Privacy Notice of Service Portal

PRIVACY NOTICE

This Privacy Notice (hereinafter referred to as: “Privacy Notice”) describes the data processing on the https://serviceportal.semilab.com/website (hereinafter referred to as: “Service Portal”) operated by SEMILAB Semiconductor Physics Laboratory Co. Ltd. (registered seat: H-1117 Budapest, Prielle Kornélia St. 4/A., company registration number: 01-10-041351, represented by: dr. Pavelka Tibor, contact: gdpr@semilab.hu, hereinafter referred to as: “Data Controller”), especially the characteristics of data collection, storage and use.

This Privacy Notice is effective from 1st of February, 2022. The Data Controller keeps the current version of the Privacy Notice permanently available on the Service Portal and at its headquarters.

The Privacy Notice has been prepared in line with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as: “GDPR”), with due consideration of the provisions of Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter referred to as: “Privacy Act”). The definitions of this Privacy Notice are the same as the ones set out in Article 4 of the GDPR, also supplemented by certain points of the interpretative provisions mentioned in Section 3 of the Privacy Act.

 

1. Principles relating to processing of personal data

In the course of providing its services Data Controller pays particular attention to personal data protection, complies with the mandatory legal provisions, and processes data in a secure and fair manner. Data Controller processes personal data as set out in section 2 of this Privacy Notice. Data Controller shall treat the disclosed personal data confidentially, shall take into account the principles of lawfulness, fairness and transparency under the GDPR, and shall treat personal data purpose-bound, with the principle of data minimisation in mind. Data Controller shall also comply with the principle of storage limitation, integrity, confidentiality, and consider the principle of accuracy under the GDPR.

 

2. The method and security of data processing

Data Controller ensures the security of the data, and takes the necessary technical and organizational measures, as well as implements the procedural rules that are needed to enforce the provisions laid down in the GDPR, the Privacy Act and the data and confidentiality provisions provided in other legislation. Data Controller protects personal data from unauthorized access, modification, transmission, publication; unauthorized or accidental deletion and destruction; damages and also from becoming inaccessible as a result of changes in the technologies used. Data Controller protects data files that are processed electronically in various registers, by ensuring that they are stored in different registers, and cannot be directly interconnected and associated with the Data subject, unless it is permitted by law.

 

3. Data processing in relation to the Service Portal

The Service Portal on the one hand is designed to help the customers with servicing, reporting, replacing parts and ordering maintenance. The service is optionally available for the customers of the Data Controller, they can request it via e-mail to the Service Operation team. Data Controller then uploads the customers to the Service Portal’s servicing feature. The Data Controller provides a communication platform on the Service Portal as well for the customers, where the Data Controller's employees can directly contact them.

Service Portal also has another feature, whereby Data Controller makes the invoices available to customers to download for data security reasons. Every customer of the Data Controller must provide contact data via e-mail to the Logistics Department and then the customer will be uploaded to the Service Portal’s invoice feature. This feature is to replace sending out invoices via e-mail and deemed necessary for data security reasons.

The two features of the Service Portal are not dependent on one another. The servicing feature is only available for those who specifically request it, whereas the invoice feature is available for every customer of the Data Controller.

Data Controller uses the services of Salesforce Inc. (registered seat: 415 Mission Street, 3rd Floor, San Francisco, CA 94105) to provide the Service Portal. Salesforce has consented to be bound by the provisions of the GDPR in accordance with Commission Decision 2021/914/EU on standard contractual clauses for the transfer of personal data to third countries pursuant as well as its Data Processing Addendum (https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf) that is issued pursuant to the provisions of the GDPR; consequently, the data processing complies with the GDPR, thus the protection of personal data is ensured.

 

3.1. Data processing regarding the User Account

Purpose of the processing

Uploading data to the Service Portal. Processing and storage of data related to User Accounts.

Categories of personal data concerned

Data subject’s account name, official name, e-mail address, phone number, fax number, website, shipping name, billing name, shipping address and billing address.

Data subjects

Data Controller’s customers.

