LAC Holding Zrt. (hereafter: Enterprise), by publishing the present data processing notification, complies with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The notification should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.
I. THE DATA CONTROLLER
The controller within the meaning of the General Data Protection Regulation is LAC Holding Zrt. (Enterprise).
COMPANY NAME: LAC Holding Zrt.
REGISTERED SEAT: 1097 Budapest, Könyves Kálmán krt. 16.
Company registration number: 01 10 043185
VAT number: 12176278-2-43
PHONE: +36 1 476 3460
E-MAIL ADDRESS: kzprojects@lac.hu
WEBSITE: lackz.net
Personal data will be assessed by those employees of the Enterprise who are authorised by the Enterprise, and those processors who are contracted for processing with the Enterprise whose processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
II. PROCESSOR(S)
The Enterprise employs an external processor company to run and maintain its website.
COMPANY NAME: LAC Holding Zrt.
REGISTERED SEAT: 1097 Budapest, Könyves Kálmán krt. 16.
Company registration number: 01 10 043185
VAT number: 12176278-2-43
PHONE: +36 1 476 3460
E-MAIL ADDRESS: kzprojects@lac.hu
WEBSITE: lackz.net
III. DEFINITIONS
For the purposes of this Regulation:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
13. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.
IV. LAWFULNESS OF PROCESSING
1. Consent of the Individual
(1) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law.
(2) Consent of the data subject should be given in the following forms:
a) by a written statement, by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,
b) by electronic means, ticking a box when visiting the website of the Enterprise, or choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.
(3) Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
(4) Consent should cover all processing activities carried out for the same purpose or purposes.
(5) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
(6) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
2. Performance of a contract
(1) Processing shall be lawful only if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(2) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract, and consent for processing unnecessary personal data should not be a condition for entering the contract.
3. Responsibility and liability of the controller for any processing of personal data carried out by the controller
(1) Where the lawfulness of data processing is determined by law in the event of a legal obligation, the consent of the person concerned is not necessary for the processing of his or her personal data.
(2) The Controller is obliged to inform the data subject about the purpose, lawfulness, time interval, the controller’s person, and about his or her rights.
(3) The Controller shall process data after the data subject has withdrawn his/her consent if it is necessary for fulfilling the Controller’s legal obligation.
4. Processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(1) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
(2) At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
(3) The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
V. RIGHTS OF THE DATA SUBJECT
1. The Enterprise provides the following notification on the rights of the data subject:
The data subject has the right
a) to receive information prior to processing,
b) to be informed of the existence of profiling and the consequences of such profiling,
c) to have personal data concerning him or her rectified and a ‘right to be forgotten’,
d) to obtain from the controller restriction of processing,
e) to data portability,
f) to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest or the purposes of the legitimate interests pursued by the controller,
g) not to be subject to a decision based solely on automated processing, including profiling,
h) to lodge a complaint with a single supervisory authority. Complaints can be submitted to the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; www: http://www.naih.hu; e-mail: ugyfelszolgalat@naih.hu,
i) to an effective judicial remedy against the supervisory authority,
j) to an effective judicial remedy against the controller or the processor,
k) to be informed of the progress and the outcome of the complaint within a reasonable period.
2. Detailed information on exercise of the rights of the data subject
Right to transparency
(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all information related to data processing.
(2) Information that is provided where data are collected from the data subject:
a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
(3) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
c) where the processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(4) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) the categories of personal data concerned;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
(5) In addition to the information referred to in paragraph (4), the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) where the processing is based on point (f) of Article 6 (1), the legitimate interests pursued by the controller or by a third party;
c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
d) where processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
e) the right to lodge a complaint with a supervisory authority;
f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
g) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(6) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph (4).
(7) Paragraphs (4) to (6) shall not apply where and insofar as:
a) the data subject already has the information;
b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
Right of access by the data subject
(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right of data subject to rectification and erasure
Right to rectification
(1) The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
(2) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
(3) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
(4) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
Right to restriction of processing
(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
(1) The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
(2) The controller shall inform the data subject about those recipients if the data subject requests it.
