1. PREAMBLE, OBJECTIVE OF THE RULES
1.1 ORIANA International Tanácsadó, Fejlesztő és Szolgáltató Zrt. (Seat 1037 Budapest, Montevideo utca 6. 1. em.; Registration number: 01-10-140105; VAT number: 26597694-2-41; hereinafter: „Company”) during its activity processes personal data defined in Article 4, point (1) of regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („GDPR”) originated from the Companies clients, recipients of its marketing messages and visitors to its facilities, as well as other affected persons. These rules and information on data protection (hereinafter: „Rules”) include the conditions of data processing of the Company of these personal data.
1.2 The Company, as data controller, subjects itself to the contents of these Rules, furthermore undertakes liability to that all the data management connected to its activities shall be compliant to the requirements specified in these Rules and the valid Hungarian and EU legal regulations.
1.3 The objective of these Rules is that the processing of personal and incidental sensitive data
- (a) necessary for using the services of the Company,
- (b) necessary for the popularization of the services of the Company,
- and (c) necessary for the activity of the Company
should take place pursuant to the provisions of theprevailing Hungarian and EU legal regulations on data protection. The objectiveof these Rules furthermore is that the Company previous to the processing ofpersonal data to provide clear and detailed information on all facts relatingto the processing of personal data, especially the purpose and legal basis ofthe data processing, the persons authorized to process and manage the data, theduration of the data processing, and to determine who can access the data andwhich rights and remedies are available for the affected person.
1.4 Furthermore, the objective of these Rules is that in the whole scope of services provided by the Company, the affected person can be assured of that – regardless of the affected person’s sex, nationality or home address – the affected person’s rights and basic rights of freedom, such as especially their right to private life will be respected while their personal data is processed electronically (data protection). The Company shall process the recorded personal data in confidence, by complying with the legal regulations and international recommendations on data protection and these Rules on data protection.
2. INTERPRETATION OF THE RULES, DEFINITIONS
2.1 These Rules shall be interpreted based on the principles of English language in consideration of the general legal principles of the Hungarian civil law. When interpreting these Rules, the words and phrases written in capital letters shall have the meaning conferred to them on their first place of appearance in the Rules – independently of their tense, mode and case, or whether they are singular or plural.
2.2 In harmony with the provisions of Act CXII of year 2011 on the right to possess personal data and the freedom of information (hereinafter: „Info Law”) and the regulation of GDPR where it cannot be interpreted otherwise based on the context, the terms used in low-case letters in these Rules shall mean the following:affected person/user means the natural person whose personal data the Company processes specifically but not exclusively
- a) the person who establish business relationship with the Company;
- b) the employees of the Company;
- c) persons applying for a job offered by the Company.
business advertisement information, statement, method of appearance, aimed at promoting the sales or other usage of marketable movables that can be possessed – including money, securities and financial assets and natural resources that can be utilised as things – (hereinafter jointly: the product), services, real estates, rights constituting asset value (hereinafter all of these jointly: goods) or, in connection with this objective, aimed at popularising the name, trademark, activities of the corporation or goods or brands;
controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
consent/ approval of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
contract means contracts concluded between the affected person and the Company in connection with the activities of the Company;
data processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data management fulfilling technical tasks connected to data processing operations independently of the method and tools used for their realisation and the place of usage, provided that the technical tasks are realised with data;
destruction the complete physical destruction of data carrier containing the data;
data transfer making the data available to a specified third party;
data erasure making data unrecognizable in a way that their restoring is not possible any longer;
data blocking providing data with identification marking in order to limit its further management definitely or for a specified period; instead of erasure, the Company blocks the data where the definite erasure of the data would breach the lawful interests of the affected person; blocked data shall be treated exclusively as long as the objective of data management exists, which excluded the erasure of the personal or sensitive data;
disclosure making the data available to anyone;
objection the statement of the affected person by objecting the processing of its personal data and by which it requests the erasure of the processed data;
personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
personal identification data the first and last name, maiden name, of the affected person, its sex, place and date of birth, its mother’s birth first name and last name, permanent address, place of stay, social security identification mark jointly or any of them which is or may be suitable for identifying the affected person;
pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
processor means a natural or legal person, public authority, agency or other body which manages personal data on behalf of the controller;
sensitive data personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
supervisory authority means the authority which is responsible for personal data and the freedom of information in Hungary, the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/. Mail address: 1387 Budapest Pf 40.)
