Privacy rules

 

1. INTRODUCTION

 

The Absolut Reorg Zrt (hereinafter referred to as : Data Management or Entrepreneurship) is committed to protecting the privacy of your clients' information privacy. The Company shall treat the personal data in a confidential manner and shall take all security, technical and organizational measures that guarantee the security of the data .

1.1.  Purpose of the regulations:

The purpose of the Privacy Policy to learn about the relevant data protection and management principles of the Data Management and data protection and management policies employed by the enterprise, and is recognized as a binding bound by the Data Controller. In developing these rules, the Data Manager has taken particular account of the EU Data Protection Regulation , Regulation No. 2016/679 of the European Parliament and of the Council ( Eu ), as well as the laws, regulations and recommendations of the Member States related and harmonized.

The aim of this policy is that, in carrying out the tasks set by the Controller law, as well as all areas of services provided by the Data Manager, to all natural persons, regardless of nationality or place of residence, provided are related to personal data rights and fundamental freedoms of the persons concerned, especially the right to privacy to respecting the right to personal data in electronic, machine and manual data protection (data protection).

The Data Manager is committed to its customers, protect its partners' personal data, their personal information is handled and take all the data security, privacy, technical and organizational measures which result in personal data being accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to confidential.

1.2.  Scope of the regulation

The scope of the Regulatory Code applies to Absolut Reorg Zrt. . (company registration number: 01-10-047615 headquarters: 1074, Budapest, Dohány utca 14., tax identification number: 24191199-2-42 phone: +36703158313 e-mail: iroda@absolutreorg.hu ) the whole enterprise, all its organizational units and all its employees.

1.3.  Relevant Legislation

The company must act in accordance with the provisions of the following statutory regulations in accordance with the provisions of this Internal Code:

  • the European Parliament and of the Council (EU) regulation 2016/679 (27.04. 2016) on the protection of individuals with regard to the processing of personal data and the free movement of such data and repealing regulation No. 95/46/EK (General Data Protection Regulation, hereinafter 'GDPR'),
  • the Act CXII of 2011. of the right to information on self-determination and freedom of information , (hereinafter referred to as " Infotv .")
  • the Act V. of 2013. of the Civil Code (hereinafter: the Civil Code)
  • Act I. of 2012. of the Work Code (hereinafter: wc.)

 2. Concepts

 2.1.  Concepts

Data management: means the collection or recording of any operation or operations carried out in an automated or non-automated manner in personal data or data files, such as collecting, recording, rendering, compiling, storing, modifying or modifying, retrieving, inspecting, using, communicating, disseminating or otherwise by batch, alignment or interconnection, restriction , deletion or destruction

Data Manager: a natural or legal person, public authority, agency or any other body that determines the purposes and means of handling personal data individually or with others; where the purposes and means of data management are defined in Union or national law, the data controller or the particular aspects of the designation of the data controller may also be determined by Union or national law

Data processor: a natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data controller

Privacy Policy: any applicable law of the European Union (including GDPR from 25. May 2018. ), any member state or third country law protecting customer data

Privacy incident: a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled

GDPR: Regulation No. 2016/679 of the European Parliament and of the Council of 27. April 2016. on the processing of personal data by the natural persons and on the free movement of such data and directive 95/46 / EC (General Data Protection Regulation)

Personal data: personal data: any information relating to an identified or identifiable natural person ("concerned"); the natural person who can identify, directly or indirectly, one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of an identifier such as name, number, positioning data, online identifier or natural person can be identified

Biometric data: personal data obtained by any specific technical procedures relating to the physical, physiological or behavioral characteristics of a natural person that allows or confirms the unique identification of a natural person such as facial or dactyloscopic data.

Health data: are personal data relating to the physical or psychological health of a natural person, including information on health services provided to a natural person that carries information on the health of a natural person .

Genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which carries specific information on the physiology or health of that person and which is primarily derived from an analysis of the biological sample taken from that natural person

Addressee: a natural or legal person, a public authority, agency or any other body with which you or with whom personal information is communicated, whether or not it is a third party. Public authorities which have access to personal data in an individual investigation in accordance with Union or national law shall not be considered recipients; the management of such data by those public authorities must comply with the data protection rules to be met in accordance with the purposes of data management

Third Party: a natural or legal person, a public authority, an agency or any other body other than the data subject, the data controller, the data processor or persons who have been authorized to access personal data under the direct control of the data controller or the data processor

Contribution of the party concerned: a voluntary, concrete and appropriate and informed and explicit statement of the will of the person concerned by which he or she indicates the statement in question or a statement expressing his / her ambiguity expressing his consent to the processing of his / her personal data

Record keeping system: for personal data in any way - fragmented holdings, with access based on specific criteria be - centralized, decentralized or by functional or geographical basis

Enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships and associations with regular economic activities

Technical and organizational measures: for data management in the data management nature, scope, conditions and goals, as well as natural persons, rights and freedoms of reported procedures determined in accordance taking into account the varying probability and severity of risk to ensure and demonstrate that the processing of personal data in the GDPR in accordance with the last month. These measures will be reviewed by the data controller and updated as necessary

2.2.  Data manager

The name of the data manager: Absolut Reorg Zrt.

