Privacy Notice and Information on the Processing of Personal Data
Name of the firm: Prompt-H Computer Education, Commerce and Service Ltd.
Seat: 2100 Gödöllő, Testvérvárosok útja 28.
VAT-number: 12337545-2-13
Company register number: 13-09-078201
Representative: Dr. József Lengyel
This Notice contains the internal rules of the Company's data processing activities for compliance with Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation).
The administrator is responsible for establishing and amending the Prospectus.
Date: Gödöllő, 24 May 2018
Introduction
Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (hereinafter referred to as the Regulation) requires the Controller to take appropriate measures to provide the data subject with all the information concerning the processing of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, and to facilitate the exercise of the data subject's rights.
Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "the Regulation"), provides that the controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information, and that the Controller facilitates the exercise of the rights of the data subject.
The obligation to provide the data subject with prior information is also laid down in Act CXII of 2011 on the right to informational self-determination and freedom of information.
By providing the information below, we comply with this legal obligation.
The information shall be published on the company's website or sent to the person concerned at his request.
Chapter I: Name of the data controller
The publisher of this information and the Data Controller:
Name of the firm: PROMPT-H Computer Education, Commerce and Service Ltd.
Seat: 2100 Gödöllő, Testvérvárosok útja 28.
Company register number: 13-09-078201
VAT-number: 12337545-2-13
Representative: Dr. József Lengyel
Telephone number: +36 (28) 430-695
E-mail address: office@prompt.hu
Website: www.prompt.hu
(hereinafter referred to as the "Company")
Chapter II: Names of the data processors
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the Regulation).
The use of the data processor does not require the prior consent of the data subject, but it is necessary to inform him/her. Accordingly, the following information will be provided:
1. IT service provider of our company
Our company does not use a data processor for the maintenance and management of its website; this task is carried out by our company itself.
2. Accounting service provider of our company
In order to fulfil its tax and accounting obligations, our Company uses an external service provider with an accounting service contract, who also processes the personal data of natural persons who have a contractual or paying relationship with our Company, for the purpose of fulfilling the tax and accounting obligations of our Company.
The name of this processor is as follows:
Name: T.REX Accountant and Tax Advisor Ltd.
Seat: 1185 Budapest, Nyíregyháza u. 62.
Company register number: 01-09-666924
VAT-number: 12343502-2-43
Representative: Erika Berényi
Telephone number: +36 (1) 292-2339
3. Postal services, delivery, parcel delivery
These data processors receive from our Company the personal data necessary for the delivery of the ordered product (name, address, telephone number of the data subject) and use it to deliver the product.
These service providers: Magyar Posta
4. Property protection service provider
Our company does not use a data processor for camera surveillance at work, entry and exit control, or the related data processing.
Chapter III: Data processing in relation to employment
1. Labour and personnel records
(1) Only data which are necessary for the establishment, maintenance and termination of employment or the provision of social-welfare benefits may be requested from and recorded about employees, and only such medical aptitude tests may be carried out, provided that the employee's personal rights are not infringed.
(2) The Company processes the following data of the employee for the purpose of establishing, fulfilling or terminating an employment relationship in order to enforce the Company's legitimate interests as employer (Article 6(1)(f) of the Regulation):
- name,
- birth name,
- date of birth,
- mother's name,
- address,
- nationality,
- tax identification number,
- social security number,
- pensioner registration number (in the case of a retired worker),
- telephone number,
- e-mail address,
- identity card number,
- the number of the official certificate certifying the address,
- bank account number,
- online ID (if any),
- start and end dates of employment,
- job title,
- a copy of the document certifying his/her education and professional qualifications,
- photo,
- curriculum vitae,
- the amount of his/her wages, data on wage payments and other benefits,
- debt to be deducted from the employee's wages on the basis of a final decision or by law or written consent, or the right to do so,
- evaluation of the worker's work,
- the manner and reasons for termination of employment,
- a certificate of good conduct, depending on the job title,
- summary of job aptitude tests,
- in the case of membership of a private pension fund and a voluntary mutual fund, the name and identification number of the fund and the employee's membership number,
- in the case of a foreign worker, passport number; the name and number of the document certifying entitlement to work,
- data recorded in the minutes of accidents suffered by workers,
- the data necessary for the use of welfare services and commercial accommodation,
- the data recorded by the camera and access control system used by the Company for security and property protection purposes, as well as by the positioning systems.
