PREAMBLE
Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter “the Regulation”) on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46, provides that the Data Controller takes appropriate measures to provide the data subject with all information concerning the processing of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, and that the Data Controller facilitates the exercise of the data subject’s rights.
The obligation to inform the data subject in advance is also required by Act CXII of 2011 on the right to informational self-determination and freedom of information.
We comply with this legal obligation by providing the information below.
The information shall be published on the company’s website or sent to the person concerned upon request.
CHAPTER I. – NAME OF THE DATA CONTROLLER
The publisher of this information, as well as the Data Controller:
• Company name: Packers Energo Light Kft. (hereinafter: the Company)
CHAPTER II. – NAMES OF DATA PROCESSORS
Data processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; (Article 4 (8) of the Regulation)
The use of a data processor does not require the prior consent of the data subject, but the data subject must be informed of it. Accordingly, we provide the following information:
1. IT service providers of the Company
Our Company uses a data processor to maintain and manage its website. The data processor provides the IT services (hosting service) and, in this context, for the duration of our contract with it, processes the personal data provided on the website; the operation it performs is storing personal data on the server.
Details of the service provider:
- Company name: Pegaton Studio Kft
- Address: 2700 Cegléd, Lajos u. 9.
- Company reg. no.: 13-09-131495
- TAX no.: 14904206-1-13
- Represented by: Barsi Erzsébet
2. Accounting service provider of our company
In order to fulfill its tax and accounting obligations, our Company uses an external service provider under an accounting service contract, which also handles the personal data of natural persons in a contractual or payer relationship with the Company.
Name of this data processor:
• Company name:
• Headquarters:
3. Postal services, delivery, parcel delivery
These data processors receive from our Company the personal data necessary for the delivery of the ordered product (name, address, telephone number of the person concerned) and use it to deliver the product.
These providers:
– Hungarian Post
– Various courier service
• Company name:
• Headquarters:
4. Security service provider
On behalf of our Company, the data processor – for the duration of our contract with it – carries out workplace camera surveillance, entry and exit control, and the data management related to them.
Name of the service provider:
• Company name:
• Headquarters:
CHAPTER III. – EMPLOYMENT DATA MANAGEMENT
1. Labor and personnel records
(1) Only such data may be requested and retained from employees, and only such occupational medical aptitude tests carried out, as are necessary to establish and maintain an employment relationship and to provide social welfare benefits, and as do not infringe the employee’s personal rights.
(2) On the basis of enforcing the legitimate interests of the employer (Article 6 (1) (f) of the Regulation), the Company manages the following data of the employee for the purpose of the establishment, performance or termination of the employment relationship:
1. first name, 2. surname, 3. date of birth, 4. mother’s name
(3) Data on illness and trade union membership shall be managed by the employer only in order to exercise a right or perform an obligation specified in the Labor Code.
(4) Recipients of personal data: the head of the employer, the person exercising the employer’s rights, the employees of the Company performing employment duties, and the data processors.
(5) Only the personal data of senior employees may be transferred to the owners of the Company.
(6) Duration of storage of personal data: 3 years after termination of employment.
(7) Before the processing begins, the data subject shall be informed that the data management is based on the Labor Code and on the enforcement of the legitimate interests of the employer.
2. Data management related to aptitude tests
(1) Only such an aptitude test may be applied to the employee as is prescribed by an employment rule, or as is necessary to exercise a right or fulfill an obligation specified in an employment rule. Before the test, workers must be informed in detail, inter alia, of what skills and abilities the aptitude test is aimed at assessing, and of the means and method of the examination. If the test is required by law, the workers must also be informed of the title of the legislation and the exact place in the legislation.
(2) The employer may have employees fill out test sheets on work suitability and readiness both before the establishment of the employment relationship and during its existence.
(3) In order to carry out and organize clearly employment-related work processes more efficiently, a test sheet suitable for researching psychological or personality traits may be filled out with a larger group of employees only if the data that emerge during the analysis cannot be linked to individual employees, i.e. the data are processed anonymously.
(4) The range of personal data that can be processed: the fact of suitability for the job, and the necessary conditions for this.
(5) Legal basis for data processing: legitimate interest of the employer.
(6) The purpose of the processing of personal data: establishing and maintaining an employment relationship, filling a job.
(7) Recipients or categories of recipients of personal data: the test results may be known to the tested workers and to the specialist conducting the test. The employer may receive only the information whether or not the person tested is fit for the work, and what conditions must be provided for this. The details of the test and its full documentation are not available to the employer.
(8) Duration of processing of personal data: 3 years after termination of employment.
3. Management of data of employees applying for hiring, applications, CVs
(1) The scope of personal data that can be processed: the name of the natural person, place and date of birth, mother’s name, address, qualifications, photo, telephone number, email address, employer’s record of the applicant (if any).
