Privacy Policy

The purpose of this Privacy Notice is to inform Data Subjects about the processing of their personal data carried out by Pharmanext Trading and Services Limited Liability Company (hereinafter referred to as “Pharmanext Ltd.”, “Pharmanext”, or the “Data Controller”).

This information obligation is based on Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”), as well as Section 14(a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (“Info Act”).

1. Definitions

 

“Personal Data”

Any information relating to an identified or identifiable natural person (the “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing”

Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means. This includes, but is not limited to, the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of personal data.

“Data Controller”

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its designation may also be determined by Union or Member State law.

“Data Processor”

A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

“Recipient”

A natural or legal person, public authority, agency, or other body to whom personal data are disclosed, regardless of whether they are a third party.

“Third Party”

A natural or legal person, public authority, agency, or other body other than the Data Subject, the Data Controller, the Data Processor, or persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process personal data.

“Profiling”

Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

“Website”

The website operated by the Data Controller for marketing purposes and facilitating contact with users: www.pharmanext.hu.

2. Identity and Contact Details of the Data Controller

  • Company Name: Pharmanext Ltd.
  • Registered Office: 1085 Budapest, Stáhly utca 2/A, 3rd Floor, Office 3, Hungary
  • Company Registration Number: 01-09-346351
  • Tax Number: 27042692-2-42
  • Email: info@pharmanext.hu
  • Phone: +36 1 275 4281
  • Legal Representative of the Data Controller: Mátyás Szalai
  • The Data Controller is a company duly incorporated and registered in Hungary.

The Data Controller processes any personal data that comes to its attention in full compliance with the applicable data protection legislation in force at all times, including, in particular, the Info Act and the GDPR.

3. Protection of Personal Data, Categories of Personal Data Processed by the Data Controller, Purpose and Legal Basis of Processing, and Retention Period

The Data Controller respects the protection of personal data and, in accordance with the applicable laws and regulations, ensures the proper processing and safeguarding of all personal data made available to it.

The Data Controller uses personal data solely for the purposes specified. It does not combine such data with databases obtained from other sources and—unless otherwise required by law—discloses personal data to third parties only with the explicit consent of the Data Subject. Furthermore, the Data Controller makes every reasonable effort to ensure the protection and security of such personal data.

The following sections describe the data processing activities carried out by Pharmanext in its capacity as the Data Controller with regard to natural persons (“Data Subjects”), including the key characteristics of each processing activity, such as the categories of personal data processed, the purpose and legal basis of processing, the retention period, and, where applicable, information regarding the transfer of personal data.

3.1 Processing of Technical Data – Information Related to the Use of the Website

1. Log Files

When accessing the Website, the internet browser installed on the Data Subject’s device automatically transmits certain information to the Website’s server, where it is temporarily stored in the form of log files.

The information typically stored includes:

  • the date and time of access;
  • the name of the requested webpage;
  • the IP address of the device;
  • the referring URL;
  • the volume of data transferred;
  • the page loading time;
  • the browser type and version; and
  • the name of the internet service provider.

The personal data processed upon accessing the Website consist of the Data Subject’s IP address. However, the IP address alone is not used to directly identify the Data Subject, as it is not combined with any other personal data that could enable such identification.

Purpose of ProcessingLegal Basis for ProcessingRetention Period
To ensure the proper functioning of the Website, provide a convenient browsing experience, and evaluate system security and stability.The processing is based on the Data Controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR.Personal data are retained for no longer than the duration of the Data Subject’s visit to the Website.

2. Cookies

To ensure that the content of the Website is displayed correctly and provides an optimal user experience, the use and acceptance of cookies is required.

Cookies are small text files automatically created by web browsers and stored on the user’s device (such as a computer, laptop, or mobile phone) when visiting the Website. A cookie typically contains the name of the website from which it originates and its expiration date.

Based on their duration, cookies are generally divided into two categories:

  • Session cookies, which are temporary and are automatically deleted when the browser is closed or the Website is left.
  • Persistent cookies, which remain stored on the user’s device until they expire or are manually deleted.

Cookies do not directly identify the Data Subject. Neither the Data Controller nor the developer or operator of the Website associates cookie data with any other information that would enable the direct identification of the Data Subject.

For more detailed information about the cookies used on this Website, please click HERE.

3.2 Contact Requests and Information Requests

To provide the requested information, the Data Subject is required to provide certain contact details.

In connection with responding to enquiries and maintaining communication, the following personal data may be processed:

The following personal data may be processed in connection with responding to enquiries and maintaining communication:

  • Title
  • Name
  • Email address
  • Telephone number
  • Any other information voluntarily provided by the Data Subject that is relevant to the enquiry (e.g. postal address)
  • Message content
Purpose of ProcessingLegal Basis for ProcessingRetention Period
Contacting the Data Subject in order to provide the requested information.The Data Subject’s consent pursuant to Article 6(1)(a) of the GDPR.Personal data will be retained for 7 days following the contact request or until the Data Subject withdraws their consent, whichever occurs first.

4. Storage and Protection of Personal Data

The Data Controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its data processing activities. These measures are determined taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons.

For the purposes set out in this Privacy Notice, the Data Controller stores personal data exclusively in electronic form at its registered office.

5. Rights of Data Subjects

Data Subjects may, at any time, exercise their rights by contacting the Data Controller using the contact details provided in Section 2 of this Privacy Notice.

