+36 33 542 400 info@summit-dv.hu 2500 Esztergom, Dobogókői út 35.

GDPR Policy

Summit D&V Ltd.

DATA PROCESSING POLICY

23_v2

Administration Department

22 July, 2020.

 

CHAPTER I.

 

A/      GENERAL PROVISIONS

 

§ 1.    Introduction

 

This Policy lays down the internal rules of Summit D & V Kft. (registered seat: 2500 Esztergom, Dobogókői út 35., registration number: 11-09-009638, tax identification number: 11831015-2-11; hereinafter: Summit D & V or Company) on data processing activities in order to comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data and repealing Directive 95/46/EC (hereinafter: Regulation or GDPR).

 

Establishment and amendment of this Policy belongs to the power of the managing director.

 

This Policy has been prepared taking also into consideration that the Company is a member of Sumitomo group, its sole shareholder is Sumitomo Corporation (registered seat: OTEMACHI PLACE EAST TOWER 3-2 Otemachi 2-Chome, Chiyoda-ku, Tokyo 100-8601, Japan, registration number: 0199-01-008692, registering authority Tokyo Legal Affairs Bureau, hereinafter: Mother Company).

 

Therefore, in the course of data processing the Company is going to cooperate, if necessary, with the Mother Company and other corporations of the company group (hereinafter: Connected Companies).

 

§ 2.    Purpose of the Policy

 

1.   The purpose of this Policy is to establish those internal rules and implement measures that are to ensure the compliance of the Company’s data processing activities with the provisions of the Regulation and the InfoAct.

 

2.   An additional purpose of this Policy is to enable the Company to certify its compliance with the Regulation, as well as with the principles relating to processing of personal data (Article 5.).

§ 3.    Scope of the Policy

 

  1. This Policy applies to the processing of personal data of natural persons by the Company.

 

  2. Customers belonging to the categories of private practitioners, private companies, agricultural entrepreneurs, as well as purchasers and suppliers shall be considered natural persons for the purposes of this Policy.

 

  3. The scope of this Policy does not cover the processing of personal data relating to legal entities, including the name and form of the legal entity as well as its contact details (Article 14 of GDPR).

 

§ 4.    Definitions

 

The definitions applicable for the purposes of this Policy are set forth in Article 4. of the Regulation. We highlight the key definitions accordingly:

 

1.   “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

2.   “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

3.   “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;

 

4.   “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

 

5.   “pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

 

6.   “filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

 

7.   “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

 

8.   “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

 

9.   “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

 

10.  “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

 

11.  “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

 

12.  “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

 

B/      SPECIAL PROVISIONS

 

CHAPTER II.

ENSURING THE LAWFULNESS OF THE DATA PROCESSING

 

§ 5.    Data processing under the consent of the data subject

 

1.   Where data processing is based on the consent of the data subject, that consent should be requested on a separate data sheet (Annex III.).

 

2.   Consent shall be considered given also if the data subject ticks a box when visiting an internet website, chooses technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

 

3.   Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.

 

4.   If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

 

5.   The Company cannot make the conclusion or performance of a contract dependent on consent to the processing of personal data that are not necessary for such performance.

 

6.   Consent shall be as easy to withdraw as to give.

 

7.   If personal data have been collected with the consent of the data subject, the controller may, unless otherwise provided by law, process the collected data for compliance with a legal obligation to which the controller is subject without any further consent and even after the withdrawal of the consent.

 

8.   The Company will make available its general data processing information (Annex I) for data subjects on its website at menu point About us/Data processing information. The purpose of this information is to inform the data subjects unambiguously and elaborately of any and all facts in connection with the processing of their data in a publicly accessible form prior to commencing the data processing and afterwards continuously such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, if the data subject’s personal data is processed in accordance with Subsection (5) of Section 6 of the InfoAct, and the persons to whom his data may be disclosed. Information shall also be provided on the data subject’s rights and remedies. This data processing information must be made accessible at every material data processing step indicated with a special link (e.g. in case of a registration, prior to the registration, in the course of the registration etc.). The data subjects must be informed of the accessibility of such information.

 

9.   If the processing is necessary for compliance with a legal obligation it is independent from the consent of the data subject because it was set forth by law. In this case the data subject should be informed before the processing that the processing is mandatory and the data subject should also be informed of any and all facts in connection with the processing of their data unambiguously and elaborately, before carrying out the processing, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, if the data subject’s personal data is processed for compliance with a legal obligation to which the controller is subject and the persons to whom his data may be disclosed. Information shall also be provided on the data subject’s rights and remedies. In case of mandatory processing the information can be given through publishing the reference to the legal regulations containing the foregoing information.

 

The list of data processing activities constitutes Annex II. of this Policy.

 

CHAPTER III.

DATA PROCESSING IN CONNECTION WITH EMPLOYMENT RELATIONSHIP

 

§ 6.    Labour and personnel records

 

1.   Only those data may be requested from employees and documented, and only those medical aptitude examinations related to the job function may be carried out, that are necessary for the conclusion, fulfilment or termination of the employment relationship or for providing social and welfare benefits, and that do not infringe the employee’s personality rights.

 

2.   In order to exercise its legitimate employer interests (Article 6. (1) f) the Company shall process the following data of its employees for the purposes of conclusion, fulfilment or termination of the employment relationship:

 

1. name

2. birth name

3. birth date

4. birth place

5. mother’s name

6. gender

7. address

8. citizenship

9. tax identification number

10. SSN

11. pensioner number (in case of retired employees)

12. phone number, phone number of the employee’s relative, if it is requested by the employee

13. e-mail address

14. ID number

15. number of domicile card

16. bank account number

17. online identification (if any)

18. date of entering into employment and termination thereof

19. job function

20. copy of school education certificate or diploma

21. copy of driving license

22. data of previous employment, documents, reference letter

23. photograph

24. CV

25. amount of salary, data in connection with salary and other wage payment

26. name of relative, his/her personal data, address, marriage, birth and death certificate

27. final resolution or certificate verifying lawful reduction from the employee’s salary based on legal regulation or consent

28. appraisal of the employee’s work

29. documents on disciplinary procedures (written warning letters)

30. method and reasons of terminating the employment relationship

31. negative criminal record, depending on the job function

32. summary of the job function aptitude examinations

33. in case of membership in private pension funds or voluntary mutual financial funds the designation of the fund and the membership number of the employee

34. passport number and designation and number of the document authorizing employment in case of employees with foreign citizenship

35. data recorded in minutes on work accidents

36. data for using welfare services and accommodation

37. data recorded by the video surveillance and entering systems used at the Company for security and property safety purposes.

38. data relating to alcohol control

 

3.   Data relating to sickness shall be processed by the Company only for performance of rights and obligations set forth by the Labour Code.

 

4.   The recipients of the personal data are the following: the employer’s managing director, the person exercising the employer’s rights, the employees of the Company responsible for labour matters and the Company’s data processors.

 

5.   Only the data of the managers of the Company can be forwarded to the shareholder of the Company, except for the cases of approving the salary increase and the annual bonus for which purposes the names and wage data of all employees can be forwarded.

 

6.   The retention period of personal data is the following:

a) retention period of data related to employment relationship is unlimited except for

(i) 3 years after termination of the employment in case of data listed in Section 6. § 2.,12.,13.,17.,21.-24., as well as 26.,28.,29.,31., 32., 36. and 38. of this Policy,

(ii) 5 years after termination of the employment in case of data listed in Section 6. § 2. 27., and 35. of this Policy

(iii) 3 days after recording without use of data listed in 6. § 2. 37. For the purposes of this Section use shall mean if the recorded picture or sound or other personal data are to be used as evidence in the course of a judicial process or other official proceedings.

 

7.   The data subject must be informed that the data processing is based on the Labour Code and the exercise of the legitimate interests of the employer.

 

8.   Simultaneously with concluding the employment contract the employee will be informed of his personality rights and the processing of personal data by delivering an Information Letter as of Annex IV.

 

§ 7.    Data processing in connection with aptitude tests

 

1.   An employee may be requested to take an aptitude test if one is prescribed by employment regulations, or if deemed necessary with a view to exercising rights and discharging obligations in accordance with employment regulations. Prior to the examination the employees must be informed in detail of, among other things, the skills and abilities the test is intended to assess, as well as the method and tools of the test to be conducted. If the test is prescribed by law, then the employee must also be informed of the exact title and paragraph of the legal regulation concerned.

 

2.   The test forms focusing on the aptitude and preparedness of the employees can be completed by the employees either prior to entering into the employment contract or during the employment relationship.

 

3.   Completion of test forms suitable for assessing psychological and personality characteristics may be required from major groups of employees only if the tests clearly relate to the employment relationship and aim at better organization of work processes and increasing their efficiency, and only if the resulting data cannot be linked to specific employees, i.e. the data are processed anonymously.

 

4.   Sphere of personal data subject to processing: the existence of job function suitability and the conditions precedent thereto.

 

5.   Legal basis of data processing: the legitimate interests of the employer.

 

6.   Purpose of data processing: establishment and maintenance of employment relationship as well as performing job function.

 

7.   Recipients and categories of recipients of personal data: The outcome of the test can be known by the examined employees and the experts conducting the tests. The employer may only receive information about the fact whether or not the examined employee is apt for the job function concerned and the conditions to be ensured for that. However, the particulars of the test and the full documentation thereof cannot be known by the employer.

 

8.   Retention period of personal data: Three years after termination of the employment relationship.

 

§ 8.    Processing of personal data of employees applying for job, tenders, CVs

 

1.   Sphere of personal data subject to processing: name, birth date and place, mother’s name, address, education details, photograph, phone number and e-mail address of the natural person as well as employer’s notes about the applicant, if any.

 

2.   Purpose of the data processing: application, adjudication of the application, conclusion of employment contract with the selected person. The data subject must be informed of the employer’s decision on not being selected for the job concerned. This information can be communicated in person verbally, by phone or in writing.

 

3.   Legal basis of data processing: consent of the data subject.

 

4.   Recipients and categories of recipients of personal data: the manager exercising employer’s rights at the Company, employees responsible for HR matters and employees vested with decision making or proposal submitting power in the course of application process.

 

5.   Retention period of personal data: Until the adjudication of the application or tender but by the end of the probation period of the job function to be performed. Personal data of applicants not selected must be cancelled.  Personal data of those applicants must also be cancelled who withdrew their applications.

 

6.   The employer may retain the applications only with the express, clear and voluntary consent of the data subject, provided retention thereof is required for a data processing purpose compliant with laws. Such consent should be requested from the applicant after the closure of the application procedure (Annex V.).

 

§ 9.    Data processing in connection with checking the use of E-mail account

 

1.   If an e-mail account is provided by the Company to the employee, whereby both e-mail account and address are meant, this e-mail account and address can be used by the employee exclusively for the purposes of his/her responsibilities under his/her job function so that the employees can keep in touch with each other through this channel or the employees could correspond on behalf of the employer with clients, other persons and entities.

 

2.   The e-mail account cannot be used by the employee for private purposes and personal letters cannot be stored on the account.

 

3.   The employer is entitled to check the full contents and use of the e-mail account regularly, every three months; the legal basis of the data processing in the course thereof is the legitimate interest of the employer. The purposes of the control are checking the compliance with the employer’s instruction on the use of the e-mail account as well as with the employees’ obligations as of Sections 8. § and 52. § of Labour Code.

 

4.   The employer’s managing director and the person vested with exercising the employer’s rights are authorized to conduct the control.

 

5.   Provided the circumstances of the control do not exclude the possibility, the attendance of the employee should be ensured during the control.

 

6.   Prior to starting the control, the employee should be informed of the nature of the employer’s interests of the control as well as the person authorized to conduct the control on behalf of the employer. The employee should also be informed of the rules of the control, obeying the principle of graduation and the steps of the procedure as well as his/her rights and remedies available in connection with the data processing relating to the control of the e-mail account.

 

7.   In the course of the control the principle of graduation should be applied i.e. the address and subject of the e-mail should be examined in order to reveal whether it is connected to the employee’s responsibilities arising from his job function or serves private purposes. Contents of e-mails of non-private purposes can be controlled by the employer without limitation.

 

8.   If, contrary to the provisions of this Policy, it is established that the e-mail account was used by the employee for private purposes, he should be called upon to delete the personal data without delay. In case of the absence of the employee or his lack of cooperation the personal data will be deleted by the employer during the control. Labour law consequences can be applied by the employer against the employee for using the e-mail account contrary to the provisions of this Policy.

 

9.   The employee may exercise his rights in connection with data processing connected to the control of his e-mail account in compliance with the provisions of this Policy on the rights of data subjects.