Right to data portability
(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
(2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to object
(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
(3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right not to be subject to automated individual decision-making, including profiling
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
c) is based on the data subject’s explicit consent.
(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Right to lodge a complaint with a supervisory authority
(1) Pursuant to Article 77, every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
(2) Complaints can be submitted to the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410; www: http://www.naih.hu; e-mail: ugyfelszolgalat@naih.hu
(3) The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Right to an effective judicial remedy against a supervisory authority
(1) Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
(2) Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
(4) Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Right to an effective judicial remedy against a controller or processor
(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
(2) Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Restrictions
(1) Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
a) national security;
b) defence;
c) public security;
d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
f) the protection of judicial independence and judicial proceedings;
g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i) the protection of the data subject or the rights and freedoms of others;
j) the enforcement of civil law claims.
(2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
a) the purposes of the processing or categories of processing;
b) the categories of personal data;
c) the scope of the restrictions introduced;
d) the safeguards to prevent abuse or unlawful access or transfer;
e) the specification of the controller or categories of controllers;
f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
g) the risks to the rights and freedoms of data subjects; and
h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
Communication of a personal data breach to the data subject
(1) When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
(2) The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
(3) The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
(4) If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
VI. PROCEDURE ON REQUEST OF THE DATA SUBJECT
(1) The Enterprise will provide information to data subjects whose requests are received from an individual whose identity can be validated by Company.
(2) The Enterprise must provide a response to data subjects' requests within 30 calendar days of receiving the Data Subject Request without any undue delay. In case of complex and numerous requests, the deadline can be prolonged for a further 2 months. The Controller must inform the data subject within one month about the prolonged delay and its reasons.
(3) Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
(4) If the Enterprise does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
(5) Enterprise shall provide information free of charge in the following cases: feedback on processing personal data, access to processed data, data to be rectified, corrected, erased, restriction of processing, data portability, on objecting data processing and the notification of personal data breach.
(6) Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: charge a reasonable fee of 5000 HUF taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.
(7) The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
(8) Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
VII. PROCEDURE IN CASE OF PERSONAL DATA BREACH
(1) Personal data incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data including breaches that are the result of both accidental and deliberate causes.
(2) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored. Personal data breach occurs if data has been deleted either accidentally or by an unauthorised person, or, in securely encrypted data, the decryption key has been lost, infection by ransomware (malicious software which encrypts the controller’s data until a ransom is paid),
(3) Providers shall without delay maintain an inventory of personal data breaches comprising the facts surrounding the breach, its effects and the remedial action taken.
(4) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
(5) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
(6) The notification referred to in paragraph 3 shall at least:
a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(7) Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
(8) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33.
VIII. DATA PROCESSING ON WEBSITE
Information on the data of the website visitors
(1) When a visitor browses the website of the Enterprise, one or more cookies - small data packages - will be downloaded to the visitor’s device. Cookies are then sent back to the website on each subsequent visit. Cookies allow the website to recognize the user's device only if the user has expressed explicit (active) consent by continuing his/her browsing activity on the website after having read our cookie policy.
(2) This website uses cookies to improve user experience and to automate the entry process. Cookies do not contain information that can identify the user; the Enterprise does not process private data in this matter.
Registration, newsletter subscription
(1) The legal basis of data processing is registration, and the consent of user is the legal basis of newsletter subscription. This is provided by the user by ticking the checkbox under „registration” and „newsletter subscription” text on the website.
(2) Data subjects of registration and newsletter subscription: natural persons who intend to subscribe to the newsletter of the Enterprise or to register on the website, and who have given consent to the processing of their personal data.
(3) Data processed for email subscription: name, email address.
(4) Data processed for registration: name, postal address, email address, phone number, entry password.
(5) Purpose of data processing in case of newsletter subscription: providing information about the services and products, news and events of the Enterprise.
(6) Purpose of data processing in case of registration: contact details for preparing a contract, providing free access services of the website, providing access to the website contents that are not publicly accessible.
(7) Persons entitled to data management (who can access data) in case of newsletter subscription and registration: managing director of the Enterprise, employee responsible for customer relations, data processors responsible for the Enterprise’s website.
(8) Personal data will be stored until data subject unsubscribes from newsletter. The duration of data control: from subscribing until unsubscribing from newsletters, in case of registration: until deleting the registration data by request of the data subject.
(9) Data subject may unsubscribe from receiving newsletters and may request erasure of his/her registration data. Data subject can unsubscribe from newsletter by clicking the un-subscription link in the email footer, or by sending a letter to the Enterprise.
Data processing for Direct marketing purposes
(1) Processing for direct marketing purposes shall be lawful if the data subject has given clear and explicit consent to the processing of his or her personal data for direct marketing purposes. The user’s prior consent is provided on the website of the Enterprise by ticking the consent checkbox following the information about the data process regulation. „Consent to be reachable for direct marketing purposes”.
(2) Consent can be given by the data subject by sending the data sheet via post.
(3) Data subjects: natural persons who have expressed clear consent to the Enterprise managing their personal data for direct marketing purposes.
(4) Purpose of data control: sending promotional, publicity or other communications about our services and products, sending offers, notifying of promotions by email or by post.
(5) Persons entitled to data management: managing director of the Enterprise, employees responsible for customer service and marketing.
(6) Description of the data involved in data control: name, postal address, phone number, email address.
(7) The duration of data control: until data subject withdraws consent to data processing for direct marketing purposes.
IX. DATA PROCESS RELATED TO FULFILLMENT OF CONTRACTS
(1) The Enterprise manages personal data of natural persons contracting with the Enterprise (customers, clients, transporters) related to their contract. Data subjects must be informed about the processing of their personal data.
(2) Data subjects: natural persons who establish a contractual relationship with the Enterprise.
(3) The legal basis of data control is the performance of contract; the purpose of the data control is to maintain contact in connection with the contract, to enforce claims arising from the contract and to comply with contractual obligations.
(4) Persons entitled to data management: managing director of the Enterprise, employees responsible for customer service, accountants employed by the Enterprise.
(5) Description of the data involved in data control: name, address, seat, phone number, email address, tax number, bank account number, number of business licence.
(6) The duration of data control: 5 years after the expiry of contract.
X. PROVISIONS ON DATA SECURITY
(1) Enterprise shall process personal data only in accordance with the present Regulation for data processing purposes.
(2) The Enterprise shall take the technical and organizational measures, and shall develop the rules of procedure, that are needed to ensure that the provisions of the GDPR and other relevant legal provisions on data protection are enforced.
(3) Data must be protected by the Enterprise by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and in a way to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
(4) Technical and organisational measures implemented by the Enterprise for data security are described in the Data Protection Regulation of the Enterprise.
(5) In determining the measures to ensure security of processing, the Enterprise shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.
XI. RULES OF DATA PROCESSING
1. General rules of data processing
(1) Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects in due compliance with the provisions of this Act and other regulations on data protection.
(2) Enterprise declares that the data processor may not make any decision on the merits of data processing and shall process any and all data entrusted to it solely as instructed by the controller; the processor shall not engage in data processing for its own purposes and shall store and safeguard personal data according to the instructions of the controller.
(3) The Enterprise shall be held liable for the legitimacy of its instructions with regard to data processing.
(4) Enterprise must inform data subjects about the name and address (seat) of the technical data processor.
(5) The data processor shall not be permitted to subcontract another data processor according to the notice of the data controller.
(6) Contracts for the processing of data must be made in writing. Any company that is interested in the business activity for which personal data is used may not be contracted for the processing of such data.
Budapest, 23 May 2018