Head office: Hungary, Budapest, 1074, Dohány utca 14

Electronic contact details of the data controller: iroda@absolutreorg.hu

Its data management activities are governed by Regulation ( EU ) No 2016/679 of the European Parliament and of the Council (GDPR- General Data Protection Regulation), taking into account the positions of the Working Group 29.

3.  Principles of data management, legal basis and duration of data management

3.1.  Principles of data management

1. The enterprise  manages the data in a legally and fair manner and in a transparent way for the data subject ( legality, fairness and transparency ).

2. The enterprise manages the data management in a manner that is relevant to its purpose(s) and is relevant and limited to the need ( saving of the data ). Accordingly, the enterprise does not collect and store more data than is absolutely necessary for the purpose of data management.

3. The enterprise carries out the collection of personal data for a specific, unambiguous and legitimate purpose and does not treat them in a way that is incompatible with these purposes ( purpose limitation ).

4. The enterprise stores personal data in a form that allows the identification of the data subjects only for the time necessary to manage the personal data, subject to the storage obligation specified in the relevant legislation ( limited storage ).

5. Your business data management is accurate and up to date. The company takes all reasonable steps to ensure that inaccurate personal data are deleted or corrected immediately ( accuracy ) for the purposes of data management .

6. The company is responsible for meeting the principles outlined above, and the company confirms this compliance ( accountability ). Accordingly, the company will ensure the continued validity of these internal rules, continuous review of its data management and where necessary modification and supplementation of data management procedures. The company prepares documentation to verify compliance with legal obligations.

7. The enterprise ensures the security of personal data, including the protection against unauthorized or unlawful handling, accidental loss, destruction or damage to personal data ( integrity and confidentiality ) by using appropriate technical or organizational measures .

3.2.  Legal basis for data handling

1. The processing of personal data is lawful only and insofar as at least one of the legal bases for processing data based on public authority and a legitimate interest as a condition of data management is met:

2. The person concerned has consented to manage his or her personal data for one or more specific purposes (hereinafter referred to as " consent-based" data management ).

3. Data processing is necessary for the performance of a contract in which the party concerned is required to take action on the part of one party or before the conclusion of the contract (hereinafter referred to as contract-based data management ).

4. The processing of data is necessary for the legal obligation of the undertaking (hereinafter referred to as " legal obligation" ).

5. Data management is necessary for the protection of the vital interests of the concerned or another natural person (hereinafter referred to as vital interest-based data management ).

 

6. The processing of data is necessary for the performance of a task in the public interest or in the exercise of a public authority title conferred on the enterprise (hereafter referred to as " public authority" data management ).

7. Data management is necessary to enforce the legitimate  interests of an undertaking or a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data are of primary interest, in particular if the child concerned (hereinafter referred to as " legitimate interest" based data management ).

3.3.  Duration of data handling

 Your volunteered information will be retained by you until you request it to be deleted. Any other data - your email address and voluntarily provided information - will be deleted. The data automatically stored by the server are available for 30 days, then we will only keep them in aggregate form, as statistics of attendance. We keep our data in contact with our co-worker until the existence of our company or legal successor. The purpose of data management is to maintain and operate an integrity management system that includes chronological overview of electronic communication. Your legal basis is the legitimate interest of the company, but as mentioned above, the person concerned may at any time request deletion of his or her data.

4. THE SCOPE OF PERSONAL DATA, THE DURATION OF THE DATA MANAGEMENT, THE LEGAL BASIS

Entrepreneurial / Provider Data Management

4.1.  Customer's data

The purpose of the data management is to provide the enterprise as a data management service, invoice issuance, customer registration, differentiation, document purchase and payment, fulfillment of accounting obligations , customer relationship analysis, customer customization , more targeted service.

The legal basis of data management: data management necessary for performance of the contract [GDPR Article 6 (1) of Art. (b)] and a Act C of 2000 on Accounting (hereinafter referred to as.. Accounting code) of accounting. Code .169. Section (2).

Type of personal data handled: tax identification number , date, time, name, address, name of service delivery, purchase, purchase method, payment method. Duration of data management: accounting. code . Pursuant to Article 169 (2), eight years.

Possible consequences of not delivering data: Customer can not receive a registered invoice. If a law or company's accounting policies require an invoice, you may not buy our product, I can not take the service charge.

The legal basis for the transmission of data: data  management  necessary  for performance of the contract [GDPR Article 6 (1) of Art. (b)].

4.2.  Data management for quality management

The purpose of data management is to manage the quality objections raised by products offered by the enterprise and its services.

Legal Basis for data processing: Data management required to perform contract [GDPR 6 . Article subsection  (1). (b)] and  a Conservation Act 1997, CLV. TV. (hereinafter referred to as "the Act" ) You're in charge . 17 / A. § (7).

