Name of data management organization: Botrytis Winehotel Limited Liability Company

Established : 3909 Mad, Batthyany street 10.

Tax number: 23060933-2-05

Registration Nr.: 05-09-020848

The representative of the data controller is: Karoly Istvan Kovacs

The revision and maintenance of this policy is carried out annually depending on legislative changes. The provisions of the regulations shall be interpreted in accordance with the provisions of the other regulations of the company. If there is a conflict between these provisions and other policies regarding the protection of personal data, the provisions of this Privacy Policy shall prevail.

Privacy legislation:

  • yearly CXII. Law on Information Self-Determination and Freedom of Information (Info Act)
  • European Union 2016/679 EU decree
  • yearly law on the Civil Code
  • yearly LXVI. Act on registration of citizens’ personal data and address
  • yearly CXXXIII. act on the rules of personal and property protection and private investigator activity
  • yearly I. Act on the labor code, § 10 (1) and (3)
  • yearly CXXII. Act on Social Security Benefits and Coverage of these Benefits
  • The Social Security benefits 1997. yearly LXXX. Law
  • Mandatory health insurance 1997. yearly LXXXIII. law
  • On personal income tax 1995. yearly CXVII. law

TABLE OF CONTENTS

I.  PURPOSE OF THE POLICY

II.  SCOPE OF THE POLICY

  • Personal scope
  • Period of application

III.  DEFINITIONS

IV.  PRINCIPLES

V.  LEGAL BASIS FOR DATA PROCESSING

  1. Consent of the data subject
  2. Performance of contract
  3. Compliance with a legal obligation to which the controller is subject or protection of the vital interests of the data subject or of another natural person
  4. Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, enforcement of the legitimate interests of the controller or of a third party.

VI.  WHO HAS ACCESS TO THE DATA

VII.  RIGHTS OF THE DATA SUBJECT

  • Right to information
  • Right of access by the data subject
  • Right to rectification and erasure
  • Right to rectification
  • Right to erasure („right to be forgotten”)
  • Right to restriction of processing
  • Notification obligation related to rectification or erasure of personal data or restriction of processing
  • Right to data portability
  • Right to object
  • Right not to automated decision-making
  • The data subject’s right to lodge a complaint and seek redress
    • Right to lodge a complaint with a supervisory authority
    • Right to an effective judicial remedy against a supervisory authority
    • Right to an effective judicial remedy against the controller or processor
  • Limitations
  • Communication of a personal data breach

VIII.  PROCEDURE APPLICABLE AT THE REQUEST OF THE DATA SUBJECT

IX.  PROCEDURE IN CASE OF PERSONAL DATA BREACH

X.  THE COMPANY’S DATA PROCESSING ACTIVITIES IN THE CONTEXT OF THE EMPLOYMENT RELATIONSHIP

  • Data processing prior to the establishment of the Employment Relationship
  • Data processing during the tendering process for the recruitment of workers
  • Data processing during job aptitude assessment
  • Data processing during the employment relationship
  • Data processing within the framework of labour records
  • Monitoring of the employee’s conduct in the employment relationship
  • Data processing related to the use of the email account provided by the Company to the employee
  • Monitoring the use of laptops, tablets and telephones provided to employees
  • Check an employee’s Internet usage at work
  • Track company cars

XI.  OTHER ACTIVITIES AND DATA SUBJECTS AFFECTED BY DATA PROCESSING

  1. Data processing based on a legal obligation
    1. Data processing related to the fulfilment of anti-money laundering obligations
    2. Data processing necessary for the fulfilment of accounting obligations
    3. Data processing related to the fulfilment of tax and contribution obligations
    4. Data processing during requests for information and requests for quotations

XII.  RULES RELATING TO DATA PROCESSING

  1. The General rules on data processing

XIII.  PROVISIONS ON DATA SECURITY

  1. Principles for implementing data security.
    1. Protection of the IT records of the Company
    2. Protection of the Company’s paper records

XIV.  INFORMATION ON THE PLACEMENT AND DATA MANAGEMENT PURPOSE OF CAMERAS

XV.  VIZA SYSTEM

XVI.  OTHER PROVISIONS

I.  PURPOSE OF THE POLICY

The purpose of this policy is to establish the internal rules setting out the data protection and data management policy of our Company in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), by enforcing which the Company ensures respect for the right to the protection of personal data of data subjects during the processing of their personal data in all its activities and services.

By accepting these rules, the Company declares compliance with the principles set out in Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, hereinafter referred to as „Regulation”.

II.  SCOPE OF THE POLICY

1. Personal scope

The scope of this policy covers the Company and the natural persons to whom its data processing activities extend. The data processing activity set out in this policy is aimed at the personal data of natural persons. The Policy does not apply to personal data processing that involves legal persons or which, in particular, applies to businesses that are established as legal entities, including the name and form of the legal entity and contact details of the legal person. Legal entities are associations, business associations, cooperatives, associations and foundations.

2. Period of application

This policy shall be valid from the date of its establishment until further provision or until the date of its revocation.

