Privacy Notice & Policies
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (hereinafter referred to as the Regulation) that the Data Controller shall take appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, understandable and easily accessible form, in a clear and comprehensible manner, and that the Data Controller facilitates the exercise of the rights of the data subject.
The obligation of prior information of the data subject on the right to self-determination and freedom of information in CXII. law.
By providing the information below, we are fulfilling this legal obligation.
The information shall be published on the company’s website or sent to the person concerned upon request.
I. CHAPTER
NAME OF DATA MANAGER
Company Information
Company name: SYSTEMFOX Consulting Korlátolt Felelősségű Társaság
Seat: 1117 Budapest, Irinyi József utca 4-20. B. ép.
Registration number: 01 09 306120
Tax number: 12914821-2-43
Representative: Lábár Csaba, ügyvezető
Phone number: +36-30 4699933
E-mail: info@systemfox.com
Website: www.systemfox.com
II. CHAPTER
DESCRIPTION OF DATA PROCESSORS
Data processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; (Article 4, Regulation 8)
The data processor does not need the prior consent of the data subject, but it needs to be informed. Accordingly, we provide the following information:
Our company uses a data processor to maintain and manage its website, which provides IT services (hosting services), and manages the personal data provided on the website during the period of the contract with it, and the operation it carries on storing personal data on the server.
IT service provider
Company name: IONOS SE
Seat: Elgendorfer Str. 57 56410 Montabaur, Germany
Registration: Amtsgericht Montabaur / HRB 24498
Phone number: +49 (0) 721 170 5522
E-mail: info@ionos.de
Website: www.ionos.de
In order to fulfill its tax and accounting obligations, our Company uses an external service provider to manage its personal data of natural persons contracted or paid by our Company for the purpose of meeting our Company’s tax and accounting obligations.
Accounting service provider
Company name: Kalibra INVEST Kft
Seat: 2040 Budaörs, Holdfény utca 27-29
Registration number: 13 09 144396
Tax number: 23147128-2-13
Representative: Kisgergely Sándor
III. CHAPTER
CONTRACT DATA TREATMENTS
1. Managing Contracting Party Data – Records of Buyers and Suppliers
(1) The Company manages the name, birth name, date of birth, mother’s name, address, tax identification number, tax number, business name, tax identification number, tax number, entrepreneurial, primary producer of the natural person contracted as a customer, supplier, contract for the performance of the contract. ID card number, ID card number, address, seat, address, phone number, e-mail address, website address, bank account number, customer number (customer number, order number), online ID (list of buyers, suppliers, list of purchases), This data management is considered lawful even if the data processing is necessary to take action at the request of the data subject prior to the conclusion of the contract. The recipients of personal data are: the Company’s employees, accountants, tax employees and data processors who perform customer service tasks. Duration of the processing of personal data: 5 years after the termination of the contract.
(2) The data subject shall be informed prior to the commencement of the data processing that the data processing is based on the contract performance law, which may also be provided in the contract.
(3) The personal data of the data subject shall be communicated to the data logger.
2. Legal entity customer, customer, supplier natural person contact details
(1) The scope of manageable personal data is the name, address, telephone number, e-mail address, and online ID of the natural person.
(2) Purpose of the processing of personal data: fulfillment of the contract concluded with the Company’s legal entity partner, business relations, legal basis: consent of the data subject.
(3) Recipients of personal data or categories of recipients: Employees of the Company performing customer service tasks.
(4) Duration of the storage of personal data: 5 years after the existence of the business relationship or the quality of the representatives concerned.
3. Visitor data management on the Company’s website
(1) Cookies are short data files placed on the user’s computer by the website visited. The purpose of the cookie is to make it easier and more convenient for the given infocommunication and internet service. There are many varieties, but they can usually be divided into two large groups. One is the temporary cookie that the website only places on a user’s device during a particular session (eg, under the security identification of an internet bank), and the other is the permanent cookie (eg, the language setting of a website), which until then remains on the computer until the user deletes it. On the basis of the European Commission’s guidelines, cookies may be placed on the user’s device only with the permission of the user, unless they are strictly necessary for the use of the service.
