Skip to content
Home » Privacy Statement

Privacy Statement

Information on data management

Data protection

Data maintenance information

About the rights of the natural person concerned

Regarding the maintenance of personal information

Table of contents

Introduction

Chapter 1 – The Appointment of the Data Administrator

Chapter 2 – Appointment of Data Processors

2.1. Accounting service provider of our company

Chapter 3 – Data management linked to a contract

3.1 Administration and registration of the details of our contractual partners

3.2. The contact details of the legal persons as customers who are represented by a natural person

3.3. Management of visitors’ data on the company’s future website – information on the use of cookies.

3.4. Contact through the contact details indicated on the company’s website.

Chapter 4: Data management in connection with the employment relationship

4.1. Labor and Personnel Registration

4.2. Data management of employees who apply for admission, applications, CVs

4.3. Data management related to the control of the use of the e-mail box

4.4. Data management related to computer and laptop control

4.5. Data management in connection with controlling the use of company mobile phones

4.6. Data management in connection with the use of the GPS navigation system

4.7. Data management related to monitoring by the camera on the workplace

Chapter 5 – Data management based on legal obligations

5.1. Data management for the purpose of fulfilling tax and accounting obligations

5.2. Payer Data Management

Chapter 6 – Detailed information about the rights of the data subject

Chapter 7 – Submission of the request from the data subject, actions taken by the data manager

Introduction

REGULATION No. 2016/679 of the EUROPEAN PARLIAMENT AND COUNCIL (EU) (hereinafter: Regulation) writes in relation to the protection of maintenance of personal data of natural persons, the flow of such data, or the repeal of Regulation No. 95 /46/EK stipulates that the data manager takes appropriate measures to provide the data subject with all information about the management of their personal data in a concise, transparent, clear and easily accessible form, formulated in a clear and generally understandable way, or that the data manager promotes the exercise of the rights of the data subject.

The preliminary information obligation of the data subject is also prescribed by the Act CXII of 2011 on the right to information self-determination and freedom of information.

With the information below, we are fulfilling our legal obligations.

The information must be published on the company’s website after it has been designed, or sent to the person concerned upon request.

Chapter 1

The designation of the data administrator

The publisher of this information, at the same time the data manager:

Company name: PRI-MO-RA 2000 Ltd.

Location: 5000 Szolnok 0585/5. hrsz.

Company registration number: 16 09 006715

VAT number: 12778069-2-16

Representative: Boronkay Anasztázia

Telephone number: +3656/526-195

Fax: +3656/240-365

E-mail address: info@primora.hu

(hereinafter: the company)

Chapter 2

The designation of the data processors

Data processor: the natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data manager. (Regulation No. 4, Article 8)

The preliminary consent of the data subject is not required to use the data processor, but his information is necessary. Accordingly, we provide the following information:

2.1. Accounting service provider of our company

Our company, in order to meet its tax and accounting obligations, uses an accounting service provider contract to use an external service provider who manages the personal data of natural persons who are in contractual or payment contact with our company, with the purpose that our company to meet onerous tax and accounting obligations.

The designation of this data processor is as follows:

Company name: SzámTan Számviteli Iroda Kft.

Location: 5000 Szolnok, Rét utca 4.

Company registration number: 16-09-011328

VAT number: 14877281-2-16

Representative: Nagy Erzsébet Tünde

Telephone number: 30/8334020

Chapter 3

Data management linked to a contract

3.1. Administration and registration of the details of our contractual partners

3.1.1. With the legal title “Performing the contract”, our company manages the name, residential and delivery address, VAT number, telephone number, e-mail address, website name, account number (or fence parameters) within the company manager software after the appointment of the natural person who is in the contract with him, with the purpose of concluding the contract, performing it, canceling it and granting a contract discount. The management marked in this point is considered lawful even if the data management takes place before the conclusion of the contract at the request of the person concerned in order to take necessary steps. The addressees of the personal data are: the employees of the company, their partners who perform accounting and tax tasks and their data processors. Period of storage of personal data: 8 years after the termination of the contract.

3.1.2. Before starting the data management, the data subject must be informed that the data management is based on the legal title “performance of the contract”, the information can be formulated in the contract or in the information sheet on data management. The data subject must be informed about the transfer of his personal data to the data processor.

3.2. The contact details of the legal persons as customers who are represented by a natural person

3.2.1. Contact details of legal entities as customers representing natural persons are registered by the company in the company manager’s system. Scope of manageable natural data: name, address, phone number, e-mail address, possibly online identifier of the represented natural person.

