Privacy Policy
TABLE OF CONTENTS
INTRODUCTION
CHAPTER I – IDENTIFICATION OF THE DATA CONTROLLER
CHAPTER II – IDENTIFICATION OF DATA PROCESSORS
1. Our Company’s Accounting Service Provider
CHAPTER III – DATA PROCESSING RELATED TO EMPLOYMENT
2. Personnel and Employment Records
3. Processing of Data of Job Applicants, Applications, and Resumes
4. Data Processing Related to the Monitoring of Email Account Usage
5. Data Processing Related to the Monitoring of Workplace Internet Usage
CHAPTER IV – DATA PROCESSING RELATED TO CONTRACTS
6. Processing of Contracting Partners’ Data – Customer and Supplier Records
7. Contact Information of Natural Person Representatives of Legal Entity Clients, Customers, and Suppliers
8. Visitor Data Processing on the Company’s Website – Information on the Use of Cookies
9. Contacting the Company via the Website
CHAPTER V – DATA PROCESSING BASED ON LEGAL OBLIGATIONS
10. Data Processing for Tax and Accounting Obligations
11. Data Processing by Payers
CHAPTER VI – DATA SECURITY MEASURES
12. Data Security Measures
CHAPTER VII – RIGHTS OF THE DATA SUBJECT
13. Summary Information on the Rights of the Data Subject
14. Detailed Information on the Rights of the Data Subject
CHAPTER VIII – SUBMITTING A REQUEST BY THE DATA SUBJECT, ACTIONS OF THE DATA CONTROLLER
15. Actions Taken Based on the Data Subject’s Request
INTRODUCTION
The Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: Regulation) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC, prescribes that the Data Controller must take appropriate measures to provide any information related to the processing of personal data to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Furthermore, the Data Controller must facilitate the exercise of the data subject’s rights.
The obligation for prior information to the data subject is also prescribed by Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.
With the following notice, we fulfill this legal obligation.
CHAPTER I – DATA CONTROLLER IDENTIFICATION
This notice is issued by, and the Data Controller is:
- Company Name: Syspro Informatika Zrt.
- Registered Office: 1238 Budapest, Grassalkovich út 160.
- Company Registration Number: 01-10-047176
- Tax Number: 23520774-2-43
- Representatives: Vas Attila, Szabó Krisztián
- Email: info@syspro.hu
(hereinafter: Company)
CHAPTER II – DATA PROCESSORS IDENTIFICATION
A Data Processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller (Regulation Article 4(8)).
The use of a Data Processor does not require the prior consent of the data subject, but they must be informed. Accordingly, we provide the following information:
1. § Our Accounting Service Provider
Our company engages an external service provider through an accounting service contract to fulfill its tax and accounting obligations. This service provider processes the personal data of individuals who have contractual or payer relationships with our company for the purpose of meeting our tax and accounting obligations.
The designated data processor is:
- Company Name: Huszka Zsuzsanna Sole Proprietor
- Registered Office: 2314 Halásztelek, Béke utca 114
- Tax Number: 69085354-1-33
- Email: zs.huszka@freemail.hu
Our IT Service Provider
- Company Name: RBL MARKETING Tanácsadó Kft.
- Registered Office: 2193 Galgahévíz, Ökofalu dűlő 23/8.
- Tax Number: 13136055-2-13
- Email: iroda@rblmarketing.hu
- Representative: Rönky Balázs László
CHAPTER III – DATA PROCESSING RELATED TO EMPLOYMENT
2. § Employment and Personnel Records
(1) Only data necessary for establishing, maintaining, and terminating employment relationships, as well as for providing social welfare benefits, may be requested and stored from employees. Medical fitness tests may be conducted only to the extent required for the employment relationship and must not violate the employee’s personal rights.
