Privacy policy

I./

PREAMBLE

By establishing this Privacy Policy, Credit Control Menedzsment Korlátolt Felelősségű Társaság (head office: 1138 Budapest, Madarász Viktor utca 47-49.; registration authority: Court of Registration of the Budapest Metropolitan Court; registration number: 01-09-562111; tax number: 12177705-2-41) pursues one of the most basic objectives of its service provision, namely the protection of the personal data of the natural persons who contact it. Respecting the right to informational self-determination and the constitutional right to the protection of personal data, both enshrined in the Hungarian constitution, is of the utmost importance to us. To this end, we treat all personal data acquired in the course of our operation confidentially and maintain the security, technical and organisational measures that guarantee the safety of the data.

II./

INTRODUCTORY PROVISIONS

1./      Scope of the Policy

1.1./     The personal scope of the Policy applies to all organisational units of the company, its employees and persons who are related to it contractually or otherwise, and who perform personal data processing.

1.2./     The Policy shall enter into force on 25 May 2018, superseding the Privacy Policy dated 30 November 2015.

1.3./     The material scope of the Policy applies to all personal data managed by the company, as well as to the processing operations performed on them, regardless of the place of their creation, management and processing, and the form in which they appear.

 

2./      Explanatory provisions

2.1./     For the purposes of this Policy, the terms defined in Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR” or “Regulation”) and in Section 3 of Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter: “Info Act”) shall apply.

 

3./     Data processing principles

3.1./     The company is responsible for compliance with data protection rules.

3.2./     An employee of the company who processes data bears civil liability for damages and criminal liability for the lawful handling of personal data obtained in the exercise of his or her duties and responsibilities, as well as for the lawful exercise of his or her access rights to the company's records.

3.3./     The company must process personal data lawfully (i.e. with an appropriate legal basis and purpose) and fairly, respecting the data subject's right to informational self-determination.

3.4./     The company must process personal data in a transparent manner in relation to the data subject. The principle of transparency means that the data subject must clearly see where the data is collected from, how it is used, how the company consults it or performs other processing operations on it, and finally, to what extent and for how long the processing lasts. The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that the company use clear and plain language in such communication. The principle applies in particular to informing the data subjects about the identity of the company and the purpose of the processing, as well as to the fact that data subjects have the right to receive confirmation and information from the company about the data processed about them.

3.5./     No personal data shall be processed by the company unless it is indispensable and suitable for achieving the purpose of the processing, and only to such an extent and for such a duration as is necessary to achieve the given purpose. In order to ensure that personal data is not kept longer than necessary, the company must establish time limits for erasure or for a periodic review.

3.6./     If the company becomes aware that the personal data it is processing is inaccurate, incomplete or outdated, it must rectify the situation.

3.7./     Personal data must be processed by the company in a manner that ensures appropriate security and confidentiality of the personal data, including prevention of unauthorised access to, or unauthorised use of, the personal data and the equipment used for the processing.

3.8./     Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the company undertakes to implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk, in particular:

-        the pseudonymisation and encryption of personal data;

-        the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used for the processing of personal data;

-        the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

-        a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

3.9/     The company shall take measures to ensure that any natural person acting under its direction, who has access to personal data, does not process the same except upon the instruction of the company, unless they are required to do so by a Member State law or European Union law.

3.10./     The company is responsible for compliance with the principles relating to the processing of personal data, and must also be able to demonstrate such compliance.

3.11./     Accountability measures taken by the company include in particular:
-        publishing privacy notices
-        preparing a data map and recording processing operations
-        training and education
-        internal complaint management
-        conducting data protection impact assessments
-        auditing
-        data minimisation, pseudonymisation and other data security measures
-        selection and use of appropriate data processors
-        proper handling of personal data breaches
-        appointment of a data protection officer.

III./

LEGAL BASIS FOR PROCESSING

 1./ General rules

1.1./     Processing of personal data by the company is lawful only if and to the extent that at least one of the following applies:

-        contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,

-        legal obligation: processing is necessary for compliance with a legal obligation to which the company is subject,

-       legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the company, except where such interest is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

-       consent: the data subject has given their consent to the processing of their personal data for one or more specific purposes.