(2) The purpose of the processing of personal data: application, assessment of the application, concluding an employment contract with the selected applicant. The data subject must be informed if the employer did not choose him or her for the job.
(3) Legal basis for data processing: consent of the data subject.
(4) Recipients or categories of recipients of personal data: the manager authorized to exercise the employer’s rights at the Company, and the employees performing labor-related tasks.
(5) Duration of storage of personal data: until the application or tender is assessed. The personal data of non-selected candidates must be deleted. The data of the person who applied must also be deleted.
(6) The employer may retain applications only with the express, unambiguous and voluntary consent of the data subject, provided that their retention is necessary to achieve the purpose of data processing in accordance with the law. This consent should be requested from applicants after the conclusion of the recruitment procedure.
4. Data management related to e-mail account usage control
(1) If the Company provides an e-mail account to the employee, the employee may use this e-mail address and account only for his or her job duties, so that employees can keep in contact with each other through it or correspond on behalf of the employer with customers, other persons and organizations.
(2) The employee may not use the e-mail account for personal purposes. Personal messages may not be stored in the account.
(3) The employer is entitled to check the full content and use of the e-mail account regularly – every 3 months; the legal basis of this data management is the legitimate interest of the employer. The purpose of the check is to monitor compliance with the employer’s provision on the use of the e-mail account and to control the fulfillment of employee obligations (§ 8, § 52 of the Labor Code).
(4) The head of the employer or the person exercising the employer’s rights is entitled to carry out the inspection.
(5) Where the circumstances of the inspection do not preclude this, it must be ensured that the employee can be present during the inspection.
(6) Prior to the inspection, the worker must be informed of:
– what interest of the employer makes the inspection necessary,
– who can carry out the inspection on behalf of the employer,
– according to which rules the inspection can be carried out (adherence to the principle of gradation) and what the procedure is,
– what rights and remedies the employee has in connection with the data management related to the e-mail account.
(7) The principle of gradation should be applied during the inspection; thus, it must be established primarily from the e-mail address and subject whether the message is related to the employee’s job function and is not for personal use. Nor may the employer examine the content of personal e-mails without restriction.
(8) If it can be established that, contrary to the provisions of these regulations, the employee used the e-mail account for personal purposes, the employee must be called on to delete the personal data immediately. In the absence of the employee or of his or her cooperation, the personal data will be deleted by the employer during the inspection. The employer may impose employment law consequences on the employee for using the e-mail account contrary to these regulations.
(9) In connection with the data management associated with the inspection of the e-mail account, the employee may exercise the rights described in the chapter on the rights of the data subject in this Privacy Policy.
5. Data management and control related to computer, laptop and tablet
(1) The computer, laptop or tablet provided by the Company to the employee for the purpose of work may be used by the employee only for the performance of his / her job duties; their private use is prohibited by the Company, and the employee may not handle or store any personal data or correspondence on these devices. The employer can check the data stored on these devices. The provisions of Section 1.4 above shall apply to the control of these devices by the employer and its legal consequences.
6. Data management related to the control of Internet use at work
(1) The employee may only view websites related to his / her job duties, the use of the Internet for personal purposes at work is prohibited by the employer.
(2) The Company is the owner of the internet registrations performed on behalf of the Company as a job task, during the registration the identifier and password referring to the company shall be used. If the provision of personal data is also necessary for the registration, the Company is obliged to initiate their deletion upon the termination of employment.
(3) The employee’s use of the Internet at work may be controlled by the employer; the provisions of Section 1.4 shall apply to this control and its legal consequences.
7. Data management related to the control of the use of a company mobile phone
(1) The employer does not allow the company mobile phone to be used for private purposes; the mobile phone may be used only for work-related purposes, and the employer may check the number and details of all outgoing calls, as well as the data stored on the mobile phone.
(2) The employee must notify the employer if he or she has used the company mobile phone for private purposes. In this case, the control can be carried out in such a way that the employer requests a call detail record from the phone service provider and calls on the employee to make the numbers dialed in private calls unrecognizable on the document. The employer may require that the costs of private calls be borne by the employee.
(3) In other respects, the provisions of Section 1.4 shall apply to the control and its legal consequences.
8. Workplace entry and exit data management
(1) Where an access control system (non-electronic) is operated, information must be displayed on the identity of the controller and on how the data are processed.
(2) The scope of personal data that can be processed: the name and address of the natural person, car registration number, entry, exit time.
(3) Legal basis of data management: enforcement of the legitimate interests of the employer.
(4) The purpose of the processing of personal data: protection of property, contract
monitoring the fulfillment of employee obligations.