(2) In order to enforce the Company’s legitimate interests (Regulation Article 6(1)(f)), the following employee data may be processed for the establishment, execution, or termination of an employment relationship:
- Name
- Birth name
- Date of birth
- Mother’s name
- Address
- Nationality
- Tax identification number
- Social Security Number (TAJ)
- Pension identification number (for retired employees)
- Phone number
- Email address
- Identity card number
- Residence permit number
- Bank account number
- Online identifier (if applicable)
- Employment start and end dates
- Job position
- Copy of education and professional qualification certificates
- Photograph
- Resume (CV)
- Salary details, payment, and other compensation information
- Deductions from salary based on final judgment, legal regulation, or written consent
- Performance evaluation of the employee
- Reasons and method of employment termination
- Criminal record (depending on job position)
- Summary of occupational medical examinations
- Pension fund and voluntary mutual insurance fund membership details, including fund name, ID number, and employee membership number
- Passport number and work permit details for foreign employees
- Records of work-related accidents
- Data required for welfare services and corporate lodging benefits
(3) Data related to illness and trade union membership may only be processed by the employer in compliance with the Labor Code for the fulfillment of legal rights or obligations.
(4) Recipients of personal data: the employer’s executives, persons exercising employer’s rights, employees handling human resources tasks, and data processors.
(5) Only senior employees’ personal data may be transferred to the company’s owners.
(6) Retention period of personal data: 3 years after the termination of employment.
(7) The data subject must be informed before data processing begins that the processing is based on the Labor Code and the employer’s legitimate interests.
(8) Upon signing the employment contract, the employer provides the employee with the Information Notice in accordance with Appendix 3 of the Company’s Data Processing Policy regarding the handling of personal data and the data subject’s rights.
3. § Processing of Personal Data of Job Applicants, Applications, and Resumes
(1) Scope of personal data processed: applicant’s name, date and place of birth, mother’s name, address, qualification data, photograph, phone number, email address, and any employer’s notes regarding the applicant (if available).
(2) Purpose of personal data processing: evaluation of the application, recruitment process, and concluding an employment contract with the selected candidate. Applicants must be informed if they are not selected for the position, in which case their application and resume will be deleted from the Company’s records.
(3) Legal basis for data processing: the data subject’s consent.
(4) Recipients of personal data: authorized company personnel involved in recruitment, including HR and management personnel responsible for hiring decisions.
(5) Retention period of personal data: Data will be retained until the completion of the selection process. Personal data of unsuccessful candidates must be deleted. Data of applicants who withdraw their application will also be deleted. The deletion applies to all forms of data storage, including paper documents, which will be securely destroyed, and electronic records, which will be removed from all data storage systems.
(6) The employer may only retain applications with the explicit, clear, and voluntary consent of the data subject, provided that retention is necessary for a legitimate data processing purpose in compliance with relevant laws. This consent must be requested from the applicants after the recruitment process has concluded.
4. § Data Processing Related to the Monitoring of Email Account Usage
(1) If the Company provides an email account to the employee, the employee may use this email address and account exclusively for work-related tasks. The purpose is to facilitate communication between employees or for correspondence with clients, other individuals, or organizations on behalf of the employer.
(2) The employee may not use the email account for personal purposes or store personal emails in the account.
(3) The employer is entitled to regularly monitor the full content and usage of the email account, at intervals of three months. The legal basis for this data processing is the employer’s legitimate interest. The purpose of the monitoring is to verify compliance with employer regulations regarding email account usage and to ensure compliance with employee obligations (Labor Code (Mt.) §§ 8 and 52).
(4) The employer’s executive or the person exercising employer rights is authorized to conduct the monitoring.
(5) If the circumstances of the monitoring do not preclude it, the employee must be allowed to be present during the monitoring.
(6) Before the monitoring takes place, the employee must be informed about:
- The employer’s legitimate interest in conducting the monitoring,
- Who will perform the monitoring on behalf of the employer,
- The rules under which the monitoring will be conducted (including compliance with the principle of proportionality) and the procedure to be followed,
- The employee’s rights and legal remedies concerning data processing related to email account monitoring.
(7) The principle of proportionality must be applied during the monitoring. As a first step, the employer must determine, based on the email address and subject line, whether the email relates to the employee’s work duties or is for personal use. The employer may review the content of non-personal emails without restrictions.
(8) If it is determined that the employee has used the email account for personal purposes contrary to this policy, the employee must be instructed to immediately delete any personal data. If the employee is absent or refuses to cooperate, the employer shall delete the personal data during the monitoring process. Unauthorized personal use of the email account may result in employment-related consequences.
