Information and Data Protection

PRIVACY POLICY

ON THE RIGHTS OF NATURAL PERSONS

REGARDING THE PROCESSING OF THEIR PERSONAL DATA

 

 

CONTENTS

 

 

 

INTRODUCTION

 

CHAPTER 1 - NAME OF THE DATA CONTROLLER

 

CHAPTER 2 - DATA PROCESSORS

 

CHAPTER 3 - PROCESSING OF EMPLOYEES' PERSONAL DATA

 

  1. Labour and personnel records
  2. Handling of sensitive data
  3. Processing of data of employees applying for hiring, applications, CVs

 

CHAPTER 4 – PROCESSING RELATED TO CONCLUSION OR PERFORMANCE OF CONTRACTS

 

  1. Processing of natural person contracting partners’ data, registers of partners
  2. Contact details of natural persons representing legal persons

 

CHAPTER 5 – PROCESSING NECESSARY FOR COMPLIANCE WITH LEGAL OBLIGATIONS

 

  1. Processing for fulfilment of taxation and accounting requirements
  2. Processing by authorised social security agents

 

CHAPTER 6 – PROCESSING NECESSARY FOR THE PURPOSES OF THE LEGITIMATE INTERESTS

 

CHAPTER 7 – DATA PROTECTION REGISTER; SPECIFIC DATA PROCESSING ACTIVITIES

 

CHAPTER 8 – SUMMARY INFORMATION ON THE RIGHTS OF DATA SUBJECTS

 

CHAPTER 9 – DETAILED INFORMATION ON THE RIGHTS OF DATA SUBJECTS

 

CHAPTER 10 – PRESENTATION OF THE APPLICATION OF DATA SUBJECTS, MEASURES OF THE DATA CONTROLLER

 

 

INTRODUCTION

 

According to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), the Data Controller shall implement appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and to facilitate the exercise of the Data Subject's rights.

 

The right of prior information of the Data Subject is regulated by the Act CXII of 2011 on the right to informational self-determination and on the freedom of information.

 

With the information provided below, our company complies with these legal obligations.

 

The present Privacy Policy shall be published on the Company’s website and/or sent to the Data Subject at his or her request.

 

CHAPTER 1

NAME OF THE DATA CONTROLLER

 

 

The publisher of this Privacy Policy and the Data Controller:

 

NAME OF THE COMPANY: CAMPFILM Production Services Limited Liability Company

REGISTERED OFFICE: H-1075 Budapest, Károly körút 3/C. V.6., Hungary

TAXATION NUMBER: 14056482-2-42

COMPANY REGISTRATION NUMBER: 01-09-886847

REPRESENTED BY: Sára László and Marcell Gerő, managing directors

MAIN ACTIVITY: Production of motion picture, video and television programmes

 

(hereinafter referred to as Company or Data Controller)

 

 

CHAPTER 2

DATA PROCESSORS

 

Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller (Article 4 (8) of Regulation).

 

Engaging a Data Processor does not require the prior consent of the Data Subject, but the Data Subject must be informed of it. Accordingly, in case the Company engages a Data Processor to process the data of the Data Subject (including, inter alia, natural and legal persons providing IT, accounting, delivery or security services to the Company), it shall inform the Data Subject about the details of the Data Processor.

CHAPTER 3

PROCESSING OF EMPLOYEES' PERSONAL DATA

 

  1. Labour and personnel records

 

(1) The employer shall keep and record only those personal data of employees (including medical examinations) which are necessary for the establishment, maintenance and termination of employment or the provision of social welfare benefits and which do not infringe the employee’s personal rights.