(5) Recipients of personal data: the manager authorized to exercise the employer’s rights at the Company, the Company’s data processor, and the employees of the property protection agent.
(6) Duration of storage of personal data: 6 months
9. Data management related to workplace camera surveillance
(1) Our Company uses an electronic monitoring system at its headquarters, at its premises and in the rooms open to the reception of customers for the protection of human life, physical integrity, personal freedom, trade secrets and property; the system also enables the recording of images, sound, or images and sound. Based on this, the behavior of the data subject recorded by the camera can also be considered personal data.
(2) The legal basis for this data processing is the enforcement of the legitimate interests of the employer and the consent of the data subject.
(3) A warning sign and information on the fact of the use of the electronic monitoring system in a given area shall be placed in a clearly visible place, in a clearly legible manner, in a manner that facilitates the information of third parties wishing to appear in the area. The information must be provided for each camera. This information shall include the fact of the monitoring carried out by the electronic security system, the purpose of making and storing the image and sound recordings containing personal data recorded by the system, the legal basis of data management, the place of storage, the duration of storage, the identity of the system operator, the persons entitled to access the data, as well as the provisions concerning the rights of the data subjects and the procedure for their enforcement.
(4) Images and sound recordings of third parties (customers, visitors, guests) entering the monitored area may be taken and managed with their consent. Consent may also be given by implied conduct. Implied conduct is, in particular, when the natural person present enters the monitored area despite an indication or description of the use of the electronic monitoring system deployed there.
(5) The recorded recordings may be stored for a maximum of 3 (three) working days when not in use. Use is defined as the use of recorded video, sound or image and sound recordings, and other personal data as evidence in court or other official proceedings.
(6) A person whose right or legitimate interest is affected by the recording of image, sound, or image and sound recording data may request, within three working days from the recording of the image, sound, or image and sound recording, by proving his or her right or legitimate interest, that the data not be destroyed or deleted by its operator.
(7) An electronic monitoring system may not be used in a room where monitoring may infringe human dignity, in particular in changing rooms, showers, toilets or, for example, in a medical room or waiting room, or in a room where workers may take breaks from work.
(8) If no one may be legally present in the workplace, in particular outside working hours or on public holidays, the entire area of the workplace (such as changing rooms, toilets, rooms designated for breaks) may be observed.
(9) In addition to those authorized by law, the operating staff, the head and deputy head of the employer, as well as the workplace manager of the monitored area are entitled to view the data recorded by the electronic monitoring system in order to detect violations and control the operation of the system.
CHAPTER IV – DATA PROCESSES CONCERNING CONTRACTS
1. Data management of contracting partners – records of customers and suppliers
(1) On the legal title of performance of the contract, and in order to conclude, fulfill and terminate the contract and to provide a contractual discount, the Company manages the following data of the natural person contracted with it as a buyer or supplier: name, date of birth, mother’s name, address, tax identification number, tax number, entrepreneur or primary producer card number, identity card number, address, registered office, premises, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online ID (list of customers, suppliers, frequent purchase lists). This data processing is considered lawful even if it is necessary to take steps at the request of the data subject before concluding the contract. Recipients of personal data: the employees of the Company performing customer service tasks, the employees performing accounting and taxation tasks, and the data processors. Duration of management of personal data: 5 years after the termination of the contract.
(2) Before the processing begins, the data subject shall be informed that the data management is based on the legal title of performance of the contract; this information can also be given in the contract.
(3) The data subject shall be informed of the transfer of his or her personal data to a data processor.
2. Contact details of the natural person representatives of legal person customers, buyers and suppliers
(1) The scope of personal data that can be processed: the name and address of the natural person, phone number, email address, online ID.
(2) The purpose of the processing of personal data: fulfillment of the contract concluded with the Company’s legal entity partner, business relations; legal basis: consent of the data subject.
(3) Recipients or categories of recipients of personal data: employees of the Company performing customer service related tasks.
(4) Duration of storage of personal data: for 5 years after the end of the business relationship or of the term of office of the person concerned.
3. Visitor data management on the Company’s website
(1) Cookies are short data files that a visited website places on the user’s computer. The purpose of the cookie is to facilitate the given info-communication or internet service and make it more convenient. There are many varieties, but they can usually be classified into two large groups. One is the temporary cookie, which the website places on the user’s device only during a specific session (e.g. for the security identification of an Internet banking session); the other type is the persistent cookie (e.g. the language setting of a website), which remains on the computer until the user deletes it. According to the European Commission guidelines, cookies [unless they are strictly essential to use the given service] can be placed on the user’s device only with the user’s permission.
