Data Protection Information of Basewalk Kft.
for the Taskfit pro and Taskfit Systems
Summary

Pursuant to § 20 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Info Act) BaseWalk Kft. (hereinafter: Basewalk) as the operator of the Taskfit system informs the users (hereinafter: Data subjects) of the Basewalk Taskfit Pro and Taskfit systems (hereinafter jointly: Taskfit) that the data of the Data subjects in the Taskfit system will be processed by Basewalk in line with the Data Protection Information available at www.taskfit.com and www.taskfitpro.com. Please find below a short summary:

1. Details of the data processing

purpose of the data processingscope of processed datalegitimate groundduration of the data processing
1providing services in connection with the use of the system (e.g. identification of the data subject, providing user support, ensuring the availability of the system)– obligatory: family name, first name, e-mail address, chosen password
– optional data: occupation, company name, phone number
– other data collected during the use of the system 1
voluntary consentuntil the realisation of the purpose of the data processing,
– in the case of the taskfit pro system until the completion of the development period,
– in the case of the taskfit system for the period of the use of the service
2improvement of the user experience, development of the systemdata provided obligatorily or voluntarily by the data subject and the anonym data generated from the above data 2voluntary consent
3enforcing of rights (handling of complaints)data necessary for the complaint handling and the enforcement of rights from the data provided by the data subject obligatorily or voluntarily (e.g.. family name, first name, home address)– based on consent in the case of a complaint handling procedure initiated by the data subject,
– in other cases based on § 6(5) of the info act
identical with the period during which the right/claim can be enforced (in the case of a legal dispute the period of time until the final and binding completion of the administrative/court proceeding)

1 See Section 3.2.b.) of the complete Information Form
2 For details on the anonymisation please refer to 3.1.c. of the complete Information Form

1. The personal data of the Data subject are processed by the Operator pursuant to Point a) § 5(1) of the Info Act, primarily based on Data subject’s voluntary consent or in the case set forth in § 6(5) of the Info Act the personal data provided by the Data subject can be processed by Operator, unless otherwise stipulated by law, without further consent in the cases set forth in the above section of the Act.

2. Data subject shall be entitled to request information from the Operator concerning the processing of his/her personal data via the following contact details: Basewalk Kft. Address: 1031 Budapest, Záhony u. 7. Graphisoft Park “B” building Phone: +36 30 546 3773 E-mail: info@basewalk.com.
Furthermore, the Data subject may request the Operator to correct his/her personal data or to delete or block the same, except for the cases of obligatory data processing. If the Data subject’s rights are breached or if the Data subject does not agree with the decision of the Operator or Operator fails to inform the Data subject about its decision, then in the cases set forth in § 21 of the Info Act the Data subject may turn to the court within the applicable deadline. The Data subject may also initiate the proceeding of the National Authority for Data Protection and Freedom of Information of Hungary.

3. Basewalk uses the personal data provided on the basis of consent only for such purposes that the owner of the personal data consented to and shall not forward the same to third parties.

4. Basewalk protects the personal data with such methods and care that is expected from such undertaking and prevents the unauthorised access to any part or to the whole of the data. Basewalk arranges for data security and prevents the unauthorised use of the data.

5. Basewalk shall process the data in its system confidentially, and shall not forward data to unauthorised third persons. The data processing is in full compliance with the requirements of Act no. CVIII of 2001 on specific matters of electronic commercial services and services related to the information society and with the requirements of Act CXII of 2011 on informational self-determination and freedom of information.

Budapest, 8 September 2016

Basewalk Kft.

Data Protection Policy of BaseWalk Kft.
Taskfit pro and Taskfit Systems
Detailed data protection rules

1. Introduction

The processing of the personal data of the users (hereinafter: „Data subjects”) of the Taskfit Pro and Taskfit systems (hereinafter jointly: „Taskfit”) developed and operated by Basewalk Kft. (seat: 1031 Budapest, Záhony u. 7. Graphisoft Park “B” building; company registration number: 01-09-183017; hereinafter: „Operator”) is absolutely necessary for the operation of the systems and for the related tasks of the Operator (hereinafter: „Service”).

