Data Protection Policy

2024.

Content

Content    2

I.    CHAPTER GENERAL PROVISIONS    5

I.1. Introduction    5

I.2. Purpose of the policy    5

I.3. Scope of the policy    6

I.4. Concept definitions    6

II.    CHAPTER    9

LEGAL BASIS OF DATA MANAGEMENT    9

II.1.    Data management based on the consent of the data subject    9

II.2.    Data processing is necessary to fulfill a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract    10

II.3.    The data processing is necessary for the fulfillment of a legal obligation of the Data Controller    10

II.3.1.    Data processing for the fulfillment of tax and accounting obligations    10

II.3.2.    Data processing for payer purposes    10

II.3.3.    Data processing related to documents of permanent value according to the Archival Act    11

II.3.4.    Data processing based on other legal authorization    11

II.4.    The data processing is necessary for the enforcement of the legitimate interests of the Data Controller or a third party    11

III.    CHAPTER    12

INFORMING THE PARTIES CONCERNED    12

III.1.    Regardless of the legal basis of data processing, the Data Controller informs the data subjects of the fact of data processing as follows    12

IV.    CHAPTER    13

THE DATA PROCESSOR IS AN SINGLE DATA PROCESSOR    13

IV.1.    Labor and personnel data    13

IV.1.1.    General rules for handling employment data    13

IV.1.2.    Data management related to aptitude tests    14

IV.1.3.    Management of the data of employees applying for recruitment, applications, resumes    15

IV.1.4.    Data Processing Related to the Monitoring of Email Account Usage    16

IV.1.5.    Data management related to the control of computers, laptops and tablets    17

IV.1.6.    Data management related to the control of Internet use at work    17

IV.1.7.    Data management related to monitoring the use of company mobile phones    18

IV.1.8.    Data management related to workplace camera surveillance    18

IV.2.    Contract-related data management    20

IV.2.2.    Contact details of natural person representatives of legal entity clients, buyers, suppliers    20

IV.2.3.    Visitor data management on the Data Controller's website - Information on the use of cookies    21

IV.2.4.    Community guidelines / Data management on the Data Controller's Community page/pages    22

IV.3.    Data management related to camera surveillance    23

V.    CHAPTER    25

OTHER PROVISIONS RELATED TO DATA MANAGEMENT    25

V.1.    Data security measures    25

V.2.    Management of data protection incidents    26

V.2.1.    The concept of a data breach    26

V.2.2.    Management and Remedy of Data Protection Incidents    26

V.2.3.    Procedure for handling a data protection incident    27

V.2.3.1.    Internal report of the data protection incident    27

V.2.3.2.    External information obligations    28

V.2.3.3.    Supervisory Authority    28

V.2.3.4.    Decision on whether to notify the supervisory authority    29

V.2.3.5.    Method of notification to the supervisory authority    29

V.2.3.6.    Data subject    30

V.3.    The Rights of the Data Subject    30

V.3.1.    The data subject's right of access    32

V.3.2.    The right to erasure ("the right to be forgotten")    33

V.3.3.    The right to erasure ("the right to be forgotten")    34

V.3.4.    The right to data portability    34

V.3.5.    The Right to Object    35

V.3.6.    Automated decision-making in individual cases, including profiling    35

V.3.7.    Deadline for Processing Requests from the Customer as Data Subject    36

V.4.    Complaint to the supervisory authority    37

VI.    CHAPTER    37

ACTIVITY OF DATA PROCESSOR    37

VI.1.    Data processing activities    37

VI.2.    Data processor guarantee provision    37

VI.3.    Obligations and Rights of the Client (Data Controller)    38

VI.4.    Responsibilities and Rights of the Data Controller as Data Processor    38

VI.5.    Cooperation with the Data Controller    40

VI.6.    Conditions of the Data Controller's Data Processing Activities    40

VII.    CHAPTER    41

CLOSING PROVISIONS    41

VII.1.    Establishment and Modification of the Policy    41

VII.2.    Measures for Familiarizing Employees with the Policy    41

1. CHAPTER
   GENERAL PROVISIONS

2.  Introduction

The Data Controller declares that it conducts its data processing activities in compliance with applicable laws, relevant regulations, and official positions, and for this purpose, it will adopt the appropriate internal rules and technical and organizational measures.

At the time of issuing this policy, the Data Controller particularly considers the following as guidelines:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the Regulation).

• The provisions of Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter referred to as the Info Act).

2. Purpose of the policy

1.  The purpose of this policy is to establish internal rules and measures that ensure the Data Controller's data processing activities comply with the provisions of the Regulation, the Info Act, and other relevant legal regulations.

2.  The policy also aims to provide verification by the Data Controller of compliance with the Regulation and the principles regarding the processing of personal data outlined in Article 5.

3.  Additionally, the policy aims to serve as a clear guideline for the employees of the Data Controller in matters related to their data processing processes during their work.

3. Scope of the policy

1. This policy applies to all employees of the Data Controller in matters where they handle personal data related to natural persons or have access to personal data in any way.

2. The policy does not extend to the processing of personal data concerning legal entities, including the name and form of the legal entity, as well as data regarding the contact information of the legal entity.

