computer or on network, MS International Ltd. applies the following measures and warranty elements in accordance with the applicable Information Security Regulations:
– computers, laptops, telephones and mobile phones used in data management are the property of the Company, or the Company has equivalent rights over them;
– the data on the computer can only be accessed with valid, personalized, identifiable entitlements – at least with a username and password – and MS International Ltd. will provide for passwords to be changed regularly and where reasonable;
– if the goal of the data management is achieved or the data processing deadline has expired, the file containing the data will be deleted in such a way that the data cannot be recovered;
– magnetic data storage media are kept in an armored box designed for this purpose, in a fire-proof location and manner;
– virus protection is provided continuously on the network used for personal data management;
– available computing tools are used to prevent unauthorized people from accessing the network.

 

5. DATA MANAGEMENT AT MS INTERNATIONAL LTD

5.1 Data management during the use of www.phantomshopping.com

5.1.1 Automatically recorded data

When visiting the phantomshopping.com website, certain details of the visitor’s device (e.g. laptop, PC, phone, tablet) are automatically recorded. Such data include the IP address, the date and time of the visit, the pages visited, the website from which the visit was made, the type of browser used, the type of operating system, and the name and address of the ISP. The data to be recorded will be logged automatically upon logging in or exiting without the visitor’s specific statement or action. This information is only used in aggregated and processed form by MS International Ltd., to correct any defects in our services, to improve their quality and for statistical purposes. The data will only be used anonymously.

The aim of the data management is: Technical development of the IT system, control of the operation of the service, personalization, producing statistics and the protection of the visitors’ rights. In the event of abuse, in cooperation with the internet service provider of the visitors and the authorities, the data can also be used to determine the source of abuse.

Legal basis for data management: Section 13/A of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services.

The range of data management is the Internet service provider of the visitor, in some cases the visitor’s IP address, the software browser version, the type of computer operating system, the website from which the visitor reached phantomshopping.com, the pages that were visited on the website, the search words used to access the site.

The duration of the data management is 30 days from the date of viewing the site.

The way of data management: electronically

5.1.2 One-time information or information handled for inquiries

The Data Manager allows data subjects to obtain information from MS International Ltd. via the contact tab on the website or via the central email address. Visitors can enter the information required for contact (full name, email address, company name, title, phone number) by completing a form. However, the data can only be sent by the data subject if he accepts the data management rules of Phantom Shopping (MS International Ltd.); otherwise he will not be able to send his message.

The aim of the data management is to provide adequate information, to inform the interested persons about the questions and observations made during the contact, to retrieve the information exchanged during the contact.

Legal basis for data management: voluntary contribution

Scope of managed data: full name, email address, company name, title, phone number

Duration of data handling: 2 months from sending the reply

The way of data management: electronically

5.1.3 Data management for registration on www.phantomshopping.com

Phantom Shopping allows you to register as a mystery shopper. After the registration button has been pressed, the system moves you to the MyMo interface. In the mystery shopper module, it is possible to give your personal data.

The purpose of data management is to create a contract, define, modify, fulfill its content, invoicing of contract fees, identify a user, provide communications

Legal Basis for Data Processing: GDPR Article 6 (1) (b)

The range of data processed: full name, email, address, phone number, password, bank account number, driving license, gender, place and time of birth, tax identification number, social security number, learned profession, income level, hair color

The duration of the processing is 3 months after the deletion of the Phantom Shopping account and Phantom Shopping registration.

The way of data processing: electronically

5.1.4 Data management on entering www.phantomshopping.com as a mystery shopper

On Phantom Shopping website you can try as a mystery shopper and enter the site as a client. In both cases, a registered email address and a password are required. As a mystery shopper the system deletes the MyMo interface where the mystery shopper previously registered.

Purpose of data management: The e-mail address is indispensable for identifying the reporting user in the database and serves the purpose of the contact.

Legal Basis for Data Processing: GDPR Article 6 (1) (b)

Scope of managed data: email address, password

The duration of the processing is 3 months after the deletion of the Phantom Shopping account and Phantom Shopping registration.

The way of data processing: electronically

5.1.5 Data management on entering the www.phantomshopping.com website as a Client

On Phantom Shopping website you can enter the site as a mystery shopper and a client. In both cases, a registered email address and a password are required. As a client, the system moves to the MyMo interface where you can enter additional contact information.

Purpose of data management: It is indispensable to identify the user in the database and serve the purpose of communication.

