1. Introductory and interpretative provisions
1.1. Identification of organisation and controller
Company name: Budapest Convention Bureau / Magyar Kongresszusi Iroda nonp. Kft.
Company registration No.: HU27333169
Registered address: H-1011 Budapest, Szilágyi Dezső tér 1
Location of Internet data management: www.budcb.hu
Further information can be found in the “Privacy Notice” currently in force. The entity identified above is hereinafter referred to as the “Data Controller” or the “Company” in this policy.
1.2. Purpose of the policy
The purpose of this policy is to lay down the general rules governing the processing of personal data within our Company, so that the right to the protection of personal data is guaranteed.
In connection with our data management system we have prepared policies, documents, records, forms and templates, which are listed in Annex 1 to this policy.
The provisions of this policy are in line with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”).
1.3. Personal and material scope of the policy
The policy applies to all personal data processed by our Company and to all employees of our Company.
• personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• data management (processing): any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• data controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
• filing system: any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
• transmission of data: making the data available to a specific third party;
• data protection officer: the person designated under Article 37 of the GDPR, where such designation is mandatory;
• data protection representative: the responsible employee or external agent in charge of data management matters at the organisation. Where appropriate, the data protection officer may carry out this activity;
• disclosure: means the making available of data to anyone;
• dataset: the sum of the data processed in a single register;
• document: any recorded information, a set of data, which may appear on paper, electronic or any other medium, generated or received in the course of the operation of a body or the activity of a person, which may include text, data, graphs, sound, pictures, movies, or any other form of information or a combination thereof;
• risk: the possibility of an event occurring, characterised by the severity and probability of its consequences;
• restriction of processing: the marking of stored personal data for the purpose of limiting their processing in the future;
• profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
• pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
• recipient: a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;
• third party: any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who have been authorized to process personal data under the direct control of the controller or processor;
• consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action (Article 7), signifies agreement to the processing of personal data relating to him or her;
• personal data breach: a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed;
• supervisory authority: an independent public authority established by a Member State in accordance with Article 51 of the GDPR;
2. Principles and legality of data management
2.1. Principles of data management
2.1.1. Lawfulness, fairness and transparency
As data controller, we process personal data only lawfully, fairly and in a manner that is transparent to the data subjects, in accordance with the requirements laid down in the relevant legislation and internal rules, and we exercise the rights granted to us in respect of data subjects only for their intended purpose.
2.1.2. Purpose limitation
As data controller, we process personal data only for specified, explicit and legitimate purposes. Every stage of processing must correspond to the purpose of the processing, and the collection and processing of data must be fair and lawful.
2.1.3. Data minimisation and storage limitation
As data controller, we process only as much personal data as is adequate and necessary for the unambiguous identification of the data subject, the performance of the task and the achievement of the purpose. The time limits for the retention and erasure of data are set on the basis of the purpose, the laws governing the processing and our internal rules. Once the purpose of the processing has been fulfilled or has ceased, the data are erased on expiry of the retention period laid down in the legislation or internal rules governing the processing.
2.1.4. Accuracy
During processing we ensure that the data are accurate, complete and, where necessary, kept up to date, and that the data subject can be identified only for as long as is necessary for the purpose of the processing. If, as data controller, we become aware that personal data we process are inaccurate or incomplete, we correct them or initiate their correction with the employee responsible for recording the data, and we notify everyone to whom the data have been transmitted.
2.1.5. Integrity and confidentiality
When processing personal data, including the transmission of data on paper and electronically and the granting of IT access rights, we ensure that only those persons have access to the data for whom such access is strictly necessary for their work or duties.
2.1.6. Data protection by design and by default
Both when determining the means of processing and during the processing itself, as data controller we apply technical and organisational measures appropriate to the state of the art which ensure adequate protection of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
2.1.7. Principle of accountability
As a data controller, we are responsible for complying with the data protection principles and we are able to demonstrate this compliance through our established data management and data protection system.
2.2. Legality of data management (legal basis for data management)
As data controller, we process personal data only if one of the following conditions is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract,
c) data processing is necessary for the fulfilment of an obligation imposed by EU or Hungarian legislation,
d) processing is necessary to protect the vital interests of the data subject or of another natural person,
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
f) processing is necessary for the purposes of the legitimate interests pursued by our organisation or by a third party.