Type of personal data handled: unique identifier number of the complaint,  name  / address of the consumer / client , address of the complaint, time of filing of complaint, method of complaint submission, list of documents, documents and other evidence submitted by the consumer, description of the complaint, time and the name of the record keeper, in case of signing or retrieving the details of the product.

Duration of data processing : As regards the records of complaints and the replies to written complaints , You're in charge . 17 / A. § (7) Five years, for duplicates of entries in the book of buyers, two years.

Possible consequences of failure to provide data : the data subject can not exercise his consumer rights.

Data transmission : Complaints to the enterprise's central e-mail address and mail address, quality objections to the service of the enterprise, the product manufacturer or, where appropriate, the competent authorities.

The legal basis for the transmission of data: data  management  necessary  for performance of the contract [GD PR Article 6 (1) of Art. (b)].

4.3.  Data handling related to extraordinary events

The purpose of the data management is to handle the extraordinary events that occur during the provision of the service and to record the minutes.

The legal basis of data management: the controller and the legitimate interests of other persons in disclosure management of incidents [GDPR Article 6 (1) of Art. (f )],

Number of treated data : name, address, telephone number of the victim, date of accident, description of the accident and accident, description of the action, name of first aid, witness name, address, telephone number, availability and location of the accident.

Term of data management: Five years for customer accusations.

Possible consequences of not delivering data : It is impossible to  enforce the rights arising from an extraordinary event .

4.4.  A www.absolutreorg.hu privacy policy

4.4.1.  A www.absolutreorg.hu server logging

When visiting www.absolutreorg.hu web server user data is not recorded.

External Service Provider Data Logging: The portal html code contains links to external servers that are independent of the enterprise and which refer to an external server. The external service provider is connected directly to the user's computer.

We are reminding our visitors that the providers of these links are able to collect user data (eg. IP address, browser, operating system details, cursor movement, visited page title, and time of visit) due to direct communication with the user's browser due to direct communication with the user's browser.

Potentially personalized content for the user is served by the external service provider.

The data controllers listed below can provide detailed information on the management of data by external service providers.

Independent testing and auditing of the www.revomatic .com website monitoring and web analytics data from an external service provider to Google Analytics server helps.

As a third-party service provider, map information is provided on the website at www.maps.google.com.

For details on managing measurement data, go to http://www.google.com/intl/en/policies/ for details.

4.5.   The www.absolutreorg.hu website has its own cookie management (detailed rules are contained in the specific rules of the Enterprise )

For a tailor-made service, the service provider provides a small data packet, cookies(cookies) on the back and read during subsequent visits.

If your browser returns a previously saved cookie, the cookie operator can link the user's current visit with the past, but only for their own content.

The aim of the data management is to identify, distinguish between users, identify users' current session, store data, prevent data loss, identify users, track and web analytics .

The legal basis of data management: the controller has a legitimate interest in the identification of users, and tailored to service [GDPR Article 6 (1) of Art. (f )].

The scope of the data being processed: identification number, date, time, and previously visited page.

Cookies with a valid validity period (permanent) are stored on your computer until they are deleted, but at the latest until their expiration date. Cookies can be deleted from your computer or disabled in your browser.

To manage cookies, you can usually use the Privacy / History / Custom Settings menu in cookies , cookies , cookies or tracing in the Tools / Preferences menu of browsers .

The cookie is a variable content alphanumeric information packet sent by the web server that is stored on the user's computer and stored for a predetermined period of validity. The use of cookies allows you to query some of your visitor's data and track your internet usage.

Cookies help determine the user's precisely the relevant field of interest, Internet usage patterns, story-site visits.

Since cookies are a kind of tag that allows a web page to recognize a visitor returning to a page, their application can contain a valid username and password for that site. If a user's browser returns a previously saved cookie on the hard drive when visiting a site , the sender can link the current visit to the previous one, but because the cookies are linked to the domain, it only works with its own content.

Biscuits are not capable of identifying the user individually, they are only suitable for recognizing the visitor's computer.

4.6.  Contact

4 .6 .1. Business client's correspondence

If you are looking for our company, you can contact the data administrator in the information provided in this brochure or on the website.

The company will delete all e-mails received with the sender's name, e-mail address, date, time and other personal data specified in the message, no later than five years after the date of disclosure.

4.7.  Other data management

Data management not listed in this information is provided when data is included. We inform our clients that the information handler may be contacted by other bodies on the basis of the court, the prosecutor, the investigating authority, the offense authority, the administrative authority, the National Data Protection and Information Authority and the law, to provide information, transmit data or provide documentation .

The enterprise provides to the authorities, if the authority indicates the precise purpose and scope of the data, only to the extent and to the extent that it is necessary for the purpose of the inquiry to be provided.

