THE PRIVACY NOTICE OF MEDIMPEX TRADING PRIVATE LIMITED COMPANY
LAST UPDATE: 13. OCTOBER 2021
Budapest-1385494.9
Contents
- GENERAL INFORMATION……………………………………………………………………………………… 3
- THE UPDATING OF AND ACCESS TO THE NOTICE………………………………………………….. 3
- SPECIFIC DATA PROTECTION TERMS AND CONDITIONS…………………………………………. 3
- THE SCOPE OF DATA PROCESSED AND DATA PROCESSING PURPOSES…………………. 3
- DATA SECURITY (TECHNICAL AND ORGANISATIONAL) MEASURES………………………… 13
- THE DATA PROTECTION RIGHTS OF DATA SUBJECTS AND THEIR OPTIONS FOR JUDICIAL REMEDY….14
Budapest-1385494.9
- GENERAL INFORMATION
Regarding clients, the contact persons of contractual partners, the addressees of marketing messages, the visitors of facilities, (including other data subjects) (“Data Subject/s”) MEDIMPEX Kereskedelmi Zartkoruen Mukodo Reszvenytarsasag (MEDIMPEX Private Limited Company (“Company”) processes pieces of information that are deemed to be “personal data” under Article 4.1 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). This privacy notice (“Notice”) provides information about the controlling and processing of these personal data, the rights of data subjects concerning the processing and controlling of their data, together with judicial remedy options available to them.
The contact details of the Company
The registered office of the Company: 1134 Budapest, Lehel utca 11.
The company registration number of the Company: Cg. 01-10-043448
The Company is registered with the company register of the Companies House of the Metropolitan General Court (Fovarosi Torvenyszek Cegbirosaga)
The phone number of the Company: +36 20 259 61 72 The e-mail address of the Employer: titkarsag@medimpex.hu The website of the Employer: www.medimpex.hu
The representative of the Employer and his contact details: Zsolt Viktorin,
- THE UPDATING OF AND ACCESS TO THE NOTICE
The Company reserves the right to amend this Notice unilaterally with the amendments taking effect subsequently, having also regard to restrictions and limitations stipulated in the relevant pieces of legislation, by giving the data subjects preliminary notification in good time. This Notice may, in particular, be amended if changes in legislation, the practice followed by the data protection authority, a business or employee need, a new activity involving the processing of personal data, a newly discovered security risk or feedback from data subjects make such amendment/s necessary. During the course of conducting communication in connection with this Notice or data protection matters, and also while keeping contacts with data subjects, the Company may use the contact details of the data subjects available to the Company for the purposes of establishing and keeping contacts. Upon request, the Company shall, for instance, forward to the data subject a copy of the current version of this Notice, or certify that the data subjects familiarised themselves with the Notice.
- SPECIFIC DATA PROTECTION TERMS AND CONDITIONS
In certain individual cases, specific data protection terms and conditions may also need to be applied of which the data subjects shall receive a separate notification. Examples include the notice concerning the operation of the electronic surveillance system (cameras) or the notice regarding cookies used by the Company on their websites.
- THE SCOPE OF DATA PROCESSED AND DATA PROCESSING PURPOSES
The purposes, legal bases and duration of data processing, together with the scope of data processing, the parties eligible for access, including the scope of the recipients of data transfers shall be outlined in the table below. If a data processing purpose is necessary for the enforcement of the legitimate interests of the Company or a third party, the Company shall make the test used for assessing legitimate interests available provided a request to this effect is submitted using any of the contact details set forth above. The Company specifically draws the attention of data subjects to the fact that the data subject is entitled to object at any time to the processing of their personal data based on a legitimate interest, on grounds relating to his or her particular situation, including profiling, based on the provisions mentioned. In such a case the Company shall no longer process the personal data unless it demonstrates compelling legitimate
Budapest-1385494.9
grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
If, according to this Notice, the period of processing is identical with the period of limitation until the end of which a claim can be asserted, upheld and enforced, an act interrupting limitation shall extend the period of processing until the new date on which the claim becomes time-barred (Section 6: 25 (2)) of Act V of 2013 on the Civil Code – “Civil Code”). If the period of limitation was suspended but the obstacle causing suspension ceases to exist, it shall continue to be possible to assert, uphold and enforce a claim for a period of one year (to be calculated from the date on which the obstacle is removed) or for three months (provided the limitation period is one year or a shorter period), even if the period of limitation has already ended, or the period remaining is shorter than the one referred to above (Section 6: 24 (2)) of the Civil Code).
