Privacy Policy

1. INTRODUCTION

Borealis Consulting International Ltd. (hereinafter referred to as Borealis Consulting, Service Provider, Data Controller), as a data controller, recognizes the content of this legal notice as binding on itself. The user assumes the controller's obligation that all activities related to data management meet the requirements set out in this policy and applicable law. Borealis Consulting is the operator of the website https://thejourneyapps.com

The Service Provider reserves the right to change this information at any time. It will notify its audience of any changes in due time.

The Service Provider is committed to protecting the personal data of its clients and partners, and it attaches great importance to respecting the right to self-determination of its clients. The Data Controller handles personal information confidentially and takes all security, technical and organizational measures that guarantee the security of the data.

The Service Provider describes its data management principles below, and presents the expectations that it has set for itself as a data controller and adheres to. The principles of data management are in line with current data protection legislation, in particular:

• Act CXII. of 2011 on Information Self-Determination and Freedom of Information;
• Act V. of 2013 on the Civil Code (Civil Code);
• Act C. of 2000 on Accounting (Accounting Act);
• Act XLVIII. of 2008 on the basic conditions and certain limitations of economic advertising (Grt.);
• Act CVIII. of 2001 (Ekertv.) on certain issues of electronic commerce services and information society services;
• Regulation (EU) 2016/679 of the European Parliament (27 April 2016) on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation, hereinafter "GDPR").


2. DEFINITIONS

• concerned: any natural person identified or identifiable (directly or indirectly) by personal data;

• personal data: data relating to the data subject (in particular the name of the data subject, his / her identification mark and knowledge of one or more physical, physiological, mental, economic, cultural or social identities) and the conclusion drawn from the data subject;

• consent: a voluntary and definite declaration of the wishes of the data subject based on appropriate information and with unambiguous consent to the processing of personal data relating to him or her, wholly or in part;

• Data Controller: a natural or legal person or an entity without legal personality that either independently or with others determines the purpose of data management, makes and implements decisions relating to data management (including the equipment used), or implements it with the data processor;

• data management: any operation or set of operations performed on data, irrespective of the procedure used, including, in particular, collection, recording, systematization, storage, alteration, use, querying, transmission, disclosure, coordination or interconnection, blocking, deletion and destruction; preventing the further use of the data, taking photographs, sound or images, and recording physical characteristics suitable for identifying the person (e.g. finger or palm print, DNA sample, iris image);

• data transmission: making data available to a specific third party;

• disclosure: making data available to anyone;

• data deletion: making data unrecognizable in such a way that their recovery is no longer possible;

• data processing: performing technical tasks related to data management operations, irrespective of the method and equipment used to perform the operations and the location of the application, provided that the technical task is performed on the data;

• data processor: a natural or legal person or an entity without legal personality who, under a contract, including a contract under a provision of the law, processes data.

3. COMPANY

The details and contact details of our company are as follows:


Name: Borealis Consulting International Ltd.
Mailing address: Fűrészelő u.8., Érd, 2030 HUNGARY
Tax number: 25842290-2-13
Phone: +36 30 445 3487
E-mail: melinda.katona@borealisconsulting.hu
Data Controller Representative: Melinda Katona


4. THE SCOPE OF PERSONAL DATA, PURPOSE, TITLE AND DURATION OF DATA MANAGEMENT

The following information is provided for each of our data processing operations.


4.1. Request for quotation, inquiry with direct request

Interested parties can contact the Service Provider directly by electronic mail sent to the Service Provider's address, or by telephone.

Purpose of data management: Contact between the concerned and the Service Provider in order to promote closer and more effective cooperation and communication.

Legal basis for data management: legitimate interest - Article 6 (1) (f) GDPR

The scope of personal data handled: Contracting authority / Contact name; e-mail address, phone number or other information provided by the affected person

Duration of data management: 2 years after the validity period of the offer or the protest of the affected person

Addressees of Personal Data: The Data Controller does not pass on the data it handles in accordance with Section 7. to third parties other than the data processor(s) specified in point 3.1. Recorded data may only be accessed by employees of the Data Controller(s) and the designated colleague(s) of the processor.

Indication of legitimate interest: The legitimate interest of the Service Provider to manage the data of the data subject - direct marketing

The range of data management stakeholders: Partners interested in the services of the Service Provider (e.g. by e-mail, by phone) are involved, as are those involved in the submitted Technical Drawing Documentation.