(2) For cookies that do not require the user’s consent, information should be provided during the first visit of the website. It is not necessary for the full text of the cookie information to appear on the website;
(3) In the case of cookies that require consent, the information may be related to the first visit of the website if the processing of the data associated with the use of cookies begins already by visiting the site. If the use of the cookie is related to the use of a function specifically requested by the user, the information may also be displayed in connection with the use of this function. In this case, it is not necessary for the full text of the cookie information to appear on the website;
4. Information on the use of cookies
(1) Our Company uses cookies on its website in accordance with the general Internet practice. A cookie is a small file that contains a set of characters and is placed on the visitor’s computer when it searches for a website. When you visit the site again, the cookie allows the site to recognize the visitor’s browser. Cookies can store user settings (such as your preferred language) and other information. Among other things, they collect information about the visitor and their device, note the custom settings of the visitor, and use them for example. when using online shopping carts. Cookies generally facilitate the use of the website, help the website provide a true web experience for users, and provide an effective source of information, and provide the website operator with the ability to monitor the site, prevent abuse, and provide seamless and high quality services on the website.
(2) During the use of the website, the website of the Company records and manages the following information about the visitor and the device used for browsing:
• the IP address used by the visitor
• browser type,
• Features of the operating system of the device used for browsing (set language),
• date of visit,
• the visited (sub) page, function or service.
(3) Acceptance and authorization of the use of cookies is optional. You can reset your browser settings to reject all cookies or to indicate when a cookie is being sent. While most browsers automatically accept cookies as a default, they can generally be changed to prevent automatic acceptance and offer the option of choosing each time.
You can find the cookie settings for the most popular browsers at the links below
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=en_US
• Firefox: https://support.mozilla.org/en/kb/sutik-engedelyezese-es-tiltasaamit-weboldak-haszn
• Microsoft Internet Explorer 11: http://windows.microsoft.com/home/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/home/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/home/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/home/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/support/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/home/HT201265
However, we would like to point out that some site features or services may not work properly without cookies.
(4) Cookies used on the website are not per se suitable for identifying the person of the user.
(5) Cookies used on the Company’s website:
1. Session cookies that are technically essential
These cookies are necessary for visitors to browse the website, to use its functions seamlessly and fully, the services available through the website, such as, in particular, the visitor’s comments on the pages in question during a visit. The duration of data processing for these cookies is limited to the actual visit of the visitor, after the session has ended, or when the browser is closed, this type of cookies is automatically deleted from your computer.
The managed data set is AVChatUserId, JSESSIONID, portal_referer.
The legal basis for this data management is the 2001 CVIII on certain aspects of electronic commerce services and information society services. (Elkertv.) 13 / A. (3).
The purpose of data management is to ensure the proper functioning of the website.
2. Contributing Cookies:
These provide an opportunity for the Company to comment on the user’s website choices. The visitor may prohibit this processing at any time prior to and during the use of the service. These data may not be linked to the identity of the user and may not be transferred to a third party without the consent of the user.
2.1. Usage Cookies:
The legal basis for data management is the visitor’s consent.
The purpose of data management: Increasing the efficiency of the service, increasing the user experience, making the use of the website more convenient.
The duration of data management is 6 months.
2.2. Performance Cookies:
Google Analytics Cookies – Find Out Here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Google AdWords Cookies – Find Out Here:
https://support.google.com/adwords/answer/2407785?hl=hu
5. Data management related to newsletter service
(1) The natural person registering for the newsletter service on the website may, by ticking the relevant box, give his consent to the processing of his personal data. It is forbidden to check the box in advance. Your newsletter may be unsubscribed from the newsletter by using the "Unsubscribe" newsletter, or in writing or by e-mail, which means withdrawing your consent. In this case, all unsubscribe data must be deleted immediately. The text of the information to be placed on the newsletter subscription page is contained in Annex 7 to these Rules.
(2) The scope of manageable personal data is the name of the natural person (surname, first name), e-mail address.
(3) The purpose of the processing of personal data is:
1. Send newsletter on the Company’s products and services
2. Send advertising material
(4) Legal basis for data processing: consent of the data subject.
(5) Recipients of personal data or categories of recipients: employees of the Company’s IT service provider who perform tasks related to the Company’s customer service and marketing activities, for the purpose of fulfilling the hosting service,
(6) Duration of the storage of personal data: until the newsletter service is in place or until the consent of the data subject is withdrawn (until a request for cancellation).