5. Privacy Policy

5 .1. General description

The data controller ensures the security of the data, and takes all the technical measures and develops the procedural rules that are necessary for the implementation of the data protection provisions. The User is responsible for the data provided by the User, their correctness, completeness and authenticity. The Data Handler will not be held liable for damages resulting from incorrectly entered data if it has recognized the incorrect nature of the data.

The undertaking undertakes appropriate technical and organizational measures taking into account the state of science and technology and the costs of implementation, the nature,scope, circumstances and objectives of data management and the varying degrees of real- ness and seriousness of the rights and freedoms of natural persons. guaranteeing a level of data security that is appropriate to the degree of risk.

According to the foregoing, the company must guarantee the confidentiality, inviolability and availability of the information it manages.

In order to manage personal data, the Enterprise selects and operates the IT tools used so that the data treated is:

  • for authorized access (availability);
  • authenticity and authentication (credibility of data management);
  • its unambiguousness can be verified (data integrity);
  • (data confidentiality) is protected against unauthorized access.

 

The Company protects the data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unintentional access resulting from accidental destruction, damage, and the technique used.

In order to protect electronically managed files in its various registers, the Enterprise ensures, by means of an appropriate technical solution, that data stored - unless permitted by law - can not be directly linked and assigned to the data subject.

In order to define the appropriate level of data security measures, the company evaluates each of the data files that it manages in terms of defense needs and classifies it as a security grade.

To assess the security degree of each data processing, it is necessary to analyze:

a) unauthorized knowledge, alteration, deletion of the treated personal data, the risk of hardware and software damage and the expected damage;

b) whether it is possible to recover damaged data files and possible remediation expenditures, the availability of data sources for the reproduction of personal data, the possibility of replacing lost data from the manual background record;

c) whether it is justified to apply differentiated safety standards in view of the nature of the personal data handled;

d) other risk elements that jeopardize data security

5 .2. Types of controls

In order to ensure the security of data management, the company uses physical, logical and administrative controls together.

5.2.1. The enterprise uses at least the following physical controls:

a) the Enterprise ensures that unauthorized persons can not enter their building / office by operating an access system to filter out unauthorized persons

b) the undertaking ensures that the data handled are physically unauthorized by unauthorized persons (closure of offices, server rooms, etc.) , in order to prevent unauthorized access to the information handled electronically and on paper ; use of monitor foils; placing monitors in such a way that the data contained therein can only be accessed by the right holders; be connected to the PC only audited by the firm data carrier close to it; or any other method that will ensure the realization of the goal).

5.2.2. The enterprise uses at least the following logical controls:

a) the enterprise ensures that the data it manages is only accessible to those with the appropriate authority

5.2.3. The enterprise uses at least the following administrative controls:

a) the undertaking ensures that any access to personal data can be traced

b) the undertaking shall ensure the establishment of a procedure for records management so that records containing personal data which are incorrectly entered may be ascertained as soon as possible and recognized as narrowly as possible by the staff member (if the postal service provider considers that he has obtained such a document, to the rightful party or any other method to ensure the attainment of the objective]

6. How to store personal data and security of data management

6 .1. How to store personal data

The Enterprise and data processing meant the technology availability and implementation costs, as well as data management nature, scope, conditions and goals, as well as natural persons, rights and freedoms of appropriate taking into account the varying probability and severity of risk technical and organizational measures are taken to ensure that the level of data security.

6.2. Data security

In view of the current state of the art, the Enterprise provides technical, organizational and organizational measures to protect the security of data management, providing a level of protection that meets the risks associated with data management.

The Enterprise keeps it under data management

  • the confidentiality: protects the information that is only accessed by authorized persons;
  • the integrity: protects the information and method of processing accuracy and completeness;
  • the availability: ensures that when the authorized user needs it, actually gain access to the desired   information and tools are made available for this.

 

The IT system and network of Entrepreneur and Data Managers are protected against computer-aided fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer burglaries, and attacks leading to service denial. The operator provides security through server-level and application-level security procedures.

We inform the users that electronic mails, protocols (email , web , ftp, etc.) transmitted over the Internet are vulnerable to network threats that lead to dishonest activity, controversy or disclosure or modification of information.

To protect such threats, the data controller will take all the precautionary measures he or she may have to take. Systems are monitored to capture all security dangers and provide evidence of any security incident.

System monitoring also allows checking the effectiveness of the precautions used.

7.Announcement of a privacy incident

The Data Protection Incident may, in the absence of an appropriate and timely action, cause physical, material or non-material damage to natural persons, including the loss of their personal data or the restriction of their rights, discrimination, identity theft or identity theft, loss of reputation, breach of the confidentiality of personal data protected by professional secrecy or other significant economic or social disadvantages to the natural persons in question.

Given that data incidents can occur in any data controller and in such cases data controllers need to react quickly, it is important that as a data controller we do everything we can to prevent incidents. At the same time, we ask our users, if they feel any indication of the use of our website which indicates that they have lost their personal data or are experiencing a limitation of their rights , identity theft or identity theft presume the confidentiality of their data is reported to the data controller immediately so that we can take the necessary steps.