Data transmission: The Service Provider can transmit the necessary data to its own database systems if needed. Data is currently being transmitted to the following systems: Mailchimp, MiniCRM

Data Transfer Statement: I accept that the personal data in the inquiry / request / offer stored in the data management database are transferred to the Service Provider's other databases, as a Data Controller.

The range of data transmitted: Name of the contracting authority / contact person; e-mail address, phone number or other information provided by the affected person

Legal basis for transmission: legitimate interest - direct marketing


4.2. Offers, requests via the website (https://thejourneyapps.com)

The service provides stakeholders with an opportunity to request an offer electronically.

Purpose of data management: Contact between the concerned and the Service Provider in order to promote closer and more effective cooperation and communication

Legal basis for data management: voluntary contribution of the data subject - Article 6 (1) (a) of the GDPR

The range of personal data handled: name of the interested person (first name, surname); e-mail address, phone number or other information provided by the affected person

Duration of data management: 2 years after the validity period of the offer until the consent is withdrawn

Addressees of Personal Data: The Data Controller does not pass on the data it handles in accordance with Section 7. to third parties, with the exception of the data processor(s) indicated in point. Only the employees of the Data Controller(s) and the designated colleague(s) of the data processor(s) can access the recorded data.

The range of data management stakeholders: partners and stakeholders interested in the Service Provider's services and products through the website.

Data Transfer Statement: I accept that the personal data in the travel-initiated inquiry / request / offer stored in the data management database are transferred to the tour operator organization, as a Data Controller.

The range of data transmitted: Name of the contracting authority / contact person; e-mail address, phone number or other information provided by the affected person

Legal basis for transmission: legitimate interest - direct marketing

Legal basis for transmission: the consent of the data subject

4.3. Request for quotation, follow-up data management

Purpose of data management: the legitimate interest of the data controller to record the data of the paperwork for the purpose of direct marketing beyond the period of validity of the offer

Legal basis for data processing: legitimate interest of the data controller, Article 6 (1) (f) GDPR

The range of personal data managed: Contact name and first name; telephone number; e-mail address

Addressees of Personal Data: The Data Controller does not pass on the data it handles in accordance with Section 7. to third parties, with the exception of the data processor(s). Only the employees of the Data Controller and the designated colleagues of the data processor(s) will be able to access the recorded data.

Duration of data management: 3 years after the validity period of the offer or subject to protest

Indication of legitimate interest: Developing business relationships with partners and contracting authorities, and providing accurate information to stakeholders. The legitimate interest of the Service Provider is to manage the data of the data subject - direct marketing

The range of data management stakeholders: Addressees of offers previously issued by the Service Provider, contact person(s) included.


4.4. Client contact

Purpose of data management: identification of partners, differentiation from other partners or project participants, communication

Legal basis for data processing: legitimate interest of the data controller, Article 6 (1) (f) GDPR

The range of personal data managed: Contact name and first name; telephone number; e-mail address or other information provided by the

Duration of data processing: up to the protest of the concerned

Addressees of Personal Data: The Data Controller does not pass on the data it handles in accordance with Section 7. to third parties, with the exception of the data processor(s) indicated in point. Only the employees of the Data Controller and the designated colleagues of the data processor(s) will be able to access the recorded data.

Indication of legitimate interest: Providing the right communication with partners, providing information to stakeholders. The Service Provider has a legitimate interest in managing the data of the data subject - direct acquisition

The range of data management stakeholders: The partners and the concerned persons the Service Provider has contact with.

4.5. Newsletter

The objective of data management: sending e-mail newsletters containing business advertising and current information to those interested

Legal basis for data processing: prior consent of the data subject, Article 6 (1) (a) GDPR

The range of personal data managed: name, e-mail address

Duration of data management: until withdrawal of voluntary contribution, up to unsubscribing from the newsletter

The Service Provider manages the data provided by the concerned until withdrawal of consent. After consent is withdrawn, the managed data will be deleted from the newsletter database within 7 days, and we will not send you any further newsletters.

Addressees of personal data: The data controller shall not disclose the data obtained to any third party other than the data processor(s) specified in point 7. Only the employees of the Data Controller and the designated colleagues of the data processor(s) will be able to access the recorded data.