(3) Data on illness and trade union membership are processed by the employer only for the purpose of fulfilling the right or obligation specified in the Labour Code.
(4) Recipients of personal data: the employer's manager, the holder of the employer's authority, the Company's employees and data processors performing labour tasks.
(5) Only the personal data of senior employees can be transferred to the owners of the Company.
(6) Duration of personal data storage: 3 years after termination of employment.
(7) The data subject must be informed before the start of data processing that the processing is based on the Labour Code and the enforcement of the legitimate interests of the employer.
2. Processing of employee data, applications, CVs
(1) The scope of personal data that can be processed: the name, date of birth, place of birth, mother's name, address, qualification data, photo, telephone number, e-mail address, employer's record of the applicant (if any).
(2) The purpose of the processing of personal data: application, evaluation of the application, conclusion of an employment contract with the selected person. The data subject shall be informed if the employer has not chosen him/her for the job in question.
(3) Legal basis of data processing: consent of the data subject.
(4) Recipients of personal data and categories of recipients: managers entitled to exercise employer's rights at the Company, employees performing labour duties.
(5) Duration of personal data storage: until the competition or application is evaluated. The personal data of unsuccessful applicants shall be deleted. The data of a person who has withdrawn his/her application must also be deleted.
(6) The employer can retain applications only on the basis of the explicit, unambiguous and voluntary consent of the data subject, provided that their retention is necessary in order to achieve the employer's purpose of data processing in accordance with the law. This consent shall be requested from applicants after the completion of the recruitment procedure.
3. Data processing related to the verification of the use of an e-mail account
(1) If the Company makes an e-mail account available to the employee, this e-mail address and account may be used by the employee only for the purpose of his/her duties, so that employees can keep in touch with each other through it or correspond with clients, other persons and organizations on behalf of the employer.
(2) The employee cannot use the e-mail account for personal purposes and may not store personal mail in the account.
(3) The employer is authorized to check the entire contents and use of the e-mail account on a regular basis every 3 months; the legal basis for this data processing is the legitimate interest of the employer. The purpose of the audit is to check compliance with the employer's provision on the use of the e-mail account, as well as to control it (Mt. 8. §, 52. §).
(4) The employer's manager or the holder of the employer's rights is authorized to carry out the inspection.
(5) If the circumstances of the inspection do not preclude this possibility, it is necessary to ensure that the worker is present during the inspection.
(6) Before the inspection, the employee must be informed of the employer's interests in the audit, of who can carry out the audit on the employer's part, of the rules according to which the verification can take place (compliance with the principle of graduality) and what the procedure is, and of the rights and remedies available in relation to the data processing that goes with the verification of the e-mail account.
(7) The principle of graduality should be applied during the verification, so that it is determined primarily from the e-mail address and subject whether the e-mail relates to the employee's job function and is not for personal purposes. The content of non-personal e-mails may be examined by the employer without restriction.
(8) If, contrary to the provisions of this Policy, it can be concluded that the employee used the e-mail account for personal purposes, the employee shall be asked to delete the personal data without delay. In the event of the absence or lack of cooperation of the employee, the personal data shall be deleted by the employer at the time of the inspection. Due to the use of the e-mail account contrary to this Policy, the employer may apply labour law consequences to the employee.
(9) The employee may exercise the rights described in the section on the rights of the data subject in connection with the processing of data involving the verification of the e-mail account.