4. Concept definitions

The definitions of key terms relevant to this policy are contained in Article 4 of the Regulation. Accordingly, we highlight the main concepts:

1. “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

2. “processing”: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;

3. “restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future;

4. “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

5. “pseudonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

6. “filing system”: any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;

7. “data controller”: the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the data controller or the specific criteria for its designation may be provided for by Union law or the law of a Member State;

8. “data processor”: a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller;

9. “recipient”: a natural or legal person, public authority, agency, or any other body to which the personal data are disclosed, whether a third party or not. Public authorities that may receive personal data in the context of a particular inquiry under Union law or the law of a Member State shall not be regarded as recipients; the processing of such data by those public authorities shall be in compliance with the applicable data protection rules in accordance with the purposes of the processing;

10. “third party”: a natural or legal person, public authority, agency, or any other body that is not the data subject, the data controller, the data processor, or persons who are under the direct authority of the data controller or the data processor authorized to process personal data;

11. “consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

12. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

2. CHAPTER

LEGAL BASIS OF DATA MANAGEMENT

1.  Data management based on the consent of the data subject 

1. In the case of data processing based on consent, the data subject's consent to the processing of their personal data shall be given in a document titled "Consent Declaration" as per Annex 1.

2. Consent is also considered to have been given if the data subject checks a box indicating consent while viewing the Data Controller's website, carries out technical settings related to the use of services related to the information society, or makes any other statement or takes any action that clearly indicates the data subject's consent to the intended processing of their personal data in that context. Silence, pre-checked boxes, or failure to act shall not constitute consent.

3. The consent extends to all data processing activities carried out for the same purpose or purposes. If the processing serves multiple purposes simultaneously, consent must be provided for all data processing purposes.

4. If the data subject gives their consent in a written statement that also pertains to other matters—e.g., entering into a service contract—the request for consent must be presented in a manner that clearly distinguishes it from these other matters, in an understandable and easily accessible form, using clear and simple language. Any part of such a statement containing the data subject's consent that violates the Regulation shall have no binding effect. The Data Controller may not condition the conclusion or performance of a contract on the data subject's consent to the processing of personal data that is not necessary for the performance of the contract.

5. Withdrawal of consent must be made as easy as giving consent.

6. If the personal data was collected with the consent of the data subject, the Data Controller may process the collected data, in the absence of any contrary legal provision, to fulfill their legal obligations without requiring any further consent, even after the data subject has withdrawn their consent.

2. Data processing is necessary to fulfill a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract

The personal data provided at the time of entering into the contract is necessary for the Data Controller to fulfill the contract. This interest serves as a sufficient legal basis for the processing of personal data. The interest remains valid as long as it is possible to enforce legitimate interests related to the fulfilled contract—that is, until the expiration of the general five-year statute of limitations for civil law claims following the fulfillment of the contract (except in cases where a shorter statute of limitations is specified by law).

3. The data processing is necessary for the fulfillment of a legal obligation of the Data Controller

   1. Data processing for the fulfillment of tax and accounting obligations

The Data Controller processes the legally mandated data of individuals who enter into a business relationship with them, as clients or suppliers, under the legal basis of fulfilling a legal obligation, specifically for compliance with tax and accounting obligations prescribed by law (accounting, taxation). The data processing is particularly based on Section 169 and Section 202 of Act CXXVII of 2017 on Value Added Tax, as well as Section 167 of Act C of 2000 on Accounting and Section CXVII of 1995 on Personal Income Tax.

2. Data processing for payer purposes

The Data Controller processes personal data of individuals—employees, their family members, employees, and other beneficiaries—required by tax laws, under the legal basis of fulfilling a legal obligation, specifically for compliance with tax and contribution obligations (determining tax, tax advance, contributions, payroll accounting, social security, pension administration). This is applicable to those who are in a payer relationship with the Data Controller, as defined by Section 31 of Article CL of 2017 on the rules of taxation (Art.). The scope of the processed data is determined by Section 50 of the Art., specifically highlighting: the personal identification data, gender, nationality, tax identification number, and social security identification number (TAJ number) of the individual. If tax laws attach legal consequences to this, the Data Controller may also process data related to the health (Section 40 of the Personal Income Tax Act) and trade union (Section 47(2)b.) membership of employees for the fulfillment of tax and contribution obligations (payroll accounting, social security administration).

3. Data processing related to documents of permanent value according to the Archival Act

1. The Data Controller processes documents classified as having permanent value under Act LXVI of 1995 on public documents, public archives, and the protection of private archival materials under the legal basis of fulfilling a legal obligation, to ensure that the permanent value part of the Data Controller’s archival material remains intact and usable for future generations. The duration of data storage is until the transfer to the public archive.

2. The Archival Act governs the recipients of personal data and other issues of data processing.

4. Data processing based on other legal authorization

The Data Controller processes personal data in the manner and on the legal basis defined in the appendices of this regulation. Accordingly, the Data Controller may also process personal data based on specific legal provisions defined in the appendices of this regulation.

4. The data processing is necessary for the enforcement of the legitimate interests of the Data Controller or a third party

The legal basis for data processing may also be the necessity for the enforcement of the legitimate interests of the Data Controller or a third party. In cases of data processing based on legitimate interests, a balancing test is always required to determine whether the interest to be enforced outweighs the interest in protecting personal data. The Data Controller is obligated to present the assessment regarding this matter.

3. CHAPTER

INFORMING THE PARTIES CONCERNED

1. Regardless of the legal basis of data processing, the Data Controller informs the data subjects of the fact of data processing as follows

The Data Controller makes the data processing notices referred to in Appendices 
2-5 available to the data subjects. The purpose of this notice is to clearly and comprehensively inform the data subjects about all facts related to the processing of their data, both before the commencement of data processing and during it. This includes, in particular, the purpose and legal basis of the data processing, the identity of the person authorized for data processing and data handling, the duration of data processing, and who may access the data.

4. CHAPTER

THE DATA PROCESSOR IS AN SINGLE DATA PROCESSOR

1. Labor and personnel data

   1. General rules for handling employment data

1. Only data necessary for the establishment, maintenance, and termination of employment, as well as for the provision of social welfare benefits, may be requested and recorded from employees, and only medical suitability examinations relevant to the job may be conducted that do not infringe upon the personal rights of the employee.

