INSTRUCTION NO. 1/2024 (06.18.)

THE WISER Group Kft. uniform data protection and data management regulations

Version number: V.001
Effective date: June 18, 2024.

Approved by: László Kozák, Managing Director
Access: For internal use only


1. GENERAL PROVISIONS

1.1 PURPOSE OF THE POLICY

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation of the European Union, GDPR), WISER Group Kft., as a data controller (hereinafter referred to as the "Data Controller"), has adopted the following regulations (hereinafter referred to as the "Regulations") for the purpose of recording its data processing activities, ensuring the rights of data subjects and establishing a general data protection regime. Through these Regulations, the Data Controller intends to ensure the legality of its operations, the enforcement of the constitutional principles of data protection and of data security requirements, and to prevent unauthorized access to data and its unauthorized alteration or disclosure.

1.2 SCOPE OF THE POLICY

The scope of the Regulation covers all processes carried out at any organizational unit of the Data Controller during which personal data is processed, regardless of whether the data management or data processing is carried out entirely or partially by computer means (electronically) or manually.

The personal scope of this Policy extends to the Data Controller's employees, persons employed in other legal relationships related to work, and any natural or legal person affected by data processing.

These Regulations are effective from the date indicated on the cover until revoked.

1.3 DEFINITIONS

"data subject": a natural person identified or identifiable on the basis of any information;

"personal data": any information about the data subject;

"consent": the voluntary, specific and unambiguous declaration of the data subject's will, based on adequate information, by which the data subject indicates through a statement or other conduct that clearly expresses his or her will that he or she consents to the processing of his or her personal data;

"data controller": the natural or legal person or organization without legal personality who, within the framework defined by law or a mandatory legal act of the European Union, independently or together with others, determines the purpose of the data processing, makes and implements decisions regarding the data processing (including the means used), or has them implemented by the data processor;

"data processing": regardless of the procedure used, any operation or set of operations performed on the data, including in particular the collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction of the data, as well as preventing its further use, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image);

"data transfer": making the data available to specific third parties;

"processing on behalf of the controller": the totality of data processing operations performed by a data processor acting on behalf of or at the request of the data controller;

"data processor": the natural or legal person or organization without legal personality who - within the framework and conditions defined by law or a mandatory legal act of the European Union - processes personal data on behalf of or at the direction of the data controller;

"third party": a natural or legal person, or an organization without legal personality, who is not the same as the data subject, the data controller, the data processor or the persons who carry out operations aimed at processing personal data under the direct control of the data controller or data processor;

"data protection incident": a breach of data security that results in the accidental or unlawful destruction, loss, modification, unauthorized transmission or disclosure of transmitted, stored or otherwise handled personal data, or unauthorized access to them;

"health data": personal data relating to the physical or mental health of a natural person, including data relating to healthcare services provided to the natural person which contain information about the health status of the natural person;

"profiling": any processing of personal data - in an automated manner - aimed at evaluating, analyzing or predicting the data subject's personal characteristics, in particular those related to his performance at work, economic situation, health, personal preferences or interests, reliability, behavior, location or movement;

"recipient": the natural or legal person, or an organization without legal personality, to whom personal data are made available by the data controller or data processor.

1.4 DATA PROCESSING PRINCIPLES

The Data Controller always acts in accordance with the following principles when processing personal data:

Personal data may only be processed for a clearly defined, lawful purpose, in order to exercise a right or fulfill an obligation. At all stages of processing, the purpose of the processing must be met, and the collection and processing of data must be fair and lawful. ("lawfulness, fairness and transparency")

Only personal data that is essential for the realization of the purpose of processing and suitable for achieving that purpose may be processed. Personal data may only be processed to the extent and for the time necessary to achieve the purpose. ("purpose limitation")

Personal data must be adequate and relevant for the purposes of processing, and must be limited to what is necessary. ("data minimisation")

During processing, the accuracy, completeness and, where necessary, the up-to-dateness of the data must be ensured, as must the fact that the data subject can only be identified for the time necessary for the purpose of the processing. ("accuracy")

Personal data must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the purposes of the processing. During processing, data remains personal data as long as the link with the data subject can be restored. The link with the data subject can be restored if the data controller has the technical means necessary for restoration. ("storage limitation")

In the course of processing, appropriate security of personal data must be ensured by applying suitable technical or organizational measures, in particular those that protect against unauthorized or unlawful processing and against accidental loss, destruction or damage. ("integrity and confidentiality")

The Data Controller is responsible for compliance with the above principles and must be able to demonstrate compliance. ("accountability")

1.5 DATA CONTROLLER INFORMATION

Name: WISER Group Kft.