1.2./     The properly selected legal basis for processing determines which of the data subject's rights can be exercised:

Legal basis           | Right to erasure | Right to data portability | Right to object
Contract              | yes              | yes                       | no
Legal obligation      | no               | no                        | no
Legitimate interest   | yes              | no                        | yes
Consent               | yes              | yes                       | no, but consent can be withdrawn


2./      The individual legal bases

2.1./     Contractual obligation serves as a sufficient legal basis for processing the data necessary for the legal steps taken in the event of non-performance of the contract (in particular, direct satisfaction of the claim from the collateral of the contract, assignment, the filing of a lawsuit or the initiation of an enforcement procedure). The data processing in question is necessary to enforce the legally guaranteed and unilaterally exercisable rights of the party asserting the claim.

2.2./     Data processing for compliance by the company with a legal obligation is prescribed in particular by the following laws and regulations:

-        Section 6(3), Sections 8-9 and Sections 11-13/A of Act CXXII of 2011 on the Central Credit Information System
-        Section 12(1) and Section 169(2) of Act C of 2000 on Accounting
-        Section 161(2) and Subsections (2)-(3) of Section 288 of Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises
-        Section 3(2) of Government Decree 42/2015 (III. 12.) on the protection of the IT systems of financial institutions, insurance and reinsurance companies, investment firms and commodity exchange service providers
-        Section 81(1) of Act I of 2012 on the Labour Code
-        Subsections (1)-(2) of Section 50, Section 78(4), and Section 3 of Annex 1 of Act CL of 2017 on the Rules of Taxation
-        Subsection (1) and Subsections (3)-(3a) of Section 48 of Act CXVII of 1995 on Personal Income Tax
-        Section 46(2) and Section 47(1) of Act LXXX of 1997 on the eligibility for social security benefits and private pensions and the funding for these services
-        Section 5(1), Sections II.1.3, II.1.7, III.1 and V.1-2. of Annex 1 of MNB Decree 28/2014 (VII. 23.) on the rules of the handling of complaints by financial organisations
-        Section 3(3) of Govt. Decree 435/2016 (XII. 16.) on the detailed rules of complaint management procedures and complaint management regulations of investment firms, payment institutions, institutions issuing e-money, trade voucher issuers, financial institutions and independent payment service intermediaries.

2.3./     It may be deemed a legitimate interest when there is a material, legally regulated relationship between the data subject and the controller, especially in cases where the data subject is a customer or employee of the company.

2.4./     The company’s legitimate interest can be established if
-        it is lawful,
-        it is precisely formulated so that it can be weighed against the interests and fundamental rights of the data subject in the interest balancing test,
-        it represents a real (i.e. not theoretical) interest.

2.5./     The existence of a legitimate interest, the necessity of processing, and the proportionality of the restriction of the data subject’s rights can be examined and verified by performing the interest balancing test. The steps of the interest balancing test are as follows:
-        Step 1: determine what the purpose of processing is
-        Step 2: determine whether processing is absolutely necessary to achieve the purpose
-        Step 3: identify the legitimate interest of the company and establish the lawfulness of the interest
-        Step 4: determine, on the basis of the lawful interest, what personal data needs to be processed and for how long
-        Step 5: determine the data subject's possible interests (the points they can raise against data processing)
-        Step 6: establish why the interests of the company limit the fundamental rights and freedoms of the person concerned in a proportional manner.

2.6./     Processing based on consent is permitted only if the data subject gives their voluntary, specific, informed and unambiguous consent to the processing of data by a clear affirmative act, such as by a written or oral statement.

2.7./     Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for each of them.

2.8./     Where processing is based on consent, the company must be able to demonstrate that the data subject has consented to the processing.

2.9./     With consent-based processing, the company strives to provide the data subject with a pre-formulated statement of consent, which is made available to the data subject in an understandable and easily accessible form, using clear and simple language.

2.10./     In order for the consent to be deemed as informed consent, the data subject must at least be aware of the identity of the company and the purpose of processing. Consent should not be deemed as voluntarily given if the data subject has no real or free choice or is unable to refuse consent without suffering a detriment. The consent shall not be deemed voluntary, furthermore, if it does not allow for separate consent to each and every processing operation.

