Privacy policy
PRIVACY POLICY RELATING TO THE RIGHTS OF NATURAL PERSON DATA SUBJECTS IN RESPECT OF THE PROCESSING OF THEIR PERSONAL DATA
TABLE OF CONTENTS
INTRODUCTION
CHAPTER I – NAME OF DATA CONTROLLER
CHAPTER II – NAME OF DATA PROCESSORS
- IT provider of the Company
- Accounting provider of our Company
CHAPTER III – EMPLOYMENT-RELATED DATA PROCESSING
- Employment and staff records
- Data processing related to aptitude tests
- Processing data of employees applying for admission, applications and resumes
- Data processing related to monitoring email account usage
- Data processing related to monitoring computers, laptops, tablets
- Data processing related to monitoring workplace internet usage
- Data processing related to monitoring company mobile phone usage
- Data processing related to the use of the GPS navigation system
- Data processing related to entry to and exit from workplace
- Data processing related to camera surveillance in the workplace
CHAPTER IV – CONTRACT-RELATED DATA PROCESSING
- Processing of contracting partners’ data – Registers of customers, suppliers
- Contact details of natural person representatives of legal entity clients, customers, suppliers
- Processing of the data of visitors on the Company’s website
- Information on the use of cookies
- Registration on the Company’s website
- Community guidelines / Data processing on the Company’s Facebook page
- Data processing for direct marketing purposes
CHAPTER V – DATA PROCESSING BASED ON LEGAL OBLIGATIONS
- Data processing to fulfil tax and accounting obligations
- Payer-related data processing
- Data processing related to records of permanent value pursuant to the Archives Act
- Data processing for complying with anti-money laundering obligations
CHAPTER VI – SUMMARY OF DATA SUBJECT’S RIGHTS
CHAPTER VII – DETAILED INFORMATION ON DATA SUBJECT’S RIGHTS
CHAPTER VIII – SUBMITTING DATA SUBJECT REQUESTS, ACTIONS BY THE DATA CONTROLLER
INTRODUCTION
REGULATION (EU) 2016/679 of the EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation) stipulates that the controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and furthermore, that the controller assist the data subject in the exercising of his or her rights.
The obligation to provide preliminary information is also set out in Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
The policy below serves to comply with the statutory obligations listed above and applicable to us under the Hungarian and European Union laws.
The information shall be published on the Company’s website and, upon request, shall also be sent to the data subject.
CHAPTER I
NAME OF DATA CONTROLLER
Issuer of this policy and also the Data Controller:
Company name: Tatár Pékség Kft.
Registered office: H-2314 Halásztelek, II. Rákóczi Ferenc út 142/A
Company registration number: 13-09-083123
Tax number: 10833595-2-13
Represented by Antal Tatár
Telephone number: 06 20 947 – 8073
Email address: tatar.antal@tatarpek.hu
Website: https://tatarpek.hu/
(hereinafter the Company)
CHAPTER II
NAME OF DATA PROCESSORS
Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; (Article 4(8) of the Regulation)
The use of the data processor does not require the prior approval of the data subject, but they shall be informed. Accordingly, we are providing the following information:
- IT Provider of our Company
Our Company employs a data processor for the purpose of maintaining and managing its website; such data processor provides the IT services (storage service), as part of which it processes the personal data provided on the website during the term of the agreement with said data processor. The operation performed by it is the storage of personal data on the server.
Name of such data processor is as follows:
Company name: SZTJ Informatikai és Oktatási Szolgáltató Kft.
Registered office: H-2314 Halásztelek, Nap u.8
Company registration number: 13-09-108963
Tax number: 13770404-2-13
Represented by Tibor Szentgyörgyi
Telephone number: +36 20 376 46 15
Email address: tibor@sztj.hu
Website: sztj.hu
- Accounting Provider of our Company
To perform its tax and accounting obligations, our Company uses a third-party provider engaged pursuant to an accounting service contract; it also processes the personal data of the natural persons in contractual or payer relationships with our Company, for the purpose of performing the tax and accounting obligations of our Company.