Legal basis for the processing

Data subject’s consent under Article 6 (1) (a) of the GDPR.

Period of storage

Until the Data subject’s consent is withdrawn.

Method of the processing

Electronic.

Source of the personal data

By using the purchasing software service provided by Salesforce, the Data Controller already has the Data subject's purchase data. Additional new data will be provided by the Data subject.

Automated decision-making and profiling

Data Controller does not use automated decision-making and does not perform profiling.

Who has access to the personal data?

Responsible employees of the Data Controller’s Service Operation team and Sales Department, Financial Department, Logistics Department, System Admin and possible Data processors of the Data Controller. The current list of Data processors is listed in Section 4 of this Privacy Notice.

Data transfer

Data is transferred to Salesforce, which is located in the United States. There is no data transfer to international organisations.

 

3.2. Data processing regarding the servicing feature of the Service Portal

3.2.1. Reporting issues

If a service issue arises when using the product purchased from the Data Controller, the customers can report the issue(s) on the Service Portal. During the process they must provide the subject, the description, and the severity of the asset issue. Reporting via the Service Portal is optional; if the customers do not use the service, they can contact the Data Controller via e-mail and by any other contact form.

Purpose of the processing

Receipt, investigation of the issues and resolving the issues.

Categories of personal data concerned

Data subject’s account name, name, e-mail address, any data relating to the issue.

Data subjects

Person who reports an issue via the Service Portal’s interface.

Legal basis for the processing

Data subject’s consent under Article 6 (1) (a) of the GDPR.

Period of storage

Until the Data subject’s consent is withdrawn.

Method of the processing

Electronic.

Source of the personal data

By using the purchasing software service provided by Salesforce, the Data Controller already has the Data subject's purchase data. Additional new data will be provided by the Data subject.

Automated decision-making and profiling

Data Controller does not use automated decision-making and does not perform profiling.

Who has access to the personal data?

Responsible employees of the Data Controller’s Service Operation team, Sales Department, System Admin and possible Data processors of the Data Controller. The current list of Data processors is listed in Section 4 of this Privacy Notice.

Data transfer

Data is transferred to Salesforce, which is located in the United States. There is no data transfer to international organisations.

 

3.2.2. Request for quotation

Data subject can request a quotation regarding the issue at the same time as reporting it. If the Data subject wishes to request a quotation for the said issue, he/she can indicate it by using the checkbox. The Data Controller will send the quotation by e-mail to the data subject’s e-mail address.

Purpose of the processing

Manage and answer quotation requests, send quotations.

Categories of personal data concerned

Description of the issue, name, e-mail.

Data subjects

Persons who open a new case issue on the Service Portal and require the quotation.

Legal basis for the processing

Processing activities will be based on the Data subject’s consent under Article 6 (1) (a) of the GDPR.

Period of storage

Until the Data subject’s consent is withdrawn.

Method of the processing

Electronic.

Source of the personal data

By using the purchasing software service provided by Salesforce, the Data Controller already has the Data subject's purchase data. Additional new data will be provided by the Data subject.

Automated decision-making and profiling

The Data Controller does not use automated decision-making and does not perform profiling.

Who has access to the personal data?

Responsible employees of the Data Controller’s Service Operation team, Sales Department, System Admin and possible Data processors of the Data Controller. The current list of Data processors is listed in Section 4 of this Privacy Notice.

Data transfer

Data is transferred to Salesforce, which is located in the United States. There is no data transfer to international organisations.

 

3.3. Data processing regarding the invoice feature of the Service Portal

In view of the more stringent, higher security solutions, a sub-interface of the Service Portal has been developed, where the Data Controller uploads the invoices and this interface can be accessed by the customer with his/her own login IDs, and thus access and download the invoices. This ensures that only those authorised to access the accounts can do so, thus preventing phishing and fraud.

In order to receive the invoices sent out by the Data Controller, it is necessary for customers to be uploaded to the Service Portal. The interest balancing test regarding this data processing is available at the Data Controller’s registered seat.

