WEBSITE DATASHEET DOCUMENTATION
I. TITLE OF DATA MANAGEMENT
The Enterprise informs the data subject that he is qualified as data manager in case of handling of his / her personal data.
COMPANY NAME: BRAMCKE GMBH
HEADQUARTER: 52353 DÜREN, AN GUT NAZARETH 18A, GERMANY
VAT ID: DE323556495
REPRESENTATIVE: Kovács Sándor Zsolt
E-MAIL: info@bramcke.de
WEBSITE: www.bramcke.de
Personal data may be recognized by the entity, persons or entities performing data processing activities under the terms of the Service, and to the extent specified by the Enterprise, to the extent necessary to perform the activities of the Employee with access rights related to the relevant data management purpose.
Employees of the Enterprise have access rights to personal data, related to the relevant data management, or persons, services carrying out data processing activities on the basis of service contracts to the Enterprise, in the extent specified by the Enterprise and to the extent necessary to carry out their business.
II. DESIGNATION OF DATA PROCESSOR(S)
(1) The Enterprise uses an external data processor entrusted with the personal data handled on the basis of a voluntary contribution to operate and maintain its web site.
COMPANY NAME: Tarhely.eu Szolgáltató Kft.
HEADQUARTER: 1097 Budapest, Könyves Kálmán körút 12-14.
VAT ID: 14571332-2-42
E-MAIL: support@tarhely.eu
WEBSITE: tarhely.eu
ACTIVITY: server hosting, system administrator service
III. DEFINITIONS
1. „personal data”: identified or identifiable natural person („affected”) concerning relevant information;
a natural person may be identified, directly or indirectly, based on one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of an identifier such as name, number, positioning data, online identifier or natural person identified;
2. „data management”: the totality of any operation or operations carried out in an automated or non-automated way in personal data or data files, such as collecting, recording, organizing, tagging, storing, transforming or modifying, querying, inspecting, using, communicating, distributing or otherwise making available, aligning or linking, limiting, deleting or destroying;
3. „limitation of data management”: the designation of stored personal data to limit their future management
4. „profiling”: any form of the automated management of personal data where personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyze or predict characteristics related to work performance, economic status, health status, personal preferences, interest, reliability, behavior, location or movement;
5. „name encryption”: the processing of personal data in a way that, without the use of additional information, it can no longer be stated to which specific natural person is the subject of the personal data, provided that such additional information is stored separately and guarantees with technical and organizational measures that the identity or this personal data can not be linked to identified and identifiable natural persons;
6. „registration system”: any personal data in any way, centralized, decentralized or functional or geographic, accessible on the basis of defined criteria;
7. „data manager”: means any natural or legal person, public authority, agency or any other organisation that determines the purposes and means of handling personal data individually or with others; where the purposes and means of data management are defined by Union or national law, the data controller or the particular aspects of the designation of the data controller may also be determined by Union or national law;
8. „data processor”: means any natural or legal person, public authority, agency or any other organisation that manages personal data on behalf of the data controller;
9. „addressee”: means any natural or legal person, public authority, agency or any other organisation, with whom the data processor communicates personal information, regardless of whether it is a third party. Public authorities which have access to personal data in an individual investigation in accordance with Union or national law shall not be considered as addressee; the management of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of data management
10. „third party”: means any natural or legal person, public authority, agency or any other organisation, which is not the same as the data subject, the data controller, the data processor or persons who have been authorized to handle personal data under the direct control of the data controller or data processor;
11. „contribution of the subject”: a voluntary, specific and appropriate informed and explicit statement of the will of the person concerned by which he or she indicates the statement in question or the act of expressing ineffective affirmation that he or she has consented to the processing of personal data concerning him;
12. „privacy incident”: casualty of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise treated;
13. „enterprise”: a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships and associations with regular economic activities.
IV. THE LEGAL BASIS OF DATA MANAGEMENT
1. Contribution of the party concerned
(1) The lawfulness of the handling of personal data must be based on the consent of the person concerned or another of their legitimate statutory basis.
(2) In the case of data handling on the basis of the consent of the person concerned, the data subject may contribute to the management of his or her personal data in the following form:
a) in writing, in the form of a statement giving consent to personal data processing,
b) by electronic means, by expressly adopting the check box of the Enterprise website or by making technical adjustments to the use of information society services, and by any other statement or action that is relevant to the intended use of the person's personal data in that context clearly indicates.
