PRIVACY POLICY
ON THE RIGHTS OF NATURAL PERSONS 
REGARDING THE PROCESSING OF THEIR PERSONAL DATA

CONTENTS

INTRODUCTION

CHAPTER 1 – NAME OF THE DATA CONTROLLER

CHAPTER 2 – DATA PROCESSORS

CHAPTER 3 – PROCESSING OF EMPLOYEES’ PERSONAL DATA

  1. Labour and personnel records
  2. Processing related to medical tests, handling of sensitive data
  3. Processing of data of employees applying for hiring, applications, CVs

CHAPTER 4 – PROCESSING RELATED TO CONCLUSION OR PERFORMANCE OF CONTRACTS

  1. Processing of contracting partners’ data, registers of customers, suppliers 
  2. Contact details of natural persons representing legal persons (clients, customers, suppliers)

CHAPTER 5 – PROCESSING NECESSARY FOR COMPLIANCE WITH LEGAL OBLIGATIONS

  1. Processing for fulfillment of taxation and accounting requirements
  2. Processing by authorised social security agents
  3. Processing for records of permanent value according to the Act on Public Archives

CHAPTER 6 – PROCESSING NECESSARY FOR THE PURPOSES OF THE LEGITIMATE INTERESTS

CHAPTER 7 – SUMMARY INFORMATION ON THE RIGHTS OF DATA SUBJECTS

CHAPTER 8 – DETAILED INFORMATION ON THE RIGHTS OF DATA SUBJECTS

CHAPTER 9 – PRESENTATION OF THE APPLICATION OF DATA SUBJECTS, MEASURES OF THE DATA CONTROLLER

INTRODUCTION

According to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), the Data Controller shall implement appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, as well as to facilitate the exercise of data subject rights.

The right of prior information of the data subject is regulated by the Act CXII of 2011 on the right to informational self-determination and on the freedom of information.

With the information provided below, our company complies with these legal obligations.

The present Privacy Policy shall be published on the Company’s website and/or shall be sent to the data subject at his or her request.

CHAPTER 1

NAME OF THE DATA CONTROLLER

The publisher of this Privacy Policy and the Data Controller:

NAME OF THE COMPANY: „SAM-PERSSON” Ltd.
REGISTERED OFFICE: H-8800 Nagykanizsa, Báthory utca 18. fszt. 7., Hungary
TAXATION NUMBER: 10476936-2-20
COMPANY REGISTRATION NUMBER: 20-09-065547
REPRESENTED BY: Adél Scheibelhoffer managing director 
  (hereinafter referred to as Company or Data Controller)

CHAPTER 2 

DATA PROCESSORS

Data Processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller (Article 4 (8) of Regulation).

The engaging of a data processor does not require the prior consent of the data subject, but the data subject must be informed of it.

Accordingly, in case the Company engages a data processor to process the data of the data subject (including, inter alia, natural and legal persons providing IT, accounting, delivery or security services to the Company), it shall inform the data subject about the data of the data processor.

CHAPTER 3

PROCESSING OF EMPLOYEES’ PERSONAL DATA

  1. Labour and personnel records

(1) The employer shall keep and record only those personal data of employees (including the medical examinations) which are necessary for the establishment, maintenance and termination of employment or the provision of social welfare benefits and which do not infringe the employee’s personal rights.

(2) The Company shall process the following data of the employee for the purpose of establishing, maintaining or terminating an employment relationship for the purpose of enforcing the legitimate interests of the employer [Article 6 (1) (f) of Regulation]:

1. Name 

2. Birth name

3. Date of birth

4. Mother’s name

5. Address

6. Citizenship

7. Tax identification number

8. Social security number

9. Pensioner registration number (in case of a retired employee)

10. Phone number

11. E-mail address

12. Bank account number

13. Starting and ending date of the employment relationship

14. Position

15. Copy of documents certifying education and professional qualifications

16. Photo

17. Curriculum vitae

18. Amount and data of wages, salaries and other benefits

19. Any debt to be deducted from the employee’s salary on the basis of a final decision or law or his / her written consent and the right of such deduction

20. Evaluation of the employee’s work

21. Method of and reasons for termination of employment

22. Summary of the suitability tests

23. In the case of membership of a private pension fund and/or a voluntary mutual insurance fund, the name of the fund, the identification number and the membership number of the employee

24. Passport number in the case of a foreign worker; the name and number of the document certifying his or her right to work

25. Data recorded in accident records of an employee

26. Data required for the use of the welfare services or commercial accommodation.

(3) The employer shall process the data concerning the employee’s illness and trade union membership only for the purpose of performing the rights and obligations specified in the Labour Code. Depending on the position, the Company may ask the employee to present his or her official „certificate of good conduct”, however, it may not be copied. 

