1. Preamble
1.1. The protection of natural persons with regard to the processing of their personal data is a fundamental right. Article 8 (1) of the Charter of Fundamental Rights of the European Union (Charter) and Article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) stipulate that everyone has the right to the protection of personal data concerning him or her.
1.2. This Policy shall apply to the processing of personal data in whole or in part by automated means and to the processing by non-automated means of personal data which is part of a registration system or which is intended to be made part of a registration system.
2. Concept Definitions
2.5. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
2.2. “data processing” means any operation or operations performed on personal data or files in an automated or non-automated manner, including collection, recording, systematization, classification, storage, transformation or alteration, query, insight, use, communication by transmission, distribution or otherwise making available, coordination or linking, restriction, deletion or destruction;
2.3. “restriction of processing” means the indication of stored personal data in order to limit their future processing;
2.4. 'registration system' means any structured set of personal data accessible on the basis of specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
2.5. 'controller' means the natural or legal person, public authority, agency or any other body which, independently or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may be laid down by Union or Member State law;
2.6. “processor” means a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller;
2.7. “recipient” means the natural or legal person, public authority, agency or any other body with whom or to whom personal data are disclosed, whether third parties or not. Public authorities which have access to personal data in accordance with Union or Member State law in the context of an individual investigation shall not be considered as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;
2.9. “consent of the data subject” means a freely given, specific, informed and unambiguous declaration of the data subject's will by which the data subject indicates, by means of a statement or an unambiguous act of confirmation, that he or she consents to the processing of personal data concerning him or her;
2.10. 'data protection incident' means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed;
2.11. 'undertaking' means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships and associations engaged in regular economic activities;
2.12. 'Regulation' means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
3. Principles and entitlements
Personal data:
3.1. shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (“legality, due process and transparency”);
3.2. shall be collected only for specific, clear and legitimate purposes and shall not be processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89 (1) (“purpose binding”);
3.3. shall be adequate, relevant and limited to what is necessary for the purposes of the processing (“data saving”);
3.4. shall be accurate and, where necessary, kept up to date; all reasonable measures must be taken to ensure that personal data that are inaccurate for the purposes of the processing are promptly deleted or corrected (“accuracy”);
3.5. shall be stored in a form that allows the identification of data subjects only for as long as is necessary to achieve the purposes for which the personal data are processed;
3.6. shall be processed in such a way as to ensure adequate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures (“integrity and confidentiality”).
4. Legality of data processing
4.1. The processing of personal data is lawful only if and to the extent that at least one of the following is fulfilled:
4.1.1. the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
4.1.2. the processing is necessary for the performance of a contract to which the data subject is a party or necessary to take steps at the request of the data subject prior to the conclusion of the contract;
4.1.3. the processing is necessary for the fulfilment of a legal obligation relating to the controller;
4.2. If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of his or her personal data. To this end, the controller signs a written declaration with the data subject, which the controller retains.
4.3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject must be informed of this before giving consent. Withdrawing consent shall be as simple as giving it.
4.4. If the purposes for which the controller processes personal data do not or no longer require the identification of the data subject by the controller, the controller is not obliged to retain, obtain or process additional information in order to identify the data subject solely for compliance with the Regulation.
5. Rights of the data subject
5.1. The data subject has the right to receive feedback from the controller as to whether his or her personal data is being processed and, if such processing is ongoing, he or she has the right to have access to the personal data and the following information:
5.1.1. the purposes of data processing;
5.1.2. the categories of personal data concerned;
5.1.3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
5.1.4. where applicable, the intended duration of storage of the personal data or, if this is not possible, the criteria for determining this period;
5.1.5. the right of the data subject to request from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
5.1.6. the right to lodge a complaint addressed to a supervisory authority;
5.1.7. The controller shall provide the data subject with a copy of the personal data subject to data processing upon request.