4. Data processing related to the control of computers, laptops and tablets
The computer, laptop and tablet provided by the Company to the employee for the purpose of work may be used by the employee only for the performance of his/her duties. Their private use is prohibited by the Company, and the employee cannot process or store any personal data or correspondence on these devices. The employer may check the data stored on these devices. The employer's control of these assets and its legal consequences are otherwise governed by the provisions of point 1.4 above.
5. Data processing related to the control of internet use at work
(1) The employee can only view websites related to his/her job title; the employer prohibits the use of the Internet for personal purposes at work.
(2) The Company is the holder of internet registrations carried out on behalf of the Company as a job task; during the registration, the identification and password referring to the Company must be used. If the provision of personal data is also necessary for registration, the Company is obliged to initiate the deletion of the personal data upon termination of the employment relationship.
(3) The employee's use of the internet at work can be controlled by the employer; this control and its legal consequences are governed by the provisions of section 1.4.
6. Data processing related to the control of the use of company mobile phones
(1) The employer does not allow the private use of the company mobile phone. The mobile phone can only be used for work-related purposes, and the employer can check the number and data of all outgoing calls, as well as the data stored on the mobile phone.
(2) The employee is obliged to report it to the employer if he/she has used the company mobile phone for private purposes. In this case, the verification can be carried out by the employer requesting call details from the telephone service provider and inviting the employee to make the numbers called unrecognizable on the document in the case of private calls. The employer may require the costs of private calls to be borne by the employee.
(3) Furthermore, the control and its legal consequences shall be governed by the provisions of point 1.4.
7. Data processing related to the timesheet system
Our company uses an electronic access control system at its headquarters for the purpose of controlling employee obligations. It stores the identification data (name and address) of the persons entitled to enter, which are managed for the operation of the electronic access control system:
a) in the case of regular entry, on termination of the right to enter, but no later than 12 months after the date on which the data were generated,
b) the data of the entry database may only be transferred to the investigating authority or to the infringement authority in the event of suspicion of a property protection service or a criminal offence or offence, or on request.
8. Data processing related to camera surveillance at work
(1) Our company uses an electronic surveillance system in its premises open for reception for the purpose of protecting human life, physical integrity, personal freedom, trade secrets and property. The system allows image recording, on the basis of which the behaviour of the data subject recorded by the camera can also be considered personal data.
(2) The legal basis for this processing is the enforcement of the legitimate interests of the employer and the consent of the data subject.
(3) The fact that the electronic monitoring system is used in a given area shall be indicated in a clearly visible place, legibly and in a way that facilitates the orientation of third parties wishing to appear in the area. The information shall be provided for each camera. This information shall include the fact of surveillance by the electronic property protection system, the purpose for which the image recorded by the system containing personal data is taken and stored, the legal basis for data processing, the place where the recording is stored, the duration of storage, the person using the system (operator), the persons authorized to know the data, and the provisions concerning the rights of data subjects and the order in which they are enforced. The information is set out in Annex 5 to this Policy.
(4) Images of third parties entering the monitored area (customers, visitors, guests) can be taken and managed with their consent. Consent may also be given by implied conduct, in particular if the natural person staying there enters the area despite a signal or description of the use of the electronic monitoring system placed there.
(5) The recordings may be retained for a maximum of 3 (three) working days in the absence of use. Use shall be deemed to be the intended use of the recorded image recording and other personal data as evidence in judicial or other official proceedings.
(6) A person whose right or legitimate interest is affected by the recording of the image may, within three working days of the recording of the image, request, by proving his or her right or legitimate interest, that the data not be destroyed or deleted by its operator.
(7) No electronic surveillance system shall be used in rooms in which surveillance may prejudice human dignity, in particular in changing rooms, showers, lavatories or, for example, in medical rooms or in the associated waiting room, or in rooms designated for the purpose of taking an inter-work break for workers.