(2) In the case of cookies that do not require the user’s consent, information should be provided during the first visit to the website. It is not necessary for the full text of the cookie information to be published on the website; it is sufficient if the website operators briefly summarize the substance of the information and provide a link to where the full information notice is available.
(3) In the case of cookies requiring consent, the information may also be linked to the first visit to the website if the data management associated with the use of cookies already starts with the visit to the site. If the cookie is used in connection with a function specifically requested by the user, the information can also be displayed in connection with the use of this function. In this case, too, it is not necessary for the full text of the cookie information to be published on the website; a brief summary of the substance of the information and a link to where the full information notice is available will suffice.
4. Information about the use of cookies
(1) In accordance with the general internet practice, our Company also uses cookies on its website. A cookie is a small file that contains a series of characters that are placed on a visitor’s computer when it visits a website. When you visit that site again, the cookie allows the site to recognize the visitor’s browser. Cookies can also store user settings (eg selected language) and other information. Among other things, they collect information about the visitor and his device, memorize the visitor’s individual settings, they can be used e.g. when using online shopping carts. Cookies generally facilitate the use of the website, help the website provide a real web experience for users and provide an effective source of information, and ensure that the website operator monitors the operation of the website, prevents abuse and ensures the smooth and appropriate quality of the website.
(2) The website of our company records and manages the following data about the visitor and the device used by him / her when using the website:
• the IP address used by the visitor,
• the type of browser,
• the characteristics of the operating system of the device used to browse (set language),
• the time of the visit,
• the (sub) page, function or service visited.
(3) Acceptance and authorization of the use of cookies are not mandatory. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. Although most browsers automatically accept cookies by default, they can usually be changed to prevent automatic acceptance and offer a choice each time.
You can find information about the cookie settings of the most popular browsers at the following links:
• Google Chrome:
https://support.google.com/accounts/answer/61416?hl=hu
• Firefox:
https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11:
http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10:
http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9:
http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8:
http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge:
http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari:
https://support.apple.com/hu-hu/HT201265
However, please note that some website features or services may not work properly without cookies.
(4) The cookies used on the website are not in themselves suitable for identifying the user.
(5) Cookies used on the company’s website:
1. Technically essential session cookies
These cookies are necessary for visitors to browse the website, to use its functions smoothly and fully, the services available through the website, and, in particular, to note the visitor’s actions on those pages during a visit. The duration of the processing of these cookies only applies to the current visit of the visitor, this type of cookies is automatically deleted from your computer when the session is closed or the browser is closed.
The managed data set: AVChatUserId, JSESSIONID, portal_referer.
The legal basis for this data management is § 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Elkertv.).
The purpose of data management is to ensure the proper functioning of the website.
2. Consent Cookies:
These provide an opportunity for the Company to remember the user’s choices regarding the Website. The visitor may prohibit this data processing at any time before and during the use of the service. This data may not be linked to the user’s identification data and may not be passed on to third parties without the user’s consent.
2.1. Useful cookies:
The legal basis for data management is the visitor’s consent.
The purpose of data management: To increase the efficiency of the service, to increase the user experience, to make the use of the website more convenient.
The duration of data management is 6 months.
2.2. Performance cookies:
Google Analytics cookies – Learn more here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google AdWords Cookies – Learn Here:
https://support.google.com/adwords/answer/2407785?hl=hu
CHAPTER V – LEGAL OBLIGATIONS
1. Data management for the purpose of fulfilling tax and accounting obligations
(1) The Company manages the data of natural persons who enter into business relations with it as a customer or supplier for the purpose of fulfilling tax and accounting obligations (accounting, taxation) prescribed by law. The data managed are, pursuant to § 169 and § 202 of Act CXXVII of 2017 on general sales tax, in particular: tax number, name, address, tax status; pursuant to § 167 of Act C of 2000 on Accounting: name, address, the indication of the person or organization ordering the economic operation, the signature of the person issuing the voucher and of the person certifying the implementation of the provision and, depending on the organization, of the inspector; on the receipts of stock movements and cash management receipts, the signature of the recipient; on the counter-receipts, the signature of the payer; pursuant to Act CXVII of 1995 on personal income tax: number of business card, number of primary producer card, tax identification mark.
(2) The period of storage of personal data is 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security tasks.
2. Payer data management
(1) In order to fulfill its legal obligations relating to personal income tax and contributions (contribution, tax advance, determination of contributions, payroll accounting, social security, pension administration), the Company manages the data of the persons concerned – employees, their family members, employed persons, recipients of other benefits – with whom it is related as payer (Act CL of 2017 on the Order of Taxation (Art.), § 7, point 31). The scope of the processed data is defined in Article 50 of the Art., with special emphasis on: natural personal identification data of the natural person (including the previous name and title), gender, citizenship, tax identification number of the natural person, social security identification sign (social security number). If the tax laws attach a legal consequence to it, the Company may manage data on health (§ 40 of the Personal Income Tax Act) and trade union membership (§ 47 (2) b) of the Personal Income Tax Act) for the purpose of fulfilling tax and contribution obligations (payroll accounting, social security administration).