Where none of the above legal bases applies to the processing of personal data, the processing is not lawful. Unlawful or unfair processing is prohibited in every case.
2.2.1. Legal basis on consent (Article 6/a)
Consent to processing must be clear and expressly given (consent cannot be “anticipated”, and silence does not constitute consent). As data controller, we are obliged to obtain the consent of the data subject and to be able to demonstrate that consent has been given.
Where the data subject gives his consent in a written declaration covering other matters, the request for consent shall be submitted in a manner which is clearly distinguishable from those other matters, in an understandable and easily accessible form, in a clear and simple language. Consent shall not be a condition for the conclusion of a contract or for the use of a service.
The data subject shall have the right to withdraw his consent at any time. Withdrawal of consent shall not affect the lawfulness of the consent-based data management prior to withdrawal. Before giving consent, the data subject shall be informed accordingly. Withdrawal of consent should be possible in the same simple manner as granting it.
In order to demonstrate compliance with the GDPR, we will retain these evidentiary documents.
2.2.2. Performance of a contract as legal basis (Art. 6/b)
In connection with the performance of a contract concluded with the data subject, we process the data subject’s personal data; such a contract may take the following forms:
• Contract for services
• Connecting to our service
• Other forms of contract
2.2.3. Fulfilment of a legal obligation as legal basis (Art. 6/c)
The Union or Member State law establishing such an obligation may contain specific provisions adjusting the application of the rules of the GDPR, including the general conditions governing the lawfulness of processing by the controller, the types of data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed and the purposes of such disclosure, the purpose limitation, the storage period and the processing operations and procedures, including measures to ensure lawful and fair processing.
Our organization processes data in order to comply with other legal regulations. The relevant legal list is contained in the “Privacy Notice” in force at all times.
2.2.4. Protection of the interests of the data subject as a legal basis (Article 6/d)
Where the vital interests of the data subject or of another natural person so require, our organisation processes the personal data on the basis of Article 6(1)(d) of the GDPR.
2.2.5. Carrying out a task of public interest as a legal basis (Art. 6/e)
Where processing is based on this legal basis, we review the legal provisions which define the specific requirements for the processing more precisely, and we take further measures to ensure that the processing is lawful and fair.
2.2.6. Legitimate interest as a legal basis (Article 6/f)
Where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, we weigh those interests against the interests, fundamental rights and freedoms of the data subjects concerned.
In the balancing test we record the parties concerned, the subject matter of the assessment and the legitimate interests at stake. Only if the interests of the controller outweigh the conflicting interests of the data subject may legitimate interest be designated as the legal basis for the processing of personal data.
Where the interests or fundamental rights and freedoms of data subjects which require the protection of personal data (in particular if the data subject is a child) prevail over the interests of the controller, the processing based on the legitimate interest can not be continued. If there is neither a legitimate interest nor any other legal basis in relation to the processing of personal data, the processing is not lawful. In any case, the continuation of unlawful processing is prohibited.
2.3. Management of child data
Where processing is based on consent (Article 6(1)(a) GDPR), the processing of personal data in relation to information society services offered directly to a child is lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
As a data controller, taking into account the available technology, we will make reasonable efforts to verify in such cases that consent has been given or authorised by the exerciser of parental control over the child.
3. Handling of special data
3.1. Rules for handling special data
As data controller, we may process special categories of data only if:
a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (except where Union or Hungarian law provides that the prohibition on processing may not be lifted by the data subject),
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights under employment, social security and social protection law, in so far as it is authorised by Union or Hungarian law or a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject,
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,
d) processing relates to personal data which are manifestly made public by the data subject,
e) the processing is necessary for the establishment, exercise or defence of legal claims,
f) processing is necessary for reasons of significant public interest, under Union or Hungarian law (which also provides for appropriate safeguards protecting the fundamental rights and interests of the data subject),
g) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Hungarian law or pursuant to a contract with a health professional, provided that the data are processed by or under the responsibility of a professional subject to an obligation of professional secrecy under Union or Hungarian law or rules established by national competent bodies,
h) processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring a high quality and safety of health care, medicines and medical devices, and by law, which also provides for appropriate safeguards to protect the fundamental rights and interests of the data subject (in particular as regards professional secrecy);
i) processing is necessary for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes under Union or Hungarian legislation (which also provides for appropriate safeguards protecting the fundamental rights and interests of the data subject).