The 8-year data retention period stipulated in the Act C of2000 on Accounting (“Accounting Act”) shall be calculated from the date on which an accounting item associated with the specific data was generated, or on which the preparation of the financial statements/accounting relied on the specific data in any manner. In practice: if the data are included in a contract on the basis of which several performances are delivered (e.g. several consultancy services are provided under one contract), the 8-year period shall be calculated separately for each performance as a separate invoice is raised for each performance based on which that specific transaction is recognised. If the data are included in a contract that concerns, e.g. a sale and purchase transaction (handing over, taking over takes place, and following fulfilment, the contract terminates), the transaction is going to be recognised in and for that specific year, based on the contract and the invoice, and the 8-year period mentioned shall commence.
General rights of access to personal data set out in the table below shall be enjoyed by the chief executive officer, IT and the director of economic affairs. During the course of conducting their audit, the Company’s auditor (Magyar Szakertoi Holding Kft., 1115 Budapest, Ozorai utca 4. 1. em. 1.) may also become aware of personal data.
Data subjects shall always provide the Company with the relevant personal data in accordance with governing and applicable legislation. In particular, they shall obtain consent and have proper (informed consent or other) legal bases where personal data are handed over (for example: if data of contact persons, relatives are furnished). Where the Company becomes aware that the data of any data subject were furnished without his/her consent or other appropriate legal bases, the Company may immediately delete such data. Nevertheless, the data subject shall enjoy the rights and seek judicial remedies available under this Notice. The Company shall not be responsible for any damage, loss or grievance suffered by the data subjects as a result of a failure to meet their commitment or the representation they made above.
Budapest-1385494.9
The purpose of data processing | The legal basis of data processing | The scope of data | Data retention period, access rights, the recipients of data transfers |
1. Ensuring participation in promotions, advertising campaigns, sports events, press conferences –
pursuant to governing participation terms and conditions |
Article 6 (1) a) of GRPR – the voluntary consent of the data subject given in the course of participating in the promotion or the advertising campaign, pursuant to governing participation terms and conditions.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In the absence of the data subject’s consent, the specific data subject cannot participate in the given promotion, advertising campaign or prize competition. |
The persons eligible for participation and the scope of personal data processed shall be identified on a case by case basis, in accordance with governing participation terms and conditions (e.g. name, address). | Data retention period: the duration of data processing shall be identified on a case by case basis, in accordance with the governing participation terms and conditions, by considering the advertised closing date of the promotion or advertising campaign, and the period of time necessary for dispatching any possible prizes.
In the absence of such a provision, 5 years calculated from the closing date/time of the given promotion, prize competition, campaign or media appearance (general term of limitation under civil law). Persons authorised to access within the Company’s organisation: Employees of the Commercial Finished Product team |
2. The sending of newsletters (to subscribers subscribing via Facebook, at events and via the website) | Article 6 (1) a) of GRPR – the voluntary consent of the data subject given by subscribing to the newsletter.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. |
The name and e-mail address of the data subject. | Data retention period: the Company shall process the personal data until the consent given by the data subject is withdrawn.
Persons authorised to access within the Company’s organisation: employees of the commercial line of business, head of commerce |
Budapest-1385494.9
The purpose of data processing | The legal basis of data processing | The scope of data | Data retention period, access rights, the recipients of data transfers |
In the absence of the data subject’s consent, the specific data subject cannot subscribe to the newsletter. | Data are transferred to Newdoor Communications Szolgaltato Korlatolt Felelossegu Tarsasag (1044 Budapest, Ady Endre utca 23.), the advertising company that distributes the newsletters. | ||
3. The documentation of corporate events, the making of recordings | Article 6 (1) a) of GRPR (the voluntary consent of the data subject).
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In the absence of the data subject’s consent, the recordings cannot be made. Recordings made about the activity of the data subject involving public speaking/appearance, and in the event of mass/crowd scenes/recordings, the consent of the data subject in not necessary for the making and utilisation of the recordings (Section 2: 48 of the Civil Code). |
The taking of photos and/or the making of video recordings at events organised by the Company (the portrait of the data subjects). With the data subject’s consent or based on the legitimate interest of the Company (in the case of recordings made about the activity of the data subject involving public speaking/appearance, and in the event of mass/crowd scenes/recordings), the completed recordings may also be displayed on the Company’s intranet, external internet interfaces (for example the Company’s website, LinkedIn page and other social media), or on other online and offline media interfaces (for example: online or printed corporate marketing materials). | Data retention period: based on the request of the data subject, the recording may be deleted at any time. In the case of recordings that were already made available to the public, the right of withdrawal can be fully exercised only until the publishing of these materials. Third parties may save and/or make a copy of the recordings published, the Company cannot control this.