(9) Regarding data processing associated with email account monitoring, the employee may exercise the rights outlined in the relevant section of this policy concerning the rights of the data subject.
5. § Data Processing Related to the Monitoring of Workplace Internet Usage
(1) The employee may only access websites related to their job duties; the employer prohibits personal use of the internet at the workplace.
(2) Any online registrations made in connection with job duties on behalf of the Company must be registered under the Company’s name. During registration, identifiers and passwords associated with the Company must be used. If personal data is required for the registration, the Company must ensure its deletion upon termination of employment.
(3) The employer may monitor the employee’s workplace internet usage, which is subject to the provisions and legal consequences outlined in §8.
CHAPTER IV – DATA PROCESSING RELATED TO CONTRACTS
6. § Processing of Contracting Partners’ Data – Customer and Supplier Records
(1) The Company processes personal data for the purpose of contract fulfillment, including contract creation, execution, termination, and provision of contractual discounts. The processed personal data includes the name, birth name, date of birth, mother’s name, address, tax identification number, tax number, business license number, farmer’s license number, personal ID number, registered address, headquarters, business premises address, phone number, email address, website URL, bank account number, customer number (client ID, order number), and online identifier (customer, supplier lists, loyalty lists) of the individual contracting as a customer or supplier.
This data processing is considered lawful even if it occurs before the contract is signed, based on the request of the data subject to take preparatory steps.
The recipients of personal data include the Company’s senior executives, employees responsible for customer service, accounting, and taxation, as well as the Company’s data processors. The retention period for personal data is five (5) years after the contract’s termination.
Personal data is transferred to the Company’s contracted accounting firm for taxation and bookkeeping purposes.
(2) Before processing begins, the data subject must be informed that the processing is based on contract fulfillment. This information may also be included in the contract. The data subject must also be informed if their personal data is transferred to a data processor. The data processing clause related to contracts with individuals is detailed in Appendix 4 of the Company’s Data Processing Policy.
7. § Contact Details of Natural Persons Representing Legal Entity Clients, Customers, and Suppliers
(1) The scope of personal data processed includes the name, birth name, date of birth, mother’s name, address, tax identification number, contact details (phone number, email address), and online identifier of a natural person representing a legal entity in connection with the contract’s execution.
(2) Personal data is transferred for taxation and bookkeeping purposes to the accounting firm contracted by the Company.
(3) The purpose of data processing is to execute contracts with the Company’s legal entity partners and to maintain business relations. The legal basis for processing is the data subject’s consent.
(4) The recipients of the personal data include the Company’s senior executives and employees handling customer service.
(5) The retention period for personal data is two (2) years after the termination of the business relationship or the data subject’s role as a representative.
The sample data collection form is included in Appendix 5 of the Company’s Data Processing Policy. Employees handling client, customer, or supplier relationships must inform the data subject of the declaration and obtain their signed consent for data processing and transfer. The declaration must be retained for the duration of data processing.
8. § Visitor Data Processing on the Company’s Website – Information on the Use of Cookies
(1) Cookies are small data files that the visited website places on the user’s computer. The purpose of cookies is to facilitate and enhance the usability of the online communication and internet services. There are various types of cookies, but generally, they fall into two main categories. One type is the temporary (session) cookie, which is placed on the user’s device only during a specific session (e.g., for security authentication during online banking). The other type is a persistent cookie (e.g., storing a website’s language setting), which remains on the computer until the user deletes it. According to the European Commission’s guidelines, cookies [except those strictly necessary for the use of a given service] may only be placed on a user’s device with their consent.
(2) For cookies that do not require user consent, information must be provided upon the first visit to the website. It is not necessary to display the full cookie policy on the website; a short summary of the essential points is sufficient, with a link directing users to the full policy.
(3) For cookies requiring user consent, information may also be provided upon the first visit to the website if data processing associated with cookie use begins immediately when the page is accessed. If the use of cookies is related to a function explicitly requested by the user, the information may also appear alongside that function. In this case, too, a short summary of the key points is sufficient, with a link directing users to the full policy.