6. Community Guidelines / Data Management on the Company’s Facebook page
(1) To promote and promote the products and services of the Company, a Facebook page is maintained.
(2) The question on the Company’s Facebook page does not constitute an official complaint.
(3) The Company does not manage the personal information published by visitors on the Company’s Facebook page.
(4) Visitors are subject to Facebook’s Privacy and Service Terms.
(5) In the case of unlawful or abusive content publishing, the Company may exclude the affected person from the membership without prior notice or delete its comment.
(6) The Company is not responsible for any data content or comments that violate the law published by Facebook users. The Company shall not be liable for any problems arising from any failure, malfunction, or change in the operation of the system resulting from the operation of Facebook.
7. Direct marketing for data management
(1) Unless otherwise provided by a separate law, advertising by direct contact of a natural person as a recipient of advertising (direct marketing), in particular by electronic mail or other equivalent means of individual communication – in 2008 XLVIII. may be communicated only if the recipient of the advertisement has expressly and explicitly agreed to it.
(2) The scope of personal data that can be managed by the Company for the purpose of advertising-addressing is the name, address, telephone number, e-mail address, and online ID of the natural person.
(3) The purpose of the processing of personal data is to carry out direct marketing activities related to the Company’s activities, ie regular or periodic sending of advertising publications, newsletters, current offers in printed (post) or electronic form (e-mail) to the contact details provided at registration.
(4) Legal basis for data processing: consent of the data subject.
(5) Recipients of personal data and categories of recipients: Employees of the Company who perform tasks related to customer service, as data processors, employees of the Company’s IT service provider, employees of postal services and Post employees.
(6) Duration of storage of personal data: until withdrawal of consent.
IV: CHAPTER
LEGAL OBLIGATIONS ON DATA TREATMENT
1. Data management for the purpose of meeting tax and accounting obligations
(1) The Company manages the legal data of natural persons who have entered into business relations with the customer as a supplier or supplier for the purpose of fulfilling a legal obligation by means of a law, the fulfillment of tax and accounting obligations prescribed by law (accounting, taxation). The data processed is in accordance with the CXXVII of 2017 on VAT. TV. Under §§ 169 and 202, in particular: tax number, name, address, tax status, pursuant to Section 167 of Act C of 2000 on Accounting: name, address, person or organization ordering the transaction , the signatory and the person who certifies the execution of the provision and, depending on the organization, the signature of the inspector; on the receipts of the stock movements and on the cash management documents the signature of the recipient, the payer on the counterparties, the CXVII of 1995 on personal income tax. Law: Number of ID card, number of primary farmer certificate, tax identification number.
(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Addressees of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security tasks.
2. Payer data management
(2) The Company manages the personal data of the persons concerned – employees, members of their families, employees, other beneficiaries – in compliance with the law, the fulfillment of tax and contribution obligations prescribed by law (tax, tax advance, contributions, payroll, social security administration), with whom your payers (2017: CL. Act on Taxation (Art. 7) 31). The range of data processed is defined in Art. 50 of the Art. (Social security number). If the tax laws have a legal effect to this, the Company may manage the data on the health (Szja tv. 40§) and trade union (Szja 47§ (2) b.
(2) The period of storage of personal data shall be the period prescribed by law after the termination of the legal relationship giving rise to it.
(3) Addressees of personal data: employees and data processors of the Company performing tax, payroll, social security (payer) tasks.
3. Data management for money laundering obligations
(1) The Company manages its clients, their representatives and the actual owners of Ll. (a) natural person (a) family and forenames, (b) birth and family names, (c) nationality, (d) place of birth, time, (e) mother’s birth name, (f) home address or, failing that, place of residence; (g) the type and number of its identification document; the number of the official certificate attesting the address, the copy of the presented documents. (Section 7).
(2) The addressees of the personal data are: the Company’s employee performing customer service tasks, the Company’s manager and the Company’s Pmt. designated person.
(3) Duration of storage of personal data: 8 years after the termination of the business relationship or execution of the transaction order. (Pmt.§ 56 (2))
V. CHAPTER
DETAILED INFORMATION ABOUT THE RELEVANT RIGHTS
Right to preliminary information
The data subject is entitled to be informed of facts and information related to data management prior to the commencement of data management.