III.  DEFINITIONS

  • „Data subject”: any specific natural person identified or identifiable, directly or indirectly, on the basis of personal data.
  • „personal data”: means any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • „processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • „restriction of processing”: the marking of stored personal data with a view to limiting their processing in the future;
  • „profiling”: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • „pseudonymisation”: means the processing of personal data in such a way that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and technical and organisational measures are taken to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • „filing system”: a set of personal data structured in any way, whether centralised, decentralised or functional or geographically available, according to specific criteria;
  • „controller”: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • „processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • „recipient”: means a natural or legal person, public authority, agency or any other body, to which personal data are disclosed, whether a third party or not. Public authorities which may have access to personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
  • „third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • „consent of the data subject”: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • „personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • „genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person, which give unique information concerning his physiology or health, and which result, in particular, from the analysis of a biological sample taken from that natural person;
  • „biometric data”: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  • „data concerning health”: personal data concerning the physical or mental health of a natural person, including the provision of health care services to a natural person, which reveal information about that natural person’s health;
  • „undertaking”: means any natural or legal person, whatever its legal form, engaged in an economic activity, including partnerships and associations regularly engaged in an economic activity.

IV.  PRINCIPLES

  • Personal data may only be processed for a specific purpose, in order to exercise a right and fulfil an obligation.
  • At all stages of data processing, the purpose of data processing must be met, the recording and processing of data must be fair and lawful. Only such personal data may be processed that is essential for the realization of the purpose of data management and suitable for achieving the purpose.
  • Personal data may only be processed to the extent and for the time necessary to achieve the purpose.
  • The Company records that it stores the personal data it manages at its registered office in the form of electronic files or on paper-based documents, while complying with the legal requirements on data security. This provision applies to all data processing and data processing activities performed by the Company.

V.  LEGAL BASIS FOR DATA PROCESSING

1. Consent of the data subject

  • The lawfulness of the processing of personal data must be based on the consent of the data subject or on another lawful basis established by law.
  • In case of data processing based on the consent of the data subject, the data subject may give his or her consent to the processing of his or her personal data in the following form:
    • in writing, in the form of a declaration giving consent to personal data processing,
    • electronically, by explicit conduct on the Company’s website, by ticking a box or by making technical settings when using information society services, as well as any other statement or action that clearly indicates the data subject’s consent to the intended processing of his or her personal data in the given context.
  • Silence, pre-ticked boxes or inaction therefore do not constitute consent.
  • Consent covers all processing activities carried out for the same purpose or purposes.
  • If data processing serves more than one purpose at the same time, consent must be given for all processing purposes. Where the data subject’s consent is given following an electronic request, the request shall be clear, concise and shall not unnecessarily impede the use of the service for which consent is sought.
  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Before consent is given, the data subject shall be informed thereof. It should be possible to withdraw consent in the same simple way as to give it.

2. Performance of a contract

  • Data processing is lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
    • The consent of the data subject to the processing of personal data that is not necessary for the performance of the contract should not be a condition for the conclusion of the contract.

3. Compliance with a legal obligation to which the controller is subject or protection of the vital interests of the data subject or of another natural person

  • The legal basis for data processing is determined by law in case of compliance with a legal obligation, so the consent of the data subject is not required for the processing of his or her personal data.
    • The data controller is obliged to inform the data subject about the purpose, legal basis, duration of data processing, the identity of the data controller, as well as his rights and legal remedies.
    • The data controller is entitled to process the scope of data necessary for compliance with a legal obligation after the data subject has withdrawn his or her consent.

4. Performing a task carried out in the public interest or in the exercise of official authority vested in the controller, enforcing the legitimate interests of the controller or of a third party.

  • A legitimate interest of the controller, including of the controller to whom the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests, fundamental rights and freedoms of the data subject are not overriding, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. Such legitimate interests could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, for example where the data subject is a client of or employed by the controller.
    • In order to establish the existence of a legitimate interest, careful consideration should be made, inter alia, as to whether the data subject can reasonably expect processing to take place for that purpose at the time of and in connection with the collection of personal data.
    • The interests and fundamental rights of the data subject may take precedence over the interest of the controller where personal data are processed in circumstances in which the data subjects do not expect further processing.

VI.  WHO HAS ACCESS TO THE DATA

  • Personal data may be disclosed to employees of the Company with access rights related to the relevant data processing purpose, or to persons and organizations performing data processing activities for the Company on the basis of service contracts, to the extent determined by the Company and to the extent necessary for the performance of their activities.

VII.  RIGHTS OF THE DATA SUBJECT

1. Right to information

  • The data subject shall have the right to be informed of the information related to data processing prior to commencing the activity of processing his or her data.
  • Information to be provided where personal data are collected from the data subject:
    • the identity and contact details of the controller and, if any, of the controller’s representative;
    • contact details of the Data Protection Officer, if any;
    • the purpose of the intended processing of personal data and the legal basis for the processing;
    • where processing is based on point (f) of Article 6(1) of the Regulation, legitimate interests pursued by the controller or by a third party;
    • where applicable, recipients or categories of recipients of the personal data, if any;
    • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
  • In addition to the information referred to in paragraph 1, the controller shall, at the time of obtaining the personal data, provide the data subject with the following additional information in order to ensure fair and transparent processing:
    • the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing of such personal data and the right to data portability;
    • where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    • the right to lodge a complaint with a supervisory authority;
    • whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for entering into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
    • the identity and contact details of the controller and, if any, of the controller’s representative;
    • contact details of the Data Protection Officer, if any;
    • the purpose of the intended processing of personal data and the legal basis for the processing;
    • the category of personal data concerned;
    • the recipients or categories of recipients of the personal data, if any;
    • where applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46, Article 47 of the Regulation or the second subparagraph of Article 49(1), an indication of the appropriate or suitable safeguards and the means by which to obtain a copy of them or a reference to their availability.