(4) Recipients of personal data: employer’s manager, individual exercising the employer’s rights, members of staff and processors of the Controller performing HR jobs, and the data processors.

(5) Duration of storage of personal data: 5 years after the termination of employment. 

Nevertheless, the Company is obliged to keep the documents concerning the employment and social security affiliation related to the employee’s social insurance legal relationship for 5 years after reaching the age of retirement applicable to the employee or former employee in question.

(6) The data subject must be informed prior to the commencement of the data processing that it is based on the Labour Code and the enforcement of the legitimate interests of the employer or based on a legal obligation.

2. Processing related to medical tests, handling of sensitive data

(1) Employees may be subjected only to an eligibility examination which is provided for by a rule for employment, or which is required to exercise a right or to meet an obligation defined by a rule for employment. Prior to the test, employees must be informed in detail of the skill or ability which will be assessed during the aptitude test and of the means and methods involved in the test. When the test is required by law, the employees must also be informed of the title of the legal regulation and the exact provisions therein.

(2) The employer may have the employees complete the test sheets determining suitability and preparedness either before establishing or during employment.

(3) Larger groups of employees can only be asked to complete test sheets clearly related to employment and suitable for establishing psychological or personal traits in the interest of ensuring more effective performance and organisation of work processes if the data revealed cannot be linked to specific employees, i.e. data are processed anonymously.

(4) Scope of personal data that may be processed: the fact of job suitability and the required conditions thereof.

(5) Legal basis of the processing: performance of the employment contract or enforcement of the legitimate interests of the employer.

(6) Purpose of the processing: establishment or maintenance of employment, to fill the position. 

(7) Recipients or categories of recipients of the personal data: The result of the examination can be made known to the examined employees and the professional who carried out the examination. The employer may receive only information on whether the tested individual is suitable or not for the job, and the conditions that have to be provided for it. However, the details of the test and its entire documentation shall not be disclosed to the employer.

(8) Duration of processing of personal data: 5 years after the termination of employment, while the period of storage of occupational health data as part of the medical records is at least 30 years from the data collection, at least 50 years as part of the final report. 

(9) Special categories of personal data (hereinafter referred to as sensitive data) may be processed only in the case of the exceptions provided for in Article 9 (2) of the Regulation. Sensitive data shall be processed in particular by the explicit consent of the data subject and in the event that the processing requires prior medical or occupational health objectives, the assessment of the employee’s ability to work, medical diagnosis, medical or social care or treatment, or the management of health or social systems and services.

3. Processing of data of employees applying for hiring, applications, CVs

(1) Scope of personal data that may be processed: name, date and place of birth, mother’s name, address, qualification, photo, phone number, e-mail address of the applicant as well as notes prepared by the employer (if any). 

(2) Purpose of the processing: evaluation of the application/proposal, conclusion of employment contract. The data subject shall be informed if the employer has not chosen him or her for the position.

(3) Legal basis of the processing: the consent of the data subject according to Article 6 (1) a) of the Regulation.

(4) Recipients or categories of recipients of the personal data: manager authorized to exercise the rights of employer at the Company, employees responsible for labour duties.

(5) Duration of processing of personal data: The Company will store the data for a maximum of 90 days after the evaluation of the application or proposal. The personal data of non-selected applicants shall be deleted within 90 days of the evaluation of the application/proposal. The employer shall delete the data of the person concerned who has withdrawn his/her application within 3 working days of being notified of the withdrawal.

(6) The employer may retain applications only with the express, explicit and voluntary consent of the data subject, provided that their retention is necessary to achieve the purpose of the processing in accordance with the law. This consent must be requested from applicants once the recruitment procedure has been completed.

