Privacy Policy
The purpose of this information is to ensure the proper handling of personal data in order to protect the fundamental rights and freedoms of natural persons. In the course of its activities, the company intends to fully comply with the legal requirements for the management of personal data, in particular with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Essential terms and definitions:
GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union
data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying;
data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;
personal data: any information relating to an identified or identifiable natural person (data subject); a natural person is identifiable if he can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data manager, the data processor or the persons who have been authorized to handle personal data under the direct control of the data manager or data processor;
the consent of the data subject: the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;
restriction of data management: marking of stored personal data for the purpose of limiting their future management;
aliasing: processing of personal data in a way that, without the use of additional information, it is no longer possible to determine which specific natural person the personal data refers to, provided that such additional information is stored separately and technical and organizational measures are taken to ensure that this personal data cannot be linked to identified or identifiable natural persons;
registration system: a file of personal data divided in any way – centralized, decentralized or according to functional or geographical aspects – which is accessible based on specific criteria;
data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled;
Data management guidelines:
Personal data must be handled legally and fairly, as well as in a transparent manner for the data subject.
Personal data may only be collected for a specific, clear and legitimate purpose. The purpose of processing personal data should be appropriate and relevant, and may only be to the extent necessary.
Personal data must be accurate and up-to-date. Inaccurate personal data must be deleted immediately.
Personal data must be stored in such a way that identification of the data subjects is possible only for the necessary period. Personal data may be stored for a longer period of time only if the storage is for the purpose of archiving in the public interest, for scientific and historical research purposes, or for statistical purposes.
The processing of personal data must be carried out in such a way that the appropriate security of personal data is ensured by applying appropriate technical or organizational measures, including protection against unauthorized or illegal processing, accidental loss, destruction or damage of data.
The principles of data protection shall be applied to all information relating to identified or identifiable natural persons.
The company’s data processing employee bears disciplinary, compensation, violation and criminal liability for the lawful handling of personal data. If the employee learns that the personal data he is managing is incorrect, incomplete, or out of date, he must correct it or initiate its correction with the employee responsible for recording the data.
Management of personal data:
Since natural persons can be associated with online identifiers provided by the devices, applications, tools and protocols they use, such as IP addresses and cookie identifiers, this data, combined with other information, is suitable and can be used to create a profile of natural persons and to identify them.
Data processing can only take place if the person concerned gives his voluntary, specific, informed and clear consent to the processing of data by means of a clear affirmative action, for example a written – including electronic – or oral statement.
Consent to data management is also considered given if the person concerned ticks a relevant box while viewing the website. Silence, a pre-ticked box or inaction does not constitute consent.
Consent is also considered given if a user makes relevant technical settings during the use of electronic services, or makes a statement or action that clearly indicates the consent of the person concerned to the processing of his personal data in the given context.
Personal data must be managed in a way that ensures an adequate level of security and confidentiality, including in order to prevent unauthorized access to personal data and the tools used to manage personal data, as well as their unauthorized use.
All reasonable steps shall be taken to correct or delete inaccurate personal data.
Lawfulness of data management
The processing of personal data is legal if one of the following is fulfilled:
– the data subject has given his consent to the processing of his personal data for one or more specific purposes;
– data processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract;
– data processing is necessary to fulfill the legal obligation of the data controller;
– data management is necessary to protect the vital interests of the data subject or another natural person;
– data processing is necessary to enforce the legitimate interests of the data controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
Pursuant to the above, data processing is considered lawful if it is necessary in the context of a contract or intention to enter into a contract.
If the data processing takes place in the context of the fulfillment of a legal obligation for the data controller, or if it is necessary for the execution of a task in the public interest or for the exercise of a public authority, the data processing must have a legal basis in EU law or the law of a member state.
Data processing shall be considered lawful when it is done to protect the life of the data subject or the interests of another natural person mentioned above. With reference to the vital interests of other natural persons, personal data processing may in principle only take place if the data processing in question cannot be carried out on any other legal basis.
Some types of personal data processing may serve important public interests and the vital interests of the data subject at the same time, for example in cases where data processing is required for humanitarian reasons, including monitoring epidemics and their spread, or in a humanitarian emergency, especially in the case of natural or man-made disasters.
The legitimate interest of the data manager – including the data manager to whom the personal data may be disclosed – or of a third party may create a legal basis for data management. Such a legitimate interest may exist, for example, when there is a relevant and appropriate relationship between the data subject and the data controller, for example in cases where the data subject is a client of the data controller or is employed by it.