(5) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing in respect of the data subject:

    • the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
    • where processing is based on point (f) of Article 6(1) of the Regulation, the legitimate interests pursued by the controller or by a third party;
    • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing and the right to data portability;
    • where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    • the right to lodge a complaint with a supervisory authority;
    • the source of the personal data and, where applicable, whether the data originate from publicly available sources; and
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 (6) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant additional information referred to in paragraph 2.

  • Paragraphs 1 to 3 shall not apply if and to the extent that:
    • the data subject already has the information;
    • the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures, including making the information publicly available, to protect the data subject’s rights and freedoms and legitimate interests;
    • obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides for appropriate measures to safeguard the data subject’s legitimate interests; or
    • personal data must remain confidential subject to an obligation of professional secrecy imposed by Union or Member State law, including statutory confidentiality.

2. Right of access by the data subject

  • The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • Purposes of data processing;
    • The categories of personal data concerned;
    • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where applicable, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
    • The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with a supervisory authority;
    • where the data are not collected from the data subject, any available information as to their source;
    • The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.
  • If personal data are transferred to a third country or international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  • The controller shall provide the data subject with a copy of the personal data undergoing processing. For further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format, unless otherwise requested by the data subject.

3. Right to rectification and erasure of the data subject

3.1. Right to rectification

(1) The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

3.2. Right to erasure (‘right to be forgotten’)

  • The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based pursuant to point (a) of Article 6(1) of the Regulation (consent to the processing of personal data) or Article 9(2)(a) of the Regulation (explicit consent) and there is no other legal basis for the processing;
    • the data subject objects to processing pursuant to Article 21 (1) of the Regulation (right to object) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the Regulation (objection to personal processing for marketing purposes);
    • the personal data have been unlawfully processed;
    • the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
    • the personal data have been collected in connection with the offer of information society services referred to in Article 8(1).
  • Where the controller has made the personal data public and is obliged to erase the personal data at the request of the data subject, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  • Paragraphs 1 and 2 shall not apply where processing is necessary:
    • for exercising the right to freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) of the Regulation and Article 9(3) of the Regulation;
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, in so far as the right referred to in paragraph (1) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise or defence of legal claims.

4. Right to restriction of processing

  • The data subject shall have the right to obtain from the controller restriction of processing where one of the following is true:
    • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    • the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
    • the data subject has objected to processing pursuant to Article 21 (1) of the Regulation; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the controller override those of the data subject.
  • Where processing has been restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  • The controller shall inform the data subject at whose request processing has been restricted pursuant to paragraph 1 in advance of the lifting of the restriction of processing.

5. Notification obligation related to rectification or erasure of personal data or restriction of processing

  • The controller shall communicate the rectification, erasure or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
  • At the request of the data subject, the controller shall inform him of these recipients.

6. Right to data portability

  • The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    • processing is based on consent pursuant to point (a) of Article 6(1) of the Regulation (consent of the data subject to the processing of personal data) or point (a) of Article 9(2) of the Regulation (explicit consent of the data subject to processing) or on a contract pursuant to point (b) of Article 6(1); and
    • data processing is carried out by automated means.
  • When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible.
  • The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
  1. Right to object
  • The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her that is carried out in the exercise of public interest or official authority or that is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (processing based on Article 6(1)(e) or (f) of the Regulation), including profiling based on those provisions. In that case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing.
  • If the data subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  • The right referred to in paragraphs 1 and 2 shall be expressly brought to the attention of the data subject at the latest at the time of the first communication with the data subject and shall be presented clearly and separately from any other information.
  • In relation to the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means based on technical specifications.
  • Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data relating to him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
  1. Right not to be subject to automated decision-making

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

  • Paragraph 1 does not apply if the decision:
    • is necessary for entering into, or performance of, a contract between the data subject and the controller;
    • is authorised by Union or Member State law to which the controller is subject and which also lays down appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
    • is based on the explicit consent of the data subject.
  • In the cases referred to in points (a) and (c) of paragraph 2, the controller shall take appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  • The decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless Article 9(2)(a) or (g) applies and appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests have been taken.
  1. Right of complaint and redress of the data subject
  • Right to lodge a complaint with a supervisory authority.
  • The data subject shall have the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
  • The data subject may exercise his or her right to lodge a complaint at the following contact details:

National Authority for Data Protection and Freedom of Information, address: 1055 Budapest, Falk Miksa utca 9-11., Phone: +36 (30) 683-5969, +36 (30) 549-6838, +36 (1) 391 1400, Fax: +36 (1) 391-1410, e-mail: ugyfelszolgalat@naih.hu

  • The supervisory authority with which the complaint has been lodged is obliged to inform the client of the progress and outcome of the complaint, including that, pursuant to Article 78 of the Regulation, the client has the right to a judicial remedy.