You can unsubscribe from the newsletter at any time with an e-mail sent to the info@borealisconsulting.hu address or by clicking the unsubscribe icon.

The range of data management stakeholders: Partners that subscribe to the Service Provider's electronic newsletter are affected.


4.6. Invoice issuance (natural person)

The purpose of data management: to issue an invoice to the account payer, to comply with the legal requirements

Legal basis for data processing: by law - GDPR Article 6 (1) (c) - Act C of 2000, Article 166 (1)

The range of personal data managed:

• Account Payer Name
• Billing address
• Invoice Amount
• Purchased products, billed services

Duration of data management: by the deadline specified in the Accounting Act - Act C of 2000, Article 169 (2)

Possible consequences of missing data: Data is required.

Addressees of personal data: The data controller shall not disclose the data obtained to any third party other than the data processor(s) specified in point 7. Only the employees of the Data Controller and the designated colleagues of the data processor(s) will be able to access the recorded data.

The range of data management stakeholders: Those affected for whom an invoice is issued by the controller.



5. OTHER DATA TREATMENTS


Information on data management not listed in this prospectus is provided when recording the data. We inform our clients that some authorities, public bodies, courts can contact our company for personal information. Our company will only provide personal information to these bodies, if the exact purpose and scope of the data is specified, to the extent strictly necessary for the purpose of the request and if the fulfillment of the request is required by law.

6. TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY OR INTERNATIONAL ORGANIZATION

The Service Provider will not forward your personal data above to any third country or international organization.

7. INFORMATION ABOUT USING A DATA PROCESSOR


The controller hands over the data to the data processor(s) contracted to perform the contract during data management.
Categories of Recipients: Accounting, Payroll, Webhosting

8. MANAGE THIRD-PARTY DATA


If the Customer / Partner does not provide its own data to the Data Controller but that of any other natural person, the Customer / Partner is solely responsible for providing such information with the consent, knowledge and appropriate information of that natural person. The Data Controller does not have to check the existence of these. The Data Controller draws the attention of the Customer / Partner to the fact that if they do not fulfill this obligation and the person concerned enforces claims against the Data Controller as a result, the validated claim and the amount of damages related to data management will be passed on to the Customer / Partner.


9. CHILDREN


Our services are not intended for persons under 16 years of age, and we ask that persons under the age of 16 do not provide Personal Data to the Data Controller.

If we find out that we have collected personal data from a child under 16 years of age, we will take the necessary steps to delete the data as soon as possible, except for data management prescribed by statutory provisions.

10. AUTOMATIC DECISION MAKING


The Service Provider does not apply automatic decision making during the data management procedures and data collection process.

11. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT


Our computing systems and other data storage locations are located at the headquarters and on servers provided by the data processor. Our company selects and operates the IT tools used for the management of personal data so that the data processed is:

(a) accessible to authorized persons (availability);
(b) authentic and authenticated (authenticity of data management);
(c) unchanged (data integrity);
(d) protected against unauthorized access (data confidentiality).

We pay special attention to the security of the data; we also take the technical and organizational measures and establish the procedural rules necessary to enforce the GDPR guarantees. The data will be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and unavailability due to accidental destruction, damage, or change in the technique used.

The IT system and network of our company and our partners are protected against computer-assisted fraud, computer viruses, computer burglary and denial of service attacks. The operator also provides server-level and application-level security. The data is backed up daily. In order to avoid data protection incidents, our company will take all possible measures, and in the event of such an incident - according to our Incident Management Code - we will immediately take action to minimize the risks and eliminate the damage.

12. RIGHTS, LEGAL OPTIONS OF INTERESTED PARTIES


The data subject may request information on the management of his or her personal data, may request the rectification, revocation or withdrawal of his / her personal data - except for data management prescribed by statutory provisions - and may exercise his / her right to data transfer and protest, in the manner indicated when the data was recorded or via the above contact details of the data controller.

The rights and remedies of the person concerned are set out in Act CXII. of 2011 and Regulation (EU) 2016/679, and are described below for those concerned.

