DATA PROCESSING NOTICE
1. PURPOSE AND SCOPE OF THE NOTICE
1.1. Purpose of the Notice
Taking effect on 25 May 2018, the general data protection regulation (whose official title is Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, hereinafter, the “GDPR”) lays down uniform rules that must be applied throughout the European Union (any, in certain cases, also beyond it) in relation to the protection if the data of natural persons GDPR primarily establishes obligations for persons processing the data of natural persons for specific purposes. This Notice aims to give a short and easy to understand introduction on the details of the data processing and data protection practices of KAPTÁR irodák Korlátolt Felelősségű Társaság (registered address: 1065 Budapest, Révay köz 4.; registering authority: Court of Registration of Metropolitan Court of Justice); company registry number: 01-09-967198; tax number: 23473861-2-42; hereinafter referred to as “KAPTÁR”), which have been developed with a view to the provisions of Act CXXII of 2011 on the right to informational self-determination and the freedom of information (hereinafter referred to as “Info Act”) and, in this context, inform the data subjects, affected by the data processing carried out by it, about their rights provided by the legislation defined above.
1.2. Scope of application of the Notice
This Notice has been prepared and published by KAPTÁR. This Notice applies to data processing by KAPTÁR where the person affected by the data processing is a natural person.
1.3. Data processing not covered by this Notice
Given that GDPR covers only the processing of the data of natural persons, the information in this Notice does not apply to the processing by KAPTÁR of data that do relate to non-natural persons. KAPTÁR considers the following as falling in this category:
- Name and position of the person(s) acting in business relations as the representatives of non-natural person partners in a business relationship with KAPTÁR (e.g. companies), as well as any other data shown in the business card made available by any person acting as a representative;
- Any business contact details of non-natural person partners in a business relationship with KAPTÁR or any contact details provided as such (e.g. telephone number, email address, etc.).
- DATA PROCESSING TERMS AND PRINCIPLES
2.1. Terms and definitions
The terms of this Notice and listed here below (in accordance with the definitions of the GDPR) are defined as follows:
- ‘Data subject’ means a natural person who is identified or identifiable based on any data processed. A person is identifiable if the data processed allows identification, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘Personal data’ means any information relating to the data subject;
- ‘Controller’ means the person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
- ‘Processor’ means any other person which processes personal data on behalf of the controller;
- ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction);
- ‘Consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ‘Recipient’ means any person to which the personal data are disclosed;
- ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
2.2. Instances of processing
KAPTÁR processes the data of natural persons always in accordance with the provisions of the GDPR and national legislation applicable to data protection, for specific purposes and based on adequate legal ground. The duration, method and scope of processing shall comply with the above-mentioned purpose.
2.3. Method of processing
KAPTÁR is processing personal data by using equipment it controls on the one hand and by using processor on the other hand. A continuously updated list of the processors used in relation to the processing under this Notice is available on the kaptarbudapest.hu website (hereinafter referred to as “Website”).
2.4. Processing of particularly sensitive personal data
KAPTÁR does not process particularly sensitive data, that is, personal data concerning the data subject’s racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, health or genetic status, or sexual orientation or gender identity. Should any data subject disclose any such data, KAPTÁR will immediately arrange for the deletion of the data. An exception to the above is when a natural person contracted with KAPTÁR discloses data concerning his or her health status in order to use health, social security, social or related care or service or fulfil an obligation related to any of the foregoing, in which case KAPTÁR ensures that such data are adequately protected, stored for the period defined by the law and deleted thereafter.
2.5. Processing of personal data concerning children
KAPTÁR does not process personal data concerning data subjects under the age of 16. Should any data subject disclose any such data, KAPTÁR will immediately arrange for the deletion of the data.