  3.2.2. The purpose of managing personal data is: performance of the contract that the company has concluded with its partner as a legal entity, maintaining business contacts. Its legal title is: the consent of the person concerned.

3.2.3. Addressees of personal data, or categories of addressees: Company employees who perform customer service tasks.

3.2.4. Period of storage of personal data: 8 years, depending on the existence of representative quality of the data subject.

3.2.5. The representative of the customer as a legal entity must be informed of the purpose, the legal basis, the scope of the managed data, their addressees and the period of data management.

3.3. Management of visitors’ data on the company’s future website – information on the use of cookies.

3.3.1. The company has its own website, it is accessible.

3.3.2. Cookies are short data files that are placed on the user’s computer by the website visited. According to the guidelines of the European Committee, cookies (except when they are absolutely necessary for the use of the given service) can only be placed on the user’s device with the permission of the user. You can find general information about cookies on the company’s website.

3.3.3. Visitors must also be informed about the use of cookies on the company’s website in the data management information sheet. Through this information sheet, the company assures that before or when using the website related to the information society service, the visitor can at any time find out what data types are managed by the company for which data management purposes, including the management of data that are not to be brought into direct contact with the service recipient.

3.4. Contact through the contact details indicated on the company’s website

3.4.1. In the information sheet, the company informs natural persons that their personal data, which they provided when contacting the contact details on the forthcoming website of the company, will be managed for the duration of the contact.

3.4.2. Scope of manageable personal data: name of natural person (last name, first name), address, telephone number, e-mail address and online identifier.

3.4.3. Purpose of personal data management:

Contacting by electronic means, telephone, SMS

3.4.4. The legal basis for data management is the consent of the data subject.

3.4.5. Addressees of personal data, or categories of addressees: data managers and company employees.

3.4.6. The period of time of the personal data: until the contact has been established or until the consent of the person concerned is withdrawn (until the deletion request).

Chapter 4

Data management in connection with the employment relationship

4.1. Labor and Personnel Registration4.1.1. Employees may only be asked for and managed such information and such medical examinations may be carried out as are necessary at the beginning of the employment relationship, its maintenance and hiring, or to ensure social welfare benefits and do not violate the personal rights of the employee.

4.1.2. The company manages the data of employees with the legal basis of asserting the legal interests of the employer (Decree No. 6, Article (1), paragraph f) with the purpose: starting the employment relationship, its performance or its termination.

4.1.3. The company, as an employer, administers data relating to illness only for the purpose of fulfilling the right or obligation stipulated in the Labor Code.

4.1.4. The addressees of personal data are: the head of the employer, the person exercising the employer’s authority, the company’s employees who perform HR tasks and their data processors.

4.1.5. Only the personal data of employees in managerial positions may be forwarded to the owners of the company.

4.1.6. Period of storage of personal data: 50 years after termination of employment.

4.1.7. Before starting the data management, the data subject must be informed that the data management is based on the Labor Code and on asserting the legitimate interests of the employer.

4.2. Data management of employees who apply for admission, applications, CVs

4.2.1. The range of manageable personal data: name of natural person, date of birth, place of birth, mother’s name, address, educational data, photo, telephone number, e-mail address, employer’s notes on the applicant (if any).

4.2.2. Purpose of managing personal data: registration, evaluation of the application, conclusion of an employment contract with the selected person.

4.2.3. Legal basis for data management: consent of the data subject.

4.2.4. Addressees of personal data, or categories of addressees: at the company, those employees who are entitled to exercise employer rights and HR tasks.

4.2.5. The period of storage of the personal data: until the application, or until the application is evaluated. The personal details of the unselected applicants must be deleted. The details of the person who withdrew their application must also be deleted.

4.2.6. The Employer may keep applications only on the basis of the express, unequivocal and voluntary consent of the person concerned, provided that he needs to keep them in the interests of his data processing purposes, which are related to the legal regulations. He should ask the applicant for this commitment after the conclusion of the application procedure.

4.3. Data management related to the control of the use of the e-mail box

4.3.1. If the company provides the employee with an e-mail box – the employee may use this e-mail address and mailbox solely to carry out his/her tasks in his/her work area, so that employees can keep in touch with each other, or on behalf of their employer with customers , correspond to other persons and organizations.

4.3.2. The employee may not use the e-mail box for personal purposes, he may not save personal letters in the box.

4.3.3. The employer has the right to regularly check the entire content and use of e-mail boxes, while the legal basis for data management is the legitimate interest of the employer. The purpose of the control is to check the observance of the employer’s regulation regarding the mailbox, or to check the obligations of the employees (Labour Code paragraphs 8 and 52).