2.11/   The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing that was carried out based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

3./     Processing of special categories of personal data

3.1./     Personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms merits specific protection, as the context of its processing could create significant risks to the data subject’s fundamental rights and freedoms. Personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership, genetic and biometric data, and data concerning health, sex life or sexual orientation is deemed sensitive data.

3.2./     No sensitive data may be processed by the company unless the data subject has given his or her explicit consent to the processing of sensitive data for one or more specified purposes (for example, for preventive health or occupational health purposes, or for assessing the employee's ability to work).

IV./

RIGHTS OF THE DATA SUBJECT

1./      General Provisions

1.1./     With respect to the processing of his or her personal data by the company the data subject has a right to

a)   be informed of the facts and information related to the data processing before the data processing starts (“right of preliminary information”).

b)   ask the company to make his or her personal data and information related to its processing available to him or her (“right of access”)

c)   ask the company to rectify or supplement his or her personal data upon request or where prescribed by the law (“right to rectification”)

d)   ask the company to restrict the processing of his or her personal data upon request or where prescribed by the law (“right to restriction of processing”)

e)     request the company to erase his or her personal data upon request or where prescribed by the law (“right to erasure”)

f)    ask the company to disclose the personal data he or she provided to the company in a structured, commonly used and machine-readable format (“right to data portability”)

g)   object to the processing of his or her data, on grounds relating to his or her particular situation (“right to object”)

h)     turn to the National Authority for Data Protection and Freedom of Information or to a court (“right to legal remedy”).


2./      Special provisions

Right to information

2.1./     The company must inform the data subject of the fact and the purposes of processing. Where the personal data is collected by the company from the data subject, the data subject should be informed of whether he or she is obliged to provide the personal data, and of the legal consequences of not providing the data. If the data is obtained from the data subject, the information must be provided to the data subject at the time of data recording, whereas if the data does not originate from the data subject, then it should be provided within a reasonable period of time, but no later than one month, following the collection of the personal data, and if the data is used to keep contact with the data subject, at the time of the first contact.

2.2./     However, it is not necessary to inform the data subject if

a)   the data subject already has the relevant information,

b)   the recording or disclosure of personal data is required by law, or

c)   informing the data subject proves to be impossible or would require a disproportionate effort.

2.3./     The data subject must be informed of the following:

Information to be provided                                                                                                              | Data obtained from the data subject | Data not obtained from the data subject
the identity and contact details of the Controller                                                                                      | yes | yes
the name and contact details of the Data Protection Officer                                                                             | yes | yes
the legal basis and purpose of the processing                                                                                           | yes | yes
in the case of processing based on legitimate interest, the legitimate interest of the Controller                                       | yes | yes
the categories of personal data concerned                                                                                               | no  | yes
the recipients of the personal data                                                                                                     | yes | yes
transfers of data abroad                                                                                                                | yes | yes
the duration of the processing                                                                                                          | yes | yes
the rights of the data subject                                                                                                          | yes | yes
in the case of processing based on consent, the right to withdraw consent                                                               | yes | yes
the source of the personal data                                                                                                         | no  | yes
whether providing the personal data is a statutory or contractual requirement, whether the data subject is obliged to provide it, and the consequences of failure to provide it | yes | no
whether automated decision-making takes place                                                                                           | yes | yes


2.4./     The information provided to the data subject must be concise, easily accessible and understandable, and it must be formulated in clear and easy to understand language.

 

Right to access

2.5./     The company must inform the data subject upon request whether personal data concerning him or her is being processed by the company itself or by a data processor acting on its behalf, and must provide the information listed in Clause 2.3.

2.6./     The company shall provide information free of charge, without any undue delay but no later than within 25 days after the receipt of the request in writing (by post or email).

2.7./     The company may refuse to provide information if

a)   the requester is not requesting information about his or her own data,

b)   the requester cannot credibly prove that he or she is the person affected by the processing.

2.8./     If the company rejects the data subject’s request, it shall inform the requester of the reasons for the rejection and the available legal remedies.

 
Right to rectification

2.9./     If the personal data processed by the company or a data processor acting on its behalf are inaccurate, incorrect or incomplete, then it shall, especially if requested to do so by the data subject, promptly correct or rectify the data or – if it is compatible with the purpose of the data processing – supplement it with additional personal data submitted by the data subject or with a statement made by the data subject concerning the personal data being processed. The company shall rectify any data that is not correct provided that the necessary data is available (e.g. from a public register).