(4) The visitor must be informed about the use of cookies on the website in the data processing policy detailed in Appendix 2. With this policy, the Company ensures that the visitor can learn about the purposes of data processing, the types of data processed, and any non-directly identifiable data handling at any time before and during the use of the website’s digital services.
9. § Contacting the Company Through the Website
(1) A natural person contacting the Company through the website can give consent for their personal data to be processed by ticking the relevant checkbox. Pre-checking this box is prohibited.
(2) The scope of personal data that may be processed includes:
- The natural person’s name (surname, first name)
- Address
- Phone number
- Email address
- Online identifier
(3) The purpose of personal data processing:
- To fulfill services provided on the website.
- Contacting the individual via electronic, telephone, SMS, or postal communication.
- Providing information about the Company’s products, services, contract terms, and promotions.
- Analyzing website usage.
(4) The legal basis for data processing is the data subject’s consent.
(5) Recipients and categories of recipients of personal data: The Company’s senior executives, employees handling customer service and marketing activities, and the Company’s IT service provider employees responsible for hosting services.
(6) The duration of personal data storage: as long as the contact/service remains active, or until the data subject withdraws consent (requests deletion).
CHAPTER V – DATA PROCESSING BASED ON LEGAL OBLIGATIONS
10. § Data Processing for Taxation and Accounting Obligations
(1) The Company processes personal data based on legal obligations, for fulfilling statutory taxation and accounting obligations (bookkeeping, taxation) concerning individuals who establish a business relationship with the Company as customers or suppliers. The processed data is determined by applicable laws, including but not limited to:
- Tax number, name, address, tax status as per Act CXXVII of 2017 on VAT, §§169 and 202
- Name, address, designation of the individual or organization authorizing the transaction, signatory for financial transactions, verifying personnel, and internal auditor’s signature (if applicable), as per Act C of 2000 on Accounting, §167
- Business license number, farmer’s license number, tax identification number under Act CXVII of 1995 on Personal Income Tax.
(2) The retention period for personal data is eight (8) years after the termination of the legal relationship serving as its basis.
(3) Recipients of personal data: The Company’s employees and data processors responsible for taxation, bookkeeping, payroll, and social security administration.
11. § Data Processing for Payer Obligations
(1) The Company processes personal data based on legal obligations for fulfilling statutory taxation and contribution obligations (determining taxes, tax advances, contributions, payroll, and social security administration) regarding individuals with whom it has a payer relationship, including employees, their family members, workers, and other beneficiaries. The scope of processed data is defined by the Act CL of 2017 on Taxation, §50, and includes but is not limited to:
- Natural person’s identification data (including previous names and titles)
- Gender
- Nationality
- Tax identification number
- Social security number (TAJ)
If stipulated by tax laws, the Company may process employees’ health-related data (§40 of the Personal Income Tax Act) and trade union membership data (§47(2)(b) of the Personal Income Tax Act) for payroll and social security administration.
(2) The retention period for personal data is eight (8) years after the termination of the legal relationship serving as its basis.
(3) Recipients of personal data: The Company’s employees and data processors responsible for taxation, payroll, and social security (payer) administration.
CHAPTER VI – DATA SECURITY MEASURES
12. § Data Security Measures
(1) The Company is obliged to implement technical and organizational measures and establish procedural rules necessary to enforce the GDPR and the Hungarian Information Act in relation to all its data processing activities and legal bases to ensure the security of personal data.
(2) The Data Controller protects the data through appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure, or unauthorized access.
(3) The Company classifies and handles personal data as confidential. Employees are subject to a confidentiality obligation regarding personal data processing, which is regulated by the confidentiality clause in Appendix 7 of this policy. The Company restricts access to personal data by assigning access levels.
(4) The Company protects its IT systems with a firewall and provides antivirus protection.
(5) The Company carries out electronic data processing and record-keeping using a computer program that meets data security requirements. The system ensures that data can only be accessed for specific purposes and under controlled conditions by authorized personnel necessary for their duties.