third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
2.3 If it is notconcluded differently from the text otherwise:
- a) reference to any legal regulations in these Rulesincludes the incidental later modified, expanded, uniform structure of thelegal regulation in question
- b) in these Rules the titles and paragraph numbers serve exclusivelyreference and they shall be considered only together with the interpretation ofthe text of these Rules;
- c) all references to a person in these Rules mean reference to any person,company, association, government, state, state institution or authority;
- (d) any of the provisions of these Rules shall notbe interpreted in a way that it would exclude the liability or legal remedy forfraudulent statements or procedures or statements or procedures made orinitiated in bad faith.
3. NAME AND CONTACT INFORMATION OF THE CONTROLLER
3.1 Name of the Company as controller: ORIANA International Tanácsadó, Fejlesztő és Szolgáltató Zrt.
3.2 Seat of the controller: 1037 Budapest, Montevideo utca 6. 1. em
3.3 Mail (postal) address of the controller: 1037 Budapest, Montevideo utca 6. 1. em
3.4 Registration number of the controller: 01-10-140105
3.5 VAT number of the controller: 26597694-2-41
3.6 E-mail address of the controller: firstname.lastname@example.org The affected person shall acknowledge that the Company will receive only the questions, complaints of the affected person relating to its own data processing or to these Rules at the above e-mail address.
4. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA3. NAME AND CONTACT
4.1 The Company shall use and store the personal data provided by the affected person lawfully, fairly and in a transparent manner only for specified purposes determined in these Rules.
4.2 The personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3 The process of the personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4.4 The processed personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken by the Company to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
4.5 The processed personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
4.6 The personal data shell be processed by the Company in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
4.7 The Company shall process the personal data only for the realization of the purposes specified in these Rules.
4.8 Where the affected person is a child below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The Company shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
4.9 The Company shall be responsible for, and be able to demonstrate compliance with the provisions of this paragraph.
5. OBJECTIVE OF DATA PROCESSING, PURPOSES OF PROCESSED DATA, AND DURATION OF DATA PROCESSING
5.1 Data processing related to the Company’s business activities
The Company during its business activity may process personal data. Personal data shall only be processed by the Company for the purpose of (i) identifying the affected person, distinguishing them from other affected persons, and maintaining contact with the the affected person; (ii) performing any legal or contractual relationship; (iii) performing any contract; (iv) in the event of termination of the contract, enforcement of claims and enforcement of collateral; (v) sending notices or other communications related to the services provided by the Company; (vi) the fulfillment of data processing and data reporting required by legislation; (vii) settlement of accounts and proof of obligations and rights of the parties related to any contract; (viii) processing for statistical purposes, including data collection for market analysis purposes. During the business activity of the Company personal data shall be processed based on the voluntary approval of the affected person or on purpose for the performance of a contract to which the affected person is party or in order to take steps at the request of the affected person prior to entering into a contract determined by section 5 (1) a) of Info Law and article 6 (1) (a) and (b) of the GDPR.
Where the legal basis of the data processing is the performance or preparation of a contract, the contract shall contain all the information which the affected person shall know concerning the processing of personal data, in particular the definition of the data to be processed, the duration of data processing, the purpose of use of personal data, the fact of the transfer of personal data, the recipients and the use of data processors. The contract shall state unambiguously that, by signing the contract, the affected person shall consent to the processing of his/her personal data as specified in the contract.
Where data processing is based on the consent of the affected person, the Company shall provide the affected person prior to granting consent with any information that the data subject must know about the processing of personal data, in particular the definition of the data to be processed, the duration of data processing, the purpose of use of personal data, the fact of the transfer of personal data, the recipients and the use of data processors.
Duration of data processing In the case of entering into a contract with its partners, the Company shall process the personal data for a period of five (5) years counted from the date of termination of the contractual relationship or the enforceability of the contract, and thereafter the Company shall be obliged to erase the personal data. In the case of data processing based on the consent of the affected person, the data processing shall continue until the consent is revoked or the affected person requests to delete the data, unless there is no other legal basis for data processing.