(2) The period of storage of personal data is 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payer) tasks.
3. Data management for documents of lasting value according to the Archives Act
(1) In order to fulfill its legal obligation, the Company manages the documents qualifying as being of lasting value under Act LXVI of 1995 on Public Documents, Public Archives and the Protection of Private Archival Material (Archives Act), so that the part of the Company’s archival material that is of lasting value is preserved in good and usable condition for future generations. Data storage time: until delivery to the public archive.
(2) The Archives Act shall govern the recipients of personal data and other issues of data management.
CHAPTER VI. – SUMMARY INFORMATION ON THE RIGHTS OF THOSE CONCERNED
For the sake of clarity and transparency, this chapter briefly summarizes the data subject’s rights, details of which are provided in the next chapter.
The subject of the data has the right to be informed of the facts and information related to data processing before the data processing starts.
(Articles 13 to 14 of the Regulation)
Details are provided in the next section.
The data subject’s right of access
The data subject has the right to receive feedback from the Data Controller as to whether the processing of his / her personal data is in progress and, if such data processing is in progress, he/she has the right to access the personal data and related information specified in the Regulation.
(Article 15 of the Regulation).
Details are provided in the next section.
Right to rectification
The data subject has the right to have inaccurate personal data concerning him / her corrected by the Data Controller without undue delay at his / her request. Taking into account the purpose of the data processing, the data subject has the right to request that incomplete personal data be supplemented, inter alia, by means of a supplementary statement.
(Article 16 of the Regulation).
Right to erasure (“right to be forgotten”)
The data subject has the right to have the Data Controller delete personal data concerning him / her without undue delay at his / her request, and the Data Controller is obliged to delete personal data concerning the data subject without undue delay if any of the reasons specified in the Regulation exist.
(Article 17 of the Regulation)
Details are provided in the next section.
Right to restrict data processing
The data subject is entitled to have the Data Controller restrict the data processing at his or her request if the conditions specified in the Regulation are met.
(Article 18 of the Regulation)
Details are provided in the next section.
Notification obligation related to the correction or deletion of personal data or restrictions on data processing
The Data Controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure, or restriction of data processing unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the data subject of these recipients.
(Article 19 of the Regulation)
The right to data portability
Subject to the conditions set out in the Regulation, the data subject is entitled to receive personal data concerning him/her that he/she has made available to a Data Controller in a structured, widely used, machine-readable format and to transfer such data to another Data Controller without hindrance from the Data Controller to whom he/she has provided the personal data.
(Article 20 of the Regulation)
Details are provided in the next section.
Right to object
The data subject has the right to object at any time, for reasons related to his / her situation, to the processing of his / her personal data based on Article 6 (1) (e) of the Regulation (data management necessary for the performance of a task in the public interest or in the exercise of a public authority conferred on the Data Controller) or (f) (data management necessary to enforce the legitimate interests of the Data Controller or a third party).
(Article 21 of the Regulation)
Details are provided in the next section.
Automated decision making in individual cases, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which would have legal effects on him or her or would similarly significantly affect him or her.
(Article 22 of the Regulation)
Details are provided in the next section.
Limitations
Union or Member State law applicable to the controller or processor may restrict the application of Articles 12 to 22 by means of legislative measures. Articles 34 and 34 and Articles 12 to 22. in accordance with the rights and obligations set out in Article
(Article 23 of the Regulation)
Details are provided in the next section.
Informing the data subject about the data protection incident
If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the data protection incident without undue delay.
(Article 34 of the Regulation)
Details are provided in the next section.
Right to complain to the supervisory authority (right to official redress)
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the suspected infringement, if he or she considers that the processing of personal data infringes the Regulation.
(Article 77 of the Regulation)
Details are provided in the next section.
Right to an effective judicial remedy against the supervisory authority
All natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority, or if the supervisory authority does not deal with the complaint or does not inform the data subject within three months of the progress or outcome of the complaint.
(Article 78 of the Regulation)
Details are provided in the next section.
The right to an effective judicial remedy against the controller or processor
All data subjects shall have the right to an effective judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the improper processing of their personal data.
(Article 79 of the Regulation)
Details are provided in the next section.
CHAPTER VII. – DETAILED INFORMATION ON THE RIGHTS OF DATA SUBJECTS
Right to prior information
The data subject has the right to be informed of the facts and information related to the data processing before the data processing starts.