Right of information, also known as the "right of access" of the data subject: at the request of the data subject, on the basis of Article 15 of Regulation 2016/679 and Act CXII. of 2011, the Data Controller gives information:

• about the data it manages and the categories of personal data
• the purpose of data management,

• the legal basis for data processing,

• the duration of the data management,

• where appropriate, the length of time for which the data are stored or, if that is not possible, the criteria for determining that period,

• where applicable, if the data were not collected from the data subject, any available information on their source,

• where appropriate, automated decision-making, including profiling, and comprehensible information on the logic involved and on the importance of such data management and the expected consequences for the data subject;

• the data of the data processor, if he used a data processor, and the circumstances, effects and measures taken to counteract the data protection incident;

• in the case of transmission of the personal data of the data subject, on the legal basis, the purpose and the addressee of the transfer.


The information is free of charge if the person requesting the information has not submitted a request for information to the Data Controller for the same data in the current year. In other cases, a cost reimbursement can be established. Costs already paid must be refunded if the data have been illegally treated or the request for information has led to a correction.

The data controller draws the attention of stakeholders to the fact that, in accordance with Act CXII. of 2011, the information must be denied:

a. if, pursuant to a provision of law, international treaty or binding act of the European Union, the Data Controller transmits personal data as a data controller, at the same time as the data transfer, indicates the restriction of the personal data subject's rights under the said law or other restrictions on its handling.

b. the internal and external security of the state, such as defense, national security, prevention or prosecution of criminal offenses, security of the penitentiary, economic or financial interests of the state or local government, significant economic or financial interests of the European Union, and the exercise of occupations; disciplinary and ethical misconduct, for the prevention and detection of violations of labor and occupational safety, including control and supervision in all cases, and for the protection of the rights of the person concerned or others.

The Data Controller shall notify the National Data Protection and Freedom of Information Authority of the rejected information requests by 31 January of the year following the reference year.

Right of rectification: The data subject is entitled to have inaccurate personal data relating to him or her rectified without delay upon request. Taking into account the purpose of data management, the data subject is entitled to request the supplementation of incomplete personal data, including by means of a supplementary declaration. At the same time, if personal data do not correspond to reality and personal data corresponding to reality are available to the Data Controller, personal data shall be rectified by the Data Controller without the request of the data subject.

The right of cancellation, also known as "the right to be forgotten": The data subject is entitled, upon request, to have the personal data relating to him or her deleted without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay, if it is not ruled out by mandatory data management.

In addition to the above case, the Data Controller shall delete the data in accordance with Act CXII. of 2011 and Regulation (EU) 2016/679 of the European Parliament and of the Council if:
• data processing is illegal;

• the data is incomplete or incorrect - and this condition cannot be legally remedied - provided that the cancellation is not precluded by law;

• the purpose of the data management has ceased to exist or the statutory deadline for storing the data has expired;

• it has been ordered by the court or the Authority.

• personal data are no longer needed for the purpose for which they were collected or otherwise processed;

• the data subject protests against the data processing and there is no legal reason for data processing as a priority;

• personal data must be erased in order to fulfill the legal obligation under the law applicable to the Data Controller;

• personal data were collected in connection with the provision of information society services offered directly to children as referred to in Article 8 (1) of EU 2016/679.

In the event that the Data Controller has disclosed the personal data for any reason and is obliged to cancel it as described above, it shall, taking into account the available technology and the costs of implementation, take reasonable steps, including technical measures, to inform other data controllers processing the data that the data subject has requested the deletion of links to or copies of such personal data.

Data Controller draws the attention of stakeholders to the limitations of an erasure or 'right to be forgotten' under the EU Regulation which are:

(a) exercising the right to freedom of expression and information;

(b) fulfillment of an obligation under EU or Member State law that governs the processing of personal data, or the exercise of a public authority or public authority remit entrusted to the controller;

(c) public interest in the field of public health;

(d) in accordance with Article 89 (1) of Regulation (EU) No 2016/679 for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right to erasure would be likely to render such processing impossible or seriously jeopardized; or
(e) submission, validation or protection of legal claims.

Right to restrict data management, also known as blocking: The data subject has the right to restrict data management upon request.

If, on the basis of the information available, it can be assumed that the deletion would infringe the legitimate interests of the data subject, the data shall be blocked. The personal data blocked in this way can only be processed as long as the data management purpose that excludes the deletion of the personal data exists.