Name of such data processor is as follows:
Company name: Miksa és Társa Könyvelő és Tanácsadó Kft.
Registered office: H-2084 Pilisszentiván, Fenyves utca 6
Company registration number: 13-09-113793
Tax number: 13989815-2-13
Represented by Viktor Miksa
Telephone number: +36 70 360 7776
CHAPTER III
EMPLOYMENT-RELATED DATA PROCESSING
- Employment and staff records
(1) The only types of data that may be requested from and retained about employees, and the only types of medical aptitude tests that can be conducted are those that are required to establish, maintain and terminate employment or required to provide social-welfare benefits, and which do not violate the personal rights of employees.
(2) Under the title of enforcing the employer’s legitimate interests (Article 6(1)(f) of the Regulation), the Company processes the following data of the employee for the purpose of establishing, performing or terminating employment:
- name,
- name at birth,
- date of birth,
- mother’s maiden name,
- address,
- nationality,
- tax ID number,
- social security number,
- telephone number,
- ID card number,
- number of address card,
- bank account number,
- start and end of employment,
- job description,
- copy of document verifying academic qualifications, resume,
- salary, data relating to payment of salary and other benefits,
- amount of debt to be deducted from the employee’s salary on the basis of a final ruling or law or written consent, and the legal basis thereof,
- manner of and reasons for the termination of employment,
- summary of job aptitude tests,
- data recorded in reports on accidents suffered by the employee,
- data recorded by surveillance and access systems used at the Company for security and property protection purposes, as well as data recorded by location systems.
(3) The employer processes data related to illness and trade union membership only to exercise rights or perform obligations specified in the Labour Code.
(4) Recipients of the personal data: manager of the employer, the person exercising the employer rights, the Company’s employees and data processors performing employment-related tasks.
(5) Only the personal data of the employees in senior positions may be transferred to the owners of the Company.
(6) The maximum period for which personal data will be stored: 3 years from the termination of employment.
(7) The data subject shall be informed prior to the start of the data processing about the fact that data processing is based on the Labour Code and the employer’s legitimate interest.
- Data processing related to aptitude tests
(1) Employees may only be subjected to aptitude tests that are required by employment-related regulations or which are needed in order to exercise a right or to perform an obligation defined in employment-related regulations. Prior to the test, employees shall be informed about the skills and abilities the given aptitude test aims to assess, and about the means and methods that are used. If the test is required by law, employees shall be informed about the title and exact number of the relevant law.
(2) The employer may have the employees complete the test sheets determining suitability and preparedness either before establishing or during employment.
(3) Larger groups of employees can only be asked to complete test sheets clearly related to employment and suitable for establishing psychological or personal traits in the interest of ensuring more effective performance and organisation of work processes if the data revealed cannot be linked to specific employees, i.e. data are processed anonymously.
(4) Scope of personal data that may be processed: the fact of job suitability and the required conditions thereof.
(5) Legal basis of data processing: legitimate interest of the employer.
(6) Purpose of personal data processing: establishment and maintenance of employment, performing a job.
(7) The recipients or categories of recipients of the personal data: The result of the test may be disclosed only to the employees tested and the person conducting the test. The employer may only receive information whether the person tested is suitable for the job or not, and what conditions are to be provided to this end. However, the details of the tests and its entire documentation shall not be disclosed to the employer.
(8) Duration of personal data processing: 3 years from the termination of employment.
- Processing data of applicants, applications and resumes
(1) Scope of personal data that may be processed: natural person’s name, date and place of birth, mother’s maiden name, address, qualifications, photo, telephone number, email address, employer’s notes on the applicant (if any).
(2) Purpose of personal data processing: application, evaluation of application, conclusion of employment contract with the selected applicant. The data subject shall be informed if he or she was not selected by the employer for the given position.
(3) Legal basis of data processing: data subject’s consent.
(4) The recipients or categories of recipients of the personal data: managers entitled to exercise the employer’s rights at the Company, employees performing employment-related tasks.
(5) Maximum period for which personal data will be stored: Until the evaluation of application. Personal data of applicants not selected shall be erased. The data of anyone having withdrawn his or her application shall also be erased.