9.2.  Right to an effective judicial remedy against a supervisory authority

  • Without prejudice to any other administrative or non-judicial remedy, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
  • Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or fails to inform the data subject within three months of the progress or outcome of a complaint lodged pursuant to Article 77 of the Regulation.
  • Proceedings against a supervisory authority must be brought before the courts of the Member State where the supervisory authority is established.
  • Where proceedings are brought against a decision of a supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority is obliged to send that opinion or decision to the court.

9.3.   Right to an effective judicial remedy against the controller or processor

  • Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
  • Proceedings against a controller or processor must be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may also be brought before the courts of the Member State of habitual residence of the data subject, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

 

 

 

  1. Restrictions
  • Union or Member State law to which the controller or processor is subject may restrict by legislative measures the scope of the rights and obligations provided for in Articles 12 to 22 and 34 and, consistent with the rights and obligations provided for in Articles 12 to 22, those set out in Article 5, where the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
    1. national security;
    2. national defence;
    3. public security;
    4. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
    5. other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
    6. protection of judicial independence and judicial proceedings;
    7. for regulated professions, the prevention, investigation, detection and prosecution of breaches of ethics;
    8. monitoring, investigative or regulatory activities connected, even occasionally, to the exercise of public authority in the cases referred to in points (a) to (e) and (g);
    9. the protection of the data subject or the rights and freedoms of others;
    10. the enforcement of civil claims.
  1. The legislative measures referred to in paragraph 1 shall, where appropriate, include detailed provisions at least on:
    1.  the purposes or categories of processing,
    2.  the categories of personal data,
    3.  the scope of the restrictions imposed,
    4.  safeguards against misuse or unauthorised access or transfer,
    5.  the specification of the controller or categories of controllers,
    6.  the duration of the storage and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing,
    7.  the risks to the rights and freedoms of data subjects, and
    8.  the right of data subjects to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
  1. Communication of a personal data breach
  • Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  • The communication to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall state at least the name and contact details of the data protection officer or other contact person providing further information, the likely consequences of the personal data breach, and the measures taken or planned by the controller to remedy the data protection breach, including, where appropriate, measures to mitigate any adverse consequences resulting from the personal data breach.

  • The data subject need not be informed as referred to in paragraph 1 if any of the following conditions are met:
    • the controller has implemented appropriate technical and organisational protection measures and those measures were applied to the data affected by the personal data breach, in particular those that render the personal data unintelligible to persons who are not authorised to access them, such as encryption;
    • the controller has taken further measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph 1 is no longer likely to materialise;
    • the provision of information would involve a disproportionate effort. In such cases, the data subjects should be informed by means of publicly available information, or a similar measure should be taken that ensures the data subjects are informed in an equally effective manner.
  • If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered whether the personal data breach is likely to result in a high risk, may require it to do so or may decide that one of the conditions referred to in paragraph 3 has been fulfilled.

VIII.  PROCEDURE APPLICABLE AT THE REQUEST OF THE DATA SUBJECT

  • The Company facilitates the exercise of the rights of the data subject. It may not refuse to fulfil a request to exercise the rights of the data subject set out in this policy, unless it proves that it is not in a position to identify the data subject.
  • The Company shall inform the data subject of the measures taken in response to the request without undue delay, but in any event within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.
  • Where the data subject makes the request by electronic means, the information shall, where possible, be provided by electronic means, unless otherwise requested by the data subject.
  • If the Company does not take action on the request of the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.
  • The Company shall provide the data subject free of charge with the information detailed in Chapter VI, Section 1 of this Regulation pursuant to Articles 13 and 14 of the Regulation, as well as the information and measures pursuant to Articles 15 to 22 and 34 of the Regulation (feedback on the processing of personal data, access to processed data, rectification, completion, erasure of data, restriction of data processing, data portability, objection to data processing, notification of a personal data breach).
  • If the request of the data subject is manifestly unfounded or excessive, especially due to its repetitive character, the data controller, taking into account the administrative costs involved in providing the requested information or communication or taking the requested action, may charge a fee of HUF 5000 or refuse to act on the request.
  • The burden of proving that the request is manifestly unfounded or excessive lies with the controller.
  • Without prejudice to Article 11 of the Regulation, where the controller has reasonable doubts as to the identity of the natural person making a request pursuant to Articles 15 to 21 of the Regulation, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
IX. PROCEDURE IN CASE OF A PERSONAL DATA BREACH
  • A personal data breach within the meaning of the Regulation is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • The following, among others, qualify as a personal data breach: the loss or theft of a device containing personal data (laptop, mobile phone); the code used to decrypt a file encrypted by the data controller becoming unavailable or inaccessible; infection by ransomware, which makes the data processed by the data controller inaccessible until the ransom is paid; an attack on the IT system; an e-mail containing personal data sent in error; publication of an address list; etc.
  • If a personal data breach is detected, the representative of the Company shall immediately conduct an investigation to identify the personal data breach and determine its possible consequences. The necessary measures must be taken to prevent damage.
  • The personal data breach shall be notified to the competent supervisory authority without undue delay and, where possible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.
  • The processor shall notify the controller of the personal data breach without undue delay after becoming aware of it.
  • The notification referred to in paragraph 3 shall at least:
    • describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of data affected by the breach;
    • communicate the name and contact details of the data protection officer or other contact point providing further information;
    • describe the likely consequences of the personal data breach;
    • describe the measures taken or planned by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences resulting from the personal data breach.
  • If and insofar as it is not possible to provide the information at the same time, it may be communicated in instalments at a later stage without undue further delay.
  • The controller shall keep a record of personal data breaches, indicating the facts related to the personal data breach, its effects and the remedial measures taken. Such records shall enable the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.

