Effective from September January 1, 2022
DELIGO is committed to data privacy by design. We are EU General Data Protection Regulation (GDPR) compliant and only work with service providers that are GDPR and/or Privacy Shield compliant.
This Privacy Notice applies to all data collected when you use DELIGO’s Services. If you have any questions or feedback about it, please send an email to email@example.com. We will be very happy to assist you.
Thank you for trusting and using DELIGO!
The purpose of the present Policy is to establish the principles of data protection and controlling used by DELIGO VISION TECHNOLOGIES LTD., seated at Felso Zoldmali út 78. floor 1. door 6., H-1025 Budapest, Hungary; registered under registration number Cg. 01-09-334165 by the Municipal Court, Budapest, Hungary, hereinafter referred as: “Company” or “Data controller”) and the company’s policies in data protection and controlling that the company as data controller accepts as bounding.
During the establishment of the present Policy the company particularly considered the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection “Regulation” or “GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (“Privacy Act”), Act V of 2013 on the Civil Code (“Civil Code”).
Protecting the security and privacy of your personal data is important to us. Therefore, we conduct our business in compliance with applicable laws on data privacy protection and data security.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller: the person determined by Section 2, who alone or jointly with others, determines the purposes and means of the control of personal data.
Personal data: any data or information, based on which a natural person User can be identified, directly or indirectly.
Processor: the service provider who processes personal data on behalf of the Data controller.
Data subject (User): a natural person who uses the Services and therefore gives their personal data specified by Section 3.
Kiosk/s or Product/s: hardware product designed and manufactured by Data controller to facilitate canteen checkout, capture transaction photos and payment authorizations.
Service/s: software products developed and distributed by Data controller that facilitate automated checkout services in canteen environments. This includes the Deligo Dashboard that the User can access to set up and monitor the checkout process.
POS Solution: is a restaurant order and user lifecycle management solution.
2. The identity and activity of the Data controller:
2.1. Data controller is DELIGO VISION TECHNOLOGIES LTD., seated at Felso Zoldmali út 78. floor 1. door 6., H-1025 Budapest, Hungary; registered under registration number Cg. 01-09-334165, represented by Istvan András Haidekker, email address: firstname.lastname@example.org. Controller is a commercial enterprise registered under the laws of Hungary.
2.2. The personal data of the Data subject is processed by the Data controller in connection with the operation of the Services, based on the present Policy.
2.4. Data controller performs the data control in accordance with the requirements of good faith, transparency and fair dealing, and in cooperation with the Data subjects. Data controller only controls the data determined by law or provided by the Data subjects with the purposes set forth in the present Policy. The scope of the processed Personal data is proportionate to the purpose of the controlling and cannot extend beyond it.
2.5. Data controller does not inspect the provided Personal data. The person providing the data is exclusively responsible for the accuracy of the provided data.
2.6. Data controller in certain cases (e.g. in case of official legal, police requests, legal procedure, violation of copyright, property or other rights or reasonable grounds to these, the infringement of Collector’s interests, the endangerment of the service providing etc.) makes the affected Data subject’s Personal data available to third persons.
3. Legal base of the data controlling
3.1. Data controller obtains personal data when Data subject (User) registers to the Services, specifically the Deligo Dashboard:
Registration: When User registers to the Services the User’s personal data is stored: name, email address and phone number that is necessary for the Data controller to provide access to the Services for the User.
We may contact you through email or phone to provide you informational updates about new versions or features of the Products/Services and to ask you to participate in surveys to help improve the Products/Services. You may revoke your consent at any time with future effect by sending an e-mail to email@example.com or by clicking ’unsubscribe from this list’ or ’update subscription preferences’ at the bottom of the email you received. This will not affect the processing of your personal data being undertaken until the revocation. You are legally not obligated to provide us with the relevant information for the abovementioned purpose.
Without that above information, however, we will not be able to provide Services.