 

§ 10.  Data processing in connection with control of computers, laptop, tablet

 

Computers, laptops and tablets provided by the Company to the employee for working purposes can be used by the employee exclusively for the purposes of his/her responsibilities under his/her job function. The use of the same for private purposes is prohibited by the Company so the employee is not entitled to process and store any of his correspondence and personal data on these tools. The stored data on these tools can be checked by the employer. As regards the control of these tools and the legal consequences the provisions of foregoing Section § 9. shall prevail.

§ 11.  Data processing in connection with the control of the use of internet at work place

 

1.   The employee is entitled to visit only those websites that are connected to his responsibilities under his job function. The use of internet for private purposes is prohibited by the Company.

 

2.   Where an internet registration is made on behalf of the Company as part of the employee’s job responsibilities, the Company becomes the beneficiary of the registration, and an identifier and password referring to the Company must be used for the registration. If disclosure of personal data is also needed for the registration, the Company is obliged to apply for the erasure thereof once the employment relationship has been terminated.

 

3.   The employee’s internet use at work place can be checked by the employer. As regards the legal consequences the provisions of foregoing Section § 9. shall prevail.

 

§ 12.  Data processing in connection with the control of using the Company mobile phones

 

1.   Private purpose use of the Company mobile phones is not allowed by the Company. The mobile phone can only be used for purposes in connection with work performance and the employer is entitled to check the phone number and data of any and all outbound phone calls as well as the stored data of the mobile phone.

 

2.   The employee must report to the employer if he used the Company mobile phone for private purposes. In this case the control can be so conducted that a detailed list of outbound calls is required by the employer from the service provider and the employee is invited to make the phone numbers of private purposes unrecognisable. The employer may lay down that the costs of private purpose calls must be borne by the employee.

 

3.   Otherwise, as regards the control and the legal consequences the provisions of foregoing Section § 9. shall prevail.

 

§ 13.  Data processing in connection with entering and leaving the work place

 

1.   If a non-electronic entrance system is operated, an information letter must be published about the person in charge of data processing and the manner of data processing.

 

2.   The sphere of personal data subject to processing: name of the natural person, name of the company represented by him, the name of the employee visited, the plate number of the car, the time of entrance and leave.

 

3.   Legal basis of data processing: the enforcement of the employer’s legitimate interests.

 

4.   Purpose of the data processing: property protection, performance of contracts, fulfilment of employee obligations.

 

5.   Recipients and categories of recipients of personal data: the person exercising the employer’s rights, the employees of the Company responsible for labour matters and the employees of the Company’s data processor in its capacity as property protection agent.

 

6.   Retention period of personal data: 6 months.

 

7.   The employer is entitled to check whether the employee is under the influence of alcohol. The employee is required to cooperate in the alcohol check carried out by the employer.

 

§ 14.  Data processing in connection with video surveillance at work place

 

  1. In order to protect human life, safety and personal freedom, as well as business secret and personal property electronic surveillance system is operated by the Company at its registered seat, business establishment and premises open for receiving visitors which is suitable for sound and video recording under which the camera records also the attitude of the data subject to the considered personal data.

 

2.   Legal basis of this data processing: the enforcement of the employer’s legitimate interests and the consent of the data subject.

 

3.   An information document and symbol calling the attention of third parties intending to appear at the site must be placed in a well visible location and legible form about the use of electronic surveillance system. The information should be given in case of each camera. This information should contain the following: the fact of surveillance via electronic property protection system, purpose of recording and storing video and sound recordings on personal data, legal basis of the data processing, the location of storing recordings the retention period, the person in charge with applying and operating the system, the categories of persons authorized to know the data as well as information on provisions about the rights of data subjects and the enforcement thereof.

 

4.   Sound and video recordings of third parties entering the surveilled area, such as clients, visitors and guests, can be made and processed only with their consent. Such consent can also be given by implicit conduct. Implicit conduct means in particular that the person enters the surveilled area in spite of the information and symbol about the application of the electronic surveillance system.

 

 

6.   Those whose rights or legal interests are concerned by the sound and/or video recording may request, within 3 working days from the recording and by certifying their rights or legal interests, that the data not be erased or deleted.

 

7.   Application of the electronic surveillance system is not allowed at those premises where the surveillance might violate personal integrity, such as dressing rooms, bathrooms, restrooms and medical premises and the visitor’s hall belonging thereto. The same applies to premises which are designated for employees to stay during breaks.

 

8.   The following persons are authorized to see the recorded data through the electronic surveillance system beyond those entrusted by law: staff operating the system for detecting the unlawful actions and checking the system as well as the managing director of the employer and his substitute and the site manager of the surveilled area.

CHAPTER IV.

DATA PROCESSING CONNECTED TO CONTRACTS

 

§ 15. Processing of contracting parties’ data – filing system on buyers and suppliers

 

1.   Under legal basis of fulfilment of contracts the following data of those natural persons are processed by the Company for purposes of conclusion, fulfilment and termination of contracts or offering contractual benefits who entered into contract with the Company as buyers or suppliers: name, birth name, birth place and date, mother’s name, address, tax identification number, entrepreneurial and agricultural number, ID number,  registered seat or premises, phone number, e-mail address, web-site, bank account number, customer number  (client number, order number), online identification number, (list of buyers, suppliers, lists of stem purchasers). Such data processing will qualify as lawful even if the data processing is necessary for taking steps prior to entering into contract under the request of the data subject. Recipients of the personal data: employees and data processors of the Company responsible for client service, accounting and taxation. Retention period of personal data: 5 years after termination of the contract.

 

2.   Before commencement of data processing the data subject natural person must be informed of the legal basis of data processing which is performance of contract. Such information may be provided also within the contract. The data subject must be informed of forwarding his personal data to data processors.

 

§ 16. Contact details of natural persons representing customers, buyers and suppliers that qualify as legal persons

 

1.   Sphere of personal data subject to processing: name, address, phone number, e-mail address and online identification number of the natural person.

 

2.   Purpose of the data processing: performance of contracts concluded with the Company’s business partners qualifying as legal person, and keeping in touch with them. The data subject’s consent constitutes the legal basis of data processing.

 

3.   Recipients and categories of recipients of personal data: employees of the Company responsible for client service.

 

4.   Retention period of personal data: until 5 years following the existence of the business relationship or the capacity of the data subject being representative.

 

5.   When the data are collected, the data subject should sign a statement. The contents of such statement must be communicated to the data subject by the employee in contact with the client, the buyer or the supplier, and the data subject’s consent to the processing of his personal data must be requested through the execution of the statement. The statement must be saved during the retention period.

 

§ 17.  Data processing of visitors at the website of the Company – information about application of cookies

 

1.   Cookies are short text files that are placed by the visited website on the user’s terminal equipment. The purpose of cookies is to facilitate infocommunication and internet services and make them more comfortable to use. There are various types, but usually they are classified in two groups. The first is the temporary cookie, which the website places on the visitor’s terminal equipment just for one specific process (e.g. security identification during internet banking). The other type is the permanent cookie (e.g. language of a website), which remains on the terminal equipment until the user deletes it. Under the directives of the European Commission cookies may be placed on the equipment of the user only with the consent of the user unless they are inevitably necessary for using the service concerned.

 

2.   In case of cookies not requiring the user’s consent, the information must be given at the first visit of the website. The full text of the information should not be displayed at the website. A short summary of the substance of the information published by the operators of the website is sufficient, with a reference to the full information through a link.

 

3.   In case of cookies subject to consent, the information can be connected to the first visit of the website even if the data processing relating to the application of cookies commences with visiting the page. If the application of cookies is connected to the use of a function expressly requested by the user, the information can be displayed in connection with the use of this function. In this case the full text of the information should not be displayed at the website. A short summary of the substance of the information published by the operators of the website is sufficient, with a reference to the full information through a link.

 

4.   Visitors must be informed of the use of cookies at the website. Through this information the Company ensures that visitors can get acquainted with the purposes of data processing and the types of data processed, including the processing of data not directly connected to the user, even before using the information society services of the website and at any time afterwards.

 

CHAPTER V.

DATA PROCESSING BASED ON LEGAL OBLIGATIONS

 

§ 18. Data processing for complying with taxation and accounting obligations

 

  1. Under the legal basis of complying with legal obligations, in order to perform taxation and accounting obligations set forth by law (bookkeeping, taxation) the Company will process the data, specified by law, of natural persons entering into a business relationship with it as buyers and suppliers. The data processed under Sections § 169. and § 202. of Act CXXVII. of 2017. are especially: tax number, name, address, tax status. The data processed under Section § 167. of Act C. of 2000 are especially: name of the person or body ordering the economic transaction, signatures of persons effecting payment and verifying execution, as well as, depending on the organization, the signature of the inspector; in documents of movements of inventories and liquid assets receipts, the signature of the recipient, and the signature of payer in counter-receipts. The data processed under Act CXVII. of 1995 are the following: number of entrepreneurial certificates, number of agricultural certificate and tax identification number.

 

2.   Retention period of personal data: 8 years after termination of the legal relationship serving for legal basis of data processing.

 

3.   Recipients and categories of recipients of personal data: employees and data processors of the Company responsible for taxation, accounting, payroll and social security tasks.

 

§ 19.  Data processing as payer

 

  1. Under the legal basis of fulfilment of legal obligations, the Company shall process the personal data of those data subjects, including employees, their relatives, any other hired or occupied persons, with whom it stands in a legal relationship as payer (Section § 31.7. of Act CL. of 2017, „Art”). The purpose of this data processing is to comply with the obligations to pay taxes and contributions set forth by law, such as determination of taxes, tax advances, contributions, payroll activities, social security and pension management. The data processed are specified by Section 50 § of Art, highlighting the following: the natural identification data of natural persons including the previous name and title, gender, citizenship, tax identification number, social security number (SSN). If legal consequences are connected by tax laws, the Company may process the health and trade union membership data (§ 40 and § 47 (2) b/ of Szja) of the employees for the purposes of paying taxes and contributions (payroll, social security management).

 

2.   Retention period of personal data: 8 years after termination of the legal relationship serving as legal basis.

 

3.   Recipients and categories of recipients of personal data: data processors and employees of the Company responsible for taxation, payroll and social security (paying) tasks.

 

§ 20.  Data processing of documents with durable value under Act on Archives

 

  1. For compliance with its legal obligation, the Company processes the documents that qualify as documents with durable value under Act LXVI of 1995 on public records, public archives and the protection of private archives, for the purposes of preserving the durable value of the archival material of the Company intact and in a usable state for future generations. Retention period: until its delivery to the public archives.

 

2.   The Act on Archives shall govern the addressee of the personal data and other issues of data processing.

 

§ 21.  Data processing for the purposes of complying with legal obligations against money laundering

 

  1. The Company processes the following data of its clients, their representatives and beneficial owners for the purposes of complying with its legal obligations as specified in Act No. LIII. of 2017 on prevention and combating of money laundering and terrorist financing: natural persons’

a) first name and surname,

b) birth first name and surname,

c) citizenship,

d) birth place and date,

e) mother’s maiden name,

f) address, in lack of that place of residence,

g) type and number of identification card and certificate on permanent residence as well as the photocopy of documents presented (7. §).

 

2.   Recipients of personal data: managing director and those employees of the Company who are responsible for customer service tasks as well as the person designated by the Company pursuant to Pmt.

 

3.   Retention period of personal data: 8 years after the termination of the business relationship or the fulfilment of the transaction assignment (Pmt. 56. § (2)).

 

CHAPTER VI.

PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

 

§ 22.  Principles relating to processing of personal data:

 

Personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to the data subject. To this end the Company discloses to its clients and employees an information letter containing the data protection rules applied in the course of business and internal procedures (principle of “lawfulness, fairness and transparency”).

 

2.   Personal data may be collected for specified, explicit and legitimate purposes and further processed in a manner that is compatible with those purposes (principle of “purpose limitation”).

 

3.   Data processing must always be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of “data minimisation”).

 

4.   The data processed must be accurate and, where necessary, kept up to date during the whole work procedure; therefore the Company will take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (principle of “accuracy”).

 

5.   The personal data must be kept by the Company for no longer than is necessary for the purposes or the existence of the legal basis for which the personal data are processed, except for the case when further data processing is required by law (principle of “storage limitation”).

 

6.   The Company will take care that the personal data are processed in a manner that ensures security thereof via appropriate technical or organizational measures against occurrence of data protection incidents (principle of “integrity and confidentiality”).

 

7.   The Company shall be responsible for, and be able to demonstrate that its data security provisions and practice based on the foregoing are compliant with the rules of InfoAct and GDPR (principle of “accountability”).

 

CHAPTER VII.

THE DATA SUBJECT’S RIGHTS

 

§ 23.  Summary information on the data subject’s rights

 

This Section, for the purposes of transparency, briefly summarizes the data subject’s rights; the detailed explanation of these rights, together with the method of exercising them, is given in the next Section.

 

Right to get prior information

The data subject shall have the right to get information about the facts and information connected to data processing before commencement of data processing (Articles 13-14 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed.

Detailed information on the relevant provisions is set forth in the next Section.

 

 

Right to rectification

The personal data processed must be accurate and kept up to date. The Company shall take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (Article 16 of GDPR).

 

Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies (Article 17 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the conditions specified in the Regulation applies (Article 18 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it (Article 19 of GDPR).

 

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, pursuant to the terms and conditions set forth by the Regulation (Article 20 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (Article 21 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Restrictions

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 (Article 23 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay (Article 34 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Right to lodge a complaint with a supervisory authority (Right to official remedy)

The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation (Article 77 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Right to an effective judicial remedy against a supervisory authority

Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

If the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant (Article 78 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

Right to an effective judicial remedy against a controller or processor

Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation (Article 79 of GDPR).

Detailed information on the relevant provisions is set forth in the next Section.

 

§ 24.  Detailed information on the rights of the data subjects

 

Right to prior information

 

The data subject shall have the right to get information about the facts and information connected to data processing before commencement of data processing.

 

A)        Information to be provided where personal data are collected from the data subject

 

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or by a third party;

 

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

 

 

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

 

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

B)        Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) the categories of personal data concerned;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

 

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

e) the right to lodge a complaint with a supervisory authority;

f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

 

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

 

5. Paragraphs 1 to 4 shall not apply where and insofar as:

a) the data subject already has the information;

b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 (1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy (Article 14 of GDPR).

 

 

Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

 

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others (Article 15 of GDPR).

 

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

 

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

 

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims (Article 17 of GDPR).

 

 

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted (Article 18 of GDPR).

 

Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

b) the processing is carried out by automated means.

 

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

 

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others (Article 20 of GDPR).

 

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

 

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

 

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

 

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21 of GDPR).

 

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

2. Paragraph 1 shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

 

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

 

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place (Article 22 of GDPR).

 

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

a) national security;

b) defence;

c) public security;

d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

f) the protection of judicial independence and judicial proceedings;

g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

i) the protection of the data subject or the rights and freedoms of others;

j) the enforcement of civil law claims.

 

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

a) the purposes of the processing or categories of processing;

b) the categories of personal data;

c) the scope of the restrictions introduced;

d) the safeguards to prevent abuse or unlawful access or transfer;

e) the specification of the controller or categories of controllers;

f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

g) the risks to the rights and freedoms of data subjects; and

h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction (Article 23 of GDPR).

 

Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

 

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33 (3).

 

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

 

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met (Article 34 of GDPR).

 

Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

 

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 (Article 77 of GDPR).

 

3. If your rights have been infringed in connection with processing of your data by the Company you have to lodge your complaint with the following competent authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság

Website: http://naih.hu

Postal address: 1530 Budapest, P.O.: 5.

E-mail: ugyfelszolgalat@naih.hu

Phone number: +36 (1) 391-1400

 

4. In case of any assumed infringement of rights in connection with processing of their data any and all data subjects are entitled to institute a legal action also at the competent courts of justice, in case of the Company at Tatabánya Court of Justice, in the capital city at the Metropolitan Court of Justice.

 

 

 

 

 

Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

 

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

 

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

 

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court (Article 78 of GDPR).

 

Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers (Article 79 of GDPR).

 

 

 

 

CHAPTER VIII.

APPLICATION OF THE DATA SUBJECT, MEASURES BY THE CONTROLLER

25. § Measures under the application of the data subject

1. The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request.

 

2. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

 

3. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

 

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided by our Company as data controller free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge HUF 6,350,- or

 

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

 

6. If the Company, in its capacity as data controller, has well-grounded doubts about the identity of the natural person filing the application, disclosure of further information suitable for confirming the identity of the data subject may be requested.

 

 

CHAPTER IX.

DATA SECURITY PROVISIONS OF THE COMPANY

 

§ 26. Security requirements of personal data processed on paperwork

1.       any and all personal data, independently from the fact on which sort of medium it is manifested, can be known only by authorized persons, access or disclosure to unauthorized persons is prohibited,

2.       documents must be placed in dry and closable premises supplied with fire and property protection equipment,

3.       when interrupting work, the officer of the Company carrying out data processing may leave the office or premises where the data processing activity is carried out only after locking up the documents or closing the premises,

4.       once the work has been finished the documents must be locked up,

5.       these security provisions are valid also for working at home.

 

§ 27.  Security requirements of personal data stored at the Company on computers or network

 

  • the same security requirements apply to computers used for data processing activities independently from the fact whether it is owned by the Company or the employee,
  • access to personal data stored on computers or network is permitted only with valid, personalized and identifiable authorization. The Company shall take care of the permanent changes of passwords.
  • if the purpose in connection with the processing of the personal data has been achieved, or the deadline for data processing has expired or the lawfulness of the data processing has ceased to exist for whatever reason, then the file containing the data must be irrevocably erased in such a way that the data can no longer be accessed,
  • the firewall safety of computers and other protection against viruses must be taken care of,
  • continuous backups must be made on computers and regular backups on the network system in the course of data processing,
  • by using the up-to-date suitable informatics equipment and technologies the Company shall permanently take care of informatics protection of the personal data processed,
  • the provisions on protection of informatics equipment of the Company are set forth by the IT Policy.

§ 28.          Data security measures

1.     The Company shall, in connection with data processing activities based on any and all legal grounds and for any and all purposes, implement those technical and organisational measures and establish those procedural rules that are necessary for complying with the Regulation and the InfoAct.

 

2.     The Controller shall protect the data with appropriate measures against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

 

3.     The Company shall qualify and process the personal data as confidential ones. Confidentiality obligations are set forth for employees relating to personal data. Access to personal data is limited by the Company through specifying authorization levels.

 

4.     Informatics systems are protected by the Company with firewalls and anti-virus programs.

 

5.     The electronic data processing and filing activities are carried out by the Company using computer programs that suit the requirements of data security. The Policy ensures that access to personal data is granted only to those persons who must use them in order to fulfil their responsibilities, restricted to purposes and within controlled circumstances.

 

6.     In the course of processing the personal data by automated means the data controller and the data processor shall ensure with additional measures the following:

 

a)    preventing the unauthorized data input;

b)    preventing the use of automated data processing systems by unauthorized persons through data transmission equipment;

c)    the possibility to control and determine to which bodies the personal data have been or may be transferred through data transmission equipment;

d)    the possibility to control and determine when and by whom personal data were entered into the automated data processing systems;

e)    the installed systems can be restored in case of break-down and

f)     the possibility that reports should be prepared about the malfunctions discovered in the course of automated data processing.

 

7.     In order to protect the personal data, the company shall take care of the control of inbound and outbound electronic communication.

 

8.     Documents under progress and processing can be accessed only by the competent officers, and the documents containing personnel, salary, employment and other personal data must be kept under lock and key.

 

9.     The Company safeguards the physical protection of the data as well as the tools and documents carrying them.

 

CHAPTER X.

 

DATA SECURITY INCIDENT RESPONSE PLAN

 

§ 29. PURPOSE AND SCOPE

This Policy is established by Summit D & V to provide general procedures for an effective, efficient, and orderly response to Events and Incidents, and applies to Summit D & V, all Covered Persons, and any Event or Incident. This Policy provides a set of guidelines.

 

This Response Plan distinguishes between Event and Incident. Events are defined in § 30. Incidents are defined in Chapter I. of this Policy. Appropriate responsive actions for a given Event or Incident depend on the particular facts and circumstances of the Event or Incident. Appropriate members of the Incident Response Team (“IRT”) may, in consultation with Company senior management, modify their responsive actions as appropriate, including by omitting or including additional or alternate individuals or actions based on the specific Event or Incident.

 

IRT consists of permanent and substitute members. Managing director, administrative director and highest-ranking HR employee of the Company belong to the permanent members. Substitute members may be the in-house legal counsels of the Mother Company or Connected Companies, the Company’s outside legal counsel, attorney at law (hereinafter jointly: Legal Counsel), the person in charge for operating the IT system of the company and/or the data protection officer of the Company’s Mother Company or Connected Companies or data protection specialist. Involvement of a substitute member shall be decided by majority voting of the permanent members with the proviso that in case of tie vote involvement of a substitute member is mandatory.

 

The data protection officer of the Company at company group level is Jon Margree. His availability and emergency e-mail address where the internal report on loss of data must be sent is the following:

sceu-er@sumitomocorp.com

 

The Company intends that the response to an Incident that may result in a risk of litigation and/or other legal or regulatory proceedings, including any documents created in the course of such response, will be covered by the attorney-client and/or the attorney work product privileges, as applicable. All information relating to any Event or Incident that is or may become subject to this Policy is also the confidential information of Company.

 

§ 30. CLASSIFYING EVENTS AND INCIDENTS

 

1.       Events

An Event is an observed change in the normal functioning of our businesses’ information systems that indicates possible malicious activity or a violation of Company’s information security policies. Events may be changes that indicate changes to the accessibility, integrity, or confidentiality of systems that store Protected Data. Examples of Events may include, but are not limited to, the following:

  •  An instance where computer logs or audit files indicate suspicious activity;
  •  A suspicious transmission or deletion of Protected Data;
  •  A suspected compromise of a user’s account or password for accessing a Company system;
  • Detection of a rogue wireless access point, unauthorized wireless device, or other suspicious wireless activity;
  • Detection of an unauthorized scanning device or software on any system;
  • Fluctuation or change in system or network performance, including any network downtime that affects production applications;
  • An instance where a user is found or suspected to have access to Protected Data without authorization;
  • A suspected denial of service attack;
  • Discovery of ransomware notes or report of anomalous encrypted device;
  • Discovery of malware;
  • A report of lost or missing media or device containing unencrypted Protected Data;
  • Notification that a suspected unauthorized third party is in possession of Protected Data; or
  • A suspected violation of the Company’s acceptable use policies.

2. Incidents

An Incident is a confirmed Event that has caused or could cause a disruption in the business or trigger potential legal obligations.

The IRT will determine an Incident’s severity level. The IRT may upgrade or downgrade the Incident’s severity level as more details about the Incident are learned through the response. Incidents are classified into one of three severity levels, with a set of criteria for each level. Specific guidelines and examples of the criteria for each of the severity levels are set forth in the following table:

SEVERITY 1 HIGH: An Incident involving (1) a significant volume of Protected Data; (2) creation of a substantial negative impact on operations requiring substantial resources to contain, control or counteract; or (3) creation of a significant risk of negative financial or public relations impact.

SEVERITY 2 MEDIUM: An Incident involving a nonsignificant volume of Protected Data that has been compromised or an Incident likely to impact business operations in a manner that will require an organized response.

SEVERITY 3 LOW: An Incident that is unlikely to trigger notification obligations and likely will have no or limited impact on business operations.

Examples

  • Actual compromise of a significant volume of Protected Data;
  • Report of data security incident in press or on social media;
  • Notification from law enforcement or other government report of potential compromise;
  • Ransomware or malware on many systems throughout the environment;
  • Denial of service attack affecting business critical systems
  • System intrusion or other criminal activity;
  • Malicious system activity that reduces Company productivity;
  • Attack potentially compromising Protected Data;
  • High profile person potentially compromised (e.g. executive, board member, high profile customer or claimant);
  • System or application access controls inoperative resulting in potential exposure of Protected Data;
  • Notice of compromised Protected Data from service provider or other third party;
  • Compromise of information relating to a significant customer;
  • Malware or Ransomware on multiple systems.

 

  • Unsuccessful unauthorized attempt to access Protected Data;
  • “Routine” phishing, malware, ransomware, or weakness in control;
  • Employee or vendor mistake resulting in the potential unauthorized access, acquisition, or use of Protected Data;
  • Acceptable use policy violations.

 


§ 31.  RESPONDING TO AN EVENT

 

Action: Responsible Party and Description

Reporting: If a Covered Person becomes aware of a suspected or actual Event or Incident of any type, he or she must contact their local HR Manager or IT Department. The individual who receives this report in HR or IT will alert the IRT.
Triage: The IRT will, at the direction of Legal Counsel as appropriate, oversee gathering information about the Event.
Escalation / Response: The IRT will evaluate whether the Event should be escalated to an Incident. If the Event is not escalated to an Incident, the IRT, or its designee, will take appropriate steps to investigate, contain, and remediate the Event.
Internal Notification: The IRT will evaluate who at the Mother Company should be notified of the Event in accordance with Notification Guidance below.
Periodic Reporting: Legal Counsel or relevant IRT member, as appropriate, will provide Company management with a summary of Events on a regular basis.

§ 32. RESPONDING TO AN INCIDENT

 

Action: Responsible Party and Description

Escalation / Classification: If the IRT classifies an Event as an Incident, the IRT, as directed by Legal Counsel, will classify the Incident in accordance with the severity levels above, notify Company management, and undertake the actions below, as appropriate. All Medium and High severity Incidents are to be directed by Legal Counsel. The IRT will direct the response to Low severity Incidents. It is not intended that all actions be taken in every Incident, nor is it required that the actions be taken in a particular order.
Assembling the Team: The IRT, in consultation with Legal Counsel as appropriate, will involve appropriate Company associates to respond to the Incident based on the circumstances and severity of the Incident.
Engaging Outside Legal Counsel: The IRT, in consultation with in-house Legal Counsel, will determine whether the Company will engage outside Legal Counsel.
Outside Experts: Legal Counsel will coordinate the engagement of any outside experts, including, as appropriate, forensic experts and public relations experts. If outside experts are engaged, the IRT will collaborate with such third parties to respond to the Incident.
Strategy: The IRT, led by Legal Counsel, as appropriate, will develop an overall strategy for investigating, containing, and remediating the Incident. The strategy will involve a determination of the urgency of the response, any external notifications or third-party cooperation required, and how best to coordinate a response.
Investigation: The IRT, led by Legal Counsel, as appropriate, will oversee actions to investigate the cause and scope of the Incident.
Containment: The IRT, led by Legal Counsel, as appropriate, will oversee actions reasonably designed to contain and control the Incident.
Restoration: The IRT will oversee appropriate actions to restore affected systems or business operations to normal and secure functioning, on a short-term basis, if necessary.
Remediation: The IRT will oversee actions to remediate vulnerabilities that were related to the Incident.
Preservation: At the direction of Legal Counsel, the IRT will preserve potential evidence relating to the Incident. Steps that may be appropriate, depending on the circumstances, include maintaining a chain of custody for papers and other physical evidence, preserving relevant system logs, making backups of affected files and systems, and/or maintaining historical backups to show the system’s prior state.
Insurance: If appropriate, Legal Counsel will contact Company’s relevant insurance carrier.
Notification: Legal Counsel will review and analyse Company’s obligations to report an Incident, including under Company’s contractual commitments to third parties and applicable federal, state and international laws, based on the facts and circumstances of the Incident and will advise Company with respect to any appropriate external notifications, consistent with the Notification Guidance in this Plan.

 

 

 

C/      CLOSING PROVISIONS

 

 

 

CHAPTER XI.

 

§ 33. Establishment, revision and amendment of the Policy

The managing director of the Company is authorized to establish, review and amend this Policy.

 

The Company’s legal counsel keeps monitoring the legal regulations regarding the amendments of laws promulgated in the Official Gazette concerning data protection or employees of the Company and provides a regular monthly report thereon to the Company.

The laws concerned by the report shall be analysed and appraised by the Company.

Should the Company deem that certain laws have or may have an impact on the operations of the Company, an extended explanation will be required from the legal counsel.

Upon the feed-back of the legal counsel the management of the Company thinks over whether or not measures are to be implemented.

If implementation of measures is considered necessary by the management of the Company, an examination will be made to reveal whether such measures can be adopted through its internal organizational unit. If yes, the adequate organizational unit shall be appointed for implementing such measures.

If the Company comes to the conclusion that the involvement of an external specialist, such as a tax advisor, accountant, attorney at law, IT manager or labour protection expert, is reasonable, it will get in touch with the expert needed or, if there is no legal relationship with such an expert, look for one, and make an inquiry for completing the required tasks.

If an internal policy should be amended as a consequence of the measures, the Company will, involving the legal counsel or an external expert if necessary, revise the internal policy and, if it seems reasonable, amend it or adopt an internal policy complying with the amendments in law.

 

§ 34.  Measures for knowing about the Policy

Any and all employees of the Company must be informed of the terms and conditions of this Policy according to Annex IV attached hereto.

 

Annex I: General data processing information

Annex II: List of data processing activities

Annex III: Data request form

Annex IV: Information for employees

Annex V: Voluntary consent for storing applications

 

 

 

Esztergom, 22 July, 2020

 

 

 

 

Ryusuke Hosomi

Managing director

 

ANNEX I.

DATA PROCESSING INFORMATION

ON THE RIGHTS OF DATA SUBJECTS IN CONNECTION WITH

PROCESSING OF THEIR PERSONAL DATA AT

SUMMIT D & V AUTÓIPARI GYÁRTÓ ÉS SZERELŐ

KORLÁTOLT FELELŐSSÉGŰ TÁRSASÁG

 

 

TABLE OF CONTENTS

 

Introduction

CHAPTER I. – DESIGNATION OF THE DATA CONTROLLER

CHAPTER II. – DESIGNATION OF THE DATA PROCESSORS

1. IT service provider of the Company

2. Book-keeping service provider of the Company

3. Postal services, services, parcel deliveries

4. Service provider for property protection

CHAPTER III. DATA PROCESSING IN CONNECTION WITH EMPLOYMENT RELATIONSHIP

1. Labour and personnel records

2. Data processing in connection with aptitude tests

3. Processing of personal data of employees applying for job, tenders, CVs

4. Data processing in connection with checking the use of E-mail account

5.  Data processing in connection with control of computers, laptop, tablet

6. Data processing in connection with the control of the use of internet at work place

7. Data processing in connection with the control of using the Company mobile phones

8. Data processing in connection with entering and leaving the work place

9. Data processing in connection with video surveillance at work place

CHAPTER IV. DATA PROCESSING CONNECTING TO CONTRACTS

1.       Processing of contracting parties’ data – filing system on buyers and suppliers

2.       Availabilities of natural persons being representatives of customers, buyers and suppliers qualifying as legal persons

3.       Data processing of visitors at the website of the Company – information about application of cookies

CHAPTER V. DATA PROCESSING BASED ON LEGAL OBLIGATIONS

1.       Data processing for complying with taxation and accounting obligations

2.       Data processing as payer

3.       Data processing of documents with durable value under Act on Archives

4.       Data processing for the purposes of complying with legal obligations against money laundering

CHAPTER VI. DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECTS

CHAPTER VII. APPLICATION OF THE DATA SUBJECT, MEASURES BY THE CONTROLLER

 

 

INTRODUCTION

 

This Policy lays down the internal rules of Summit D & V Kft. (registered seat: 2500 Esztergom, Dobogókői út 35., registration number: 11-09-009638, tax identification number: 11831015-2-11; hereinafter: Summit D & V or Company) on data processing activities in order to comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data and repealing Directive 95/46/EC (hereinafter: Regulation or GDPR).

 

Establishment and amendment of this Policy belongs to the competence of the managing director.

 

This Policy has been prepared taking also into consideration that the Company is a member of Sumitomo group, its sole shareholder is Sumitomo Corporation (registered seat: OTEMACHI PLACE EAST TOWER 3-2 Otemachi 2-Chome, Chiyoda-ku, Tokyo 100-8601, Japan, registration number: 0199-01-008692, registering authority Tokyo Legal Affairs Bureau, hereinafter: Mother Company). Therefore, in the course of data processing the Company is going to cooperate, if necessary, with the Mother Company and other corporations of the company group (hereinafter: Connected Companies).

 

CHAPTER I.

NAME OF THE DATA CONTROLLER

Issuer of this Information qualifying also as Data Controller:

Company name: Summit D & V Autóipari Gyártó és Szerelő Korlátolt Felelősségű Társaság

Seat: 2500 Esztergom, Dobogókői út 35.

Registration number: 11-09-009638

Tax number: 11831015-2-11

Representative: Ryusuke Hosomi managing director

Phone number: + 36 33 542 450

Fax: +36 33 542 401

E-mail address: info@summit-dv.hu

Website: www.summitdvkft.hu

 

(hereinafter: Company or Data Controller)

 

 

CHAPTER II.

DESIGNATION OF DATA PROCESSORS

 

Data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Articles 4.- 8. of GDPR).

 

Engagement of a data processor is not subject to the consent of the data subject but information must be provided to him. In compliance with the foregoing we hereby provide the following information.

 

1. IT service provider of the Company

 

A data processor who provides IT services (hosting services) is engaged for the maintenance and management of the Company’s website and, within this framework and for the duration of our contract with him, processes the personal data disclosed on the website. His operations consist of storing the personal data on the server.

 

Designation of this data processor is the following:

Company name: Gyarmati Dávid e.v.

Seat: 2534 Tát, Berzsenyi Dániel utca 12.

Tax number: 67692947-2-31

Representative: Gyarmati Dávid

Phone number: 36-30-568-8668

E-mail address: info@colonialworks.hu

Website: www.colonialworks.hu

 

 

2. Book-keeping service provider of the Company

 

An external book-keeping service provider is engaged under a service contract in order to comply with taxation and accounting obligations; it processes the personal data of those natural persons with whom the Company has a contractual or payer relationship.

 

Designation of this data processor is the following:

Company name: Crowe FST Consulting Kft.

Seat: 1124 Budapest, Jagelló út 14.

Registration number: 01-09-703091

Tax number: 12780187-2-43

Representative: Kiss László, Kölber Ferenc Nándor

Phone number: 36-1-225-3490

 

 

3. Postal service providers, services, parcel deliveries

 

These data processors receive from the Company the personal data necessary for due delivery of the ordered product (name, address and phone number of the data subject) and deliver the product using the same.

 

These service providers are the following:

Company name: Hungarian Post Office (Magyar Posta Zrt.)

Seat: 1138 Budapest, Dunavirág u. 2-6.

Registration number:  01-10-042463

Tax number: 10901232-2-44

Representative: pursuant to the trade registry extract

Phone number: 36-1-767-8282

 

Courier service

(1) Company name: Federal Express Corp. Magyarországi Fióktelepe

Seat: 2220 Vecsés, Lőrinci út 59.

Registration number: 13-17-000083

Tax number: 22246891-2-13

Representative: Pfiszter János Ferenc

Phone number: 36-80-980-980

 

(2) Company name: DHL Express Magyarország Kft.

Seat: 1185 Budapest, BUD Nemzetközi Repülőtér 302. ép

Registration number: 01-09-060665

Tax number: 10210798-2-44

Representative: pursuant to the trade registry extract

Phone number: 36-1-245-4545

 

4. Service provider for property protection

 

Pursuant to its engagement under the contractual relationship with the Company, and as long as that contractual relationship is valid, this data processor carries out the workplace video surveillance and the control of entries and exits, and processes the data in connection therewith.

 

Designation of this service provider is the following:

Company name: Gran Monitoring Vagyonvédelmi Szolgáltató Kft.

Seat: 2500 Esztergom, Deák Ferenc utca 34.

Registration number: 11-09-025273

Tax number: 25937066-2-11

Representative: Szamosvári Zsolt

Phone number: 36-30-934-9600

 

 

CHAPTER III.

DATA PROCESSING IN CONNECTION WITH EMPLOYMENT RELATIONSHIP

 

1. Labour and personnel records

 

(1) Only those data may be requested from the employee and documented, and only those medical aptitude examinations related to his job function may be carried out, that are necessary for the conclusion, fulfilment or termination of the employment relationship or for providing social and welfare benefits, and that do not infringe his personality rights.

 

(2) In order to exercise its legitimate employer interests (Article 6. (1) f) of the Regulation) the Company shall process the following data of its employees for the purposes of conclusion, fulfilment or termination of the employment relationship:

 

1. name

2. birth name

3. birth date

4. birth place

5. mother’s name

6. gender

7. address

8. citizenship

9. tax identification number

10. SSN

11. pensioner number (in case of retired employees)

12. phone number, phone number of the employee’s relative, if it is requested by the employee

13. e-mail address

14. ID number

15. number of domicile card

16. bank account number

17. online identification (if any)

18. date of entering into employment and termination thereof

19. job function

20. copy of school education certificate or diploma

21. copy of driving license

22. data of previous employment, documents, reference letter

23. photograph

24. CV

25. amount of salary, data in connection with salary and other wage payment

26. name of relative, his/her personal data, address, marriage, birth and death certificate

27. final resolution or certificate verifying lawful reduction from the employee’s salary based on legal regulation or consent

28. appraisal of the employee’s work

29. documents on disciplinary procedures (written warning letters)

30. method and reasons of terminating the employment relationship

31. negative criminal record, depending on the job function

32. summary of the job function aptitude examinations

33. in case of membership in private pension funds or voluntary mutual financial funds the designation of the fund and the membership number of the employee

34. passport number and designation and number of the document authorizing employment in case of employees with foreign citizenship

35. data recorded in minutes on work accidents

36. data for using welfare services and accommodation

37. data recorded by the video surveillance and entering systems used at the Company for security and property safety purposes

38. data relating to alcohol control

 

(3) Data relating to sickness shall be processed by the Company only for performance of rights and obligations set forth by the Labour Code.

 

(4) The recipients of the personal data are the following: the employer’s managing director, the person exercising the employer’s rights, the employees of the Company responsible for labour matters and the Company’s data processors.

 

(5) Only the data of the managers of the Company can be forwarded to the shareholder of the Company, except for the cases of approving the salary increase and the annual bonus for which purposes the names and wage data of all employees can be forwarded.

 

(6) As a main rule, the retention period of personal data is unlimited; specific data are provided in the Data Processing Policy of the Company.

 

(7) The data subject must be informed that the data processing is based on the Labour Code and the exercise of the legitimate interests of the employer.

 

(8) Simultaneously with concluding the employment contract, the employee will be informed of his personality rights and of the processing of personal data by delivery of an Information Letter in accordance with Annex IV.

 

2. Data processing in connection with aptitude tests

 

(1) An employee may be requested to take an aptitude test if one is prescribed by employment regulations, or if deemed necessary with a view to exercising rights and discharging obligations in accordance with employment regulations. Prior to the examination the employees must be informed in a detailed manner, among others, of the skills and abilities the test is aimed at assessing, as well as the method and tools of the test to be conducted. If the test is prescribed by law, then the employee must also be informed of the exact title and paragraph of the legal regulation concerned.

 

(2) The test forms focusing on the aptitude and preparedness of the employees can be completed by the employees either prior to entering into the employment contract or during the employment relationship.

 

(3) Completion of test forms suitable for examining psychological and personality characteristics may be required of major groups of employees only if the tests are clearly connected with the employment relationship and aim at the better organization of work processes and increasing their efficiency, and only if the data resulting from the research cannot be linked to specific employees, i.e. the data processing is carried out anonymously.

 

(4) Sphere of personal data subject to processing: the existence of job function suitability and the conditions precedent thereto.

 

(5) Legal basis of data processing: the legitimate interests of the employer.

 

(6) Purpose of data processing: establishment and maintenance of employment relationship as well as performing job function.

 

(7) Recipients and categories of recipients of personal data: The outcome of the test can be known by the examined employees and the experts conducting the tests. The employer may only receive information about the fact whether or not the examined employee is apt for the job function concerned and the conditions to be ensured for that. However, the particulars of the test and the full documentation thereof cannot be known by the employer.

 

(8) Retention period of personal data: 3 years after termination of the employment relationship.

 

3. Processing of personal data of employees applying for job, tenders, CVs

 

(1) Sphere of personal data subject to processing: name, birth date and place, mother’s name, address, education details, photograph, phone number and e-mail address of the natural person as well as the employer’s notes about the applicant, if any.

 

(2) Purpose of the data processing: application, adjudication of the application, conclusion of employment contract with the selected person. The data subject must be informed of the employer’s decision if he or she is not selected for the job concerned. This information can be communicated verbally in person, by phone or in written form.

 

(3) Legal basis of data processing: consent of the data subject.

 

(4) Recipients and categories of recipients of personal data: the manager exercising employer’s rights at the Company, employees responsible for HR matters and employees vested with decision making or proposal submitting power in the course of application process.

 

(5) Retention period of personal data: Until the adjudication of the application or tender but by the end of the probation period of the job function to be performed. Personal data of applicants not selected must be cancelled. Personal data of those applicants who withdrew their applications must also be cancelled.

 

(6) The employer may retain the application only under the express, clear and voluntary consent of the data subject provided retention thereof is required for a data processing purpose compliant with laws. Such consent should be requested from the applicant after the closure of the application procedure (Annex V.).

 

4. Data processing in connection with checking the use of E-mail account

 

(1) If an e-mail account is provided by the Company to the employee, whereby both e-mail account and address are meant, this e-mail account and address can be used by the employee exclusively for the purposes of his/her responsibilities under his/her job function so that the employees can keep in touch with each other through this channel or the employees could correspond on behalf of the employer with clients, other persons and entities.

 

(2) The e-mail account cannot be used by the employee for private purposes and personal letters cannot be stored on the account.

 

(3) The employer is entitled to check the full contents and use of the e-mail account regularly, every three months; the legal basis of the data processing in the course thereof is the legitimate interest of the employer. The purposes of the control are checking compliance with the employer’s instruction on the use of the e-mail account as well as with the employees’ obligations under Sections 8. § and 52. § of the Labour Code.

 

(4) The employer’s managing director and the person vested with exercising the employer’s rights are authorized to conduct the control.

 

(5) Provided the circumstances of the control do not exclude the possibility, the attendance of the employee should be ensured during the control.

 

(6) Prior to starting the control the employee should be informed of the nature of the employer’s interests of the control as well as the person authorized to conduct the control on behalf of the employer. The employee should also be informed of the rules of the control, obeying the principle of graduation and the steps of the procedure as well as his/her rights and remedies available in connection with the data processing relating to the control of the e-mail account.

 

(7) In the course of the control the principle of graduation should be applied i.e. the address and subject of the e-mail should be examined in order to reveal whether it is connected to the employee’s responsibilities arising from his job function or serves private purposes. Contents of e-mails of non-private purposes can be controlled by the employer without limitation.

 

(8) If it is established that, contrary to the provisions of this Policy, the e-mail account was used by the employee for private purposes, he should be called upon to delete the personal data without delay. In the absence of the employee or in the lack of his cooperation, the personal data will be deleted by the employer during the control. Labour law consequences can be applied by the employer against the employee for using the e-mail account contrary to the provisions of this Policy.

 

(9) The employee may exercise his rights in connection with data processing connected to the control of his e-mail account in compliance with the provisions of this Policy on the rights of data subjects.

 

5. Data processing in connection with control of computers, laptop, tablet

 

Computers, laptops and tablets provided by the Company to the employee for working purposes can be used by the employee exclusively for the purposes of his/her responsibilities under his/her job function. The use of the same for private purposes is prohibited by the Company so the employee is not entitled to process and store any of his correspondence and personal data on these tools. The stored data on these tools can be checked by the employer. As regards the control of these tools and the legal consequences the provisions of foregoing Section § 4 shall prevail.

 

6. Data processing in connection with the control of the use of internet at work place

 

(1) The employee is entitled to visit only those websites that are connected to his responsibilities under his job function. The use of internet for private purposes is prohibited by the Company.

 

(2) Where an internet registration is made on behalf of the Company as part of the responsibilities under the job function, the Company becomes the beneficiary of the registration, and an identifier and password referring to the Company must be used for the registration. If disclosure of personal data is also needed for registration, the Company is obliged to apply for the erasure thereof once the employment relationship has been terminated.

 

(3) The employee’s internet use at work place can be checked by the employer. As regards the legal consequences the provisions of foregoing Section § 4 shall prevail.

 

7. Data processing in connection with the control of using the Company mobile phones

 

(1) Private purpose use of the Company mobile phones is not allowed by the Company. The mobile phone can only be used for purposes in connection with work performance and the employer is entitled to check the phone number and data of any and all outbound phone calls as well as the stored data of the mobile phone.

 

(2) The employee must report to the employer if he used the Company mobile phone for private purposes. In this case the control can be conducted in such a way that the employer requests a detailed list of outbound calls from the service provider and the employee is invited to make the phone numbers called for private purposes unrecognisable. The employer may lay down that the costs of private purpose calls must be borne by the employee.

 

(3) Otherwise, as regards the control and the legal consequences the provisions of foregoing Section § 4. shall prevail.

 

8. Data processing in connection with entering and leaving the work place

 

(1) If a non-electronic entrance system is operated, an information letter must be published about the person in charge of data processing and the manner of data processing.

 

(2) The sphere of personal data subject to processing: name of the natural person, name of the company represented by him, the name of the employee visited, the plate number of the car, the time of entrance and leave.

 

(3) Legal basis of data processing: the enforcement of the employer’s legitimate interests.

 

(4) Purpose of the data processing: property protection, performance of contracts, fulfilment of employee obligations.

 

(5) Recipients and categories of recipients of personal data: the person exercising the employer’s rights, the employees of the Company responsible for labour matters and the employees of the Company’s data processor in its capacity as property protection agent.

 

(6) Retention period of personal data: 6 months.

 

9. Data processing in connection with video surveillance at work place

 

(1) In order to , business establishment and premises open for receiving visitors which is suitable for sound and video recording under which the camera records also the attitude of the data subject to the considered personal data.

 

(2) Legal basis of this data processing: the enforcement of the employer’s legitimate interests and the consent of the data subject.

 

(3) An information document and symbol about the use of the electronic surveillance system, calling the attention of third parties intending to appear at the site, must be placed in a clearly visible location and in legible form. The information should be given in case of each camera. This information should contain the following: the fact of surveillance via electronic property protection system, the purpose of recording and storing video and sound recordings containing personal data, the legal basis of the data processing, the location of storing recordings, the retention period, the person in charge of applying and operating the system, the categories of persons authorized to know the data as well as information on provisions about the rights of data subjects and the enforcement thereof.

 

(4) Sound and video recordings of third parties entering the surveilled area, such as clients, visitors and guests, can be made and processed only with their consent. Such consent can be given also by implicit conduct. Implicit conduct means especially if the person staying at the surveilled area, in spite of the information and symbol about the application of electronic surveillance system, enters the area.

 

(5) Unless used, the recordings can be stored for no longer than 3 (three) working days. Use shall mean that the recorded sound and/or video recording or other personal data is to be transferred to the police, other authorities, or a court as evidence for the purposes of proceedings.

 

(6) Those whose rights or legal interests are concerned by the sound and/or video recording may, within 3 working days from the recording and by certifying their rights or legal interests, request that the data not be erased or deleted.

 

(7) Application of the electronic surveillance system is not allowed at those premises where the surveillance might violate personal integrity, such as dressing rooms, bathrooms, restrooms and medical premises and the visitor’s hall belonging thereto. The same applies to premises which are designated for employees to stay during breaks.

 

(8) The following persons are authorized to see the recorded data through the electronic surveillance system beyond those entrusted by law: staff operating the system for detecting the unlawful actions and checking the system as well as the managing director of the employer and his substitute and the site manager of the surveilled area.

 

CHAPTER IV.

DATA PROCESSING CONNECTING TO CONTRACTS

 

1. Processing of contracting parties’ data – filing system on buyers and suppliers

 

(1) Under legal basis of fulfilment of contracts the following data of those natural persons are processed by the Company for purposes of conclusion, fulfilment and termination of contracts or offering contractual benefits who entered into contract with the Company as buyers or suppliers: name, birth name, birth place and date, mother’s name, address, tax identification number, entrepreneurial and agricultural number, ID number,  registered seat or premises, phone number, e-mail address, web-site, bank account number, customer number (client number, order number), online identification number (list of buyers, suppliers, lists of stem purchasers). Such data processing will qualify as lawful even if the data processing is necessary for taking steps prior to entering into contract under the request of the data subject. Recipients of the personal data: employees and data processors of the Company responsible for client service, accounting and taxation. Retention period of personal data: 5 years after termination of the contract.

 

(2) Before commencement of data processing the data subject natural person must be informed of the legal basis of data processing which is performance of contract. Such information may be provided also within the contract.

 

(3) The data subject must be informed of forwarding his personal data to data processors.

 

2. Availabilities of natural persons being representatives of customers, buyers and suppliers qualifying as legal persons

 

(1) Sphere of personal data subject to processing: name, address, phone number, e-mail address and online identification number of the natural person.

 

(2) Purpose of the data processing: performance of contracts concluded with the Company’s business partners qualifying as legal person, and keeping in touch with them. The data subject’s consent constitutes the legal basis of data processing.

 

(3) Recipients and categories of recipients of personal data: employees of the Company responsible for client service.

 

(4) Retention period of personal data: until five years following the existence of the business relationship or the capacity of the data subject being representative.

 

(5) When the data are collected, the data subjects should sign a statement. The contents of such statement must be communicated to the data subject by the employee who is in contact with the client, the buyer or the supplier, and the data subject’s consent to the processing of his personal data must be requested through the execution of the statement. The statement must be saved during the retention period.

 

3. Data processing of visitors at the website of the Company – information about application of cookies

 

(1) Cookies are short files of characters that are placed by the visited website on the user’s terminal equipment. The purpose of the cookies is to facilitate infocommunication and internet services and make them more comfortable. There are various types but usually they are classified in two groups. The first is the temporary cookie, which is placed by the website at the terminal equipment of the visitor just for one specific process (e.g. security identification during internet banking). The other type is the permanent cookie (e.g. language of a website), which remains on the terminal equipment until the user deletes it. Under the directives of the European Commission cookies may be placed on the equipment of the user only with the consent of the user unless they are inevitably necessary for using the service concerned.

 

(2) In case of cookies not requiring the user’s consent the information must be given at the first visit of the website. The full text of the information should not be displayed at the website. Short summary on the merit of the information published by the operators of the website is sufficient with a reference to the full information through a link.

 

(3) In case of cookies subject to consent the information can be connected to the first visit of the website even in the case if the data processing relating to application of cookies commences with visiting the page. If the application of cookies is connected to the use of the function expressly requested by the user then the information can be displayed connected to the use of this function. In this case the full text of the information should not be displayed at the website. Short summary on the merit of the information published by the operators of the website is sufficient with a reference to the full information through a link.

 

(4) Visitors must be informed of the use of cookies at the website. By this information the Company ensures that visitors can get acquainted with the purposes of data processing and the types of data processed, including the processing of data not directly connected to the user, even prior to utilizing the information society services of the website and at any time afterwards.

 

CHAPTER V.

DATA PROCESSING BASED ON LEGAL OBLIGATIONS

 

1. Data processing for complying with taxation and accounting obligations

 

(1) Under the legal basis of complying with legal obligations, in order to perform taxation and accounting obligations set forth by law (book keeping, taxation), the Company will process the data, as specified by law, of natural persons entering into business relationship with it as buyers and suppliers. The data processed under Sections § 169. and 202. of Act CXXVII. of 2017 are especially: tax number, name, address, tax status. The data processed under Section § 167. of Act C. of 2000 are especially: name of the person or body ordering the economic transaction, signatures of persons effecting payment and verifying execution, as well as, depending on the organization, the signature of the inspector; in documents of movements of inventories and liquid assets receipts, the signature of the recipient, and the signature of payer in counter-receipts. The data processed under Act CXVII. of 1995 are the following: number of entrepreneurial certificates, number of agricultural certificate and tax identification number.

 

(2) Retention period of personal data: 8 years after termination of the legal relationship serving for legal basis of data processing.

 

(3) Recipients

 

2. Data processing as payer

 

(1) Under the legal basis of fulfilment of legal obligations the Company shall process the personal data of those data subjects, including employees, their relatives, any other hired or occupied persons, with whom it stands in a legal relationship as payer. (Section § 31.7. of Act CL. of 2017, „Art”) The purpose of this data processing is to comply with paying taxes and contributions set forth by law such as determination of taxes, tax advances, contributions, payroll activities, social security and pension management. The data processed are specified by Section 50 § of Art, highlighting the following: the natural identification data of natural persons including the previous name and title, gender, citizenship, tax identification number, social security number (SSN). If legal consequences are connected by tax laws, the Company may process the health and trade union membership data (§ 40 and § 47 (2) b/ of Szja) of the employees for the purposes of paying taxes and contributions (pay rolling, social security management).

 

(2) Retention period of personal data: 8 years after termination of the legal relationship serving as legal basis.

 

(3)

 

3. Data processing of documents with durable value under Act on Archives

 

(1) The

 

(2) The Act on Archives shall prevail on the addressee of the personal data and other issues of data processing.

 

4. Data processing for the purposes of complying with legal obligations against money laundering

 

(1) The Company processes the following data of its clients, their representatives and beneficiary owners for the purposes of complying with its legal obligations as specified in Act No. LIII. of 2017 on prevention and combating of money laundering and terrorist financing (Pmt): natural persons’

a) first name and surname, b) birth first name and surname, c) citizenship, d) birth place and date, e) mother’s maiden name, f) address, in lack of that place of residence, g) type and number of identification card and certificate on permanent residence as well as the photocopy of documents presented (Pmt.7. §).

 

(2) Recipients

 

(3) Retention period of personal data: 8 years after the termination of the business relationship or the fulfilment of the transaction assignment /Pmt. 56. § (2)/.

 

CHAPTER VI.

DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECTS

 

Right to prior information

The data subject shall have the right to get information about the facts and information connected to data processing before commencement of data processing (Articles 13-14 of the Regulation).

 

A) Information to be provided where personal data are collected from the data subject

 

(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on point (f) of Article 6 (1) of the Regulation, the legitimate interests pursued by the controller or by a third party;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Articles 46 or 47 of the Regulation, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

 

 

(2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

 

c) where the processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

 

d) the right to lodge a complaint with a supervisory authority;

 

e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

 

f) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

 

 

(3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

 

(4) Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information (Article 13 of the Regulation).

 

B) Information to be provided where personal data have not been obtained from the data subject

 

(1) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) the categories of personal data concerned;

e) the recipients or categories of recipients of the personal data, if any;

f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Articles 46 or 47 of the Regulation, or the second subparagraph of Article 49 (1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

 

 

 

(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

b) where the processing is based on point (f) of Article 6 (1) of the Regulation (legitimate interests), the legitimate interests pursued by the controller or by a third party;

c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

d) where processing is based on point (a) of Article 6 (1) of the Regulation (consent of the data subject) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

e) the right to lodge a complaint with a supervisory authority;

f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

(3) The controller shall provide the information referred to in paragraphs 1 and 2:

a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

 

 

(4) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

 

(5) Paragraphs 1 to 4 shall not apply where and insofar as:

a) the data subject already has the information;

b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 (1) of the Regulation or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy (Article 14 of the Regulation).

 

Right of access by the data subject

 

(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

 

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.

 

(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

 

(4) The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others (Article 15 of the Regulation).

 

Right to erasure (‘right to be forgotten’)

 

(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) of the Regulation, and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the Regulation;

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.

 

 

(2) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

 

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the Regulation;

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the Regulation in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims (Article 17 of the Regulation).

 

Right to restriction of processing

 

(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21 (1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

 

(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted (Article 18 of the Regulation).

 

Right to data portability

 

(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1) of the Regulation; and

b) the processing is carried out by automated means.

 

 

(2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

 

(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others (Article 20 of the Regulation).

 

Right to object

 

(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) of the Regulation, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

 

(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

(3) Where the data subject objects to processing for direct marketing purposes the personal data shall no longer be processed for such purposes.

 

(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

 

(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

 

(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

Automated individual decision-making, including profiling

 

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

(2) Paragraph 1 shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

c) is based on the data subject’s explicit consent.

 

 

(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

 

(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9 (1) of the Regulation, unless point (a) or (g) of Article 9 (2) of the Regulation applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place (Article 22 of the Regulation).

 

Restrictions

 

(1) Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34 of the Regulation, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

a) national security;

b) defence;

c) public security;

d) prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

f) the protection of judicial independence and judicial proceedings;

g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

h) the monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

i) the protection of the data subject or the rights and freedoms of others;

j) the enforcement of civil law claims.

 

(2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

a) the purposes of the processing or categories of processing;

b) the categories of personal data;

c) the scope of the restrictions introduced;

d) the safeguards to prevent abuse or unlawful access or transfer;

e) the specification of the controller or categories of controllers;

f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

g) the risks to the rights and freedoms of data subjects; and

h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction (Article 23 of the Regulation).

 

Communication of a personal data breach to the data subject

 

(1) When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

 

(2) The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33 (3) of the Regulation.

 

(3) The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

(4) If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met (Article 34 of the Regulation).

 

Right to lodge a complaint with a supervisory authority

 

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

 

(2) The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 (Article 77 of the Regulation).

 

(3) In the event of a breach of law relating to the data processing of the Company, the complaint shall be submitted to the following competent supervisory authority:

 

National Authority for Data Protection and Freedom of Information

website: http://naih.hu

mail address: 1530 Budapest, Pf.5.

e-mail: ugyfelszolgalat@naih.hu

phone: +36 (1) 391-1400

 

(4) In the case of an alleged breach of law regarding the processing of personal data, the data subject may bring proceedings against the Company before the competent court, that is, the Tatabánya Regional Court or, in the capital, the Budapest Metropolitan Regional Court.

 

Right to an effective judicial remedy against a supervisory authority

 

(1) Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

 

(2) Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 of the Regulation.

 

(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

 

(4) Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court (Article 78 of the Regulation).

 

Right to an effective judicial remedy against a controller or processor

 

(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

 

(2) Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers (Article 79 of the Regulation).

 

CHAPTER VII.

APPLICATION OF THE DATA SUBJECT, MEASURES BY THE CONTROLLER

 

(1) The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request.

 

(2) That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

 

(3) Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

(4) If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

(5) Information provided under Articles 13 and 14 of the Regulation and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided by our Company as data controller free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge HUF 6,350,- or

b) refuse to act on the request.

 

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

 

(6) If the controller has well-grounded doubts about the existence of the natural person filing the application, the disclosure of further information suitable for confirming the identity of the data subject may be requested.

 

 

Esztergom, October 11, 2019

 

 

Ryusuke Hosomi

Managing Director

 

ANNEX II.

REGISTRATION OF DATA PROCESSING ACTIVITIES AT

SUMMIT D & V AUTÓIPARI GYÁRTÓ ÉS SZERELŐ KORLÁTOLT FELELŐSSÉGŰ TÁRSASÁG

 

 

1. NAME OF THE DATA CONTROLLER

Name of the Company: Summit D & V Autóipari Gyártó és Szerelő Korlátolt Felelősségű Társaság

Seat: 2500 Esztergom, Dobogókői út 35.

Registration number: 11-09-009638

Tax number: 11831015-2-11

Representative: Ryusuke Hosomi managing director

Phone number: + 36 33 542 450

Fax: +36 33 542 401

E-mail address: info@summit-dv.hu

Website: www.summitdvkft.hu

 

(hereinafter: Company or Data Controller)

 

2. DATA SECURITY MEASURES

 

The Company shall, in connection with data processing activities based on any and all legal grounds and for any and all purposes, implement those technical and organizational measures and establish those procedural rules that are necessary for complying with the Regulation and the InfoAct.

The Data Controller

  • The Controller shall protect the data with appropriate measures against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
  • The Company shall classify and process personal data as confidential. Confidentiality obligations relating to personal data are set forth for employees.
  • Access to personal data is limited by the Company through specifying authorization levels.
  • IT systems are protected by the Company with firewalls and anti-virus programs.
  • The electronic data processing and filing activities are carried out by the Company using computer programs that meet the requirements of data security. The Policy ensures that access to personal data is granted only to those persons who must use them in order to fulfill their responsibilities, restricted to specific purposes and within controlled circumstances.
  • In order to protect personal data, the Company shall ensure the control of inbound and outbound electronic communication.
  • The Company safeguards the physical protection of the data as well as the tools and documents carrying them.
  • Documents under progress and processing can be accessed only by the competent officers and the documents containing personnel, salary, employment and other personal data must be kept under lock and key.

 

 

3. DATA PROCESSING IN CONNECTION WITH EMPLOYMENT RELATIONSHIP

 

3.1. Labor and personnel records

(1)     Only those data may be requested from employees and documented, and only those medical aptitude examinations related to the employee’s job function may be carried out, that are necessary for the conclusion, fulfillment or termination of the employment relationship or for providing social and welfare benefits, and that do not infringe the employee’s rights to personality.

(2)     In order to exercise its legitimate employer interests (Article 6 (1) (f)), the Company shall process the following data of its employees for the purposes of conclusion, fulfillment or termination of the employment relationship:

 

1. name

2. birth name

3. date of birth

4. place of birth

5. mother’s maiden name

6. gender

7. address

8. citizenship

9. tax ID number

10. social security ID number

11. pensioner ID number (if the employee is a pensioner)

12. phone number of the employee, phone number of the employee’s relatives (if so requested by the employee)

13. e-mail address

14. ID number

15. number of the address card

16. bank account number

17. identification online (if any)

18. beginning and last day of the work

19. scope of the work

20. copy of the education’s certificate, qualification’s certificate

21. copy of the driving licence

22. previous work place’s data, documents, reference letter

23. photo

24. CV

25. wage, data in connection of the payment of the wage and any of other remuneration

26. name of the employee’s relatives, personal data, address thereof, marriage, birth and death certificate

27. the debt to be deducted from the employees’ wage under a final decision or the employee’s written consent, or its eligibility

28. evaluation of the employee’s work

29. documents of disciplinary proceedings (written warning)

30. type and reasons of the employment relationship’s termination

31. certificate of good conduct depending on the scope of the job

32. summary of job aptitude tests

33. in the case of a private pension fund and a voluntary mutual insurance fund membership, the name, identification number and employee’s membership number

34. passport number for a foreign employee, the title and number of the document certifying his/her entitlement of work

35. data recorded in the minutes on the accident of the employee

36. data necessary for the use of welfare services and commercial accommodation

37. data recorded by the Company’s Electronic Surveillance System for security and property protection purposes

38. data relating to alcohol control

 

(3)     Data relating to sickness shall be processed by the Company only for performance of rights and obligations set forth by the Labor Code.

(4)     The recipients of the personal data are the following: the employer’s managing director, the person exercising the employer’s rights, the employees of the Company responsible for labor matters and the Company’s data processors.

(5)     Only the data of the managers of the Company can be forwarded to the shareholder of the Company, except for the cases of approving the salary increase and the annual bonus for which purposes the names and wage data of all employees can be forwarded.

(6)     The retention period of personal data is the following: as a main rule it is unlimited and as regards the specific data the Company’s Data Processing Policy shall prevail.

(7)     The data subject must be informed that the data processing is based on the Labor Code and the exercise of the legitimate interests of the employer.