X. DATA PROCESSING ACTIVITIES OF THE COMPANY IN THE CONTEXT OF THE EMPLOYMENT RELATIONSHIP

 

  1. Data processing prior to the establishment of the Employment Relationship

Data processing prior to the establishment of the employment relationship takes place in connection with the previous application procedure and the assessment of suitability for the job.

  1.  Data processing during the application procedure for the recruitment of employees
  2.  The legal basis for data processing during the application procedure for the recruitment of employees is the consent of the data subject.
  3.  Purposes of data processing: evaluation of applications, conclusion of employment contracts.
  4.  Data concerned by data processing: name, address, place and date of birth, education, professional qualifications, telephone number, e-mail address, likeness.
  5.  Categories of persons concerned by data processing: persons applying for a job.
  6.  Recipients of personal data: the holder of the employer’s authority, the employee(s) performing human resources tasks.
  7.  Duration of data processing: for unselected applicants, the purpose of data processing ceases to exist after the selection of the employee; therefore the personal data of applicants must be deleted immediately.

  • There is also an obligation to delete the data if the data subject changes his/her mind during the application process and withdraws his/her application. The applicant shall be informed of the outcome of the selection decision.
    • Data processing during job aptitude assessment

 

  • Pursuant to Section 10 (1) of the Labour Code, only two types of aptitude tests may be applied to employees: first, aptitude tests that are prescribed by an employment rule; and second, examinations that are not prescribed by an employment rule but which are necessary in order to exercise a right or fulfil an obligation specified in an employment rule.
  • In both cases of aptitude testing, employees must be informed in detail, among other things, about the skills and abilities that the aptitude test aims to assess, and by what means and methods the assessment is carried out. If the law requires an examination, employees must also be informed of the title of the legislation and the exact place in the legislation.
  • The legal basis for data processing is the legitimate interest of the employer.
  • Purpose of data processing: determination of suitability for the job, establishment of an employment relationship.
  • The persons authorized to process personal data with regard to the test result are the examiner and the examined person. The employer can only receive information about whether the person examined is suitable for the job or not, and what conditions should be provided for this. The details of the examination and its full documentation, however, may not be disclosed to the employer.
  • Duration of processing personal data related to the aptitude test: 3 years after termination of employment.
  1. Data processing during the employment relationship
  • Data processing within the framework of labour records
  • The Company processes the personal data of employees processed in the labour register, named below, on the basis of the legitimate interest of the employer, the fulfillment of a legal obligation, the performance of a contract. Before commencing data processing activities, the Company shall inform the employee about the legal basis and purpose of data processing.
  • Scope of personal data of employees processed by the Company in the labour register:
    • name, birth name, place and date of birth, mother’s birth name,
    • address, temporary address, postal address,
    • contact details, telephone number, e-mail address,
    • social security number, tax identification number, identity card number, pensioner master number,
    • amount of salary,
    • bank account number,
    • addresses and bank account numbers of attachments, deductions,
    • children, dependents and their social security number,
    • next of kin to be notified,
    • medical aptitude for work, trade union membership, other documents proving qualifications, certificates issued by previous employer,
    • copy of pension fund membership document, certificate of qualification.
  • Categories of persons affected by data processing: employees of the Enterprise.
  • Recipients of the personal data recorded above: the person exercising the employer’s powers, the employees and data processors of the Company performing personnel activities, bookkeeping, payroll tasks.
  • Purpose of data processing: fulfilment of obligations arising from the employment relationship (payment of wages), exercise of rights arising from the employment relationship; establishment and termination of the employment relationship.

Legal basis for data processing:

  • Section 10 (1) and (3) of Act I of 2012 on the Labour Code
  • Act CXXII of 2019 on those entitled to social security benefits and the coverage of these benefits
  • Act LXXXIII of 1997 on compulsory health insurance benefits
  • Act CXVII of 1995 on personal income tax

Duration of data processing: 3 years after termination of employment.