2.10./     The company shall be exempt from the obligation to rectify if

a)   no accurate, true or full personal data is available, and the data subject also fails to provide such data, or

b)   there is serious doubt as to the veracity of the data provided by the data subject.

2.11./     If the company rejects the data subject’s request, it shall inform the requester of the reasons for the rejection and the legal remedies available within 25 days of receiving the request at the latest.

 

Right to erasure

2.12./     The company shall erase the data subject's personal data without undue delay if

a)   the processing is unlawful,

b)   the data subject withdraws his or her consent to the processing and there is no other legal ground for processing,

c)   the erasure of data has been ordered by the law, a legal act of the European Union, the Authority, or a court

d)   the personal data must be erased in order to comply with a legal obligation in the EU or Member State law to which the company is subject; or

e) the data subject objects to the processing on the basis of his or her right to object and there are no overriding legitimate grounds for the processing.

 

2.13./     Section 2.12 shall not apply if the data processing is necessary for compliance with a statutory obligation or for asserting, enforcing or defending a legal claim.

2.14./     If the company rejects the data subject’s request, it shall inform the requester of the reasons for the rejection and the legal remedies available within 25 days of receiving the request at the latest.

 

Right to restriction of processing

2.15./     The company shall restrict the processing of data if

a)   the data subject disputes the accuracy or correctness of the personal data processed by the company or the data processor acting on its behalf, and the accuracy and correctness of the personal data being processed cannot be unambiguously determined, until the situation is clarified;

b)   the processing is unlawful and the data subject objects to the erasure of the personal data and requests the restriction of its use instead for as long as the legitimate interest on the basis of which the erasure is deferred (e.g. asserting a claim) exists;

c)   the data subject has objected to processing; in this case the restriction shall be valid until it is determined whether the legitimate interests of the company override those of the data subject.

 

2.16./      During the period of restriction, the company or the data processor acting on its behalf may perform any processing activity on the affected personal data other than storage only with the data subject's consent, or in order to establish, exercise or defend legal claims, or for the protection of the rights of another person, or as required by law, the relevant international treaty, or a binding legal act of the European Union.

2.17./     The company shall notify the data subject before the withdrawal of the restriction on processing.

2.18./     The company restricts the processing of personal data by temporarily blocking user access to the affected data in its IT system; the fact that the data is subject to a restriction must be clearly indicated in the IT system.

2.19./     If the company rejects the data subject’s request, it shall inform the requester of the reasons for the rejection and the legal remedies available within 25 days of receiving the request at the latest.

 

Right to data portability

2.20./     Where the processing of personal data is carried out by automated means, the data subject shall be allowed to receive the personal data concerning him or her which he or she provided to the company in a structured, commonly used, machine-readable and interoperable format, and to transmit the same to another controller. This right can be exercised if the processing is based on the consent of the data subject or is necessary for the performance of a contract.

2.21./     If the company rejects the data subject’s request, it shall inform the requester of the reasons for the rejection and the legal remedies available within 25 days of receiving the request at the latest.

 

Right to object

2.22./     The company shall ensure that any data subject can object to the processing of data relating to his or her unique situation even if the data processing is otherwise lawful. In this case, the company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the legitimate interests, rights and freedoms of the data subject or are necessary for the establishment, exercise or defence of legal claims.

2.23./     The company must inform the data subject of the right to object upon first contact.

2.24./     If the company rejects the data subject’s request, it shall inform the requester of the reasons for the rejection and the legal remedies available within 25 days of receiving the request at the latest.

 

Right to legal remedy

2.25./     In the event of a violation of his or her rights, the data subject may file a complaint with the Authority, the contact details of which are as follows: National Authority for Data Protection and Freedom of Information – 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

2.26./     Irrespective of the Authority's decision, if the data subject's rights have been violated, he or she may bring an action against the company before the court having jurisdiction based on the location of the company’s registered office.

 

V./

USE OF DATA PROCESSOR

 1.1./     If the company entrusts a data processor with processing activities, the Controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of the GDPR, including for the security of processing.