Purpose of the processing

Sending out and receiving (downloading) invoices via the Service Portal for data security reasons; processing and storage of data related to the invoice feature of the Service Portal.

Categories of personal data concerned

Data subject’s name, e-mail, phone number and the invoice.

Data subjects

Data Controller’s customers.

Legal basis for the processing

The Data Controller’s legitimate interest based on Article 6 (1) (f) of the GDPR.

Period of storage

The invoice is stored for 8+1 years in connection with Section 169 (2) of Act C of 2000 on accounting. Other personal data is stored for 5 years after the User Account is closed.

Method of the processing

Electronic.

Source of the personal data

By using the purchasing software service provided by Salesforce, the Data Controller already has the Data subject's purchase data and contact person data. Additional new data will be provided by the Data subject.

Automated decision-making and profiling

The Data Controller does not use automated decision-making and does not perform profiling.

Who has access to the personal data?

Responsible employees of the Data Controller’s Financial Department, Logistics Department, Sales Department, System Admin and possible Data processors of the Data Controller. The current list of Data processors is listed in Section 4 of this Privacy Notice.

Data transfer

Data is transferred to Salesforce, which is located in the United States. There is no data transfer to international organisations.

 

3.4. Record-keeping relating to the exercise of rights of the Data subjects

Purpose of the processing

Processing regarding the record-keeping relating to the exercise of rights of the Data subjects under the GDPR

Categories of personal data concerned

Data subject’s name, place and date of birth, mother's maiden name, address, mailing address, application for the exercise of a Data subject's right under the GDPR

Data subjects

Data subjects exercising their rights under the GDPR

Legal basis for the processing

Legal obligation based on Article 6 (1) (c) of the GDPR and based on Article 6 (1) (f) of the GDPR, the Data Controller’s legitimate interest.

Period of storage

5 years from the assessment of the application.

Method of the processing

On paper and / or electronically

Source of the personal data

Data subject.

Possible consequence of failure to provide data

If the Data subject does not provide the data, the Data Controller will not be able to meet the requirements of the GDPR.

Automated decision-making and profiling

The Data Controller does not use automated decision-making and does not perform profiling.

Who has access to the personal data?

Responsible employees of the Data Controller and employees of any possible Data processors. The current list of Data processors of the Data Controller is listed in Section 4 of this Privacy Notice.

Data transfer

There is no data transfer.

 

4. Data processors

The Data processors do not make decisions independently, they shall act in compliance with the contract concluded with the Data Controller and with the instructions received from the Data Controller. Data processors record, manage and process the personal data transferred to them by the Data Controller in accordance with the provisions of GDPR. The Data processors can access, and process personal data provided by the Data subjects during the period specified in the Privacy Notice regarding the individual purposes of data processing. The Data Controller transfers data to the following data processing companies regarding the data processing mentioned in this Privacy Notice:

Data processor category

Salesforce

Purpose of data processing

Providing the server and the Service Portal, storing the purchase data.

Data processor: name

Salesforce.Com, Inc.

Data processor: registered seat

415 Mission Street, 3rd Floor San Francisco Ca 94105

Data processor: company registration number

C2167918

 

5. Rights of the Data subject

Data subject is entitled to exercise the following rights by sending a request to the Data Controller’s e-mail address (gdpr@semilab.hu): right to information and access, right to rectification, right to erasure (‘right to be forgotten’), right to restriction of processing, right to object and automated individual decision making, right to data portability, right to withdraw consent. In case of a complaint Data subject can turn to the Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) in Hungary or to the court. In the juridical proceeding the district court has jurisdiction.

In case of execution of the Data subject's request, Data Controller identifies the Data subject in accordance with this Privacy Notice, and Data Controller complies with the Data subject's request only after the identification has been conducted.

If the Data subject’s request was not prepared in accordance with this Privacy Notice and Data Controller has not been able to identify the Data subject, Data Controller notifies the applicant of the deficiencies; if the Data subject fails to remedy them, Data Controller will be unable to respond to the request.