A) Information to be provided if personal data are collected from the data subject
1. If personal data concerning the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:
(a) the identity and contact details of the controller and, if any, of the controller’s representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purpose of the intended processing of the personal data and the legal basis for the processing;
(d) in the case of processing based on Article 6 (1) (f) of the Regulation (enforcement of a legitimate interest), the legitimate interests of the controller or of a third party;
(e) where applicable, the recipients of the personal data or the categories of recipients, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of a Commission decision on adequacy or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable guarantees and a reference to the means of obtaining a copy of them.
2. In addition to the information referred to in point 1, the controller shall inform the data subject of the following additional information at the time the personal data are obtained, in order to ensure fair and transparent data processing:
(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
(b) the data subject’s right to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data and the data subject’s right to data portability;
(c) in the case of processing based on Article 6 (1) (a) (consent of the data subject) or Article 9 (2) (a) (consent of the data subject) of the Regulation, the right to withdraw the consent at any time, which does not affect the lawfulness of data processing carried out on the basis of consent before withdrawal;
(d) the right to lodge a complaint to the supervisory authority;
(e) whether the provision of personal data is based on a legal or contractual obligation or a precondition for the conclusion of a contract, whether the data subject is obliged to provide personal data and the possible consequences of non-disclosure;
(f) the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in those cases, comprehensible information on the logic used and on the significance of such processing and its expected consequences for the data subject.
3. If the controller intends to carry out further processing of personal data for a purpose other than that for which they were collected, it shall inform the data subject of that different purpose and of any relevant additional information referred to in paragraph 2 before further processing.
4. Points 1-3 shall not apply if and to the extent that the data subject already has the information.
(Article 13 of the Regulation)
B) Information to be provided if personal data have not been obtained from the data subject
1. If the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and contact details of the controller and, if any, of the controller’s representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purpose of the intended processing of the personal data and the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or to an international organization, and the existence or absence of a Commission decision on adequacy or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, an indication of the appropriate and suitable guarantees and a reference to the means of obtaining a copy thereof.
2. In addition to the information referred to in point 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data processing for the data subject:
(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
(b) where the processing is based on Article 6 (1) (f) of the Regulation (legitimate interest), the legitimate interests of the controller or of a third party;
(c) the data subject’s right to request from the controller access to, rectification, erasure or restriction of the processing of personal data concerning him or her and to object to the processing of personal data, as well as the data subject’s right to data portability;
(d) in the case of processing based on Article 6 (1) (a) (consent of the data subject) or Article 9 (2) (a) (consent of the data subject) of the Regulation, the right to withdraw the consent at any time, which does not affect the lawfulness of data processing carried out on the basis of consent before withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) the source of the personal data and, where applicable, whether the data come from publicly available sources; and
(g) the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in such cases, comprehensible information on the logic used and on the significance of such data processing and its expected consequences for the data subject.
3. The controller shall provide the information referred to in points 1 and 2 as follows:
(a) taking into account the specific circumstances of the processing of personal data, within a reasonable time from the receipt of the personal data, but no later than one month;
(b) if the personal data are used for the purpose of contacting the data subject, at least at the time of the first contact with the data subject; or
(c) if the data are expected to be communicated to another recipient, at the latest when the personal data are first communicated.
4. If the controller intends to process personal data for a purpose other than that for which they were obtained, it shall inform the data subject of that different purpose and of any relevant additional information referred to in point 2 before further processing.
5. Points 1-5 shall not apply if and to the extent that:
(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for the purposes of archiving in the public interest, for scientific and historical research or for statistical purposes, subject to the conditions and guarantees of Article 89 (1) of the Regulation, or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously jeopardize the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures, including making the information publicly available, to protect the rights, freedoms and legitimate interests of the data subject;
(c) the acquisition or communication of the data is expressly provided for by Union or Member State law applicable to the controller, which provides for appropriate measures to protect the legitimate interests of the data subject; or
(d) personal data must remain confidential under an obligation of professional secrecy imposed by a Union or Member State law, including a legal obligation of professional secrecy.
(Article 14 of the Regulation)
The data subject’s right of access
1. The data subject shall have the right to receive feedback from the Data Controller as to whether the processing of his or her personal data is in progress and, if such data processing is in progress, shall have the right to access the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom or with whom the personal data have been or will be communicated, including in particular recipients in third countries or international organizations;
(d) where applicable, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
(e) the data subject’s right to request the controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
(f) the right to lodge a complaint with a supervisory authority;
(g) if the data were not collected from the data subject, all available information on their source;
(h) the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in such cases, understandable information on the logic used and on the significance of such data processing and its expected consequences for the data subject.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall be entitled to be informed of the appropriate guarantees for the transfer in accordance with Article 46 of the Regulation.