5.2. If the controller fails to take action on the data subject's request, the controller shall inform the data subject without delay, and no later than one month from receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
5.3. If personal data concerning the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time of obtaining the personal data:
5.3.1. the identity and contact details of the controller and, if applicable, the controller's representative;
5.3.2. contact details of the data protection officer, if any;
5.3.3. the purpose of the intended processing of personal data, as well as the legal basis for the processing;
5.4. In order to ensure fair and transparent data processing, the controller shall inform the data subject of the following additional information at the time of obtaining the personal data:
5.4.1. the duration of the storage of personal data or, if this is not possible, the criteria for determining this period;
5.4.2. the right of the data subject to request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data, as well as the data subject's right to portability;
5.4.3. the right to withdraw consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent before the withdrawal;
5.4.4. the right to lodge a complaint addressed to the supervisory authority;
5.4.5. whether the provision of personal data is based on a legal or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide the data;
5.4.6. If the controller wishes to carry out further processing of personal data for purposes other than the purpose for which they were collected, he shall inform the data subject of this different purpose and of any relevant additional information prior to further processing.
5.5. The data subject has the right to receive feedback from the controller as to whether his or her personal data is being processed and, if such processing is ongoing, he or she has the right to have access to the personal data and the following information:
5.5.1. the purposes of data processing;
5.5.2. the categories of personal data concerned;
5.5.3. the recipients or categories of recipients to whom the personal data have been or will be disclosed;
5.5.4. where applicable, the intended duration of storage of the personal data or, if this is not possible, the criteria for determining this period;
5.5.5. the right of the data subject to request from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
5.5.6. the right to lodge a complaint addressed to a supervisory authority;
5.5.7. if the data were not collected from the data subject, all available information on their source;
5.5.8. The controller shall provide the data subject with a copy of the personal data subject to data processing.
5.6. The data subject shall have the right to request the controller to rectify inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the data processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
5.7. The data subject shall have the right to request the controller to delete the personal data concerning him or her without undue delay, and the controller shall be obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons applies:
5.7.1. the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
5.7.2. the data subject withdraws the consent on which the processing is based, and there is no other legal basis for the processing;
5.7.3. the data subject objects to the processing of the data and there is no overriding legitimate reason for the processing;
5.7.4. the personal data have been processed unlawfully;
5.7.5. the personal data must be deleted in order to comply with a legal obligation under Union or Member State law applicable to the controller;
5.8. The data subject shall have the right to receive the personal data concerning him or her that he or she has provided to a controller in a structured, widely used, machine-readable format and to transmit such data to another controller without hindrance from the controller to whom he or she has made the personal data available, if:
5.8.1. the processing is based on consent or on a contract; and
5.8.2. data processing is carried out in an automated manner.
6. Obligations of the controller
6.1. The controller shall take appropriate technical and organisational measures to ensure and demonstrate that personal data are processed in accordance with the Regulation, taking into account the nature, scope, circumstances and objectives of the processing and the risk of varying probability and severity to the rights and freedoms of natural persons. These measures are reviewed by the controller and updated if necessary.
6.2. Taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of the processing and the risk of varying probability and severity to the rights and freedoms of natural persons, the controller shall, both when determining the means of processing and during the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed, on the one hand, to implement data protection principles, such as data saving, effectively and, on the other hand, to integrate into the processing the safeguards necessary to meet the requirements of the Regulation and to protect the rights of data subjects.
6.3. The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that is necessary for the specific purpose of processing is processed. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their availability. Those measures should in particular ensure that personal data cannot, by default, become accessible to an unspecified number of persons without the intervention of the natural person.
6.4. If the processing is carried out by someone else on behalf of the controller, the controller may use only processors who provide adequate guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing complies with the requirements of the Regulation and protects the rights of data subjects.
6.5. The processor may not use an additional processor without the express or general authorisation of the controller in writing in advance. In the event of a general written authorisation, the processor shall inform the controller of any planned changes affecting the use of additional data processors or their replacement, thereby providing the controller with the opportunity to object to such changes.
6.6. The processing carried out by the processor should be governed by a contract or other legal act established under Union or Member State law which binds the processor to the controller, defining the subject matter, duration, nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. The contract or other act shall contain the conditions laid down in Article 28 (3) of the Regulation.
6.7. The processor and any person acting under the control of the controller or processor with access to personal data may process such data only in accordance with the controller's instructions, unless otherwise required by Union or Member State law.