(8) If no one is legally allowed to stay in the workplace, in particular during off-hours or on public holidays, the entire area of the workplace (such as changing rooms, lavatories, rooms designated for inter-work breaks) can be observed.
(9) In addition to those authorized to do so by law, the management staff, the employer's manager and his/her deputy, as well as the head of the monitored area, shall be entitled to view the data recorded by electronic monitoring system for the purpose of detecting infringements and verifying the functioning of the system.
Chapter IV: Contract-related data processing
1. Managing contracting partner data—registering customers and vendors
For the purpose of concluding, performing and terminating the contract and of providing a contract discount, the Company handles the name, birth name, date of birth, mother's name, address, tax identification number, tax number, entrepreneur's or primary producer's card number, ID card number, address, registered office, site address, telephone number, e-mail address, website address, bank account number and customer number (customer number, order number) (list of customers, suppliers, master purchase lists). This processing is considered lawful even if the processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: employees of the Company performing customer service, accounting and tax-related tasks, and data processors of the Company. Duration of processing of personal data: 5 years after the termination of the contract.
(a) The data subject must be informed before the start of the data processing that the data processing is based on the performance of the contract; that information can also be provided in the contract.
(b) The data subject shall be informed of the transfer of his or her personal data to the processor.
2. Contact details of natural person representatives of legal entity customers, customers and suppliers
(1) The scope of personal data that can be processed: the name, address, telephone number, e-mail address, online ID of the natural person.
(2) The purpose of the processing of personal data: performance of the contract with the legal entity partner, business relations; legal basis: consent of the data subject.
(3) Recipients of personal data and categories of recipients: employees of the Company performing customer service tasks.
(4) The duration of the storage of personal data: 5 years after the business relationship, or the data subject's capacity as representative, has ceased to exist.
3. Visitor data processing on the Company's website
(1) Cookies are short data files placed on the user's computer by the website visited. The purpose of the cookie is to make the relevant infocommunication and internet service easier and more convenient. There are several varieties, but as a rule they can be divided into two large groups. One is the temporary cookie that the website places on the user's device only during a given session (e.g. during the security identification of an Internet banking session); the other type is the persistent cookie (e.g. the language setting of a website), which remains on the computer until the user deletes it. According to European Commission guidelines, cookies (unless strictly necessary for the use of the service) can only be placed on the user's device with the user's permission.
(2) In the case of cookies that do not require the user's consent, information must be provided during the first visit to the website. It is not necessary that the full text of the cookie notice be displayed on the website; it is sufficient for the operators of the website to briefly summarize the essence of the information and refer to the availability of the full information via a link.
(3) In the case of cookies requiring consent, the information may also be related to the first visit to the website if the processing involving the use of cookies begins already by visiting the site. If the use of the cookie is related to the use of a function specifically requested by the user, the information may also appear in connection with the use of this function. In this case, it is not necessary for the full text of the cookie notice to appear on the website; a brief summary of the substance of the information and a link to the availability of the full information are sufficient.
4. Information about the use of cookies
(1) In accordance with common internet practice, our Company also uses cookies on its website. A cookie is a small file containing a series of characters that is placed on a visitor's computer when he/she visits a website. When the visitor visits the website again, the cookie allows the website to recognize the visitor's browser. Cookies may also store user preferences (e.g. language of choice) and other information. Among other things, they collect information about the visitor and his/her device, remember the visitor's individual preferences, and may be used e.g. when using online shopping baskets. Cookies generally facilitate the use of the website, help to provide users with a true web experience and an effective source of information, and enable the website operator to monitor the operation of the site, prevent abuse and ensure the smooth and adequate quality of the services provided on the website.
(2) The website of our company records and processes the following data about the visitor and the device he/she uses to browse the website:
- the IP address used by the visitor,
- browser type,
- features of the operating system of the device used for browsing (language set),
- date of visit,
- the (sub)page, function or service you visit.
However, please note that some website features or services may not function properly without cookies.