 

(2) The Company shall process the following data of the employee for the purpose of establishing, maintaining or terminating an employment relationship for the purpose of enforcing the legitimate interests of the employer [Article 6 (1) (f) of Regulation]:

 

1. Name

2. Birth name

3. Date of birth

4. Mother’s name

5. Address

6. Citizenship

7. Tax identification number

8. Social security number

9. Pensioner registration number (in case of a retired employee)

10. Phone number

11. E-mail address

12. Bank account number

13. Starting and ending date of the employment relationship

14. Position

15. Copy of documents certifying education and professional qualifications

16. Photo

17. Curriculum vitae

18. Amount and data of wages, salaries and other benefits

19. Any debt to be deducted from the employee's salary on the basis of a final decision or law or his / her written consent and the right of such deduction

20. Evaluation of the employee's work

21. Method of and reasons for termination of employment

22. Summary of the suitability tests

23. In the case of membership of a private pension fund and/or a voluntary mutual insurance fund, the name of the fund, the identification number and the membership number of the employee

24. Passport number in the case of a foreign worker; the name and number of the document certifying his or her right to work

25. Data recorded in accident records of an employee

26. Data required for the use of the welfare services or commercial accommodation.

 

(3) The employer shall process the data concerning the employee's illness and trade union membership only for the purpose of performing the rights and obligations specified in the Labour Code. Depending on the position, the Company may ask the employee to present his or her official "certificate of good conduct"; however, it may not be copied.

 

(4) Recipients of personal data: employer’s manager, individual exercising the employer’s rights, members of staff and employees and partners of the Data Controller performing HR jobs.

 

(5) Duration of storage of personal data: 5 years after the termination of employment. Nevertheless, the Company is obliged to keep the documents concerning the employment and social security affiliation related to the employee's social insurance legal relationship for 5 years after the employee or former employee in question reaches the applicable age of retirement.

 

(6) The Data Subject must be informed prior to the commencement of the data processing that it is based on the Labour Code and the enforcement of the legitimate interests of the employer or based on a legal obligation.

 

2. Handling of sensitive data

 

(1) Special categories of personal data (hereinafter referred to as sensitive data) may be processed only in the case of the exceptions provided for in Article 9 (2) of the Regulation. Sensitive data shall be processed in particular with the explicit consent of the Data Subject, and where the processing is necessary for preventive medical or occupational health purposes, the assessment of the employee’s ability to work, medical diagnosis, medical or social care or treatment, or the management of health or social systems and services.

 

3. Processing of data of employees applying for hiring, applications, CVs

 

(1) Scope of personal data that may be processed: name, date and place of birth, mother’s name, address, qualification, photo, tax ID, social security number, bank account number, phone number, e-mail address of the applicant as well as notes prepared by the employer (if any).

 

(2) Purpose of the processing: evaluation of the application/proposal, conclusion of employment contract. The Data Subject shall be informed if the employer has not chosen him or her for the position.

 

(3) Legal basis of the processing: the consent of the Data Subjects according to Article 6 (1) a) of the Regulation.

 

(4) Recipients or categories of recipients of the personal data: manager authorized to exercise the rights of employer at the Company, employees responsible for labour duties.

 

(5) Duration of processing of personal data: The Company will store the data for a maximum of 90 days after the evaluation of the application or proposal. The personal data of non-selected applicants shall be deleted within 90 days of the evaluation of the application/proposal. The employer shall delete the data of the person concerned who has withdrawn his/her application within 3 working days of being notified of the withdrawal.

 

(6) The employer may retain applications only with the express, explicit and voluntary consent of the Data Subject, provided that their retention is necessary to achieve the purpose of the processing in accordance with the law. This consent must be requested from applicants once the recruitment procedure has been completed.

 

CHAPTER 4

PROCESSING RELATED TO CONCLUSION OR PERFORMANCE OF CONTRACTS

 

1. Processing and registering of natural person contracting partners’ data

 

(1) The Company, under the title of performing an agreement, for the purpose of entering into, performing and terminating the agreement and providing contractual discounts, processes the name, birthplace, date of birth, mother’s name, address, tax ID, number of sole trader’s licence, ID card number, pensioner’s reg. number, phone number, e-mail address, website address, bank account number, social security number of natural persons who entered into a contract with it as customers or suppliers. This processing is also considered lawful if the data processing is necessary to take action at the request of the Data Subject prior to the conclusion of the agreement. Recipients of personal data: Employees and partners of the company in position of customer service, accounting, administration and Data Processors. Period of storage of personal data: 5-10 years after termination of the agreement, subject to the character of the respective legal relationship.

