Privacy Policy

INFORMATION FOR CUSTOMERS AND USERS OF THE WEBSITE ON THE PROCESSING OF THEIR PERSONAL DATA

Last update: 07/02/2024

This Privacy Policy (hereinafter ‘Policy’) provides information to Data Subjects with regard to the processing of their personal data in connection with the business or administrative activities of ConSteel Solutions Kft. (hereinafter ‘Company/Controller’) and its website https://www.consteelsoftware.com, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter ‘GDPR’ or ‘Regulation’), in particular Articles 13 and 14 of the Regulation.

In order to comply with the principle of fair and transparent processing, the Data Subject must be provided with adequate information about the fact and purposes of the data processing. Information pertaining to the processing of personal data concerning the Data Subject should be provided to him or her at the time of collection from the Data Subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case.  Where personal data can be legitimately disclosed to another recipient, the Data Subject should be informed at the time of the first disclosure of the personal data to the recipient. Where the Controller is unable to provide the Data Subject with information on the origin of the personal data because it originates from various sources, it shall provide general information.

1. The Data Controller and its contact details

ConSteel Solutions Korlátolt Felelősségű Társaság (Limited Liability Company)

• Mailing address: KÉSZ Csoport, 6000 Kecskemét, Izsáki út 8/B.
• email address: info@consteelsoftware.com
• website: https://www.consteelsoftware.com

Data Protection Officer’s name and contact details:

Dr. Orsolya Bálint

• Mailing address: 1095 Budapest, Mester u. 87.
• email: adatvedelem@keszgroup.com

The Controller’s current data can be accessed in the free and public business register www.e-cegjegyzek.hu by entering the Controller’s name or other identification data (company registration number or tax number).

2. Glossary of Terms

• Data Subject / Customer / Visitor means any natural person identified or identifiable, directly or indirectly, on the basis of personal data;
• Personal data means any information that can be associated with a data subject, in particular the name, the identification number and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and the inference that can be drawn from the data concerning the data subject;
• Consent means any freely given and explicit indication of the data subject’s wishes, based on appropriate information, by which he or she signifies his or her unambiguous agreement to the processing of personal data relating to him or her, whether in full or in part;
• Controller means the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes of the data processing, and takes and executes decisions regarding the processing (including the means of processing used) or has them executed by a processor on its behalf.  Controller: ConSteel Solutions Korlátolt Felelősségű Társaság; registered office: 6000 Kecskemét, Izsáki út 8. B. ép.; Company registration number: Cg. 03-09-120681, Tax number: 22790132-2-03;
• Processing means any operation or set of operations which is performed on personal data, regardless of the procedure used, in particular collection, recording, documenting, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction, as well as prevention of further use, taking of photographs, sound recordings or images and recording of physical characteristics which permit identification of individuals;
• Transmission means making data available to a specified third party;
• Processor means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
• Data processing by a processor means the performance of technical tasks related to data processing operations, irrespective of the method and means used for performing the operations and the place of use, provided that such technical tasks are performed on the data;
• Erasure means rendering data unrecognisable in a way such that their recovery is no longer possible;
• Data blocking means the assignment of identifiers to data in order to restrict their further processing either permanently or for a limited period of time;
• Data destruction means the total physical destruction of the data medium containing the data;
• Dataset means the set of data managed in a single register;
• Third party means a natural or legal person or unincorporated body other than the data subject, the controller or the processor;
• Data breach means the unlawful processing of personal data by the controller or the processor, in particular unauthorised access, alteration, transfer, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage;

3. Definition of data processing activities and related data categories

3.1. Visits to the website

Categories of data processed: IP addresses + geolocation data

Purpose of the processing: Ensure protection of the IT system and security of the site, and improve user experience through the use of cookies authorised by the visitor (see Section 4).