(4) The cookies used on the website are in themselves not suitable for identifying the user.
(5) Cookies used on the Company's website:
a) Technically essential “session” cookies
These cookies are necessary for visitors to browse the website and to use its functions and the services available through the website smoothly and fully, including, but not limited to, remembering the actions of the visitor on those pages during a visit. The duration of the processing of these cookies applies only to the visitor's current visit; after the end of the session or when the browser is closed, this type of cookie is automatically deleted from the visitor's computer.
The scope of data processed: AVChatUserId, JSESSIONID, portal_referer.
The legal basis for this processing is Section 13/A (3) of Act CVIII of 2001 on certain aspects of e-commerce services and information society services (Elkertv.).
Purpose of data processing: to ensure the proper functioning of the website.
b) Cookies requiring consent
These provide an opportunity for the Company to remember the user's choices regarding the website. The visitor may prohibit this processing at any time prior to the use of the service and during the use of the service. This data shall not be linked to the identity of the user and shall not be disclosed to third parties without the user's consent.
c) Usage cookies
The legal basis for data processing is the consent of the visitor.
The purpose of data management: to increase the efficiency of the service, to improve the user experience, to make the use of the website more convenient.
The duration of data processing is 6 months.
d) Performance cookies
Google Analytics cookies
Google Ads cookies
5. Community Guidelines / Data Management on the Company's Facebook page
(1) The Company maintains a Facebook page to promote its products and services.
(2) A question asked on the Company's Facebook page does not constitute a formal complaint.
(3) The Company does not process the personal data published by visitors on the Company's Facebook page.
(4) Visitors are governed by Facebook's Privacy and Services Terms.
(5) In the event of the publication of illegal or offensive content, the Company may exclude the data subject from the members without prior notice or delete his/her contribution.
(6) The Company is not responsible for any data content or comments published by Facebook users that violate the law. The Company is not liable for any errors, malfunctions or problems arising from the operation of Facebook.
6. Data management in the Company's webshop
(1) A purchase in a webshop operated by the Company constitutes a contract, subject to Section 13/A of Act CVIII of 2001 on certain aspects of e-commerce services and information society services, as well as Government Decree 45/2014 (II. 26.) on detailed rules for contracts between the consumer and the business. In case of purchase in a webshop, the legal title of data processing is the contract.
(2) The Company may process the natural identity data and address necessary for the identification of the customer registering in the webshop for the purpose of establishing, defining, modifying and monitoring the performance of the contract for the provision of information society services, and for the purpose of invoicing the resulting fees and enforcing claims related to it, in accordance with Section 13/A(1) of Act CVIII of 2001, as well as the customer's telephone number, e-mail address, bank account number and online ID on the basis of consent.
(3) The Company may lawfully process natural identity data, address and data concerning the time, duration and place of use of the information society service for the purpose of invoicing, pursuant to Section 13/A(2) of Act CVIII of 2001.
(4) Recipients of personal data and categories of recipients: employees of the Company performing tasks related to customer service and marketing activities, employees performing tax and accounting tasks of the Company, employees of the Company's IT service provider for the purpose of performing the hosting service, employees of the courier service in relation to the delivery data (name, address, telephone number).
(5) Duration of the processing of personal data: for as long as the registration / service exists or until the withdrawal of the consent of the data subject (request for deletion); in case of purchase, for 5 years after the year of purchase.
Chapter V: Processing based on legal obligations
1. Data processing for the fulfilment of tax- and accounting obligations
(1) The Company processes the statutory data of natural persons who do business with it as customers and suppliers for the purpose of fulfilling statutory tax and accounting obligations (accounting, taxation). The data processed are, in particular: pursuant to Sections 169 and 202 of Act CXXVII of 2017 on Value Added Tax: tax number, name, address, tax status; pursuant to Section 167 of Act C of 2000 on Accounting: name, address, indication of the person or entity ordering the transaction, the person certifying the execution of the voucher and provision, and, depending on the organisation, the signature of the inspector; on the documents of stock movements and money management documents, the signature of the recipient, and on the counter-receipts, the signature of the payer; pursuant to Act CXVII of 1995 on personal income tax: entrepreneur's card number, primary producer's card number, tax identification number.