2. The data of the employees managed by the Data Controller, under Article 6(1)(b) (data processing is necessary for the performance of a contract to which the data subject is a party or for steps taken at the request of the data subject prior to entering into a contract) and (c) (data processing is necessary for compliance with a legal obligation to which the data controller is subject) of the Regulation, are processed for the purpose of establishing an employment relationship as defined in Annex 1.

3. The data of the employees managed by the Data Controller, under Article 6(1)(b) (data processing is necessary for the performance of a contract to which the data subject is a party or for steps taken at the request of the data subject prior to entering into a contract) and (c) (data processing is necessary for compliance with a legal obligation to which the data controller is subject) of the Regulation, are processed for the purpose of maintaining or terminating the employment relationship as defined in Annex 2.

4. Data concerning illness and trade union membership may only be processed by the employer for the purpose of fulfilling the rights or obligations specified in the Labor Code.

5. The recipients of personal data are: the employer’s manager, the person exercising employer's rights and instructions, employees of the Data Controller performing labor-related tasks, and data processors recorded in the “record of data transfers” defined in Annex 11 of this regulation.

6. The duration of storage of personal data: as detailed by type of data in Annexes 1 and 2.

7. The data subject must be informed before the start of data processing that the processing is based on the Labor Code and is necessary for the performance of a contract or the fulfillment of a legal obligation.

8. The employer shall inform the employee about the processing of their personal data and their personal rights by providing the Notification specified in Annex 2 of this regulation simultaneously with the conclusion of the employment contract.

2.  Data management related to aptitude tests

1. Only suitability examinations prescribed by employment regulations or necessary for the exercise of rights or the fulfillment of obligations defined in employment regulations may be applied to employees. Before the examination, employees must be informed in detail, among other things, about the specific skills or abilities being assessed and the tools or methods used for the examination. If a legal regulation requires the examination to be conducted, employees must also be informed of the exact legal provision. A sample data processing notification related to this information is included in Annex 2 of this regulation.

2. Test sheets regarding work suitability and preparedness may be filled out by employees both before the establishment of the employment relationship and during its existence.

3. Psychological or personality trait assessment test sheets may only be administered to larger groups of employees for the purpose of more effective organization and execution of work processes if the data revealed during the analysis cannot be linked to individual employees, meaning that the data processing is done anonymously.

4. The scope of personal data that may be processed: the fact of job suitability and the necessary conditions for it.

5. The legal basis for data processing: compliance with a legal obligation.

6. The purpose of processing personal data: establishing and maintaining an employment relationship and filling job positions.

7. The recipients of personal data or categories of recipients: The examined employees and the professional conducting the examination may access the examination results. The employer may only receive information indicating whether the examined individual is suitable for work and what conditions need to be ensured. However, the employer may not access the details of the examination or its complete documentation.

8. The duration of personal data processing: for the duration of the employment relationship.

3.  Management of the data of employees applying for recruitment, applications, resumes 

1. The scope of personal data that may be processed is regulated by Annex 1.

2. The purpose of processing personal data: application submission, evaluation of the application, and entering into an employment contract with the selected candidate. The candidate must be informed if the employer does not select them for the given position.

3. The legal basis for data processing: Article 6(1)(b) of the Regulation, which states that the processing is necessary for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.

4. The recipients of personal data or categories of recipients: A leader authorized to exercise employer rights at the Data Controller and employees with direct instructions related to the position to be filled.

5. The duration of personal data storage:

• Until the expiration of the probationary period related to the applied position.

• In the case of a withdrawn application: Immediately after the notification of the withdrawal.

6. The employer may retain applications only with the explicit, clear, and voluntary consent of the data subject beyond the duration specified in paragraph (5), provided that the retention is necessary for achieving a data processing purpose consistent with legal regulations. This consent must be sought from the applicants after the recruitment process is concluded.

4. Data Processing Related to the Monitoring of Email Account Usage

1. The Data Controller provides an email account to certain employees—this email address and account may only be used by the employee for work-related tasks, in order to facilitate communication among employees or to correspond with clients, other individuals, and organizations on behalf of the employer.

2. The employee may not use the email account for personal purposes and may not store personal messages in the account.

3. The employer is entitled to regularly monitor the entire content and usage of the email account; in this case, the legal basis for data processing is the legitimate interest of the employer (the balancing of interests assessment is included in the Data Controller's privacy documents). The purpose of the monitoring is to ensure compliance with employer provisions regarding the use of the email account, as well as to verify employee obligations.

4. The monitoring may be conducted by the employer's manager or the person exercising employer rights.

5. If circumstances permit, it should be ensured that the employee is present during the monitoring.

6. Before the monitoring, the employee must be informed about the employer's interest that necessitates the monitoring, who may conduct the monitoring on behalf of the employer, what rules apply to the monitoring (adhering to the principle of proportionality), and what the procedure entails, as well as the rights and remedies available to the employee regarding data processing associated with the monitoring of the email account.

7. The principle of proportionality should be applied during the monitoring, so initially, it should be determined from the email address and subject whether it is related to the employee's work tasks and not for personal purposes. The employer may examine the content of emails that are not for personal purposes without restriction.

8. The employer may apply labor law consequences against the employee due to the use of the email account in violation of this regulation.

9. The employee may exercise the rights outlined in the chapter of this regulation concerning the rights of data subjects regarding data processing associated with the monitoring of the email account.

5. Data management related to the control of computers, laptops and tablets

1. The computer, laptop, or tablet provided by the Data Controller for the employee's work purposes may only be used by the employee to fulfill their job responsibilities. The Data Controller prohibits the personal use of these devices; the employee may not manage or store any personal data or correspondence on them. The employer may monitor the data stored on these devices. The provisions regarding the employer's monitoring of these devices and any legal consequences are outlined in Section IV.1.4.

