Privacy notice

1. Preamble
1.1 The protection of natural persons with regard to the processing of their personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the Charter) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) lay down that everyone has the right to the protection of personal data relating to him or her.

1.2 This Policy applies to the processing of personal data wholly or partly by automated means and to the processing of personal data which form part of a filing system or are intended to form part of a filing system by non-automated means.

2. Definitions
2.1 "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2.2 "processing" means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

2.3. "restriction of processing" means the marking of stored personal data for the purpose of restricting their future processing;

2.4. "filing system" means a set of personal data, structured in any way, whether centralised, decentralised or structured according to functional or geographical criteria, which is accessible on the basis of specific criteria;

2.5 "controller" means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

2.6 "Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

2.7. "recipient" means a natural or legal person, public authority, agency or any other body to whom or with which personal data is disclosed, whether or not a third party. Public authorities which may have access to personal data in accordance with Union or Member State law in the context of an individual investigation shall not be considered as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing;

2.9. "data subject's consent" means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

2.10. "Data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

2.11. "undertaking" means any natural or legal person, regardless of its legal form, engaged in an economic activity, including partnerships or associations carrying on a regular economic activity;

2.12. "Regulation" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

3. Principles and entitlements
Personal data shall:

3.1. be processed lawfully and fairly and in a transparent manner for the data subject ("lawfulness, fairness and transparency");

3.2. be collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1) of the Regulation, not be considered incompatible with the initial purposes ("purpose limitation");

3.3. be adequate, relevant and limited to what is necessary for the purposes for which the data are processed ("data minimisation");

3.4. be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay ("accuracy");

3.5. be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("storage limitation");

3.6. be handled in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage ("integrity and confidentiality"), by using appropriate technical or organisational measures.

4. Lawfulness of data processing
4.1 The processing of personal data is lawful only if and to the extent that at least one of the following conditions is met:
4.1.1. the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes;
4.1.2. the processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into the contract;
4.1.3. the processing is necessary for compliance with a legal obligation to which the controller is subject;

4.2 Where the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data. To this end, the controller shall have the data subject sign a written declaration, which shall be stored.

4.3 The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject must be informed of this before consent is given.

4.4 Where the purposes for which the controller processes the personal data do not or no longer require the identification of the data subject by the controller, the controller is not required to retain, obtain or process additional information in order to identify the data subject for the sole purpose of complying with the Regulation.

5. Rights of the data subject
5.1 The data subject has the right to obtain from the controller confirmation as to whether or not his or her personal data are being processed and, where that is the case, the right to access the personal data and the following information:
5.1.1. the purposes of the processing;
5.1.2. the categories of personal data concerned;
5.1.3. the recipients or categories of recipients to whom or which the personal data have been or will be disclosed;
5.1.4. where applicable, the envisaged duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
5.1.5. the right of the data subject to request the controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
5.1.6. the right to lodge a complaint with a supervisory authority;
5.1.7. where the personal data have not been collected from the data subject, any available information as to their source;
5.1.8 The controller shall provide the data subject with a copy of the personal data processed, upon request.

5.2 If the controller fails to act on a request from the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

5.3 Where personal data relating to the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:
5.3.1. the identity and contact details of the controller and, where applicable, the controller's representative;
5.3.2. the contact details of the Data Protection Officer, if any;
5.3.3. the purposes for which the personal data are intended to be processed and the legal basis for the processing;

5.4 The controller shall, at the time of obtaining the personal data, in order to ensure fair and transparent processing, provide the data subject with the following additional information:
5.4.1. the duration of the storage of personal data or, if this is not possible, the criteria for determining this duration;
5.4.2. the data subject's right to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject's right to data portability;
5.4.3. the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
5.4.4. the right to lodge a complaint with a supervisory authority;
5.4.5. whether the provision of the personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract, whether the data subject is obliged to provide the personal data and the possible consequences of not providing the data;
5.4.6 Where the controller intends to further process personal data for a purpose other than that for which they were collected, the controller must inform the data subject of that other purpose and of any relevant additional information before further processing.

5.6 The data subject shall have the right to obtain from the controller, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

5.7. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay, and the controller shall be obliged to erase personal data relating to him or her without undue delay, if one of the following grounds applies:
5.7.1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
5.7.2. the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
5.7.3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
5.7.4. the personal data have been unlawfully processed;
5.7.5. the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller;

5.8 The data subject shall have the right to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data, if:
5.8.1. the processing is based on consent or a contract; and
5.8.2. the processing is carried out by automated means.

6. Obligations of the controller
6.1 The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that personal data are processed in accordance with the Regulation, taking into account the nature, scope, context and purposes of the processing and the risks of varying likelihood and severity to the rights and freedoms of natural persons. Those measures shall be reviewed and, where necessary, updated by the controller.