5.2 Data processing related to advertising activity
Pursuant to Section 6 paragraph (1) of Advertising Law, advertisement for the purpose of direct marketing by direct contact of a natural person as a recipient of advertising (such as electronic mail or other equivalent individual communication tool, with the exception of the postal item sent by the addressee) may be communicated only if the recipient has given prior, unambiguous, and express consent to it. In harmony with the applicable law and the consent of the affected persons, the Company shall be obliged to maintain a record of the personal data provided by the affected persons who has given his/her consent. Data recorded in this register – regarding the recipient of the advertisement – may only be processed in accordance with the consent statement, until it is revoked, and may be transferred to third parties only with the prior consent of the affected person or in case if it is permitted by law.
The affected person shall therefore authorize the Company and may agree that the Company shall inform the affected person about its services by direct mail or other tools of communication (telephone, e-mail, SMS, etc.) and shall agree that the Company process his/her personal data for such purpose. The affected person may, at any time, forbid – without limitation or justification – the Company to send him/her direct marketing promotional material, and may at any time and free of charge withdraw his/her consent to send such promotional letters and to process of his/her personal data on the purpose of marketing. The affected person may declare his/her claim in this manner to the Company through the contact details specified in these Rules and through any other contact details listed on the mailings of the Company. In this case, the client will no longer be contacted by the Company for advertising purposes.
5.3 Data processing related to the employees of the Company
objective of data processing, and processed data: To comply with the registration and notification obligations according to the applicable labor law the Company shall process the following personal data of its employees based on the voluntary approval of the affected person or on the fulfillment on the Company’s obligations under the legislation stipulated in section 5 (1) a) and b) of Info Law and article 6 (1) (a) and (c) of the GDPR:
- (a) surname and forename;
- (b) surname and forename at birth;
- (c) nationality;
- (d) date and time of birth;
- (e) mother”s maiden name;
- (f) adress;
- (g) bank account number;
- (h) social security number;
- (i) type and number of identification document
The Company informs the affected person that the data processing described in this section is based on legal authorization. The consent shall be given by the affected person in the labour contract regarding the employment relationship or in a separate declaration.
5.4 Data processing related to potential employees of the company
Legal basis of the data processing related to potential employees of the Company is based on the informed and unambiguous consent statement of the affected person stipulated in section 5 (1) a) of Info Law and article 6 (1) (a) of the GDPR. The purpose of data processing is to recruit and select potential employees for the Company. By sending his/her CV and other application documents to the Company, the potential employee approve that the Company shall store, process and use the personal data provided during application in accordance with applicable laws and regulations, until the affected person withdraw his/her consent, or for a period of 1 year counted from the date of filling the relevant position.
5.5 Data management related to visitors to Company premises
The Company shall operate and install surveillance cameras for security purposes in its office, premises, and in other property owned and managed by the Company. Cameras can capture images that can be viewed and used by data controller for property protection purposes or for performing labor contracts. The legal basis of the data processing determined in this section is the necessary purposes of the legitimate interests pursued by the controller stipulated in article 6 (1) f) of the GDPR. The purpose of data processing is to protect the Company’s assets and to prevent attacks on its assets and to detect persons who have committed attacks on their assets. The recordings will be deleted by the Company if they are not used for any purpose described in this section within 3 days after the recordings were made.
5.6 Data processing on the Homepages of the Company
The system used by the Company will identify the computer of the homepage operated by the company (hereinafter referred to as: “Hompage”) user by so-called cookies. In order that all contents of the Homepage can be viewed, the user should approve the cookies. Therefore, when downloading certain parts of the Homepage, cookies will be placed on the user’s computer, which are necessary for the operation of each function of the Homepage. Cookies are small text files, which are saved by the computer and the browser and the user will not receive any information on that from the Company. Cookies are not suitable for identifying the person of the user and they live only during the session. The objective of the Company with placing the cookies is to send essential information to the visitors in a targeted way. The above information shall be used by the Company exclusively for the operation of the Homepage and statistical purposes.
While browsing the Homepage, technical information is recorded (e.g. in the form of log files, which include the user’s IP address, the date and time, the URL of the visited page). The system logs such information continuously, but it will not connect it to the information provided during usage. The users will not but only the Company will access to information collected in this way. The Company shall use the above information exclusively for the technical operation and for statistical purposes of the Homepage.