6. Data management related to the control of Internet use at work

1. The employee may only view websites related to their job responsibilities; the employer prohibits personal internet use at work.

2. For internet registrations conducted on behalf of the Data Controller as part of job duties, the Data Controller is the rightful owner, and an identifier and password referring to the Data Controller must be used during registration. If personal data is also required for the registration, the employee must initiate its deletion upon the termination of their employment.

3. The employer may monitor the employee's internet usage at work, and the provisions regarding this monitoring and its legal consequences are outlined in Section IV.1.4.

7. Data management related to monitoring the use of company mobile phones

1. The employer does not permit the personal use of company mobile phones; the mobile phone may only be used for work-related purposes. The employer has the right to monitor all outgoing call numbers and data, as well as the information stored on the mobile phone.

2. The employee is required to report to the employer if they have used the company mobile phone for personal purposes. In this case, the monitoring may proceed by the employer requesting a call detail record from the phone service provider and instructing the employee to render the numbers of personal calls unrecognizable on the document. The employer may require the employee to bear the costs of personal calls.

3. Additionally, the provisions regarding monitoring and its legal consequences are outlined in Section IV.1.4. 

8. Data management related to workplace camera surveillance 

1. The data controller employs an electronic surveillance system for asset protection purposes at its headquarters, some of its sites, and in areas open for customer service. This system allows for image recording, and the behavior of individuals captured by the camera is considered personal data.

2. The legal basis for this data processing is the consent of the individual concerned.

3. A clearly visible and easily readable warning sign must be placed in a way that facilitates the awareness of third parties who may enter the area, indicating the presence of the electronic surveillance system. This notification must be provided for each camera and should include information about the surveillance conducted by the electronic asset protection system, the purpose of recording and storing images and sounds containing personal data, the legal basis for data processing, the location where the recordings are stored, the duration of storage, the identity of the person operating the system, the categories of persons authorized to access the data, as well as provisions regarding the rights of the individuals concerned and how to enforce those rights. A template for this notification is included in Appendix 2 of this regulation.

4. Recorded footage may be retained for a maximum of 15 (fifteen) working days in the absence of usage. Usage is defined as the intention to use the recorded image or other personal data as evidence in judicial or other administrative proceedings.

5. Anyone whose rights or legitimate interests are affected by the recording of the footage may request, within three working days from the date of recording, that the data controller does not destroy or delete the data, substantiating their rights or legitimate interests.

6. An electronic surveillance system may not be used in any room where surveillance could violate human dignity, particularly in changing rooms, showers, restrooms, or in any area designated for employees’ breaks.

7. If no one can lawfully be present on the workplace premises—especially outside of working hours or on non-working days—then the entire workplace area (including changing rooms, restrooms, and designated break areas) may be monitored.

8. In addition to those authorized by law to view the data recorded by the electronic surveillance system, the operator staff, the employer's manager and deputy, and the workplace manager of the monitored area are also authorized to review the data for the purpose of uncovering violations and monitoring the operation of the system.

 

2. Contract-related data management

   1. Management of contractual partners' data - register of customers

1. The data controller processes the data of the natural person contracted as a customer for the purposes of concluding, fulfilling, terminating the contract, and providing contractual benefits under the legal basis of contract performance, as defined in Appendices 3 and 4. This data processing is considered lawful even if it is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

The recipients of the personal data are: employees of the data controller responsible for customer service tasks, employees handling accounting and taxation tasks, and data processors.

The duration of storage for the personal data is five years following the termination of the contract.

2. Before commencing data processing, the data subject must be informed that the processing is based on the performance of the contract; this information may be provided in the contract itself. The data subject must also be informed about the transfer of their personal data to a data processor. The text of the data processing notification related to the contract with the natural person is included in Appendix 3 of this regulation.

2. Contact details of natural person representatives of legal entity clients, buyers, suppliers

1. The scope of personal data that can be processed includes: the natural person's name, address, phone number, email address, and online identifier.

2. The purpose of processing personal data is: to fulfill the contract with the legal entity partner of the Company and for business communication.

3. The legal basis for data processing: the legitimate interest of the data controller (the balancing test is documented in the data controller's privacy documents).

4. The recipients of the personal data, or the categories of recipients: employees of the Company responsible for customer service tasks.

5. The duration of storage for the personal data: for a period of 5 years following the end of the business relationship or the representative capacity of the data subject.

3.  Visitor data management on the Data Controller's website - Information on the use of cookies 

1. Cookies are short data files placed on the user's computer by the visited website. The purpose of cookies is to facilitate and enhance the specific information and communication technology services provided over the internet. There are many types of cookies, but they can generally be categorized into two main groups. One is the temporary cookie, which is placed on the user's device only during a specific session (e.g., during the security identification of online banking), while the other type is the persistent cookie (e.g., for language settings on a website), which remains on the computer until the user deletes it. According to the European Commission's guidelines, cookies [except those that are strictly necessary for the use of the service] can only be placed on the user's device with the user's consent.

2. For cookies that do not require user consent, information must be provided during the first visit to the website. It is not necessary for the full text of the cookie policy to appear on the website; it is sufficient for the website operators to briefly summarize the essence of the information and provide a link to the complete policy.

3. In the case of cookies that require consent, the information can also be related to the first visit to the website if the data processing associated with the use of cookies begins with visiting the page. If the application of the cookie is related to a function explicitly requested by the user, then the information can also be presented in connection with the use of that function. In this case, it is not necessary for the full text of the cookie policy to appear on the website; a brief summary of the essence of the information and a link to the complete policy are sufficient.

4. Visitors must be informed about the use of cookies on the website in the data processing notice according to Appendix 4. With this notice, the data controller ensures that the visitor can learn at any time before and during the use of the information society services provided on the website, which personal data types are processed for which data processing purposes, including the processing of data that cannot be directly linked to the user.