 

(2) Prior to the commencement of the processing, the natural person concerned shall be informed that the processing is based on the right of execution of the contract and that the information may be provided in the contract. The Data Subject shall be informed of the transfer of his or her personal data to a Data Processor.

 

2. Contact details of natural persons representing legal persons

 

(1) Scope of personal data that may be processed: name, address, phone number, e-mail address of the natural person.

 

(2) Purpose of the processing: fulfilment of the contract concluded with the partner of the Company, business relations.

 

(3) Legal basis of the processing: fulfilment of the contract, enforcement of the legitimate interests of the Company, consent of the Data Subject.

 

(4) Recipients or categories of recipients of the personal data: employees of the Company performing customer service tasks.

 

(5) Period of storage of personal data: 5 years after the end of the business relationship or of the Data Subject's status as representative.

 

CHAPTER 5

PROCESSING NECESSARY FOR COMPLIANCE WITH LEGAL OBLIGATIONS

 

1. Processing for fulfilment of taxation and accounting requirements

 

(1) The Company processes the data of natural persons entering into a business relationship with it as a customer or supplier for the purpose of fulfilling the taxation and accounting obligations (bookkeeping, taxation) prescribed by the applicable legislation.

 

(2) Legal basis of the processing of given personal data for the purpose of fulfilling the taxation and accounting obligations is the fulfilment of taxation and accounting legal requirements. The period of storage of personal data concerned: 8 years after the end of the legal relationship.

 

(3) Recipients or categories of recipients of the personal data: partners, employees and Data Processors of the Company performing taxation, accounting, payroll and social security tasks.

 

2. Processing by authorised social security agents

 

(1) In order to fulfil its legal obligations, the Company processes the personal data of the relevant Data Subjects – employees, employees’ family members, recipients of other benefits – required by law for the fulfilment of statutory taxation and contribution obligations (assessment of tax, tax advance, contributions, payroll accounting, social security, pension administration).

 

The scope of the processed data is determined by the legislation in force on the taxation system, with special emphasis on the natural identity data of the natural person (including his/her previous name and title, gender, citizenship, taxation identification number, social security number). In case the relevant laws on taxation impose legal consequences on this, the Company may also process the data of the employees regarding their health and trade union membership for the purpose of fulfilling taxation and contribution obligations (payroll accounting, social security administration).

 

(2) The period of storage of personal data concerned: 8 years after the end of the legal relationship.

 

(3) Recipients or categories of recipients of the personal data: employees and Data Processors of the Company performing taxation, accounting, payroll and social security tasks.

 

CHAPTER 6

PROCESSING NECESSARY FOR THE PURPOSES OF THE LEGITIMATE INTERESTS

 

(1) The Company is entitled to process personal data pursuant to Article 6 (1) (f) of the Regulation, if the processing is necessary to enforce the legitimate interests of the Data Controller or a third party.

 

CHAPTER 7

DATA PROTECTION REGISTER; SPECIFIC DATA PROCESSING ACTIVITIES

 

  1. The Data Controller handles the following data when carrying out the tasks below:

| Controlled data | Purpose of data management | Category of Data Subject (Whose data is it? E.g. partner, employee) | Term of data storage | Legal basis for data controlling under Article 6(1) of the GDPR Regulation |
|---|---|---|---|---|
| name, date of birth, mother's name, address, tax ID, social security number, bank account number, telephone number, e-mail address | preparation of job description, employment contract | employee | 5 years | GDPR Article 6 (1) a) |
| name, place and date of birth, mother's name, address, tax identification No, entrepreneur's ID number, personal ID number, telephone number, e-mail address, bank account number, social security number, pensioner’s reg. number | entering into agreements with contractual partners | natural person partner | 5-8 years | GDPR Article 6 (1) b) |
| representative's name, address, e-mail address, bank account number, company details | entering into agreements with contractual partners | legal entity partner, its representative | 5 years | GDPR Article 6 (1) b) |
| name, address, mother's name, place and date of birth, personal ID number (or other identification number), phone number, e-mail a. | appearing in a documentary | adult character in a documentary | 5 years | GDPR Article 6 (1) a) |
| minor and legal guardian: name, address, mother's name, place and date of birth, in case of legal guardian also the personal ID number (or other identification number), phone number, e-mail address | appearing in a documentary | minor character in a documentary | 5 years | GDPR Article 6 (1) a) |
| name, address, mother's name, place and date of birth, personal ID number (or other identification number) | entering into an agreement with the main character of a documentary | main character in a documentary | 5 years | GDPR Article 6 (1) b) |
| name, address, mother's name, place and date of birth, personal ID number (other identification number) | Entering into an agreement concerned with subsidy | legal entity partner, its representative | 10 years | GDPR Article 6 (1) b) |

 

The above data are received by the Data Controller in paper or electronic form and stored at its headquarters in physical form in hard copy and digitally scanned. Identifiable photographs are stored by the Data Controller on Google Drive cloud storage or on a physical back-up hard drive, also at its offices.

 

At cost control, the contracts may be inspected by the financial grantor of the project or, if the project is seeking indirect public film support, by the Hungarian National Film Office.

 

(2) Data processing on the Facebook page of the Data Controller

 

The Data Controller maintains a Facebook page for the purpose of publicising and promoting its activities and productions and informing about events related to such activities and productions.

Personal data posted by visitors to the Data Controller's Facebook page are not processed by the Data Controller.

Visitors are subject to Facebook's Privacy Policy and Terms of Service.

In the event of publication of illegal or offensive content, the Data Controller may ban the Data Subject as a user or delete his/her posts without prior notice.

The Data Controller is not responsible for any content or comments posted by Facebook users that violate the law. The Data Controller is not liable for any errors, malfunctions or problems resulting from changes in the operation of Facebook.

 

CHAPTER 8

SUMMARY INFORMATION ON THE RIGHTS OF DATA SUBJECTS

 

For the sake of clarity and transparency, this chapter briefly summarizes the Data Subject's rights.

 

Right to prior information

The Data Subject shall have the right to be informed of the requirements and conditions of the processing of personal data prior to the collecting and processing of his or her personal data.


Right of access by the Data Subject

The Data Subject shall have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and all relevant information listed in the Regulation.

 

Right to rectification

The Data Subject has the right, taking into account the purposes of the processing, to request the correction of inaccurate personal data and completion of incomplete personal data without undue delay, including by means of a supplementary declaration.

 

Right to erasure ("right to be forgotten")

The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the grounds specified in the Regulation applies.

 

Right to restriction of processing

The Data Subject shall have the right to obtain from the Data Controller restriction of processing where the conditions specified in the Regulation are fulfilled.

 

Notification obligation regarding rectification or erasure of personal data or restriction of processing

In case the Data Subject has the right to rectification, erasure or restriction of processing, the Data Controller is required to communicate this rectification, erasure or restriction to all recipients to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

 

Right to data portability

According to the terms of the Regulation, the Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided. In exercising the right to data portability under this chapter, the Data Subject shall have the right, if technically feasible, to request the direct transfer of personal data between data controllers.

 

Right to object

Each Data Subject shall have the right to object, on grounds relating to his or her situation, at any time, to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) of the Regulation, including profiling based on those provisions.

In this case the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or the processing serves to assert, exercise or defend legal claims.

 

Automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

 

Restrictions

Union or Member State law to which the Data Controller or Data Processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard and in addition complies with the provisions of Article 23 of the Regulation.