A) Information to be provided when personal data is collected from the data subject
1. Where personal data relating to the data subject are collected from the data subject, the controller shall make available to the data subject at the time when the personal data are obtained:
(a) the identity and contact details of the controller and, if any, of the controller;
(b) the contact details of the data protection officer, if any;
(c) the purpose of the intended management of the personal data and the legal basis for the processing;
(d) in the case of data processing based on Article 6 (1) (f) of the Regulation (legitimate interest validation), the legitimate interests of the controller or of a third party;
(e) where applicable, the recipients of the personal data or categories of recipients;
(f) where applicable, the fact that the controller wishes to transfer personal data to a third country or an international organization, as well as the existence or absence of a Commission conformity decision or Article 46, Article 47 or Article 49 (1) of the Regulation; (c) in the case of the transmission referred to in the second subparagraph of paragraph 1, the indication of appropriate and suitable guarantees and the methods of obtaining a copy of them or their availability.
2. In addition to the information referred to in paragraph 1, the controller shall inform the data subject at the time of the acquisition of personal data, in order to ensure fair and transparent data management, of the following additional information:
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
(b) the right of the data subject to apply to the controller for access, rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data and his / her right to data portability;
or the legality of the data processing carried out on the basis of consent prior to the revocation;
(d) the right to lodge a complaint with the supervisory authority;
(e) whether the provision of personal data is based on a statutory or contractual obligation or a prerequisite for the conclusion of a contract, and whether the data subject is obliged to provide personal data and what the possible consequences of failure to provide the data may be;
(f) the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as at least in these cases the logic used and understandable information on the significance of such processing and the data subject; what are the expected consequences.
3. Where the controller wishes to process further data for personal purposes other than for the purpose for which they were collected, he shall inform the data subject of this different purpose and of any additional relevant information referred to in paragraph 2 before further processing.
4. Referring to 1-3. points are not applicable if and to what extent the data subject already has the information.
(Article 13 of Regulation)
B) Information to be provided if personal data were not obtained from the data subject
1. Where personal data have not been obtained from the data subject, the controller shall provide the following information to the data subject: \ t
(a) the identity and contact details of the controller and, if any, of the controller;
(b) the contact details of the data protection officer, if any;
(c) the purpose of the intended management of the personal data and the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients of the personal data or categories of recipients, if any;
(f) where applicable, the fact that the controller wishes to transfer personal data to a third country recipient or to an international organization, as well as to the existence or absence of a Commission conformity decision, or to Article 46, Article 47 or Article 49 of the Regulation. in the case of the transmission referred to in the second subparagraph of Article 1 (1), indication of appropriate and suitable guarantees and of the means by which they may be obtained or reference to their availability.
2. In addition to the information referred to in point 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent data management for the data subject: \ t
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
(b) if the processing is based on Article 6 (1) (f) of the Regulation (legitimate interest), on the legitimate interests of the controller or a third party;
(c) the right of the data subject to apply to the controller for access to, rectification, erasure or restriction of personal data relating to him or her and to object to the processing of personal data and his / her right to data portability;
or the legality of the data processing carried out on the basis of consent prior to the revocation;
(e) the right to lodge a complaint with a supervisory authority;
(f) the source of the personal data and, where appropriate, whether the data originate from publicly available sources; and
(g) the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as at least in these cases the logic used and understandable information on the significance of such processing and the data subject; what are the expected consequences.
3. The controller shall provide the information referred to in points 1 and 2 as follows:
(a) taking into account the specific circumstances of the processing of personal data, within a reasonable time limit after receipt of the personal data, but no later than one month;
(b) if personal data are used for the purpose of liaising with the data subject, at least at the time of first contact with the data subject; or
(c) at the latest at the time of the first communication of personal data, if the data are expected to be communicated to another addressee.
4. If the controller wishes to process further data for personal purposes other than for the purpose for which it was obtained, it shall inform the data subject about this different purpose and all relevant additional information referred to in point 2 before further processing.