Address: 1065 Budapest, Révay köz 4.

Tax number: 27928181-2-41

Company registration number: 01-09-357551

Registering court: Company Registry Court of the Budapest-Capital Regional Court

Legal representative: Managing Director László Kozák

E-mail: info@wisergroup.hu

Phone number: +36 30 336 08 16

2. DATA PROCESSING RULES

2.1 PURPOSE OF DATA PROCESSING

The Data Controller processes personal data for purposes arising in connection with its operations: for employment purposes, for marketing purposes, for the operation of personal and property security devices, for document management processes related to its operation, for IT services and ensuring information security, for the utilization of data assets, and for the performance of other basic activities specified in the organization's founding document. If the legal conditions for this exist, the Data Controller is entitled to initiate a new data processing activity. The individual data processing operations and their details are recorded in the Data Controller's register of data processing activities (Annex No. 1).

2.2 LEGAL BASIS FOR DATA PROCESSING

The processing of personal data by the Data Controller is lawful only if and to the extent that at least one of the following conditions is met:

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the data controller is subject;
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  6. processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.2 CONDITIONS OF CONSENT

Consent is a voluntary, specific, adequately informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear and unambiguous action, signifies agreement to the processing of personal data concerning him or her. The data subject may give his or her consent – in a storable form – in a contract, on a standard form for this purpose (Annex No. 7), electronically or on paper. The data subject may withdraw his or her consent at any time. Consent may only be used as a legal basis for processing where compliance with the requirements of prior information and voluntariness can be proven. Voluntariness cannot be proven if consent to processing that serves exclusively the interests of the Data Controller was obtained in a subordinate-superior relationship, en masse and without exception from a specific group of persons.

Where the data subject gives his/her consent in the form of a written statement which also applies to other matters, the request for consent shall be presented in a manner that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Consent may be given in any form which allows the data subject to be identified and the fact of consent recorded, in particular:

  1. in writing (with the signature of the person concerned);
  2. electronically after the individual identification of the data subject, if the fact of consent is recorded (logged);
  3. electronically in a message sent from the electronic mail address registered by the Data Controller concerned, provided that the message is recorded and preserved without changes.
BALANCE OF INTERESTS TEST

In certain cases, the Data Controller may process data without consent if a legitimate interest allows this, provided that the Data Controller complies with its prior information obligation. If the legal basis for data processing is justified by legitimate interest, the Data Controller will conduct a balancing test to assess the lawfulness of the data processing (Annex No. 2), during which the necessity of the purpose of data processing and the proportionate restriction of the rights and freedoms of the data subjects are examined and duly substantiated.

When carrying out the balancing test, the Data Controller identifies its legitimate interest in the data processing, as well as the counterweighting interest of the data subject and the fundamental right of the data subject. The Data Controller always examines the condition for weighing the conflicting rights and interests with regard to the specific circumstances of the given case. During the assessment, the Data Controller takes into account in particular the nature and sensitivity of the data processed or to be processed, the extent of its publicity, the seriousness of the potential infringement, etc.

As part of the balancing test, the Data Controller also carries out a necessity and proportionality test, according to which exceptions to the protection of personal data and restrictions on protection must remain within the limits of what is strictly necessary. The nature and quantity of the data to be processed must not exceed what is necessary for the purposes of the legitimate interests pursued. The proportionality test involves an assessment of the relationship between the objectives and the means chosen. The means chosen must not exceed the extent of necessity, but the means must also be suitable for achieving the specified purpose. Based on the weighting, the Data Controller determines whether the personal data can be processed.