  • Monitoring the employee’s conduct in the employment relationship
  • The employer may monitor the employee only within the scope of his/her conduct related to the employment relationship. The monitoring and the means and methods used in it must not result in the violation of human dignity. The employee’s private life cannot be monitored.
  • The employer informs the employee in advance about the use of technical means to monitor the employee.
  •  Data processing related to the use of the e-mail account provided by the Company to the employee
  •  The Company provides an e-mail account to employees in order for employees to keep in touch with each other or to correspond with customers, other persons and organizations on behalf of the Enterprise.
  •  Employees of the Company are not permitted to use the e-mail account described above for private purposes. The head of the employer has the right to check the contents of the employees’ company e-mail account and correspondence conducted by employees every six months.
  •  Before verifying the use of the email account, the employer must inform employees of the employer’s interest in taking action.
  • In view of the principle of gradualism, employers should develop a tiered control system in which personal data protection can be adequately enforced and the impact on employees’ privacy is minimised.
  • When checking the use of an e-mail account, as a rule, the presence of the employee must be ensured.
  • For the checking of the e-mail account to be lawful, the employer must provide employees with detailed information in advance. In the information, the employer must mention, inter alia:
    • for what purpose and for what employer’s interests the e-mail account may be checked (before a specific check, the employee must also be informed about the employer’s interest for which that check is being carried out),
    • who can carry out the inspection on behalf of the employer,
    • according to what rules the inspection can take place (compliance with the principle of gradualism) and what the procedure is,
    • what rights and remedies employees have in connection with the data processing associated with the verification of their e-mail account.
  • The employer is not entitled to check the content of private e-mails stored in the e-mail account, even if it has informed the employees in advance of the fact of the check. The employee shall be requested to delete private e-mails; if the employee does not comply with the request or is unable to delete personal data due to his or her absence, the employer is entitled to delete the personal data immediately upon inspection. At the same time, the employer may apply employment law sanctions against the employee for violating the regulations on the use of company e-mail.
  • Every six months, the employer has the right to send information to employees in the email system regarding the prohibition of private use of the company e-mail account.
  • The legal basis for the employer’s control of the e-mail account provided to the employee is the legitimate interest of the employer; its purpose is to verify the fulfillment of employee obligations and to verify compliance with the prohibition on private e-mail account use.
  • Monitoring the use of laptops, tablets and phones made available to employees
  • The employer may provide employees working in certain jobs with “corporate” laptops, tablets and phones to perform their work.
  • The employer prohibits employees from using the above mentioned devices for personal purposes. According to the above provision, it is forbidden to manage, store and use any personal data, such as photos, passwords for employee personal accounts, identifiers, e-mails, private applications, or to conduct private conversations on the above-named devices.
  • The provisions set out in point 2.2.2 shall apply to the control of the above-mentioned means, the persons carrying out the verification, the legal basis and purpose of data processing.
  • Monitoring the employee’s internet use at work
  • The employer does not allow the employee to use the Internet for personal purposes during the period of work; the employee is entitled to use the World Wide Web only within the scope of performing his/her job duties.
  • The employer shall monitor compliance with this provision in accordance with Section 2.2.1 and shall apply the labour law legal consequences set out therein.
  • Point 2.2.2 shall apply to the legal basis for data processing related to the employee’s use of the Internet at work.

2.2.4. Tracking company cars

The company reserves the right to install a tracking system in the cars it owns. The vehicle can only be used in connection with the company’s purposes, during which the tracking system continuously indicates the current position of the vehicle. Since the user of the vehicle can always be linked to the current position of the vehicle, this position becomes personal data; the company always informs the employee using the vehicle about this.

 

How to audit: The company can inspect all assets owned by it at any time without restriction. It shall inform the employee concerned of the fact of the inspection and of its purpose. The audit may be requested by any employee of the company if there is a likelihood of a process jeopardising the economic interests of the company.

 

Incoming calls are recorded, their statutory storage period is 5 years.

 

Purpose of data processing: control of computer, e-mail address and internet access provided to the employee in accordance with the legitimate business interests of the company.

 

Scope of processed data: personal data recorded during the use of electronic devices. Legal basis for data processing: Act I of 2012, § 11 (1

 

 

 

 

 

 

 

 

XI. OTHER ACTIVITIES AFFECTED BY DATA PROCESSING AND DATA GROUPS PROCESSED

  1. Data processing based on a legal obligation
  • Data processing related to the fulfilment of anti-money laundering obligations

 

  • Pursuant to Section 6 (1) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing, the Company is required to identify, and verify the identity of, the natural person acting for or on behalf of the client: at the time of establishing a business relationship; where information, a fact or a circumstance indicating money laundering or terrorist financing arises and customer due diligence has not already taken place; and if there are doubts about the veracity or adequacy of previously recorded customer identification data.

 

  • During identification, the Company is obliged to record the following data of the natural person acting for or on behalf of the client:
    • first and last name;
    • first and last name at birth;
    • nationality;
    • place and date of birth;
    • mother’s birth name;
    • address or, failing that, residence;
    • the type and number of the identification document.

  • Data subjects: natural persons acting on behalf of or on behalf of the client.

 

  • The manager or employee of the Company designated for customer due diligence is entitled to access personal data. The Company is entitled to process personal data recorded during customer due diligence for 8 years from the termination of the contract (business relationship).

 

  • Data processing necessary for the fulfilment of accounting obligations

 

  • The legal basis for processing the data of the natural person customers, buyers and suppliers of the Company is compliance with a legal obligation (Section 159 (1) of Act CXXVII of 2007); the purpose of using the data is to establish the mandatory data content of invoices, to issue invoices and to perform related accounting tasks.
  • Data subjects: natural person customers, buyers and suppliers of the Enterprise.

 

  • Scope of processed data: name, address, tax number of natural person customers, buyers and suppliers of the Company

 

  • The manager or employees performing invoice issuance as a job task, and the manager or employee performing accounting activities, are entitled to access personal data. The Company is entitled to process personal data recorded in compliance with the legal obligation indicated above for 8 years from the termination of the contract (business relationship).