(3) Silence, a pre-ticked box or inaction therefore does not constitute consent.
(4) Contribution covers all data management activities for the same purpose or purposes.
(5) If data management serves multiple purposes at a time, the consent must be given for all data management purposes. If the consent of the party concerned is provided after an electronic request, the request shall be clear and concise and shall not unnecessarily hinder the use of the service for which the contribution is requested.
(6) The person concerned has the right to withdraw his consent at any time. Withdrawal of consent shall not affect the lawfulness of the data processing carried out on the basis of consent prior to the withdrawal. Before consent is given, the person concerned must be informed thereof. The withdrawal of the consent must be allowed in the same simple way as the granting of the consent.
2. Performing of the Contract
Data processing is considered legitimate if it is necessary for the performance of a contract in which the party concerned is required to take action on one of the parties or before the conclusion of the contract.
1. Contribution to the processing of personal data not necessary for the performance of the contract may not be a condition for the conclusion of the contract.
3. Compliance with a legal obligation for the data controller or the protection of the vital interests of the data subject or other natural person
The legal basis for data handling is determined by law in the event of a legal obligation, so the consent of the person concerned is not necessary to handle his / her personal data.
- The data controller shall inform the data subject of the purpose, legal basis, duration of the data handling and the rights and remedies of the data controller.
2. The data controller shall be entitled to manage the data field necessary for the fulfillment of a legal obligation on him, following the withdrawal of the consent of the person concerned.
4. Implementation of a task carried out in the exercise of a public authority or in the exercise of a public authority on the data controller, enforcement of the legitimate interests of the data controller or a third party.
The data controller, including the data controller with whom personal data may be disclosed, or a legitimate interest of a third party, may provide a legal basis for data management, provided that the interests, fundamental rights and freedoms of the data subject do not take precedence, taking into account the reasonable expectations of the concerned person, based on his relationship with the data controller. Such a legitimate interest may arise, for example, when there is a relevant and adequate link between the data subject and the data controller, for example in cases where the data subject is in the client's or his employment.
- In order to establish the existence of a legitimate interest, it must be taken into consideration whether the data subject can reasonably expect to be able to handle data for the purpose at the time of collection of personal data and in the context of the collection of personal data.
- The interests and fundamental rights of the data subject may take precedence over the data controller's interest if the personal data are handled under circumstances in which the data subjects do not count for further data handling.
V. CONDITIONS RELATING TO THE MANAGEMENT OF DATA CONTAINED BY THE PERSON CONCERNED
1. The following information is briefly provided to the person concerned about the rights of the person concerned:
The person concerned has the right to:
- to be informed before information is processed,
- to be given feedback by the data controller on whether his or her personal data is being processed and, if such processing is in progress, he has the right to provide personal data and the following information,
- to request the correction or deletion of the data of the data controller to be notified of this,
- request a restriction on data management and receive notification from the data controller about this,
- for data storage,
- to protest if their personal information is handled in the public interest or in the legitimate interest of the data controller.
- be exempt from automatic decision-making, including profiling,
- to complain to the supervisory authority. Exercising their rights of complaint by contacting the following contact details: Nemzeti Adatvédelmi és Információszabadság Hatóság (National Data Protection and Freedom of Information Authority), Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410, www: http://www.naih.hu, e-mail: ugyfelszolgalat@naih.hu
- effective judicial remedies against the supervisory authority,
- Effective judicial remedies against data controller or data processor
- Information on the privacy incident.
2. Detailed information on rights of the party concerned
Rights to be informed
(1) The person concerned has the right to be informed about data management related information prior to commencing the conduct of his or her data management.
(2) Information to be made available when collecting personal data from the data subject:
- the identity and contact details of the data controller and, if any, of the data controller's representative;
- the contact details of the Data Protection Officer, if any;
- the purpose of the planned management of personal data and the legal basis for data handling;
- in the case of data handling based on Article 6 (1) (f) of the Regulation, legitimate interests of data controller or third party;
- where appropriate, the addressees of the personal data or the categories of recipients, if any;
- where appropriate, the fact that the data controller wishes to transmit personal data to a third country or to an international organization and the existence or non-existence of a Commission decision on adequacy, or Article 46, 47 or Article 49 (1), the indication of the appropriate and suitable guarantees and the means of obtaining copies thereof or the reference to their availability.