The data subjects will be informed about the result of the test, which clearly shows on the basis of which legitimate interest and why it is considered a proportionate restriction that the Data Controller processes personal data without the data subject's consent, i.e. why the Data Controller's legitimate interest in processing the data overrides the data subject's interests and rights. The Data Controller will inform the data subjects about the data protection safeguards applied in the absence of consent and about the possibility of objecting to data processing. The result of the weighing of conflicting interests and rights cannot be prescribed without the Data Controller allowing a different result in view of the specific circumstances of the given case, therefore the Data Controller will carry out a separate balancing of interests test in each individual case.

Possible scenario, from which the Data Controller reserves the right to deviate:

  1. Before commencing the planned data processing, the Data Controller reviews whether the processing of personal data is absolutely necessary to achieve its purpose: whether alternative solutions are available that can achieve the planned purpose without processing personal data.
  2. The Data Controller shall determine its legitimate interest as precisely as possible.
  3. The Data Controller determines the purpose of data processing, what personal data and how long the legitimate interest requires data processing.
  4. The Data Controller determines what interests the data subjects may have in relation to the given data processing (for example, the aspects that the data subjects could raise against the data processing).
  5. The Data Controller shall weigh its legitimate interests against the interests and fundamental rights of the data subjects and shall determine whether the personal data may be processed. The Data Controller shall determine why the legitimate interests of the Data Controller – and the processing carried out on the basis thereof – proportionately limit the rights and expectations of the data subjects specified in step 4.
  6. The Data Controller determines which guarantees can ensure the necessity and proportionality of data processing (of course, other guarantee measures can also be applied).

    2.3 HANDLING OF SPECIAL DATA

The GDPR does not define the concept of special data in general; it only lists certain categories of it (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data processed for the purpose of uniquely identifying natural persons, health data, and personal data concerning the sex life or sexual orientation of natural persons) or defines them separately. Special data may only be processed if

  1. the data subject has given his or her explicit consent to the processing of those personal data for a specific purpose and the consent is not prohibited by Union or Member State law;
  2. the processing is necessary for the controller or the data subject to fulfil their obligations and exercise their specific rights under legal provisions governing employment, social security and social protection, if this is permitted by Union or Member State law, which also provides for appropriate safeguards to protect the fundamental rights and interests of the data subject, or by a collective agreement under Member State law;
  3. the processing is necessary to protect the vital interests of the data subject, provided that the data subject is unable to give consent due to physical or legal incapacity;
  4. the processing concerns personal data that the data subject has explicitly made public;
  5. data processing is necessary for the establishment, exercise or defense of legal claims;
  6. the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to the protection of personal data and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
  7. the processing is necessary for preventive health or occupational health purposes, to assess the employee's ability to work, to make a medical diagnosis, to provide health or social care or treatment, or to manage health or social systems and services, based on Union or Member State law or pursuant to a contract with a healthcare professional;
  8. processing is necessary for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to the protection of personal data and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

    2.4 PRIOR INFORMATION REQUIREMENT

If personal data concerning the data subject are collected from the data subject, the Data Controller shall provide the data subject with all of the following information at the time the personal data are obtained, unless and to the extent that the data subject already has the information:

  1. the identity and contact details of the data controller and, if any, the data controller's representative;
  2. contact details of the data protection officer, if any;
  3. the purpose of the intended processing of personal data and the legal basis for the processing;
  4. in the case of data processing based on legitimate interest, the legitimate interests of the data controller or a third party;
  5. where applicable, the recipients of the personal data and the categories of recipients, if any;
  6. where applicable, the fact that the controller intends to transfer the personal data to a third country or to an international organisation, the existence or absence of an adequacy decision by the Commission or an indication of the appropriate and suitable safeguards, and a reference to the means of obtaining a copy thereof or their availability;
  7. the period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
  8. the right of the data subject to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and to object to the processing of such personal data, as well as the right of the data subject to data portability;
  9. the right to withdraw consent at any time, which does not affect the lawfulness of data processing carried out on the basis of consent before withdrawal;
  10. the right to lodge a complaint with the supervisory authority;
  11. whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, and whether the data subject is obliged to provide the personal data, as well as the possible consequences of failure to provide the data;
  12. the fact of automated decision-making, including profiling, and at least in these cases, the logic involved and understandable information on the significance and foreseeable consequences of such processing for the data subject.