The absolutely necessary processing of personal data for the purpose of preventing fraud is also considered a legitimate interest of the data controller concerned. The processing of personal data for direct business purposes is also considered to be based on a legitimate interest.
In order to establish the existence of a legitimate interest, it is necessary to carefully examine, among other things, whether the data subject can reasonably expect, at the time and in connection with the collection of personal data, that data processing may take place for the given purpose. The interests and fundamental rights of the data subject may take precedence over the interests of the data controller if the personal data are processed under circumstances in which the data subjects do not expect further data processing.
The processing of personal data carried out by public authorities, computer emergency response units, network security incident management units, electronic communication network operators and service providers, as well as security technology service providers, to an extent that is absolutely necessary and proportionate to guarantee network and IT security, is considered a legitimate interest of the data controller concerned.
The processing of personal data for purposes other than the original purpose of their collection is only permitted if the data processing is compatible with the original purposes of the data processing for which the personal data were originally collected. In this case, there is no need for a separate legal basis other than the one that enabled the collection of personal data.
The range of persons familiar with the data, data transfer, data processing:
Company employees are primarily entitled to know the data; the data is not published or given to third parties. In the course of its activities, the company may use data processors (accountant, carrier, transport, courier service, etc.).
Consent of the person concerned, conditions
If the data management is based on consent, the data controller must be able to prove that the data subject has consented to the processing of his personal data.
If the data subject gives his consent in the context of a written statement that also applies to other matters, the request for consent must be communicated in a way that is clearly distinguishable from these other matters.
The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal. Before giving consent, the data subject must be informed of this. It should be possible to withdraw consent in the same way as to give it.
When determining whether the consent is voluntary, it must be taken into account as much as possible, among other things, whether the performance of the contract has been made conditional on consent to the processing of personal data that is not necessary for the performance of the contract.
The processing of personal data in relation to information society-related services offered directly to children is legal if the child has reached the age of 16. In the case of a child under the age of 16, the handling of the children’s personal data is legal only if and to the extent that the consent was given or authorized by the person exercising parental supervision over the child.
It is prohibited to process personal data referring to racial or ethnic origin, political opinion, religious or worldview beliefs or trade association membership, as well as genetic and biometric data aimed at the unique identification of natural persons, health data and personal data relating to the sexual life or sexual orientation of natural persons, unless the data subject has given his express consent to the processing of said personal data for one or more specific purposes.
Decisions regarding the determination of criminal liability and personal data relating to crimes and related security measures may only be processed if they are handled by a public authority.
Data management that does not require identification
If the purposes for which the data controller processes personal data do not or no longer require the identification of the data subject by the data controller, the data controller is not obliged to retain additional information.
If the data controller can prove that it is not in a position to identify the data subject, it will inform the data subject accordingly if possible.
Information and rights of the person concerned
The principle of fair and transparent data management requires that the data subject receives information about the fact and purposes of data management.
If the personal data is collected from the data subject, the data subject must also be informed whether he is obliged to disclose the personal data, as well as the consequences of not providing the data. This information can also be supplemented with standardized icons in order for the data subject to receive general information about the planned data management in a clearly visible, easily understandable and legible form.
Information related to the handling of personal data concerning the data subject must be provided to the data subject at the time of data collection, and if the data was not collected from the data subject but from another source, it must be made available within a reasonable time frame, taking into account the circumstances of the case.
The data subject has the right to access the data collected about him and to exercise this right simply and at reasonable intervals in order to establish and check the legality of the data management. All data subjects must be guaranteed the right to know, in particular, the purposes of the processing of personal data and, if possible, the period for which the processing of personal data applies.
In particular, the data subject has the right to have their personal data deleted and no longer processed if the collection or processing of personal data in another way is no longer necessary in connection with the original purposes of the data management, or if the data subjects have withdrawn their consent to the processing of the data.
If the processing of personal data is carried out for the purpose of obtaining direct business, the data subject must be guaranteed the right to object to the processing of his personal data for this purpose at any time free of charge.
Review of personal data
In order to ensure that the storage of personal data is limited to the necessary period, the data controller establishes deletion or regular review deadlines.
Regular review deadline established by the company manager: 1 year.
Duties of the data controller
The data controller applies appropriate internal data protection rules for the sake of legal data management. This regulation covers the powers and responsibilities of the data controller.
It is the duty of the data controller to implement appropriate and effective measures, as well as to be able to prove that the data management activities comply with the applicable legislation.
This regulation must be made taking into account the nature, scope, circumstances and purposes of data management, as well as the risk affecting the rights and freedoms of natural persons.