(3) In addition to the information referred to in paragraph 1, the data controller shall provide the data subject with the following additional information at the time of the acquisition of personal data in order to ensure fair and transparent data management:
- the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
- the right of the data subject to request access to, correction, deletion or limitation of the personal data of the data controller and to object to the handling of such personal data and the right of the data subject to the relevant data storage;
- the right to withdraw consent at any time in the case of data handling based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, which does not affect the lawfulness of the data processing carried out on the basis of consent prior to the withdrawal;
- the right to lodge a complaint addressed to the supervisory authority;
- whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract and whether the data subject is obliged to provide personal data and the possible consequences of non-disclosure;
- the fact of the automated decision making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and at least in such cases, the logic applied and the intelligible information on the significance of such data handling and the expected consequences.
(4) If personal data are not obtained from the data subject, the data controller shall provide the following information to the data subject:
- the identity and contact details of the data controller and, if there is any, of the data controller's representative;
- the Data Protection Officer’s contact details, if any;
- the purpose of the planned management of personal data and the legal basis for data handling;
- the categories of personal data concerned;
- the recipients of personal data or the categories of recipients, if any;
- where appropriate, the fact that the data controller wishes to transmit personal data to a recipient of a third country or to an international organization, or to the existence or non-existence of a Commission's conformity decision or to Article 46, Article 47 or Article 49 (1), second indent, the indication of the appropriate and suitable guarantees and the means of obtaining copies thereof or a reference to their availability.
(2) In addition to the information referred to in paragraph 1, the data controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject concerned:
- the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
- if the data processing is based on Article 6 (1) (f) of the Regulation, on the legitimate interests of the data controller or third party;
- the right of the data subject to apply for access, rectification, cancellation or management of personal data relating to the data controller and to object to the processing of personal data and his right to data storage;
- the right to withdraw consent at any time in the case of data handling based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, which does not affect the lawfulness of the data processing carried out on the basis of consent prior to the withdrawal;
- the right to lodge a complaint addressed to a supervisory authority;
- the source of personal data and, where applicable, whether the data originate from publicly available sources; and
- the fact of the automated decision making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in such cases, the applied logic and the understandable information on the significance of such data handling and the expected consequences.
(3) If the data controller wishes to perform further data processing for purposes other than the purpose for which they are acquired, he / she shall inform the data subject of this different purpose and any relevant additional information referred to in paragraph 2 before further data processing.
(4) Paragraphs 1 to 3 shall not apply where and to the extent of:
- the person concerned already has the information;
- the disclosure of the information in question would prove impossible or would require disproportionate effort, in particular for purposes of public interest archiving, for scientific and historical research, or for statistical purposes, in the case of data processing in the light of the conditions and guarantees provided for in Article 89 (1) the obligation referred to in paragraph 1 of this Article would be likely to render impossible or seriously jeopardize the attainment of the purposes of this data management. In such cases, the data controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including making the information publicly available;
- the acquisition or disclosure of data is expressly provided by the law of the Union or of the Member States applicable to the data controller, which provides for appropriate measures to protect the legitimate interests of the data subject; or
- the confidentiality of personal data on the obligation of professional secrecy imposed by an EU or national law, including the obligation of confidentiality based on the law.
Right of access of the subject
(1) The person concerned has the right to be informed by the data controller about whether his personal data is being processed and, if such data is being processed, he has the right to access personal data and the following information:
- the purposes of data management;
- the categories of personal data concerned;
- the categories of recipients or recipients with whom or which personal data will be communicated or disclosed, including in particular third-country addressees or international organizations;
- the intended duration of storage of data or, if this is not possible, the criteria for determining that period;
- the right of the data subject to request the data controller to rectify, erase or limit the personal data concerning him or her and may object to the handling of such personal data;
- the right to lodge a complaint addressed to a supervisory authority;
- if the data is not collected from the person concerned, all available information about their source;
- the fact of the automated decision making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and at least in such cases the applied logic and the understandable information on how such data are relevant and the expected consequences.
(2) Where personal data are transmitted to a third country or an international organization, the data subject shall have the right to be informed of the appropriate guarantees provided for the transmission in accordance with Article 46.
(3) The data controller shall provide the data subject with a copy of the personal data subject to data processing. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the application has been submitted electronically, the information should be provided in a widely used electronic format, unless otherwise requested by the person concerned.
The subject’s right to correct and cancel
(1) The data subject shall have the right to rectify any inaccurate personal data that he or she is entitled to request, without undue delay. Taking into account the purpose of data management, the person concerned has the right to request the addition of incomplete personal data, including by means of a supplementary statement.