(6) The employer may retain applications only based on explicit and voluntary consent of the data subjects, provided that retention is required for fulfilling the data processing purpose that is in line with the law. Such consent shall be obtained from the applicants following the conclusion of the recruitment procedure.
- Data processing related to monitoring email account usage
(1) If the Company provides an email account for the employee – such email address and account can be used by employees only for the purpose of job-related tasks to communicate with each other or with clients, other persons or organisations on behalf of the employer.
(2) The employee may not use the email account for personal purposes, and may not store personal messages in the account.
(3) The employer is entitled to regularly, every three months, inspect the entire content and the use of the email account, where the legal basis of data processing is the legitimate interest of the employer. The purpose of the inspection is to check compliance with the employer’s regulations concerning the use of the email account, and to audit employee obligations (Sections 8 and 52 of the Labour Code).
(4) The manager of the employer or the person exercising the employer’s rights is authorised to carry out the inspection.
(5) If the circumstances of the inspection do not exclude the possibility, the employee’s presence at the inspection shall be ensured.
(6) Prior to the inspection, the employee shall be informed about the employer’s interest underlying the inspection, about who is authorised to perform the inspection on behalf of the employer, based on what rules the inspection is performed (principle of gradual approach) and about the process of the procedure, and what rights or legal remedies are available concerning the data processing related to the inspection of the email account.
(7) The principle of gradual approach shall be applied, thus the email address and the subject field shall primarily be used to determine whether the email is related to the employee’s job or if it is of a personal nature. The content of non-personal emails may be inspected by the employer without restrictions.
(8) If, contrary to the provisions of this policy, it is established that the employee used the email account for personal purposes, the employee shall be instructed to erase the personal data without delay. In the event of the absence or lack of cooperation of the employee, personal data are deleted by the employer during the inspection. If the email account is used contrary to this policy, the employer may enforce labour law consequences against the employee.
(9) The employee may exercise his or her rights specified in the chapter on data subject’s rights herein in connection with data processing within the framework of the inspection of the email account.
- Data processing related to monitoring computers, laptops, tablets
Computers, laptops or tablets made available to the employee by the Company may only be used by the employee for performing job related tasks. The Company prohibits the private use of such devices, and the employee may not store or process any personal data and may not use such devices for private correspondence. The employer may inspect the data stored on such devices. The provisions of Section 4 above shall apply to the inspection of such devices by the employer and the legal consequences thereof.
- Data processing related to monitoring workplace internet usage
(1) Employees may only visit websites related to their job. The employer prohibits the use of internet at the workplace for personal purposes.
(2) The holder of authorisation of internet registrations performed as job-related tasks is the Company, and an ID and password referring to the Company shall be used during registration. If the registration requires personal data to be provided, the Company shall initiate their erasure upon the termination of employment.
(3) The employer may monitor the employee’s internet use at the workplace, and the provisions of Section 4 above shall apply to such monitoring and the legal consequences thereof.
- Data processing related to monitoring company mobile phone usage
(1) The employer does not allow the personal use of company mobile phones. Such mobile phones may only be used for purposes relating to work, and the employer may inspect the call numbers of all outgoing calls, as well as the data stored on the mobile phone.
(2) The employee shall report to the employer if he/she has used the company mobile phone for private purposes. In this case, the inspection can be performed by the employer requesting a call history report from the telephone operator and requesting the employee to make the numbers called for private purposes unrecognisable on the document.
The employer may require that the costs of the private calls be covered by the employee.
(3) Otherwise, the provisions of Section 4 shall apply to the inspection and the legal consequences thereof.
- Data processing related to the use of the GPS navigation system
(1) The legal basis for the use of the GPS system is the legitimate interest of the employer, and its purpose is to verify work organisation, logistics and the performance of the employee obligations.
(2) Scope of data processed: vehicle registration plate, route and distance travelled, duration of vehicle use.
(3) The inspection may only be carried out during business hours and the geographical position of employees cannot be inspected outside business hours. Otherwise, the provisions of Section 4 shall apply to employer inspections and the legal consequences thereof.