The privacy incident is reported to the authority without undue delay and, if possible, at the latest 72 hours after the privacy incident has come to its notice.

The data protection incident does not have to be reported to the authority if the privacy incident is unlikely to pose a risk to the rights and freedoms of natural persons.

If the notification is not filed within 72 hours, the reason for the delay should also be attached.

7.1.  Where notification to the Data Protection Incident Authority is required, the notification shall include:

a) describe the nature of the data protection incident, including, where possible, the categories and approximate number of affected persons and the categories and the approximate number of the data involved in the incident;

b) the name and contact details of the Data Protection Officer or other contact person providing additional information shall be communicated;

c) the likely consequences of a data protection incident;

d)  describe measures taken or planned by the undertaking to remedy a data protection incident, including, where appropriate, measures to mitigate the potential adverse consequences of a data protection incident.

If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the company informs the data subject of the data protection incident without undue delay.

7.2.   In the information provided above, the data subject should clearly and easily disclose the nature of the privacy incident and communicate:

a) the name and contact details of the Data Protection Officer or other contact person providing further information;

b) the likely consequences of a data protection incident should be described;

c) the measures taken or planned by the undertaking to remedy a data protection incident, including, where appropriate, measures to mitigate the potential adverse consequences of a data protection incident.

7.3.  The person concerned shall not be informed if any of the following conditions are met:

a)  the undertaking implemented appropriate technical and organizational protection measures and applied those measures to the data covered by the data protection incident, in particular the measures, such as the use of encryption, which are unintelligible to unauthorized persons make the data;

b) the undertaking has taken further measures following the data protection incident to ensure that the rights and freedoms of the person concerned are reported, the high risk is no longer likely to be realized;

c) the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or a similar measure shall be taken to ensure that such information is equally effective.

If the enterprise also performs data processing activities, it informs the data controller for whom data processing is performed by the data protection incident.

If the enterprise applies a data processor, it must be stipulated in the data processing contract that the data processor must immediately notify the enterprise of the data incident incurred by him.

8. Rights of affected persons, remedies

You may request the information concerned to handle your personal data and may request the rectification of your personal data or, with the exception of mandatory data, cancellation, revocation, limitation of data handling and the right to file and protest, as indicated by the data entry, or by the customer service of the data controller.

In accordance with the provisions of the GDPR, the Service Provider / Entrepreneur will ensure the following:

8 .1. Right to information

At the request of the person concerned, the Enterprise shall take appropriate measures to ensure that all information relating to the processing of personal data referred to in Articles 13 and 14 of the GDPR and to Articles 15 to 22, and Article 34, in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner.

The right to information applies to the data subject in respect of each data base. The information shall be provided in writing or otherwise, including, where appropriate, the electronic path.

Information provided to the person concerned

Oral information may be provided at the request of the person concerned, provided that the identity of the person concerned has been verified otherwise.

The company, without undue delay, and in any event within 30 days of receiving the request inform the data subject with other stakeholders for the rights of stakeholders on measures taken in response to the request.

If necessary, taking into account the complexity of the application and the number of applications, the 30-day deadline may be extended by another 60 days. The company shall inform the person concerned of the extension of the time limit by indicating the reasons for the delay within 30 days of the receipt of the application. If the application concerned is submitted electronically, the information should be provided electronically, as far as possible, unless otherwise requested by the data subject.

Information and action shall be provided free of charge.

Where an application for a claim is manifestly unfounded or, in particular, because of its repeated nature, the undertaking takes account of the administrative costs of providing the requested information or information or of the requested action:

a) may charge a reasonable amount, or

b) may refuse to take action on the application.

Evidence of a manifestly unfounded or excessive nature of the application is borne by the undertaking.

Mandatory information

If the enterprise has obtained the data directly from the party (including the clients in particular), the enterprise will in any case provide information on:

a) the business, if any, of the identity and contact details of the business representative;

b) contact details of the DPO, if any;

c) the purpose of the intended management of personal data and the legal basis for data handling

d) in the case of legitimate interest-based data management, legitimate interests of the business or third party;

e) where appropriate, the addressees of personal data

f) where appropriate, the fact that the undertaking intends to transmit personal data to a third country or an international organization,

At the time of the first acquisition of personal data, the company also informs the persons concerned of the following:

a) the length of time that the personal data is stored

b) the right of the data subject to apply for access to the personal data of the undertaking, their rectification, the cancellation or limitation of the processing of data relating to certain legal bases and the possibility of objecting to the handling of such personal data and the right to the data subject to the data concerned ;

c)  the right of withdrawal of data-based data management at any time, without prejudice to the lawfulness of the data processing carried out on the basis of consent prior to the withdrawal;

d) the right to lodge a complaint addressed to the supervisory authority (National Data Protection Authority, hereinafter referred to as the Authority or NAIH);

e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract and whether the data subject is obliged to provide personal data and the possible consequences of a lack of data provision.