The right to cancel ("the right to forget")
(1) The data subject shall have the right to delete personal data concerning him without undue delay, and the data controller shall be obliged to delete the personal data of the data subject without undue delay if one of the following reasons exists:
- personal data is no longer needed for the purpose from which they were collected or otherwise handled;
- the person concerned withdraws the consent of the data controller pursuant to Article 6 (1) (a) (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (giving explicit consent) and there is no other legal basis
- the person concerned is opposed to the data handling and does not have a prior legitimate reason for data processing or the person concerned is subject to the provisions of Article 21 (2) of the Regulation (personal data processing for the purpose of obtaining a business against protest);
- the personal data was unlawfully handled;
- the personal data should be deleted for the legal obligation of the data controller applicable to the law of the Union or of the Member States;
- the collection of personal data was made in connection with the offering of information society services as referred to in Article 8 (1).
(2) If the data controller has disclosed the personal data and is required to cancel it at the request of the person concerned, taking reasonable steps, including technical measures, to take account of the available technology and implementation costs in order to inform the data controllers handling the data that the data subject has requested them the links to the personal data in question or the deletion of a duplicate or duplicate of such personal data.
(3) Paragraphs 1 and 2 shall not apply where data processing is required:
- with a view to exercising the right to freedom of expression and information;
- for the purpose of performing an obligation under EU or Member State law for the data controller to handle personal data, or to carry out a task carried out in the exercise of public authority exercised in the public interest or on the data controller;
- pursuant to Article 9 (2) (h) and (i) of the Regulation and the public interest in the area of public health in accordance with Article 9 (3) of the Regulation;
- in accordance with Article 89 (1) of the Regulation, for purposes of public interest archiving, for scientific and historical research, or for statistical purposes, where the law referred to in paragraph 1 is likely to render impossible or seriously jeopardize this data management; or
- to present, enforce or protect legal claims.
Right to Restrict Data Management
(1) The data subject is entitled to request that the data controller restricts the data handling upon request if one of the following is met:
- the person concerned disputes the accuracy of the personal data, in this case the restriction concerns the period of time for the data controller to check the accuracy of the personal data;
- data processing is illegal and the data subject is opposed to the deletion of the data and instead asks for their use restriction;
- the data controller no longer needs personal data for data processing purposes but the data subject requires them to submit, enforce, or protect legal claims; or
- the person concerned objected to data handling pursuant to Article 21 (1) of the Regulation; in this case, the restriction applies to the period in which it is established that the legitimate reasons for the data controller have priority over the legitimate grounds of the party concerned.
(2) If the processing of data is restricted by paragraph 1, such personal data may only be disclosed with the consent of the person concerned or with the submission, claim or protection of legal claims or the protection of the rights of a natural or legal person, Member State's important public interest.
(3) The data controller shall inform the data subject at whose request he or she has limited the processing of data pursuant to paragraph 1, prior to informing him of the discontinuation of the restriction of data management.
Notice of obligation to correct or delete personal data or limitation of data management
(1) The data controller informs all addressees of the correction, deletion or data limitation with whom or with which personal information has been communicated, unless this proves impossible or requires disproportionate effort.
(2) At the request of the data subject, the data controller shall inform the addressees thereof.
The right to data portability
(1) The data subject shall have the right to receive personal data made available to him by a data controller in a fragmented, widely used machine-readable format and shall be entitled to transmit such data to another data controller without this being obstructed by the data controller provided personal information to you when:
- the processing of data is based on a contribution as per Article 6 (1) (a) of the Regulation (its contribution to the processing of personal data) or Article 9 (2) (a) of the Regulation (the express consent of the data subject to data processing) (1) (b) of the Treaty; and
- data management is done automated.
(2) In exercising the right to carry the data based on paragraph 1, the data subject shall be entitled to request the direct transfer of personal data between data controllers, if technically feasible.
(3) The exercise of the right referred to in paragraph 1 of this Article shall not jeopardize Article 17 of the Regulation. That right shall not apply where the processing of data is necessary for the performance of a task in the public interest or in the exercise of its public authority powers conferred on the data controller.
(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to protest
(1) The person concerned is entitled, at any time, to object to the processing of his or her personal data in the context of the exercise of a public interest or power of attorney or to the data processing necessary to enforce the legitimate interests of the data controller or third party (Article 6 (1) (e) or (f)), including profiling based on those provisions. In this case, the data controller may not process the personal data unless the data controller proves that the data processing is justified by compelling reasons of lawfulness that prevail over the interests, rights and freedoms of the data subject, or for the purpose of submitting, enforcing or protecting legal claims related.