CHAPTER 4

PROCESSING RELATED TO CONCLUSION OR PERFORMANCE OF CONTRACTS

1. Processing of contracting partners’ data, registers of customers, suppliers 

(1) The Company, under the title of performing the contract, for the purpose of concluding, performing and terminating the contract and providing contractual discounts, processes the name, name at birth, date of birth, mother’s name, address, tax identification number, taxation number, number of sole trader’s or primary producer licence, ID card number, address, address of registered office and business site, phone number, e-mail address, website address, bank account number, customer code (client code, order code), online ID (list of customers, suppliers, regular customer lists) of natural persons who entered into a contract with it as customers or suppliers. This processing is also considered lawful if the data processing is necessary to take action at the request of the data subject prior to the conclusion of the contract. 

Recipients of personal data: Employees of the company in position of customer service, accounting, administration and data processors. Period of storage of personal data: 5 years after termination of the contract. 

(2) Prior to the commencement of the processing, the natural person concerned shall be informed that the processing is based on the right of execution of the contract and that the information may be provided in the contract. The data subject shall be informed of the transfer of his or her personal data to the data processor.

2. Contact details of natural persons representing legal persons (clients, customers, suppliers)

(1) Scope of personal data that may be processed: name, address, phone number, e-mail address, online ID of the natural person. 

(2) Purpose of the processing: fulfillment of the contract concluded with the partner of the Company, business relations.

(3) Legal basis of the processing: fulfillment of the contract, enforcement of the legitimate interests of the Company, consent of the data subject.

(4) Recipients or categories of recipients of the personal data: employees of the Company performing customer service tasks.

(5) Period of storage of personal data: 5 years after the end of the business relationship or the status of the representative of data subject.

CHAPTER 5

PROCESSING NECESSARY FOR COMPLIANCE WITH LEGAL OBLIGATIONS

1. Processing for fulfillment of taxation and accounting requirements

(1) The Company processes the data of natural persons entering into a business relationship with it as a customer or supplier for the purpose of fulfilling the taxation and accounting obligations (bookkeeping, taxation) prescribed by the applicable legislation.

(2) Legal basis of the processing of given personal data for the purpose of fulfilling the taxation and accounting obligations is the fulfilment of taxation and accounting legal requirements. The period of storage of personal data concerned: 8 years after the end of the legal relationship.

(3) Recipients or categories of recipients of the personal data: employees and data processors of the Company performing taxation, accounting, payroll and social security tasks.

2. Processing by authorised social security agents

(1) In order to fulfil its legal obligations, the Company processes the personal data of the relevant data subjects – employees, employees’ family members, recipients of other benefits – required by law for the fulfilment of statutory taxation and contribution obligations (assessment of tax, tax advance, contributions, payroll accounting, social security, pension administration). 

The scope of the processed data is determined by the legislation in force on the taxation system, with special emphasis on the natural identity data of the natural person (including his/her previous name and title, gender, citizenship, taxation identification number, social security number). In case the relevant laws on taxation impose legal consequences on this, the Company may also process the data of the employees regarding their health and trade union membership for the purpose of fulfilling taxation and contribution obligations (payroll accounting, social security administration).

(2) The period of storage of personal data concerned: 8 years after the end of the legal relationship. 

(3) Recipients or categories of recipients of the personal data: employees and data processors of the Company performing taxation, accounting, payroll and social security tasks.

3. Processing for records of permanent value according to the Act on Public Archives

(1) In order to fulfil its legal obligations, the Company processes its documents considered to be of lasting value according to the regulations of the Act LXVI of 1995 on Public Documents, Public Archives and the Protection of Private Archival Material (hereinafter referred to as Archives Act) to ensure that the permanent part of the Company’s archival material remains intact and usable for future generations. The period of storage of data: until handed over to the public archives.

(2) The recipients of the personal data and other issues concerning data processing are governed by the Archives Act. 

CHAPTER 6

PROCESSING NECESSARY FOR THE PURPOSES OF THE LEGITIMATE INTERESTS

(1) The Company is entitled to process personal data pursuant to Article 6 (f) of the Regulation, if the processing is necessary to enforce the legitimate interests of the data controller or a third party.

(2) The Company provides information on the data processing activities related to protection against COVID (including the legal basis and purpose of the data processing, the scope and period of the processed personal data, the measures taken to protect the data, the exercise of the rights of the data subjects and the possibilities of enforcing them) through a separate Data Protection Information.