Regarding printed materials, if the consent is withdrawn, the Company cannot withdraw from circulation the copies that were already put on the market, including printed copies that are not under the supervision of the Company. The data subject gives his/her consent being aware of and by accepting the above limitations. |
The purpose of data processing | The legal basis of data processing | The scope of data | Data retention period, access rights, the recipients of data transfers |
In such a case, the legal basis for the making and utilisation of the recordings is Article 6 (1) f) of GDPR (data processing is necessary to enforce the Company’s legitimate interests).
Legitimate interest: it is in the business interest of the Company to make and utilise the recordings to strengthen the Company’s business appearance/presence, to promote the Company, to encourage the employees and to foster the working environment. |
Recordings controlled and processed on the basis of the Company’s legitimate interest shall be controlled and processed by the Company until the right of the data subject to object is exercised.
Persons authorised to access within the Company’s organisation until the recordings are published: Employees of the commercial line of business, head of commerce |
||
4. The distribution of invitations to events organised by the Company | Article 6 (1) f) of GDPR (data processing is necessary to enforce the Company’s legitimate interests).
Legitimate interest: the successful and efficient organisation of the events. |
The contact data of data subjects whom the Company intends to invite: the name of the participants and the organisation they represent, other data provided by them concerning their participation (for example: arrival time, preferred presentation, etc.). | Data retention period: unless the data subject objects to the processing of his/her data, the contact data can also be used later on, after the event for the purposes distributing invitations to the events organised by the Company and for establishing contacts. The Company shall process data for a period of 5 years following the last contact with the data subject (Section 6: 22 (1) of the Civil Code – the claims become time-barred after 5 years) |
The purpose of data processing | The legal basis of data processing | The scope of data | Data retention period, access rights, the recipients of data transfers |
Persons authorised to access within the Company’s organisation:
Employees of the commercial line of business, head of commerce |
|||
5. The processing of the personal data of the contact persons of contractual partners and/or that of persons involved in the delivery of performance / / in the verification of performance for the purposes of the performance (daily level implementation) of the contract Fox example, this may include the processing of the mailing addresses of contact persons, the instructions issued to contact persons for making sure that payments are made or the sending of official notifications using contact data and pieces of information concerning contractual obligations to be discharged. For example lease contracts, supplier contracts, reports made to the authorities, the | Depending on the circumstances (i.e. whether the contract is concluded with the data subject /individual entrepreneur/ or another business): Article 6 (1) (b) of GDPR – the performance (implementation) of a contract concluded directly with the data subject / Article 6 (1) (f) of GDPR – the legitimate interest of the Company and the contracting business: the meeting of contractual obligations, the exercising of rights, the ensuring of economic cooperation between the parties.
The transfer of personal data is a contractual requirement; the Company is unable to conclude and implement the contract without personal data. |
The name, contact details (e-mail address, phone number, mobile phone number, fax number) of the contractual partners’ contact persons and also of persons involved in the delivery and verification of performance, including any other activity and communication concerning the contract involving personal data (e.g. communication received from the contact person or from any other natural person acting on behalf of the partner).
The personal data are made available to the Company by either the contractual partner or the data subjects themselves. |
Data retention period: 5 years
following the termination of the contractual relationship (Section 6: 22 (1) of the Civil Code, unless the Civil Code provides otherwise, the claims become time-barred after 5 years) Regarding the meeting of tax payment obligations: data retention period is 5 years to be calculated from the last day of the calendar year in which the tax return should have been filed, the data reported or the report made, or (in the absence of a tax return, data report or report) the tax should have been paid (Sections 78 (3) and 202 (1) of Act CL of 2017 on the Rules of Taxation – “Tax Act”). In the case of accounting source documents: data retention period is 8 years (Act on Accounting, Sections 168-169). In practice, these may include cases where the data are a part of documents supporting accounting, e.g. are included in |
The purpose of data processing | The legal basis of data processing | The scope of data | Data retention period, access rights, the recipients of data transfers |
management of technical information, the reporting of errors/defects. | documents (e.g. order) relating to the conclusion of a contract between the Company and the Partner or in the invoice raised.