(2) If your personal data is handled for direct business acquisition purpose, the person concerned has the right to object at any time to the handling of their personal data for that purpose, including profiling if it is related to direct business acquisition.
(3) If a person objects to the personal data being handled for direct business purposes, personal data may no longer be handled for that purpose.
(4) The right referred to in paragraphs 1 and 2 shall be explicitly referred to in the first contact with the person concerned at the latest, and such information shall be clearly and separately disclosed.
(5) With respect to the use of information society services and by derogation from Directive 2002/58/EC, the right of protest may be exercised by automated means based on technical specifications.
(6) Where personal data are processed in accordance with Article 89 (1) of the Regulation for scientific and historical research, or for statistical purposes, the data subject shall have the right to object to the processing of personal data relating to his personal data, for the purpose of carrying out a task for public interest purposes.
The right to exempt out of automated decision-making
(1) The data subject shall be entitled to exclude the scope of a decision based solely on automated data management, including profiling, which would have a bearing on him or would have a significant effect on him.
(2) Paragraph 1 shall not apply in the case of a decision:
- it is necessary to conclude or complete the contract between the data subject concerned and the data controller;
- is made available to the data controller by Union or national law which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
- based on the express consent of the person concerned.
(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention from the data controller, submit an objection to the decision.
(4) The decisions referred to in paragraph 2 shall not be based on the particular categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and the rights, freedoms and appropriate measures have been taken to protect its legitimate interests.
The right to complain and legal remedy
The right to complain to the supervisory authority.
(1) The person concerned is entitled to lodge a complaint with the supervisory authority under Article 77 of the Regulation if the person concerned considers that the processing of personal data relating to him infringes this Regulation.
(2) The people concerned can exercise their rights of complaint by contacting the following contact details:
National Privacy and Freedom Authority address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 www: http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu
(3) The supervisory authority to which the complaint has been filed shall inform the client of the procedural developments in the complaint and of the outcome thereof, including that under Article 78 of the Regulation, the client is entitled to a judicial remedy.
The right to an effective remedy against a supervisory authority
(1) Without prejudice to other administrative or non-judicial remedies, any natural or legal person is entitled to an effective remedy against a legally binding decision of the supervisory authority on him.
(2) Without prejudice to other administrative or non-judicial remedies, any person concerned shall be entitled to an effective remedy if the competent supervisory authority fails to address the complaint or within three months shall not inform the person concerned of any procedural developments concerning the complaint under Article 77 of the Regulation or on its outcome.
(3) The procedure against the supervisory authority shall be initiated before the courts of the Member State in which the supervisory authority is situated.
(4) If a supervisory authority commits a decision against which a Board has previously issued an opinion or made a decision under the unity mechanism, the supervisory authority shall send that opinion or decision to the court.
Right to an effective remedy against data controller or data processor
(1) Without prejudice to any administrative or non-judicial remedies available, including the right under Article 77 to complain to a supervisory authority, all the persons concerned shall be entitled to an effective judicial remedy if they consider that their personal data have not been infringed pursuant to this Regulation.
(2) The data controller or processor shall be initiated before the court of the Member State in which the data controller or the processor is established. Such proceedings may be instituted before the courts of the Member State in which the person concerned is habitually resident, unless the data controller or the data processor is a public authority of a Member State acting within the scope of his public authority.
Limitations
(1) The law of the Union or of the Member States applicable to the data controller or data processor may limit legislative measures in accordance with Articles 12 to 22 and Article 34 and Article 12-22. the rights and obligations set out in Article 5 if the restriction respects the essential content of fundamental rights and freedoms and is necessary and proportionate to safeguard the following in a democratic society
- the national security;
- national defense;
- public safety;
- investigation, detection or prosecution of criminal offenses or the enforcement of criminal penalties, including the protection against threats to public security and the prevention of such threats;
- the objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation issues, public health and social security;
- judicial independence and the protection of court proceedings;
- the prevention, investigation, detection and prosecution of ethical offenses in regulated professions;
- monitoring, inspection or regulatory functions connected to the exercise of public authority in the cases referred to in points (a) to (e) and (g);
- the protection of the person concerned or the protection of the rights and freedoms of others;
- enforcement of civil claims.