5. does not apply if and to the extent:
(a) the data subject already has the information;
or or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously jeopardize the achievement of the purposes of this data management. In such cases, the controller shall take appropriate measures, including public disclosure of the information, to protect the rights, freedoms and legitimate interests of the data subject;
(c) the acquisition or communication of data is expressly provided for by the Union or Member State law applicable to the controller which provides for appropriate measures to protect the data subject’s legitimate interests; or
(d) personal data must remain confidential on the grounds of professional secrecy imposed by Union or Member State law, including statutory confidentiality obligations.
(Article 14 of Regulation)
Right of access of the data subject
1. The data subject has the right to receive feedback from the Data Controller on whether personal data are being processed and, if such processing is in progress, to have access to personal data and the following information:
(a) purposes of data management;
(b) the categories of personal data concerned;
(c) the categories of recipients or recipients to whom or with whom personal data have been communicated, including in particular third-country recipients or international organizations;
(d) where applicable, the planned duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
(e) the right of the data subject to apply to the Data Controller for rectification, erasure or restriction of personal data relating to him or her and may object to the processing of such personal data;
(f) the right to lodge a complaint with a supervisory authority;
(g) if the data were not collected from the data subject, all available information on their source;
(h) the fact that automated decision-making, including profiling, as referred to in Article 22 (1) and (4) of the Regulation, as well as at least in these cases the logic used and understandable information on the significance of such processing and the data subject; expected consequences.
2. Where personal data are transferred to a third country or an international organization, the data subject shall have the right to be informed of the appropriate safeguards in accordance with Article 46 of the Regulation.
3. The Data Controller shall make available to the data subject a copy of the personal data subject to data management. The Controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject. If the data subject has submitted the application by electronic means, the information shall be made available in a widely used electronic format, unless otherwise requested by the data subject. The right to request a copy must not adversely affect the rights and freedoms of others.
(Article 15 of Regulation)
Right to delete ("the right to forget")
1. Upon request, the Data Controller shall have the right to delete personal data relating to him without undue delay, and the Data Controller shall delete personal data relating to the data subject without undue delay if one of the following reasons exists:
(a) personal data are no longer needed for the purpose for which they were collected or otherwise processed;
(b) the data subject’s consent to data processing is withdrawn by the data subject in accordance with Article 6 (1) (a) or Article 9 (2) (a) of the Regulation and the data processing has no other legal basis;
(c) the data subject objects to the processing of the data pursuant to Article 21 (1) of the Regulation and there are no legitimate reasons for the processing of the data or the data subject has objected to the processing pursuant to Article 21 (2);
d) personal data have been unlawfully treated;
(e) the personal data must be erased in order to fulfill a legal obligation under Union or Member State law applicable to the Data Controller;
(f) personal data were collected in connection with the provision of information society services referred to in Article 8 (1) of the Regulation.
2. If the Data Controller has disclosed personal data and is obliged to cancel it pursuant to paragraph 1 above, it shall take reasonable steps, including technical measures, to inform Data Controllers managing the data, taking into account the technology and implementation costs available. that the data subject has requested them to delete the relevant personal data links or a copy or duplicate of such personal data.
3. Points 1 and 2 shall not apply where data processing is necessary:
(a) to exercise the right to freedom of expression and information;
(b) fulfillment of an obligation under Union or Member State law which governs the processing of personal data or for the performance of a task carried out in the public interest or in the exercise of public authority conferred on the Data Controller;
(c) on grounds of public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) of the Regulation and Article 9 (3);
(d) in accordance with Article 89 (1) of the Regulation, for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 is likely to render such processing impossible or seriously jeopardized; or
e) bringing, enforcing or protecting legal claims.
(Article 17 of Regulation)
Right to restrict data management
1. The data subject shall have the right to limit the data controller’s request, if one of the following is true:
(a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply to the period that allows the Data Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject is against the deletion of the data and instead requests a restriction on their use;
c) the Data Controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
(d) the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the limitation applies to the period until it is established whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the data subject.
2. Where data processing is subject to restrictions under point 1, such personal data, except storage, shall only be made with the consent of the data subject or for the submission, validation or protection of legal claims or the protection of the rights of other natural or legal persons, or of the Union. of an important public interest in a Member State.
3. The Data Controller shall inform the data subject, at whose request the data management has been restricted pursuant to paragraph 1, in advance of the lifting of the restriction of data management.