4. Data processing that does not require identification
If the purposes for which we process personal data as data controller do not or no longer require the identification of the data subject by our Company, we are not obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR.
Where, in such cases, our Company can demonstrate that it is not in a position to identify the data subject, we inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 of the GDPR (rights of the data subject) do not apply unless the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.
5. Management of the rights of the data subject
As data controller, we always give effect to the rights of data subjects under the law, namely the right to:
a) receive prior information on the processing of their data (right to prior information);
b) access their personal data processed by the Controller and the related information (right of access);
c) request the erasure of their personal data (right to erasure);
d) have inaccurate data rectified or incomplete data completed at their request (right to rectification);
e) obtain the restriction of the processing of their data (right to restriction of processing);
f) receive their data in a structured, commonly used, machine-readable format or have them transmitted to another controller (right to data portability);
g) object to the processing of their data (right to object);
h) claim compensation for material or non-material damage suffered as a result of unlawful processing (right to compensation);
i) initiate administrative and/or judicial proceedings in order to seek redress (right to remedy).
5.1. Right to prior information
The data subject has the right to be informed of the facts and information relating to the processing before the processing begins. When providing the information and choosing the form of communication, we always take into account the way in which we are in contact with the data subjects.
In order to fulfil this obligation, our Privacy Notice contains all the mandatory and recommended information specified in Articles 13 and 14 of the GDPR, for which we use a template and which we draw up in accordance with Article 12 of the GDPR in a concise, transparent and intelligible form. Where the personal data have not been obtained from the data subject, we provide the information:
a) taking into account the specific circumstances of the processing of personal data, within a reasonable period of time from the date of obtaining the personal data, but not later than one month;
b) where we use personal data for the purpose of communicating with the data subject, at least at the time of first contact with the data subject;
c) if we are expected to disclose the data to another recipient, at the latest when the personal data is communicated for the first time.
We have no prior information obligation where:
a) the data subject already has the information;
b) the provision of such information proves impossible or would require disproportionate effort, or where the obligation to provide information would make it impossible or seriously jeopardise the achievement of the purposes of such processing;
c) the acquisition or disclosure of the data is expressly provided for in Union or Member State law applicable to the controller, which provides for appropriate measures to protect the legitimate interests of the data subject;
d) personal data must remain confidential on the basis of an obligation of professional secrecy imposed by Union or Member State law, including statutory confidentiality.
5.1.1. Information to be provided where personal data are collected from the data subject
Where personal data relating to the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time of obtaining the personal data:
a) the identity and contact details of the controller and, if any, of the controller’s representative;
b) the contact details of the DPO, if any;
c) the purpose of the intended management of personal data and the legal basis for the management;
d) in the case of processing based on Article 6 (1) (f) of the GDPR Regulation (legitimate interest enforcement), the legitimate interests of the controller or third party;
e) where applicable, the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of a Commission adequacy decision, or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
In addition to the above information, as data controller, at the time when the personal data are obtained, we provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the duration of the storage of personal data or, if that is not possible, the criteria for determining that period;
b) the right of the data subject to request from the controller access to, rectification, erasure or restriction of management of personal data concerning him, and to object to the management of such personal data and to the data subject’s right to data portability;
c) in the case of processing based on Article 6 (1) (a) of the GDPR Regulation (consent of the data subject) or Article 9 (2) (a) (consent of the data subject), the right to withdraw consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal;
d) the right to lodge a complaint addressed to the supervisory authority;
e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for concluding a contract, whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide the data;
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where we intend to further process the personal data for a purpose other than that for which they were collected, we provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information referred to in Article 13(2) of the GDPR.
The above information need not be provided where and in so far as the data subject already has it (Article 13(4) of the GDPR).
5.1.2. Information to be provided where the personal data have not been obtained from the data subject
Where we have not obtained the personal data from the data subject, as data controller we provide the data subject, in addition to the information described in point 5.1.1, with the following:
a) the source from which the personal data originate and, where applicable, whether they came from publicly accessible sources.
5.1.3. Issue and provision of information to be provided
We make the form for exercising each right available separately; their availability is indicated in our Privacy Notice.