Taskfit is a personal task management and time-keeper application with the primary purpose of increasing the efficiency of IT-related work and minimising the administrative tasks coming along with such work. The objective of the Operator is to develop Taskfit into an internationally recognised, widely used and reliable service and to operate the same in the long run.

2. Purpose of the Policy

The purpose of this data protection policy (hereinafter: „Policy”) is to inform the Data subjects and the visitors of the www.taskfit.com and www.taskfitpro.com sites about the most important ‘data processing’-related information in connection with the Service, and the ways and possibility of enforcing the rights of the Data subjects.

The Operator as the provider of the Services acts as data controller in relation to the following personal data and considers the contents of the Policy binding on itself. Operator undertakes to process the Service-related data in compliance with the requirements of this Policy and of the applicable laws and states that Operator will not use the personal data obtained in connection with the Service for any other purposes than the ones set forth in the Policy.

Operator does not request or collect personal data other than the ones in this Policy. It is the Data subjects’ responsibility to protect their own personal data and to prevent the access to the same during the use of the Services. User shall warrant that the consent of any third party data subject has been lawfully obtained for the processing of third party personal data that have been provided or made accessible in connection with the Service (e.g. sending the content of a website, name, email, phone number, etc.). Data subject shall be responsible for Data subject’s user content.

Operator processes the personal data of the Data subjects only within the territory of the European Union and will not transfer the same to any data controller or data processor other than the ones indicated in this Policy.

The data protection rules and information concerning the Operator’s data processing are continuously available at the websites www.taskfit.com and www.taskfitpro.com, and, if requested, Operator provides the Data subjects with the same.

Operator maintains the right to amend this Policy. Operator shall inform the Data subjects about the modification in advance in line with the applicable laws.

Should you have any queries concerning this Policy, please contact us at the e-mail address: info@basewalk.com so that we can answer immediately.

Operator is committed to protect the personal data of the Data subjects and considers the respecting of the informational self-determination right of the Data subjects as extremely important with a view to the stipulations of Act no. CVIII on specific matters of electronic commercial services and services related to the information society (hereinafter: „Info Act.”). The Operator processes the personal data confidentially and takes all the security, technical and organisational measures that guarantee the security of the data.

3. Scope of the personal data; purpose, legitimate ground and duration of the data processing

Some of the data processing actions of Operator in the cases below are based on the Data subject’s voluntary consent, i.e. in these cases the Data subject makes the decision to use the Service and provides Operator with his/her personal data. In certain cases some of the data are processed, stored and forwarded in line with the applicable laws. About this Operator shall inform the Data subjects.

Such cases are regulated in § 6(5) of the Info Act when the data provided on the basis of the voluntary consent can be processed by the Operator, unless otherwise stipulated by law, in the cases below, without a specific consent of the Data subject or even after the withdrawal of the Data subject’s consent:

a) in order to fulfil a legal obligation of Operator, or

b) for the legitimate interest of Operator or of a third person if the legitimate interest is proportional to the limitation of the right to the protection of personal data.

Such cases can occur when the Operator initiates a legal proceeding against Data subject and during the course of the proceeding Operator uses the data provided by the Data subject.

Operator thrives to hold its data processing at a level that is absolutely necessary. At the same time certain personal data have to be processed due to well-founded Data subject complains and claims concerning the Service and in connection with Operator’s related obligations.

3.1. Details of the data processing

3.1.a.)

purpose of the data processingscope of processed datalegitimate groundduration of the data processing
1providing services in connection with the use of the system (e.g. identification of the data subject, providing user support, ensuring the availability of the system)-obligatory: family name, first name, e-mail address, chosen password
– optional data: occupation, company name, phone number
– other data collected during the use of the system3
voluntary consentuntil the realisation of the purpose of the data processing,
– in the case of the taskfit pro system until the completion of the development period,
– in the case of the taskfit system for the period of the use of the service
2improvement of the user experience, development of the systemdata provided obligatorily or voluntarily by the data subject and the anonym data generated from the above data4voluntary consent
3enforcing of rights (handling of complaints)data necessary for the complaint handling and the enforcement of rights from the data provided by the data subject obligatorily or voluntarily (e.g.. family name, first name, home address)-based on consent in the case of a complaint handling procedure initiated by the data subject,
– in other cases based on § 6(5) of the info act
identical with the period during which the right/claim can be enforced (in the case of a legal dispute the period of time until the final and binding completion of the administrative/court proceeding)