3. The Data Controller shall provide the data subject with a copy of the personal data subject to data processing. The Data Controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.
(Article 15 of the Regulation)
Right to erasure (“right to be forgotten”)
1. The data subject shall have the right to have his or her personal data deleted without undue delay at his or her request, and the data controller shall be obliged to delete the personal data concerning him or her without undue delay if any of the following reasons exist:
(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;
(b) the data subject withdraws his or her consent under Article 6 (1) (a) or Article 9 (2) (a) of the Regulation and there is no other legal basis for the processing;
(c) the data subject objects to the processing pursuant to Article 21 (1) of the Regulation and there is no overriding legitimate reason to process the data, or the data subject objects to the processing pursuant to Article 21 (2);
(d) personal data have been processed unlawfully;
(e) personal data must be deleted in order to fulfill a legal obligation to which the controller is subject under applicable Union or Member State law;
(f) personal data have been collected in connection with the provision of information society services referred to in Article 8 (1) of the Regulation.
2. If the Data Controller has disclosed personal data and is obliged to delete it pursuant to point 1 above, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the Data Controllers processing the data that the data subject has requested the deletion of the links to the personal data in question or of any copy or duplicate of such personal data.
3. Points 1 and 2 shall not apply if the processing is necessary:
(a) for the purpose of exercising the right to freedom of expression and information;
(b) to fulfill an obligation under Union or Member State law applicable to the controller to process personal data or to carry out a task carried out in the public interest or in the exercise of a public authority conferred on the controller;
(c) in the public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the Regulation;
(d) in accordance with Article 89 (1) of the Regulation, for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in point 1 is likely to make such processing impossible or seriously jeopardize it; or
(e) to submit, assert or defend legal claims.
(Article 17 of the Regulation)
Right to restrict data processing
1. The data subject shall have the right to obtain from the Data Controller, at his or her request, the restriction of data processing if any of the following applies:
(a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period which allows the Data Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests that their use be restricted;
(c) the Data Controller no longer needs the personal data for the purpose of data processing, but the data subject requests them in order to submit, enforce or protect legal claims; or
(d) the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the data subject.
2. Where the processing is subject to a restriction pursuant to point 1, such personal data may, with the exception of storage, be processed only with the consent of the data subject, for the submission, enforcement or protection of legal claims, or in the important public interest of a Member State.
3. The Data Controller shall inform the data subject at whose request the data processing has been restricted pursuant to point 1 in advance of the lifting of the restriction.
(Article 18 of the Regulation)
The right to data portability
1. The data subject shall have the right to receive personal data concerning him or her, which he or she has made available to a Data Controller, in a structured, widely used, machine-readable format and to transfer such data to another Data Controller without hindrance from the Data Controller to whom the personal data were provided, if:
(a) the processing is based on a consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the Regulation or on a contract pursuant to Article 6 (1) (b); and
(b) the processing is carried out in an automated manner.
2. In exercising the right to data portability under point 1, the data subject shall have the right, if technically feasible, to request the direct transfer of personal data between Data Controllers.
3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
(Article 20 of the Regulation)
The right to object
1. The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6 (1) (e) of the Regulation (processing in the public interest or necessary for the performance of a public authority task) or (f) (processing necessary for the legitimate interests of the Data Controller or a third party), including profiling based on those provisions. In this case, the Data Controller may not further process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which are related to the submission, enforcement or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for that purpose, including profiling, in so far as it relates to direct marketing.
3. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for that purpose.
4. The right referred to in points 1 and 2 shall be explicitly brought to the attention of the data subject at the latest at the time of first contact and shall be displayed in a clear and separate manner from all other information.
5. In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.
6. Where personal data are processed for scientific and historical research or statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the processing of personal data concerning him or her on grounds relating to his or her situation, except if the processing is necessary for the performance of a task carried out in the public interest.
(Article 21 of the Regulation)
Automated decision making in individual cases, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which would have legal effects on him or her or would similarly significantly affect him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for the conclusion or performance of a contract between the data subject and the Data Controller;
(b) is governed by Union or Member State law applicable to the controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) is based on the express consent of the data subject.
3. In the cases referred to in points (a) and (c) of point 2, the Data Controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention and to file an objection to the decision.
4. The decisions referred to in point 2 may not be based on the special categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the data subject.