3.2. Legal base: The processing of User’s personal data is based on the legal basis of Art. 6 (1)(b) GDPR and the User's consent in accordance with Article 6(1)(a) of the GDPR by clicking on the “Accept” button during the registration to the Services.
3.3. Objective of processing: Data controller shall only control personal data to provide Services to the User and for the purpose which it was requested for and in order to exercise rights and discharge obligations. The data control corresponds to the purpose of the control in every stage. The collection and control of data shall be concluded fairly and lawfully. Data controller seeks to control only the data that is necessary and apt to achieve the purpose of the controlling. The personal data shall only be processed to the extent and in the period of time necessary to achieve the purpose.
According to the above mentioned the purpose of the controlling is: User uses the Services to enable automated checkout in cafeteria environments. The Data controller may use the contact details of the User to send notifications about the operation of automated checkout services to the User.
3.4. Source of the data: Data controller only controls personal data provided by the User during the registration to the Services and the performance of the services and products and does not collect data from any other sources.
Transfer of data to the Processors listed in the present Policy may be concluded without the explicit consent of the User. Transfer of data to third parties, in the absence of provisions of laws providing the contrary, shall only be concluded based on a final and binding decision of the authorities, or the particular preliminary consent of the User.
3.5. Data transfer: Data controller only transfers data to third persons if it is necessary to the performance of the services/products or the transfer is authorized by law.
Data controller has the right and is obligated to transfer all the available and lawfully stored personal data to the competent authority if Data controller is bound by the law or by a final and binding decision of the authority. For these kinds of transfer of data and its consequences the Data controller cannot be held liable.
Data controller documents the transfers in all cases and keeps record of the transfers.
3.6. Duration of processing:
3.6.1. We delete or anonymize your personal data as soon as
or until the User requests to delete its registration for the Services, or
User’s consent is withdrawn and/or the service/product is no longer provided to the User;
3.6.2. Furthermore, Data controller deletes the personal data if
the controlling is unlawful: If it becomes clear that the controlling of the data is unlawful Data controller immediately performs the erasure.
the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
the Data subject requests the erasure (except for controlling based on the law); Data subject may request the erasure of the data processed based on his or her consent. In this case Data controller deletes the data. The erasure can only be denied if the law gives authorization for the controlling. In all cases Data controller provides information about the denial, and the legal provisions authorizing the controlling.
the data is incomplete or incorrect, and cannot be lawfully corrected, given that the erasure is not prohibited by the law;
the purpose of the controlling has ceased, or the statutory deadline of the storage of the data has passed as outlined in this Policy;
5. Security and disclosure of personal data
5.1. Data controller ensures the security of the personal data, implements the necessary technical and organizational measures and develops the procedural rules that are necessary for the implementation of the relevant laws and rules of protection of data and confidentiality. Data controller protects the data with adequate measures against unauthorized access, alteration, transfer, public disclosure, erasure or destruction, the accidental destruction and damage, and unavailability resulting from the change of the applied technology.
5.2. Data controller keeps records of the processed data in accordance with the relevant laws, ensuring that the data can only be accessed by the employees and other persons acting on behalf of Data controller (processors) for whom the access is necessary to perform their jobs and tasks. The data can only be accessed with logging. The employees of Data controller may only perform individual searches or other individual operations concerning the data on the request of the Data subject, or if is necessary for the provision of the service.
5.3. Data controller takes due account of the existing technological advances when determining and applying the measures to be taken for the protection of data. Controller selects the available solution that ensures the higher level of protection of personal data unless the application of that would mean disproportionate difficulties.
5.4. Data controller among the tasks relating to information technology protection ensures in particular:
The protection against unauthorized access, including the protection of software and hardware devices and the physical protection (access control, securing the network);
Measures taken to enable the restoration of data files, including the regular backups and the separate and secure handling of the copies (mirroring, backups);
The protection of the data files against viruses (anti-virus service)
Physical protection of the data files and the storage devices including the protection against fire, water, lightning, and other natural disasters and the restoration of the data damaged in those disasters (archiving, fire protection).