(Article 18 of Regulation)
Right to data storage
1. The data subject shall have the right to receive personal data concerning him / her which is made available to him / her by the Data Controller in a distributed, widely used, machine-readable format, and shall be entitled to forward such data to another Data Controller without being prevented by the Data Controller. to whom you provided personal information to you if:
(a) the processing is based on a contribution pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the Regulation or a contract pursuant to Article 6 (1) (b); and
b) data management is automated.
2. When exercising the right to portability of data under point 1, the data subject shall have the right to request, where technically feasible, the direct transmission of personal data between Data Controllers.
3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. That right shall not apply where the processing is necessary for the performance of a task carried out in the exercise of public authority or in the exercise of official authority conferred on the Data Controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
(Article 20 of Regulation)
Right to protest
1. The data subject may at any time, for reasons connected with his or her own situation, object to his or her personal data in accordance with Article 6 (1) (e) of the Regulation (data processing required for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the Data Controller) or point (f). (based on data management for the purpose of enforcing the legitimate interests of the Data Controller or a third party), including profiling based on those provisions. In this case, the Data Controller may not further process the personal data unless the Data Controller proves that the data management is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or which are made to bring, validate or defend legal claims. related.
2. Where personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him for that purpose, including profiling, where it is related to direct marketing.
3. If the data subject objects to the handling of personal data for the purpose of direct marketing, personal data may no longer be processed for that purpose.
4. The right referred to in points 1 and 2 shall be specifically brought to its attention at the latest when first contacting the data subject and shall be clearly and separately distinguished from any other information.
5. By way of derogation from Directive 2002/58 / EC relating to the use of information society services, the data subject may exercise the right of objection by automated means based on technical specifications.
6. Where the processing of personal data is carried out for scientific and historical research purposes or for statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the processing of personal data relating to him or her, for reasons other than his own, unless: if the processing is necessary for the performance of a task carried out for reasons of public interest.
(Article 21 of Regulation)
Automated decision making in individual cases, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effect on him or would equally be significantly affected by it.
2. Point 1 shall not apply where the decision: \ t
(a) necessary for the conclusion or performance of a contract between the data subject and the Data Controller;
(b) it is made possible by Union or national law applicable to the Data Controller, which also lays down appropriate measures for the protection of the rights and freedoms of the data subject and the legitimate interests of the data subject; or
(c) is based on the explicit consent of the data subject.
3. In the cases referred to in points (a) and (c) of paragraph 2, the Data Controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to seek the intervention of the Data Controller; and object to the decision.
4. The decisions referred to in paragraph 2 shall not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and the rights of the data subject concerned. appropriate measures have been taken to protect their freedoms and legitimate interests.
(Article 22 of Regulation)
Limitations
1. EU or Member State law applicable to the Controller or data processor may limit the scope of Articles 12 to 22 of the Regulation by legislative measures. Articles 34 and 34 and Articles 12 to 22. In so far as it respects the essential content of fundamental rights and freedoms and the necessary and proportionate measures to protect the following in a democratic society, the scope of the rights and obligations contained in Article 5 shall be subject to the provisions of this Article in accordance with the rights and obligations laid down in Article 5: \ t
(a) national security;
b) national defense;
(c) public security;
(d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against and prevention of threats to public security;
(e) other overriding public interest objectives of the Union or a Member State, in particular of major economic or financial interest to the Union or a Member State, including monetary, budgetary and fiscal matters, public health and social security;
(f) protection of judicial independence and judicial procedures;
(g) the prevention, investigation, detection and prosecution of ethical misconduct in regulated professions;
(h) in the cases referred to in points (a) to (e) and (g), even occasionally, control, inspection or regulatory activities relating to the exercise of official authority;
(i) the protection of the data subject or the protection of the rights and freedoms of others;
j) enforcement of civil claims.
2. The legislative measures referred to in paragraph 1 shall, where appropriate, include detailed provisions at least: \ t
(a) for purposes of data processing or categories of data processing;
(b) categories of personal data;
(c) the scope of the restrictions imposed, \ t
(d) guarantees intended to abuse or to prevent unauthorized access or transmission;
e) to define the Data Controller or to define categories of Data Controllers;
(f) the duration of the data storage and the applicable guarantees, taking into account the nature, scope and objectives of the data management or data management categories;
(g) the risks to the rights and freedoms of those concerned;
(h) the right of the persons concerned to be informed of the restriction, unless this may adversely affect the purpose of the restriction.