(2) The legislative measures referred to in paragraph 1 shall contain, where appropriate, detailed provisions at least:
- the purposes of data management or the categories of data management,
- the categories of personal data,
- the scope of the restrictions imposed,
- safeguards against misuse or unauthorized access or transmission,
- the specification of the data controller or of the categories of data controllers,
- the duration of the data storage and the applicable safeguards, taking into account the nature, scope and objectives of data management or data management categories,
- the risks to the rights and freedoms of those concerned, and
- the right of the parties concerned to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
Information on the privacy incident
(1) If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay.
(2) The information provided to the data subject under paragraph 1 shall describe the nature of the data protection incident clearly and in plain language and shall contain at least:
- the name and contact details of the Data Protection Officer or other contact person providing information;
- the probable consequences of the data protection incident;
- the measures taken or planned by the data controller to remedy the data protection incident, including measures to mitigate any adverse consequences arising from it.
(3) The person concerned shall not be informed as referred to in paragraph 1 if either of the following conditions is met:
- the data controller has implemented appropriate technical and organizational protection measures and applied those measures to the data covered by the data protection incident, in particular measures such as the use of encryption that make it impossible for persons who are unauthorized to access personal data to understand the data;
- after the data protection incident, the data controller has taken further measures to ensure that the high risk to the rights and freedoms of the person concerned referred to in paragraph 1 is no longer likely to materialize;
- providing the information would require disproportionate effort. In such cases, the persons concerned should be informed by means of publicly disclosed information or by similar measures that ensure that they are informed equally effectively.
(4) If the data controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to pose a high risk, order the person concerned to be informed or establish that one of the conditions referred to in paragraph 3 is met.
VI. PROCEDURE APPLICABLE TO REQUESTS OF THE DATA SUBJECT
(1) The Enterprise shall facilitate the exercise of the rights of the data subject, and shall not refuse to act on the data subject's request to exercise his or her rights as set out in this Data Handling Notice, unless it proves that the data subject cannot be identified.
(2) The undertaking shall inform the person concerned of the measures taken in response to the request without undue delay and within a period of one month from the receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by two additional months. The controller shall inform the person concerned of the extension of the time limit, indicating the reasons for the delay, within one month of the receipt of the application.
(3) If the person concerned has filed the application electronically, the information should be provided electronically, as far as possible, unless otherwise requested by the person concerned.
(4) If the Enterprise does not take measures in response to the data subject's request, it shall inform the data subject without delay, and within one month of the receipt of the request, of the reasons for not acting and of the possibility of filing a complaint with the supervisory authority and exercising the right of judicial redress.
(5) The Company shall provide the data subject with the following information and action free of charge: feedback on personal data management, access to managed data, correction, completion, deletion, limitation of data handling, data storage, data protection, claim against data handling and data protection incident reporting.
(6) If the request in question is clearly unjustified or excessive, in particular because of its repetitive nature, the data controller may, taking into account the administrative costs of providing the requested information or taking the requested action, charge a sum of 5000.- Ft or refuse to act on the request.
(7) The burden of proving that the application is manifestly unfounded or excessive lies with the data controller.
(8) Without prejudice to Article 11 of the Regulation, if the data controller has reasonable doubts as to the identity of the natural person submitting a request under Articles 15-21, it may request further information necessary to confirm the identity of the person concerned.
IX. PROCEDURE FOR DATA PROTECTION INCIDENT (PERSONAL DATA BREACH)
(1) A privacy incident is a breach of security within the meaning of the Regulation resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise treated.
(2) Examples of a privacy incident include the loss or theft of a device containing personal data (laptop, mobile phone), the loss or inaccessibility of a code for decrypting the data encrypted by the data controller, an infection by ransomware that makes data managed by the data controller unavailable until the payment of the ransom fee, an attack on the IT system, the sending of e-mails containing erroneous personal information, the publication of the list of titles etc.
(3) In the event of detection of a privacy incident, a representative of the Enterprise shall conduct an in-depth investigation into the identification of the privacy incident and the possible consequences thereof. The necessary measures must be taken to remedy the damage.
(4) The data protection incident shall be reported to the competent supervisory authority without undue delay and, if possible, within 72 hours after the data protection incident has occurred, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not filed within 72 hours, the reasons justifying the delay must also be enclosed.
(5) The data processor notifies the data controller without undue delay after the data protection incident has become known.