If an undertaking wishes to perform further data processing for purposes other than the purpose for which it is collected, it shall inform the data subject of this different purpose and any relevant additional information related to it, before further data processing.

Your business can fulfill mandatory information in a variety of ways.

The business ("Privacy Policy") publishes it on its website in a way that is easy to find and easily accessible to anyone.

In addition to or instead of being posted on a website, your business may choose to make it available as an attachment to the " Privacy Policy " contract. In this case, it is sufficient to provide the data protection information concerning the concerned circle concerned.

8.2.   Right to access

The right of access is granted to the data subject in respect of any data base . The data subject has the right to be informed by the data controller of whether his personal data is being processed and, if such data is being processed, he has the right to have access to personal data and the information listed in the decree.

You are entitled to receive feedback from your business about whether your personal data is being processed and, if such data is being processed, you have the right to access personal information and the following information:

a) the purposes of data management;

b) the categories of personal data concerned;

c)  the categories of recipients or recipients with whom or with whom the personal data are communicated or communicated by the undertaking

d)  where appropriate, the intended duration of the storage of personal data

e)  the right of the data subject to apply for personal data to be corrected by the undertaking may, in the case of data handling linked to certain legal bases, discontinue or discontinue the processing of such data and may object to the handling of such personal data in connection with data handling linked to certain legal bases;

f)  the right to lodge a complaint addressed to the supervisory authority;

g) where data is not collected from the data subject, all available information on their source;

h)   the fact of automated decision-making, including profiling, and at least in such cases the logic used and the understandable information on the significance of such data management and the likely consequences for the data subject.

An undertaking shall make a copy of the personal data subject to data processing available to the data subject.

For additional copies requested by the person concerned, the enterprise may charge a fee based on administrative costs and the amount of which is included in the pricing rules of the business, other rules or other documents.

At the request of the person concerned, the information is provided by the Enterprise in electronic form. The right to find information in writing in the Introduction and in Section

  1. At the request of the person concerned, information may be given orally, following the credible identification and identification of his / her identity.

 

8.3.   Right to rectify

The data subject shall have the right to rectify any inaccurate personal data that he or she is entitled to request, without undue delay. The right of rectification applies to the data subject in respect of any data base.

8.4.   Right to cancellation

The right to be deleted or forgiven is not automatically granted to the data subject in respect of all legal grounds.

The enterprise shall delete personal data relating to the data subject without undue delay if one of the following reasons exists:

a ) the personal data no longer needed for the purpose for which they were collected or treated in other ways;

b) the party concerned withdraws the consent of the data controller (in the case of data- based data handling) and no other legal basis for data processing;

c) the data subject is objecting to data handling and has no prior legitimate reason for data handling in the case of data management based on or based on public authority

d) personal data has been treated unlawfully;

e) the personal data are to be deleted in order to comply with the legal obligation imposed by law applicable to the undertaking in the Union or in a Member State;

An enterprise's failure to comply with this request for deletion is not met if data management is necessary to comply with the statutory obligation to govern the processing of personal data.

If an enterprise receives a cancellation request, the business first asks whether the cancellation request is actually from the creditor. To this end, the company may request details of the identity between the affected and the business contracts (eg. contract number, contract date) to the relevant document issued by the company ID number, enter registered identification data (company, however, did not ask for identification as an extra data , which is not recorded by the person concerned).

If the business has to comply with the cancellation request, it must do everything in order to delete the personal data from all the databases.

The enterprise takes a note about deleting in order to be able to confirm the cancellation. The minutes shall be written by the business representative or by the person (s) who is entitled to this job description. The deletion report contains:

a) the name of the person concerned ;

b) the deleted personal data type;

c) the date of deletion.

The business informs about the cancellation obligation of all persons for whom personal data has been transmitted.

If the data controller has disclosed personal data and is required to do so, he / she shall take reasonable steps, including technical measures, to take account of the available technology and implementation costs, in order to inform the data controllers handling the data that the data subject has requested them links to personal data or the deletion of a duplicate or duplicate of such personal data.

Deletion of data can not be initiated if data management is required: to exercise the right to freedom of expression and the right of access; the fulfillment of an obligation under EU or Member State law applicable to the data controller for the processing of personal data, or for the performance of a task carried out in the exercise of public authority exercised in the public interest or on the data controller; in the field of public health or for archival, scientific and historical research purposes or for statistical purposes in the public interest; or legal claims, to argue against them or to protect them.

8.5.  Right to restrict data management

The data subject shall have the right to request that the data controller restrict his or her data handling if one of the following conditions is met:

- The person concerned disputes the accuracy of the personal data; in this case the restriction concerns the period of time that the data controller can check the accuracy of the personal data

- Data processing is illegal and the data subject is opposed to the deletion of the data and instead asks to limit their use ;

  • - The data controller no longer needs personal data for data processing, but the data subject requires them to submit, enforce, or protect legal claims ;
  • - The person concerned objected to data handling; in this case, the restriction applies to the duration of determining whether the data controller's legitimate reasons prevail over the legitimate grounds of the party concerned.