(Article 23 of Regulation)
Informing the data subject of the privacy incident
1. If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the data protection incident without undue delay.
2. The information referred to in point 1 provided to the data subject shall clearly and comprehensibly describe the nature of the data protection incident and shall include at least the information and measures referred to in Article 33 (3) (b), (c) and (d) of the Regulation.
3. The data subject need not be informed as referred to in point 1 if any of the following conditions is met:
(a) the Data Controller has implemented appropriate technical and organizational safeguards, and these measures have been applied to the data affected by the data protection incident, in particular those measures, such as the use of encryption, which are incomprehensible to persons who do not have access to personal data make the data;
(b) the Data Controller, following a data protection incident, has taken additional measures to ensure that the high risk referred to in paragraph 1 reported to the data subject’s rights and freedoms is no longer likely to materialize;
(c) the information would require a disproportionate effort. In such cases, the persons concerned shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the persons concerned are equally informed.
4. If the Data Controller has not yet notified the data subject of the data protection incident, the supervisory authority, having considered whether the data protection incident is likely to pose a high risk, may order the data subject to be informed or determine whether one of the conditions referred to in point 3 has been met.
(Article 34 of Regulation)
Right to complain to the supervisory authority
1. Without prejudice to other administrative or judicial remedies, any person concerned shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he has his habitual residence, at the place of employment or in the Member State where the alleged infringement is committed, if the data subject considers that personal data relating to him were this Regulation.
2. The supervisory authority to which the complaint has been lodged shall inform the client of the procedural developments and the outcome of the complaint, including the right of the client to seek judicial remedy under Article 78 of the Regulation.
(Article 77 of Regulation)
Right to effective judicial redress against the supervisory authority
1. Without prejudice to other administrative or non-judicial remedies, any natural or legal person shall be entitled to effective judicial remedy against a legally binding decision of the supervisory authority.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the supervisory authority competent under Articles 55 or 56 of the Regulation does not deal with the complaint or does not inform the person concerned within three months. (d) the procedural developments or the outcome of a complaint under Article 4.
3. Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its registered office.
4. Where proceedings are brought against a decision of a supervisory authority in respect of which the Board has previously issued an opinion or a decision under the Unity Mechanism, the supervisory authority shall send that opinion or decision to the court.
(Article 78 of Regulation)
Right to effective judicial redress against the controller or the processor
1. Without prejudice to the available administrative or non-judicial remedies, including the right to lodge a complaint with the supervisory authority pursuant to Article 77 of the Regulation, any person concerned shall be entitled to an effective judicial remedy if he considers that his personal data have not been treated in accordance with this Regulation. their rights under this Regulation.
2. Proceedings against the controller or the processor shall be instituted before the courts of the Member State where the controller or the processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or the processor is a public authority of a Member State acting in the exercise of public authority.
(Article 79 of Regulation)
VI. CHAPTER
SUBMISSION OF THE REQUESTED APPLICATION,
DATA MANAGEMENT MEASURES
1. The Data Controller shall, without undue delay, but in any case within one month of receiving the request, inform the data subject of the action taken on his request for the exercise of his rights.
2. Where necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Data Controller shall inform the data subject about the extension of the deadline by indicating the reasons for the delay within one month of receiving the request.
3. Where the data subject has submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
4. If the Data Controller fails to take action on the request of the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking the action and of submitting the complaint to a supervisory authority. right.
5. The Data Controller shall provide information and information on the rights of the data subject (Articles 15-22 and 34 of the Regulation) and the measure in accordance with Articles 13 and 14 of the Regulation free of charge. If the data subject’s request is clearly unfounded or, in particular because of its repetitive nature, the Data Controller, taking into account the administrative costs of providing the requested information or information or taking the requested action:
a) You may charge a fee of HUF 6,350, or
(b) refuse to take action on the basis of the application.
The Data Controller shall bear the burden of proving that the application is manifestly unfounded or excessive.
6. If the Data Controller has reasonable doubts as to the identity of the natural person submitting the request, he may request further information necessary to confirm the identity of the data subject.
SystemFox Consulting Ltd., 2018.