1.2./     The processor shall not engage a sub-processor without the prior written authorisation of the company.

1.3./     The carrying out of processing by a processor should be governed by a contract or other legal act under European Union or Member State law. This should be binding on the processor and the controller and should set out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data, and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.

1.4./     The following must be recorded in the data processing agreement:

Mandatory information:
-        the subject matter and duration of the processing
-        the nature and purpose of the processing
-        the type of personal data involved in the processing, and the categories of data subjects
-        the rights and obligations of the controller

Standard terms and conditions:
-        the processor shall process personal data only on the written instructions of the controller
-        the processor shall ensure that persons authorised to process the personal data are bound by a confidentiality obligation or are subject to an appropriate statutory obligation of confidentiality
-        the processor undertakes to implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk
-        the processor shall not engage a sub-processor except with the prior specific or general written authorisation of the controller
-        the processor shall cooperate with the controller in responding to requests related to the exercise of the rights of the data subjects
-        the processor shall assist the controller in performing its obligations
-        at the controller's choice, the processor shall delete or return all personal data to the controller after the end of the provision of processing services, and delete any existing copies
-        the processor shall make available to the controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits, including on-site inspections, conducted by the controller or another auditor mandated by the controller

Direct obligations of the processor:
-        the processor may process personal data only in accordance with the written instructions of the controller
-        the processor shall not engage a sub-processor except with the prior specific or general written authorisation of the controller
-        during the performance of its tasks, the processor shall cooperate with the supervisory authority
-        the processor undertakes to implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risk
-        the processor shall keep a record of all categories of processing carried out on behalf of the controller
-        the processor shall notify the controller of any personal data breach without undue delay after becoming aware of it
-        the processor shall appoint a data protection officer in the cases specified in the GDPR
-        if the processor determines the purposes and means of processing in violation of Article 28 of the GDPR, it shall be deemed the controller for the processing concerned

Other terms and conditions:
-        the processor may be subject to proceedings of the supervisory authority
-        an administrative fine may be imposed on the processor if it violates the provisions of the GDPR
-        additional sanctions may be applied to the processor if it violates the GDPR
-        the processor shall be liable for any damage caused by the processing if it has not complied with the obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller
-        the liability and compensation rules applicable in the event of a violation of the GDPR must also be stated in the contract.

1.5./     After the completion of the processing, the processor should, if asked to do so by the company, return or erase the personal data, unless there is a requirement to store the personal data under European Union or Member State law to which the processor is subject.

 VI./

RECORDS OF DATA PROCESSING OPERATIONS

1.1./     In order to prove compliance with the GDPR, the company shall keep a record of the processing activities it performs.

1.2./     In the processing records, the company shall record the following:
a)   the name and contact details of the controller and the data protection officer,
b)   the purposes of data processing,
c)   the range of data subjects and the data being processed,
d)   in the case of transmission of personal data, the range of recipients,
e)     in the case of international data transfers, the range of the transferred personal data and the description of sufficient guarantees,
f)    whether or not profiling is carried out,
g)   the legal grounds of the processing operations,
h)     the envisaged time limits for erasure of the processed personal data,
i)      a general description of the technical and organisational security measures implemented.

1.3./     The company must cooperate with the supervisory authority and make those records available to it on request, so that the authority can inspect those processing operations.

VII./

DATA PROTECTION IMPACT ASSESSMENT

1.1./     The purpose of the data protection impact assessment is to reveal the nature of processing, to examine its necessity and proportionality, and to facilitate the management of risks affecting the rights and freedoms of natural persons resulting from the processing of personal data by evaluating these risks and determining the measures for their management.

1.2./     A data protection impact assessment must be performed if any type of data processing is likely to result in a high risk to the rights and freedoms of natural persons. For this, the company must constantly evaluate the risks arising from its processing operations.

1.3./     If the company does not consider it necessary to carry out a data protection impact assessment in relation to the processing operation in question, it must document reasons for this.