Each form, drawn up on a separate sheet, contains information on the right concerned and on the procedure for exercising it.
We provide the information above and take the measures relating to the rights set out in the following sections free of charge. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, our Company may, having regard to the administrative costs of providing the information or taking the action requested:
a) Our company may charge a reasonable fee or
b) refuse to act on the application.
The burden of demonstrating that a request is manifestly unfounded or excessive lies with our Company.
These tasks are performed within our organisation by the internal data protection representative. Where we have designated a Data Protection Officer pursuant to Article 37 of the GDPR and that officer alone performs our data protection tasks, the officer is responsible for communicating with data subjects and for assessing and handling their requests. The appointment of the Data Protection Officer is governed by the Data Protection Officer Policy.
As data controller, we provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, we may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information is provided in a commonly used electronic form, unless otherwise requested by the data subject. The right to obtain a copy must not adversely affect the rights and freedoms of others.
5.2. The data subject ‘s right of access
The data subject shall have the right to receive feedback from the controller as to whether his personal data are being processed and, if such processing is in progress, he shall have the right to obtain access to the personal data and to the following information:
a) the purposes of data management;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular the recipients in third countries or international organisations;
d) where applicable, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
e) the right of the data subject to request from the data controller the rectification, erasure or restriction of management of personal data relating to him and to object to the management of such personal data;
f) the right to lodge a complaint addressed to a supervisory authority;
g) where the data were not collected from the data subject, any available information on their source;
h) the fact of the automated decision-making process referred to in Article 22 (1) and (4), including profiling, and at least in such cases, comprehensible information on the logic used and the significance of such processing and the expected consequences for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed thereof.
5.3. Right to erasure (“right to be forgotten”)
The data subject has the right to ask our Company to erase personal data concerning him or her without undue delay, and as data controller we are obliged to erase the personal data concerning the data subject without undue delay where any of the following grounds applies:
a) personal data are no longer required for the purpose for which they were collected or otherwise processed;
b) the data subject withdraws his consent on which the processing is based pursuant to Art. 6 (1) (a) or Article 9 (2) (a) GDPR Regulation and there is no other legal basis for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data are unlawfully processed by the controller;
e) the personal data must be erased in order to comply with a legal obligation imposed by Union or Member State law applicable to the controller;
f) the personal data were collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
We are not obliged to erase the data where processing is necessary:
a) for the purpose of exercising the right to freedom of expression and information;
b) to fulfil an obligation under Union or Member State law applicable to the controller to process personal data, or to carry out a task in the public interest or in the exercise of a public authority conferred on the controller;
c) in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the GDPR Regulation on grounds of public interest in the field of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
5.4. Right to rectification
The data subject has the right to have inaccurate personal data concerning him or her rectified by our Company without undue delay upon request. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of a supplementary statement.
When our staff rectify or complete personal data, they inform each controller or processor to whom those personal data have been transmitted of the rectification.
5.5. Right to restrict data processing
The data subject has the right to obtain from our Company the restriction of processing where any of the following applies:
a) the data subject contests the accuracy of the personal data, in which case the restriction relates to the period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to management pursuant to Art. 21 (1) GDPR: in this case the restriction applies to the period until it is established whether the legitimate grounds of the controller take precedence over the legitimate grounds of the data subject.
Where the processing is subject to a restriction under this point, such personal data, with the exception of storage, may be processed only with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the Union or a Member State.
As data controller, we inform the data subject in advance about the lifting of the restriction of data processing, at whose request we have restricted the processing of data pursuant to the above point.
5.6. The right to data portability
The data subject has the right to receive the personal data concerning him or her which he or she has provided to our Company in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from our Company, where:
a) the processing is based on consent pursuant to Art. 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b) GDPR; and
b) data processing is carried out in an automated manner.
In exercising the right to portability of data in accordance with the above point, the data subject shall have the right to request, where technically feasible, the transfer of personal data between controllers.
The exercise of this right should be without prejudice to Article 17 of the GDPR Regulation, so that right does not apply where processing is in the public interest or is necessary for the performance of a task carried out in the exercise of its public powers conferred on the controller.
The right to data portability should not adversely affect the rights and freedoms of others.