(2) The period for storing personal data is 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security tasks.
2. Payer data management
(1) The Company processes the personal data, as required by tax laws, of the persons concerned (employees, family members, employees, other benefit recipients) with whom it is in a payer relationship (Act CL of 2017 on the Rules of Taxation (Art.) § 7, § 31), for the purpose of fulfilling statutory tax and contribution obligations (tax, withholding tax, determining contributions, payroll, social security, pension administration). The scope of the data processed is set out in Art. § 50, with special emphasis on the following: the natural identity data of the natural person (including the previous name and title), gender, nationality, tax identification number of the natural person, social security number.
If the tax laws attach legal consequences to this, the Company may process data relating to health (§ 40 of Szja tv.) and trade union membership (Szja 47. § (2) b)) for the purpose of fulfilling tax and contribution obligations (payroll, social security administration). (Szja: Personal Income Tax)
(2) The period for storing personal data is 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payer) tasks.
3. Data processing for the purpose of fulfilling anti-money laundering obligations
(1) The Company processes the data of its clients, their representatives and beneficial owners as defined in Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (Pmt.) for the purpose of preventing and combating money laundering and terrorist financing: (a) the surname and forename of a natural person, (b) surname and forename at birth, (c) nationality, (d) place of birth, date of birth, (e) mother's birth name, (f) address, failing this, place of residence, (g) the type and number of his/her identification document; the number of his/her official card certifying the address, a copy of the documents presented (Section 7).
(2) Recipients of personal data: employees of the Company performing customer service tasks, the head of the Company and the designated person of the Company according to the Pmt.
(3) Duration of personal data storage: 8 years from the termination of the business relationship or the execution of the transaction order (Section 56(2) of the Pmt.).
Chapter VI: Summary information on the rights of the data subject
For the sake of clarity and transparency, this chapter briefly summarises the rights of the data subject, the detailed information on the exercise of which is given in the following chapter.
Right to prior information
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with information (Articles 13-14 of the Regulation). Detailed rules are given in the next chapter.
Right of access of the data subject
The data subject has the right to receive feedback from the Data Controller as to whether or not his/her personal data are being processed and, if such processing is in progress, he/she has the right to have access to the personal data and the related information specified in the Regulation (Article 15 of the Regulation). Detailed rules are given in the next chapter.
Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
The data subject has the right to have the personal data concerning him or her deleted by the Data Controller without undue delay at his or her request, and the Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the reasons specified in the Regulation exists (Article 17 of the Regulation). Detailed rules are given in the next chapter.
Right to restriction of processing
The data subject has the right to have the processing of data restricted by the Data Controller at his or her request if the conditions set out in the Regulation are fulfilled (Article 18 of the Regulation). Detailed rules are given in the next chapter.
Obligation to notify in connection with the rectification or erasure of personal data or restriction of data processing
The Controller has to inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the Controller informs these recipients (Article 19 of the Regulation).
Right to data portability
Under the conditions set out in the Regulation, the data subject has the right to receive the personal data concerning him or her which he or she has made available to a Data Controller in a structured, widely used, machine-readable format, and he or she has the right to transmit this data to another Controller without being hindered by the Controller to whom he or she has made the personal data available (Article 20 of the Regulation). Detailed rules are given in the next chapter.
Right to object
The data subject has the right to object at any time, for reasons related to his or her situation, to the processing of his or her personal data based on Article 6(1)(e) of the Regulation (data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the Controller) or (f) (the processing is necessary for the enforcement of the legitimate interests of the Controller or a third party) (Article 21 of the Regulation).