The data manager implements appropriate technical and organizational measures taking into account the nature, scope, circumstances and purposes of data management, as well as the variable probability and severity of the risk to the rights and freedoms of natural persons. On the basis of this regulation, other internal regulations are reviewed and, if necessary, updated.
The data manager or the data processor keeps an appropriate record of the data management activities carried out under its authority. All data controllers and data processors are obliged to cooperate with the supervisory authority and make these records available upon request in order to control the relevant data management operations.
Rights related to data management
The right to request information
Any person can request information about what data the company processes, on what legal basis, for what data management purpose, from what source, and for how long, via the provided contact information. Upon your request, information must be sent to the provided contact information immediately, but within 30 days at most.
Right to rectification
Any person can request the modification of any of their data via the provided contact information. Upon your request, action must be taken immediately, but within no more than 30 days, and information must be sent to the contact address provided.
The right to erasure
Any person can request the deletion of their data via the provided contact information. Upon request, this must be done immediately, but within 30 days at most, and information must be sent to the contact address provided.
The right to block and restrict
Any person can request the blocking of their data via the provided contact information. The blocking lasts as long as the specified reason makes it necessary to store the data. Upon request, this must be done immediately, but within 30 days at most, and information must be sent to the contact address provided.
The right to protest
Any person can object to data processing via the contact details provided. The objection must be examined as soon as possible, but no later than 15 days after the submission of the application; a decision must be made regarding its validity, and information about the decision must be sent to the contact address provided.
The possibility of legal enforcement related to data management
Nemzeti Adatvédelmi és Információszabadság Hatóság
Mailing address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
URL: https://naih.hu
Coordinates: N 47°30’56”; E 18°59’57”
In the event of a violation of the data subject’s rights, the data recipient may apply to the court against the data controller. The court acts out of sequence in the case. The lawsuit may be initiated by the person concerned – at his or her choice – before the court competent for his or her place of residence.
The company’s duties for adequate data protection
Data protection awareness. Professional preparation must be ensured to comply with the legislation. The professional training of employees is essential. The purpose of data management, the system of criteria, and the concept of personal data management must be reviewed. Lawful data management and data processing must be ensured.
Proper information of the person involved in data management. It should be noted that – if the data processing is based on the data subject’s consent – in case of doubt, the data controller must prove that the data processing has been consented to by the data subject.
The information provided to the person concerned should be concise, easily accessible and easy to understand, therefore it must be formulated and displayed in clear and understandable language.
The requirement of transparent data management is that the person concerned receives information about the facts and purposes of data management. The information must be provided before the start of the data management, and the data subject retains the right to information throughout the data management, until its termination.
The main rights of the person involved in data management are the following:
– access to personal data relating to him;
– correction of personal data;
– deletion of personal data;
– restriction of the processing of personal data;
– protest against profiling and automated data processing;
– the right to data portability.
The data controller informs the data subject without undue delay, but at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The obligation to provide information can be ensured by operating a secure online system through which the data subject can easily and quickly access the necessary information.
The data management carried out by the company must be reviewed, and the enforcement of the right to informational self-determination must be ensured. At the request of the person concerned, his/her data must be deleted without delay if the person concerned withdraws the consent that is the basis for data management.
It must be clear from the consent of the person concerned that the person concerned consents to data management. If data management is based on the data subject’s consent, in case of doubt, the data controller must prove that the data subject consented to the data management operation.
In the case of personal data management of children, special attention must be paid to compliance with data management rules. The processing of personal data in relation to information society-related services offered directly to children is legal if the child has reached the age of 16. In the case of a child under the age of 16, the handling of the children’s personal data is legal only if and to the extent that the consent was given or authorized by the person exercising parental supervision over the child.
In case of illegal handling or processing of personal data, there is an obligation to report to the supervisory authority. The data controller must report the data protection incident to the supervisory authority without undue delay – if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights of the natural person.
In certain cases, it may be justified for the data controller to conduct a data protection impact assessment prior to data management. During the impact assessment, it is necessary to examine how the planned data management operations affect the protection of personal data. If the data protection impact assessment determines that data management is likely to involve a high risk, the data controller must consult with the supervisory authority before processing personal data.
In the event that the main activities include data management operations that, due to their nature, scope or goals, require regular and systematic, large-scale monitoring of the data subjects, a data protection officer must be appointed. The appointment of a data protection officer aims to strengthen data security.
Data security
The data must be protected with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.
In order to protect the data files managed electronically in the registers, an appropriate technical solution must be used to ensure that the data stored in the registers cannot be directly linked and assigned to the data subject.
When planning and applying data security, the current state of technology must be taken into account. Among several possible data management solutions, the one that ensures a higher level of protection of personal data must be chosen, unless it would represent a disproportionate difficulty for the data controller.