6.2. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons posed by the processing, the controller shall, both when determining the means of processing and during the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, designed to give effect to data protection principles, such as data minimisation, and to integrate the necessary safeguards into the processing in order to meet the requirements of the Regulation and to protect the rights of data subjects.

6.3 The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data that are necessary for the specific purpose of the processing are processed. This obligation relates to the amount of personal data collected, the extent to which they are processed, the duration of their storage and their availability. These measures should ensure in particular that personal data cannot, by default, be made available to an indeterminate number of persons without the intervention of the natural person.

6.4 Where processing is carried out by another party on behalf of the controller, the controller may only use processors that provide adequate guarantees to implement appropriate technical and organisational measures to ensure compliance of the processing with the requirements of the Regulation and to protect the rights of data subjects.

6.5 The processor shall not engage any other processor without the prior written authorisation, on a case-by-case or general basis, of the controller. In the case of a general written authorisation, the processor shall inform the controller of any planned changes affecting the use of additional processors or their replacement, thereby giving the controller the opportunity to object to those changes.

6.6 The processing carried out by the processor shall be governed by a contract or other legal act, based on Union or Member State law, which binds the processor to the controller and which specifies the subject matter, duration, nature and purposes of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. The contract or other legal act shall contain the conditions provided for in Article 28(3) of the Regulation.

6.7 The processor and any person acting under the control of the controller or the processor who has access to the personal data may process those data only in accordance with the controller's instructions, unless they are required to do otherwise by Union or Member State law.

6.8 Each controller and, where applicable, the controller's representative, shall keep records of the processing activities carried out under its responsibility. The records shall be kept in writing, including in electronic format. Such records shall contain the following information:
6.8.1. the name and contact details of the controller and, where applicable, the name and contact details of the joint controller, the controller's representative and the Data Protection Officer;
6.8.2. the purposes of the processing;
6.8.3. a description of the categories of data subjects and the categories of personal data;
6.8.4. where possible, the time limits foreseen for the deletion of the different categories of data;

6.9 Each processor and, where applicable, the processor's representative shall keep records of all categories of processing activities carried out on behalf of the controller. The records shall be kept in writing, including in electronic format. The register shall contain the following information:
6.9.1. the name and contact details of the processor or processors and the name and contact details of any controller on whose behalf the processor is acting and, if any, the name and contact details of the representative of the controller or processor and of the Data Protection Officer;
6.9.2. the categories of processing activities carried out on behalf of each controller;

6.10 The controller or processor and, where applicable, the representative of the controller or processor shall make the register available to the supervisory authority upon request.

6.11. The controller and the processor and, where applicable, the representative of the controller or the processor, shall cooperate with the supervisory authority, at its request, in the performance of their tasks.

6.12 Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate:
6.12.1. the pseudonymisation and encryption of personal data;
6.12.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
6.12.3. the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;
6.12.4. a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of the processing.

6.13. In determining the appropriate level of security, explicit account should be taken of the risks arising from the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.

6.14. The controller and the processor shall take measures to ensure that natural persons who have access to personal data and who act under the control of the controller or the processor may process those data only in accordance with the controller's instructions, unless they are required to do otherwise by Union or Member State law.

7. Data protection incident
7.1 The controller shall notify a personal data breach to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by the reasons for the delay. The notification shall at least:
7.1.1. describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
7.1.2. communicate the name and contact details of the Data Protection Officer or other contact person from whom further information can be obtained;
7.1.3. describe the likely consequences of the personal data breach;
7.1.4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.1.5 Where, and in so far as, it is not possible to provide the information at the same time, it may be provided in phases without further undue delay.

7.2 The processor shall notify the controller of the personal data breach without undue delay after becoming aware of it.

7.3 The controller shall keep a record of any personal data breach, indicating the facts relating to the breach, its effects and the remedial action taken. This record shall enable the supervisory authority to verify compliance with the requirements of this section.

7.4 Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. The information provided to the data subject shall clearly and prominently describe the nature of the personal data breach and shall include at least the information and measures referred to in points 7.1.2, 7.1.3 and 7.1.4. The data subject need not be informed under this point if any of the following conditions are met:
7.4.1. the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons who do not have authorised access to the personal data;
7.4.2. the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
7.4.3. the information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.

8. Miscellaneous provisions
8.1 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.

8.2 Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.

8.3 Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Regulation shall be entitled to compensation from the controller or processor for the damage suffered.

8.4 Any controller involved in the processing shall be liable for the damage caused by processing which infringes the Regulation.
8.4.1 The processor shall be liable for damage caused by the processing only if it has failed to comply with the obligations expressly imposed on processors by the Regulation or if it has disregarded or acted contrary to lawful instructions from the controller.
8.4.2 The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

8.5 In matters not covered herein, the provisions of the Regulation shall prevail.

8.6 This Policy shall enter into force on 24 May 2018 and shall remain in force indefinitely.

Budapest, 24 May 2018.