The time elapsed between the request to provide the necessary personal data/carry out the missing activity requested by the Data Controller to the provision of the personal data, does not count towards the deadline for responding to the request.

Data Controller informs all recipients with whom personal data have been shared of any rectification, erasure or restriction of processing, unless this proves to be impossible or involves a disproportionate effort. Upon request, Data Controller informs the Data subject of these recipients.

 

5.1. Right to information and access

According to Article 13 of GDPR the Data Controller - in case personal data relating to a Data subject are collected from the Data subject - shall, at the time when personal data are obtained, provide the Data subject with all of the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. where possible, the planned period for which the personal data will be stored or if not possible, the criteria used to determine that period;
  5. right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data subject or to object to such processing;
  6. the right to file a complaint with the Hungarian Authority for Data Protection and Freedom of Information (NAIH);
  7. the right to seek judicial remedies;
  8. if the personal data are not collected from the Data subject, any available information regarding their source;
  9. the existence of automated decision-making, including profiling, the significance and the planned consequences of such processing for the Data subject;
  10. appropriate measures taken in case data are transferred to third countries or international organizations.

Data subject has the right to obtain a copy of the personal data undergoing such processing.

If personal data have not been obtained from the Data subject the following information is provided by the Data Controller - pursuant to Article 14 of the GDPR - in addition to the information mentioned above:

  1. the categories of personal data concerned;
  2. the recipients or categories of recipients of the personal data, if any;

The Data Controller shall provide the information:

  1. within a reasonable period after obtaining the personal data, but at the latest within one month;
  2. if the personal data are to be used for communication with the Data subject, at the latest at the time of the first communication to that Data subject; or
  3. if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The above mentioned shall not apply if:

  • the Data subject already has the information;
  • the provision of such information proves impossible or would involve a disproportionate effort;
  • obtaining or disclosure is expressly laid down by Union or Member State law to which the Data Controller is subject and which provides appropriate measures to protect the Data subject's legitimate interests; or
  • where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

The Data subject shall have the right to obtain the following information from the Data Controller in accordance with Article 15 of the GDPR:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  • the envisaged period for which the personal data will be stored;
  • the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data subject or to object to such processing, the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the Data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling.

The provided information shall be concise, easily accessible and easy to understand, and in clear and plain language. Data Controller is responsible for providing the information. Data Controller shall provide all information provided to the Data subject in writing, including electronic means. Subject to the data security rules set out in Article 15 and Article 32 of the GDPR, Data Controller shall only provide information to the Data subject if the Data Controller is convinced of the Data subject's identity. If the identity is not verified, the Data Controller shall reject the Data subject's request for exercise of rights and shall at the same time inform the Data subject of the manner of exercising his or her rights.

Data Controller shall provide information on what action it took upon a request from the Data subject within one month from the date of receipt. Taking into account the complexity of the request and the number of requests, this one-month period may be extended by a further two months by reasoned information sent to the Data subject by the Data Controller within one month of the submission / receipt of the request to the Data Controller.

It is considered a proper communication or receipt if the Data subject sends the written request to the official address of the Data Controller or to the e-mail address provided for this purpose and arrives there.

A request not communicated in accordance with the above will not be taken into account by the Data Controller.

Information and communication relating to the processing of personal data must be easily accessible and comprehensible and must be drafted in clear and simple language. This principle applies in particular to informing Data subjects about the identity of the controller and the purpose of the processing, as well as further information to ensure fair and transparent processing of the Data subject's personal data, and to informing Data subjects that they have the right to be confirmed and informed about the data processed about them.

Data Controller may charge a reasonable fee based on administrative costs according to Article 12 of GDPR.

 

5.2. Right to rectification

Data subject has the right to obtain from Data Controller the rectification of inaccurate personal data concerning him or her, without undue delay. Taking into account the purpose of the processing, the Data subject has the right to request the completion of his or her incomplete data, even by means of a supplementary declaration.