1.4./     No data protection impact assessment needs to be carried out if:
a)   the data processing is not likely to result in a high risk to the rights and freedoms of natural persons.
b)   in terms of its nature, scope, circumstances and purposes, the processing is very similar to another processing operation for which a data protection impact assessment has already been made,
c)   the processing operations have been checked by the authority – under unchanged conditions – before the entry into force of the GDPR,
d)   the data processing operation has a legal basis, the law regulates the given data processing operation and a data protection impact assessment has already been carried out in relation to the given legal basis,
e)     the processing is included in the non-binding list compiled by the authority of processing operations for which no data protection impact assessment needs to be carried out.

1.5./     The Company shall review and re-evaluate the data protection impact assessment annually.

1.6./     The company must carry out the data protection impact assessment prior to data processing, with the exception of ongoing data processing, for which an assessment is needed if, in view of the changed circumstances, the continuation of data processing may constitute a high risk for the rights and freedoms of the data subjects.

1.7./     The data protection impact assessment shall be carried out by the company or an auditor commissioned by it.

1.8./     The process of the data protection impact assessment:
-        description of the planned processing
-        assessment of necessity and proportionality
-        examination of already planned measures
-        examination of the risks to rights and freedoms
-        measures aimed at managing risks
-        documentation
-        tracking and follow up.
1.9./     The impact assessment must include at least:
-        a systematic description of the envisaged processing operations and the purposes of processing,
-        an assessment of the necessity and proportionality of the processing operations in view of the purposes of processing,
-        the risks to the rights and freedoms of Data Subjects,
-        the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of Data Subjects and other persons concerned.
1.10./   If the company is unable to take appropriate measures to reduce the risks to an acceptable level, it must consult with the authority.

VIII./

DATA BREACH

1.1./     A data breach is a security incident occurring at the company that involves a violation of personal data. Depending on the circumstances, the violation of personal data may be related to the confidentiality, accessibility and integrity of the data at the same time, or any combination of these may occur.
1.2./     If the company becomes aware of a data breach, it must report it to the authorities without undue delay, preferably no later than 72 hours after becoming aware of the same. The report must include at least the nature of the personal data breach including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected, the name and contact details of the data protection officer, the likely consequences of the data breach, and finally the measures taken or proposed to be taken by the company to remedy the personal data breach. It is not necessary to report if the company can prove that the data breach probably involves no risk for the rights and freedoms of natural persons. If the report cannot be made within 72 hours, the reason for the delay must be explained, and the necessary information can then be communicated to the authority also in phases.
1.3./     When the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the company must notify the data subject without undue delay. The notification should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects, the precautionary measures taken by the company and the likely consequences of the data breach as well as the name and contact details of the data protection officer. The notification of the data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting any guidelines provided by it or by other relevant, e.g. law-enforcement, authorities. The data subjects do not need to be notified if it would require a disproportionate effort in which case the data subjects must be informed through public communication.
1.4./     Management process of data breaches:
-       detection of the data breach
-       identification of the data breach,
-       is it likely to involve a risk to the rights and freedoms of natural persons? (if it is not, there is no notification obligation, it must only be entered in the register of data breaches)
-       if it is, is it likely to involve a high risk for the rights and freedoms of the natural persons concerned? (if it is not, the data subjects need not be notified, it must only be entered in the register of data breaches)
-       if it is, the data subjects must be individually notified, and finally
-       the above process must be documented in the register of data breaches.
1.5./     The company must document any personal data breaches, presenting the facts relating to the personal data breach, its effects and the remedial action taken.