 

The right of restriction shall be accorded to the data subject in respect of any data base.

If the data processing is restricted by the preceding paragraph, such personal data may only be disclosed with the consent of the person concerned or with the submission, claim or protection of legal claims or the protection of the rights of a natural or legal person, or the European Union or a Member State important public interest.

The business informs about the obligation for whom personal data has been transmitted.

8.6.  The right to data storage

The data subject shall have the right to receive personal data made available to him by a data controller in a fragmented, widely used machine-readable format and shall be entitled to transmit such data to another data controller without this being obstructed by the data controller the personal information was provided to you .

The right to data storage is granted to the data subject in the case of consent or contract- based data processing when the data is processed in an automated way.

An enterprise ensures that the personal data that it has access to the business is provided to it in a fragmented, widely used machine-readable format and that the data is transferred to another data controller.

8.7.  Right to protest

You are entitled to object to your personal data when handling your business at any time for reasons related to your own situation.

The right of protest is granted to the person concerned

  • the legal basis for data handling is based on public authority or legitimate interest
  • the handling or transmission of personal data is only necessary to comply with the legal obligation of the Data Controller or to enforce the legitimate interest of the Data Controller, Data Provider or third party, unless data management has been ordered by law
  • the use or transfer of personal data is done for direct business acquisition, polling or scientific research
  • Data management is necessary to perform a task carried out in the public interest or in the exercise of public authority exercised on the data controller.

The data controller shall examine the protest within the shortest possible time but not later than one month from the submission of the request, make a decision on its validity and inform the applicant in writing.

In the case of an application for a protest in question, the undertaking may not treat personal data unless it proves that data processing is justified by compelling reasons of lawfulness which prevail over the interests, rights and freedoms of the data subject, or for the submission, protection.

If the Data Controller establishes the grounds for his / her protests, he / she will notify any person who has previously submitted the personal data affected by the protest. If the User Data Handler does not agree with the decision of the User, he or she may appeal to the court within 30 days from the date of its communication. The court proceeds out of order. The court is the competent court for the place where the data controller is domiciled, but the case may be initiated before the courts of the domicile of the person concerned.

If your personal data is handled for direct business, the person is entitled to object at any time to the handling of personal data relating to that purpose, including profiling, if it is related to direct business acquisition.

In the event of a protest against the handling of personal data for direct business acquisition, the data is not handled by the Enterprise for this purpose.

8.8.  Automated decision-making in individual cases, including profiling

The data subject shall be entitled to exclude the scope of a decision based solely on automated data management, including profiling, which would have a bearing on him or would have a significant effect on him.

The above entitlement shall not apply if data processing is necessary for the conclusion or performance of the contract between the data subject and the data controller; is made available to the data controller by Union or national law which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or the explicit consent of the person concerned.

8.9.  Right of withdrawal

The person concerned has the right to withdraw his consent at any time. Revocation of the contribution does not affect the lawfulness of the consent based on consent, prior to the withdrawal.

8.10.  Procedural rules

The data controller shall inform the data subject within 30 days of the receipt of the request without undue delay and in any way within 15-22 of GDPR. on the request for an Article.

If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by another 60 days. The controller shall inform the person concerned of the extension of the time limit by indicating the reasons for the delay within one month of the receipt of the application. If the concerned electronic application has been filed, the information will be provided electronically, unless otherwise requested by the person concerned.

If the data controller fails to take measures in response to his request, he shall inform the data subject without delay and within one month of the receipt of the request for reasons of non- action and whether he or she may file a complaint with a supervisory authority and exercise his right of judicial redress.

The Enterprise provides the requested information and information free of charge. If the request in question is clearly unjustified or excessive, in particular because of its repeated nature, the data controller may charge a reasonable fee or may refuse the measure based on the request, given the provision of the information or information requested or the administrative costs involved in the requested action.

The data controller informs all recipients of any rectification, deletion or data limitation that he or she has been communicating with him or her, unless this proves impossible or requires disproportionate effort. At the request of the data subject, the data controller shall inform the addressees thereof. The data controller shall provide the data subject with a copy of the personal data subject to data processing.

For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.

If the application concerned is submitted electronically, the information will be provided in electronic format, unless otherwise requested by the person concerned.

8.11.  Damages and damages

Any person who has suffered material or non-material damage as a result of a violation of the Data Protection Regulation is entitled to compensation for the damage sustained by the data controller or the data processor. The data processor shall only be held liable for damage caused by data processing  if  he or she has  not complied with the  statutory obligations specifically imposed on the data processor or if the data controller's legitimate instructions have been disregarded or contravened. If several data controllers or multiple data processors or both the data controller and the data processor are involved in the same data management and are responsible for the damage caused by the data handling, each data controller or data processor is jointly and severally liable for the total damage. The data controller,or the data processor shall be exempt from liability if he or she proves that he or she is not liable in any way for the event giving rise to the damage.