 

Communication of personal data breaches to Data Subjects

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.

 

Right to lodge a complaint with a supervisory authority

The Data Subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or place of alleged infringement, if the Data Subject considers that the processing of personal data relating to him or her infringes this Regulation.

 

Right to an effective judicial remedy against a supervisory authority

Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or where the supervisory authority does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged.

 

 

Right to an effective judicial remedy against a Data Controller or Data Processor

Each Data Subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.

 

CHAPTER 9

DETAILED INFORMATION ON THE RIGHTS OF DATA SUBJECTS

 

Right to prior information

The Data Subject shall have the right to be informed of the requirements and conditions of the processing of personal data prior to the collecting and processing of his or her personal data.

 

A) Information to be provided where personal data are collected from the Data Subject

1. Where personal data relating to a Data Subject are collected from the Data Subject, the Data Controller shall, at the time when personal data are obtained, provide the Data Subject with all of the following information:

(a) the identity and the contact details of the Data Controller and, where applicable, of the Data Controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6 (1) of the Regulation, the legitimate interests pursued by the Data Controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the Data Controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1) of the Regulation, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

 

2. In addition to the information referred to in paragraph 1, the Data Controller shall, at the time when personal data are obtained, provide the Data Subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

 

3. Where the Data Controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the Data Controller shall provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

 

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the Data Subject already has the information.

 

B) Information to be provided where personal data have not been obtained from the Data Subject

1. Where personal data have not been obtained from the Data Subject, the Data Controller shall provide the Data Subject with the following information:

(a) the identity and the contact details of the Data Controller and, where applicable, of the Data Controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the Data Controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1) of the Regulation, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

 

2. In addition to the information referred to in paragraph 1, the Data Controller shall provide the Data Subject with the following information necessary to ensure fair and transparent processing in respect of the Data Subject:

 

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6 (1) of the Regulation, the legitimate interests pursued by the Data Controller or by a third party;

(c) the existence of the right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning the Data Subject and to object to processing as well as the right to data portability;

(d) where processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

 

3. The Data Controller shall provide the information referred to in paragraphs 1 and 2:

 

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the Data Subject, at the latest at the time of the first communication to that Data Subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

 

4. Where the Data Controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the Data Controller shall provide the Data Subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

 

 

 

5. Paragraphs 1 to 4 shall not apply where and insofar as:

 

(a) the Data Subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 (1) of the Regulation or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the Data Controller shall take appropriate measures to protect the Data Subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the Data Controller is subject and which provides appropriate measures to protect the Data Subject's legitimate interests; or

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

 

Right of access by the Data Subject

 

1. The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

 

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the Data Subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

 

2. Where personal data are transferred to a third country or to an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

 

3. The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Data Controller may charge a reasonable fee based on administrative costs. Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

 

Right to erasure (‘right to be forgotten’)

1. The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

 

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the Data Subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) of the Regulation, and where there is no other legal ground for the processing;

(c) the Data Subject objects to the processing pursuant to Article 21 (1) of the Regulation and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21 (2) of the Regulation;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the Regulation.

 

2. Where the Data Controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Data Processors which are processing the personal data that the Data Subject has requested the erasure by such Data Processors of any links to, or copy or replication of, those personal data.

 

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

 

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the Regulation;

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the Regulation in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

 

Right to restriction of processing

1. The Data Subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:

 

(a) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;

(b) the processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;

(d) the Data Subject has objected to processing pursuant to Article 21 (1) of the Regulation pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

 

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

3. A Data Subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the Data Controller before the restriction of processing is lifted.

 

Right to data portability

1. The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the Data Controller to which the personal data have been provided, where:

 

(a) the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1) of the Regulation; and

(b) the processing is carried out by automated means.