During the operation of the Homepage, automatically, technically recorded data may be stored in the system for a reasonable period from the time of their generation to ensure the operation of the system. The controller ensures that these automatically recorded data cannot be interconnected with other personal data, except in cases that are legally binding. If the user has terminated his or her consent to the management of his or her personal data or has been unsubscribed from the service, then his/her personal data will not be identifiable excluding for investigation authorities or for their experts.
By accepting the Rules, the affected person shall acknowledge that during the usage of the Homepage, he/she shall not share content or shall not send messages, which
- (a) breaches other people’s honor, dignity;
- (b) impeaches other persons for their national, ethnic origin race, affiliation to a religious group or presumed debt;
- (c) impeaches any services, business companies, without grounds, in bad faith or with the aim of discrediting.
The Company will erasure such personal data immediately and call the affected person to fulfil the above requirements. Should the affected person behave in the same way, by breaching the above rules after the notice, the Company, without any further notice, reserves the right to itself to erasure the data of the affected person.
6. GENERAL REGULATIONS OF DATA PROCESSING
6.1 The Company informs the affected person that no process of sensitive data takes place.
6.2 It is the voluntary decision of the affected person whether or not to give the personal data included in paragraph 5 of the Rules to the Company but without the recording of personal data specified in above most of the services provided by the Company cannot be used by the affected person. In case the affected person gives the data of a third party while using the services of the Company or in case the affected person causes any harm, the Company shall be entitled to claim compensation for damages from the affected person. The Company will not verify the personal data given to the Company. Exclusively the person providing the data shall be liable for the authenticity, truth of the provided data. Any affected person, when providing its e-mail address shall undertake liability for that only this person that has provided the contact information will use the services from the e-mail address.
6.3 The Company may request the affected person to provide other personal data as well subject to the condition that the Company shall specify the purpose of data processing before requesting so. Recording personal data shall be voluntary in each case and if certain personal data is not provided this fact shall not influence the services provided by the company.
6.4 Should the Company process personal or sensitive data of the affected person pursuant to any provisions of laws, then the Company shall inform the affected person on such data management operation, the purpose and duration of the operation before executing the – by also specifying the legal reference. Before requesting any personal data, the Company shall inform the affected person that the provision of the data in question is voluntary and based on the approval of the affected person or it is compulsory and is based on legal regulations.
6.5 The Company shall be entitled to use the personal data in a way that the data shall be deprived of its relationship to the affected person and for statistical purposes. The Company undertakes that it will be impossible to connect such data to any of the affected persons after their statistical processing.
6.6 The affected person shall acknowledge that the Company may process the provided personal data with the aim of safety data agreement, may request the copy of the affected person’s personal identity card with the aim of controlling the authenticity of personal data which the affected person can send to the Company either in a scanned form via e-mail or by regular mail but which shall be subject to special data processing approval. The Company shall store the personal data recorded during safety data control in its protected information system and only temporarily and after the completion of the safety data control the Company shall destroy the photocopy sent by the affected person. The Company shall inform the affected person on the purpose and further conditions of data processing realised via safety data control when requesting the information. The affected person shall acknowledge that courts, prosecutors, investigation authorities or authorities of minor infractions might contact the Company with the aim of requesting, transferring personal data or making documents available to them. The Company shall disclose to authorities personal data only in a quantity and to an extent, which is definitely necessary for achieving the purpose of the request upon the lawful requests from authorities – if the authority has specified the accurate purpose and the scope of information.
6.7 Where processing is based on consent affected person shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The processing shall be continued if there is any other legal basis of data processing.
7. ACCESS TO THE PROCESSED DATA, DATA MANAGEMENT AND DATA TRANSFER
7.1 Access to the processed data
Primarily the Company and the internal employees of the Company shall be entitled to know the personal data and they shall not publish or disclose the personal data to any third parties and they shall use the personal data for the purposes specified in the Rules. Within the scope of operation of its information system, the Company may use the services of a data processor person (e.g. system operator, system administrator.The Company shall be entitled to transfer the affected person’s personal data to its subcontractors. Before selecting its partners, the Company prepared such selections with utmost care. Such partners shall treat the confidential information acknowledged by them when fulfilling their liabilities and providing their services, subject to the provisions of legal regulations.