CHAPTER 7

SUMMARY INFORMATION ON THE RIGHTS OF DATA SUBJECTS

For the sake of clarity and transparency, this chapter briefly summarizes the data subject’s rights. 

Right to prior information

The data subject shall have the right to be informed of the requirements and conditions of the processing of personal data prior to the collecting and processing of his or her personal data.


Right of access by the data subject

The data subject shall have the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data and all the relevant information listed in the Regulation.

Right to rectification

The data subject has the right, taking into account the purposes of the processing, to request the correction of inaccurate personal data and completion of incomplete personal data without undue delay, including by means of a supplementary declaration. 

Right to erasure („right to be forgotten”)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds specified in the Regulation applies.

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where the conditions specified in the Regulation are fulfilled.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

In case the data subject has the right to rectification, erasure or restriction of processing, the data controller is required to communicate this rectification, erasure or restriction to all recipients to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.

Right to data portability

According to the terms of the Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

In exercising the right to data portability under this chapter, the data subject shall have the right, if technically feasible, to request the direct transfer of personal data between data controllers.

Right to object

Each data subject shall have the right to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6 (1) of the Regulation, including profiling based on those provisions.

In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or the processing serves to assert, exercise or defend legal claims. 

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

Restrictions

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard and in addition complies with the provisions of Article 23 of the Regulation.

Communication of personal data breaches to data subjects

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of their residence, place of work or place of alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

Right to an effective judicial remedy against a supervisory authority

Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

Right to an effective judicial remedy against a controller or processor

Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.

CHAPTER 8

DETAILED INFORMATION ON THE RIGHTS OF DATA SUBJECTS

Detailed information on the rights of data subjects is provided in this chapter.

Right to prior information

The data subject shall have the right to be informed of the requirements and conditions of the processing of personal data prior to the collecting and processing of his or her personal data.

A) Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6 (1) of the Regulation, the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1) of the Regulation, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

B) Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49 (1) of the Regulation, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6 (1) of the Regulation, the legitimate interests pursued by the controller or by a third party;

(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d) where processing is based on point (a) of Article 6 (1) or point (a) of Article 9 (2) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 (1) of the Regulation or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2) of the Regulation, and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21 (1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the Regulation;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the Regulation.

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3) of the Regulation;

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the Regulation in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21 (1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1) of the Regulation; and

(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) of the Regulation, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

(c) is based on the data subject’s explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9 (1) of the Regulation, unless point (a) or (g) of Article 9 (2) of the Regulation applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 of the Regulation, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

(Article 23 of the Regulation)

Communication of a personal data breach to the data subject

1.  When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of Article 34 of the Regulation shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33 (3) of the Regulation.

3.  The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Right to lodge a complaint with a supervisory authority

1.  Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.

2.  The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the Regulation.

3. In the event of a violation of his or her rights the data subject may apply to the competent court (which is the Budapest Capital Regional Court in Budapest) according to Paragraph 22 of the Act CXII of 2011 on the right to informational self-determination and on the freedom of information.

Remedies and complaints can also be lodged with the Hungarian National Authority for Data Protection and Freedom of Information.

Name: Hungarian National Authority for Data Protection and Freedom of Information.

Registered office: H-1055 Budapest, Falk Miksa u. 9-11., Hungary

P.O. Box: H-1363 Budapest, Pf.: 9.

Postal address: ugyfelszolgalat@naih.hu

Web: www.naih.hu

Phone number: +36 (1) 391-1400

E-mail: ugyfelszolgalat@naih.hu

Right to an effective judicial remedy against a supervisory authority

1.  Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77 of the Regulation.

3.  Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4.  Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the Regulation.

2.  Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

CHAPTER 9

SUBMISSION OF DATA SUBJECT’S REQUEST, 

MEASURES OF THE CONTROLLER

1. The controller shall provide the information related to the action taken on a data subject’s request without undue delay and no later than one month after having received the request.

2. In the event that a request is complex, the compliance period can be extended by two months. In this case the controller shall inform the data subject of the reason for the delay within one month of receiving the request. 

3. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5.  Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 of the Regulation shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee of EUR 20 (twenty Euros); or

(b) refuse to act on the request.

6. Where the controller has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the data subject.

© 2023 Sam Persson Ltd.