If the personal data were not obtained from the data subject, the Data Controller shall indicate the source of the data and, where applicable, whether the data originate from publicly available sources. The Data Controller shall provide the information as follows:

  1. taking into account the specific circumstances of the processing of personal data, within a reasonable period of time from the date of obtaining the personal data, but no later than one month;
  2. if the personal data are used for the purpose of communicating with the data subject, at least upon initial contact with the data subject; or
  3. if the data is expected to be communicated to other recipients, at the latest when the personal data is communicated for the first time.

The above information shall be provided to the data subject in a concise, transparent, comprehensible and easily accessible form, in clear and plain language, and as a rule in writing, including by electronic means. If the Data Controller intends to process personal data for purposes other than those for which they were collected, it shall inform the data subject of such purposes and of any relevant additional information prior to such further processing.

2.5 RECORDING OF DATA PROCESSING ACTIVITIES

The Data Controller shall keep records of the data processing activities carried out under its responsibility. The Data Controller's unified data processing activities record constitutes Annex 1 to these Regulations. This record shall contain the following information:

  1. the name and contact details of the data controller and, if any, the name and contact details of the joint controller, the controller's representative and the data protection officer;
  2. the purposes of data management;
  3. description of the categories of data subjects and the categories of personal data;
  4. categories of recipients to whom the personal data are or will be disclosed, including recipients in third countries or international organisations;
  5. where applicable, information on the transfer of personal data to a third country or an international organisation, including the identification of the third country or international organisation and, in the case of transfers pursuant to the second subparagraph of Article 49(1) of the GDPR, a description of the appropriate safeguards;
  6. if possible, the deadlines for erasing the different categories of data;
  7. if possible, a general description of the technical and organisational measures.

    2.6 IMPACT ASSESSMENT AND PRIOR CONSULTATION

If a new data processing operation – in view of its nature, scope, circumstances and purposes – is likely to result in a high risk to the rights and freedoms of natural persons, then before the start of the processing, the Data Controller shall conduct an impact assessment on how the processing operation affects the protection of personal data. Similar processing operations that pose similar risks may be assessed within the framework of a single impact assessment. The data protection impact assessment is the responsibility of the Data Controller's organisational unit, in accordance with the impact assessment document (Annex No. 3), which is an integral part of these Regulations. In order to assess the risks and other aspects of the impact assessment, the Data Controller shall seek the opinion of its Data Protection Officer, if applicable. It is mandatory to carry out a data protection impact assessment:

  1. in the case of large-scale, systematic surveillance of publicly accessible areas, for example when using an electronic surveillance system (camera) that meets these conditions;
  2. in the case of processing large amounts of health and other sensitive data;
  3. in the case of a systematic and extensive evaluation of certain personal characteristics relating to natural persons which is based on automated processing, including profiling, and which is used to make decisions which have legal effects concerning the natural person or similarly significantly affect him/her;
  4. in the case of data processing operations that are included in the supervisory authority's list of mandatory data protection impact assessments.

A data protection impact assessment does not need to be carried out for data processing based on law (mandatory), data processing necessary for the fulfillment of a legal obligation, and data processing that is included in the supervisory authority's list of data processing exempted from data protection impact assessment. The impact assessment shall cover at least:

  1. a systematic description of the planned processing operations and of the purposes and legal basis of the processing, including, in the case of processing based on a balancing of interests, the legitimate interest pursued by the data controller;
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes of the processing;
  3. an assessment of the risks to the rights and freedoms of data subjects; and
  4. the measures envisaged to address the risks, including safeguards and data security measures, to demonstrate compliance with the law and these Regulations, taking into account the legitimate interests of data subjects.

After the impact assessment has been completed, the Data Controller's organizational unit shall ensure that the impact assessment is reviewed as necessary, but at least in the event of a change in the risk posed by the data processing operations, during which the risk assessment is re-evaluated. The risk review shall be carried out at least every three years. The results of the completed impact assessment shall be sent to the Data Controller's data protection officer. The data protection officer may make comments on the impact assessment.

If the data protection impact assessment establishes that the planned data processing would actually involve a high risk in the absence of measures taken to mitigate the risks, the Data Controller shall consult the supervisory authority, with the assistance of the data protection officer, if applicable, before processing the personal data.