Automated individual decision-making, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would have legal effect on him or her or similarly significantly affect him or her (Article 22 of the Regulation). Detailed rules are given in the next chapter.
Restrictions
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 (Article 23 of the Regulation). Detailed rules are given in the next chapter.
Informing the data subject about the personal data breach
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. (Article 34 of the Regulation)
Right to lodge a complaint with a supervisory authority (right to an official remedy)
The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the suspected infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation (Article 77 of the Regulation). Detailed rules are given in the next chapter.
Right to an effective judicial remedy against a supervisory authority
All natural and legal persons are entitled to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them, or if the supervisory authority does not deal with the complaint or does not inform the data subject within three months about the procedural developments or the outcome of the complaint lodged (Article 78 of the Regulation). Detailed rules are given in the next chapter.
Right to an effective judicial remedy against the controller or processor
Each data subject is entitled to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in a manner not in accordance with this Regulation (Article 79 of the Regulation). Detailed rules are given in the next chapter.
Chapter VII: Detailed information on the rights of the data subject
Right to prior information
The data subject has the right to be informed of the facts and information related to the processing prior to the start of the data processing.
A) Information to be provided if personal data are collected from the data subject
(1) If personal data concerning the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
(2) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
(4) Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information. (Article 13 of the Regulation)
B) Information to be provided where personal data have not been obtained from the data subject
(1) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) the categories of personal data concerned;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
e) the right to lodge a complaint with a supervisory authority;
f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(3) The controller shall provide the information referred to in paragraphs 1 and 2:
a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
(4) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
(5) Paragraphs 1 to 4 shall not apply where and insofar as:
a) the data subject already has the information;
b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. (Article 14 of the Regulation)
Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. (Article 15 of the Regulation)
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims. (Article 17 of the Regulation)
Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted. (Article 18 of the Regulation)
Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
b) the processing is carried out by automated means.
2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others. (Article 20 of the Regulation)
Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. (Article 21 of the Regulation)
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place. (Article 22 of the Regulation)
Restrictions
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
a) national security;
b) defence;
c) public security;
d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
f) the protection of judicial independence and judicial proceedings;
g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
i) the protection of the data subject or the rights and freedoms of others;
j) the enforcement of civil law claims.
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
a) the purposes of the processing or categories of processing;
b) the categories of personal data;
c) the scope of the restrictions introduced;
d) the safeguards to prevent abuse or unlawful access or transfer;
e) the specification of the controller or categories of controllers;
f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
g) the risks to the rights and freedoms of data subjects; and
h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction. (Article 23 of the Regulation)
Communication of a personal data breach to the data subject
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met. (Article 34 of the Regulation)
Right to lodge a complaint with a supervisory authority
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78. (Article 77 of the Regulation)
Right to an effective judicial remedy against a supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court. (Article 78 of the Regulation)
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers. (Article 79 of the Regulation)
Chapter VIII: Submission of the data subject's request, measures taken by the controller
1. The Controller shall inform the data subject without undue delay, but in any case within one month of receiving the request, of the measures taken following his or her request to exercise his or her rights.
2. Where necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Data Controller informs the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request.
3. If the data subject has submitted the application electronically, the information shall, as far as possible, be provided electronically, unless the data subject requests otherwise.
4. If the Data Controller does not take measures following the request of the data subject, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for not taking action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right of judicial remedy.
5. The Data Controller provides the information pursuant to Articles 13 and 14 of the Regulation, the information on the rights of the data subject (Articles 15-22 and 34 of the Regulation) and the related measures free of charge. If the data subject's request is clearly unfounded or excessive, in particular because of its repetitive nature, the Controller, taking into account the administrative costs involved in providing the requested information or taking the requested action:
a) may charge a fee of 10,000 HUF, or
b) may refuse to take the requested measure.
c) The Controller is responsible for proving the clearly unfounded or excessive nature of the request.
6. If the Controller has reasonable doubts about the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the data subject.