If the person concerned disputes the accuracy or correctness of the personal data, but the inaccuracy of the personal data at issue cannot be clearly established, the data is blocked. In this case, the limitation applies to the length of time that allows the Data Controller to verify the accuracy of personal data. According to the EU regulation, data must be locked if

(a) data processing is unlawful and the data subject is against the deletion of the data and instead requests a restriction on their use;

(b) the Data Controller no longer needs personal data for the purposes of data management, but the data subject requests them for the submission, validation or protection of legal claims; or

(c) the data subject objects to data management; in this case, the limitation applies to the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the data subject.

Where data management is subject to restriction (blocking), such personal data may, with the exception of storage, only be processed with the consent of the data subject or for the submission, validation or protection of legal claims or for the protection of the rights of other natural or legal persons, or of the public interest of the Union or a Member State.

The Data Controller hereby draws the attention of stakeholders to the fact that the right to rectification, erasure or blocking of the data subject may be restricted by law for reasons of the state's internal and external security, such as defense, national security, prevention or prosecution of crime, security of the penitentiary, the economic or financial interest of the state or the municipality, major economic or financial interest of the European Union, and disciplinary and ethical misconduct in the exercise of the occupations, prevention and detection of breaches of labor law and safety, including control and supervision in all cases, or to protect the rights of others.

The data controller shall, without undue delay, up to 30 days after receipt of the request, inform the data subject of the details of his / her application and / or rectify the data and / or delete and / or restrict (lock) the data or take other actions as requested, if there is no reason to exclude it.

The Data Controller shall notify the data subject in writing of the rectification, erasure, restriction of data management, and all those to whom the data was previously transferred for data management purposes. At the request of the data subject, the Data Controller shall inform the addressees. The notification may be omitted if it does not violate the legitimate interest of the data subject for the purpose of data management or if the information proves impossible or requires a disproportionate effort. The Data Controller must also notify the data subject in writing if the exercise of the right of the data subject is not feasible for any reason and must indicate the factual and legal grounds and the remedies open to the person concerned: the possibility of recourse to the courts and the National Data Protection and Freedom of Information Authority.

The right to data portability: The data subject is entitled to

(a) receive the personal data relating to him or her that he or she has made available to the Data Controller in a structured, widely used machine-readable format and is entitled to

(b) forward this data to another data controller

without being hindered by the controller to whom the personal data were provided, if:
(a) data management is based on consent; and
(b) data management is automated.

When exercising the right to portability of data, the data subject is entitled to request, if technically feasible, the direct transmission of personal data between controllers.

Considering the data processing performed by the Data Controller, the conditions for exercising the right to data portability are not fulfilled (there is no automated data management) and therefore the data subject cannot exercise this right.


Right to protest: The person concerned may object to the processing of his or her personal data, including profiling, if:

• the processing (forwarding) of personal data is only necessary for the purpose of enforcing the right or legitimate interest of the Data Controller or the data recipient, except in the case of mandatory data management;

• the use or transmission of personal data is for direct marketing, opinion polling or scientific research;

• otherwise the exercise of the right of objection is permitted by law.

The person concerned may, on the basis of Article 21 (3) of EU Regulation 2016/679, protest against the processing of personal data for the purpose of direct marketing, in which case personal data may no longer be processed for this purpose.

Where personal data are processed for scientific and historical research purposes or for statistical purposes, the data subject shall have the right to object to the processing of personal data concerning him or her for personal reasons, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The Data Controller - by simultaneously suspending data management - shall examine the protest as soon as possible after the submission of the request, but within a maximum of 30 days, and shall inform the applicant in writing of its outcome. If the applicant's objection is well founded, the Data Controller terminates the data management, including further data collection and data transfer, and locks the data, and notifies the persons to whom the personal data affected by the protest has previously been forwarded of any protest or action taken on it, and who are obliged to take action to enforce the right of protest.

If the data subject disagrees with the Data Controller's decision or the Data Controller fails to comply with the time limit referred to, he / she is entitled to apply to the court within 30 days of its notification.

The person concerned has the right to object to automated decision-making.

Judicial Enforcement: The person concerned may apply to a court for violation of his rights. The court deals with the case out of turn. The Data Controller must prove that the data management complies with the provisions of the law.

In case of violation of your right to self-determination, you can complain to:

National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400, Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu