
PRIVACY AND DATA PROCESSING RULES AND INFORMATION


DEMMLER & TÓTH CONSULTING AND TRAINING
LIMITED LIABILITY COMPANY


DEMMLER INTERNATIONAL CONSULTANCY AND TRAINING
LIMITED LIABILITY COMPANY

 

 

 


2nd edition
2021.01.


1.   THE DATA CONTROLLERS

In order to comply fully with Regulation (EU) 2016/679 (GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information, DEMMLER & TÓTH Consulting and Training Limited Liability Company (registered office: 1037 Budapest, Bécsi út 81.) and DEMMLER INTERNATIONAL Consulting and Training Limited Liability Company (registered office: 1037 Budapest, Bécsi út 81.) (hereinafter together referred to as “Data Controllers”) make the present data protection and data management regulations and prospectus (hereinafter: the “Regulations”) available to the Clients at the registered office and branch of the Data Controllers.

These Regulations govern the scope, method, purpose and other circumstances of the use of the personal data of the Data Subject providing the data. The Regulations also serve as a privacy statement for the staff (owners, employees and trainers) of the Data Controllers.

Data of the Data Controllers and the Data Processor


Company name:   DEMMLER & TÓTH Consulting and Training Limited Liability Company
Headquarters:   1037 Budapest, Bécsi út 81.
Phone number:   +36… 1 / 249-1735
Email Address:   iroda@demmler.hu

Company name:   DEMMLER INTERNATIONAL Consulting and Training Limited Liability Company
Headquarters:   1037 Budapest, Bécsi út 81.
Phone number:   +36… 1 / 249-1735
Email Address:   iroda@demmler.hu

The Data Controllers do not employ a Data Protection Officer.

Data controllers carry out their daily activities in co-operation with each other, the details of which are regulated in separate agreements, based on which the entire administration of both Companies, including data processing, is performed by DEMMLER INTERNATIONAL Consulting and Training Limited Liability Company.


2.   DEFINITIONS

personal data:  any information relating to an identified or identifiable natural person (Data Subject)

data handling:  any operation or set of operations on personal data or data files, whether automated or non-automated, such as collecting, recording, organizing, segmenting, storing, transforming or altering, querying, accessing, using, transmitting, distributing or otherwise making available, harmonization or interconnection, restriction, deletion or destruction;

data controller:  a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data; where the purposes and means of the processing are defined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be defined by Union or Member State law;

data transmission:  making the data available to a specific third party;

data processor:  the natural or legal person, public authority, agency or any other body that processes Personal Data on behalf of the Data Controller;

addressee:  the natural or legal person, public authority, agency or any other body to whom or with which the Personal Data is disclosed, whether a third party or not. Public authorities that may have access to Personal Data in the context of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the Data Processing;

data subject:  any natural person identified or identifiable, directly or indirectly, on the basis of specific personal data;

delete data:   making the data unrecognizable in such a way that it is no longer possible to recover them;

consent of the person concerned:  a voluntary, specific and well-informed and unambiguous declaration of the data subject's consent to the processing of the Personal Data concerning him or her, by means of a statement or an act which unequivocally expresses the confirmation;

privacy incident:  a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data that is transmitted, stored, or otherwise handled.
 


3.   PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA

Personal Data must:


1.   be processed lawfully and fairly and in a manner that is transparent to the Data Subject ("legality, fairness and transparency");

2.   be collected only for specified, explicit and legitimate purposes and not treated in a way incompatible with those purposes; further processing of Data for the purpose of archiving in the public interest, for the purpose of scientific and historical research or for statistical purposes shall not be considered incompatible with the original purpose by law ("purpose limitation");

3.   be appropriate and relevant to the purposes of the Data Management and limited to what is necessary ("data minimisation");

4.   be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that Personal Data which is inaccurate for the purposes of the Data Processing is deleted or rectified without delay ("accuracy");

5.   be stored in a form that allows the identification of the Data Subject only for the time necessary to achieve the purposes for which the Personal Data are processed; personal data may only be stored for a longer period if the processing of Personal Data is carried out in accordance with the law for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, subject to appropriate technical and organizational measures to protect the rights and freedoms of data subjects ("limited storage");

6.   be processed in such a way as to ensure adequate security of the Personal Data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to the data, using appropriate technical or organizational measures ("integrity and confidentiality").

Data Controllers are responsible for compliance with the above and must be able to demonstrate such compliance ("accountability").

Data Controllers do not verify the personal data provided to them. The person who provided the data is solely responsible for the accuracy of the information provided.
 


4.   SCOPE OF DATA PROCESSED, LEGAL BASIS AND PURPOSE OF DATA PROCESSING, ACCESS TO DATA PROCESSED, RULES FOR DELETION

Definition of Stakeholders in relation to Data Controllers:


1.   Staff
Owner:   a registered member of the Data Controllers or its representative
Employee (consultant / office):   natural person in a legal relationship who has an employment contract with any of the Data Controllers
Subcontractor (trainer / consultant):   natural person in a contractual relationship with any of the Data Controllers for the sale and / or retention of training and / or consulting

2.   Contacts
Customer contact:   a natural person specified by the Principal in a contractual relationship with Data Controllers
Potential customer contact:   a representative of a potential Principal that is not yet in a contractual relationship with Data Controllers, whose contact is public or voluntary
Supplier's contact:   natural person as defined by the Agent in a contractual relationship with Data Controllers

3.   Participants
Counseling participant:   a natural person participating in advice held by Data Controllers and delegated by his / her Employer
Training participant:   a natural person participating in training held by Data Controllers and delegated by his / her Employer
Open training participant:   a natural person participating in open training held by Data Controllers, typically delegated by his / her Employer

Data controllers shall process the personal data of the Data Subject on the basis of a legal obligation or the clear and prior consent of the Data Subject for the period prescribed by law or until the withdrawal of the consent.
Exceptions to this are the contact details of the Data Subjects for identification and / or communication purposes, for which the legal basis is the legitimate interest of the Data Controllers to be able to perform their contracts and then to prove the performances. Pursuant to Section 169 of Act C of 2000 on Accounting and Section 78 of Act CL of 2017 on the Order of Taxation, Data Controllers shall retain such performance certificates generated in the course of their activities until the end of the 8th year following the performance with respect to Participant data, and following the termination of the cooperation with respect to Contact and Subcontractor data.

 

The Data Controllers shall ensure that the consents given by the Data Subject may be revoked at any time, without restriction or justification, free of charge. Upon receipt of the data subject's statement contained in this paragraph, the Data Controllers shall delete the data subject's name and other provided data within 3 (three) working days.

Additional legal obligations concerning the activities of Data Controllers, which also determine the duration of data processing:

Pursuant to the provisions of Section 21 of Act LXXVII of 2013 on Adult Education, Data Controllers are obliged to process the data of participants in adult education specified by law.

The data subjects' personal data may be accessed by the Data Controllers' owners, employees and authorized subcontractors at the Data Controllers' headquarters and in the cloud storage provided by the Data Controllers. The owners, employees and subcontractors of the Data Controllers are obliged to fulfill the same data protection and confidentiality obligations as the Data Controllers.

Access to data stored in the cloud is a two-factor process, protected by MFA identification. The data stored in the cloud is backed up on the local computers of the employees involved, the use of which is subject to a username and password. The data is used exclusively by the Data Controllers and will not be disclosed to third parties, except as provided by law.

Data Controllers may use an additional data processor (e.g. system operator, software developer, accountant, payroll accountant). Data Controllers are not responsible for the data management practices of such third parties.

Upon expiration of the data processing period, the Data Controllers will delete the personal data of the Data Subject in a manner that makes it impossible to identify the data subject.


-   Paper documents are destroyed by shredding, depending on the quantity, either with their own equipment or with the help of a specialist supplier.


-   Letters and calendar entries from the trainer and sales accounts are automatically deleted after 2 years, which is set up by the service provider. Letters are manually archived from office mailboxes after 2 years at the latest, and deleted from the archives after 8 years; this is controlled by the office manager.


-   The administrator permanently deletes documents in the cloud.

The map of the data managed by the Data Controllers can be found in Annex No. 1 to these Regulations.


 


5.   DATA MANAGEMENT RELATED TO THE WEBSITE OPERATED BY DATA CONTROLLERS

During visits to the Data Controllers' websites, one or more cookies (a micro-application sent by the web server to the browser and then returned by the browser to the server each time a request is made to the server) are sent to the computer of the person visiting the website, through which that person's browser will be uniquely identifiable, provided that the person visiting the website has given his / her express (active) consent to his / her further browsing of the website after clear and unambiguous information.

Cookies only work to improve the user experience and to automate the login process. The cookies used on the website do not store personally identifiable information, and the Data Controllers do not process personal data in this regard.

In case of a question concerning data management, the user can send an electronic message to the Data Controllers directly by clicking on the email address indicated on the website (iroda@demmler.hu).  

There is no mandatory element in the content of the electronic message sent by the User, however, in order for the Data Controllers to be able to contact the User, it is advisable to enter his / her name and e-mail address in the user's message. This personal data is used by the Data Controllers for communication purposes, and the legal basis for its data processing is the voluntary consent of the User. If there is no further action to be taken by the Data Controllers after the arrival of the electronic message with the sender, the Data Controllers shall delete the message within 60 days at the latest. 


6.   DESCRIPTION OF THE RIGHTS OF THE DATA SUBJECT RELATED TO DATA PROCESSING

 

Right of access: the Data Subject is entitled to receive feedback from the Data Controllers as to whether the processing of his / her Personal Data is in progress and, if such Data Processing is in progress, is entitled to have access to the Personal Data and the information listed in the Regulation;


Right of rectification: the Data Subject has the right to have inaccurate Personal Data relating to him / her rectified by the Data Controllers without undue delay upon request. Taking into account the purpose of the Data Management, the Data Subject has the right to request that incomplete Personal Data be supplemented, inter alia, by means of an additional statement;


The right to delete: the Data Subject has the right to have the Data Controllers delete the Personal Data relating to him / her without undue delay upon request, and the Data Controllers are obliged to delete the Personal Data concerning the Data Subject without undue delay under certain conditions;


Right to be forgotten: if the Data Controllers have disclosed the Personal Data and are obliged to delete it, they shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the other data controllers processing the data that the Data Subject requested the deletion of the links to the Personal Data in question or of a copy or duplicate of such Personal Data;


Right to Restrict Data Management: the Data Subject has the right to have the Data Controllers restrict the Data Management upon request if any of the following conditions are met:


-   the Data Subject disputes the accuracy of the Personal Data, in which case the restriction shall apply to the period of time that allows the Data Controllers to verify the accuracy of the Personal Data;  


-   the Data Management is illegal and the Data Subject objects to the deletion of the data and instead requests a restriction on their use;  


-   the Data Controllers no longer need the Personal Data for the purpose of Data Management, but the Data Subject requests it in order to submit, enforce or protect legal claims;  


-   the Data Subject protested against the Data Management; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the Data Subject;


Right to data portability: the Data Subject has the right to receive the Personal Data relating to him / her that he / she has made available to a Data Controller in a structured, widely used machine-readable format and to transfer this data to another Data Controller without hindrance from the Data Controller to whom the Personal Data was provided;


Right to protest: The Data Subject has the right to object at any time to the processing of his / her Personal Data, including profiling based on the said provisions, for reasons related to his / her own situation;  


Protest in case of direct business acquisition: if the processing of Personal Data is for the purpose of direct business acquisition, the Data Subject has the right to object at any time to the processing of Personal Data relating to him for this purpose, including profiling, if it is related to direct business acquisition. If the Data Subject objects to the processing of Personal Data for the purpose of direct business acquisition, the Personal Data may no longer be processed for this purpose;


Automated decision-making in individual cases, including profiling: the Data Subject has the right not to be covered by a decision based solely on automated Data Management, including profiling, which would have a legal effect on him or her or would similarly significantly affect him or her.
The preceding paragraph shall not apply if the decision:

-   is necessary for the conclusion or performance of the contract between the Data Subject and the Data Controllers;

-   is permitted by EU or Member State law applicable to the Controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject; or

-   is based on the express consent of the Data Subject.
 