4. Community guidelines / Data management on the Data Controller's Community page/pages 

1. The Data Controller maintains social media pages to promote and familiarize users with its products and services.

2. Any question posted on any social media page by the Data Controller does not constitute an officially submitted complaint.

3. The Data Controller does not process personal data posted by visitors on any social media page.

4. Visitors are subject to the Privacy and Service Terms of any social media platform.

5. In the case of publishing illegal or offensive content, the Data Controller may exclude the individual from membership without prior notice or delete their comment.

6. The Data Controller is not responsible for any content published by users of any social media platform that violates laws or regulations, nor for any errors, malfunctions, or issues arising from changes in the operation of any social media platform.

7. Any social media platform acts as a data controller when displaying advertisements to people based on the information directly provided by users on that platform. In such cases, the social media platform is responsible for complying with data protection regulations.

8. In the case of using any social media's (e.g., Facebook) "Custom Audience" product based on data files, the Data Controller is responsible for complying with data protection regulations; this is the only instance where Facebook acts as a data processor. This is because the Data Controller transfers the personal data of the data subjects to Facebook. In this case, the Data Controller is responsible for obtaining consent, and the necessary statement for obtaining consent is included in Appendix 1 of this policy.

9. The rules of this chapter apply to any social media page created by the Data Controller at any time.

3. Data management related to camera surveillance

1. The Data Controller uses an electronic surveillance system at its headquarters, certain locations, and client reception areas for the purpose of property protection, which allows for image recording. This means that the behavior of individuals observed can also be considered personal data, as recorded by the camera.

2. The legal basis for this data processing is the consent of the data subject.

3. There must be a clearly visible and legible notice placed in a manner that aids the information of any third parties wishing to enter the area regarding the use of the electronic surveillance system. This notice must be provided for each camera and should include information about the surveillance conducted by the electronic security system, the purpose of recording, storage of personal data contained in the recorded images and sounds, the legal basis for data processing, the location of data storage, the duration of storage, the identity of the person operating the system, the circle of individuals entitled to access the data, and the rights of the data subjects along with the procedures for their enforcement. A template for this notice is included as Appendix 5 of this regulation.

4. Images and sounds of third parties (clients, visitors, guests) entering the monitored area can only be recorded and processed with their consent. Consent can also be given through implied behavior. Implied behavior is particularly applicable if a person enters the monitored area despite being informed of the presence of the electronic surveillance system.

5. Recorded footage can be stored for a maximum of 3 (three) working days if not used. Usage is defined as utilizing the recorded images and any other personal data as evidence in judicial or other official proceedings.

6. Any individual whose rights or legitimate interests are affected by the recording of images can request, within three working days from the recording, that the data controller does not destroy or delete the data, providing proof of their rights or legitimate interests.

7. An electronic surveillance system cannot be used in areas where surveillance may violate human dignity.

8. Aside from those authorized by law to view the data recorded by the electronic surveillance system, the operator staff, the employer's management and deputy, and the workplace manager of the monitored area are also authorized to view the recorded data for the purpose of investigating violations and overseeing the system's operation.

5. CHAPTER

OTHER PROVISIONS RELATED TO DATA MANAGEMENT

1. Data security measures

1. The Data Controller is obligated to take the necessary technical and organizational measures and establish procedural rules to ensure the security of personal data concerning all types and legal grounds for data processing, as required by the Regulation and the Info Act.

2. The Data Controller protects the data against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure, or access through appropriate measures.

3. The Data Controller classifies and handles personal data as confidential information. It imposes a confidentiality obligation on employees regarding the handling of personal data, which must be in accordance with the stipulations in Appendix 9. Access to personal data is restricted by the Data Controller through the assignment of access levels.

4. The Data Controller protects its IT systems with firewalls and provides antivirus protection.

5. The Data Controller carries out electronic data processing and record-keeping through computer programs that comply with data security requirements. The program ensures that only authorized individuals, who require access for their duties, can access the data in a controlled manner and for specific purposes.

6. In the automated processing of personal data, the Data Controller and data processors take additional measures to ensure: 

1. Prevention of unauthorized data entry;

2. Prevention of unauthorized use of automated data processing systems by unauthorized persons through data transmission devices;

3. Verifiability and traceability of which authorities received or may receive personal data via data transmission devices;

4. Verifiability and traceability of which personal data were entered into automated processing systems, when, and by whom;

5. The recoverability of installed systems in the event of a malfunction; and 

6. The creation of reports regarding errors that occur during automated processing.

7. The Data Controller ensures the monitoring of electronic incoming and outgoing communications to protect personal data.

8. Only the responsible clerks may access documents under ongoing work and processing; personnel, payroll, labor, and other documents containing personal data must be securely locked away.

9. Proper physical protection of the data and the devices and documents that carry them must be ensured.

2. Management of data protection incidents

   1. The concept of a data breach

1. Data Protection Incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data that is transmitted, stored, or otherwise processed.

2. Management and Remedy of Data Protection Incidents

1. The responsibility for preventing and managing data protection incidents, as well as for complying with relevant legal regulations, lies with the Data Controller's management.

2. Accesses and attempted accesses to IT systems must be logged and continuously analyzed.

3. The Regulation stipulates that any data processing incident that is likely to pose a risk to the rights and freedoms of data subjects must be reported to the supervisory authority without undue delay and, where possible, no later than 72 hours from the time of awareness. If the 72-hour deadline cannot be met, the reason for the delay must be specified.

4. If the incident involves personal data, a decision must be made regarding the scope, timing, and content of communication with the affected individuals. The Regulation requires that communication should take place "without undue delay" if the incident poses a "high risk to the rights and freedoms of natural persons."