7.2 Data management
7.2.1 The controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of GDPR and ensure the protection of the rights of the data subject.
7.2.2 Processing by a processor shall be governed by a contract or other legal act, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.
7.2.3 The processor shall not process personal data except on instructions from the controller, unless required to do so by Union or Member State law.
7.2.4 On behalf of the Company the above listed processors manage personal data:
Name OF PROCESSOR
|ADDRESS OF PROCESSOR||MANAGED PERSONAL DATA||SERVICE PROVIDED|
1027 Budapest, Varsányi Irén utca 26-34. 3. lház. 6. em. 1.
Adept Consulting Kft
1139 Budapest, Forgách utca 37.
Name, e-mail address
2013 Pomáz, Huszár utca 13.
personal health record
Hubbes és Kovács Ügyvédi Iroda
1092 Budapest, Ráday u. 26.
personal data and contracts
|Microsoft Corporation||One Microsoft Way, Redmond, WA 98052-6399||personal data||IT services|
|IDDQD Kft||1136 Budapest, Hollán Ernő utca 3. 3. em. 3.a.||personal data||IT services|
|Hotjar Ltd.||Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta||website visitor statistics||website analytics|
25 First Street, 2nd Floor, Cambridge, MA 02141, United States
|name, email, website & ads statistics||marketing automation, CRM|
|Google LLC||600 Amphitheatre Parkway in Mountain View, California, United States.||website visitor statistics||website analytics, advertisement|
1037 Budapest, Montevideo utca
7.2.5 The Company reserves the right to use other processors for managing the personal data in the future. In this case the Company is obliged to inform the affected persons by sending them the modified Rules in which the new processors are listed.
8. DATA SECURITY
8.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- (a) the pseudonymisation and encryption of personal data;
- (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
8.2 The Company shall take all the measures necessary for ensuring the safety of personal data given by the users on during network communication, data storage and guarding. Access is strictly limited to personal data in order that illegal learning, illegal change and usage of personal data can be prevented. The information system and network of the Company is protected appropriately against fraud, spying, sabotage, vandalism, fire, flood, computer bugs, computer breaking that might take place during computer usage. At the same time in harmony with to the applicable legal limitations, the Company excludes its liability for data loss or damage caused by computer attacks that are beyond its control or by crimes committed by third parties.
8.3 When processing data, the Company shall preserve (1) secrecy: the Company protects personal data in a way that access to it can be possible to persons that are authorized to do so; (2) integrity: the Company protects the integrity and the accuracy of processing of personal data.
9. RIGHTS OF THE AFFECTED PERSONS
9.1 Right of information and access to personal data
The affected person shall have the right to obtain from the Company confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- (a) the purposes of the processing;
- (b) the categories of personal data concerned;
- (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) where the personal data are not collected from the affected person, any available information as to their source;
- (h) the existence of automated decision-making, including profiling, referred and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the affected person.
Where personal data are transferred to a third country or to an international organization, the affected person shall have the right to be informed of the appropriate safeguards pursuant relating to the transfer.
The Company shall provide a copy of the personal data undergoing processing. For any further copies requested by the affected person, the controller may charge a reasonable fee based on administrative costs. Where the affected person makes the request by electronic means, and unless otherwise requested by the affected person, the information shall be provided in a commonly used electronic form.
9.2 Right of rectification of personal data
The affected person shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the affected person shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
9.3 Right of erasure of personal data („right to be forgotten”)
The affected person shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies
- (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- (b) the affected person withdraws consent on which the processing is based according to point, and where there is no other legal ground for the processing;
- (c) the affected person objects to the processing pursuant;
- (d) the personal data have been unlawfully processed;
- (e) the personal data have to be erased for compliance with a legal obligation in EU or Hungarian law to;
- (f) the personal data have been collected in relation to offer of information society services directly to a child.
Where the controller has made the personal data public and is obliged pursuant to the above mentioned to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Erasure shall be refused (i) for exercising the rightof freedom of expression and information; (ii) for compliance with a legalobligation which requires processing by law to which the controller is subjector for the performance of a task carried out in the public interest or in theexercise of official authority vested in the controller; (iii) for reasons of public interest in the area ofpublic health; (iv) for archiving purposesin the public interest, scientific or historical research purposes orstatistical purposes likely to render impossible or seriously impair theachievement of the objectives of that processing; or (v) for the establishment,exercise or defence of legal claims.