Similar to most other sites, the Controller’s website automatically collects certain information and stores it in log files. Such information may include Internet Protocol (IP) addresses, the region or general location where the computer or device accesses the Internet, as well as browser type, operating system, screen resolution and other usage information related to the use of the site. The Controller uses this information to create and maintain a website that meets the needs of our users, including, for example, using Data Subjects’ IP addresses to diagnose problems with the server and to perform administrative tasks related to the website.

The legal basis for processing: Legitimate interests (Article 6 (1) (f) of the GDPR)

Duration of processing: 26 months from the date of the last visit.

3.2 Registration on the Website

Categories of data processed: The Data Subject’s full name, telephone number, email address, country, IP address and geolocation data

Purpose of the processing: Customer identification.

The legal basis for processing: Legitimate interests (Article 6 (1) (f) of the GDPR)

Duration of processing: Until registration is cancelled by the Customer.

Data transfer: not applicable.

3.3 Request for quotation

Categories of data processed: The Data Subject’s full name, telephone number, email address, country, work or physical address, IP address and geolocation data

Purpose of the processing: Customer identification. Making an offer to the Customer.

The legal basis for processing: Data Subject’s consent (Article 6 (1) (a) of the GDPR)

Duration of data processing: until the offer is accepted, or, if the offer is rejected, until the date of rejection or, if no response is received, until the day after the expiry of the offer validity period.

Data transfer: to the Data Controller’s regional contractual partners in the country indicated by the Data Subject.

3.4 Download of trial version

Categories of data processed: The Data Subject’s full name, phone number, email address, country, IP address + geolocation data, company data (company name, position, sector, website (optional), and reason for downloading trial version), saved model, hardware data for license use, usage time, and number of software starts

Registration is required to request and use the trial version. Requesting a trial version implies that the Controller will provide technical support to the Data Subject and may contact him or her in connection with the use of the trial.

Purpose of the processing: Identifying the Customer and providing him or her with the data (license file) necessary to use the trial version.

The legal basis for processing: Legitimate interests (Article 6 (1) (f) of the GDPR)

Duration of processing: for data other than those listed in point 3.2, for 3 years from the date of use of the trial version or until the Customer cancels the registration.

Data transfer: to the Data Controller’s regional contractual partners in the country indicated by the Data Subject.

Saved structural models will be stored on a platform called Steelspace, which will be stored on the Controller’s own servers and on the servers of the companies that we have contracted to provide services to us.

3.5 Download of educational version

Categories of data processed: The Data Subject’s full name, phone number, email address, country, IP address + geolocation data, higher education institution attended, document proving student status, saved model, and hardware data for license use.

Registration is required to request and use the educational version. Requesting an educational version implies that the Controller will provide technical support to the Data Subject and may contact him or her in connection with the use of the educational version.

Purpose of the processing: Customer identification, delivery of the educational version to the Customer, use of the educational version by the Customer, and proof of student status.

The legal basis for processing: Legitimate interests (Article 6 (1) (f) of the GDPR)

Duration of processing: for data other than those listed in point 3.2, 3 years from the start date for the use of the trial version or until the Customer cancels the registration.

Data transfer: To the Controller’s regional contractual partners in the country indicated by the Data Subject. Data transferred: The Data Subject’s full name, telephone number, email address, and saved models.

3.6 Commercial use of the software

Categories of data processed: The Data Subject’s full name, phone number, email address, country, IP address + geolocation data, company data (company name, position, sector, and reason for downloading trial version), saved model, hardware data for license use, billing data (address, tax number, tax identification number, and email address).

Purpose of the processing: Customer identification, conclusion of the software license agreement and invoicing.

The legal basis for processing: Performance of contract (Article 6 (1) (b) of the GDPR)

Performing the contract implies that the Controller will provide technical support to the Data Subject and may contact him or her in connection with the contract concluded.

Duration of processing: until the expiry of the document retention period; in the case of invoices: the period provided for by Act C of 2000.