2.7 DATA TRANSFER

Data transfer occurs when the data is made available to a specific third party, including allowing access to the data or extracting it. Transfers within the organizational system of the Data Controller as a data controller, the transfer of data to a data processor, and the data subject's access to his or her own personal data are not considered data transfer. Data transfer to a third country is the transfer of data to a country outside the Member States of the European Economic Area (hereinafter: EEA). Disclosure occurs when the data is made available to anyone.

The Data Controller treats personal data confidentially. Data transfer, data transfer to a third country or international organization, and personal data disclosure may only take place in full compliance with all relevant regulations and in accordance with the provisions of the GDPR.

The data controller's organizational unit decides on the transfer of data, the transfer of data to a third country or an international organization, and the disclosure of personal data. If there is any doubt about the lawfulness, the head of the organizational unit is obliged to contact the Data Controller's data protection officer - in writing or electronically - who will issue a statement on the lawfulness of the planned data processing operations.

Personal data processed within the organizational system of the Data Controller, as a data controller, may be transferred - to the extent and for the period necessary to perform the task - to an organizational unit that needs the data to perform its tasks as set out in the law, internal regulations or instructions.

2.8 DATA PROCESSING

The Data Controller may use a data processor for certain data processing operations. The data processor processes data on behalf of the Data Controller and, where applicable, in accordance with its specific instructions. Data processors carry out processing in accordance with the instructions of the Data Controller, may not make substantive decisions regarding the processing, may process the personal data received only in accordance with the instructions of the Data Controller, may not process the data for their own purposes, and must store, preserve and keep personal data confidential in accordance with the instructions of the Data Controller. Data processors may not engage further data processors without the prior written ad hoc or general authorisation of the Data Controller.

The terms of data processing shall be set out in a written agreement (Annex No. 4). The agreement may also be concluded as part of another contract. Data processing may also take place on the basis of legal provisions, in which case those legal provisions govern the data processing relationship. It is not necessary to conclude a written agreement if the data processing relationship is fully regulated by the given legal provisions.

The data processing agreement shall include at least:

  1. the subject matter, purpose, duration of data processing, the type of personal data and the range of data subjects;
  2. that - unless otherwise provided by law - the data processor carries out the data processing in accordance with the written instructions of the data controller, as well as the circumstances of the instructions, in particular the name of the organizational unit or person authorized to give them;
  3. whether the data processor is entitled to use a further data processor and, if so, the obligation to provide information regarding the use or replacement of the further data processor;
  4. the data processor's data security measures;
  5. the procedure for informing about data protection incidents;
  6. cooperation rules related to ensuring the rights of the data subject;
  7. the data processor's obligation of confidentiality;
  8. the obligation for the data processor to delete all personal data (including existing copies) or return them to the data controller, in accordance with the decision of the data controller, after the completion of the data processing, unless otherwise provided by law;
  9. that the data processor provides all information necessary for the data controller to comply with its legal obligations;
  10. that the data processor provides the data controller with all information necessary to demonstrate the lawfulness of the data processing and cooperates with any inspection, on-site inspection or audit of the data processing;
  11. if necessary, additional rights and obligations of the data controller and data processor.

3. DATA SECURITY

3.1 DATA PROTECTION BY DESIGN AND BY DEFAULT

Taking into account the state of the art and the costs of implementation, as well as the nature, scope, circumstances and purposes of processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons, the Data Controller shall implement appropriate technical and organizational measures, such as pseudonymization, both when determining the means of processing and during the processing itself. These measures aim, on the one hand, to implement data protection principles such as data minimisation effectively and, on the other hand, to integrate the necessary safeguards into the processing in order to meet the requirements of data protection legislation and to protect the rights of data subjects.

The Data Controller shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including in particular the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data, and the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. When determining the appropriate level of security, specific account shall be taken of the risks presented by the processing, in particular those arising from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

3.2 PHYSICAL PROTECTION

In order to ensure the security of personal data processed on paper, the Data Controller stores the documents in a securely locked room protected against fire and theft. To fulfil its retention obligation, the Data Controller places manually processed documents containing personal data in a filing cabinet, which is likewise a securely locked area protected against fire and theft with restricted access. Documents containing personal data may only be viewed by persons authorized to do so and may not be accessed by, or disclosed to, anyone else. Upon expiry of the retention period, the Data Controller destroys the documents.