IX./
DATA PROTECTION OFFICER

1.1./     It is mandatory for the company to appoint a data protection officer, given that its processing of personal data is of a substantial nature.
1.2./     The data protection officer can be an employee of the company, but this activity can also be performed by a contracted agent.
1.3./     The data protection officer must be appointed on the basis of their professional competence and, in particular, expert-level knowledge of data protection laws and practices, as well as their suitability for management tasks.
1.4./     The company must publish the name and contact details of the data protection officer, and also report this to the authority.
1.5./     The name and contact details of the company’s Data Protection Officer: Dr. Belcsák Róbert, attorney-at-law, 1138 Budapest, Madarász Viktor utca 47-49.; [email protected]
1.6./     The company must make sure that
a) the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data,
b) the opinion of the data protection officer is always taken into account with sufficient emphasis when making decisions related to data protection,
c) all relevant information is disclosed to the data protection officer in a timely manner in order to be able to provide appropriate advice,
d) the data protection officer is immediately consulted if a data breach is detected.
1.7./     The company must support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain the data protection officer’s expert knowledge.
1.8./     The company must ensure that the data protection officer does not accept instructions from anyone in connection with their duties. The company may not sanction or dismiss the data protection officer for reasons related to their data protection duties. The data protection officer reports to the Managing Director of the company.
1.9./     The data protection officer is bound by an obligation of confidentiality in connection with their duties.
1.10./   The data protection officer may perform other tasks, but may not hold a position within the company in which they determine the purpose and means of personal data processing.
1.11./   The Data Protection Officer's tasks:
a)     provide information and professional advice to the data controller and the employees performing data processing activities regarding their obligations under the law,
b)     monitor compliance with the relevant laws and regulations and with the company's internal policies, including the assignment of responsibilities, awareness-raising of the staff involved in processing operations, and the related audits,
c)      upon request, provide advice as regards the data protection impact assessment and monitor its implementation,
d)     cooperate with the authority,
e)     act as a contact point for the authority on issues relating to data processing.
1.12./   In the performance of their tasks, the data protection officer must have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

X./
LIABILITY

1.1./     This policy is approved by the managing director of the company.
1.2./     The heads of departments are responsible for the implementation of this policy within their respective organisational units.
1.3./     All employees are obliged to report it if they become aware of, or even suspect, a violation of the policy. They may report to the head of department or the data protection officer.
1.4./     The employee performing the actual data processing must:
a)     retain the personal data in their possession,
b)     ensure the safe handling and storage of records containing personal data,
c)     ensure that no unauthorised persons can access the personal data they process,
d)     comply with the laws and internal regulations applicable to data processing,
e)     indicate without undue delay if they need the help of the head of department or the data protection officer in a data protection matter.

XI./
TRANSMISSION OF DATA

1.1./     The company does not transfer personal data to third countries or international organisations outside the European Union.

XII./
DATA SECURITY

1.1./     The company must, in particular,
-     deny access for unauthorised persons to the equipment used for data processing,
-     prevent unauthorised reading, copying, modification or removal of data storage devices,
-     prevent any unauthorised entry of personal data into the data processing system, as well as unauthorised access to, or modification or deletion of the personal data stored therein,
-     prevent the use of data-processing systems by unauthorised persons using data transfer devices,
-     ensure that persons authorised to use the data processing system only have access to the personal data specified in their access authorisation,
-     ensure that it can be verified and established to which recipient the personal data has been or may be forwarded, or has been or may be made available, by means of a data transfer device,
-     ensure that it can be subsequently checked and determined which personal data was entered into the data processing system, at which time, and by whom,
-     prevent any unauthorised access, copying, modification or deletion of personal data during its transmission or during the transport of the data storage device,
-     ensure that the data processing system can be restored in the event of a malfunction, and
-     ensure that the data processing system is functional, that errors occurring during its operation are reported, and that the personal data stored cannot be changed by operating the system improperly.
1.2./     Data security controls:

| Control area                  | Preventing                                                                                      | Detecting                                             | Responding                                          |
|-------------------------------|-------------------------------------------------------------------------------------------------|-------------------------------------------------------|-----------------------------------------------------|
| Organisational/administrative | regulation, designation of responsible persons, raising awareness                               | compliance                                            | addressing non-compliance                           |
| Physical                      | restricting access (end point, network, data storage device), controlled access                 | physical guarding, monitoring, water and fire alarm   | fire extinguishers, backup power source             |
| Perimeter security            | firewall, IPS, VPN, malware (spyware) protection, redundant architecture, content filtering     | malware protection, vulnerability screening           | incident management                                 |
| Network                       | encrypted transmission, zoning, redundant architecture                                          | SIEM (log information, log management)                | backup route                                        |
| End point                     | user authentication, malware protection                                                         | integrity protection, malware protection              | backup equipment, installation of security patches  |
| Application                   | secure app development, secure configuration                                                    | SIEM, vulnerability scanning                          | installation of security patches                    |
| Data                          | security backups, authorisation management, data asset inventory                                | access, monitoring                                    | recovery from backup, incident management           |

XIII./
CLOSING PROVISION

1.1./     Upon its entry into force, this policy shall supersede the previously issued policy.