Data transfer: to KÉSZ Consulting Pénzügyi Szolgáltató és Gazdasági Tanácsadó Korlátolt Felelősségű Társaság (6000 Kecskemét, Izsáki út 8. B. ép.) as data processor and invoice processor.

To the Data Controller’s regional contractual partners in the country indicated by the Data Subject.

3.7 Newsletter subscription

Categories of data processed: The Data Subject’s full name, telephone number, email address, country, IP address and geolocation data.

Purpose of the processing: Informing the Data Subject about events, news, latest discounts, special offers and updates of the Controller.

The legal basis for processing: Data Subject’s consent (Article 6 (1) (a) of the GDPR)

Duration of processing: until the date of withdrawal of consent / the date of unsubscribing from the newsletter.

Data transfer: To the Data Controller’s regional partners in the country indicated by the Data Subject.

The Data Subject/Customer may withdraw his or her consent at any time by sending a message to that effect to info@consteelsoftware.com.

4. Data storage

Please review the privacy notices and privacy policies of the service providers used by the Controller before providing your data in any form.

The Controller uses the following services to store personal data:

• Firebase (22 4th Street Suite 1000 San Francisco, California, 94103, United States), a proprietary application developed by the Controller based on Google’s service, whose privacy policy is available here.
• CRM service provided by HubSpot, Inc. (1 Sir John Rogerson’s Quay, Dublin 2, Ireland) whose privacy policy is available here.
• Microsoft Office 365 service provided by Microsoft Corporation (Konrad-Zuse-Str.1, 85716 Unterschleißheim, Germany) whose privacy policy is available here.
• Google LLC: Google Analytics (Gordon House, Barrow Street, Dublin 4, Ireland) whose privacy policy is available here.
• Jira Service Management provided by Atlassian Ltd. (Level 6, 341 George Street, Sydney, NSW 2000, Australia) whose privacy policy is available here.
• Hotjar Ltd. (Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta), whose privacy policy is available here.

5. Information about the cookies used on the website

A cookie (or ‘HTTP cookie’) is a small block of data that is stored in your browser by web servers associated with internet services.

The cookies used by this website are essential for the proper functioning of the site (‘essential cookies’), while others collect information about the use of the website (statistics) to make the site more convenient and useful. Some cookies are only temporary and disappear when you close your browser, while there are also persistent versions that are stored on your computer for a longer period of time.

The purpose of cookies is to make the site more customisable to the interests and needs of the visitor on subsequent visits, making the site easier to use. Cookies are also designed to speed up future user activities and improve the user experience when using the Sites. Cookies can also be used to generate anonymous aggregated statistics, giving us more transparency on how people use the sites, which in turn will allow us to improve site structure and content.

Various types of cookies can be used on the sites, including session cookies and persistent cookies. Session cookies are temporary, i.e. they are only stored on the user’s device until the visitor leaves the website he or she is using. You may even need to delete them manually if you do not want to store them for a longer period of time.

Placing an anonymous visitor identifier (cookie)

Anonymous visitor identifiers (cookies) are files or pieces of information that are stored on users’ computers (or other internet-capable device such as a smartphone or tablet) when they visit a website. A cookie usually contains the name of the website where it was placed on the device, its expiration (i.e. for how long it’s stored on the device), and its value, which is usually a randomly generated unique number.

Strictly necessary cookies

These cookies are necessary for the website to work well; they allow the user to navigate the site and use various features. For example, remembering previously performed actions or typed text enables the site to make it easier for the user to use the website when navigating back to a page during the same session.

These cookies cannot be used to identify a user individually. Disabling of these cookies by the user may have an impact on the website and its performance.

Performance cookies

They help us understand how visitors interact with the websites by providing information about the sites they visit, the time they spend on a site, and any problems they encounter, such as error messages. This helps to improve the performance of the site. These cookies cannot be used to identify a user individually. They collect data in aggregate and anonymised.