8.12.  Relevant Remedies for Affected Persons

If, despite the protests of the Customer, you have legal rights to deal with your personal data, you may take the following remedies:

  • Ask for information about how to handle your personal information and request the correction of your personal information
  • You may request the deletion of personal data in respect of data processed on the legal basis of consent. You can withdraw your consent.
  • At your request, we provide information about the data processed by us or by our processor, the purpose, legal basis and duration of the data processing.
  • The User's personal data will be deleted if its handling is illegal if it asks if the purpose of data management is terminated if it is incomplete or incorrect and this status can not be legally corrected - provided that the deletion is not ruled out by law - or the data storage law has expired, the court or the Data Protection Commissioner has ordered it.

 

8.13.  Right to Court

In the event of violation of his or her rights, the data subject may turn to the court of law (according to the choice of the defendant's domicile or domicile). The court proceeds out of court. The charge pertaining to the protection of personal data is tax-free.

8.14.  Privacy Policy Procedures

You can lodge a complaint against a possible infringement of the data controller with the National Data Protection and Information Authority:

National Privacy and Freedom Authority 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Postal address: 1530 Budapest, Mailbox: 5.

E-mail: ugyfelszolgalat@naih.hu

9  . RELIABLE DATA MANAGEMENT OF EMPLOYMENT

In this "Privacy Policy", the Company shall include all necessary information regarding the handling of data on natural persons in the job applications. The enterprise invokes the "Privacy Policy" by indicating availability in the job application that it issues. If the company does not make the "Privacy Policy" available electronically, the relevant provisions are included in the job application.

If the enterprise wishes to retain the documents submitted by the job applicant after the job is filled,  the application  of  the job  applicant must  be requested.  The contribution of volunteers, concrete, appropriate information must be based and unambiguous. In this interest, the contributing declaration must include at least the following:

a) the identity and contact details of the representative of the undertaking;

b) the purpose of the planned personal data is to seek [eg. a later request to fill a newly opened position] and the legal basis for data handling ( based on a contribution );

c) the duration of the storage of personal data;

d) the right of the data subject to request access to, correction, deletion or management of the personal data of the undertaking;

e) the right of the data subject to withdraw his consent at any time but without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;

f) the right to lodge a complaint addressed to the public authority.

After the evaluation of the application, the media containing the personal data of the unsuccessful applicants shall be returned to the applicant, upon request, within 90 days or if the applicant's consent for the use of his personal data for further applications is not annulled. The annulment (deletion) record must be recorded.

The enterprise manages the data of the employees on the basis of the relevant provisions of the Act on Mt. and informs it in the manner specified in the Act on Mt. Compliance with the data management principles contained in the GDPR. The undertaking informs employees of the data processors it uses about their identity and the scope of the data transmitted to them. The Enterprise provides employee information on internal employee information.

10.  POSSIBILITY OF THE DIVERSITY MODIFICATION OF THE DATA PROTECTION DECLARATION

In the world of constant technological change, the Enterprise will update this information message as necessary (on a regular basis) .

The Data Controller reserves the right to unilaterally modify this Privacy Policy without prior notice to users. The modifier is made available to the data controller by the 15 days prior to the date of entry into force, irrespective of the law in force. Archives of the expired information leaflet. Before and after the entry into force of the amendment, it is entitled to withdraw the data treated with the consent. If you do not withdraw it, the current amended privacy statement shall be deemed to be accepted.

All the methods published in our Privacy Statement apply to the procedure for handling the personal data of the Person concerned. We do not make a separate statement regarding the handling of non-personal data.

11 . REGISTRATION OF DATA MANAGEMENT ACTIVITY

As a result of the accountability principle, the business records the data management activities in order to track and verify compliance with GDPR .

At least the following records are kept by the undertaking on data management activities under its responsibility:

a) record keeping of data transfers

b)  stakeholder requests for validation and registration of rights to the undertaking given by the answers

c)  official inquiries and records of responses given by that undertaking

d)  records of applications for termination of data processing

e) customer registration

f) registration of requests for marketing purposes

g)  records of the handling of personal data relating to the employment relationship

h)  records of recruitment

Records of data protection incidents.

The company keeps its records of data management activities, as defined above, with the following content:

a) the name and contact details of the undertaking and, where applicable, the name and contact details of the undertaking's representative and the DPO;

b) the purposes of data management;

c) a description of the categories of persons concerned and the categories of personal data;

d) categories of recipients with whom personal data are communicated or communicated

e) where appropriate, information on the transfer of personal data to a third country or an international organization;

f) where possible, the time limits for deletion of different categories of data;

g) where possible, a general description of the technical and organizational measures.

If the enterprise also performs an activity as a data processor, the enterprise keeps a record of all categories of data management activities on behalf of the enterprise. This register shall contain the following information:

a) the name and contact details of the data processor or processors and their representatives;

b) categories of data management activities performed on behalf of the business;

c) where appropriate, the transfer of personal data to a third country or an international organization.

The records are kept in writing by the enterprise on paper or in electronic format.