5.7. Right to object
The data subject shall have the right to object at any time, on grounds relating to his particular situation, to the processing of his personal data where the legal basis of the processing is:
a) Article 6 (1) (e) GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller), or
b) Article 6 (1) (f) GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party), including profiling based on those provisions.
In this case we, as data controller, may no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him for such marketing, including profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for that purpose.
The right to object shall be explicitly brought to the attention of the data subject at the latest at the time of the first communication with him and shall be presented clearly and separately from any other information.
Where personal data are processed for scientific and historical research purposes or statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the processing of personal data relating to him on grounds relating to his or her situation, except if the processing is necessary in order to perform a task carried out for reasons of public interest.
Decisions shall not be based on special categories of personal data referred to in Article 9 (1) GDPR unless Article 9 (2) (a) or (g) applies and suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject have been taken.
As data controller, we examine the objection as soon as possible, and no later than 15 days from the submission of the request, decide on its merits and inform the applicant of the decision in writing.
If we, as data controller, find the data subject's objection justified, the processing, including further data collection and data transfer, shall be terminated and the data blocked, and we shall notify all those to whom the personal data concerned by the objection have previously been transferred and who are obliged to take action to enforce the right to object.
5.8. Objection to automated decision-making (including profiling)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him.
This right does not apply if the decision:
a) is necessary for the conclusion or performance of a contract between the data subject and the controller;
b) is made possible by Union or Member State law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
c) is based on the explicit consent of the data subject.
In the cases referred to in points (a) and (c), we, as data controller, are obliged to implement suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to obtain human intervention on our part, to express his or her point of view and to contest the decision.
5.9. The data subject’s right to information about the personal data breach
Where the personal data breach is likely to entail a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.
The information provided to the data subject shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and measures referred to in Article 33 (3) (b), (c) and (d) GDPR.
We are not required to inform the data subject of the personal data breach if any of the following conditions is met:
a) as data controller, we have implemented appropriate technical and organisational protection measures and have applied those measures to the data affected by the personal data breach, in particular those measures, such as the use of encryption, which make the data unintelligible to persons who are not authorised to have access to data;
b) as data controller, we have taken further measures following the personal data breach to ensure that such high risk to the rights and freedoms of the data subject is no longer likely to materialise;
c) the information would require a disproportionate effort. In such cases, data subjects are informed through publicly published information or similar measures are taken to ensure that data subjects are equally effectively informed.
If the Company has not yet communicated the personal data breach to the data subject, the supervisory authority, having considered whether the personal data breach is likely to result in a high risk, may require us to do so or may decide that one of the above conditions is met.
5.10. Right to complain to the supervisory authority
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him infringes the Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the Regulation.
5.11. Right to compensation
If the data controller violates the personality rights of the data subject by unlawfully processing the data subject's personal data or by breaching the requirements of data security, the data subject may claim damages from the controller.
The data processor shall be exempt from liability for damages if it proves that it acted in accordance with the legal requirements and the instructions of the controller.
No damages need be paid and no claim may be brought if we, as data controller, prove that the damage or the violation was caused by an unavoidable cause outside the scope of the processing, or by the intentional or grossly negligent conduct of the injured person, or if we prove that we are in no way responsible for the event giving rise to the damage.
The data subject may initiate an investigation with the Supervisory Authority if he considers that, as a controller, we unreasonably restrict the enforcement of the rights set out in the above points, or a request for the enforcement of these rights is rejected by us.
The data subject may initiate the regulatory procedure of the Supervisory Authority if it considers that the controller or its processor violates the relevant legal requirements during the processing.
The data subject may go to court against the controller or his processor if he considers that the controller or his processor infringes the applicable legal requirements during the processing.
The court having jurisdiction over the lawsuit is determined by Act CXXX of 2016 on the Code of Civil Procedure; at the option of the data subject, the lawsuit may also be brought before the court of his or her place of residence or stay.
5.13. Right to an effective judicial remedy against a supervisory authority
Without prejudice to other administrative or non-judicial remedies, every natural or legal person shall be entitled to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him.
Without prejudice to other administrative or non-judicial remedies, each data subject shall have the right to an effective judicial remedy where the supervisory authority competent pursuant to Articles 55 or 56 of the Regulation does not handle a complaint lodged pursuant to Article 77 or does not inform the data subject within three months of the progress or outcome of that complaint.
Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
Where proceedings are brought against a decision of the supervisory authority on which the Board has previously issued an opinion or has taken a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
5.14. Right to an effective judicial remedy against the controller or the data processor
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he considers that his rights under the Regulation have been infringed as a result of the processing of his personal data in non-compliance with the Regulation.
Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Union or Member State law to which the controller or processor is subject may, by way of a legislative measure, restrict the scope of the obligations and rights provided for in Articles 12 to 22 GDPR (rights of data subjects) and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, where such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
a) national security; defence; public security;
b) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions, including protection against and prevention of threats to public security;
c) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and tax matters, public health and social security;
d) the protection of judicial independence and judicial proceedings;
e) in the case of regulated professions, the prevention, investigation, detection and prosecution of ethical offences;
f) control, inspection or regulatory activity related to the performance of public authority functions;
g) the protection of the data subject or the protection of the rights and freedoms of others;
h) enforcement of civil law claims.
The abovementioned legislative measures shall, where appropriate, contain detailed provisions at least on:
a) the purposes of the processing or the categories of processing,
b) the categories of personal data,
c) the scope of the restrictions imposed,
d) the safeguards to prevent abuse or unlawful access or transfer,
e) the definition of the controller or the definition of the categories of controllers,
f) the duration of data storage and the applicable guarantees, taking into account the nature, scope and purposes of the processing or categories of processing,
g) the risks to the rights and freedoms of data subjects, and
h) the right of data subjects to be informed of the restriction, unless this could adversely affect the purpose of the restriction.
7. Rules for the transfer of data
7.1. General rules for the transfer of data
The Company may transfer personal data to a third party (a person other than the Company and the data subject) if the transfer is not prohibited by law and is carried out on an appropriate legal basis, for a specified purpose and in compliance with the data security rules.
7.2. Specific rules for the transfer of data abroad (international transfer)
7.2.1. The European Economic Area (hereinafter: EEA)
The transfer of data to an EEA Member State shall be treated as if it took place within the territory of Hungary.
7.2.2. Third country (non-EEA Member State)
Personal data may be transferred to a controller or processor in a third country:
a) on the basis of an adequacy decision of the European Commission,
b) where the recipient controller or processor provides appropriate safeguards for the processing of the data (e.g. an approved code of conduct or approved certification mechanism, binding corporate rules), or the competent supervisory authority authorises the transfer,
c) in the case of derogations for specific situations.
As data controller, we may transfer personal data to a third country only in compliance with the relevant requirements of the GDPR governing the processing of personal data between our Company and the recipient in the third country concerned. Data subjects may exercise the enforcement possibilities provided under those rules with regard to any such transfer.
7.2.3. Derogation concerning a special situation
In the absence of an adequacy decision pursuant to Art. 45 (3) GDPR or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only if at least one of the following conditions is met:
a) the data subject has consented to the transfer after being informed of the possible risks arising from the transfer arising from the absence of an adequacy decision by the Commission of the European Union and appropriate safeguards,
b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the request of the data subject,
c) the transfer is necessary for the conclusion or performance of a contract between the controller and another natural or legal person in the interest of the data subject,
d) the transfer of data is necessary for important reasons of public interest,
e) the transfer of data is necessary for the establishment, enforcement and defence of legal claims,
f) the transfer of data is necessary for the protection of the vital interests of the data subject or of another person and the data subject is physically or legally unable to give consent,
g) the data transmitted originate from a register which is intended to inform the public under Union or Member State law and which is accessible for consultation either by the public in general or by any person demonstrating a legitimate interest in this respect (if the conditions laid down by law for inspection are fulfilled).
Where none of the conditions listed in the preceding point applies, a transfer to a third country may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests, rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the transfer and has on the basis of that assessment provided suitable safeguards for the protection of the personal data.
In the event of such a transfer, the controller shall inform the data subject of the transfer and of the compelling legitimate interests pursued within 3 working days.
7.3. Rules for the use of data processors
7.3.1. Data processing activities may be carried out by natural or legal persons on the basis of a contract concluded by our Company using the text of the “Data Processing Contract Addendum”, and in accordance with the written instructions of our Company.
7.3.2. The essential requirements for the data processing shall be laid down in the relevant contract; the primary signatory is responsible for fixing those requirements in the contract and for monitoring their fulfilment under the contract.