Data Subjects may, at any time:

  1. request information from the Data Controller regarding the processing of their personal data;
  2. request the rectification of personal data processed by the Data Controller;
  3. request the erasure of their personal data and the restriction of its processing;
  4. request to receive their personal data and, where the legal conditions are met, have those data transmitted by the Data Controller to another data controller;
  5. object, on grounds relating to their particular situation, to the processing of their personal data based on the Data Controller’s legitimate interests;
  6. withdraw their consent to the processing of personal data where processing is based on consent. Such withdrawal shall not affect the lawfulness of any processing carried out prior to the withdrawal of consent.

Right of Access


The Data Subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them are being processed. Where such processing is taking place, the Data Subject has the right to access their personal data and to receive information regarding the circumstances of the processing.

Where the Data Subject’s request is manifestly unfounded, where the Data Subject is not entitled to the requested information, or where the Data Controller can demonstrate that the requested information is already available to the Data Subject, the Data Controller may refuse the request for information.

Right to Rectification


The Data Subject has the right to obtain, without undue delay, the rectification of inaccurate personal data concerning them processed by the Data Controller. The Data Subject also has the right to request the completion of incomplete personal data.

Right to Erasure


The Data Subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. the consent on which the processing is based has been withdrawn and there is no other legal basis for the processing;
  3. the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. the personal data have been processed unlawfully;
  5. the personal data must be erased in order to comply with a legal obligation.

The Data Controller shall not erase personal data where processing is necessary:

(i) for exercising the right to freedom of expression and information;

(ii) for compliance with a legal obligation requiring processing under applicable law; or

(iii) for the establishment, exercise, or defence of legal claims.

Right to Restriction of Processing

The Data Subject has the right to obtain from the Data Controller the restriction of processing where one of the following applies:

  1. the Data Subject contests the accuracy of the personal data, for a period enabling the Data Controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the Data Controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise, or defence of legal claims; or
  4. the Data Subject has objected to processing, pending verification of whether the legitimate grounds of the Data Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent, or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State.

The Data Controller shall inform the Data Subject before any restriction of processing is lifted.

If the Data Controller determines that the Data Subject’s objection is well-founded, it shall terminate the processing without undue delay and notify all recipients to whom the personal data have previously been disclosed of the objection, where applicable.

Right to Object


The Data Subject has the right to object, on grounds relating to their particular situation, at any time to the processing of their personal data based on the Data Controller’s legitimate interests.

In such cases, the Data Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.

  • Right to Data Portability

    Provided that it does not adversely affect the rights and freedoms of others, the Data Subject has the right to receive their personal data in a structured, commonly used, and machine-readable format.

    The Data Subject also has the right to have those personal data transmitted directly by the Data Controller to another data controller, where:

    1. the processing is based on the Data Subject’s consent or is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract; and
    2. the processing is carried out by automated means, i.e. the personal data are processed electronically rather than in paper form.

Handling of Data Subject Requests


The Data Subject may submit any request relating to the exercise of the above rights using the contact details of the Data Controller provided in Section 2 of this Privacy Notice.

The Data Controller shall provide information on the action taken in response to the request without undue delay and, in any event, no later than 30 days from receipt of the request.

If the Data Controller decides not to take action on the request, it shall inform the Data Subject within the same 30-day period of the reasons for not taking action and shall also inform the Data Subject of the available legal remedies.

The Data Subject is entitled to request information regarding the processing of their personal data free of charge once per calendar year.

If the Data Subject submits additional requests concerning the same personal data within the same calendar year, the Data Controller may charge a reasonable administrative fee, the amount and due date of which shall be determined on the basis of the specific circumstances of the request.

6. Transfer of Personal Data to Third Countries or International Organisations


The Data Controller does not transfer the Data Subject’s personal data to any third country outside the European Economic Area (EEA) or to any international organisation.

7. Management of Personal Data Breaches


The Data Controller shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The Data Controller shall maintain a record of all personal data breaches, including the facts relating to the breach, its effects, and the remedial measures taken. Such records shall enable the supervisory authority to verify the Data Controller’s compliance with its legal obligations concerning the notification of personal data breaches.

Where the Data Controller determines that a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, it shall inform the affected Data Subject without undue delay. The notification shall include the following information:

  1. the nature of the personal data breach;
  2. the name and contact details of the Data Protection Officer (where applicable);
  3. the likely consequences of the personal data breach; and
  4. the measures taken or proposed by the Data Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Data Controller shall not be required to notify the Data Subject of a personal data breach where:

  1. the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures—such as encryption—that render the personal data unintelligible to any person who is not authorised to access them;
  2. following the personal data breach, the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialise;
  3. such notification would involve a disproportionate effort. In such cases, the Data Controller shall instead inform the Data Subjects by means of a public communication published on the Website.

8. Legal Remedies

If the Data Controller rejects a request submitted by a Data Subject, the Data Subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or initiate legal proceedings before the competent court having jurisdiction over the Data Subject’s place of residence or habitual residence.

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

This Privacy Notice may be amended and/or withdrawn unilaterally by the Data Controller at any time, while ensuring that Data Subjects are informed accordingly.

Any amendments shall be communicated by publication on the Website and, where appropriate depending on the nature of the changes, by direct notification to the affected Data Subjects.

If you believe that the Data Controller has not processed your personal data in accordance with applicable data protection laws, we kindly ask that you first contact the Data Controller using one of the contact details provided above and communicate your concerns or requests. This enables us to investigate and resolve the matter as quickly and effectively as possible.

Scroll to Top