Privacy policy
on the rights of the natural person concerned with regard to the processing of his or her personal data

Company name: iTStudy Hungary Számítástechnikai Oktató- és Kutatóközpont Kft.
Address: 2100 Gödöllő, Testvérvárosok útja 28.
Tax number: 14517626-2-13
Company registration number: 13-09-124089
Represented by: Hartyányi Mária

This Notice sets out the internal rules for the Company's data processing activities in order to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation).

The establishment and amendment of the Prospectus is at the discretion of the Executive Director.

Gödöllő, 24 May, 2018

Introduction

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter "the Regulation") requires that the controller takes appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject's rights.

The obligation of prior information of the data subject is also provided for in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

The following information is provided to comply with this legal obligation.

The information shall be published on the company's website or sent to the person concerned upon request.

Chapter I: Name of the controller

Company name: iTStudy Hungary Számítástechnikai Oktató- és Kutatóközpont Kft.
Address: 2100 Gödöllő, Testvérvárosok útja 28.
Tax number: 14517626-2-13
Company registration number: 13-09-124089
Representative: Hartyányi Mária
Telephone number: +36 28 430 695
E-mail address: edu@itstudy.hu
Website: https://www.itstudy.hu/

(hereinafter referred to as "the Company") 

Chapter II: Identification of data processors

Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; (Article 4(8) of the Regulation)

The use of a data processor does not require the prior consent of the data subject, but the data subject must be informed. Accordingly, the following information is provided:

1. Our IT service provider

For the maintenance and management of its website, our Company uses a data processor who provides IT services (hosting service) and, within the framework of this service, processes the personal data provided on the website for the duration of our contract with him/her, and the operation performed by him/her is the storage of personal data on the server.

This data processor is:

Company name: PROMPT-H Számítástechnikai Oktatási, Kereskedelmi és Szolgáltató Kft.
Address: 2100 Gödöllő Testvérvárosok útja 28.
Company registration number: 13-09-078201
Tax number: 12337545-2-13
Representative: Dr. Lengyel József ügyvezető igazgató
Phone number: (28) 430-695
Fax: –
E-mail address: office@prompt.hu
Website: www.prompt.hu

2. Our company's accounting service provider

Our Company uses an external service provider for the fulfilment of its tax and accounting obligations through an accounting service contract, which also processes personal data of natural persons who have a contractual or paying relationship with our Company, for the purpose of fulfilling the tax and accounting obligations of our Company.

The name of this data processor is as follows:

Company name: T.REX Könyvelő és Adótanácsadó Kft.
Address: 1185 Budapest, Nyíregyháza u. 62.
Company registration number: 01-09-666924
Tax number: 12343502-2-43
Representative: Berényi Erika
Phone number: +36 (1) 292-2339

3. Postal services, delivery, parcel delivery

These data processors receive from our Company the personal data (name, address, telephone number of the data subject) necessary for the delivery of the ordered product and use this data to deliver the product. These service providers are: Magyar Posta

4. Security service provider

Our company does not use a data processor to perform these tasks; it carries out the surveillance of, access to and entry to the workplace, and the related data processing, itself.

Chapter III: Employment-related data processing

1. Labour and personnel records

(1) Only such data and medical examinations of the fitness for employment as are necessary for the establishment, maintenance and termination of the employment relationship and for the provision of social welfare benefits and which do not infringe the employee's individual rights may be requested from employees and kept.

(2) The Company shall process the following data of the employee for the purposes of the establishment, performance or termination of the employment relationship for the purposes of the legitimate interests of the employer (Article 6(1)(f) of the Regulation):

1. name,
2. name at birth,
3. date of birth,
4. mother's name,
5. address,
6. nationality,
7. tax identification number,
8. social security number,
9. retired person's registration number (in the case of a retired worker),
10. telephone number,
11. e-mail address,
12. identity card number,
13. official residence card number,
14. bank account number,
15. online identifier (if available)
16. start and end date of employment,
17. job title,
18. a copy of the document proving your education and training,
19. photograph,
20. curriculum vitae,
21. amount of salary, details of salary and other benefits,
22. the amount of the debt to be deducted from the employee's wages, or the right to deduct it, on the basis of a final decision or a legal provision or written consent,
23. an assessment of the employee's work,
24. the manner and reasons for termination of employment,
25. depending on the job, his or her character record,
26. a summary of the occupational aptitude tests,
27. in the case of membership of a private pension fund or voluntary mutual insurance fund, the name of the fund, its identification number and the employee's membership number,
28. in the case of a foreign worker, passport number; name and number of the document certifying entitlement to work,
29. details recorded in the records of accidents to the worker;
30. data necessary for the use of welfare services, commercial accommodation;
31. data recorded by the Company's camera and access control systems and location systems used for security and property protection purposes.

(3) The employer shall process data relating to sickness and trade union membership only for the purpose of fulfilling a right or obligation under the Labour Code.

(4) The recipients of personal data are: the employer's manager, the person exercising the employer's authority, the Company's employees performing labour-related tasks and its data processors.

(5) Only personal data of employees in managerial positions may be transferred to the owners of the Company.

(6) Duration of storage of personal data: 3 years after termination of employment.

(7) The data subject shall be informed before the processing is started that the processing is based on the Labour Code and the legitimate interests of the employer.

2. Processing of applicants' data, applications, CVs

(1) The personal data that may be processed are: the name, date and place of birth, mother's name, address, qualifications, photograph, telephone number, e-mail address of the natural person, employer's record of the applicant (if any).

(2) Purpose of the processing of personal data: application, assessment of the application, conclusion of an employment contract with the selected person. The data subject must be informed if the employer has not chosen him/her for the job in question.

(3) Legal basis for processing: consent of the data subject.

(4) Recipients or categories of recipients of personal data: managers and employees performing employment-related tasks who are entitled to exercise the rights of an employer in the Company.

(5) Duration of the storage of personal data: until the application is processed. The personal data of unsuccessful applicants shall be deleted. The data of those who withdraw their application or candidature shall also be deleted.

(6) The employer may retain applications only on the basis of the express, unambiguous and voluntary consent of the data subject, provided that the retention of the data is necessary for the purposes of achieving the data processing purposes in accordance with the law. Such consent shall be requested from candidates after the recruitment procedure has been completed.

3. Data processing related to the control of the use of your e-mail account 

1) If the Company provides the employee with an e-mail account, the employee may use this e-mail address and account solely for the purpose of his/her job duties, in order to keep in touch with each other or to correspond with clients, other persons or organisations on behalf of the employer.

2) Employees may not use the e-mail account for personal purposes or store personal correspondence in the account.

3) The employer is entitled to check the entire content and use of the e-mail account on a regular basis - every 3 months - and the legal basis for data processing is the legitimate interest of the employer. The purpose of the monitoring is to check compliance with the employer's provisions on the use of the e-mail account and to check the employee's obligations (Articles 8 and 52 of the Labour Code).

4) The head of the employer or the person exercising the employer's rights is authorised to carry out the check.

5) If the circumstances of the inspection do not preclude this, it must be ensured that the employee can be present during the inspection.

6) Prior to the check, the employee must be informed about the employer's interest in the check, who on the employer's side may carry out the check, the rules according to which the check may be carried out (compliance with the principle of gradual approach) and the procedure to be followed, and the employee's rights and remedies in relation to the processing of data in connection with the check of the e-mail account.

7) The principle of gradualness must be applied in the monitoring, so that it can be established in the first instance from the address and subject of the email that it is related to the employee's job and not personal. The content of non-personal e-mails may be examined by the employer without restriction.

8) If, contrary to the provisions of this policy, it can be established that the employee has used the e-mail account for personal purposes, the employee shall be requested to delete the personal data immediately. In case of absence or non-cooperation of the employee, the personal data shall be deleted by the employer upon verification. The use of the e-mail account in violation of this policy may result in the employer taking legal action against the employee under labour law.

9) The employee may exercise the rights set out in the chapter of this Code on the rights of the data subject in relation to the processing of data in connection with the monitoring of the e-mail account.

4. Data processing related to the control of computer, laptop, tablet

1) The computer, laptop, tablet provided by the Company to the employee for work purposes may be used by the employee only for the performance of his/her job duties, the Company prohibits the private use of these devices, the employee may not manage or store any personal data or correspondence on these devices. The Employer may monitor the data stored on these devices. The employer's control of these devices and the legal consequences thereof shall be governed by the provisions of point 1.4 above.

5. Data processing related to the monitoring of Internet use at work

1) Employees are only allowed to access websites related to their job duties, and the employer prohibits the use of the Internet for personal purposes.

2) The Company is the holder of the Internet registrations carried out on behalf of the Company as part of the employee's job duties, and the registration must be carried out using an identifier or password that refers to the Company. If the provision of personal data is also required for the registration, the Company shall initiate the deletion of such data upon termination of the employment relationship.

3) Employee's use of the Internet at work may be monitored by the employer, for which the provisions of section 1.4 shall apply, as well as the legal consequences thereof.

6. Data processing related to the control of the use of company mobile phones 

1) The employer does not allow the private use of the company mobile phone, the mobile phone can only be used for work-related purposes and the employer can monitor the caller ID and details of all outgoing calls and the data stored on the mobile phone.

2) The employee must report to the employer if the company mobile phone is used for private purposes. In this case, the employer may carry out the check by requesting a call detail from the telephone service provider and asking the employee to make the numbers called unrecognisable on the document in the case of private calls. The employer may require the employee to bear the cost of private calls.

3) In all other respects, the provisions of point 1.4 shall apply to the control and the consequences.

7. Data management in relation to the timesheet system

Our company uses an electronic access control system at its headquarters for the purpose of monitoring employee obligations. The identification data (name and address) of authorised access holders processed for the operation of the electronic access control system are stored

(a) in the case of regular access, at the end of the period of access, but no later than 12 months after the data were generated,

b) The access database data may only be disclosed to the asset protection service or to the investigating authority or the authority responsible for criminal offences or irregularities in the event of suspicion of a criminal offence or irregularity or on request.

8. Data processing in relation to workplace CCTV

1) Our Company uses an electronic surveillance system to protect human life, physical integrity, personal liberty, trade secrets and property in its headquarters, premises and premises open to customers, which allows image recording, and therefore the behaviour of the data subject recorded by the camera can be considered personal data.

2) The legal basis for this processing is the legitimate interests of the employer and the consent of the data subject.

3) The fact that an electronic surveillance system is being used in a given area must be indicated by a clearly visible and legible sign, displayed in a way that informs third parties wishing to enter the area. The information shall be provided for each camera. This information shall also include information on the fact of surveillance by the electronic asset protection system, the purpose of the recording and storage of the images containing personal data recorded by the system, the legal basis for the processing, the place where the recording is stored, the duration of the storage, the identity of the person using (operator) the system, the persons who are authorised to access the data and the provisions on the rights of the data subjects and the procedures for exercising them. The information is set out in Annex 5 to these Rules.

4) Pictures of third parties (customers, visitors, guests) entering the monitored area may be taken and processed with their consent. Consent may also be given by impulse. Impulses may be given in particular where the natural person entering the monitored area is
electronic surveillance system installed in the area.

5) Recorded recordings may be kept for a maximum of 3 (three) working days if not used. The use of the recorded images and other personal data as evidence in judicial or other official proceedings shall be considered as use.

6) Any person whose right or legitimate interest is affected by the recording of the data of the image recording may, within three working days of the recording of the image recording, request that the data not be destroyed or deleted by the controller by providing evidence of his or her right or legitimate interest.

7) No electronic monitoring system may be used in premises where such monitoring could be offensive to human dignity, in particular in changing rooms, showers, toilets or, for example, in a doctor's room or the adjoining waiting room, or in premises designated for the purpose of workers' breaks.

8) If no one is legally allowed to be present in the workplace, in particular outside working hours or on public holidays, the entire workplace (e.g. changing rooms, toilets, break rooms) may be monitored.

9) In addition to those authorised by law, the data recorded by the electronic surveillance system may be viewed by the operating staff, the employer's manager and deputy manager, and the workplace manager of the area monitored, for the purposes of detecting infringements and checking the operation of the system.

Chapter IV: Contract-related processing

1. Processing of contracting partners' data - register of customers, suppliers 

(1) For the purpose of the conclusion, performance or termination of a contract, or the granting of a contractual discount, the Company shall process the following data of the natural person contracted with it as a buyer or supplier: name, name at birth, date of birth, mother's name, address, tax identification number, tax number, entrepreneur's or farmer's identity card number, personal identity card number, address of the registered office, address of the establishment, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, frequent buyer lists). This processing is also considered lawful if the processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: employees of the Company performing customer service tasks, employees performing accounting and tax tasks, and data processors. Duration of processing of personal data: 5 years after the termination of the contract.

(1) The data subject must be informed before the processing starts that the processing is based on the legal basis of the performance of the contract; such information may also be given in the contract.

(2) The data subject shall be informed of the transfer of his or her personal data to a processor.

2. Contact details of natural person representatives of legal person customers, buyers, suppliers

(1) The scope of personal data that may be processed: name, address, telephone number, e-mail address, online identifier of the natural person.

(2) Purpose of the processing of personal data: performance of a contract with a legal entity partner of the Company, business relations; legal basis: consent of the data subject.

(3) Recipients or categories of recipients of personal data: employees of the Company performing customer service tasks.

(4) Duration of the storage of personal data: 5 years after the business relationship or the data subject's capacity as a representative.

3. Visitor data management on the Company's website

(1) Cookies are short data files placed on the user's computer by the website visited. The purpose of the cookie is to make the given infocommunication, internet service easier and more convenient. There are several types, but they generally fall into two broad categories. One is the temporary cookie, which is placed on the user's device by the website only during a particular session (e.g. during the security identification of an online banking transaction), and the other is the persistent cookie (e.g. a website's language setting), which remains on the computer until the user deletes it. According to the European Commission's guidelines, cookies [unless strictly necessary for the use of the service] can only be placed on the user's device with the user's permission.

(2) In the case of cookies that do not require the user's consent, information shall be provided during the first visit to the website. It is not necessary for the full text of the cookie notice to appear on the website, but it is sufficient for website operators to provide a brief summary of the substance of the notice and a link to the full notice.

(3) In the case of cookies requiring consent, the information may also be linked to the first visit to the website, if the processing of data associated with the use of cookies starts as soon as the page is visited. Where the use of the cookie is linked to the use of a function explicitly requested by the user, the information may also be provided in relation to the use of that function. Even in this case, it is not necessary for the full text of the cookie notice to be displayed on the website; a brief summary of the substance of the notice and a link to the full notice are sufficient.

4. Information about the use of cookies

(1) In accordance with common Internet practice, our Company also uses cookies on its website. A cookie is a small file containing a series of characters that is placed on a visitor's computer when they visit a website. When you visit that site again, the cookie enables the site to recognize the visitor's browser. Cookies may also store user preferences (e.g. language chosen) and other information. Among other things, they may collect information about the visitor and his or her device, remember the visitor's individual preferences, or be used, for example, when using online shopping carts. In general, cookies facilitate the use of the website, help the website to provide users with a real web experience and an effective source of information, and enable the website operator to monitor the functioning of the site, prevent abuse and ensure the smooth and adequate provision of services on the website.

(2) Our Company's website records and manages the following data about the visitor and the device used for browsing when using the website:

  • the IP address used by the visitor,
  • the type of browser,
  • the characteristics of the operating system of the device used for browsing (language set),
  • the time of the visit,
  • the (sub)page, function or service visited.

(3) Acceptance or authorisation of the use of cookies is not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. While most browsers automatically accept cookies by default, these can usually be changed to prevent automatic acceptance and will offer you the choice each time.

You can find out about the cookie settings of the most popular browsers by following the links below:

Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amitweboldak-használnak
Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-11
Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-10-win-7
Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-9
Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internetexplorer/delete-manage-cookies#ie=ie-8
Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacyfaq
Safari: https://support.apple.com/hu-hu/HT201265

That said, please note that certain website features or services may not function properly without cookies.

(4) The cookies used on this website are not in themselves capable of identifying the user.

(5) Cookies used on the Company's website:

(a) technically necessary session cookies

These cookies are necessary to enable visitors to browse the website, to use its functions smoothly and fully, to use the services available through the website, including, but not limited to, the annotation of the actions performed by the visitor on the pages concerned during a visit. The duration of the processing of these cookies is limited to the current visit of the visitor, and this type of cookie is automatically deleted from his/her computer at the end of the session or when the browser is closed.

The data processed are: AVChatUserId, JSESSIONID, portal_referer.