Legal Basis for Data Processing: GDPR Article 6 (1) (b)

Scope of managed data: email address, password, phone number

The duration of the processing is 3 months after the deletion of the Phantom Shopping account and Phantom Shopping registration.

The way of data management: electronically

5.1.6 System message via e-mail or push message in the Phantom Shopping system

Phantom Shopping sends its registered users a system message from time to time. System messages are any messages that may be related to the functionality of the Phantom Shopping system, any service failure, maintenance, changes to existing features and new features, the scope and use of the Phantom Shopping System, the Terms and Conditions, the Data Handling Information, the Privacy Policy, or any modification thereof, the User’s rights, obligations, and services regarding the Phantom Shopping System, including any acknowledgment messages, certificates, notifications, confirmations sent by each of the services being used.

The purpose of data management is to send a system message to fulfill the contract

Legal Basis for Data Processing: GDPR Article 6 (1) (b)

The range of data processed is: email address, name

Duration of the data processing: 12 months after the termination of the contract

The way of data management: electronically

5.1.7 Data management for records uploaded to Phantom Shopping system by mystery shoppers

As a result of the mystery shopping, the mystery shoppers will make a report on incognito-made purchases and other audits by MS International Ltd. Reports may contain personal information about the Employer’s employee.

The purpose of the data management is to complete the contract

Legal Basis for Data Processing: GDPR Article 6 (1) (b)

The range of data processed is: name, personal description, behavior

Duration of data management: until the trial buyer has been registered

The way of data management: electronically

5.1.8 Summary description about the results of the mystery shopping and recommendation to the Client

As a result of the mystery shopping, the mystery shoppers will make a report on incognito-made purchases and other audits by MS International Ltd. Based on these reports, MS International Ltd. assesses the extent to which employees meet the expected standards of customer experience, which helps to make suggestions for development for Client’s employees, tailor-made if needed.

The purpose of the data management is to complete the contract

Legal Basis for Data Processing: GDPR Article 6 (1) (b)

The range of data processed is: name, personal description, behavior

Duration of data management: the existence of a customer relationship and the deadline for enforcing civil claims, 8 years, and the period specified in the applicable tax and accounting legislation

The way of data management: electronically

5.1.9. Data management via telephone

MS International Ltd. will also provide information via telephone on the range of services it offers by contacting customers.

The purpose of data management is to provide adequate information and fulfillment of the contract

Legal basis for data handling: voluntary contribution

Scope of managed data: full name, phone number

Duration of data management: until a contractual relationship has been established

Method of data management: on paper

5.2. Community sites

MS International Ltd. is listed on Facebook as well as on the Instagram community site called phantom shopping.
You can subscribe to the news feed on the message wall of the Phantom Shopping page by clicking the ‘like’ link on the page, and you can unsubscribe by clicking the ‘dislike’ link on the same page, or you can use the message wall settings to delete unwanted news appearing on the message wall.

The purpose of data management is to share or like, popularize social content, site content, products, actions or the website itself.

Legal basis for data handling: voluntary contribution

The range of data processed: name and photo given during registration

The duration of the data management depends on the subscriber’s decision

The source of the data, how it is handled, how it is delivered and how it is based, can be found on the given social networking site. Data management takes place on social networking sites, so the duration of the data handling, the ways of deleting and modifying the data are governed by the rules of the respective community site.

 

6. OTHER DATA MANAGEMENT

MS International Ltd. provides information on data management which are not listed in the data management regulations at the time the data was collected. Based on the authority of the court, the prosecutor, the investigating authority, the offender authority, the administrative authority, the National Data Protection and Information Authority or the law, other bodies may seek MS International Ltd. as a data controller to provide information, transmit data, or to make documents available.
If the authority indicates the exact purpose and scope of the data – for the authorities listed in detail above – MS International Ltd shall only disclose personal data to the extent strictly necessary for the purpose of the request.

 

 7. DATA TRANSMISSION

In case of data transmission, MS International Ltd. sends the data to a specific third party or otherwise makes it available. A third party may be regarded as a data manager, a data processor or a non-data subject. Data transmission means making this information available to third parties. The data manager will not transmit data to a third country (any state other than an EEA state). The data manager keeps records of data transfers. If the data subject contributed his/her explicit consent, MS International Ltd will allow the transmission of the data if the transfer of data is a case-by-case and necessitates a contract or legal requirement. MS International Ltd. allows data to be transmitted if it is required by the protection of the public interest established by EU or national law.