- Data processing related to workplace entry and exit
(1) If an access control system is used, a notice shall be displayed regarding the identity of the data controller and the method of data processing.
(2) Scope of personal data that may be processed: natural person’s name, address, vehicle’s registration plate, time of entry and exit.
(3) Legal basis of data processing: enforcing the legitimate interest of the employer.
(4) Purpose of personal data processing: protection of property, performance of contract, to verify the performance of employee obligations.
(5) The recipients or categories of recipients of the personal data: managers entitled to exercise the employer’s rights at the Company, employees of the Company’s agent performing security services as data processors.
(6) Maximum period for which personal data will be stored: 6 months
- Data processing related to camera surveillance in the workplace
(1) At its registered office, business site and premises open to customers, for the purposes of protecting human life, physical integrity, personal freedom and business secrets and for the purpose of property protection, our Company has an electronic surveillance system in place which also allows for the recording of audio, video or audio-video recordings, based on which the conduct of the data subject as recorded by the camera may also be considered personal data.
(2) The legal basis of such data processing is enforcing the legitimate interests of the employer and consent granted by the data subject.
(3) The fact of the use of the electronic surveillance system in a given area shall be indicated at a clearly visible location and displayed in a legible fashion, facilitating the provision of information to third parties looking to enter said area. Such notice shall be displayed for each camera. Such notice shall contain information about the surveillance performed by way of the electronic property protection system, as well as information on the purpose of the recording and storage of audio, video or audio-video recordings made by the system containing personal data, the legal basis for processing, the place where and the period for which the recording is stored, the identity of the operator of the system, the persons authorised to view said data, and information on provisions concerning the rights of data subjects and the rules of the enforcement thereof.
(4) Audio and video recordings of third parties (customers, visitors, guests) entering the area monitored may be made and processed with their consent. Consent may also be granted by way of implied conduct. Implied conduct means, in particular, if the natural person present enters the area monitored despite notice and information calling attention to the use of the electronic surveillance system.
(5) If not used, the recordings may be retained for a maximum of 3 business days. Use means that the audio, video or audio-video recordings or other personal data are to be used in judicial or other official proceedings as evidence.
(6) Persons whose right or legitimate interest is affected by the audio, video or audio-video recording may request that the processor of such data not destroy or erase the data, by submitting the request within three business days of recording after verifying their right or legitimate interest.
(7) Such electronic surveillance system cannot be used in areas where monitoring may violate human dignity, in particular changing rooms, showers, bathrooms or doctor’s offices and adjoining waiting areas, or premises that have been designated as areas where employees spend their breaks.
(8) At times when no one is allowed to be lawfully present at the workplace, in particular outside business hours or on bank holidays, the entire premises of the workplace (for example, changing rooms, bathrooms, premises that have been designated employee break areas) may be monitored.
(9) The data recorded by the electronic surveillance system may be viewed, in addition to persons authorised by the law, by the operating staff, the manager of the employer and its deputy, and also the workplace manager of the area monitored for the purpose of uncovering infringements and checking the operation of the system.
CHAPTER IV
CONTRACT-RELATED DATA PROCESSING
- Processing of contracting partners’ data – Registers of customers, suppliers
(1) The Company, under the title of performing the contract, for the purpose of concluding, performing and terminating the contract and providing contractual discounts, processes the name, name at birth, date of birth, mother’s maiden name, address, tax ID number, tax number, number of sole trader’s or primary producer licence, ID card number, address, address of registered office and business site, telephone number, email address, website address, bank account number, customer code (client code, order code), online ID (list of customers, suppliers, regular customer lists) of natural persons who entered into a contract with it as customers or suppliers. Such data processing is considered lawful even if data processing is required to perform the steps requested by the data subject prior to concluding the contract. Recipients of personal data: employees of the Company performing customer service tasks, employees and data processors performing accounting and taxation related tasks. Duration of personal data processing: 5 years from the termination of the contract.
(2) The data subject shall be informed prior to the start of data processing that the legal basis of data processing is the performance of the contract, which information may be included in the contract.
(3) The data subject shall be informed about the transfer of its personal data to the data processor.