4.3.4. The head of the employer, the exerciser of the employer’s rights, or the manager chosen by them at the workplace are entitled to control.

4.3.5. If the circumstances of the check do not exclude the possibility, it must be ensured that the employee can be present at the check.

4.3.6. When checking, the principle of gradation must be applied, so first of all, based on the e-mail address and subject, it is necessary to determine whether these belong to the tasks of the employee’s work group and are not of a personal nature. The content of e-mails that are not personal in nature can be examined by the employer without limitation.

4.3.7. If, contrary to the provisions of the current regulation, it is established that the employee used the e-mail box for personal purposes, (s)he must be asked to delete the personal data immediately. If the employee is absent or unwilling to cooperate, his/her personal details will be deleted by the employer during the inspection. Because of this use of the e-mail box, which is contrary to the current regulation, the employer can apply legal consequences under labor law to the employee.

4.3.8. The employee can live with the rights in connection with the data management associated with the control of the e-mail box, which can be found in the chapter on the rights of the data subject in this regulation.

4.4. Data management related to computer and laptop control

4.4.1. The employee may only use the computer and laptop provided by the company as the employer to the employee for the purpose of performing work to perform work in his or her work area; the company does not permit them to be used for private purposes . The employer can use this tool to check the stored data related to work performance.

4.4.2. The company as an employer can allow connection to the central server through VPN contact for the designated employees outside of working hours with the extra permission of the director with password protection.

4.5. Data management in connection with controlling the use of company mobile phones

4.5.1. The employer allows the company mobile phone to be used for private purposes and can check the phone numbers and details of all outgoing calls or the information stored in the mobile phone related to the work.

4.6. Data management in connection with the use of the GPS navigation system

4.6.1. The use of the company’s GPS navigation system in vehicles owned or used by the company, the legal basis of which is the legitimate interest of the employer and the purpose of which is the organization of work, logistics, monitoring the performance of employees’ obligations turn off.

4.6.2. The data managed: vehicle registration number, the route covered, the distance, the duration of the use of the vehicle. The company as an employer allows private use, but can control the use of the vehicle in the GPS system.

4.7. Data management related to monitoring by the camera on the workplace

4.7.1. In order to protect human life, physical integrity, personal freedom, business secrets and property protection, the company uses an internal and external monitoring system at the location and at the business premises, which enables image and sound recording, on the basis of which the behavior of the data subject, which is determined by the camera, can be regarded as personal information.

4.7.2. The legal basis of this data management is the validation of the legitimate interests of the employer and the consent of the person concerned.

4.7.3. An attention-grabbing sign, information about the fact of using the electronic monitoring system in the given area must be placed in a visible place in order to promote the orientation of third parties who want to appear in the area. This information contains the fact of observation by the electronic property protection system, or the purpose of preparing and storing the image and sound recording by the system, which also includes personal data. Furthermore, one can find out about the legal basis for data management, the place of storage of the recording, the duration of storage, the person operating the system (operator), the group of persons entitled to get to know the information and the regulations that relating to the rights of the data subjects and their enforcement.

4.7.4. Photographs of third parties (customers, visitors, guests) who enter the monitored area can only be taken and managed with their consent. Approval can also be given through an indicative behavior. Indicative behavior is, for example, if the natural person staying there enters the monitored area despite the information sign about the use of the electronic monitoring system installed there and despite the information.

4.7.5. If the recorded recordings are not used, they may be kept for a maximum of one (1) month. Use is when you wish to use the captured image or other personal information in a judicial or official proceeding.

4.7.6. The person whose right or legitimate interest relates to the recording of the data of the image, sound or image and sound recording may, within 3 working days from the recording of the image, sound or image and sound recording, demand that the administrator of the information does not destroy or delete it.

4.7.7. No electronic monitoring system can be used in such areas where monitoring violates human dignity, especially in changing rooms, showers, toilets, and also in those premises where employees spend breaks between working hours.

4.7.8. If there is no one lawfully in the work area – especially outside of working hours or on non-working days – the entire area (e.g. changing rooms, toilets, rooms intended for breaks between working hours) can be monitored.

4.7.9. Those who are authorized to do so by law are entitled to view the data recorded by the electronic monitoring system.