(6) The notification referred to in paragraph 3 shall at least:
- describe the nature of the privacy incident, including, where possible, the categories and approximate number of affected persons and the categories and approximate number of the data involved in the incident;
- state the name and contact details of the Data Protection Officer or other contact person providing further information;
- describe the likely consequences of the data protection incident;
- describe the measures taken or planned by the data controller to remedy the data protection incident, including, where appropriate, measures to mitigate the potential adverse effects of the data protection incident.
(7) If and where it is not possible to disclose the information at the same time, it may be disclosed in installments without further undue delay.
(8) The data controller records the data protection incidents, indicating the facts related to the data protection incident, its effects and remedies. This register allows the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.
VI. ABOUT THE WEB SITE WITH RELEVANT DATA MANAGEMENT
Information about the visitors of the Enterprise’s website
(1) During a visit to the Enterprise's website, one or more cookies (small information packages that the server sends to the browser and that the browser sends back to the server with every request directed to it) will be sent to the computer of the person visiting the website, allowing that person's browser to be uniquely identified, provided that the visitor has given (active) consent while continuing to browse the website, after receiving clear and unambiguous information.
(2) Cookies serve only to improve the user experience and to automate the login process. The cookies used on this website do not contain personally identifiable information, and the Enterprise does not carry out personal data processing in this respect.
Registration, newsletter subscription
(1) In the case of registration and newsletter subscription, the legal basis for data handling is the consent of the person concerned, given by ticking the check box next to the "registration" or "newsletter subscription" text on the Enterprise website after being informed about the management of his / her data.
(2) Persons concerned in the case of newsletter subscription and registration: any natural person who wishes to subscribe to the Enterprise Newsletter, or wishes to register on the website, and consents to the processing of his / her personal data.
(3) Data managed in the case of newsletter subscription: name, e-mail address.
(4) Data managed in the case of registration: name, address, e-mail address, telephone number, entry password.
(5) The purpose of data management in case of newsletter registration, is to provide information about the services, products and changes of the Company, information about news and events.
(6) The purpose of data management in the case of registration: contact to prepare for the conclusion of the contract, access to the services available free of charge on the website, access to the non-public content of the web site.
(7) The recipients of the data (who can know the data) in the case of newsletter subscription and registration: Head of Enterprise, Customer Relationship Manager, Data Processing Staff of the Enterprise Website.
(8) The duration of the data processing: in the case of newsletter subscription, until unsubscription; in the case of registration, until deletion at the request of the person concerned.
(9) The person concerned may unsubscribe from the newsletter at any time or request the deletion of their registration (as well as their personal information). Newsletter unsubscribing is done by clicking the unsubscribe link located in the footer of the email sent to the person concerned or by posting to the head office of the Enterprise.
Data management related to direct marketing activity
(1) The legal basis of the Enterprise's data management for direct marketing purposes is the clear and explicit consent of the person concerned. The person concerned gives this clear, express prior consent on the website of the Enterprise by ticking the check box next to the text on consent to direct marketing requests, after being informed about the handling of their data.
(2) The consent of the person concerned can also be given on paper, by filling in the datasheet in Annex No. 2 of this Regulation.
(3) Persons concerned: any natural person who gives clear, express consent to the Enterprise to process their personal data for direct marketing purposes.
(4) Data management goals: providing services, selling goods, sending bids, notifying deals via electronic letters or mails.
(5) Recipients of personal data: Head of Enterprise, Workforce Support Services, employees responsible for marketing tasks.
(6) The personal data being managed are: name, address, phone number, e-mail address.
(7) The duration of the data processing: until the person concerned withdraws consent to the handling of personal data for direct marketing purposes.
Webshop-based data management
(1) For registration in the webshop, data management activity related to the newsletter subscription, and for informing visitors, the above provisions govern.
(2) Contracts concluded online on the Enterprise's website fall within the scope of the CVIII. (Eker tv.); therefore, the purpose of the data management is to prove the fulfillment of the obligation to provide the consumer with information required by law, to prove the conclusion of the contract, to create the contract, to determine its content, to modify it, to monitor its performance, to issue the bill(s), and to enforce claims related to it.
(3) When purchasing in the webshop, the legal basis for data processing is the performance of the contract and the fulfillment of a legal obligation.
(4) Data categories related to data management: buyer's name, address, phone number, passcode, bank account number.
(5) Categories of persons affected by data handling: any natural person who registers in the company's webshop, subscribes to a newsletter, or purchases.