3see section 3.2.b.) of the policy
4for the purposes of the development of the system operator anonymises the data provided by the data subject during the use of the system. operator utilises the anonymised data only for statistical purposes and for the improvement of the user experience. for details on the anonymisation please refer to 3.1.c. of the policy

b.) Besides the direct registration it is also possible to register in the Taskfit (Pro) System with user accounts created in external systems (e.g. Google, Facebook) with data provided by the Data subject. In such cases the scope of data processed by the Taskfit is identical with the scope of data collected during the direct registration in the Taskfit system (see the scope of obligatory and voluntary scope of data) with the sole difference that in this case there is no need for a password as the identification and sign-in of the Data subject takes place in the external system.

c.) Anonymisation process
The improvement of the user experience and the development of the Taskfit System, for the purposes of analyses, require mainly statistical but in certain cases detailed test data mirroring the actual use. The test data derive from anonymised user data provided by the Data subjects during the live operation and from anonymised other data formulated during the use of the Service. The analyses are prepared on the basis of previously anonymised and aggregated data and their results are products that cannot be traced back to individuals.

The anonymisation techniques applied by the Operator (e.g. pseudonymisation) have been determined with a view to the nature of the processed data in line with Opinion no. 05/2014 on the Anonymisation Techniques of Article 29 Data Protection Working Party of the European Union as follows:

processed group of datadetailed data within the group of processed datathe data necessary for the development of the functionality of taskfitapplied anonymisation method(s)
user datainternal identifier, name, e-mail address, etc.identifier not referring to the userid: pseudonymisation (salted thrown away key hash function)
device datainternal identifier, user reference, name, typetype, identifier not referring to the usertype: summary, k-anonymity
id: pseudonymisation (salted thrown away key hash function)
task datainternal identifier, user reference, name of task, description of task, its statusidentifier not referring to the task, identifier not referring to the user, statusid: pseudonymisation (salted thrown away key hash function)
resource datainternal identifier, name of file/webpage, access pathway, its type, its default iconidentifier not referring to the resource, type of the resource, type of filetype of resource/file: summary, k-anonymity
id: pseudonymisation (salted thrown away key hash function)
time datainternal identifier, resource reference, start time of the use of the resource, end time of the use of the resourceidentifier not referring to the resource, identifier not referring to the user, time datatime data: adding noise, permutation
id: pseudonymisation (salted thrown away key hash function)

3.2. Scope of data processed in connection with the Services:

Data recorded by the User when using Taskfit:

– name of User’s own tasks

– description of the task

– status of the task

– deadline of the task

category elements and labels created by the User for the individual categorisation and classification of the own tasks

Data recorded by the System when using Taskfit:

– name of the applications used during User’s work concerning the tasks recorded by User, its access pathway and its default icon, duration of the use of the application;

– name of the files opened during the work concerning the task given by the User, its access pathway and its default icon, duration of the use of the file;

– name of the websites opened during the work concerning the task given by the User, their URL and default icon, duration of the use of the webpage;

– name, phone number and default profile picture (if any) of the person making or receiving the call in the case of phone calls during work performed concerning the task given by User, duration of the call;

– name, user identifier and a default profile picture (if any) of the partner in the case of text messages during work performed concerning the task given by User, duration of texting;

– subject, e-mail address(es) of the addressee(s) of e-mails in the case of electronic mails sent or received by User during work performed concerning the task given by User, date of sending, duration of the editing and reading of the e-mail;

– address and GPS coordinates of the location where work is performed concerning the task given by User other than the usual place of work, duration of the stay at the location.

3.3. Duration of the data processing:

The duration defined in the above chart (Section 3.1.a.).