Chapter 5

Data management based on legal obligations

5.1. Data management for the purpose of fulfilling tax and accounting obligations

5.1.1. The company, with the legal title of fulfillment of legal obligations, stores the data specified in the law of natural persons who contact it in order to fulfill the tax and accounting obligations (bookkeeping, control) prescribed in the law. The data managed are in accordance with Code CXXVII of 2017, on the basis of PHARAGRAPHS §169 and §202 on VAT. Tax number, name, address, tax status, pursuant to section 167 of the Pharmagraph of Act C of 2000 on Accounting. Name, address, designation of the person or organization that prescribes the economic activity, the assigning person and the person justifying the execution of the decree or, depending on the organization, the signature of the inspector; the recipient’s signature on the receipts of stock movements and on the payment receipts, the signature of the payer on the counter receipts, pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneur ID tax, primary producer ID tax, tax number.

5.1.2. The period of storage of personal data is 50 years after the termination of the legal relationship providing legal basis.

5.1.3. The addressees of the personal data: the partners and the data processors of the company who perform the accounting, payroll and social security tasks.

5.2. Payer Data Management

5.2.1. The company, with the legal title of fulfillment of legal obligation, manages the personal data required by tax laws of those data subjects – employees, their family members, employees and other recipients of other support – with whom the payer is in contact (Act CL of 2017 on the Tax Code, Article 7 § 31) with the purpose of fulfilling tax and duty obligations prescribed by law (assessment of taxes, tax advances, duties, payroll accounting, social security and pensions). The scope of the managed data is determined by Art. § 50, specifically emphasizing: natural person identification data of the natural person (including previous name and title), gender, nationality, tax number, social security number. If the tax laws add legal consequences to this, the company can manage employers’ data on their health (Szja tv. § 40) and trade union membership (Szja § 47(2)b./) with the purpose of fulfilling tax and duty obligations.

5.2.2. The period of storage of personal data is 50 years after the termination of the legal relationship providing legal basis.

5.2.3. Addressees of personal data: partners and data processors of the company who perform accounting, payroll and social security (payer) tasks.

Chapter 6

Detailed information about the rights of the data subject

Right to Prior Orientation

The data subject has the right to obtain information about the facts and information related to them before the start of data management

  1. A) The information to be provided when the personal information is collected from the data subject.
  2.  If the personal information of the data subjects is collected by him/her, the data manager shall provide the data subject with all of the following information at the time of acquiring the personal data:
  3. a) the identity and contact details of the data manager – and if there is one – that of the representative;
  4. b) the availability of the data protection officer, if there is one;
  5. c) the purpose of the planned management of personal data, or the legal basis for data management;
  6. d) in the case of data management based on Regulation number 6, article number 1 paragraph f) (fair enforcement of interests), the fair interests of the data manager or those of the third party;
  7. e) where applicable, the addressees of the personal data, or the categories of addressees, if there are any;
  8. f) under the circumstances of the fact that the data manager wishes to transfer the personal data to a third country or to an international organization, further the presence or absence of the compliance decision by the committee or in the case of data transfer referred to in Articles 46, 47 or in second subparagraph of (1) first paragraph of Article 49, the designation of the relevant and suitable guarantees, as well as reference to the methods used to obtain their copies or reference to their availability.
  9. In addition to the information mentioned in point 1, at the time of acquiring personal information, the data manager provides the data subject with the following additional information in order to ensure honest and transparent data management:
  10. a) about the period of storage of personal data or, if this is not possible, about the aspects of determining this period;
  11. b) about the right of the data subject to ask the data manager for access to his/her personal data, to correct it, delete it or limit its management and to object to the management of such personal data, or about his right to the data portability;
  12. c) a RIn the case of data management based on point a) in paragraph (1) of Article 6 of the Regulation (consent of the data subject) or point a) of paragraph (2) in Article 9 (consent of the data subject), the right to withdraw at any time that does not affect the lawfulness of data management based on the consent before its withdrawal;
  13. d) the right to lodge a complaint with the supervisory authority;
  14. e) whether the provision of personal data is based on a legal regulation or on a contract or whether it is a prerequisite for the conclusion of a contract, or whether the person concerned is obliged to provide personal data, and what the possible consequences of failure to provide data are can;
  15. f) the fact of automated decision-making mentioned in paragraph (4) of Article (1) of Decree 22, including profiling, as well as understandable information, at least in these cases, relating to the logic used and the meaning of such a data management and what likely consequences it will have on the data subjects.
  16. If the data manager wishes to carry out further data management on the personal data for a purpose different from the purpose of their collection, before further data management he must inform the data subject about this different purpose and all relevant additional information specified in paragraph (2) are mentioned.
  17. Items 1-3 do not apply if and to what extent the data subject already has the information.
  18. (Regulation Article 13)
  1. B) Information to be provided if the personal information is not acquired from the data subject
  2. If the personal data are not obtained from the data subject, the data manager shall provide the data subject with the following information:
  3. a) the identity and contact details of the data manager and his deputy – if there is one;
  4. b) the availability of the data protection officer – if there is one;
  5. c) the purpose of the planned management of personal data, as well as the legal basis of data management;
  6. d) the categories of personal data of the data subject;
  7. e) the addressees of the personal data, or the categories of addressees, if there are any;
  8. f) Under the circumstances of the fact that the data manager wishes to transfer the personal data to an addressee in a third country or to an international organization, further the presence or absence of the compliance decision of the committee or, in the case of data transfer, the provisions of Article 46, 47 or in the second subparagraph of (1) first paragraph of Article 49, the designation of the relevant and suitable guarantees, as well as the reference to the methods used to obtain their copies or the reference to their availability.
  9.  In addition to the information mentioned in point 1, the data manager provides the data subject with the following additional information, which is necessary for the data subject to ensure honest and transparent data management:
  10. a) the period of storage of personal data or, if this is not possible, the aspects of determining this period;
  11. b) if the data management is based on point f (fair interest) of paragraph (1) of Article 6 in the Regulation on the fair interest of the data manager or the third party;
  12. c) the right of the data subject to ask the data controller for access to their personal data, to correct, delete or limit their management and to object to the management of such personal data, or the right of the data subject to the data portability;
  13. d) in the case of data management based on point a) in paragraph (1) of Article 6 of the Regulation (consent of the data subject) or point a) of paragraph (2) in Article 9 (consent of the data subject), the right to withdraw in any time that does not affect the lawfulness of data management based on the consent before its withdrawal;
  14. e) The right to lodge a complaint with any supervisory authority;
  15. f) the source of the personal information and whether the information came from publicly available sources, if any; and
  16. g) the fact of automated decision-making referred to in paragraph (4) of Article (1) of Regulation 22, including profiling, as well as understandable information, at least in these cases, relating to the logic used and the meaning of such logic data management and what likely consequences it will have on the data subject.
  17. The data manager provides the information according to the 1st and 2nd points based on the following:
  18. a) taking into account the specific circumstances of the management of personal data, within a reasonable period of time, but no later than within one month;
  19. b) if the personal data are used for the purpose of contacting the data subject, at least on the occasion of the first contact with the data subject; or
  20. c) if the information is likely to be communicated to other addressees as well, at the latest when the information is communicated for the first time.
  21. If the data manager wishes to carry out further data management on the personal data for a purpose different from the purpose of their collection, before further data management he must inform the data subject about this different purpose and all relevant additional information specified in paragraph (2) are mentioned.
  22. Points 1-5 do not apply if and to what extent:
  23. a) the data subject already has the information;
  24. b) if the provision of said information proves impossible or would require a disproportionate effort, especially for the purpose of public archiving, scientific and historical research or statistics in the case of data management under the conditions and guarantees in paragraph (1) of Article ( 89) in the Regulation or if the mentioned obligation in paragraph (1) of this article would presumably render impossible or seriously jeopardize the achievement of the objectives of this data management. In such cases, the data manager must take appropriate measures in the interest of the rights, freedoms and fair interests of the data subject, including the public availability of the information;
  25. c) the acquisition or communication of the information is expressly required by the Union or Member State law applicable to the data controller, which prescribes the appropriate measures to protect the legitimate interests of the data subject; or
  26. d) the personal information must remain confidential due to professional confidentiality required by Union or Member State law, including confidentiality based on legal rules.
  27. (Regulation Article 14)

Right of access of the data subject

  1. The data subject is entitled to receive feedback from the data manager as to whether his data is being managed and if such data management is in progress, he is entitled to access personal data and the following information:
  2. a) the objectives of data management;
  3. b) the categories of personal data concerned;
  4. c) those addressees or categories of addressees to whom personal data has been or will be communicated, including in particular addressees from third countries or international organizations;
  5. d) if necessary, the planned period of storage of personal data or, if this is not possible, the aspects of determining this period;
  6. e) the right of the data subject to ask the data manager to correct, delete or limit the processing of personal data in excess of him or her and to object to the processing of such personal data;
  7. f) the right to lodge a complaint with any supervisory authority;
  8. g) if the information has not been obtained from the person concerned, all available information relating to its source;
  9. h) the fact of automated decision-making referred to in paragraph (4) of Article (1) of Regulation 22, including profiling, as well as understandable information, at least in these cases, relating to the logic used and the meaning of such logic data management and what likely consequences it will have on the data subjects.
  10. If personal data is transferred to a third country or to an international organization, the person concerned has the right to obtain information about the relevant guarantees under Article 46 of the Regulation regarding the transfer.
  11. The data manager provides the data subject with a copy of the personal data that is the subject of data management. For the additional copies requested by the data subject, the data manager may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise. The right relating to the right to a copy cannot adversely affect the rights and freedoms of others.
  12. (Regulation Article 15)

  13. The right to erasure (“right to be forgotten”)
  1. The data subject is entitled to have the data manager delete personal data relating to him or her without undue delay at his request and the data manager is obliged to delete personal data relating to the data subject if one of the reasons listed below applies:
  2. a) the personal information is no longer used for the purpose for which it was collected or otherwise managed;
  3. b) the data subject within the meaning of point a) paragraph (1) of Article 6 of the Regulation or within the meaning of point a) paragraph (2) of Article 9 withdraws his or her consent, which is the reason for the data management, and so the data management has no legal reason more;
  4. c) the data subject objects to his data management pursuant to paragraph (1) of Article 21 of the Regulation and there is no overriding legitimate reason for the data management or the data subject objects to the data management pursuant to paragraph (2) of Article 21;
  5. d) the personal data was managed unlawfully;
  6. e) the personal data must be deleted in order to comply with a legal obligation imposed by Union or Member State law applicable to the data controller;
  7. f) personal data is collected in connection with the provision of information society-related services referred to in paragraph (1) of Article 8 of the Regulation.
  8. If the data manager has published the personal data and is obliged to delete them in the sense of the previous point 1, taking into account the available technology and the costs of implementation, he takes the appropriate expected steps – including technical measures – to inform the data manager managing the data, that the data subject has asked you to delete the links relating to the personal data mentioned or the copies of this personal data, or their duplicates.
  9. Points 1 and 2 do not apply if data management is necessary:
  10. a) for the purpose of exercising the right to freedom of expression and information;
  11. b) for the purpose of fulfilling the obligation under the applicable European Union or Member State law that requires the management of personal data, or for reasons of public interest or for the purpose of performing a task assigned to the data manager in the exercise of public authority;
  12. c) in accordance with points i) and h) of paragraph (2) of Article 9 of the Regulation, and paragraph (3) of Article 9, respectively, due to the public interest affecting the field of public health;
  13. d) in accordance with paragraph (1) of Article 89 of the Regulation for the purpose of public archiving, scientific and historical research or for statistical purposes, when the right referred to in point 1 would likely make such data management impossible or jeopardize it; or
  14. e) to present legal claims, to validate them, or to protect them.
  15. (Regulation Article 17)

Right to restriction of data management

  1. The data subject is entitled to have the data manager limit the data management at his request if one of the following is true:
  2. a) the data subject contests the accuracy of the personal data, in which case the limitation applies to the period of time that allows the data manager to control the accuracy of the personal data;
  3. b) the data management is unlawful and the data subject opposes the deletion of the data, instead demanding the restriction of their use;
  4. c) the data manager no longer needs the personal data for the purpose of data management, but the data subject needs them to submit legal claims, to exercise them or to protect them; or
  5. d) the data subject objected to the data management pursuant to paragraph (1) of Article 21 of the Regulation, in which case the limitation refers to the period of time until it is determined whether the legitimate reasons of the data manager prevail over the legitimate reasons of the data subject .
  6. If the data management is restricted based on point 1, this personal data, with the exception of storage, may only be used with the consent of the person concerned only to present legal claims, to assert them or to protect them or in the interest of protecting the rights of other natural or legal persons or because of the public interest of the Union or any Member State.
  7. The data manager shall inform the data subject, at whose request the data management has been restricted based on point 1, in advance about the lifting of the data management restriction.
  8. (Regulation Article 18)

Right to data portability

  1. The data subject has the right to receive personal data relating to him/her, provided by him/her to a data manager in a widely used, typed format, and is also entitled to forward this data to another data manager without prevent the data manager to whom he provided the personal data if:
  2. a) data management based on the consent under point a) paragraph (1) of Article 6 of the Regulation or under point a) paragraph (2) of Article 9 or on the contract under point b) paragraph (1) of Article 6; and
  3. b) data management is automated.
  4. When exercising the right to data portability under point 1, the data subject is entitled – if technically feasible – to request direct transfer of personal data between data managers.
  5. The exercise of this right cannot infringe Article 17 of the Regulation. The above right does not apply if the data management is in the public interest or if it is necessary for the performance of the task performed by the data manager in the exercise of the power delegated to him.
  6. The right mentioned in point 1 cannot be detrimental to the rights and interests of others.
  7. (Regulation Article 20)