- Contact details of natural person representatives of legal entity clients, customers, suppliers
(1) Scope of personal data that may be processed: natural person’s name, address, telephone number, email address, online identifier.
(2) Purpose of personal data processing: performance of the contract concluded with the Company’s legal entity partner, business correspondence; legal basis of processing: the data subject’s consent.
(3) The recipients or categories of recipients of the personal data: employees of the Company performing customer service tasks.
(4) Maximum period for which personal data will be stored: 5 years after the existence of the business relationship, or the representative capacity of the data subject.
- Processing of the data of visitors on the Company’s website
(1) Cookies are short data files, which are placed on the user’s computer by the website visited. The objective of cookies is to facilitate the given info-communications/internet service and make it more convenient. There are several types of cookies, but in general they are categorised into two larger groups. One includes session cookies, which the website places on the user’s device for a given session (for example, as part of the security identification during online banking), while the other includes persistent cookies (for example, language setting for a website), which remain on the computer until erased by the user. Pursuant to the directives of the European Commission, cookies [unless indispensable to the use of the service] can be saved on the user’s device only with the user’s consent.
(2) In case of cookies not requiring user consent, information on cookies used shall be provided at the time of the first visit to the website. It is not necessary to display the entire text of the cookie information on the website; it is sufficient if website operators provide a short summary of the notification and provide a link to access the full policy.
(3) In case of cookies requiring consent, the information may be linked to the first visit to the website if data processing accompanying the use of the cookies already begins with the visit to the page. If the use of the cookie is related to a function specifically requested by the user, the notice may be displayed in relation to the use of said function. Again, it is not necessary to display the entire text of the cookie notice on the website; it is sufficient to provide a short summary of the notification and provide a link to access the full policy.
- Information on the use of cookies
(1) In line with general internet practice, our Company also uses cookies on its website. Cookies are small, unique identification files containing a string of characters, which are saved on the visitor’s computer when they visit a website. When the given website is visited again, the website recognises the visitor’s browser with the help of the cookie. Cookies may store user settings (for example, language setting) as well as other information. Among other things, they collect information about visitors and their device, they remember individual settings, and may be used, for example, during the use of online shopping carts. In general, cookies make the use of the website easier, allow the website to provide a real web experience for users and to represent an efficient source of information and, furthermore, they allow website operators to supervise site operation, prevent abuse and ensure uninterrupted and appropriate quality services.
(2) Our Company’s website records and processes the following data concerning visitors and the devices used for browsing:
• IP address used by the visitor,
• browser type,
• features of the operating system of the device used for browsing (language setting),
• date of visit,
• page (subpage), function, service visited.
Visitors receive no separate notification on the placement of cookies.
(3) Accepting and authorising the use of cookies is not mandatory. Browser settings may be reset to disable all cookies, or to give notification if the system sends a cookie. Although most browsers automatically accept cookies by default, this can usually be changed as per the instructions provided on the given site in order to prevent automatic acceptance and to prompt the user each time.
For information on the cookie settings of the most popular browsers, click on the links below:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11: https://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: https://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: https://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: https://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: https://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/hu-hu/HT201265
However, be advised that certain website functions or services may not work properly without cookies.
(4) Cookies used on the website are not suitable on their own to identify the user.
(5) Cookies used on the Company’s website:
- Technically indispensable session cookies
These cookies are required for the visitors to be able to browse the website, to use all of its functions smoothly, to use the services available via the website, thus among others to remember the actions performed on the site by the visitor during a session. Such cookies only process data for the period of the visitor’s current visit, and such cookies are automatically erased from the visitor’s computer at the end of the session or when the browser is closed.
Scope of data processed: UserId (only for admin users)
The legal basis for such data processing is Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society-Related Services (E-commerce Act).
The purpose of data processing: to ensure the proper operation of the website.
- Cookies requiring consent:
They allow the Company to remember the user’s choices related to the website. Visitors may block such data processing prior to and during the use of the service. The data collected cannot be linked to the identification data of the user and cannot be transferred to third parties without the user’s consent.
2.1. GDPRCookie consent cookie:
It is used to save settings relating to cookies enabled or disabled by the user.