(Article 22 of the Regulation)
Limitations
1. EU or Member State law applicable to the controller or processor may restrict, by legislative measures, the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 of the Regulation, and in Article 5 in so far as its provisions correspond to the rights and obligations set out in Articles 12 to 22, provided that the restriction respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to protect:
(a) national security;
(b) national defense;
(c) public safety;
(d) the prevention, investigation, detection or prosecution of criminal offenses and the execution of criminal sanctions, including protection against and prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and fiscal matters, public health and social security;
(f) protection of judicial independence and judicial proceedings;
(g) in the case of regulated professions, the prevention, investigation, detection and prosecution of ethical misconduct;
(h) in the cases referred to in points (a) to (e) and (g), control, inspection or regulatory activity, even occasionally, in the exercise of official authority;
(i) the protection of the data subject or the protection of the rights and freedoms of others;
(j) enforcement of civil claims.
2. The legislative measures referred to in paragraph 1 shall, where appropriate, contain detailed provisions on at least:
(a) the purposes or categories of data processing,
(b) the categories of personal data,
(c) the scope of the restrictions imposed,
(d) guarantees to prevent misuse or unauthorized access or transmission,
(e) the specification of the Data Controller or of the categories of Data Controllers,
(f) the duration of the data retention and the applicable guarantees, taking into account the nature, scope and purposes of the processing or categories of processing,
(g) risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed of the restriction, unless this could adversely affect the purpose of the restriction.
(Article 23 of the Regulation)
Informing the data subject about the data protection incident
1. If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall, without undue delay, inform the data subject of the data protection incident.
2. The information provided to the data subject referred to in point 1 shall clearly and intelligibly describe the nature of the data protection incident and shall include at least the information and measures referred to in Article 33 (3) (b), (c) and (d) of the Regulation.
3. The data subject need not be informed as referred to in point 1 if any of the following conditions is met:
(a) the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular measures such as the use of encryption which make the data incomprehensible to persons not authorized to access the personal data;
(b) the Data Controller has taken further measures following the data protection incident to ensure that the high risk to the data subject’s rights and freedoms referred to in point 1 is no longer likely to materialize;
(c) the information would require a disproportionate effort. In such cases, the data subject shall be informed through publicly available information or a similar measure shall be taken to ensure that the data subject is informed in an equally effective manner.
4. If the Data Controller has not yet notified the data subject of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to present a high risk, order the data subject to be informed or establish that one of the conditions referred to in point 3 is met.
(Article 34 of the Regulation)
Right to complain to the supervisory authority
1. Without prejudice to other administrative or judicial remedies, any data subject shall have the right to complain to a supervisory authority, in particular in the Member State of his or her habitual residence, place of employment or place of the suspected infringement, if he or she considers that the processing of personal data concerning him or her infringes this Regulation.
2. The supervisory authority to which the complaint has been submitted shall inform the complainant of the progress of the complaint procedure and the outcome thereof, including the right of the complainant to seek judicial redress under Article 78 of the Regulation.
(Article 77 of the Regulation)
Right to an effective judicial remedy against the supervisory authority
1. Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the supervisory authority competent under Article 55 or 56 of the Regulation does not deal with the complaint or does not inform the person concerned within three months of the progress or outcome of the complaint.
3. Proceedings against the supervisory authority shall be brought before a court of the Member State in which the supervisory authority has its seat.
4. Where proceedings are instituted against a decision of a supervisory authority in respect of which the Board has previously issued an opinion or taken a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
(Article 78 of the Regulation)
The right to an effective judicial remedy against the controller or processor
1. Without prejudice to available administrative or non-judicial remedies, including the right to complain to the supervisory authority under Article 77 of the Regulation, any person concerned shall have the right to an effective judicial remedy if he or she considers that, because his or her personal data have not been processed in accordance with this Regulation, his or her rights under this Regulation have been infringed.
2. Proceedings against the controller or the processor shall be brought before the courts of the Member State in which the controller or the processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.
(Article 79 of the Regulation)
CHAPTER VIII. – SUBMISSION OF THE DATA SUBJECT’S REQUEST, MEASURES OF THE DATA CONTROLLER
1. The controller shall, without undue delay, but in any case within one month of receipt of the request, inform the data subject of the action taken on his or her request to exercise his or her rights.
2. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.
3. If the data subject has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the data subject requests otherwise.
4. If the Data Controller does not take action on the data subject’s request, it shall inform the data subject without delay, but no later than one month after receipt of the request, of the reasons for not taking action and of the data subject’s right to lodge a complaint with a supervisory authority.
5. The Data Controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the rights of the data subject (Articles 15-22 and 34 of the Regulation), and shall take the requested measures, free of charge. If the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller, taking into account the administrative costs involved in providing the requested information or taking the requested action:
may refuse to act on the request.
The burden of proving that the request is manifestly unfounded or excessive is on the Data Controller.
6. If the Data Controller has reasonable doubts as to the identity of the natural person submitting the request, it may request the provision of additional information necessary to confirm the identity of the data subject.