Functionality cookies

They allow websites to remember a user’s choices (such as username, language, or the region where the site visitor is located) to help create a more personalised online experience. They also allow users to watch videos, play games and use social tools such as blogs, chat rooms and forums.

The information collected by such cookies may include personal identifying information that the user has shared, such as his or her username or profile picture. The visitor should always be clearly informed about what information the website operator collects, what it does with it and with whom it shares it. The user’s refusal to accept these cookies may have an impact on the performance and functionality of the website and may limit the user’s access to website content.

Targeting or Advertising Cookies

These cookies are used to deliver content that is more relevant to the user and his or her topics of interest. They may be used to deliver targeted advertising to the user and to limit the number of times a user views an advertisement. They also help to measure the effectiveness of advertising campaigns on the sites. These cookies can be used to remember the sites that a user has visited.

Most types of these cookies track visitors by their IP address, so that they can collect personally identifiable information.

Managing cookie settings and disabling cookies

Most browsers allow you to change cookie settings. Some of them automatically accept cookies by default, but this setting can be changed so that the visitor can prevent automatic acceptance in the future.

Please note that cookies are used to support and facilitate the usability and processes of the website. If they are disabled, we can’t guarantee that the visitor will be able to fully use all the features of the website. This may cause the website to function differently than intended in the browser.

The following links provide more detailed information on cookie settings for the browsers listed below

• Google Chrome 
• Firefox 
• Microsoft Internet Explorer 11
• Microsoft Internet Explorer 10
• Microsoft Internet Explorer 9
• Microsoft Internet Explorer 8 
• Safari

Links to other websites

Our website may occasionally contain links to third party websites over which we have no control. Once you leave our site, we are no longer responsible for the content of those third party sites or for the privacy and confidentiality of any information you provide to those sites. You should proceed with caution and always review[NV1]  the privacy notice or privacy policy of the website in question.

Rights of the website visitor (‘Data Subject’):

• You have the right to request information about the processing of your personal data
• You may access and request the data stored (not applicable to cookies)
• You may request the rectification of your personal data (not applicable to cookies)
• You can change or delete your cookie and technical identifier settings.

6. Rights of Data Subjects

The person concerned by the processing (Data Subject) may at any time request information about the processing of his or her personal data, request the rectification, specification, erasure or restriction of his or her personal data and exercise any right to which he or she is entitled under the applicable laws. Details of each of these rights are set out below.

6.1 Right of access

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

• the purposes of the processing in relation to the personal data concerned,
• the categories of personal data concerned;
• the categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations  (in the case of transfers to third country recipients and international organisations, the Data Subject has the right to request information on whether the transfer is subject to appropriate safeguards);
• the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
• the rights of the Data Subject (the right to rectification, erasure or restriction, the right to data portability and the right to object to the processing of such personal data),
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected by the Controller from the Data Subject, any available information as to their source;
• the existence of automated decision-making in respect of the Data Subject’s personal data, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.

The Controller may request the Data Subject to clarify the content of the request and to further specify the information and processing activities requested prior to the execution of the request.

If the Data Subject’s right of access under this section adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Controller shall be entitled to refuse to comply with the Data Subject’s request to the extent necessary and proportionate.

In the event that the Data Subject requests more than one copy of the above information, the Controller shall be entitled to charge a reasonable fee proportionate to the administrative costs of producing the additional copies.

If the Controller does not process the personal data indicated by the Data Subject, the Controller shall inform the Data Subject accordingly, in writing. 

6.2 Right to rectification

The Data Subject shall have the right to request from the Controller the rectification of any inaccurate personal data concerning him or her. If the personal data relating to the Data Subject is incomplete, the Data Subject shall have the right to request that the personal data be completed.

When exercising the right to rectification/completion, the Data Subject shall indicate the inaccurate or incomplete data and shall also inform the Controller of the accurate and complete data.  In justified cases, the Controller shall be entitled to request the Data Subject to provide the Controller with evidence of the clarified data in an appropriate manner, in particular by means of documents.