The purpose of data management is data transmission

The legal basis for data management is the concerned contribution or legal obligation

The range of data management is either affected or defined by law

Data management duration: transmission time

The method of data management: electronically and / or on paper

The addressee of the data transmission is a person or organization designated by the data subject or an organization specified by law

MS International Ltd. reserves the right to provide the personal data processed to the competent authorities and courts, in accordance with the request, in the cases specified by law, without the consent of the data subject.

 

8. Web-hosting

Data Processor Activity: Website Service

Name and contact of data processor

CHROME-SOFT Ltd.
headquarters: 1119 Petzvál József utca 4a.
phone: +06 1 225-8494
e-mail: [email protected]

The aim of the data management is to make the website accessible and properly operated.

Legal basis for the data management: Article 6 (1) (f) of the GDPR, or Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce Services and Information Society Services.

The fact of data management, the range of data management: all personal data provided by the data subject

Data processing time, date of deletion of data: Data controller and server service provider, or the affected party to the server service provider’s request for deletion.

The method of data management: electronically

Data subjects: Anyone using the website

 

9. THE RIGHTS OF DATA SUBJECTS

 Right of access
The data subject has the right to be informed by the data manager of whether his personal data is being processed and, if such processing is in progress, he has the right to have access to personal data and the information listed in the decree.

 Right to rectification
The data subject shall have the right to request that the data manager rectify any inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of data management, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.

 Right to erasure
The data subject is entitled to request that the data manager, without undue delay, delete personal data concerning him/her and that the data controller is obliged to delete the personal data of the data subject without undue delay under certain conditions.

 Right to be forgotten
If the data manager has disclosed personal data and is required to delete it, it shall take reasonable steps, including technical measures, taking account of the available technology and implementation costs, to inform the data managers handling the data that the data subject has requested from them the deletion of links to, or any copy or duplicate of, such personal data.

 Right to Restrict Data Management
The data subject shall have the right to request that the data manager restricts the data management upon his request if one of the following conditions is met:
• the data subject disputes the accuracy of the personal data; in this case, the restriction concerns the period of time that the data manager can check the accuracy of the personal data;
• data management is illegal and the data subject is opposed to the deletion of the data and instead asks to restrict their use;
• the data manager no longer needs personal data for data processing, but the data subject requires them to submit, enforce, or protect legal claims;
• the data subject objected to data management; in this case, the restriction applies to the duration of determining whether the data manager’s legitimate reasons prevail over the legitimate grounds of the data subject.

 Right to data portability
The data subject shall have the right to receive the personal data that he or she has provided to a data manager in a structured, widely used, machine-readable format and shall be entitled to transmit this data to another data manager without obstruction by the data manager to whom the data subject provided the personal information (…).

 Right to protest
The data subject has the right to object to the processing of his or her personal data (…) at any time when personal data is managed due to the legitimate interest of the data manager or his public authority.

9.1 Request for information

According to the Act on Information and the GDPR, the data subject may request information on the management of his/her personal data and may request the rectification of his/her personal data or, with the exception of mandatory data, its cancellation or blocking, as indicated at the time of data recording or via the other contact details of the data manager.

At the request of the data subject, MS International Ltd. will inform him/her of the data, the source, the purpose, the legal basis, the duration of the data handling, and the legal basis and the addressee of the data it manages.

The data manager shall provide the information in writing, at the request of the data subject, at the earliest opportunity and within a maximum period of one month from the submission of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by an additional 2 (two) months, of which the data subject will be informed within the one-month deadline. An exception is the case where the request is clearly insufficient or, in the case of a particularly repetitive nature, is excessive.

The information is free of charge – if an information request has not yet been submitted to the data manager in the current year for the same data field – in other cases, MS International Ltd. may charge reimbursement.

9.2 Objection

If the data subject objects to the processing of his or her personal data, his / her personal data will be deleted within 14 working days of receiving his / her protest. An exception is the case where data is justified by compelling legitimate reasons, including the public interest or the case where data is necessary for the submission, validation or protection of legal claims.

 

10. LEGAL REMEDY

An appeal can be submitted to the National Data Protection and Freedom Authority:

National Privacy and Freedom Authority

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C

Postal address: 1530 Budapest, Pf. 5

Phone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfe[email protected]

Website: http://www.naih.hu

 

 11. OTHER PROVISIONS

This Privacy Policy is effective from May 25, 2018 until revocation. MS International Ltd. reserves the right to update this Privacy Policy at any time and informs the data subjects about the changes.