3.3 INFORMATION TECHNOLOGY PROTECTION

To ensure the security of personal data stored on a computer or network, the Data Controller applies the following guarantee measures:

  • the computers used for data processing are the property of the Data Controller, or the Data Controller holds rights over them equivalent to ownership;
  • data stored on the computers can only be accessed with a valid, personal, identifiable authorization (at least a username and password), and the Data Controller ensures that passwords are changed when necessary;
  • only persons with appropriate authorization and designated for that purpose may access the data stored on the server;
  • once the purpose of the data processing has been achieved and the retention period has expired, the file containing the data is irretrievably deleted;
  • the Data Controller continuously maintains virus protection on the network that processes personal data;
  • the Data Controller prevents unauthorized persons from accessing the network by means of the available IT tools.

Personal data managed by the Data Controller is transmitted electronically via servers and physically stored on data storage devices.

MONITORING EMPLOYEE ACTIVITIES

The employee may be monitored within the scope of his/her conduct relating to the employment relationship. For this purpose the Data Controller, as the employer, may also use technical devices, of which it shall inform the employee in advance in writing. Unless otherwise agreed, the employee may use the information technology or computing device or system provided by the employer exclusively for the purpose of performing the employment relationship. During the monitoring, the Data Controller, as the employer, may inspect the data related to the employment relationship stored on the computing device used for the performance of the employment relationship. For the purposes of the monitoring, where private use is prohibited, the data necessary to verify compliance with that prohibition shall also be considered data related to the employment relationship. This paragraph shall also apply if, by agreement of the parties, the employee uses his/her own computing device for the performance of the employment relationship.

Employees are obliged to store securely and protect the data carriers they use or possess that contain personal data, regardless of the method of recording the data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage. During the processing of personal data, data recording devices and data carriers may only be used in encrypted (standards-compliant) form. The Data Controller may ensure the further enforcement of data security requirements by means of separate internal regulations and instructions. The Data Controller's employees are obliged to act in accordance with the procedures specified in the internal regulations and instructions, ensuring a high level of data security.

The Data Controller's employees who carry out data management or data processing are obliged to treat the personal data they learn of in the course of their activities confidentially and to keep them secret. Only persons who have signed the confidentiality statement (Annex No. 5) may carry out such activities.

3.4. PROCEDURE FOR DATA PROTECTION INCIDENTS

A data protection incident (data breach) is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed. If any employee of the Data Controller suspects a data protection incident or receives notification of a data protection incident from the data processor, the procedure set out in the Data Protection Incident Management Policy (Annex No. 6) must be followed.

    4.0 TASKS

    4.1 RESPONSIBILITY

The Data Controller's management, taking into account the organizational structure of the Data Controller, determines the data protection organization, the tasks and powers related to data protection and related activities, and - if necessary - appoints the person responsible for supervising data processing, the data protection officer.

Management of the Data Controller

  1. is responsible for creating the necessary conditions for the exercise of the rights guaranteed by law by the data subjects;
  2. is responsible for ensuring the personal, material and technical conditions necessary for the protection of personal data processed by the Data Controller;
  3. is responsible for remedying any deficiencies or unlawful circumstances discovered during data processing audits, and for initiating and conducting the proceedings necessary to establish the liability of the persons responsible;
  4. supervises the activities of the data protection officer, if any;
  5. may order an investigation to uncover the facts;
  6. approves the Data Controller's data protection policies.

During the implementation of this Policy, the tasks and responsibilities of individual organizational units and individuals are determined by the internal regulations relating to the organization, operation and activities of the Data Controller, as well as the job descriptions/role descriptions of the employees. The managers of the organizational units of the Data Controller are responsible for ensuring that data processing in the organizational unit they manage is carried out in accordance with the provisions of the law and this Policy.