All of the Data subjects’ data will be deleted immediately once the purpose of the data processing terminates or is realised.

The Data subject participating in the development of Taskfit pro who intends to also use the Taskfit System in the future, may object in writing to the deletion of his/her data after the development of the Taskfit pro system.

3.4. Data forwarding:

Operator shall not forward the processed data to third parties without the prior written consent of the Data subject.

A special case is a supplementary feature of Taskfit for the data links (hereinafter: Integrations) with external task management systems (e.g. Google calendar). The creation, setting, permitting, use and deletion of the Integrations are at the Data subject’s discretion, they depend on Data subject’s decision. When creating a piece of Integration, the Taskfit provides detailed information to the Data subject regarding the data given over and taken over in connection with the specific Integration and the method of the data forwarding. Data subject gives his/her consent for each case of data synchronisation regarding each piece of Integration individually. Operator shall not be liable for the data processing of external systems in connection with the data synchronisation generated by the Data subject; in these cases the data processing of the external systems is governed by the general terms and conditions of the given systems.
In default mode Taskfit does not have any data link to any external task management systems, such links are created by the Data subjects in each case.

Operator is entitled and obliged to forward all the available and rightfully processed personal data to the competent authorities, the forwarding of which is specified by law or by a final and binding administrative decision.

4. Place of data storage, security of data processing

4.1. Places of the storage of the data:

The seat of Operator: 1031 Budapest, Záhony u. 7. Graphisoft Park “B” building
The business establishment of Operator: 3515 Miskolc, Egyetemváros tér 40592/11. E/7. ép. 610

4.2. Operator uses IT devices for the service provision (processing of personal data) and operates the same in a way so that the processed data’s:

a) availability is ensured for the authorised persons (principle of availability – availability level as undertaken by the Operator);

b) authenticity and authentication are ensured (principle of authentic data processing – allowing access to the system only for authorised personnel);

c) unchanged nature can be verified (principle of data integrity – logging of access);

d) secured nature against unauthorised access is ensured (confidentiality of the data – Operator is liable for preventing the leaking of any data from the system).

Operator protects the data with proper measures, especially against unauthorised access, modification, forwarding, publishing, deletion or destruction, furthermore against accidental destruction, damage, as well as against inaccessibility deriving from the change of the applied technology.

Taking into consideration state-of-the-art technology, Operator shall make all the technical and organisational arrangements for the protection of the data processing that provides a protection proportional to the risks arising in connection with the data processing.

5. Details and contacts of the data controllers/data processors:

Operator does not employ further data processors or data controllers.

6. Rights and legal remedies of the Data subjects

6.1. Operator calls the attention of the Data subjects to the fact that in the case of any complaints or remarks it is advisable to contact the Operator directly first.

Contact details of Operator: Basewalk Kft. Address: 1031 Budapest, Záhony u. 7. Graphisoft Park “B” building Phone: +36 30 546 3773 E-mail: info@basewalk.com.

6.2. Rights of the Data subjects:

Rights: The Data subject may request information from the Operator regarding the processing of his/her personal data, furthermore it may request the correction of his/her personal data and, except for obligatory data processing, may request the deletion or blocking of the data in the same way as it was indicated at the time of the recording of the data or at the contact details of Operator. The Data subject may also object to the data processing in the cases specified below. The rights of the Data subjects include the initiation of a judicial proceeding or a proceeding of the National Authority for Data Protection and Freedom of Information of Hungary.

a.) Providing information: At the request of Data subject Operator provides information on the data processed by Operator or by assigned data controllers or data processors, the source of the data, the purpose of the data processing, the legitimate ground, duration of the processing; name, address and activities of the data processor, furthermore in the case of data forwarding its legitimate ground and the addressee. Operator shall provide the information as soon as possible from the receipt of the Data subject’s request but within 25 days at the latest (unless a shorter deadline is specified by another legal stipulation) in a clear and understandable way, in writing if this was requested by the Data subject. The information is free of charge if this was the first time in the given year that Data subject filed such request for information regarding the same scope of data. Otherwise, Operator may claim the remuneration of its expenses.