2.2. Functional cookies:
– there are currently no such cookies used by the website
2.3. Analytical cookies:
These cookies are used to collect information on how visitors use the website. We improve the website by making use of such information. Cookies collect data anonymously, including the number of visitors to the website and the pages visited.
Google Analytics cookies – Details available here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
- Registration on the Company’s website
The Company’s website (https://tatarpek.hu/) does not require registration.
- Community guidelines / Data processing on the Company’s Facebook page
(1) The Company operates a Facebook page for the purpose of promoting its products and services.
(2) Questions asked on the Company’s Facebook page do not qualify as complaints officially lodged.
(3) The Company does not process the personal data disclosed by visitors on the Company’s Facebook page.
(4) Visitors are subject to the Privacy Policy and Terms of Service of Facebook.
(5) If unlawful or offensive content is published, the Company may remove the given data subject from the members or delete their post or comment.
(6) The Company is not liable for data content and comments posted by users in breach of the law. The Company is not liable for any errors or malfunctions arising from the operation of Facebook or any problems arising from changes to the operation of the system.
- Data processing for direct marketing purposes
(1) Unless otherwise provided by a separate act, advertisements may only be conveyed to natural persons by way of direct contact (direct marketing), such as through electronic mail or equivalent individual means of communications, subject to the exception set out in Act XLVIII of 2008, with the express prior consent of the person to whom the advertisement is addressed.
(2) Scope of personal data that may be processed by the Company for the purpose of delivering advertisements: natural person’s name, address, telephone number, email address, online identifier.
(3) The purpose of personal data processing is to conduct direct marketing activities related to the Company’s activities, namely to regularly or periodically send advertising publications, newsletters, current offers in electronic form (email) to the contact details provided at registration.
(4) Legal basis of data processing: data subject’s consent.
(5) The recipients or categories of recipients of the personal data: employees of the Company performing customer service tasks, employees of the Company’s IT provider providing server services as data processor, and employees of the post in the case of postal deliveries.
(6) Maximum period for which personal data will be stored: until consent is withdrawn.
CHAPTER V
DATA PROCESSING BASED ON LEGAL OBLIGATIONS
- Data processing to perform tax and accounting obligations
(1) Under the legal title of performing legal obligations, for the purpose of complying with statutory tax and accounting obligations (book-keeping, taxation), the Company processes the statutory data of natural persons in a business relationship with it as customers or suppliers. The data processed, pursuant to Sections 169 and 202 of Act CXXVII of 2007 on Value Added Tax, are, in particular: tax number, name, address, tax status; pursuant to Section 167 of Act C of 2000 on Accounting: name, address, the description of the person or organisation ordering the economic transaction, the signatures of the payment authoriser or ordering the implementation of provisions or the auditor depending on the organisation; the signatures of recipients on certificates of inventory movement and cash management certificates, the signatures of payers on counter-receipts; pursuant to Act CXVII of 1995 on Personal Income Tax: sole trader’s license number, primary producer license number, tax ID number.
(2) The maximum period for which personal data will be stored: 8 years from the termination of the legal relationship providing the legal basis.
(3) Recipients of the personal data: the employees and data processors performing fiscal, accounting, payroll and social security tasks of the Company.
- Payer-related data processing
(1) The Company, under the legal title of performing legal obligations, processes, for the purpose of complying with tax and contribution payment obligations (determining taxes, tax advances, contributions, payroll, social security and pension administration), the personal data of data subjects with whom the Company has a payer relationship, employees, their family members, persons receiving other benefits, as specified by law (Section 7 (31) of Act CL of 2017 on the Rules of Taxation (Taxation Act)). The scope of data processed is determined by Section 50 of the Taxation Act, in particular: natural personal identification data of natural persons (including former name and title), gender, nationality, tax ID number, and social security number. If legal consequences are stipulated by tax laws, the Company may process the health-related data (Section 40 of the Personal Income Tax Act) and trade union membership-related data (Section 47 (2) b) of the Personal Income Tax Act) of employees for the purpose of complying with tax and contribution payment obligations (payroll, social security administration).