(6) During the automated processing of personal data, the Data Controller and Data Processor implement additional measures to ensure:
a) prevention of unauthorized data entry;
b) prevention of unauthorized use of automated data processing systems via data transmission equipment;
c) traceability and verification of which entities have received or may receive personal data via data transmission equipment;
d) traceability and verification of which personal data were entered, when, and by whom, in automated data processing systems;
e) recovery of installed systems in case of failure;
f) reporting of errors occurring during automated processing.
(7) The Company ensures the monitoring of incoming and outgoing electronic communication to protect personal data.
(8) Only authorized employees may access ongoing work and documents in process. Personnel, payroll, employment, and other personal data-related documents must be securely stored.
(9) The data and the devices and documents carrying them must be physically protected appropriately. The Company’s document storage location is its registered office.
CHAPTER VII – RIGHTS OF THE DATA SUBJECT
13. § Summary of the Rights of the Data Subject
For clarity and transparency, this section provides a brief overview of the rights of data subjects. Detailed information regarding these rights is available in Section 14.
Right to Prior Information
The data subject has the right to receive information about the facts and details of data processing before it begins.
(GDPR Articles 13-14)
Further details are provided in Section 14.
Right of Access
The data subject has the right to receive confirmation from the Data Controller on whether their personal data is being processed. If processing is ongoing, they have the right to access their personal data and the information specified in the GDPR.
(GDPR Article 15)
Further details are provided in Section 14.
Right to Rectification
The data subject has the right to request the rectification of inaccurate personal data concerning them without undue delay. Considering the purposes of processing, they also have the right to request the completion of incomplete personal data, including by providing a supplementary statement.
(GDPR Article 16)
Right to Erasure (“Right to be Forgotten”)
- The data subject has the right to request the erasure of their personal data without undue delay, and the Data Controller is obliged to erase the personal data without undue delay if one of the conditions specified in the GDPR applies.
(GDPR Article 17)
Further details are provided in Section 14.
Right to Restriction of Processing
The data subject has the right to request that the Data Controller restricts data processing if the conditions specified in the GDPR are met.
(GDPR Article 18)
Further details are provided in Section 14.
Notification Obligation Related to Rectification, Erasure, or Restriction of Processing
The Data Controller informs all recipients to whom the personal data has been disclosed about any rectification, erasure, or restriction of processing, except where this proves impossible or requires disproportionate effort. Upon request, the Data Controller informs the data subject about these recipients.
(GDPR Article 19)
Right to Data Portability
Under the conditions specified in the GDPR, the data subject has the right to receive their personal data provided to the Data Controller in a structured, commonly used, and machine-readable format. They also have the right to transmit this data to another Data Controller without hindrance from the original Data Controller.
(GDPR Article 20)
Further details are provided in Section 14.
Right to Object
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data under GDPR Article 6(1)(e) (data processing necessary for a task carried out in the public interest or in the exercise of official authority) or Article 6(1)(f) (processing necessary for the purposes of legitimate interests pursued by the Data Controller or a third party).
(GDPR Article 21)
Further details are provided in Section 14.
Right Not to Be Subject to Automated Decision-Making, Including Profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
(GDPR Article 22)
Further details are provided in Section 14.
RESTRICTIONS
The rights and obligations set out in Articles 12-22 and Article 34 of the Regulation may be restricted by legislative measures under Union or Member State law applicable to the Data Controller or Data Processor, in accordance with Articles 12-22 of the Regulation.
(GDPR Article 23)
Further details are provided in Section 14.
NOTIFICATION OF A DATA BREACH TO THE DATA SUBJECT
If a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject about the data breach without undue delay.
(GDPR Article 34)
Further details are provided in Section 14.
RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY (RIGHT TO JUDICIAL REMEDY)
The data subject has the right to lodge a complaint with a supervisory authority—particularly in the Member State of their habitual residence, workplace, or the location of the alleged infringement—if they consider that the processing of their personal data infringes the Regulation.
(GDPR Article 77)
Further details are provided in Section 14.
RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY
Any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or if the supervisory authority fails to handle the complaint or does not inform the data subject within three months about the progress or outcome of their complaint.
(GDPR Article 78)
Further details are provided in Section 14.
RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A DATA CONTROLLER OR DATA PROCESSOR
Each data subject shall have the right to an effective judicial remedy where they consider that their rights under the Regulation have been infringed as a result of the unlawful processing of their personal data.
(GDPR Article 79)
Further details are provided in Section 14.
14. § DETAILED INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT
Right to Prior Information
The data subject has the right to be informed about the facts and details of data processing before it begins.
A) Information to Be Provided If Personal Data Is Collected from the Data Subject
1. If personal data concerning the data subject is collected directly from them, the Data Controller shall provide the following information at the time the data is obtained:
a) The identity and contact details of the Data Controller and, where applicable, their representative;
b) The contact details of the Data Protection Officer, if applicable;
c) The purposes for which the personal data is intended to be processed and the legal basis for the processing;
d) If processing is based on GDPR Article 6(1)(f) (legitimate interests), the legitimate interests pursued by the Data Controller or a third party;
e) Where applicable, the recipients or categories of recipients of the personal data;
f) Where applicable, whether the Data Controller intends to transfer personal data to a third country or international organization, including the existence or absence of an adequacy decision by the European Commission, or in the case of transfers under GDPR Articles 46, 47, or 49(1)(2), the appropriate safeguards and means to obtain a copy or access the data.
2. In addition to the information listed in point 1, the Data Controller shall provide the following supplementary information to ensure fair and transparent processing:
a) The period for which the personal data will be stored, or if this is not possible, the criteria used to determine that period;
b) The data subject’s right to request access to, rectification or erasure of personal data, or restriction of processing, and the right to object to processing, as well as the right to data portability;
c) If processing is based on GDPR Article 6(1)(a) (consent) or Article 9(2)(a) (explicit consent), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) The right to lodge a complaint with a supervisory authority;
e) Whether the provision of personal data is a statutory or contractual requirement or necessary to enter into a contract, and whether the data subject is obliged to provide personal data and the possible consequences of failing to do so;
f) The existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4), and at least in such cases, meaningful information about the logic involved and the significance and expected consequences of such processing for the data subject.
3. If the Data Controller intends to further process personal data for a purpose other than that for which it was collected, they must inform the data subject of this new purpose before further processing, along with all relevant supplementary information from point 2.
4. Points 1-3 do not apply if and to the extent that the data subject already possesses the information.
(GDPR Article 13)
B) Information to Be Provided If Personal Data Is Not Collected from the Data Subject
-
If personal data is not collected from the data subject directly, the Data Controller shall provide the following information:
a) The identity and contact details of the Data Controller and, where applicable, their representative;
b) The contact details of the Data Protection Officer, if applicable;
c) The purposes of the processing and the legal basis for the processing;
d) The categories of personal data concerned;
e) The recipients or categories of recipients of the personal data, if applicable;
f) If applicable, whether the Data Controller intends to transfer personal data to a third country or an international organization, including the existence or absence of an adequacy decision by the European Commission, or in the case of transfers under GDPR Articles 46, 47, or 49(1)(2), the appropriate safeguards and how to obtain a copy or access the data. -
In addition to the information listed in point 1, the Data Controller shall provide the following supplementary information to ensure fair and transparent processing:
a) The period for which the personal data will be stored, or if this is not possible, the criteria used to determine that period;
b) If processing is based on GDPR Article 6(1)(f) (legitimate interests), the legitimate interests pursued by the Data Controller or a third party;
c) The data subject’s right to request access to, rectification or erasure of personal data, or restriction of processing, and the right to object to processing, as well as the right to data portability;
d) If processing is based on GDPR Article 6(1)(a) (consent) or Article 9(2)(a) (explicit consent), the right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal;
e) The right to lodge a complaint with a supervisory authority;
f) The source of the personal data and whether it came from publicly accessible sources;
g) The existence of automated decision-making, including profiling, referred to in GDPR Article 22(1) and (4), and at least in such cases, meaningful information about the logic involved and the significance and expected consequences for the data subject.