 

 

3.2. Data processing in connection with aptitude tests

 

(1)     An employee may be requested to take an aptitude test if one is prescribed by employment regulations, or if deemed necessary with a view to exercising rights and discharging obligations in accordance with employment regulations. Prior to doing the examination the employees must be informed in a detailed manner, among others, of the aimed capacities, abilities of the test as well as the method and tools of the test to be conducted. If the test is prescribed by law, then the employee must also be informed of the exact title and paragraph of the legal regulation concerned.

(2)     The test forms focusing on the aptitude and preparedness of the employees can be completed by the employees both prior to entering into employment contract or during the employment relationship.

 

(3)     Completion of test forms suitable for searching psychological and personality characteristics by major groups of employees can only be required, provided they are aiming at the better organization of work processes and increasing their efficiency in connection clearly with employment relationship if the data resulting from the research cannot be bound to certain concrete employees i.e. the data process is made in an anonymous way.

(4)     Sphere of personal data subject to processing: the existence of job function suitability and the conditions precedent thereto.

(5)     Legal basis of data processing: the legitimate interests of the employer.

(6)     Purpose of data processing: establishment and maintenance of employment relationship as well as performing job function.

(7)     Recipients and categories of recipients of personal data: The outcome of the test can be known by the examined employees and the experts conducting the tests. The employer may only receive information about the fact whether or not the examined employee is apt for the job function concerned and the conditions to be ensured for that. However, the particulars of the test and the full documentation thereof cannot be known by the employer.

(8)        Retention period of personal data: Three years after termination of the employment relationship.

 

 

3.3. Processing of personal data of employees applying for job, tenders, CVs

 

(1)     Sphere of personal data subject to processing: name, birth date and place, mother’s name, address, education details, photograph, phone number and e-mail address of the natural person as well as employer’s notes about the applicant, if any.

(2)     Purpose of the data processing: application, adjudication of the application, conclusion of employment contract with the selected person. The data subject must be informed of the employer’s decision on not being selected for the job concerned.

(3)     Legal basis of data processing: consent of the data subject.

(4)     Recipients and categories of recipients of personal data: the manager exercising employer’s rights at the Company, employees responsible for HR matters

(5)        Retention period of personal data: Until the adjudication of the application or tender but by the end of the probation period of the job function to be performed. Personal data of applicants not selected must be cancelled.  Personal data of those applicants must also be cancelled who withdrew their applications.

(6)        The employer may retain the applications only under the express, clear and voluntary consent of the data subject provided retention thereof is required for a data processing purpose compliant with laws. Such consent should be requested from the applicant after the closure of the application procedure.

 

 

3.4. Data processing in connection with checking the use of E-mail account

 

(1)     If an e-mail account is provided by the Company to the employee, whereby both e-mail account and address are meant, this e-mail account and address can be used by the employee exclusively for the purposes of his/her responsibilities under his/her job function so that the employees can keep in touch with each other through this channel or the employees could correspond on behalf of the employer with clients, other persons and entities.

(2)     The e-mail account cannot be used by the employee for private purposes and personal letters cannot be stored on the account.

(3)     The employer is entitled to check the full contents and use of the e-mail account regularly, every three months, and in the course thereof the legal basis of the data processing is the legitimate interest of the employer. The purposes of the control are checking the compliance with the employer’s instruction on the use of the e-mail account as well as with the employees’ obligations under Sections 8. § and 52. § of the Labour Code.

(4)     The employer’s managing director and the person vested with exercising the employer’s rights are authorized to conduct the control.

(5)     Provided the circumstances of the control do not exclude the possibility, the attendance of the employee should be ensured during the control.

(6)     Prior to starting the control the employee should be informed of the nature of the employer’s interests of the control as well as the person authorized to conduct the control on behalf of the employer. The employee should also be informed of the rules of the control, obeying the principle of graduation and the steps of the procedure as well as his/her rights and remedies available in connection with the data processing relating to the control of the e-mail account.

(7)     In the course of the control the principle of graduation should be applied i.e. the address and subject of the e-mail should be examined in order to reveal whether it is connected to the employee’s responsibilities arising from his job function or serves private purposes. Contents of e-mails of non-private purposes can be controlled by the employer without limitation.

(8)     If, contrary to the provisions of this Policy, it can be stated that the e-mail account was used by the employee for private purposes he should be called upon to delete the personal data without delay. In case of absence of the employee or the lack of his cooperation the personal data will be deleted by the employer during the control. Labor law consequences can be applied by the employer against the employee for using the e-mail account contrary to the provisions of this Policy.

(9)     The employee may exercise his rights in connection with data processing connected to the control of his e-mail account in compliance with the provisions of this Policy on the rights of data subjects.

 

 

3.5. Data processing in connection with control of computers, laptop, tablet

 

(1)     Computers, laptops and tablets provided by the Company to the employee for working purposes can be used by the employee exclusively for the purposes of his/her responsibilities under his/her job function. The use of the same for private purposes is prohibited by the Company so the employee is not entitled to process and store any of his correspondence and personal data on these tools. The stored data on these tools can be checked by the employer. As regards the control of these tools and the legal consequences the provisions of foregoing Section 3.4. shall prevail.

 

 

3.6. Data processing in connection with the control of the use of internet at work place

 

(1)     The employee is entitled to visit only those websites that are connected to his responsibilities under his job function. The use of internet for private purposes is prohibited by the Company.

(2)     As a result of internet registration implemented on behalf of the Company as part of the responsibilities under job function the Company becomes the beneficiary of the registration and identification and password referring to the Company must be used to the registration. If disclosure of personal data is also needed for registration the Company is obliged to apply for the erasure thereof once the employment relationship has been terminated.

(3)     The employee’s internet use at work place can be checked by the employer. As regards the legal consequences, the provisions of foregoing Section 3.4. shall prevail.

 

 

3.7. Data processing in connection with the control of using the Company mobile phones

 

(1)     Private purpose use of the Company mobile phones is not allowed by the Company. The mobile phone can only be used for purposes in connection with work performance and the employer is entitled to check the phone number and data of any and all outbound phone calls as well as the stored data of the mobile phone.

 

 

(2)     The employee must report to the employer if he used the Company mobile phone for private purposes. In this case the control can be so conducted that a detailed list of outbound calls is required by the employer from the service provider and the employee is invited to make the phone numbers of private purposes unrecognizable. The employer may lay down that the costs of private purpose calls must be borne by the employee.

(3)     Otherwise, as regards the control and the legal consequences the provisions of foregoing Section 3.4. shall prevail.

 

 

3.8. Data processing in connection with entering and leaving the work place

 

(1)     If a non-electronic entrance system is operated an information letter must be published about the person in charge of data processing and the manner of data processing.

(2)     The sphere of personal data subject to processing: name of the natural person, name of the company represented by him, the name of the employee visited, the plate number of the car, the time of entrance and leave.

(3)     Legal basis of data processing: the enforcement of the employer’s legitimate interests.

(4)     Purpose of the data processing: property protection, performance of contracts, fulfillment of employee obligations.

(5)     Recipients and categories of recipients of personal data: the person exercising the employer’s rights, the employees of the Company responsible for labor matters and the employees of the Company’s data processor in its capacity as property protection agent.

(6)     Retention period of personal data: 6 months.

(7)     The employer is entitled to check whether the employee is under the influence of alcohol. The employee is required to cooperate in the alcohol investigation carried out by the employer.

 

3.9. Data processing in connection with video surveillance at work place

 

(2)     Legal basis of this data processing: the enforcement of the employer’s legitimate interests and the consent of the data subject.

(3)     An information document and symbol calling the attention of third parties intending to appear at the site must be placed in a well visible location and legible form about the use of electronic surveillance system. The information should be given in case of each camera. This information should contain the following: the fact of surveillance via electronic property protection system, purpose of recording and storing video and sound recordings on personal data, legal basis of the data processing, the location of storing recordings the retention period, the person in charge with applying and operating the system, the categories of persons authorized to know the data as well as information on provisions about the rights of data subjects and the enforcement thereof.

(4)     Sound and video recording can be recorded and processed about third parties entering the surveilled area such as clients, visitors, guests only with their consent. Such consent can be given also by implicit conduct. Implicit conduct means especially if the person staying at the surveilled area, in spite of the information and symbol about the application of electronic surveillance system, enters the area.

(6)     Those whose rights or legal interests are concerned by the recording of sound and/or video record may request not to erase or delete the data within 3 working days from the recording certifying his rights or legal interests.

(7)     Application of the electronic surveillance system is not allowed at those premises where the survey might violate the personal integrity such as dressing rooms, bathrooms, restrooms and medical premises and visitor’s hall belonging thereto. The same applies to premises which are designated for employees to stay during breaks.

(8)     The following persons are authorized to see the recorded data through the electronic surveillance system beyond those entrusted by law: staff operating the system for detecting the unlawful actions and checking the system as well as the managing director of the employer and his substitute and the site manager of the surveilled area.

 

4. DATA PROCESSING CONNECTING TO CONTRACTS

 

4.1. Processing of contracting parties’ data – filing system on buyers and suppliers

 

(1)        Under legal basis of fulfilment of contracts the following data of those natural persons are processed by the Company for purposes of conclusion, fulfilment and termination of contracts or offering contractual benefits who entered into contract with the Company as buyers or suppliers: name, birth name, birth place and date, mother’s name, address, tax identification number, entrepreneurial and agricultural number, ID number, registered seat or premises, phone number, e-mail address, web-site, bank account number, customer number (client number, order number), online identification number, (list of buyers, suppliers, lists of stem purchasers). Such data processing will qualify as lawful even if the data processing is necessary for taking steps prior to entering into contract under the request of the data subject. Recipients of the personal data: employees and data processors of the Company responsible for client service, accounting and taxation. Retention period of personal data: 5 years after termination of the contract.

(2)        Before commencement of data processing the data subject natural person must be informed of the legal basis of data processing which is performance of contract. Such information may be provided also within the contract.

(3)     The data subject must be informed of forwarding his personal data to data processors.

 

4.2. Availabilities of natural persons being representatives of customers, buyers and suppliers qualifying as legal persons

 

(1)        Sphere of personal data subject to processing: name, address, phone number, e-mail address and online identification number of the natural person.

(2)        Purpose of the data processing: performance of contracts concluded with the Company’s business partners qualifying as legal person, and keeping in touch with them. The data subject’s consent constitutes the legal basis of data processing.

(3)     Recipients and categories of recipients of personal data: employees of the Company responsible for client service.

(4)        Retention period of personal data: until five years following the existence of the business relationship or the capacity of the data subject being representative.

 

 

4.3. Data processing of visitors at the website of the Company  

 

(1)     Cookies are short text files that are placed by the visited website on the user’s terminal equipment. The purpose of the cookies is to facilitate info-communication and internet services and make them more comfortable. There are various types but usually they are classified in two groups. The first is the temporary cookie which is placed by the website just for one specific process (e.g. security identification during internet banking) at the terminal equipment of the visitor. The other type is the permanent cookie (e.g. language of a website) which remains on the terminal equipment until the user deletes it. Under the directives of the European Commission cookies may be placed on the equipment of the user only with the consent of the user unless they are inevitably necessary for using the service concerned.

  1. In case of cookies not requiring the user’s consent the information must be given at the first visit of the website. The full text of the information should not be displayed at the website. Short summary on the merit of the information published by the operators of the website is sufficient with a reference to the full information through a link.
  2. In case of cookies subject to consent the information can be connected to the first visit of the website even in the case if the data processing relating to application of cookies commences with visiting the page. If the application of cookies is connected to the use of the function expressly requested by the user then the information can be displayed connected to the use of this function. In this case the full text of the information should not be displayed at the website. Short summary on the merit of the information published by the operators of the website is sufficient with a reference to the full information through a link.

 

(4)     Visitors must be informed of using cookies at the website. By this information the Company safeguards that visitors can get acquainted with the purposes of data processing and the types of data processed, including processing data not directly connected to the user, even prior to utilizing the services connected to the information society of the website and afterwards at any time.

 

 

4.4. Information about application of cookies

 

(1)     In compliance with the generally spread internet practice cookies are used on the website of our Company, too. Cookies qualify as small files that contain a number of characters and they are stored on the user’s computer while the user is browsing. When he next visits the website, the website, thanks to the cookies, is able to recognize the browser of the user. Cookies may store user’s settings such as the selected language and other information. Among others, cookies collect information on the visitor and his equipment, remember the user’s individual settings and may be utilized when using the shopping cart in an online store. In general, cookies facilitate the use of the website, enrich the user’s real internet experience regarding the website and help it to become an efficient source of information. Furthermore, for the purposes of the operator of the website cookies ensure the control over the website, the prevention against abuses as well as the adequate level of services provided on the website.

(2)     The following data of the visitor and his equipment used for browsing will be stored and processed by the Company’s website:

– IP address used by the visitor,

– type of the browser,

– characteristics of the equipment’s operating system used for browsing (language set)

– date of the visit,

– visited website, subpage, functions or service.