(2) The maximum period for which personal data will be stored: 8 years from the termination of the legal relationship providing the legal basis.
(3) Recipients of the personal data: the employees and data processors performing taxation, accounting, payroll and social security (payer) tasks of the Company.
- Data processing related to records of permanent value pursuant to the Archives Act
(1) The Company, under the legal title of performing legal obligations, processes its records of permanent value pursuant to Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives (Archives Act) in order to ensure that its records of permanent value in the Company’s archives are protected and preserved in intact and serviceable condition for future generations. Duration of data storage: until handover to the public archives.
(2) The provisions of the Archives Act shall apply to the recipients of personal data and other issues of data processing.
- Data processing for the purpose of complying with anti-money laundering obligations
(1) The Company, under the legal title of performing legal obligations, for the purpose of preventing and combating money laundering and terrorist financing, processes the data specified in Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (Anti-Money Laundering Act) of its customers, their representatives and their beneficial owners: a) natural person’s a) first and last name, b) first and last name at birth, c) nationality, d) place and date of birth, e) mother’s name at birth, f) address, in absence thereof the place of residence, g) the type and number of identification document; number of address card, a copy of the documents submitted (Section 7).
(2) Recipients of personal data: employees of the Company performing customer service tasks, the manager of the Company and the person appointed by the Company pursuant to the Anti-Money Laundering Act.
(3) Maximum period for which personal data will be stored: 8 years from the termination of the business relationship or the completion of the transaction order (Section 56 (2) of the Anti-Money Laundering Act).
CHAPTER VI
SUMMARY OF DATA SUBJECT’S RIGHTS
For the sake of clarity and transparency, this chapter briefly summarises the rights of data subjects; detailed information on exercising those rights is provided in the next chapter.
Right to preliminary information
The data subject shall have the right to receive information on facts and data relating to data processing prior to the start of such data processing.
(Articles 13-14 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right of access by the data subject
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and related information as specified in the Regulation.
(Article 15 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
(Article 16 of the Regulation)
Right to erasure (‘right to be forgotten’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds specified in the Regulation applies.
(Article 17 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right to restriction of processing
The data subject shall have the right to obtain from the Controller restriction of processing where the criteria specified in the Regulation apply.
(Article 18 of the Regulation)
Information on detailed rules is provided in the next chapter.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
(Article 19 of the Regulation)
Right to data portability
The data subject shall have the right, subject to the conditions specified in the Regulation, to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided.
(Article 20 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller) or (f) (processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party) of Article 6(1) of the Regulation.
(Article 21 of the Regulation)
Information on detailed rules is provided in the next chapter.
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(Article 22 of the Regulation)
Information on detailed rules is provided in the next chapter.
Restrictions
Union or Member State law to which the Controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as the rights and obligations applicable to personal data processing in so far as they correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, for example, national security, public security or the protection of judicial proceedings.
(Article 23 of the Regulation)
Information on detailed rules is provided in the next chapter.
Communication of a personal data breach to the data subject
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.
(Article 34 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right to lodge a complaint with a supervisory authority (right to seek judicial remedy)
Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.
(Article 77 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right to an effective judicial remedy against a supervisory authority
All natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
(Article 78 of the Regulation)
Information on detailed rules is provided in the next chapter.
Right to an effective judicial remedy against a controller or processor
Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
(Article 79 of the Regulation)
Information on detailed rules is provided in the next chapter.
CHAPTER VII
DETAILED INFORMATION ON DATA SUBJECT’S RIGHTS
Right to preliminary information
The data subject shall have the right to receive information on facts and data relating to data processing prior to the start of such data processing.
A) Information to be provided where personal data are collected from the data subject
- Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) where the processing is based on point (f) of Article 6(1) of the Regulation (enforcement of legitimate interest), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1) of the Regulation, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- In addition to the information referred to in Section 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
(c) where the processing is based on point (a) of Article 6(1) (data subject’s consent) or point (a) of Article 9(2) of the Regulation (data subject’s consent), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Section 2.
- Sections 1-3 shall not apply where and insofar as the data subject already has the information.