The Data Controller's employee performing data processing shall always inform the data subject about the essential content of the data processing before collecting personal data. The Data Controller's employees performing data processing are obliged to keep the personal data they have come to know as a business secret and to handle such data in accordance with the Regulations and other organizational instructions. The Data Controller's employees shall ensure during their activities that unauthorized persons cannot access personal data, and that the storage and placement of personal data is designed in such a way that it cannot be accessed, learned, changed or destroyed by unauthorized persons.

Within the scope of his/her own job/tasks, the employee

  • is responsible for the processing, modification, deletion, transmission and disclosure of data, as well as for the accurate and traceable documentation of data;
  • manages and preserves the data acquired in the course of performing his/her duties, and ensures the secure management and storage of records;
  • ensures that unauthorized persons cannot access the data in the registers he/she keeps;
  • complies with data processing laws and internal instructions;
  • participates in internal professional training related to data management and data protection;
  • is obliged to refuse to execute any instruction that is contrary to the laws on data management and data protection or to internal instructions.

    5.0 RIGHTS AND REMEDIES OF THE DATA SUBJECT

The data subject rights listed in the following points can be exercised by submitting a request to the Data Controller. The Data Controller shall assess the request without undue delay after its receipt, and at the latest within 25 (twenty-five) days, and shall notify the data subject of its decision in writing or, if the data subject submitted the request electronically, by electronic means.

5.1 INFORMATION ON THE PROCESSING OF YOUR PERSONAL DATA

At the request of the data subject, the Data Controller provides information about the data subject's data managed by it or processed by the data processor commissioned by it or at its disposal, the source of the data, the purpose, legal basis and duration of the data processing, the name and address of the data processor and its activities related to the data processing, the circumstances of any data protection incident, its effects and the measures taken to address it, and, in the case of a transfer of the data subject's personal data, the legal basis and recipient of the transfer.

5.2 ACCESS TO PERSONAL DATA

The data subject has the right to receive feedback from the Data Controller as to whether his personal data is being processed, and if such data processing is underway, he is entitled to access the personal data and the following information:

  1. the purposes of data management;
  2. categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries and international organizations;
  4. where appropriate, the planned period of storage of personal data or, if this is not possible, the criteria for determining this period;
  5. the right of the data subject to request from the Data Controller the correction, deletion or restriction of processing of personal data concerning him and to object to the processing of such personal data;
  6. the right to submit a complaint to a supervisory authority;
  7. if the data were not collected from the data subject, all available information about their source;
  8. the fact of automated decision-making, including profiling, as well as, at least in these cases, understandable information about the logic used and the significance of such data management and the expected consequences for the data subject.

If personal data is transferred to a third country or to an international organization, the data subject is entitled to receive information about the appropriate guarantees regarding the transfer.

The Data Controller provides a copy of the personal data that is the subject of data management to the data subject. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise.

The right to request a copy must not adversely affect the rights and freedoms of others.

5.3 RIGHT TO CORRECTION

The data subject is entitled to have the Data Controller correct inaccurate personal data concerning him without undue delay upon request. Taking into account the purpose of the data management, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.

5.4 RIGHT TO DELETION (RIGHT TO BE FORGOTTEN)

The data subject has the right to request that the Data Controller delete the personal data concerning him without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

  1. the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
  2. the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management;
  3. the data subject objects to data processing and there is no overriding legal reason for data processing;
  4. personal data has been processed unlawfully;
  5. the personal data must be deleted in order to fulfill the legal obligation prescribed by EU or member state law applicable to the Data Controller;
  6. the collection of personal data took place in connection with the offering of services related to the information society.

If the Data Controller has made the personal data public and is obliged to delete it under the above, it shall take reasonable steps, including technical measures, taking into account the available technology and the costs of implementation, to inform other data controllers processing the data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.

Data deletion cannot be initiated if data management is necessary: for the purpose of exercising the right to freedom of expression and information; for the purpose of fulfilling the obligation under EU or member state law applicable to the Data Controller requiring the processing of personal data, or for the execution of a task carried out in the public interest or in the context of the exercise of public authority vested in the Data Controller; affecting the field of public health, or for archival, scientific and historical research purposes or for statistical purposes, on the basis of public interest; or to submit, assert or defend legal claims.