 

  1. Data processing related to the fulfilment of tax and contribution obligations

 

  • Pursuant to Section 50 (1) of Act CL of 2017 on the Rules of Taxation, the Company shall electronically declare every month, by the twelfth day of the month following the relevant month, all taxes, contributions and/or data specified in paragraph (2) related to payments and benefits made to natural persons resulting in tax and/or social security obligations.
  • Scope of data subjects: the manager and employees of the Enterprise.

 

  • Scope of processed data: the data of the head and employees of the Enterprise specified in Section 50 (2) of the Act on the Rules of Taxation, in particular the natural identity data of the natural person (including the previous name and title), gender, nationality, tax identification number of the natural person, social security number.

 

  • Recipients: employees and data processors performing bookkeeping and payroll activities of the Company as job tasks.

 

  • The Company is entitled to process personal data recorded during the fulfilment of the legal obligation indicated above for 8 years from the termination of the legal relationship.

 

  1. Data processing during requests for information and requests for quotations
  • In connection with the services provided by the Company or the products sold, the Company provides an opportunity for third parties to request information and request for quotation.
  • The legal basis for data processing is the consent of the data subject in case of requests for information or requests for quotation.
  • Data subjects in case of requests for information or quotations: all natural persons who request information, offers and provide personal data in connection with the services and products of the Enterprise.
  • Scope of processed data: name, address, phone number, e-mail address.
  • Purpose of data processing in case of information request: identification, contact
  • The purpose of data processing in case of request for quotation: giving an offer, keeping contact.
  • The recipients of the data (who can get acquainted with the data) in case of requests for information or requests for quotations are the head of the Enterprise and the employees providing customer relations.
  • Duration of data processing in case of requests for information or requests for quotations: the Company deletes the personal data 30 days after providing the information or providing the offer.
  • The Company does not transfer data to international organizations and third countries during data processing.

 

 

 

XII. RULES ON DATA PROCESSING

  1. General rules on data processing

 

  • The Company entrusts external data processors with the personal data it processes in order to perform the following tasks:
  • operation and maintenance of the Internet website,
  • fulfillment of tax and accounting obligations,
  • software operator activity,
  • individual lawyers,
  • cost sharing and meter reading.
  • The rights and obligations of the data processor in relation to the processing of personal data shall be determined by the data controller within the framework of the law and special laws applicable to data processing.
  • The Company declares that in the course of its data processing activities it has no competence to make a substantive decision on data management, may only process the personal data it becomes aware of in accordance with the provisions of the data controller, may not process data for its own purposes, and is obliged to store and retain personal data in accordance with the provisions of the data controller.
  • The Company shall be responsible for the lawfulness of the instructions given to the data processor regarding data processing operations.
  • The Company is obliged to provide information to the data subjects about the identity of the data processor and the place of data processing.
  • The Company shall not authorize the data processor to use another data processor.
  • The contract for data processing must be in writing. The processing of data should not be entrusted to an organisation that has an interest in business activities using the personal data to be processed.

 

 

 

 

 

XIII. PROVISIONS ON DATA SECURITY

  1. Principles of data security implementation.
  • The Company may process personal data only in accordance with the activities set out in this policy, according to the purpose of data management.
  • The Company ensures the security of the data and undertakes to take all technical and organizational measures indispensable for the enforcement of data security legislation and of data protection and confidentiality rules, and establishes the procedural rules necessary for the enforcement of that legislation.
  • The technical and organisational measures to be implemented by the Company shall be aimed at:

-pseudonymisation and encryption of personal data;

-ensuring continued confidentiality, integrity, availability and resilience of systems and services used to process personal data;

-the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident;

-the application of a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures taken to ensure the security of processing.


  • When determining the appropriate level of security, explicit account should be taken of the risks arising from processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • The Company protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used.
  • The Company records the data managed by it in accordance with the applicable legislation, ensuring that the data can only be accessed by those employees and other persons acting in the interest of the Company who need it for the performance of their job or task.
  • The Company stores the personal data provided during each data processing activity separately from other data, provided that, in accordance with the above provision, the separate data files can only be accessed by employees with appropriate access rights.
  • The managers and employees of the Company do not transfer personal data to third parties and take the necessary measures to exclude unauthorized access.
  • The Company grants access to personal data to those employees who have submitted to the obligation to comply with data security rules by making a confidentiality declaration regarding the personal data processed.
  • When defining and applying measures for the security of data, the Company takes into account the current state of the art, and in case of several possible data management solutions, it chooses a solution ensuring a higher level of protection of personal data, unless this would pose a disproportionate difficulty.

 

  1. Protection of the IT records of the Company
  • The Company shall take the following measures necessary for the implementation of data security in respect of its IT records:
  • Provides permanent protection against computer viruses to the data files managed by it (uses real-time antivirus software.)
  • Ensures the physical protection of the hardware devices of the IT system, including protection against elemental damage,
  • Ensures protection of the IT system against unauthorized access, both in terms of software and hardware devices,
  • Takes all necessary measures for the recovery of files, performs regular backups and carries out separate, secure management of backups.