(3)     Acceptance or permission to use cookies is not mandatory. You may reconfigure your browser’s settings so that any and all cookies are refused or so that you are notified whenever the systems are sending a cookie. Although most browsers automatically accept cookies by default, this setting can be changed in order to avoid the automatic acceptance and offer the option to choose. Nevertheless, we draw your attention to the fact that certain website functions and web services might not work properly without cookies.

 

(4) The cookies used on the website are not sufficient on their own to identify the user.

 

(5)  Cookies used on the Company’s website are the following:

 

1. Cookies technically inevitably necessary, so called session cookies.

These cookies are necessary so that the visitors may browse the website, fully and smoothly use its functions and the available services and, among others, especially restore the actions implemented by the visitor during his visit on the website concerned.  The retention period of these cookies is limited to the actual visit of the visitor. When the session is ended or the browser is closed this type of cookies will be automatically deleted from the computer.

The sphere of data processed: AVChatUserId, JSESSIONID, portal_referer.

Section 13/A. § (3) of Act CVIII. of 2001 serves as legal basis for this sort of data processing.

Purpose of data processing: ensuring the proper operation of the website.

 

2. Cookies requiring approval:

These cookies allow the Company to remember the choices of the user in connection with the website. The visitor may at any time prohibit this sort of data processing both prior to using this service and in the course thereof. These data cannot be connected to the identification data of the user and cannot be transferred to third parties without the consent of the user.

2.1. Cookies supporting use:

Legal basis of data processing: the consent of the visitor.

Purpose of data processing: increasing the efficiency of the service, enhancing the user’s experience and making the use of the website more comfortable.

Retention period of data processing: 6 months.

2.2. Cookies ensuring performance:

Google Analytics cookies – you may get information on:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

 

Google AdWords cookies   – you may get information on:

https://support.google.com/adwords/answer/2407785?hl=hu

 

 

 

 

 

5. DATA PROCESSING BASED ON LEGAL OBLIGATIONS

 

5.1. Data processing for complying with taxation and accounting obligations

 

The data processed under Act CXVII. of 1995 are the following: number of entrepreneurial certificate, number of agricultural certificate and tax identification number.

(2)     Retention period of personal data: 8 years after termination of the legal relationship serving for legal basis of data processing.

(3)     Recipients and categories of recipients of personal data: employees and data processors of the Company responsible for taxation, accounting, payroll and social security tasks.

 

 

5.2. Data processing as payer

 

(3)     Recipients and categories of recipients of personal data: data processors and employees of the Company responsible for taxation, payroll and social security (paying) tasks.

 

 

5.3. Data processing for the purposes of complying with legal obligations against money laundering

 

(1)     The Company processes the following data of its clients, their representatives and beneficiary owners for the purposes of complying with its legal obligations as specified in Act No. LIII. of 2017 on prevention and combating of money laundering and terrorist financing: natural persons’

a) first name and surname, b) birth first name and surname, c) citizenship, d) birth place and date, e) mother’s maiden name, f) address, in lack of that place of residence, g) type and number of identification card and certificate on permanent residence as well as the photocopy of documents presented (7. §).

(2)     Recipients of personal data: managing director and those employees of the Company who are responsible for customer service tasks as well as the person designated by the Company pursuant to Pmt.

(3)     Retention period of personal data: 8 years after the termination of the business relationship or the fulfilment of the transaction assignment/Pmt. 56. § (2)/.

 

 

Dated: Esztergom, November 01, 2019.

 

 

____________________________

Ryusuke Hosomi

Managing director

 

ANNEX III

DATA REQUEST FORM FOR PROCESSING OF PERSONAL DATA

UNDER CONSENT 

NAME OF THE DATA SUBJECT:
BIRTH PLACE AND DATE:
MOTHER’S NAME:
ADDRESS:
PHONE NUMBER:
E-MAIL ADDRESS:
ADDITIONAL PERSONAL DATA:

INFORMATION:

NAME OF THE DATA CONTROLLER:
REPRESENTATIVE:
WEBSITE:
PURPOSE OF DATA PROCESSING:
LEGAL BASIS OF DATA PROCESSING: Consent of the data subject.
RECIPIENTS OF PERSONAL DATA:

(those who can see them)

RETENTION PERIOD OF PERSONAL DATA:

 

INFORMATION ON THE RIGHTS OF THE DATA SUBJECT:

You in your capacity as data subject are entitled to request from the data controller the access to your personal data, rectification and erasure thereof, restriction of data processing as well as object it and you have rights to data portability.

You have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

 

You have the right to lodge a complaint with a supervisory authority (Nemzeti Adatvédelmi és Információszabadság Hatóság).

The provision of data is not condition precedent to conclude a contract, you are not obliged to disclose your personal data. Potential consequence of failing to disclose your data: _______________________

Further information is available in the Data Processing Information at the website of the Company (on footnotes)

I have acknowledged the foregoing information and notification and given my free consent for processing my disclosed personal data for the purposes indicated voluntarily, free from any external influence.

 

Dated: ……………………….

____________________________

signature

 

ANNEX IV

INFORMATION on

processing of personal data of employees and on personality rights at

Summit D & V Autóipari Gyártó és Szerelő

Korlátolt Felelősségű Társaság

 

Pursuant to the provisions of Act I. of 2012 on labour code (hereinafter: the Labour Code) the rights relating to personality of employees may be restricted if deemed strictly necessary for reasons directly related to the intended purpose of the employment relationship and if proportionate for achieving its objective. The means and conditions for any restriction of rights relating to personality, and the expected duration shall be communicated to the employees affected in advance. On general principle, employees may not waive their rights relating to personality in advance. Any legal statement concerned with the rights relating to personality of an employee shall be formally valid if made in writing (9. §). The employer must inform their employees concerning the processing of their personal data. In the interest of fulfilment of obligations stemming from an employment relationship, the employer is authorized to disclose the personal data of an employee to a data controller as prescribed by law, indicating the purpose of disclosure, of which the affected employee shall be notified in advance (10. §). The employer is allowed to monitor the behaviour of employees only to the extent pertaining to the employment relationship. The employer’s actions of control, and the means and methods used, may not be at the expense of human dignity. The private life of employees may not be monitored. The employer must inform their employees in advance concerning the technical means used for the surveillance of employees (11. §).

 

The employer complies with its information obligations on the protection of personality rights as follows.

 

I. Information on processing of personal data

 

1. The employee is hereby informed by the employer that, for the purposes of its legitimate interests, the following data of the employees are processed in connection with his employment relationship under the Labour Code:

■ Labour and personnel records

■ Data processing in connection with aptitude tests

■ Data processing in connection with checking the use of E-mail account

■ Data processing in connection with control of computers, laptop, tablet

■ Data processing in connection with the control of the use of internet at work place

■ Data processing in connection with the control of using the Company mobile phones

■ Data processing in connection with entering and leaving the work place

■ Data processing in connection with video surveillance at work place

2. The employee is hereby informed by the employer that under the legal basis of fulfilment of legal obligations the employer shall process the personal data of the employees and, upon their statements, their relatives in order to comply with paying taxes and contributions set forth by law such as determination of taxes, tax advances, contributions, payroll activities, social security management (data processing as payer).

 

3. The employee declares that the data processing policy of the employer has been acknowledged by him, including its chapter about data processing in connection with employment relationship and within this the provisions on the sphere of data to be processed, the purpose of data processing, the retention period, the recipients of data as well as data processing as payer, the data security measures and the rights of employees as data subjects in connection with data processing, so the employer has duly completed its obligation of information.

 

II. Information about data processors

 

1. The employee is hereby informed by the employer that in the interest of fulfilment of tax, contribution and social security obligations stemming from employment relationship, the employer is authorized to disclose the personal data of the employee to a data controller as prescribed by law.

 

The name and registered seat of the bookkeeping firm are as follows:

Crowe FST Consulting Kft.

1124 Budapest, Jagelló út 14.

 

The above assigned bookkeeping firm acting as data processor may be replaced during the employment relationship.

 

2. The assigned firm responsible for property protection, acting as data processor may process the data of the video surveillance system, as well as the date of entrance and leave.

 

The name and registered seat of the property protection service provider are as follows:

Gran Monitoring és Vagyonvédelmi Szolgáltató Kft.

2500 Esztergom, Deák Ferenc utca 34.

 

The above data processor may be replaced during the employment relationship.

 

3. Denomination of other data processors:

 

IT service provider of the Company:

Digitexx Multimedia

2500 Esztergom, Vasas utca 12.

 

Postal service providers, services, parcel deliveries:

Magyar Posta Zrt.

1138 Budapest, Dunavirág u. 2-6.

 

Federal Express Corp. Magyarországi Fióktelepe

2220 Vecsés, Lőrinci út 59.

 

DHL Express Magyarország Kft.

1185 Budapest, BUD Nemzetközi Repülőtér 302. ép

 

III. Information on technical means used for the surveillance of employees

 

The employer informs its employee that the following technical means are used for monitoring his behaviour pertaining to the employment relationship:

 

1. Personal checking

The employer or, under its assignment, the service provider responsible for property protection is entitled to call the employee entering the workplace or leaving it for showing his package as well as opening his locker by communicating the purpose and reason of the contemplated measure if

a) there is solid ground to assume that the employee concerned keeps with him a thing arising out of a criminal action or misdemeanour which is to be safeguarded by the security guard under his contractual obligation;

b) this thing has not been passed in spite of reminder and

c) the measures are necessary for preventing or interrupting an unlawful action.

 

If in the course of personal checking clothes screening or search is necessary, the employer or, under its assignment, the service provider responsible for property protection must notify the authority. The employer is entitled to check whether the employee is under the influence of alcohol. The employee is required to cooperate in the alcohol investigation carried out by the employer.

 

2. Application of electronic surveillance system

 

The employer, in order to protect human life, safety and personal freedom, as well as business secrets and properties, may apply an electronic surveillance system with facilities of sound and/or video recordings.

 

Application of the electronic surveillance system is not allowed at those premises where the survey might violate the personal integrity such as dressing rooms, bathrooms, restrooms and medical premises and visitor’s hall belonging thereto. The same applies to premises that are designated for employees to stay during breaks.

 

Beyond those entrusted by law, the following persons are authorized to view the data recorded by the electronic surveillance system: the staff operating the system, for the purposes of detecting unlawful actions and checking the system; the managing director of the employer and his substitute; and the site manager of the surveilled area.

 

Recordings may be stored without use for no longer than 3 (three) working days. Use shall mean the transfer of the recorded sound and/or video recording or other personal data to the police, other authorities or a court as evidence for the purposes of proceedings. Any person whose rights or legal interests are concerned by a sound and/or video recording may, within 3 working days from the recording and by certifying his rights or legal interests, request that the data not be erased or deleted.

 

The employer informs the employee of the place, target area (viewing angle) and purpose of placement through the special policy on the application of the electronic surveillance system.

 

3. If a non-electronic entrance system is operated, the person responsible for data processing and the method of data processing are set forth in Section 13 of the Data Processing Policy.

 

4. Information on the control of phone use

 

The Company does not allow the use of Company mobile phones for private purposes. The mobile phone can only be used for purposes in connection with work performance, and the employer is entitled to check the phone number and data of any and all outbound phone calls as well as the data stored on the mobile phone. The employee must report to the employer if he has used the Company mobile phone for private purposes. In this case the control can be conducted in such a way that the employer requests a detailed list of outbound calls from the service provider and the employee is invited to make the phone numbers called for private purposes unrecognizable. The employer may lay down that the costs of private purpose calls must be borne by the employee.

 

5. Information on the control of Company car use

 

For the purposes of property protection, subsequent checking of the routes travelled, identifying unreasonable detours and checking fuel use, the employer may use journey forms to be completed by the car users.

 

6. Information on the control of computer and internet use

 

The use of Company-owned computers, electronic mail accounts and the internet for private purposes is prohibited by the employer.

 

The computers and electronic mail accounts used by the employee can be checked and monitored by the employer. The employee must, under the instruction of the employer, delete the files and contents incompatible with work performance from the computer or the electronic mail account.

 

7. Information on restrictions of conduct beyond working time

 

Pursuant to Section 8 (2) of the Labour Code, “employees may not engage in any conduct during or outside their paid working hours that – stemming from the employee’s job or position in the employer’s hierarchy – directly and factually has the potential to damage the employer’s reputation, legitimate economic interest or the intended purpose of the employment relationship. The actions of employees may be controlled as defined in Subsection (2) of Section 9. When exercising such control, the employees affected shall be informed in writing in advance.”

Based on the foregoing, the employee is expected by the employer to refrain only from such behaviour and expression of opinion during his conduct outside of working time that directly and factually has the potential to damage the employer’s reputation, legitimate economic interest or the intended purpose of the employment relationship.

 

 

 

EMPLOYER:                                                 Ryusuke Hosomi

 Managing Director,

person exercising the employer’s rights