b.) Correction: Operator corrects the personal data if they are incorrect and the correct personal data are available.

c.) Blocking: Operator blocks the personal data if Data subject requests this or if it can be presumed based on the available information that the deletion would harm the legitimate interests of the Data subject. The blocked personal data can be processed as long as the purpose of the data processing that excluded the deletion of the personal data is given.

d.) Deletion: Operator deletes the personal data if the processing is unlawful; if Data subject requests the same; if the processed data is deficient or incorrect and this state cannot be remedied lawfully, provided that the deletion is not excluded by law; if the purpose of the data processing ceased to exist or if the statutory deadline of data storage specified by law has expired or if it was ordered by the court of by the National Authority for Data Protection and Freedom of Information of Hungary.
Deadlines: Operator has 30 days to delete, block or correct the personal data. If Operator fails to comply with the Data subject’s request for correction, blocking or deletion, then the reasons for the denial shall be communicated in writing within 25 days. Operator informs the Data subject about the correction, blocking, marking or deletion, as well as those persons to whom the data had been forwarded earlier for the purposes of data processing. The notification can be avoided if this does not harm the legitimate interests of the Data subject, with a view to the purpose of the data processing.

e.) Objection: Data subject may object to the processing of his/her personal data, if

a) the processing or forwarding of the personal data is only necessary for the fulfilment of legal obligations of Operator or for the enforcement of the legitimate interests of the data controller, the recipient of the data or third persons, unless the data processing was ordered by law;

b) the personal data is used or forwarded for the purposes of direct marketing, surveys or scientific research;

c) in other cases determined by law.
Operator investigates the objection as soon as possible after the filing of the request but within 15 days at the latest and makes a decision whether the objection is well-founded and informs the Data subject about its decision in writing. If the Operator finds the objection of the Data subject well-founded, then the data processing will be terminated, including further data recording or forwarding and the data will be blocked and Operator informs all those persons about the objection and the measures taken as a consequence of the objection who received previously the Data subject’s personal data. These persons shall also take steps to enforce the right to objection.

f.) Opportunity to turn to the court: If the Data subject does not agree with Operator’s decision then the Data subject may turn to the court against the decision within 30 days from its communication. Data subject may also turn to the court against Operator in the case of any breach of Data subject’s rights. The court proceeds in the case out of turn. The lawsuit, upon Data subject’s choice, may be initiated at the regional court with competence on the basis of the home address or temporary address of Data subject or at the regional court with competence on the basis of Operator’s (respondent’s) seat.
Operator shall compensate the damages caused by the unlawful processing of Data subject’s data or by the breach of the requirements of data security. If the unlawful processing of Data subject’s data or the breach of the requirements of data security also infringes the Data subject’s personality rights, then the Data subject may claim a restitution fee from the data controller. Operator shall be liable towards the Data subject for damages caused by the data processor and Operator shall also pay the restitution fee if the data processor harmed the Data subject’s personality rights.

Operator is exempted from the liability and from the obligation to pay the restitution fee if Operator proves that the damage or the harm of the personality rights of the Data subject was caused by an unavertable cause outside the scope of the data processing. Operator does not compensate the damages and a restitution fee cannot be claimed if the damage originated from the wilful or grossly negligent conduct of the injured person or if the harm of the personality rights originated from the wilful or grossly negligent conduct of the Data subject.

g.) Initiation of the proceeding of the National Authority for Data Protection and Freedom of Information of Hungary: After contacting the Operator, beyond the lawsuit at the court, the Data subject also have the opportunity to report the data processing to the National Authority for Data Protection and Freedom of Information of Hungary and initiate an investigation by referring to the Data subject’s injury suffered in connection with the processing of his/her personal data or if there is a direct risk to suffer such injury.

National Authority for Data Protection and Freedom of Information of Hungary
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu

7.) Other partners

The contractual partner of Operator, Nuage Kft. (1031 Budapest, Zahony srt. 7, Graphisoft Park “B” building) participates in the development of the Taskfit pro system but has no role in the data processing activities.