 

2. In exercising his or her right to data portability pursuant to paragraph 1, the Data Subject shall have the right to have the personal data transmitted directly from one Data Controller to another, where technically feasible.

 

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

 

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

 

Right to object

1. The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) of the Regulation, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

 

2. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

 

3. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

 

4. At the latest at the time of the first communication with the Data Subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the Data Subject and shall be presented clearly and separately from any other information.

 

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the Data Subject may exercise his or her right to object by automated means using technical specifications.

 

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the Regulation, the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

Automated individual decision-making, including profiling

1. The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

2. Paragraph 1 shall not apply if the decision:

 

(a) is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller;

(b) is authorised by Union or Member State law to which the Data Controller is subject, and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests; or

(c) is based on the Data Subject's explicit consent.

 

3. In the cases referred to in points (a) and (c) of paragraph 2, the Data Controller shall implement suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Data Controller, to express his or her point of view and to contest the decision.

 

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9 (1) of the Regulation, unless point (a) or (g) of Article 9 (2) of the Regulation applies and suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests are in place.

 

Restrictions

1. Union or Member State law to which the Data Controller or Data Processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of the Regulation, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

 

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the Data Subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

 

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

 

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the Data Controller or categories of data processors;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of Data Subjects; and

(h) the right of Data Subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

(Article 23 of the Regulation)

 

Communication of a personal data breach to the Data Subject

1.  When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the Data Subject without undue delay.

 

2. The communication to the Data Subject referred to in paragraph 1 of Article 34 of the Regulation shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33 (3) of the Regulation.

 

3.  The communication to the Data Subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

 

(a) the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

 

4. If the Data Controller has not already communicated the personal data breach to the Data Subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

 

Right to lodge a complaint with a supervisory authority

1.  Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the Data Subject considers that the processing of personal data relating to him or her infringes the Regulation.

 

2.  The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the Regulation.

 

3. In the event of a violation of his or her rights the Data Subject may apply to the competent court (which is the Budapest Capital Regional Court in Budapest) according to Paragraph 22 of the Act CXII of 2011 on the right to informational self-determination and on the freedom of information.

 

Remedies and complaints can also be lodged with the Hungarian National Authority for Data Protection and Freedom of Information.

 

Name: Hungarian National Authority for Data Protection and Freedom of Information.

Registered office: H-1055 Budapest, Falk Miksa u. 9-11., Hungary

P.O. Box: H-1363 Budapest, Pf.: 9.

Postal address: ugyfelszolgalat@naih.hu

Web: www.naih.hu

Phone number: +36 (1) 391-1400

E-mail: ugyfelszolgalat@naih.hu

 

Right to an effective judicial remedy against a supervisory authority

1.  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

 

2.  Without prejudice to any other administrative or non-judicial remedy, each Data Subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the Data Subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 of the Regulation.

 

3.  Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

 

4.  Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

 

Right to an effective judicial remedy against a Data Controller or a Data Processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each Data Subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.

 

2.  Proceedings against a Data Controller or a Data Processor shall be brought before the courts of the Member State where the Data Controller or Data Processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the Data Subject has his or her habitual residence, unless the Data Controller or Data Processor is a public authority of a Member State acting in the exercise of its public powers.

 

CHAPTER 10

SUBMISSION OF DATA SUBJECT’S REQUEST,

MEASURES OF THE DATA CONTROLLER

 

1. The Data Controller shall provide the information related to the action taken on a Data Subject’s request without undue delay and no later than one month after having received the request.

 

2. In the event that a request is complex, the compliance period can be extended by two months. In this case the Data Controller shall inform the Data Subject of the reason for the delay within one month of receiving the request.

 

3. Where the Data Subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

 

4. If the Data Controller does not take action on the request of the Data Subject, the Data Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

 

5.  Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 of the Regulation shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either:

 

(a) charge a reasonable administration fee; or

 

(b) refuse to act on the request.

 

6. Where the Data Controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the Data Subject.