5. The Data Controller may deviate from the provisions of this policy, taking into account the individual circumstances of the incident, in order to remedy it as effectively as possible.

3.  Procedure for handling a data protection incident 

   1. Internal report of the data protection incident

1. Various types of data protection incidents may occur in practice, particularly:

1. Confidentiality Incident: This includes cases of unauthorized access to and disclosure of personal data.

2. Data Modification Incident: This includes instances of unauthorized or accidental modification of personal data.

2. If any employee of the Data Controller or any other individual with access to the company's personal data observes any data protection incident or its realistic threat, they are required to report it in detail and without delay to the management of the Data Controller and to provide all assistance in a timely manner for the comprehensive investigation and handling of the data protection incident.

3. Reported incidents must be evaluated and documented. The evaluation must specifically address the following: 

1. The date and location of the incident,

2. A description of the incident, its circumstances, and its effects,

3. The scope and quantity of the compromised data,

4. The group of individuals affected by the compromised data,

5. A description of the measures taken to mitigate the incident,

6. A description of the measures taken to prevent, remedy, and reduce the damage.

4. A register of data protection incidents must be maintained, which includes:

1. The scope of the affected personal data,

2. The number and scope of individuals affected by the data protection incident,

3. The date of the data protection incident,

4. The circumstances and effects of the data protection incident,

5. The measures taken to remedy the data protection incident,

6. Other data as specified by the legislation governing data processing.

5. The data regarding data protection incidents in the register must be retained for 5 years.

6. The incident log for the registration of data protection incidents is included in Appendix 10 of this regulation.

2. External information obligations

Following the determination that a data protection incident has occurred, the Regulation mandates the notification of two parties. These are:

1. Supervisory Authority

2. Data Subjects

The incident must be reported depending on the assessment of the risk posed to "the rights and freedoms of natural persons." Therefore, in such cases, a risk assessment must be conducted.

3. Supervisory Authority

According to the Regulation, the supervisory authority regarding the Data Controller is as follows:

4. Decision on whether to notify the supervisory authority

According to the Regulation, the Data Controller must notify the supervisory authority of a data breach, “unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons.”

Based on this, the Data Controller is required to assess the level and extent of the risk posed by the data breach before deciding whether to report it.

In the risk assessment process, the following factors should be considered, among others:

• the nature of the incident (see, for example, the above categories);

• the nature, sensitivity, and volume of the personal data affected by the incident;

• other relevant factors (including but not limited to the assessment of the impact of the incident).

For carrying out this risk assessment, making the decision on reporting, preparing the necessary documentation, handling communication with the affected individuals, and responding to any further questions or matters raised by them, the Data Controller shall appoint a responsible person.

The method, justification, and conclusions of the risk assessment must be documented and signed by senior management. The result of the risk assessment must include one of the following conclusions:

1. The data breach does not require reporting.

2. The data breach only needs to be reported to the supervisory authority.

3. The data breach must be reported to both the supervisory authority and the affected individuals.

5. Method of notification to the supervisory authority

If, based on the decision, a report must be made to the supervisory authority, the Regulation requires that it be done “without undue delay, and where feasible, no later than 72 hours after becoming aware of the data breach.” If, for a legitimate reason, the report is not made within the prescribed timeframe, the reason must be indicated in the report.

The report must be made to the competent data protection authority in an appropriate and secure manner.

6.  Data subject

   1. Decision on Whether to Inform the Data Subjects

The Regulation states that the data subjects must be informed about a data breach “if the data breach is likely to result in a high risk to the rights and freedoms of natural persons.”

The Regulation does not require notifying the data subjects if doing so would involve "disproportionate effort." In such cases, the data subjects should be informed through publicly disclosed information instead.

2. Method of Informing the Data Subjects

Once the decision has been made that the incident warrants informing the data subjects, the Regulation mandates that the notification should be made without undue delay.

The communication to the data subjects must “clearly and plainly describe the nature of the personal data breach” and include the following:

1. the name and contact details of the data protection officer or other contact point where more information can be obtained; 

2. a description of the likely consequences of the personal data breach; and 

3. a description of the measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

3. The Rights of the Data Subject

The data subject has the right to receive information about the facts and information related to the data processing prior to the commencement of the data processing.

The information must specifically address the following:

If personal data concerning the data subject is collected from the data subject, the Data Controller shall provide the following information to the data subject at the time of data acquisition:

a) The identity and contact details of the Data Controller and, if applicable, the representative of the Data Controller;

b) Contact details of the Data Protection Officer, if applicable;

c) The purpose of the planned processing of personal data, as well as the legal basis for the processing;

d) In the case of data processing based on legitimate interests, the legitimate interests pursued by the Data Controller or a third party;

e) The recipients of the personal data or categories of recipients;

f) Where applicable, the fact that the Data Controller intends to transfer personal data to a third country or an international organization;

g) The duration of storage of personal data, or, if that is not possible, the criteria for determining that duration;

h) The data subject’s right to request access to, rectification of, erasure of, or restriction of processing of personal data concerning them, and to object to such processing, as well as the right to data portability;

i) In the case of data processing based on the consent of the data subject, the right to withdraw consent at any time, which shall not affect the lawfulness of processing based on consent before its withdrawal;

j) The right to lodge a complaint with a supervisory authority;

k) Whether the provision of personal data is based on a legal obligation or a contractual requirement or is a prerequisite for entering into a contract, as well as whether the data subject is obliged to provide personal data and the possible consequences of failing to provide such data;

l) The existence of automated decision-making, including profiling, as well as at least in those cases information on the logic involved and the significance and expected consequences of such processing for the data subject.