Data Protection Officer
The appointment of a data protection officer is mandatory based on the following criteria:
– data management is carried out by public authorities or other bodies performing public tasks, with the exception of courts acting in their judicial responsibilities;
– the main activities of the data manager or data processor include data management operations which, due to their nature, scope or goals, require regular and systematic, large-scale monitoring of the data subjects;
– the main activities of the data controller or the data processor relate to the processing of a large number of personal data related to criminal liability determinations and criminal data.
If the appointment of a data protection officer is mandatory, the following rules apply:
The data protection officer must be appointed on the basis of professional competence and, in particular, expert-level knowledge of data protection law and practice, as well as suitability for data management.
The data protection officer can be an employee of the data controller or the data processor, but can also perform his duties within the framework of a service contract.
The data manager or the data processor is obliged to publish the name and contact information of the data protection officer, and they must also be communicated to the supervisory authority.
Legal status of the data protection officer
The data controller must ensure that the data protection officer is involved in all matters related to the protection of personal data in an appropriate manner and in a timely manner. It must be ensured that the resources necessary to maintain the expert level knowledge of the data protection officer are available.
The data protection officer may not accept instructions from anyone regarding the performance of his duties. The data manager or the data processor may not dismiss the data protection officer in connection with the performance of his duties, nor may he impose sanctions. The data protection officer is directly responsible to the top management of the data controller or data processor.
The data subjects can contact the data protection officer in all questions related to the management of their personal data and the exercise of their rights.
The data protection officer is bound by an obligation of confidentiality or an obligation to treat data confidentially in connection with the performance of his duties.
The data protection officer may perform other tasks, but there should be no conflict of interest in relation to the tasks.
Duties of the data protection officer
Provides information and professional advice to the data manager or data processor, as well as to the employees performing data management; checks compliance with the internal rules of the data manager or data processor regarding the protection of personal data; upon request, provides professional advice regarding the data protection impact assessment, as well as monitors the completion of the impact assessment; cooperates with the supervisory authority.
Data protection incident
A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
In the absence of appropriate and timely measures, a data protection incident can cause physical, financial or non-financial damage to natural persons, including the loss of control over their personal data or the restriction of their rights, discrimination, identity theft or identity abuse.
The data protection incident must be reported to the competent supervisory authority without undue delay, at the latest within 72 hours, unless it can be proven in accordance with the principle of accountability that the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.
The affected person must be informed without delay if the data protection incident is likely to involve a high risk to the rights and freedom of the natural person, so that he can take the necessary precautions.
Data management for administrative and record purposes
The company may also process personal data in cases related to its activities and for administrative and record-keeping purposes.
Data management is based on the voluntary and definite consent of the person concerned based on adequate information. After the detailed information – which covers the purpose, legal basis and duration of the data processing as well as the rights of the affected person – the data subject must be warned about the voluntary nature of the data processing.
Consent to data management must be recorded in writing.
Data management for administrative and record-keeping purposes serves the following purposes:
– data management of the company’s members and employees, which is based on a legal obligation;
– data management of persons in a contractual relationship with the company for contact, accounting and record-keeping purposes;
– the contact details of other companies, institutions and businesses that have a business relationship with the company, which can also be the contact and identification data of natural persons;
The data management according to the above is based on the one hand on a legal obligation, and on the other hand on the fact that the person concerned has expressly consented to the processing of his data (for example, for the purpose of an employment contract or registered as a partner on a website, etc.).
In the case of documents sent to the company in written form – including personal data – (e.g. resume, job search application, other submissions, etc.), the consent of the person concerned must be assumed. After the case is closed – in the absence of consent for further use – the documents must be destroyed. The fact of destruction must be recorded in a protocol.
In the case of data management for administrative purposes, personal data are only included in the documents and records of the given case. The processing of this data lasts until the document on which the processing is based is disposed of.
In order to ensure that the storage of personal data is limited to the necessary period, data management for administrative and record-keeping purposes must be reviewed annually, and inaccurate personal data must be deleted immediately.
Compliance with the legislation must also be ensured in the case of data management for administrative and record-keeping purposes.
Legislation on which data management is based
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection regulation).
Act CXII of 2011 on the right to self-determination of information and freedom of information.
Act LXVI of 1995 on the protection of public records, public archives and private archive material.
Government Decree 335/2005 (XII. 29.) on the general requirements for document management of bodies performing public duties.
Act CVIII of 2001 on certain issues of electronic commercial services and services related to the information society.
Act C of 2003 on electronic communications.