  8. Right to appeal

  1. The data subject has the right, for reasons related to his own situation, to object, however, to the management of his personal data under point e) of paragraph (1) of Article 6 of the Regulation (data management is in the public interest or it is necessary to perform the task that the Data Manager performs within the exercise of the power delegated to him) or to object to point f) (data management is necessary to validate the legitimate interests of the third party or the Data Manager), including profiling based on based on the mentioned regulations. In this case, the data manager can no longer manage the personal data, unless the data manager proves that the data management is justified by legitimate reasons of compelling force, which prevail over the interests, rights and freedoms of the data subject or which refer to the Submission, enforcement or protection of legal claims.
  2. If the management of personal data is done directly in the interest of business acquisition, the person concerned has the right, however, to object to the management of personal data relating to him for this purpose.
  3. If the person concerned objects to the management of personal data directly in the interest of business acquisition, then personal data for this purpose cannot be managed further.
  4. The person concerned must be made aware of the right mentioned in points 1 and 2 when first contacting them and the information related to it must be presented clearly and separately from other information.
  5. Related to the use of services related to the information society and derogating from Directive 2002/58/EC, the data subject may also exercise the right to object using automated means based on technical regulations.
  6. If the management of personal data pursuant to paragraph (1) of Article 89 of the Regulation is used for the purpose of scientific and historical research or statistics, the person concerned has the right to object to the management of personal data concerning him for reasons related to his own situation to protest, except when the administration is necessary in the interests of carrying out a task on public property.
  7. (Regulation Article 21)

Automated decision-making on individual matters, including profiling

  1. The person concerned is entitled to the effect of the decision, which is based exclusively on automated data management, including profiling, not extending to him/her, which would have a legal effect on him/her or similarly affect him to a significant extent.
  2. Point 1 does not apply if the decision:
  3. a) necessary for the conclusion of the contract between the data subject and the data manager or in the interest of the performance of the contract;
  4. b) the making of the decision makes possible such Union or Member State law applicable to the data controller, which also establishes measures serving the rights and freedoms of the data subject and the protection of his or her legitimate interests; or
  5. c) based on the express consent of the data subject.
  6. In the cases referred to in points a) and c) of point 2, the data manager is obliged to take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least that right of the data subject that he asks for human intervention on the part of the data manager, expresses his point of view and objects to the decision.
  7. The decisions referred to in point 2 cannot be based on the special categories of personal data referred to in paragraph 1 of Article 9 of the Regulation, unless point a) or g) of paragraph 2 of Article 9 applies and it is interest of the rights, freedoms and fair interests of the person concerned to take appropriate measures.
  8. (Regulation Article 22)

Restrictions

  1. Union or Member State law applicable to the data manager or data processor may limit the effect of the rights and obligations set out in Article 5 with legislative measures, as far as the Regulations in Articles 12-22 and 34 are concerned, in accordance with the rights specified in Articles 12-22 and obligations when the limitation respects the substance of fundamental rights and freedoms, and when it is necessary to protect the below and is a proportionate measure in a democratic society:
  2. a) national security;
  3. b) national defence;
  4. c) public safety;
  5. d) carry out prevention, investigation, investigation of crimes or criminal proceedings, enforcement of criminal sanctions, including protection against dangers threatening public safety and prevention of these dangers;
  6. e) other important objectives of public interest of the Union or any Member State, in particular the important economic or financial interest of the Union or any Member State, including monetary, fiscal and national budget issues, public health and social security;
  7. f) the protection of judicial independence and judicial processes;
  8. g) in the case of regulated employment, the prevention, investigation, investigation of ethical violations and the implementation of procedures related to them;
  9. h) in the cases referred to in points a)-e) and g) – even occasionally – control, investigative or regulatory activities related to the failure of state tasks;
  10. i) the protection of the data subject or the protection of the rights and freedoms of others;
  11. j) assertion of civil rights claims.
  12. The legislative measures referred to in point 1 contain detailed regulations, at least where appropriate:
  13. a) for data management purposes or for categories of data management,
  14. b) for the categories of personal data,
  15. c) for the effect of the introduced restrictions,
  16. d) for misuse, or for unauthorized access or for the guarantees that want to prevent the forwarding,
  17. e) to determine the data manager or to determine the categories of data managers,
  18. f) for the period of data storage, as well as for the applicable guarantees, considering the data management or the nature, effect and objectives of the data management categories,
  19. g) for the risks affecting the rights and freedoms of those affected, and
  20. h) for the rights of data subjects to obtain information about the restriction, except where it may adversely affect the purpose of the restriction.
  21. (Regulation Article 23)