 

  1. Protection of the Company’s paper records
  • The Company shall take the necessary measures to protect paper-based records, in particular with regard to physical security and fire protection
  • The manager, employees and other persons acting in the interest of the Company are obliged to securely preserve and protect the data carriers used or in their possession containing personal data, regardless of the method of recording the data, against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage

XIV. INFORMATION ON THE PLACEMENT AND DATA MANAGEMENT PURPOSE OF CAMERAS

In order to protect the data we manage, our values and our employees and Customers, our company has installed cameras in the area of the headquarters/site. Annex 6 contains details about the location of the cameras, while Annex 1 contains the legal basis and purpose of data processing.

Legal basis for data processing: The placement of the cameras is made possible for our Company by Section 31 (1) of Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigator Activities (hereinafter referred to as Szvtv).

The purpose of our data processing: property protection based on the legal provision defined above. Camera surveillance has been introduced not only for employees, but also for Customers who come into contact with our Company. Our goal is to prevent possible violations and to be able to prove them.

In accordance with Section 30 (3) of the Szvtv., we have not installed cameras in places where it could violate human dignity, so there is no electronic surveillance system in the toilets either.

Information on camera surveillance and the rights of data subjects can be found at the Customer Service together with the camera surveillance sign. The data subject's consent to the recording is deemed to be given by implied conduct: reading this information and not raising an objection.

 

Rights of data subjects:

1. Right to erasure: Within the period of data processing, the data controller is not obliged to comply with the request to delete recordings; however, at the end of the data processing period, if the recording is still stored by the data controller, the data subject may exercise his right to erasure.

2. Right to blocking: the data subject who needs the recording in order to exercise his or her rights (e.g. to prove a criminal offence) may request that the data controller not delete the recording.

3. Right of access: Based on AB decision No 32/2013 of 22 December 2013, the entire process of data processing should be traceable and controllable for everyone, i.e. everyone has the right to know who uses their personal data, where, when and for what purpose. Pursuant to Section 15 (4) of the Info Act, the Company is obliged to provide information in writing upon request within 25 days.

The employees of the Company receive special information about camera surveillance.

Recipient of personal data: commissioned employees of the Company.

The cameras do not record sound.

Period of storage of personal data: Our Company is obliged to delete the recordings on the 3rd working day.

XV. VIZA SYSTEM

The amendment of Act CLVI of 2016 on State Tasks for the Development of Tourism Areas obliges accommodation service providers to record the data of accommodation service users specified by law on the storage space provided by the hosting service provider designated by the Government, for the purpose specified by law.

The hosting service provider designated by the Government is the Hungarian Tourism Agency (MTÜ).

 

The tasks of the storage space introduced by the legislative amendment are performed by the Guest Information Closed Database (VIZA) system.

VIZA is an IT system protected by multiple asymmetric encryption, in which from 1 September 2021 the personal data defined by law of all guests staying in accommodation facilities in Hungary will be stored in an encrypted manner. The accommodation provider processes the data of guests until the last day of the first year after becoming aware of them, while the VIZA system keeps the data submitted to it for a maximum of two years; this data can only be used by the police for the performance of their crime prevention and law enforcement tasks.

Only the police can search encrypted data stored in the VIZA system through an IT device. A search may be initiated for law enforcement, crime prevention, public order, public security, the order of the state border, the rights, safety and property of the data subject and others, and for the conduct of wanted proceedings. As a result of the search, the police can find out, in a targeted manner and exclusively, with which accommodation provider the person matching the search criteria is listed as a user, when they arrived, and when they are expected to leave or have left. Subsequently, indicating the purpose of the data request, the police may also request the transmission of other data processed by the accommodation provider, which will be provided free of charge by the accommodation provider.

Data to be recorded

When the accommodation service user checks in, the accommodation provider records the following data, with the help of the document reader and via the accommodation management software, on the storage space provided by the hosting service provider designated by Government decree.

  • surname and forename;
  • surname and forename at birth;
  • place and date of birth;
  • sex;
  • nationality;
  • mother’s surname and forename at birth;
  • identification of the personally identifiable document or travel document.

It also records the following data in the property management software:

  • address of accommodation service;
  • the start date and the expected and actual end dates of the use of the accommodation.

Information which is not contained in the document need not be recorded.

 

Data which the document reader cannot read, or reads incorrectly, shall be recorded by the accommodation provider in the accommodation management software by manual data entry.

Devices used by accommodation providers and the VIZA system cannot store images of scanned documents.

 

According to the laws in force in Hungary, all citizens, regardless of age, i.e. even newborns, must have an official identity document (identity card, passport or driver's license in card format). According to the law, the recording of data is equally mandatory for all guests, so the recording of data cannot be waived based on age or other variables, e.g. fee payable for the service, discounts, length of stay, relationship with the user.

 

Personally identifiable documents containing information required by law:

  • identity card
  • driving licence
  • passport

The guest using the accommodation service presents his/her identification document to the accommodation provider for the purpose of recording the data.

 

If this document is not presented, the accommodation provider will refuse to provide accommodation.

 

XVI. OTHER PROVISIONS

  • The managing director of the Company is obliged to inform all employees of the Company about the provisions of this policy.
  • The managing director of the Company is obliged to ensure that all employees of the Company comply with the provisions of this policy. For the purpose of implementing this obligation, the managing director of the Company prescribes the amendment of the employment contracts concluded with the employees of the Company in such a way that the employee declares his commitment to comply with and enforce this policy.
  • The establishment or amendment of this policy falls within the responsibility of the managing director of the Company.