5.5 RIGHT TO RESTRICTION OF DATA PROCESSING

The data subject has the right to request that the Data Controller restricts data processing if one of the following conditions is met:

  1. the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the Data Controller to check the accuracy of the personal data;
  2. the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use;
  3. the Data Controller no longer needs the personal data for the purpose of the data processing, but the data subject requires them to submit, enforce or defend legal claims; or
  4. the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the Data Controller's legitimate reasons take precedence over the data subject's legitimate reasons.

If data processing has been restricted on the above grounds, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the submission, enforcement or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

The Data Controller informs the data subject at whose request the data processing was restricted in advance of the lifting of the data processing restriction.

The Data Controller informs all recipients to whom the personal data have been disclosed of any correction, deletion or restriction of data processing, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the Data Controller informs him/her about these recipients.

5.6 RIGHT TO DATA PORTABILITY

The data subject has the right to receive the personal data concerning him/her which he/she has provided to a Data Controller in a structured, commonly used, machine-readable format, and is also entitled to transmit this data to another Data Controller without hindrance from the Data Controller to which the personal data were provided, if:

  1. data management is based on the consent of the data subject or a contract; and
  2. data management is automated.

When exercising the right to data portability as described above, the data subject is entitled to - if this is technically possible - request the direct transmission of personal data between Data Controllers. The exercise of this right may not violate the right to erasure. The aforementioned right does not apply in the event that the data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of the public authority delegated to the Data Controller. The right mentioned in the paragraph may not adversely affect the rights and freedoms of others.

5.7 RIGHT OF WITHDRAWAL

The data subject is entitled to withdraw his consent to the processing of his personal data at any time, the exercise of which right does not affect the legality of the data processing carried out on the basis of the consent prior to the withdrawal.

5.8 SUBMITTING A COMPLAINT TO A SUPERVISORY AUTHORITY

The data subject may initiate an investigation by the National Data Protection and Freedom of Information Authority (hereinafter: "Authority") to examine the lawfulness of the Data Controller's action if the Data Controller restricts the exercise of the data subject's rights or rejects his/her request to exercise those rights. The data subject may also request that the Authority conduct its data protection official procedure if, in his/her judgment, the Data Controller, or the data processor commissioned by it or acting on its instructions, violates the rules on the processing of personal data laid down in legislation or in a binding legal act of the European Union.

Name: National Data Protection and Freedom of Information Authority

Headquarters: 1055 Budapest, Falk Miksa utca 9-11

Mailing address: 1363 Budapest, Pf.: 9.

Phone: +36 (1) 391 1400

Fax: +36 (1) 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

5.9 RIGHT TO REFER TO COURT

The data subject may bring an action before a court against the Data Controller or, in connection with data processing operations within the scope of the data processor's activity, against the data processor, if, in his/her opinion, the Data Controller or the data processor commissioned by it or acting on its instructions processes his/her personal data in violation of the rules on the processing of personal data laid down in legislation or in a binding legal act of the European Union.

The Data Controller or the data processor is obliged to prove that the data management complies with the regulations for the management of personal data defined in legislation or in a mandatory legal act of the European Union.

The action may be brought by the data subject, at his/her choice, before the court competent for his/her place of residence or stay. A person who otherwise lacks legal capacity may still be a party to the action. The Authority may intervene in the action in support of the data subject.

    6.0 FINAL PROVISIONS

In matters not specifically regulated in the Regulations, the provisions of the relevant data protection legislation shall apply. If necessary due to changes in legislation or for other reasons, the management shall amend the content of the Regulations. The provisions of the Regulations shall be interpreted in accordance with other regulations in force of the Data Controller. If there is a contradiction between these provisions and the provisions of any other regulations applied before the entry into force of these Regulations regarding the processing of personal data, these provisions shall apply. In the implementation of these Regulations, the tasks and responsibilities of individual organizational units and persons shall be determined by the internal instructions relating to the organization, operation and activities of the Data Controller.

ANNEXES


  Annex No. 1 – Records of data processing activities
  Annex No. 2 – Balancing of interests test
  Annex No. 3 – Impact assessment sheet
  Annex No. 4 – Data processing agreement
  Annex No. 5 – Confidentiality statement
  Annex No. 6 – Data Protection Incident Management Policy
  Annex No. 7 – Data processing consent statement template