1. The data subject's right of access

The data subject has the right to receive feedback from the Data Controller regarding whether their personal data is being processed and, if such processing is taking place, to access their personal data and the following information:

a) The purposes of the data processing;

b) The categories of personal data concerning the data subject;

c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries and international organizations;

d) Where applicable, the intended duration of storage of personal data or, if that is not possible, the criteria for determining that duration;

e) The data subject’s right to request from the Data Controller the rectification, erasure, or restriction of processing of personal data concerning them, and to object to such processing;

f) The right to lodge a complaint with a supervisory authority;

g) If the data was not collected from the data subject, any available information about its source;

h) The existence of automated decision-making as referred to in Article 22(1) and (4) of the Regulation, including profiling, as well as at least in those cases information on the logic involved and the significance and expected consequences of such processing for the data subject.

If personal data is transferred to a third country or an international organization, the data subject has the right to be informed about the appropriate safeguards regarding the transfer as per Article 46 of the Regulation.

The Data Controller shall provide the data subject with a copy of the personal data being processed. For any additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the request is submitted electronically by the data subject, the information shall be provided in a commonly used electronic format unless the data subject requests otherwise. The right to request a copy of the data shall not adversely affect the rights and freedoms of others.

2. The right to erasure ("the right to be forgotten")

The data subject has the right to request the deletion of their personal data by the Data Controller without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if any of the following grounds apply:

a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;

b) The data subject withdraws their consent on which the processing is based, as per Article 6(1)(a) or Article 9(2)(a) of the Regulation, and there is no other legal basis for the processing;

c) The data subject objects to the processing as per Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing under Article 21(2);

d) The personal data has been processed unlawfully;

e) The personal data must be deleted to comply with a legal obligation to which the Data Controller is subject under Union or Member State law;

f) The personal data was collected in relation to the offering of information society services as referred to in Article 8(1) of the Regulation.

If the Data Controller has made the personal data public and is obliged to delete it under point 1 above, they shall take reasonable steps, taking into account available technology and the cost of implementation, to inform other Data Controllers that are processing the personal data that the data subject has requested the deletion of links to such personal data or copies or replications of such personal data.

3. The right to erasure ("the right to be forgotten")

The data subject has the right to request the restriction of processing by the Data Controller if any of the following applies:

a) The data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data;

b) The processing is unlawful, and the data subject opposes the deletion of the data and instead requests the restriction of its use;

c) The Data Controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims; or

d) The data subject has objected to the processing under Article 21(1) of the Regulation; in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject.

If the processing is restricted, such personal data may only be processed, except for storage, with the consent of the data subject, or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.

The Data Controller shall inform the data subject whose processing has been restricted prior to lifting the restriction.

4. The right to data portability

The data subject has the right to receive their personal data provided to a data controller in a structured, commonly used, machine-readable format, and they have the right to transmit this data to another data controller without hindrance from the original data controller if:

a) the data processing is based on consent or a contract; and

b) the processing is carried out by automated means.

When exercising the right to data portability, the data subject is entitled to request the direct transmission of personal data between data controllers, where technically feasible.

5. The Right to Object

The data subject has the right to object at any time, for reasons related to their own situation, to the processing of their personal data based on the legitimate interests pursued, including profiling based on those provisions. In this case, the data controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject or are related to the establishment, exercise, or defense of legal claims.

If the processing of personal data is for the purpose of direct marketing, the data subject has the right to object at any time to the processing of their personal data for that purpose. If the data subject objects to the processing of their personal data for direct marketing purposes, then the personal data may no longer be processed for that purpose.Az érintett jogosult arra, hogy a saját helyzetével kapcsolatos okokból bármikor tiltakozzon személyes adatainak a jogos érdek érvényesítésén alapuló kezelése ellen, ideértve az említett rendelkezéseken alapuló profilalkotást is.

6. Automated decision-making in individual cases, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would have legal effects concerning them or similarly significantly affect them.

This right cannot be exercised in cases where the decision: 

a) is necessary for the conclusion or performance of a contract between the data subject and the data controller; 

b) is permitted by applicable Union or Member State law, which also establishes appropriate measures to protect the rights and freedoms of the data subject as well as their legitimate interests; or 

c) is based on the explicit consent of the data subject.

7. Deadline for Processing Requests from the Customer as Data Subject

1. Ha az Adatkezelőnek, megalapozott kétségei vannak a kérelmet benyújtó természetes személy kilétével kapcsolatban, további, az érintett személyazonosságának megerősítéséhez szükséges információk nyújtását kérheti.

2. The Data Controller shall inform the data subject of the measures taken in response to the request to exercise their rights without undue delay, and in any case within one month of the receipt of the request.

3. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by an additional two months. The Data Controller shall inform the data subject of the extension of the deadline, specifying the reasons for the delay, within one month of the receipt of the request.

4.  If the data subject has submitted the request electronically, the information shall be provided electronically if possible, unless the data subject requests otherwise.

5. If the Data Controller takes no action in response to the request of the data subject, it shall inform the data subject without undue delay, but no later than one month from the receipt of the request, of the reasons for the inaction and that the data subject has the right to lodge a complaint with a supervisory authority and to exercise their right to judicial remedy.

6. If the request is manifestly unfounded or, in particular, due to its repetitive nature, excessive, the Data Controller may, taking into account the administrative costs of providing the requested information or taking the requested action:

a) charge a fee, or

b) refuse to act on the request.

The burden of proving that the request is manifestly unfounded or excessive lies with the Data Controller.

If the Data Controller has reasonable doubts regarding the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the data subject.

4. Complaint to the supervisory authority

Without prejudice to any other administrative or judicial remedies, every data subject has the right to lodge a complaint with a supervisory authority.

The supervisory authority of the data controller:

The rules for submitting and handling complaints are governed by the provisions of the Regulation and the Info Act, as well as the guidelines described on the NAIH website.