Persons authorised to access within the Company: the competent departments as per the contract, the assistant to the chief executive officer |
||
6. The management of inquiries received from partners, consumers and other parties | Article 6 (1) f) of GDPR (data processing is necessary to enforce the legitimate interests of the Company, partners, consumers and other persons concerned).
The legitimate interest: the management of inquiries received by the Company, the offering of answers to questions and the mutual fulfilment of obligations existing on the basis of the contract concluded by the partners. |
The personal data concerning inquiries received by the Company, the data of the contact persons of partners, consumers and other parties necessary to maintain contacts (name, address, e-mail, address, phone number), the recording of steps taken in connection with the inquiry. | Data retention period: 5 years from the date of offering an answer to the inquiry – or in the case of a civil law contract concluded with the Company – 5 years from the termination of the legal relationship, in view of the fact that pursuant to Section 6: 22 (1) of the Civil Code, claims typically become time-barred after 5 years.
Persons authorised to access within the Company: employees of the commercial line of business, head of commerce, head of quality assurance |
7. The processing of the personal data of the contact persons of contractual partners and/or that of persons involved in the delivery of | In such cases the legal basis of data processing is the legitimate interest of the Company (Article 6 (1) f) of GDPR. The legitimate interest: the management of compliance matters concerning the contract and the taking | The name, contact details (e-mail address, phone number, mobile phone number, fax number) of the contractual partners’ contact persons and also of persons involved in the delivery and verification of | Data retention period: 5 years
following the termination of the contractual relationship (Section 6: 22 (1) of the Civil Code, unless the Civil Code provides otherwise, the claims become time-barred after 5 |
The purpose of data processing | The legal basis of data processing | The scope of data | Data retention period, access rights, the recipients of data transfers |
performance / in the verification of performance for the purposes of compliance matters associated with the contract or regarding any other actions to be taken in connection with the implementation of the contract, including the seeking of judicial remedies necessary to secure contractual rights. For example: lease contracts, supplier contracts. | of any other actions concerning the performance of the contract, including the seeking of judicial remedies necessary to secure contractual rights. | performance, including any other activity and communication concerning the contract involving personal data (e.g. communication received from the contact person or from any other natural person acting on behalf of the partner).
The personal data are made available to the Company by either the contractual partner or the data subjects themselves. |
years)
Regarding the meeting of tax payment obligations: 5 years to be calculated from the last day of the calendar year in which the tax return should have been filed, the data reported or the report made, or (in the absence of a tax return, data report or report) the tax should have been paid (Sections 78 (3) and 202 (1) of the Tax Act). In the case of accounting source documents: 8 years (Act on Accounting, sections 168-169). In practice, these may include cases where the data are a part of documents supporting accounting, e.g. are included in documents (e.g. order) relating to the conclusion of a contract between the Company and the Partner or in the invoice raised. Persons authorised to access within the Company: the competent departments as per the contract, the assistant to the chief executive officer. |
8. Operating the access control system – the recording of the time and place of entering and leaving the Company’s site and individual buildings (within the site). | Article 6 (1) f) of GDPR: the legitimate interest of the Company.
The legitimate interest: the protection of the Company’s assets in accordance with provisions on the application of electronic access systems within the meaning of Section 32 (1) of the Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (“Security Services Act”). |
The scope of data associated with entry cards made out to the name of the individual (the date/time and frequency of entering the office or other premises). In the case of a potentially arising security problem (e.g. theft, robbery) the Company may and can verify entries into the offices and other premises (e.g. which Employee entered the office via which entry point, when did he/she entered the office). | Data retention period: in the case of regular entry, upon the termination of entitlement to enter, but – regarding data generated during operation (e.g. date/time of entry) – after 6 months following the generation of such data; in the case of occasional entry, after 24 hours following leaving. (Section 32 (2)-(3) of the Security Services Act).
Persons authorised to access within the Company’s organisation: Head of Logistics and Operation, Logistics Assistant, Warehouse Manager, Ormester Vagyonvedelmi Nyrt. (the security guarding company) |
9. The processing of the data of data subjects concerning the enforcement of their data protection rights (for details pls. see Section 6) | Article 6 (1) c) of GDPR (necessary for meeting the legal obligation – data processing – of the Company in their capacity as data controller).