5.5. Employees and other persons acting on behalf of Data controller must keep safe and protect the data carriers used or disposed of by them, regardless of the method of collection of the data, against unauthorized access, alteration, transfer, public disclosure, erasure or destruction, and accidental destruction and damage.
5.6. Data controller operates the electronic register through a computer program that meets the data security requirements. The program ensures that the data can only be accessed in accordance with the purposes, under controlled conditions, and by persons for whom it is necessary in order to carry out their tasks.
6. Rights of Data subjects
6.1. Data controller informs the Data subject about the Data process at the time of the collection of data. Besides that, the Data subject has the right to request information about the controlling at any time.
Upon the request of the Data subject Controller informs the Data subject about the Data subject’s data processed by Controller and by the Processors mandated by Controller, about the source of the data, the purpose, the legal grounds and period of the Data process, the name, address and controlling related activity of the Processor, and about the circumstances and effect of the personal data breach along with the steps taken for the prevention. Furthermore, in case of the transfer of the Personal data of the Data subject Data controller also provides information about legal grounds and recipient of the transfer. Data controller is obliged to provide the information as soon as possible, but in any event not later than 25 days from the filing of the request. On the request of the Data subject the information must be provided in writing. The information is free of charge if the requester has not filed a request for information in the current year. In any other case a reimbursement may be determined. The paid reimbursement must be refunded if the data was processed unlawfully, or the request led to the correction of the data.
6.2. The Data subject may request his incorrectly stated data to be corrected by Data Controller. If the data to be corrected is the basis of regular reporting, Data controller informs the recipient of the reporting if necessary, and raises the attention of the Data subject, that the correction must be initiated with other controllers as well.
6.3. The Data subject, except for in cases of controlling provided by the law, may request the erasure of his or her Personal data. Controller informs the Data subject about the erasure.
6.4. The Data subject may object to the controlling of his or her personal data according to the Privacy Act.
6.5. The Data subject may file the request for information, correction, and erasure in writing in a letter addressed to the seat or premises of Controller, or in an e-mail sent to the address of Data controller: firstname.lastname@example.org.
6.6. The Data subject may request the restriction of the Controlling of the Personal data of the Data subject if he or she debates the correctness of the processed Personal data. In this case the period of the restriction is limited to the period of time that enables the Data Controller to inspect the correctness of the Personal data. Data Controller marks the piece of processed Personal data, if the Data subject debates its correctness or accuracy, but the incorrectness or inaccuracy of the debated Personal data cannot be ascertained undoubtedly.
The Data subject may also request the restriction of the controlling of Data subject’s Personal data from Data Controller if the controlling is unlawful, but the Data subject objects to the erasure of the Personal data, and requests the restriction instead of the erasure.
Furthermore, the Data subject may request the restriction of the controlling of Data subject’s Personal data from Data controller if the purpose of the controlling is achieved, but it is necessary for the Data subject that the Personal data stays processed by Data controller in order to submit, enforce or protect legal claims.
6.7. The Data subject shall have the right to receive the Personal data concerning him or her, which he or she has provided to the Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
6.9. The Data subject may make the above-mentioned necessary declarations in connection with the exercise of the Data subject’s rights in writing in a letter addressed to the seat or premises of Data controller, or in an e-mail sent to the address of Data controller: email@example.com.
6.11. The Data Subject may take legal action against the Data controller or, in the context of processing operations within the scope of the Data processor's activities, the Data processor, if he or she considers that the Data controller or a Data processor acting on his or her behalf or at his or her instructions is processing his or her Personal Data in breach of the requirements for the processing of Personal Data laid down by law or by a legally binding act of the European Union and the Hungarian law. The competent court is the Metropolitan Court of Budapest, but the action may also be brought before the court of the place of residence or domicile of the person initiating the action, at the latter's choice.
7.1. Data controller reserves the right to modify the present Policy with a unilateral decision at any time.
7.2. The Data subject accepts the provisions of the Policy in force at when logging into the Services. Requesting the consent of the Data subjects individually is not necessary when modifying the Policy.