The Data Subject shall be obliged to rectify or supplement the data without undue delay.

The Controller shall, promptly after it has complied with the Data Subject’s request to exercise his or her right of rectification, inform the persons to whom the Data Subject’s personal data have been disclosed, provided that this does not prove impossible or involve a disproportionate effort on the part of the Controller. The Controller shall inform the Data Subject of these recipients at his or her request.

6.3 Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

• the personal data indicated by the Data Subject are no longer necessary in relation to the purposes for which they have been collected or otherwise processed by the Controller;
• the Controller was processing the personal data (including sensitive data) on the basis of the Data Subject’s consent, but the Data Subject has withdrawn his or her consent in writing and there is no other legal basis for the processing,
• The Data Subject objects to processing based on the legitimate interests of the Controller and there are no compelling legitimate grounds for the Controller which override the interests, rights and freedoms of the Data Subject or which are related to the establishment, exercise or defence of legal claims,
• the Controller has unlawfully processed the personal data,
• the personal data processed by the Controller has to be erased for compliance with a legal obligation in EU or national law to which the Controller is subject.
• the Data Subject objects to the processing and there are no overriding grounds for the processing;

The Data Subject shall make his or her request for erasure in writing and shall indicate for each personal data item the reason for which he or she wishes to erase it.

If the Controller grants the Data Subject’s request for erasure, it shall erase the personal data processed from all its records and shall inform the Data Subject accordingly.

In the event that the Controller is obliged to erase the Data Subject’s personal data, the Controller shall take all reasonable steps, including technical measures, necessary to inform the data controllers who have become aware of the Data Subject’s personal data as a result of its disclosure, of the mandatory erasure of the personal data. When providing the information, the Controller shall inform the other data controllers that it was the Data Subject who has requested the deletion of links to or copies of the personal data of the Data Subject.

The Controller shall, promptly after it has complied with the Data Subject’s request to exercise his or her right of erasure, inform the persons to whom the Data Subject’s personal data have been disclosed, provided that this does not prove impossible or involve a disproportionate effort on the part of the Controller. The Controller shall inform the Data Subject of these recipients at his or her request.

The Controller is not obliged to delete personal data where the processing is necessary

• for exercising the right to freedom of expression and information,
• for compliance with a legal obligation which requires data processing by Hungarian or European Union law to which the Controller is subject,
• for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
• for reasons of public interest in the area of public health,
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the Data Subject’s right to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing,
• for the establishment, exercise or defence of legal claims.

6.4 Right to restriction of processing

The Data Subject shall have the right to request that the Controller restrict the processing or use of personal data concerning him or her, if one of the following grounds applies:

• the accuracy of the personal data is contested by the Data Subject (in which case the restriction shall last until the Controller verifies the accuracy of the data),
• the Controller has unlawfully processed the personal data but the Data Subject requests restriction instead of erasure,
• the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
• The Data Subject objects to processing based on the legitimate interests of the Controller and there are no compelling legitimate grounds for the Controller which override the interests, rights and freedoms of the Data Subject or which are related to the establishment, exercise or defence of legal claims, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

Where processing is restricted, such personal data shall, with the exception of data storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the EU or of an EU Member State.

The Controller shall inform the Data Subject in advance of the lifting of the restriction.

The Controller shall, promptly after it has complied with the Data Subject’s request to exercise his or her right to restriction of processing, inform the persons to whom the Data Subject’s personal data have been disclosed, provided that this does not prove impossible or involve a disproportionate effort on the part of the Controller. The Controller shall inform the Data Subject of these recipients at his or her request.

6.5 Right to object

Where the processing of the Data Subjects’ data is based on legitimate interests, an important safeguard is that the Data Subjects must be provided with adequate information about the processing and the possibility to exercise their right to object. At the latest at the time of the first contact with the Data Subject, he or she should be expressly informed of this right.