The legal obligation: to make sure that the rights of data subjects set forth in Articles 15-22 of GDPR can be exercised, and also to document other steps taken in connection with the enquiry. |
Personal data associated with data protection enquiries received by the Company: the data of natural persons / of the contact persons of legal entities or other organisations turning to the Company (including in particular: name, address, e-mail address, phone number), the content of the enquiry, the steps taken and the documents prepared in connection with the enquiry. For example: If the data subject requests that all his/her personal data should be deleted pursuant to the GDPR regulation, and the Company grants the request, the email requesting deletion shall nevertheless be retained. | Data retention period: for an
indefinite period of time, save as otherwise provided by a guideline issued by the data protection authority. The employees participating in replying to the question and the representative of the Company.. |
10. Archiving the consent to data processing given by data subjects, including the possible withdrawal of their declaration of consent | Article 6 (1) c) of GDPR (necessary for meeting the legal obligation – data processing – of the Company in their capacity as data controller).
The legal obligation: pursuant to Article 7 (1) of GDPR, where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data. |
If any data processing by the Company was based on consent given by the data subject, the Company shall archive the specific consent. The objective of this is to make sure that the legality of the consent can be justified at any time. If the data subject withdraws his/her consent, the Company shall also retain the declaration of withdrawal (including any related communication). The objective of this is to make sure that the Company is always aware that a specific data subject withdrew his/her consent to data processing. | Data retention period: for an
indefinite period of time, save as otherwise provided by a guideline issued by the data protection authority. The employees participating in the management of the consent and the withdrawal of the consent replying to the question and the representative of the Company. |
11. The registration of personal data breaches (including the documentation of steps taken in connection with the management of personal data breaches) | Article 6 (1) c) of GDPR (necessary for meeting the legal obligation – data processing – of the Company in their capacity as data controller).
The legal obligation: pursuant to Article 33 (5) of GDPR, the data controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial actions taken. Such records make it possible for the data protection authority to verify compliance with GDPR requirements. |
The personal data of data subjects relating to the personal data breach. | Data retention period: for an
indefinite period of time, save as otherwise provided by a guideline issued by the data protection authority. The employees participating in the management of the personal data breach, and the representative of the Company. |
- DATA SECURITY (TECHNICAL AND ORGANISATIONAL) MEASURES
5.1 IT support for the management of personal data breaches and data protection records
In this context the conducting of regular self-audits in the course of which the Company verifies if the operation of their IT system and governing corporate requirements are in line with legislative requirements. Within the framework of self-auditing, in addition to verifying compliance, the technological resilience of the Company shall also be tested (IT security review). The Company regularly analyses the records of data processed and stored in the IT systems (IT security data asset inventory), including IT security risks threatening them.
5.2 Identification systems
The Company uses a central address directory to verify user rights, with password management (stipulating and enforcing minimum password complexity and password replacement).
5.3 The management of security incidents
The Company collects and stores the technical logs of systems and applications. The Company continuously monitors the status and statistics of IT security systems.
5.4 Network security
The Company uses a multiplex, stateful firewall system to monitor and regulate network connections. The Company centrally manages the wireless networks used at its sites, thus wireless access is controlled. In order to ensure the high level of safety and security of IT systems and communication, the Company uses encrypted data channels (VPN) to connect site networks.
5.5 The protection of mobile systems
The Company keeps records of corporate mobile devices and provides a secure access channel for the corporate systems.
5.6 Vulnerability management
The Company regularly surveys, analyses and assesses IT security vulnerabilities and takes the measures necessary, based on the findings. The Company regularly installs security updates on corporate computers and devices.
5.7 E-mail content filtering
The Company uses a multiplex automated system relying on various technologies to filter out emails containing spam, phishing and malware codes. In addition, protective procedures are also applied to prevent special, protocol-based (low-level technology) attacks. Wherever possible, the Company thrives to develop a reliable and secure mailing channel by using technologies and cryptographic procedures to identify external partners.
5.8 Endpoint (e.g. computers or other devices, servers) protection
The Company uses a firewall to protect the network connection of endpoint devices. The Company equips all suitable computers and other endpoint devices with protection against malicious applications in the course of applying on-access and regular, full-machine verifications.
5.9 The physical protection of records and data
As far as the physical protection of data, electronic and paper-based records is concerned, the Company has lockable server rooms and a transparent and properly communicated (i.e. towards
the Employees) records management practice prescribing that paper-based records must be stored in lockable cabinets, in addition to stipulating that only persons with proper authorisation can have access to them.