6. CHAPTER

ACTIVITY OF DATA PROCESSOR

1. Data processing activities

2. The Company qualifies as a Data Processor concerning the data defined in this policy.

3. This policy shall apply to the Company's data processing activities with the deviations outlined in this chapter. In this chapter, the designation of Data Controller is the Company.

2. Data processor guarantee provision

1. The Company, as a Data Processor, guarantees—especially concerning expertise, reliability, and resources—that it will implement the technical and organizational measures necessary to ensure compliance with the requirements of the Regulation, including the security of data processing.

2. During its activities as a Data Processor, the Company ensures that individuals authorized to access the personal data of the data subject—unless they are otherwise bound by an appropriate confidentiality obligation based on law—commit to confidentiality regarding the personal data they become aware of. The text of the applicable Confidentiality Declaration is included in Appendix 9 of this policy.

3. The Data Controller has appropriate hardware and software tools and commits to implementing technical and organizational measures to ensure the legality of data processing and the protection of the rights of data subjects.

4. The Data Controller has the legal and technical conditions for electronic communication with state authorities.

5. The Company undertakes to provide the Data Controller with all information necessary to demonstrate compliance with the legal provisions regarding the use of the Data Processor.

3. Obligations and Rights of the Client (Data Controller)

1. The Data Controller has the right to monitor the execution of the activities of the Data Processor in accordance with the contract.

2. The Data Controller is responsible for the legality of the instructions related to the tasks defined in the contract; however, the Data Processor is obliged to immediately inform the Data Controller if the Data Controller's instruction or its execution would violate any laws.

3. The Data Controller is obliged to inform the affected natural persons about the data processing under this contract and to obtain their consent if required by law.

4. Responsibilities and Rights of the Data Controller as Data Processor

1. Right to Issue Instructions: During the activities of the data processor, it shall act solely on the written instructions of the Data Controller.

2. Confidentiality: During the activities of the data processor, it ensures that persons authorized to access the personal data of the data subjects—if they are not otherwise subject to a relevant confidentiality obligation based on legal regulations—shall undertake a confidentiality obligation concerning the personal data they become aware of. The applicable text of the Confidentiality Declaration is included in Appendix 9 of this regulation.

3. Data Security: The data processor shall implement appropriate technical and organizational measures to guarantee a level of data security commensurate with the risks, taking into account the current state of science and technology, the costs of implementation, and the nature, scope, circumstances, and purposes of the data processing, as well as the varying probabilities and severity of risks to the rights and freedoms of natural persons. The data processor shall take measures to ensure that natural persons acting under its authority and having access to the personal data may only process said data in accordance with the instructions of the data controller unless required otherwise by EU or member state law. The data processor shall ensure that only authorized persons have access to stored data through internal systems or direct access, and only in connection with the purposes of the data processing. The data processor shall ensure the necessary regular maintenance and development of the tools used. The data storage device shall be placed in a secured room with appropriate physical protection, ensuring its physical safety. The data processor is obliged to use persons with appropriate knowledge and experience for the performance of the tasks specified in the contract. Furthermore, it must ensure the training of the persons it employs regarding compliance with data protection legal provisions, obligations contained in this contract, and the purpose and method of data collection.

4. Engagement of Additional Data Processors: The data processor undertakes to engage additional data processors only under the conditions specified in the Regulation and the Info Act. The Data Controller provides a general authorization in this contract for the data processor to engage additional data processors (subcontractors). Before engaging the additional data processor, the data processor shall inform the Data Controller about the identity of the additional data processor and the planned tasks to be performed by the additional data processor. If the Data Controller raises an objection against the engagement of the additional data processor based on this information, the data processor may engage the additional data processor only upon fulfilling the conditions specified in the objection. If the data processor uses the services of additional data processors for certain specific data processing activities carried out on behalf of the Data Controller, it is required to enter into a written agreement and impose the same data protection obligations on the additional data processor as those contained in the contract established under this regulation between the Data Controller and the data processor, particularly ensuring that the additional data processor provides sufficient guarantees for the implementation of appropriate technical and organizational measures, thereby ensuring that the data processing complies with the requirements of this regulation. If the additional data processor fails to fulfill its data protection obligations, the data processor that engaged it shall be fully responsible to the Data Controller for the performance of the obligations of the additional data processor.

5. Cooperation with the Data Controller

a) The Company, as a data processor, shall assist the Data Controller with all appropriate means in facilitating the exercise of data subjects' rights and fulfilling related obligations.

b) The Company, as a data processor, shall support the Data Controller in meeting the obligations outlined in Articles 32-36 of the Regulation (Data Security, Data Protection Impact Assessment, and Prior Consultation), taking into account the nature of the data processing and the information available to the data processor.

c) The Company, as a data processor, shall provide the Data Controller with all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the Regulation (The Data Processor), and which enables and facilitates audits conducted by the Data Controller or another auditor appointed by the Data Controller, including on-site inspections. In this regard, the data processor shall promptly inform the Data Controller if it believes that any of its instructions violate the Regulation or national or EU data protection provisions.

6. Conditions of the Data Controller's Data Processing Activities

1. The Data Controller shall enter into a written contract with the client for the data processing activity.

2. The conditions of the Data Controller's data processing activities are set forth in Annex 8 of this policy.

7. CHAPTER

CLOSING PROVISIONS

1. Establishment and Modification of the Policy

The establishment and modification of the policy is the responsibility of the manager of the Data Controller.

2. Measures for Familiarizing Employees with the Policy

The provisions of this policy must be communicated to all employees (workers) of the Data Controller, and it must be stipulated in employment contracts that compliance with and enforcement of this policy is a significant job responsibility for every employee (worker).