The legal basis for this data processing is Article 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (Elkertv.).

The purpose of the processing is to ensure the proper functioning of the website.

b) Cookies requiring consent:

These allow the Company to remember the user's choices about the website. The visitor can opt-out of this processing at any time before and during the use of the service. These data cannot be linked to the user's identification data and cannot be transferred to third parties without the user's consent.

c) Cookies to facilitate use:

The legal basis for processing is the consent of the visitor. The purpose of the processing is to increase the efficiency of the service, to enhance the user experience and to make the use of the website more convenient.

d) Performance cookies:

Google Analytics cookies - you can find out more here: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Google Ads cookies - you can find out more here: https://support.google.com/adwords/answer/2407785?hl=hu

5. Community Policy / Data management on the Company's Facebook page

(1) The Company maintains a Facebook page for the purpose of publicizing and promoting its products and services.

(1) A question posted on the Company's Facebook page does not constitute a formal complaint.

(2) The Company shall not process personal data posted by visitors to the Company's Facebook page.

(3) Visitors are subject to the Facebook Privacy and Terms of Service.

(4) In the event of publication of illegal or offensive content, the Company may exclude the person concerned from membership or delete his/her post without prior notice.

(5) The Company is not responsible for any illegal content or comments posted by Facebook users. The Company shall not be liable for any errors, malfunctions or problems arising from the operation of Facebook or from changes in the operation of the system.

6. Data management in the Company's webshop

(1) Purchases made in the webshop operated by the Company shall be considered as a contract, subject to Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, and to Government Decree 45/2014 (26.II.) on the detailed rules of contracts between consumers and businesses.

(2) The Company may process the natural personal identification data and address of the customer registering in the webshop for the purposes of creating, defining the content of, amending and monitoring the performance of the contract for the provision of information society services, invoicing the fees arising therefrom and enforcing claims in connection therewith, pursuant to Article 13/A(1) of Act CVIII of 2001, and, on the basis of consent, the telephone number, e-mail address, bank account number and online identifier of the customer registering in the webshop.

(3) For billing purposes, the Company may process personal data relating to the use of information society services, address, and data concerning the time, duration and place of use of the service, pursuant to Article 13/A(2) of Act CVIII of 2001.

(4) The recipients or categories of recipients of personal data are: employees of the Company performing tasks related to customer service and marketing activities, as data processors, employees of the Company's tax and accounting company for the purpose of fulfilling tax and accounting obligations, employees of the Company's IT service provider for the purpose of fulfilling hosting services, employees of the courier service for the purpose of delivery data (name, address, telephone number).

(5) Duration of the processing of personal data: until the registration/service is completed or until the data subject's consent is withdrawn (request for deletion), in case of a purchase, for 5 years after the year of purchase.

Chapter V: Processing based on legal obligations

1. Processing of data for tax and accounting obligations 

(1) The Company shall process the data of natural persons who have business relations with the Company as customers or suppliers for the purpose of fulfilling legal obligations, tax and accounting obligations (bookkeeping, taxation) as provided by law.  §-of the Act of 2000 on Accounting: name, address, designation of the person or organisation ordering the transaction, signature of the person ordering the transaction and the person certifying the execution of the order, and, depending on the organisation, the signature of the controller; on the stock movement vouchers and cash management vouchers, the signature of the recipient, and on the counterfoils, the signature of the payer, and, pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneur's identity card number, farmer's identity card number, tax identification number.

(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.

(3) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security functions.

2. Payer data processing

(1) The Company shall process the personal data of the data subjects - employees, their family members, workers, recipients of other benefits - with whom it has a relationship as a paying agent (Act 2017:CL. on the Rules of Taxation (Art.), § 7.31.) for the purposes of fulfilling its legal obligations, tax and contribution obligations (tax, advance tax, contributions, payroll, social security, pension administration). The scope of the data processed is defined in Article 50 of the Art., specifically highlighting the following: the natural person's identification data (including previous name and title), gender, nationality, tax identification number, social security number. If the tax laws impose a legal consequence, the Company may process data relating to employees' membership of health (Section 40 of the Social Security Act) and trade unions (Section 47(2) b) of the Social Security Act) for the purposes of meeting tax and contribution obligations (payroll accounting, social security administration).

(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.