(Article 13 of the Regulation)
B) Information to be provided where personal data have not been obtained from the data subject
- Where personal data have not been obtained from the Data Subject, the Controller shall provide the Data Subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the Regulation, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
- In addition to the information referred to in Section 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1) of the Regulation (legitimate interest), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where the processing is based on point (a) of Article 6(1) (data subject consent) or point (a) of Article 9(2) of the Regulation (data subject consent), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. The controller shall provide the information referred to in Sections 1 and 2:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Section 2.
- Sections 1-5 shall not apply where and insofar as:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the Regulation or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
(Article 14 of the Regulation)
Right of access by the data subject
- The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.
- The Controller shall provide the Data Subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
(Article 15 of the Regulation)
Right to erasure (‘right to be forgotten’)
- The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the Regulation, and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.
- Where the Controller has made the personal data public and is obliged pursuant to Section 1 above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the data subject has requested the erasure by such Controllers of any links to, or copy or replication of, those personal data.
- Sections 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the Regulation;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation in so far as the right referred to in Section 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
(Article 17 of the Regulation)
Right to restriction of processing
- The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification whether the legitimate grounds of the Controller override those of the data subject.
- Where processing has been restricted under Section 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- A data subject who has obtained restriction of processing pursuant to Section 1 shall be informed by the Controller before the restriction of processing is lifted.
(Article 18 of the Regulation)
Right to data portability
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) of the Regulation; and
(b) the processing is carried out by automated means.
- In exercising his or her right to data portability pursuant to Section 1, the data subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.
- The exercising of this right shall not violate Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right referred to in Section 1 shall not adversely affect the rights and freedoms of others.
(Article 20 of the Regulation)
Right to object
- The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of Article 6(1) of the Regulation, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- At the latest at the time of the first communication with the data subject, the right referred to in Sections 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
- In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
(Article 21 of the Regulation)
Automated individual decision-making, including profiling
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Section 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
(c) is based on the data subject’s explicit consent.
- In the cases referred to in points (a) and (c) of Section 2, the Controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
- Decisions referred to in Section 2 shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
(Article 22 of the Regulation)
Restrictions
- Union or Member State law to which the Controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34 of the Regulation, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) national security;
(b) defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the protection of judicial independence and judicial proceedings;
(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil law claims.
- In particular, any legislative measure referred to in Section 1 shall contain specific provisions at least, where relevant, as to:
(a) the purposes of the processing or categories of processing;
(b) the categories of personal data;
(c) the scope of the restrictions introduced;
(d) the safeguards to prevent abuse or unlawful access or transfer;
(e) the specification of the controller or categories of controllers;
(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
(Article 23 of the Regulation)
Communication of a personal data breach to the data subject
- When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.
- The communication to the data subject referred to in Section 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.
- The communication to the data subject referred to in Section 1 shall not be required if any of the following conditions are met:
(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in Section 1 is no longer likely to materialise;
(c) it would involve a disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
- If the Controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so, or may decide that any of the conditions referred to in Section 3 are met.
(Article 34 of the Regulation)
Right to lodge a complaint with a supervisory authority
- Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
- The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the Regulation.
(Article 77 of the Regulation)
Right to an effective judicial remedy against a supervisory authority
- Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
- Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
- Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
- Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
(Article 78 of the Regulation)
Right to an effective judicial remedy against a controller or processor
- Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
- Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
(Article 79 of the Regulation)
CHAPTER VIII
SUBMITTING DATA SUBJECT REQUESTS,
ACTIONS BY THE DATA CONTROLLER
- The Controller shall provide information on action taken on a request aimed at the exercising of rights to the data subject without undue delay and in any event within one month of receipt of the request.
- That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
- Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
- If the Controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
- Information provided pursuant to Articles 13 and 14 of the Regulation and information and actions on data subject rights (Articles 15-22 and 34 of the Regulation) shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Controller may either:
(a) charge a fee of HUF 6,350 taking into account the administrative costs of providing the information or communication or taking the action requested,
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- Where the Controller has reasonable doubts concerning the identity of the natural person making a request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
Tatár Pékség Kft. 24.05.2018