- THE DATA PROTECTION RIGHTS OF DATA SUBJECTS AND THEIR OPTIONS FOR JUDICIAL REMEDY
6.1 Data protection rights and judicial remedies
The data protection rights and judicial remedies available to data subjects are set out in the relevant provisions of GDPR (including, in particular, the following articles: 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80 and 82). The following summary captures the most important provisions and, based on them, the Company also provides the data subjects with information regarding their data protection rights and judicial remedy options.
The pieces of information shall be provided in writing or by other means – including also electronic means -, as the case may be. The question asked by a data subject can also be answered verbally, provided the personal identity of the data subject was verified by other means.
The Company shall provide information on actions taken on the request of the data subject in accordance with the exercise of the rights concerned (see: Articles 15-22 of GDPR), without undue delay and in any event within one month of the receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and the number of requests. The Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the Company does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
6.2 Right of access by the data subject
(1) The data subject shall have the right to obtain confirmation from the Company as to whether or not personal data concerning him or her are being processed. Where that is the case, the data subject is entitled to access the personal data and the following information:
- a) the purposes of data processing;
- b) the categories of personal data concerned;
- c) the recipients or categories of recipients of the personal data to whom the Company
communicated or will communicate the personal data, including in particular recipients in a third country or international organisations;
- d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- e) the existence of the data subject’s right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- f) the right to lodge a complaint with a supervisory authority; and
- g) where the personal data are not collected from the data subject, any available
information as to their source;
- h) the existence of automated decision-making (referred to in Article 22(1) and (4) of GDPR) including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(2) Where personal data are going to be transferred to a third country, the data subject is entitled to receive information about the appropriate safeguards regarding the transfer.
(3) The Company shall provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
6.3 Right of rectification
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her, without undue delay. Moreover, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
6.4 Right to erasure (“right to be forgotten”)
(1) The data subject shall have the right to obtain from the controller the rectification of inaccurate
personal data concerning him or her, without undue delay, where one of the following grounds applies:
- a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- b) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- d) the personal data have been unlawfully processed;
- e) the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the Company is a subject;
- f) the personal data have been collected in relation to the offer of information society services.
(2) Where the Company has made the personal data public and is obliged pursuant to provisions stated above to erase the personal data, the Company, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
(3) Paragraphs (1) and (2) shall not apply to the extent that processing is necessary, among other reasons:
- a) for exercising the right of freedom of expression and information;
- b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is a subject;
- c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- d) for the establishment, exercise or defence of legal claims.
6.5 Right to restriction of processing
(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- a) the accuracy of the personal data is contested by the data subject, for a period enabling the Company to verify the accuracy of the personal data;
- b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- c) the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- d) the data subject has objected to processing pending the verification of whether the legitimate grounds of the Company override those of the data subject.
(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(3) A data subject who has obtained restriction of processing shall be informed by the Company before the restriction of processing is lifted.
6.6 Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Company shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The Company shall inform the data subject about those recipients if the data subject requests it.
6.7 Right to data portability
(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
- a) the processing is based on consent or contract; and
- b) the processing is carried out by automated means.
(2) In exercising his or her right to data portability pursuant to paragraph (1), the data subject shall have the right to have the personal data transmitted directly from one controller to another (i.e. between the Company and another controller), where technically feasible.
(3) The exercising of the right referred to above should not adversely affect provisions regarding the right to erasure (“right to be forgotten”) and the rights or freedoms of others.
6.8 Right to object
(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling. In such a case the Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
(3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
(4) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
(5) Where personal data are processed for scientific or historical research purposes or statistical purposes, on grounds relating to his or her particular situation, the data subject shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
6.9 Right to lodge a complaint with the supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the provisions of GDPR. In Hungary, the competent supervisory authority is Nemzeti Adatvedelmi es Informacioszabadsag Hatosag (Hungarian National Authority for Data Protection and Freedom of Information)(website: http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11.; mailing address: 1374 Budapest, Pf. 603.; phone: +36-1-391-1400; fax: +36-1391-1410; e-mail: ugyfelszolgalat@naih.hu).
6.10 Right to an effective judicial remedy against a controller or processor
(1) The data subject shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them.
(2) The data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
(3) Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
6.11 Right to an effective judicial remedy against the Company or the processor
(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with the supervisory authority, the data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with GDPR.
(2) Proceedings against the Company or the processor shall be brought before the courts of the Member State where the Company or the processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence. In Hungary, these proceedings fall within the competence of general courts. The data subject may bring the proceedings – at his or her choice – before the competent general court as per his or her residence or habitual residence. Regarding the jurisdiction and contact details of the courts (general courts), please visit the following website: www.birosag.hu.