3. The Data Controller shall provide the information referred to in points 1 and 2:
a) Within a reasonable period after obtaining the personal data, but at the latest within one month;
b) If the data is used for contacting the data subject, at the time of the first communication;
c) If the data is disclosed to another recipient, before the first disclosure.
4. If the Data Controller intends to further process personal data for a purpose other than that for which it was collected, they must inform the data subject of this new purpose before further processing, along with all relevant supplementary information from point 2.
5. Points 1-5 do not apply if and to the extent that:
a) The data subject already has the information;
b) Providing the information proves impossible or would require a disproportionate effort, particularly for public interest archiving, scientific or historical research, or statistical purposes, under the safeguards of GDPR Article 89(1);
c) Data acquisition or disclosure is expressly required by Union or Member State law;
d) The personal data must remain confidential due to professional secrecy obligations.
(GDPR Article 14)
RIGHT OF ACCESS BY THE DATA SUBJECT
1. The data subject has the right to obtain confirmation from the Data Controller as to whether or not their personal data is being processed, and, where that is the case, access to the personal data and the following information:
a) The purposes of the processing;
b) The categories of personal data concerned;
c) The recipients or categories of recipients to whom the personal data has been or will be disclosed, including in particular recipients in third countries or international organizations;
d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) The right to request from the Data Controller rectification or erasure of personal data, or restriction of processing, and the right to object to processing;
f) The right to lodge a complaint with a supervisory authority;
g) Where the personal data is not collected from the data subject, any available information as to their source;
h) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation, and, at least in those cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject.
2. Where personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.
3. The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the request is made electronically, the information shall be provided in a commonly used electronic format unless otherwise requested by the data subject. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
(GDPR Article 15)
RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)
1. The data subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay, and the Data Controller is obliged to erase personal data without undue delay where one of the following grounds applies:
a) The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) The data subject withdraws their consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation, and where there is no other legal ground for the processing;
c) The data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) The personal data has been unlawfully processed;
e) The personal data must be erased to comply with a legal obligation under Union or Member State law to which the Data Controller is subject;
f) The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.
2. Where the Data Controller has made the personal data public and is obliged pursuant to paragraph 1 to erase it, the Data Controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other Data Controllers processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, that personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) For exercising the right of freedom of expression and information;
b) For compliance with a legal obligation requiring processing under Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
c) For reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i), and Article 9(3) of the Regulation;
d) For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) For the establishment, exercise, or defense of legal claims.
(GDPR Article 17)
RIGHT TO RESTRICTION OF PROCESSING
1. The data subject has the right to obtain from the Data Controller restriction of processing where one of the following applies:
a) The accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
c) The Data Controller no longer needs the personal data for processing purposes, but it is required by the data subject for the establishment, exercise, or defense of legal claims;
d) The data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification of whether the legitimate grounds of the Data Controller override those of the data subject.
2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.
3. The Data Controller shall inform the data subject who has obtained restriction of processing before the restriction is lifted.
(GDPR Article 18)
RIGHT TO DATA PORTABILITY
1. The data subject has the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data has been provided, where:
a) The processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation, or on a contract pursuant to Article 6(1)(b); and
b) The processing is carried out by automated means.
2. In exercising their right to data portability under paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one Data Controller to another, where technically feasible.
3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. This right shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
4. The right under paragraph 1 shall not adversely affect the rights and freedoms of others.
(GDPR Article 20)
RIGHT TO OBJECT
1. The data subject has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them based on Article 6(1)(e) (public interest or official authority) or 6(1)(f) (legitimate interest) of the Regulation, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.
2. Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning them for such marketing, including profiling related to direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
(GDPR Article 21)
RESTRICTIONS
1. Union or Member State law applicable to the Data Controller or Data Processor may restrict, by means of legislative measures, the scope of obligations and rights provided for in Articles 12 to 22 and Article 34 of the Regulation, as well as the rights and obligations under Article 5, provided that such a restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society for:
a) National security;
b) Defense;
c) Public security;
d) The prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, including the prevention of threats to public security;
e) Other important objectives of general public interest of the Union or a Member State, including monetary, budgetary, and taxation matters, public health, and social security;
f) The protection of judicial independence and judicial proceedings;
g) The prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
h) The monitoring, inspection, or regulatory functions related to the exercise of official authority in cases referred to in points (a) to (e) and (g);
i) The protection of the data subject or the rights and freedoms of others;
j) The enforcement of civil law claims.