9.4 Right to restriction of processing
The affected person shall have the right to obtain from the Company restriction of processing where one of the following applies:
- (a) the accuracy of the personal data is contested by the affected person, for a period enabling the Company to verify the accuracy of the personal data;
- (b) the processing is unlawful and the affected person opposes the erasure of the personal data and requests the restriction of their use instead;
- (c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the affected person for the establishment, exercise or defense of legal claims;
- (d) the affected person has objected to processing pursuant pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the affected persons consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of Hungary.
An affected person who has obtained restriction ofprocessing shall be informed by the Company before the restriction ofprocessing is lifted.
9.5 Right to data portability
The affected person shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- (a) the processing is based on consent or on a contract pursuant; and
- (b) the processing is carried out by automated means.
9.6 Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the mentioned above shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
The data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
9.7 Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
9.8 The affected person can exercise his/her above listed rights on one of the following contacts:
Name: ORIANA International Tanácsadó, Fejlesztő és Szolgáltató Zrt.
Korlátolt Felelősségű Társaság
Seat: 1037 Budapest, Montevideo utca 6. 1. em.
10. OBLIGATIONS OF THE AFFECTED PERSON
10.1 The affected person shall provide true, authentic personal data and – if any of the pieces of data is changed – shall correct the personal data or ask the Company to correct the information.
10.2 The Company, without any further notice, reserves the right to itself to erasure the data of an affected person that abuses the personal data of another person.
11. RECORDS OF PROCESSING ACTIVITIES
11.1 The Company shall be obliged, and the Company representative, shall maintain an electronic record of processing activities under its responsibility. That record shall contain all of the necessary information prescribed in GDPR and Info Law.
11.2 The Company and the Company representative shall make the record available to the supervisory authority on request
12. PERSONAL DATA BREACH
12.1 In the case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
12.2 When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the affected person without undue delay.
12.3 The communication to the affected person shall not be required if any of the following conditions are met:
- (a) the Company has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- (b) the Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of affected person is no longer likely to materialise;
- (c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the affected persons are informed in an equally effective manner.
12.4 If the Company has not already communicated the personal data breach to the affected person, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in clause 12.3. are met.
13. DATA PROTECTION OFFICER
13.1 the data protection officer of the Company:
Name: Takács Ildikó
Adress: 1037 Budapest, Lángliliom utca 2., 15. ép, fsz. 1.
Telephone no.: +36 30 377 8709
13.2 The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
13.3 Affected person may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the GDPR.
13.4 The data protection officer shall have at least the following tasks:
- (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to GDPR and to other Union or Hungarian data protection provisions;
- (b) to monitor compliance with GDPR, with other Union or Hungarian data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- (d) to cooperate with the supervisory authority;
- (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation, and to consult, where appropriate, with regard to any other matter.
13.5 The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing
14. LEGAL REMEDY
14.1 If the affected person believes that the Company by the data processing realised by itself breached these Rules or the prevailing legal regulations, then, in order to stop the presumed unlawful data processing, the affected person shall contact Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/. Mail address: 1387 Budapest Pf. 40.).
14.2 The affected person shall be entitled to initiate a legal procedure against the Company where it believes that the rights regulated the Rules are breached by the Company. The court shall act in urgency. The tribunal shall have jurisdiction in the litigation – according to the affected person’s decision – based on the home address of the affected person or the seat of the Company.
15. MODIFICATION, INTERPRETATION, EFFECTIVE DATE OF THE RULES
15.1 If the affected person believes that the Company by the data processing realised by itself breached these Rules or the prevailing legal regulations, then, in order to stop the presumed unlawful data processing, the affected person shall contact Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/. Mail address: 1387 Budapest Pf. 40.).
15.2 The affected person shall be entitled to initiate a legal procedure against the Company where it believes that the rights regulated the Rules are breached by the Company. The court shall act in urgency. The tribunal shall have jurisdiction in the litigation – according to the affected person’s decision – based on the home address of the affected person or the seat of the Company.