 

5.3. Right to erasure (‘right to be forgotten’)

Data subject has the right to request from the Data Controller the erasure of the Data subject’s personal data and the Data Controller is obliged to erase such personal data, without undue delay. In such cases Data Controller will not be able to further provide the Data subject with the services of the Data Controller. Data subject has the right to request erasure if one of the following applies:

  1. the personal data is no longer necessary for the purpose that the Data Controller collected it for;
  2. Data subject withdrew his or her consent to the processing activities and no other legal basis for processing applies;
  3. the Data subject objects to the processing pursuant to Section (1) of Article 21 of GDPR and there are no overriding legitimate grounds for the processing, or the Data subject objects to the processing pursuant to Section (2) of Article 21 of GDPR;
  4. his or her personal data is being unlawfully processed;
  5. EU or member state law oblige the Data Controller to erase Data subject’s personal data to comply with a legal obligation;
    OR
  6. the personal data have been collected in relation to the offer of information society services referred to in Article 8 of GDPR.

 

5.4. Right to restriction of processing

Data subject may have the right to request from Data Controller the restriction of processing his or her personal data if one of the following grounds applies:

  1. Data subject contests the accuracy of the personal data Data Controller processes about the Data subject. Data Controller must restrict processing the contested data until it can verify the accuracy of Data subject’s personal data.
  2. Data Controller is unlawfully processing the Data subject’s personal data.
  3. Data Controller no longer needs to process the Data subject’s personal data but the Data subject needs the personal data for the establishment, exercise or defense of legal claims.
  4. The Data subject has objected to processing pursuant to Article 21 of GDPR pending the verification whether the legitimate grounds of the controller override those of the Data subject.

If the restriction is justified, personal data shall, with the exception of storage, only be processed

  • if the Data subject consented to it;
  • for the establishment, exercise or defense of legal claims;
  • for the protection of the rights of another natural or legal person, or
  • for reasons of important public interest of the Union or of a Member State.

If the processing of the Data subject’s personal data has been restricted, Data subject will be informed before the restriction of processing is lifted.

 

5.5. Right to object

The Data subject shall have the right to object, if processing his or her data is based on:

  • the public interest or in the exercise of official authority vested in Data Controller according to point (e) of Section (1) of Article 6;
  • purposes of the legitimate interests pursued by Data Controller or by a third party according to point (f) of Section (1) of Article 6.

The Data Controller shall no longer process the personal data unless there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data subject or for the establishment, exercise or defense of legal claims.

 

5.6. Right to data portability

The Data subject shall have the right to receive the personal data concerning him or her, which he or she provided to Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without obstruction from the Data Controller, where:

  1. the processing is based on the Data subject’s consent or the processing is necessary for the Data Controller to perform a contract with the Data subject; and
  2. the processing is carried out by automated means.

 

5.7. Right to withdraw consent

Where processing is based on consent, the Data subject shall have the right to withdraw his or her consent at any time. Regarding this, the Data Controller informs the Data subject that it may continue to process the Data subject's personal data for the purpose of fulfilling its legal obligation or validating its legitimate interests even after the consent given by the Data subject has been withdrawn, if the enforcement of the interest is proportionate to the restriction of the right to the protection of personal data.

6. Legal remedies

If the Data subject has the impression that the processing of his/her personal data is not in compliance with the GDPR, the Data subject is entitled to contact the Data Controller directly at the following e-mail address: gdpr@semilab.hu

The Data subject is also entitled to file a complaint with the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság; “NAIH”, H-1055, Hungary, Budapest, Falk Miksa utca 9-11; postal address: H-1363 Budapest, Pf. 9.; phone: +36-1 391-1400; fax: +36-1 391-1410; e-mail: ugyfelszolgalat@naih.hu). To protect his/her data, the Data subject has the right to initiate proceedings before the court, which proceeds under priority. The Data subjects can choose whether the action shall be brought before the district court in whose area of competence the Data subject’s place of residence is located or before the district court in whose area of competence the Data subject’s habitual residence is located (https://birosag.hu/en/judicial-system). The competent district court can be found on this site: http://birosag.hu/ugyfelkapcsolati-portal/birosag-kereso