Privacy policy

This privacy notice applies to the processing of personal data of natural persons designated as contact persons in transport and other contracts concluded by Timberpak Hungary Limited Liability Company (registered office: 1173 Budapest, Határmalom utca 4.; company registration number: 01-09-421130; hereinafter: “Data Controller”), as well as to the processing of personal data of natural persons acting as contact persons of the Data Controller’s potential (future) business partners.

This privacy notice forms an inseparable part and annex of the contract between the Data Controller and the contracted partner.

The contracted partner is obliged to provide this privacy notice to the contact person concerned by the data processing and must certify to the Data Controller that this has been done.

1. Data Controller information:

  • Company name: Timberpak Limited Liability Company
  • Representatives: Manuel de Menech, Maksim Viktorovich Veretyuk, Martin Wurzl
  • Registered office: 1173 Budapest, Határmalom utca 4.
  • Company registration number: Cg. 01-09-421130
  • Registering authority: Company Court of the Budapest Metropolitan Court
  • Tax number: 32381553-2-42
  • Telephone number: +36202617768
  • E-mail: lorant.riesz@egger.com
  • Person providing information regarding data processing: Lóránt Riesz

The legal basis of processing is the following:

a) Pursuant to Article 6(1)(f) of the GDPR, processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.

Identified legitimate interest: The processing of contact data serves the mutual legitimate interest of the Data Controller and the contracted partner, as it is necessary for performing the contract between them, facilitating communication related to the contract, and sending notifications to the contracted partner. The Data Controller processes only the strictly necessary personal data of the contact person; therefore, the fundamental rights and freedoms of the contact person are not infringed or do not override the legitimate interests of the Data Controller and the contracted partner.

Processing is necessary because, without contact data, communication with contractual partners would be extremely difficult, which would hinder contract performance.

The personal data processed are necessarily linked to the contact person designated by the business partner (employee, agent, or other contractual relationship), without whom the business partner (a legal entity) and the Data Controller cannot communicate. This processing represents a proportionate restriction for the data subject. The Data Controller processes personal data only to the extent necessary to achieve the legitimate business purpose. The data processed are not special categories of personal data. No disadvantage arises for the contact persons due to the processing, and the processing constitutes a proportionate restriction because the Data Controller ensures the right to request erasure of personal data upon the data subject’s request or objection. Access to personal data is restricted to the Data Controller’s employees as necessary. The Data Controller also provides appropriate firewall and antivirus protection as well as secure storage of paper-based documents.

The legal basis for processing is defined separately for each data category and purpose, as follows:

| Category of data processed | Source of data | Purpose of processing | Legal basis | Retention period |
| --- | --- | --- | --- | --- |
| Contact person’s name | Contracted partner | a) Contract establishment b) Contract performance c) Enforcement of claims and rights d) Identification e) Communication | GDPR Article 6(1)(f): Legitimate interest | If the data appear in documents necessary for fulfilling tax obligations, they are retained for 5 years from the last day of the calendar year in which the tax return or reporting must be submitted or, in the absence thereof, in which the tax must be paid. If the data appear in a contract concluded with the partner, they are stored for 8 years following termination of the contract to fulfil accounting obligations. In other cases, they are retained for 5 years after termination of the contract (general limitation period). |
| Contact person’s e-mail address | Contracted partner | a) Contract establishment b) Contract performance c) Enforcement of claims and rights d) Communication | GDPR Article 6(1)(f): Legitimate interest | |
| Contact person’s telephone number | Contracted partner | a) Contract establishment b) Contract performance c) Enforcement of claims and rights d) Communication | GDPR Article 6(1)(f): Legitimate interest | |

3. Data Protection Officer:

The Data Controller is not required to appoint a Data Protection Officer; therefore, no appointment has been made in accordance with the GDPR.

4. Data transfer to foreign countries or international organizations:

The Data Controller does not transfer personal data to third countries or international organizations.

5. Persons entitled to access the data / recipients of personal data:

Persons entitled to access the data are employees participating in the conclusion, amendment, termination, or performance of the contract or document in question, those handling disputes related to non-performance or improper performance, and employees performing accounting tasks.

6. Rights of data subjects

The data protection rights and remedies of data subjects are governed by the relevant provisions of the GDPR (particularly Articles 15–17, 18–22, 77–80, and 82). The summary below outlines the main rules and the Data Controller’s related obligations.

6.1. Right of access

The data subject has the right to obtain confirmation from the Data Controller as to whether personal data concerning them are being processed, and, if so, access to those personal data.

The Data Controller will provide a copy of the personal data undergoing processing. For additional copies, the Data Controller may charge a reasonable fee based on administrative costs. If the request is submitted electronically, the information must be provided in an electronic format unless otherwise requested by the data subject.

6.2. Right to rectification

The data subject has the right to request the rectification of inaccurate personal data without undue delay. They may also request the completion of incomplete personal data.

6.3. Right to erasure (“right to be forgotten”)

The data subject has the right to request that the Data Controller erase their personal data without undue delay, and the Data Controller is obliged to do so if any of the following grounds apply:

  • The personal data are no longer necessary for the purposes for which they were collected or processed.
  • The data subject withdraws consent and there is no other legal basis for processing.
  • The data subject objects to processing and there are no overriding legitimate grounds.
  • The personal data have been processed unlawfully.
  • Erasure is required to comply with a legal obligation.

6.4. Right to restriction of processing

The data subject may request restriction of processing if:

  • They contest the accuracy of the data (restriction applies during the verification period).
  • Processing is unlawful and the data subject opposes erasure and requests restriction instead.
  • The Data Controller no longer needs the data for processing purposes, but the data are required by the data subject for legal claims.
  • The data subject objects to processing; in this case, restriction applies until it is determined whether the Data Controller’s legitimate grounds override the data subject’s interests.

If processing is restricted, the personal data may only be processed (except for storage): with the data subject’s consent, for legal claims, for protecting rights of another natural or legal person, or for important public interest of the EU or a member state.

The Data Controller shall inform the data subject before lifting the restriction.

6.5. Right to object

The data subject may object at any time, on grounds relating to their particular situation, to processing of personal data based on legitimate interest. In such cases, the Data Controller may no longer process the data unless it demonstrates compelling legitimate grounds overriding the data subject’s rights or for legal claims.

6.6. Right to lodge a complaint with a supervisory authority

The data subject may lodge a complaint with a supervisory authority, particularly in the member state of their habitual residence, workplace, or the place of the alleged infringement, if they consider that the processing of their personal data violates the GDPR. In Hungary, the competent authority is:

  • National Authority for Data Protection and Freedom of Information (NAIH)
  • Address: 1055 Budapest, Falk Miksa utca 9-11.; P.O. Box: Budapest, Pf. 9
  • Phone: +36 (1) 391-1400
  • Fax: +36 (1) 391-1410
  • E-mail: ugyfelszolgalat@naih.hu

Additionally, the data subject may initiate court proceedings before the competent court of the Data Controller’s registered office or their own residence. Such cases are handled in an expedited procedure.

6.7. Right to data portability

The data subject may request the portability of their data, meaning they may request their data in a structured format or request that the Data Controller transmit it directly to another service provider, where technically feasible.

7. Data security

The Data Controller stores personal data both in paper form and electronically. Paper-based storage takes place exclusively in locked premises to prevent unauthorized access. For electronic storage, information security rules apply. Personal data are stored in a password-protected system, which is regularly reviewed. Access to personal data is restricted, and communication is transmitted via encrypted channels.

8. Automated decision-making and profiling

The Data Controller does not apply automated decision-making or profiling in relation to contact persons’ data.