(3) Recipients of the personal data: employees and data processors of the Company performing tax, payroll, social security (payroll) tasks.

3. Processing of data for the purpose of complying with anti-money laundering obligations 

(1) The Company shall process the personal data of its customers, their representatives and beneficial owners for the purpose of preventing and combating money laundering and terrorist financing in the performance of a legal obligation pursuant to Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (Pmt.): a) the surname and given name of the natural person, b) surname and given name at birth, c) nationality, d) place and date of birth, e) mother's name at birth, f) address, or, in the absence thereof, place of residence, g) type and number of identification document; number of official identity card proving address, copies of the documents presented.

(2) Recipients of personal data: employees of the Company performing customer service tasks, the Company's manager and the Company's designated person pursuant to the Pmt.

(3) Duration of storage of personal data: 8 years from the termination of the business relationship or from the execution of the transaction order.

Chapter VI: Summary information on the rights of the data subject

In this chapter, for the sake of clarity and transparency, a brief summary of the data subject's rights is provided, the detailed information on the exercise of which is given in the next chapter. 

Right to prior information 

The data subject has the right to be informed of the facts and information relating to the processing before the processing starts (Articles 13-14 of the Regulation).

The detailed rules are set out in the next chapter.

Right of access of the data subject

The data subject has the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right of access to the personal data and related information specified in the Regulation (Article 15 of the Regulation).

The detailed rules are set out in the next chapter.

Right to rectification

The data subject has the right to obtain, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration (Article 16 of the Regulation).

Right to erasure ("right to be forgotten") 

The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay upon his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay where one of the grounds set out in the Regulation applies (Article 17 of the Regulation).

The detailed rules are set out in the next chapter.

Right to restriction of processing

The data subject has the right to obtain, at his or her request, the restriction of processing by the controller if the conditions set out in the Regulation are fulfilled.

The detailed rules are set out in the next chapter.

Obligation to notify the rectification or erasure of personal data or restriction of processing

The Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients (Article 19 of the Regulation).

The right to data portability

Subject to the conditions set out in the Regulation, the data subject has the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data (Article 20 of the Regulation).

The detailed rules are set out in the next chapter.

The right to object

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation (Article 21 of the Regulation).

The detailed rules are set out in the following chapter.

Automated decision-making on individual cases, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22 of the Regulation).

The detailed rules are set out in the next chapter. 

Restrictions

Union or Member State law applicable to a controller or processor may, by legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 (Article 23 of the Regulation).

Detailed rules are set out in the next chapter.

Informing the data subject about the personal data breach

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject of the personal data breach without undue delay (Article 34 of the Regulation).

The detailed rules are set out in the next chapter.

Right to lodge a complaint with a supervisory authority (right to official redress) 

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation (Article 77 of the Regulation).

Detailed rules are set out in the next chapter.

Right to an effective judicial remedy against the supervisory authority 

All natural and legal persons have the right to an effective judicial remedy against a legally binding decision of a supervisory authority which is addressed to them or which does not deal with the complaint or does not inform the person concerned of the procedural developments or the outcome of the complaint within three months (Article 78 of the Regulation).

Detailed rules are set out in the next chapter.

The right to an effective judicial remedy against the controller or processor

Any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation (Article 79 of the Regulation).

The detailed rules are set out in the next chapter.

Chapter VII: Detailed information on the rights of the data subject

Right to prior information

The data subject has the right to be informed of the facts and information relating to the processing before the processing starts.

A) Information to be provided where personal data are collected from the data subject 

(1) Where personal data relating to the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:

(a) the identity and contact details of the controller and, where applicable, the controller's representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purposes for which the personal data are intended to be processed and the legal basis for the processing;
(d) in the case of processing based on Article 6(1)(f) of the Regulation (legitimate interests), the legitimate interests of the controller or of a third party;
(e) where applicable, the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second paragraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy or the availability of a copy.

(2) In addition to the information referred to in point (1), the controller shall, at the time of obtaining the personal data, in order to ensure fair and transparent processing, provide the data subject with the following additional information:

(a) the duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
(b) the data subject's right to obtain from the controller access to, rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of such personal data, and the data subject's right to data portability;
(c) in the case of processing based on Article 6(1)(a) (consent of the data subject) or Article 9(2)(a) (consent of the data subject) of the Regulation, the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract, and whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data; 
(f) the fact of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation, and, at least in those cases, clear information on the logic used and the significance of such processing and its likely consequences for the data subject.