8. Incident Management
Our obligation to inform data subjects of personal data breaches is set out in clause 5.9 of this Policy. A separate policy, the Privacy Incident Management Policy, governs the handling of incidents.
The Privacy Incident Management Policy contains the full procedure for handling a personal data breach, including:
• closure of the investigation, inspection report and action plan;
• implementation and follow-up of measures;
• registration, and
• the necessary forms.
9. Data security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
• pseudonymization and encryption of personal data;
• ensuring the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
• in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner;
• a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of the processing.
In determining the appropriate level of security, we take explicit account of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. Accordingly, in all cases we strive to take technical, technological and physical measures that effectively protect the data and prevent data leakage, data loss, data theft and external attacks.
As data controller, we ensure the security of the data throughout our organisation and every department. To this end, we take the technical and organisational measures necessary to enforce the laws, data protection and confidentiality rules governing each specific processing, both for data stored in electronic information systems and for traditional paper-based data files stored on data carriers.
We use procedures and technical means to protect the data against unauthorised access, alteration, transmission, disclosure, deletion or destruction, against accidental destruction or damage, and against becoming inaccessible as a result of changes in the technology used.
The details of electronic information security and the processing of documents containing personal data are governed by the regulations listed in Annex 1 to this Policy.
10. Recording of data processing
If the Company intends to introduce a new processing operation or modify an existing one, the head of the department concerned, or the employee designated by him, shall notify the Data Protection Responsible or the Data Protection Officer by electronic means, describing the new or modified processing, no later than 5 working days after the start of the new or modified processing. Following the notification, the person responsible for the processing register shall, in cooperation with the notifier, amend or supplement the processing register.
In order to fulfil the above obligations, “Asset Inventories” are kept in accordance with Article 30 GDPR, and we have developed a Data Management Procedure in addition to our internal data management processes.
The data protection responsible/data protection officer is responsible for keeping the data processing records up to date. As data controller, we take all reasonable steps to track the data and the related processing correctly and to carry changes over to the relevant registers in a timely manner.
The controller shall keep a record of the processing activities of the data controller (hereinafter: Records). The Records summarises the individual data processing activities and includes for each processing:
• the purpose of the processing;
• the legal basis for data processing;
• the categories of data subjects;
• the scope of the data processed;
• information on the transfer, including processors, joint controllers, recipients, third parties, recipients in third countries;
• the duration of the processing;
• its integration into the operational system (description of relevant technical and organisational measures);
• other information.
11. Data protection impact assessment
Where processing is likely to entail a high risk to the rights and freedoms of natural persons, we will conduct a data protection impact assessment of how processing operations affect the protection of personal data. Data Protection Impact Assessment is preceded by a risk assessment.
12. Designation of Data Protection Officer
Our company has reviewed Article 37 GDPR with regard to the designation of a DPO and concluded that it is mandatory for us to appoint a data protection officer.
Our company wishes to regulate the provisions relating to the data protection officer in one place, taking into account the full fulfilment of the rights and legitimate interests of the data subjects.
13. Obligation of confidentiality
The obligation of confidentiality applies, without limitation, to the persons carrying out the processing, such as our employees, processors or persons involved in the processing activities of any kind.
We hold the privacy of your personal information in the highest regard.
We provide legal guarantees to this effect through Statements signed by our employees and through contracts with our partners, confirming their responsibility in this respect.
Access to personal data may only be granted to those who need to know it in order to perform their duties or perform the contract.
Persons carrying out the processing shall undertake not to disclose the personal data processed, not to make it available to unauthorised third parties, and to protect it against unauthorised acquisition, access, use, modification, deletion, destruction or communication to unauthorised persons.
The obligation of confidentiality does not apply to personal data whose disclosure is required by law, or whose disclosure the data controller has consented to in advance.
14. Closing stipulations
In respect of matters not regulated in these regulations, the provisions of the GDPR Regulation shall be followed and the mandatory documents of the Supervisory Authority shall be taken into account.
15. Annexes – Table of Contents
Documents related to data management and data protection.
The table of contents of policies, documents, registers, forms and template texts developed for the processing of data.
1. Request for access
2. Request for rectification
3. Restriction of data processing request
4. Request for data portability
5. Application for objection
6. Request for erasure
7. Request for withdrawal of consent