6.8. Each controller and, if any, the controller's representative shall keep a record of the data processing activities carried out under his or her responsibility. Records must be kept in writing, including in electronic format. This register shall contain the following information:
6.8.1. the name and contact details of the controller and, if any, the name and contact details of the joint controller, the controller's representative and the data protection officer;
6.8.2. the purposes of data processing;
6.8.3. description of the categories of data subjects and categories of personal data;
6.8.4. if possible, the deadlines for the deletion of the different categories of data;
6.9. Each processor and, where applicable, the processor's representative shall keep records of all categories of data processing activities carried out on behalf of the controller. Records must be kept in writing, including in electronic format. The register shall contain the following information:
6.9.1. the name and contact details of the processor or processors and the name and contact details of any controller on whose behalf the processor acts and, if any, the name and contact details of the controller or the data processor's representative and the data protection officer;
6.9.2. the categories of data processing activities carried out on behalf of each controller;
6.10. The controller or processor and, where applicable, the controller or processor's representative shall make the records available to the supervisory authority upon request.
6.11. The controller and the processor and, where applicable, the controller or the processor's representative shall cooperate with the supervisory authority at its request in the performance of their duties.
6.12. The controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and objectives of the processing and the risk of varying probability and severity to the rights and freedoms of natural persons in order to guarantee a level of data security appropriate to the degree of risk including, but not limited to, where appropriate:
6.12.1. pseudonymisation and encryption of personal data;
6.12.2. ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
6.12.3. the ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident;
6.12.4. a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures taken to guarantee the security of data processing.
6.13. When determining the appropriate level of security, specific account shall be taken of the risks arising from the processing of personal data resulting in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed.
6.14. The controller and the processor shall take measures to ensure that natural persons acting under the control of the controller or processor who have access to personal data may process such data only in accordance with the controller's instructions, unless otherwise required by Union or Member State law.
7. Privacy Incident
7.1. The data protection incident shall be reported by the controller to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of it, unless the data protection incident is not likely to entail a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay must be attached. The notification referred to in this point shall include at least:
7.1.1. a description of the nature of the data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the incident;
7.1.2. the name and contact details of the data protection officer or other contact person from whom further information can be obtained;
7.1.3. a description of the likely consequences of the data protection incident;
7.1.4. a description of the measures taken or proposed by the controller to remedy the data protection incident, including, where appropriate, measures to mitigate any adverse consequences resulting from it.
7.1.5. If and insofar as it is not possible to communicate the information at the same time, it may be communicated in detail at a later date without undue delay.
7.2. The data processor shall report the data protection incident to the controller without undue delay after becoming aware of it.
7.3. The controller shall keep a record of data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it. This register shall enable the supervisory authority to verify compliance with the requirements of this Article.
7.4. If the data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the data protection incident without undue delay. The information provided to the data subject shall describe the nature of the data breach in clear and plain language and shall include at least the information and measures referred to in points 7.1.2, 7.1.3 and 7.1.4. The data subject need not be informed in accordance with this point if any of the following conditions are met:
7.4.1. the controller has implemented appropriate technical and organisational protection measures and those measures have been applied to the data affected by the data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons who are not authorised to access the personal data;
7.4.2. following the data protection incident, the controller has taken further measures to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
7.4.3. informing the data subjects would require a disproportionate effort. In such cases, the data subjects shall be informed by means of a public communication or a similar measure by which they are informed in an equally effective manner.
8. Mixed provisions
8.1. Without prejudice to available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority, any data subject shall have the right to an effective judicial remedy if, in his or her opinion, his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in accordance with this Regulation.
8.2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor operates. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or processor is a public authority of a Member State acting under public authority.
8.3. Any person who has suffered material or non-material damage as a result of a breach of this Regulation shall be entitled to compensation from the controller or the processor for the damage suffered.
8.4. All controllers involved in processing shall be liable for any damage caused by processing in breach of this Regulation.
8.4.1. The processor shall only be liable for damage caused by the processing if it has not complied with the obligations specifically imposed on the processors laid down in the Regulation, or if it has ignored or acted contrary to the legitimate instructions of the controller.
8.4.2. The controller or the data processor shall be exempt from liability if they prove that they are not in any way liable for the event causing the damage.
8.5. In matters not regulated herein, the provisions of the Regulation shall prevail.
8.6. This policy enters into force on May 24, 2018 and remains in force for an indefinite period.
Budapest, 24 May 2018