(6) The categories of data recipients are: business manager, customer relationship representatives, sales employees, data processing employees managing the website of the Enterprise, employees performing accounting tasks, data processing employees.
(7) The place of data management is the headquarter of the Enterprise.
(8) Duration of data processing: 5 years from termination of contract.
VII. DATA MANAGEMENT ACTIVITY RELATING TO THE COMPLETION OF THE CONTRACT
(1) The Enterprise manages the personal data of natural persons (customers, buyers, suppliers) who are in a contractual relationship with it. The person concerned should be informed of the handling of personal data.
(2) People concerned: all natural persons who establish a contractual relationship with the Enterprise.
(3) The legal basis of the data management is the fulfillment of the contract, the purpose of data management is to maintain contact, to enforce contractual claims and to fulfill contractual obligations.
(4) Recipients of personal data: the Head of the Enterprise, and the employees and data processors of the Enterprise performing customer service and accounting tasks by virtue of their position.
(5) Personal data covered: name, address, headquarter, telephone number, e-mail address, tax number, bank account number, entrepreneurial card number, primary producer's ID number.
(6) Duration of data processing: 5 years from termination of contract.
VIII. INFORMATION ABOUT DATA MANAGEMENT ON THE APPLICATION OF AN ELECTRONIC MONITORING SYSTEM
(1) Our enterprise operates an electronic observation and recording system (camera system) in the customer area and in the areas owned by the company. While a person is in the observed area (room), the electronic observation system records the image and actions of that person.
(2) The legal basis for camera observation is the voluntary consent of the person concerned, based on information provided by our enterprise in the form of information signs. The consent of the person concerned may also be expressed through implied conduct. Entering or staying in the room / area observed with the electronic observation and recording system is deemed to be such implied conduct. If you do not wish to give your consent, do not enter the premises / areas or units marked with the attention sign.
(3) The purpose of the recordings is the protection of human life, physical integrity and personal freedom, the protection of business secrecy, the protection of personal and property rights, the prevention and detection of infringements, the documentation of the circumstances of accidents occurring in the client area and the protection of the public private area of the public necessary for the performance of the insurer's duties. The camera monitoring system does not record sound.
(4) The legal basis of camera observation is the voluntary consent of the person concerned, based on information provided by the Enterprise in the form of information signs. The consent of the person concerned may also be expressed through implied conduct. Entering or staying in the room / area observed with the electronic observation and recording system is such implied conduct.
(5) The recordings (personal data) made by the electronic monitoring system are stored at the headquarter of our company; the storing time of the recordings is 3 workdays.
(6) The scope of the data being processed is the image of the person concerned captured by the camera system and other personal data.
(7) Personal data captured by camera recording can be accessed by: head of Enterprise, camera operator, and the operating data processor, for the purpose of detecting infringements and checking the functioning of the system.
IX. PROVISIONS CONCERNING DATA SECURITY
(1) The Company may treat personal data only in accordance with the activities specified in this Code and the purpose of data management.
(2) The Company undertakes to ensure the security of the data and undertakes in this field to take all the technical and organizational measures necessary to enforce the data security rules, data and confidentiality rules and establish the procedural rules necessary to enforce the above-mentioned legislation.
(3) The Company protects the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against unavailability resulting from accidental destruction, damage, or the technology used.
(4) The technical and organizational measures to be taken by the Enterprise for data security are set out in the Enterprise Privacy Policy.
(5) In defining and applying the data security measures, the Enterprise takes into account the state of the technology at all times and, where several data management solutions are possible, selects the one providing a higher level of protection of personal data, unless this would be disproportionate.
X. DATA PROCESSING RULES
1. General rules on data processing
(1) The rights and obligations of the data processor regarding the processing of personal data are governed by the law and the special laws governing data management by the data controller.
(2) The Enterprise declares that in the course of its data processing activity it has no competence to take substantive decisions on data management; it may process the personal data it has acquired only in accordance with the provisions of the data controller, may not perform data processing for its own purposes, and shall store and retain personal data according to the provisions of the data controller.
(3) The Enterprise is responsible for the legality of the instructions given to the data processor regarding the data handling operations.
(4) The Enterprise is obliged to inform the data subjects about the data processor and about the place of data processing.
(5) The Enterprise shall authorize the data processor to employ additional data processors.
(6) The contract for the processing of data shall be in writing. Data processing may not be entrusted to an organization that has an interest in the business of personal data processing.
Debrecen, 02.08.2018.