(3) Where the controller intends to further process personal data for a purpose other than that for which they were collected, the controller shall inform the data subject of that other purpose and of any relevant additional information referred to in paragraph 2 before further processing.

(4) Points (1) to (3) shall not apply if and to the extent that the data subject already possesses the information (Article 13 of the Regulation).

B) Information to be provided where the personal data have not been obtained from the data subject

(1) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and contact details of the controller and, where applicable, the controller's representative;
(b) the contact details of the Data Protection Officer, if any; 
(c) the purposes for which the personal data are intended to be processed and the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy thereof or their availability.

(2) In addition to the information referred to in point (1), the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing for the data subject:

(a) the duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
(b) where the processing is based on Article 6(1)(f) (legitimate interest) of the Regulation, the legitimate interests of the controller or of a third party;
(c) the right of the data subject to request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her and to object to the processing of personal data and the right to data portability;
(d) in the case of processing based on Article 6(1)(a) (consent of the data subject) or Article 9(2)(a) (consent of the data subject) of the Regulation, the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) the source of the personal data and, where applicable, whether the data originate from publicly accessible sources; and
(g) the fact of automated processing, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.

(3) The controller shall provide the information referred to in points 1 and 2 as follows:

(a) having regard to the specific circumstances in which the personal data are processed, within a reasonable period from the date on which the personal data were obtained, but not later than one month;
(b) where the personal data are used for the purpose of contacting the data subject, at least at the time of the first contact with the data subject; or
(c) where the data are likely to be disclosed to another addressee, at the latest at the time of the first disclosure of the personal data.

(4) Where the controller intends to further process personal data for a purpose other than that for which they were obtained, the controller shall inform the data subject of that other purpose and of any relevant additional information referred to in paragraph 2 prior to further processing.

(5) Points 1 to 5 do not apply if and to the extent that:

(a) the data subject already has the information; 
(b) the provision of the information in question proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, taking into account the conditions and guarantees provided for in Article 89(1) of the Regulation, or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures, including making the information publicly available, to protect the rights, freedoms and legitimate interests of the data subject;
(c) the obtaining or disclosure of the data is expressly required by Union or Member State law applicable to the controller, which provides for appropriate measures to protect the legitimate interests of the data subject; or
(d) the personal data must remain confidential pursuant to an obligation of professional secrecy under Union or Member State law, including a legal obligation of secrecy.

Right of access of the data subject

1. The data subject has the right to receive feedback from the Controller as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; 
(d) where applicable, the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
(e) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of such personal data;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the data have not been collected from the data subject, any available information concerning their source;
(h) the fact of automated processing, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.

2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.

3. For additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to obtain a copy must not adversely affect the rights and freedoms of others (Article 15 of the Regulation).

Right to erasure ("right to be forgotten")

1. The data subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Controller shall be obliged to erase personal data relating to the data subject without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) or Article 9(2)(a) of the Regulation and there is no other legal basis for the processing; 
(c) the data subject objects to the processing on the basis of Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing or the data subject objects to the processing on the basis of Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data have been collected in connection with the provision of information society services referred to in Article 8(1) of the Regulation.

2. Where the Controller has disclosed the personal data and is obliged to delete it pursuant to point 1 above, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the Data Controllers that process the data that the data subject has requested the deletion of the links to or copies of the personal data in question.

3. Points 1 and 2 shall not apply where the processing is necessary:

(a) for the exercise of the right to freedom of expression and information;
(b) for compliance with an obligation under Union or Member State law to which the controller is subject and which requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) pursuant to Article 9(2)(h) and (i) and Article 9(3) of the Regulation, on grounds of public interest in the field of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in point (1) would be likely to render such processing impossible or seriously jeopardise it; or
(e) for the establishment, exercise or defence of legal claims (Article 17 of the Regulation).

Right to restriction of processing

1. The data subject shall have the right to obtain restriction of processing by the Controller at his or her request if one of the following conditions is met:

(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.