    Informing the data subject about the data protection incident

  1. If the data protection incident has a presumably high risk for the rights and freedoms of individuals, the data manager will inform the data subject of the data protection incident without undue delay.
  2. In the information provided to the data subject referred to in point 1, the nature of the data protection incident must be disclosed and at least the information and measures referred to in points b), c) and d) of paragraph (3) of Article 33 of the Regulation must be communicated.
  3. The data subject does not have to be informed, according to what is mentioned in point 1, if any of the following conditions are met:
  4. a) the data manager has taken appropriate technical and organizational protection measures and these measures have been applied with regard to the data affected by the data protection incident, in particular those measures – such as the use of encryption – which protect the data for the persons who have access to personal data are not authorized, make uninterpretable;
  5. b) after the data protection incident, the data manager has taken such further measures assuring that the high risk referred to in point 1, relating to the rights and freedoms of the data subject, is unlikely to materialize in the future;
  6. c) the information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly announced information or a similar measure must be taken that ensures similarly effective information for the data subjects.
  7. If the data manager has not yet informed the data subject about the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to have a high risk, may order the data subject to be informed or may determine the fulfillment of any of the conditions mentioned in point 3.
  8. (Regulation Article 34)

Right to lodge a complaint with the supervisory authority

  1. Without prejudice to any administrative or judicial order, all data subjects are entitled to lodge a complaint with a supervisory authority – particularly in the Member State of their habitual residence, place of work or place where the alleged violation of rights occurred – if, in the opinion of the data subject, the administration of the personal information relating to him violates this regulation.
  2. The supervisory authority where the complaint was lodged is obliged to inform the customer about the procedural developments related to the complaint and its outcome, but it should be noted that according to Article 78 of the Regulation the customer has the right to a judicial remedy seize.

Right to an effective judicial remedy against the supervisory authority

  1. Without prejudice to other administrative or non-judicial legal orders, all natural and legal persons are entitled to an effective judicial remedy against the decision of the supervisory authority that relates to them and has legally binding force.
  2. Without any damage from other administrative or non-judicial legal orders, all those affected are entitled to an effective judicial remedy if the competent supervisory authority does not deal with the complaint on the basis of Articles 55 and 56 or informs the affected person within 3 months about the procedural developments or their result related to the Article 77 complaint.
  3. Proceedings against the supervisory authority must be initiated before the court located in the Member State where the supervisory authority has its seat.
  4. If a procedure is initiated against such a decision of the supervisory authority, in connection with which the entity has previously expressed an opinion or made a decision within the framework of the uniform mechanism, the supervisory authority is obliged to send this opinion or decision to the court.
  5. (Regulation Article 78)

Right to an effective judicial remedy against the data manager or data processor

  1. Without prejudice to available administrative or non-judicial legal orders, including the right to lodge a complaint with the supervisory authority under Article 77 of the Regulation, each data subject has the right to an effective judicial remedy if, in his opinion, as a result of improper management of his personal data of this regulation his rights have been violated.
  2. The proceedings against the data manager or the data processor must be initiated before the court of the Member State where the place of activity of the data manager or the data processor is located. Such proceedings may also be instituted before the court of the Member State where the data subject has his or her habitual residence, unless the data controller or data processor is a public authority of any Member State acting in the legal sphere of public power.
  3. (Regulation 79)

Chapter 7

The submission of the request of the data subject, the actions of the data manager

7.1. The Company, as data manager, will inform the data subject, without undue delay and in any case within one month of the receipt of the request, of the measures taken based on his request, aimed at exercising his rights.

7.2. If necessary, considering the complexity and number of applications, this period can be extended by 2 months. The data manager will inform the data subject about the extension of the period, stating the reasons for the delay, within one month of receiving the request.

7.3. If the data subject submitted the request electronically, the information may also have to be provided electronically, unless the data subject requests otherwise.

7.4. If the data manager does not take any action based on the request of the data subject, he must inform the data subject of the reasons for the failure to take action no later than one month after the receipt of the request, or that the data subject may lodge a complaint with any supervisory authority and he may exercise his right to a judicial remedy.

7.5. The Company, as the data manager, provides information under Articles 13 and 14 of the Regulation and information on the rights of the data subject (Articles 15-22 and 34 of the Regulation) and the action free of charge. If the data subject’s request is clearly unfounded or excessive, particularly because of its repetitive nature, the action based on the request may be denied, taking into account the administrative costs of providing the requested information or providing the information or the requested action.

Proving that the request is clearly unfounded or excessive in character is a burden on the data manager.

7.6. If the Company, as data manager, has reasonable concerns about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the person concerned.