7.   DEADLINE FOR ACTION BY DATA CONTROLLERS

The Data Controllers shall, without undue delay, and in any case within 1 month of receipt of the request, inform the Data Subject of the action taken on the above requests. 
If necessary, the above deadline may be extended by 2 months. The Data Controllers shall inform the Data Subject of the extension of the deadline, indicating the reasons for the delay, within 1 month from the receipt of the request.
 


If the Data Controller fails to take action on the Data Subject's request, it shall inform the Data Subject without delay, but no later than one month after receipt of the request, of the reasons for the non-action and of the Data Subject's right to appeal to a supervisory authority.

8.   PRIVACY INCIDENT

8.1. Internal records
Data controllers shall keep records of Data Protection Incidents in all cases (hereinafter referred to as “Internal Records”).

8.2. Informing data subjects about a data protection incident
If the Data Protection Incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controllers shall inform the Data Subject of the Data Protection Incident without undue delay.


The information provided to the Data Subject shall clearly and intelligibly describe the nature of the Data Protection Incident and the name and contact details of the contact person for further information; the likely consequences of the Privacy Incident must be described; describe the measures taken or planned by the Data Controllers to remedy the Data Protection Incident, including, where appropriate, measures to mitigate any adverse consequences arising from the Data Protection Incident.


The Data Subject need not be informed if any of the following conditions are met:


-   the Data Controllers have implemented appropriate technical and organizational protection measures and these measures have been applied to the Data affected by the Data Protection Incident, in particular those measures, such as the application of encryption, which make the data unintelligible to persons not authorized to access the Personal Data;

-   the Data Controllers have taken additional measures following the Data Protection Incident to ensure that the high risk to the Data Subject's rights and freedoms is no longer likely to materialize;

-   the information would require a disproportionate effort. In such cases, Stakeholders shall be informed through publicly available information or a similar measure shall be taken to ensure that Stakeholders are similarly effectively informed.


If the Data Controllers have not notified the Data Subject of the Data Protection Incident, the Supervisory Authority may, after considering whether the Data Protection Incident is likely to involve a high risk, order the Data Subject to be informed.

8.3. Reporting privacy incidents to the authority
The Data Protection Incident shall be reported by the Data Controllers to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the Data Protection Incident, unless the Data Protection Incident is not likely to endanger the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must be provided.


9.   ENFORCEMENT OPPORTUNITIES FOR STAKEHOLDERS

Complaints against possible violations of Data Controllers can be lodged with the National Data Protection and Freedom of Information Authority:  

National Data Protection and Freedom of Information Authority
1125 Budapest, Szilágyi Erzsébet avenue 22 / C.
Mailing address: 1530 Budapest, Mailbox: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

The Data Subject also has the opportunity to take legal action in the event of a breach of his or her rights.


10.   OTHER PROVISIONS

In all cases where the Data Controllers intend to use the provided data for a purpose other than the purpose of the original data collection, they shall inform the Data Subject thereof and obtain their prior express consent, or provide him or her with an opportunity to prohibit the use.

Data Controllers reserve the right to unilaterally amend these Regulations with prior notice to Stakeholders. After the entry into force of the amendment, the Data Subject accepts the provisions of the amended Regulations by implicitly using the service.
 


11.   GOVERNING LEGISLATION

In matters not regulated in these Regulations, the following legal acts shall otherwise apply:

a) Section 2:43 of Act V of 2013 on the Civil Code;
b) Act CXII of 2011 on the right to informational self-determination and freedom of information;
c) Regulation (EU) No 2016/679 (GDPR);


Budapest, January 4, 2021
   Demmler & Tóth Kft.     Demmler International Kft