2. Where processing is restricted pursuant to point 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

3. The controller shall inform the data subject at whose request the processing has been restricted pursuant to point 1 in advance of the lifting of the restriction (Article 18 of the Regulation).

Right to data portability

1. The data subject shall have the right to receive personal data concerning him or her which he or she has provided to a Data Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another Data Controller without hindrance from the Data Controller to which he or she has provided the personal data, if:

(a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a) of the Regulation or on a contract within the meaning of Article 6(1)(b); and

(b) the processing is carried out by automated means.

2. In exercising the right to data portability under point 1, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.

3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

The right to object

1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation, including profiling based on those provisions. In such a case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or which relate to the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.

3. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.

4. The right referred to in points 1 and 2 shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information shall be clearly displayed separately from any other information.

5. In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21 of the Regulation).

Automated decision-making on individual cases, including profiling 

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply where the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and the controller;

(b) is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or

(c) is based on the explicit consent of the data subject.

3. In the cases referred to in points 2(a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.

4. The decisions referred to in point (2) shall not be based on the special categories of personal data referred to in Article 9(1) of the Regulation, unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject (Article 22 of the Regulation).

Restrictions

1. Union or Member State law applicable to a controller or processor may, by legislative measures, limit the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation, and in Article 5 in so far as its provisions correspond to the rights and obligations set out in Articles 12 to 22, if the limitation respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect:

(a) national security;
(b) national defence;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the independence of the judiciary and the protection of judicial proceedings;
(g) the prevention, investigation, detection and prosecution of ethical breaches in the regulated professions;
(h) control, investigation or regulatory activities related, even occasionally, to the exercise of public authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil claims.

2. The legislative measures referred to in point 1 shall contain, where appropriate, at least detailed provisions on:

(a) the purposes or categories of processing,
(b) the categories of personal data,
(c) the scope of the restrictions imposed,
(d) safeguards against misuse or unauthorised access or disclosure,
(e) the identification of the controller or the categories of controllers,
(f) the duration of storage and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing,
(g) the risks to the rights and freedoms of data subjects; and
(h) the data subjects' right to be informed of the restriction, except where this may undermine the purpose of the restriction. (Article 23 of the Regulation)

Informing the data subject about the personal data breach

1. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.

2. The information referred to in point (1) shall clearly and plainly describe the nature of the personal data breach and shall include at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the Regulation.

3. The data subject need not be informed as referred to in point 1 if any of the following conditions are met:

(a) the Data Controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
(b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in point 1 is no longer likely to materialise;
(c) the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure which ensures that the data subjects are informed in an equally effective manner.

4. If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed or determine that one of the conditions referred to in point 3 is met (Article 34 of the Regulation).

Right to lodge a complaint with a supervisory authority

1. Without prejudice to other administrative or judicial remedies, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority to which the complaint has been lodged shall inform the data subject of the procedural developments and the outcome of the complaint, including the right to a judicial remedy under Article 78 of the Regulation (Article 77 of the Regulation).

Right to an effective judicial remedy against the supervisory authority 

1. Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.

2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the supervisory authority competent pursuant to Articles 55 or 56 of the Regulation does not deal with the complaint or does not inform the person concerned within three months of the procedural developments concerning the complaint lodged pursuant to Article 77 or of the outcome of the complaint.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

4. Where proceedings are brought against a decision of the supervisory authority on which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court. (Article 78 of the Regulation)

The right to an effective judicial remedy against the controller or processor

1. Without prejudice to available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, any data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.

2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority (Article 79 of the Regulation).

Chapter VIII: Submission of the data subject's request, actions by the controller

1. The Controller shall inform the data subject of the measures taken in response to his or her request to exercise his or her rights without undue delay and in any event within one month of receipt of the request.

2. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request.

3. Where the data subject has made the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.

4. If the controller does not take action on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the lack of action and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

5. The Controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the rights of the data subject (Articles 15 to 22 and 34 of the Regulation) and take action free of charge. If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller shall, taking into account the administrative costs of providing the requested information or of taking the requested action:

(a) charge a fee of HUF 10 000, or

(b) refuse to act on the request.

(c) The burden of proving that the request is manifestly unfounded or excessive shall lie with the Data Controller.

6. If the Controller has reasonable doubts as to the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the data subject.