2. The legislative measures referred to in paragraph 1 may include detailed provisions regarding at least:
a) The purposes of the processing or the categories of processing;
b) The categories of personal data;
c) The scope of the restrictions introduced;
d) The safeguards to prevent abuse or unlawful access or transfer;
e) The identification of the Data Controller or the categories of Data Controllers;
f) The storage periods and applicable safeguards considering the nature, scope, and purposes of the processing;
g) The risks to the rights and freedoms of data subjects; and
h) The data subjects’ right to be informed about the restriction unless this would jeopardize the purpose of the restriction.
(GDPR Article 23)
INFORMING THE DATA SUBJECT ABOUT A PERSONAL DATA BREACH
1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay.
2. The notification referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33(3)(b), (c), and (d) of the Regulation.
3. The notification to the data subject shall not be required if any of the following conditions are met:
a) The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, in particular, those measures that render the personal data unintelligible to unauthorized persons, such as encryption;
b) The Data Controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph 1 is no longer likely to materialize;
c) The notification would involve disproportionate effort. In such cases, public communication or a similar measure shall be implemented to inform the data subjects in an equally effective manner.
4. If the Data Controller has not already communicated the personal data breach to the data subject, the supervisory authority, after considering whether the breach is likely to result in a high risk, may require it to do so or may determine that any of the conditions referred to in paragraph 3 are met.
(GDPR Article 34)
RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
1. Without prejudice to other administrative or judicial remedies, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of their personal data infringes this Regulation.
2. The supervisory authority to which the complaint has been submitted shall inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Article 78.
(GDPR Article 77)
RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY
1. Without prejudice to other administrative or non-judicial remedies, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
2. Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy where the competent supervisory authority under Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged under Article 77.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. Where proceedings are brought against a decision of a supervisory authority which has been the subject of an opinion or decision by the European Data Protection Board under the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
(GDPR Article 78)
RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A DATA CONTROLLER OR PROCESSOR
1. Without prejudice to available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority under Article 77, every data subject shall have the right to an effective judicial remedy where they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in non-compliance with the Regulation.
2. Proceedings against a Data Controller or a Data Processor shall be brought before the courts of the Member State where the Data Controller or Data Processor has an establishment. Such proceedings may also be brought before the courts of the Member State where the data subject has their habitual residence unless the Data Controller or Data Processor is a public authority acting in the exercise of its public powers.
(GDPR Article 79)
CHAPTER VIII – DATA SUBJECT REQUESTS AND DATA CONTROLLER ACTIONS
Article 15 – Actions Taken Upon Data Subject Requests
1. The Company, as the Data Controller, shall inform the data subject without undue delay and in any event within one month of receipt of the request regarding the measures taken in response to their rights request.
2. If necessary, considering the complexity of the request and the number of requests, this period may be extended by two additional months. The Data Controller shall inform the data subject of any such extension within one month of receiving the request, together with the reasons for the delay.
3. If the data subject submits the request electronically, the response should also be provided electronically where possible unless the data subject requests otherwise.
4. If the Data Controller does not take action on the data subject’s request, it shall inform the data subject without delay, and at the latest within one month, of the reasons for not taking action and their right to lodge a complaint with a supervisory authority and seek a judicial remedy.
5. The Company, as the Data Controller, shall provide the information specified in Articles 13 and 14 of the Regulation, as well as information about the data subject’s rights under Articles 15 to 22 and Article 34, free of charge. If the data subject’s request is manifestly unfounded or excessive, particularly due to its repetitive nature, the Data Controller may:
a) Charge a fee of €16.50 (6,350 HUF) based on administrative costs; or
b) Refuse to act on the request.
The burden of proving the manifestly unfounded or excessive nature of the request lies with the Data Controller.
6. If the Company, as the Data Controller, has reasonable doubts about the identity of the individual making the request, it may request additional information necessary to confirm the data subject’s identity.