The Data Subject has the right to object to the processing of his or her personal data on this basis and in such a case the Controller may no longer process the Data Subject’s personal data, unless it can be demonstrated that

• the processing is justified by compelling legitimate grounds on the part of the Controller which override the interests, rights and freedoms of the Data Subject, or
• that the processing is related to the establishment, exercise or defence of legal claims by the Controller.

6.6 Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller.

The right to data portability may be exercised in relation to personal data which have been provided by the Data Subject to the Controller, and

• the processing is based on the consent of the Data Subject, or on a contractual legal basis, and
• the processing is carried out by automated means.

Where technically feasible, the Controller shall, at the request of the Data Subject, transfer the personal data directly to another controller designated in the Data Subject’s request. The right to data portability under this section shall not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible with each other.

In relation to the exercise of the right of portability, the Controller shall provide the Data Subject with the necessary storage medium free of charge.

If the Data Subject’s right of portability under this section adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Controller shall be entitled to refuse to comply with the Data Subject’s request to the extent necessary.

The measures taken by the Controller in relation to the exercise of the right to data portability does not imply the deletion of the data concerned, but the Controller shall retain the data for as long as the Controller has a valid purpose or legal basis for processing the data.​​​​​​

6.7 Right to decide on automated individual decision-making, including profiling

The Controller hereby informs the Data Subject that it does not apply automated decision-making, including profiling, on personal data; should it do so, the Controller will inform the Data Subject accordingly.

6.8 Right to remedy

6.8.1 Right to lodge a complaint

If a Data Subject considers that the processing of his or her personal data by the Controller infringes the provisions of the applicable data protection laws, in particular the GDPR, he or she has the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information.

Contact details of the National Authority for Data Protection and Freedom of Information:

• Website:www.naih.hu
• Address: 1055 Budapest, Falk Miksa utca 9-11.
• Mailing address: 1374 Budapest, Pf. 603.
• Telephone: +36-1-391-1400
• Fax: +36-1-391-1410
• Email: ugyfelszolgalat@naih.hu

The Data Subject also has the right to lodge a complaint with another supervisory authority established, in particular, in the European Union Member State of his or her habitual residence, place of work or place of the alleged infringement.

6.8.2 Right to apply to the courts (right to bring an action)

Without prejudice to his or her right to lodge a complaint, the Data Subject may seek judicial remedy if his or her rights under the GDPR have been infringed in the processing of his or her personal data.

Legal action may be brought against the Controller, as a data controller with a domestic establishment, before a Hungarian court.

The Data Subject may also bring proceedings before the court of his or her place of residence or domicile, at his or her discretion, pursuant to Article 23 (3) of the Informational Self-determination Act. The contact details of the courts in Hungary can be found at the following link: http://birosag.hu/torvenyszekek.

Given that the Controller is not a public authority exercising public powers in a Member State, the Data Subject may also bring the proceedings before the competent court of the Member State of his or her habitual residence, provided that the Data Subject has his or her habitual residence in another Member State of the European Union.

6.8.3 Other means of redress

The Data Subject may appoint a non-profit organisation or association to lodge a complaint on his or her behalf, to judicially review the decision of the supervisory authority, to bring an action and to enforce the right to compensation on behalf of the Data Subject, which is established in accordance with the law of a Member State of the European Union, which has as one of its purposes, as set out in its articles of association, the protection of the rights and freedoms of Data Subjects with regard to personal data, and which is active in the field of the protection of their rights and freedoms.

7. Security of personal data

The Data Controller undertakes to ensure the security of personal data and to take all technical measures necessary to protect the personal data processed against unauthorised access, destruction, alteration and use. The Controller also undertakes to inform any third party (e.g. a Data Processor) to whom it may transfer or disclose personal data of its obligations in this regard.       

The Controller reserves the right to amend this Policy unilaterally, with effect from the date of the amendment, subject to any applicable legal restrictions and prior notice to Data Subjects.