- INSTANCES OF PROCESSING
3.1. Processing of data required to perform contracts in the context of core business
In the context of its ordinary course of business, KAPTÁR processes the following data in relation to the contracts made with natural person accounts:
- Scope of processed personal data: name, date of birth and place of birth, mother’s birth name, home address, telephone number, e-mail address;
- Legal ground for processing: processing is necessary for the performance of a contract to which the data subject is party (GDPR Article 6(1)(b));
- Purpose of processing: natural person accounts use the services provided by KAPTÁR personally, which requires proper identification of the contracting account;
- Duration of processing: 5 (five) years from the termination of the contract with the account;
- Persons authorised for processing: owners of KAPTÁR (hereinafter referred to as “Owners”), executive officers of KAPTÁR (hereinafter referred to as “Executive Officers”); staff employed by KAPTÁR (hereinafter referred to as “Employees”), processors providing cloud-based data storage, Internet hosting, electronic mail, postal, electronic payment, electronic entry, marketing, accounting and legal services to KAPTÁR.
3.2. Processing of employment-related data
KAPTÁR is processing the following data in relation to the employment contracts it concludes:
- Scope of processed personal data: name, date of birth and place of birth, mother’s birth name, home address, tax ID, social security ID, bank account number, telephone number, e-mail address;
- Legal ground for processing: processing is necessary for the performance of a contract to which the data subject is party and for compliance with a legal obligation to which KAPTÁR is subject (GDPR Articles 6(1)(b) and 6(1)(c));
- Purpose of processing: proper identification of the employee and awareness of the bank account number are required for the conclusion of employment contracts, complying with the reporting obligations under Act CL of 2017 on the rules of taxation and Act LXXX of 1997 the eligibility for social security benefits and private pensions and the funding for these services, as well as the payment of wages;
- Duration of processing: 5 (five) years from the termination of the contract with the account;
- Persons authorised for processing: Owners, Executive Officers; processors providing accounting, payroll and legal activities for KAPTÁR.
3.3. Processing of the data of data subjects applying for a job
KAPTÁR is processing the following data of natural persons applying for vacancy notices posted by it:
- Scope of processed personal data: name, date of birth and place of birth, mother’s birth name, home address, telephone number, e-mail address, other data disclosed by the data subject in the CV (e.g. studies, experience, languages, areas of interest, etc.);
- Legal ground for processing: data subject’s consent (GDPR Articles 6(1)(a)), which the data subject provides by submitting his or her CV (implication) or an explicit declaration included therein (based on the information in the vacancy notice);
- Purpose of processing: to identify candidates for job vacancy notices and best possible assessment of their eligibility for the vacancy they wish to fill (qualifications, professional skills), as well as to ensure that KAPTÁR can directly contact candidates who were not originally hired when a similar vacancy is advertised;
- Duration of processing: 1 (one) year from the submission of the CV;
- Persons authorised for processing: Owners, Executive Officers.
3.4. Process of data recorded by the camera system operated by KAPTÁR
KAPTÁR is processing the following data in relation to the closed-circuit camera system itoperates in the community office located at 1065 Budapest, Révay köz 4 (hereinafter referred to as “Community Office”):
- Scope of personal data involved in processing: image;
- Legal ground for processing: consent of the data subject (GDPR Article 6 (1) a)), which the data subject grants by entering the area of the Community Office (implication) (based on the notice on the operation of a camera system, which is posted at the entrance to the Community Office);
- Purpose of processing: protection of property concerning the equipment and installations of the Community Office, in accordance with the provisions of Act CXXXIII of 2005 on security services and the activities of the private investigators;
- Duration of processing: three (3) working days of recording;
- Persons authorised for processing: Executive Officers.
3.5. Processing related to the fingerprint entry system
KAPTÁR is processing the following data of natural persons who choose to use the fingerprint entry system which facilitates entering the Community Office as follows:
- Scope of personal data involved in processing: fingerprint;
- Legal ground for processing: consent of the data subject (GDPR Article 6 (1) a)), which the data subject grants by entering into a contract with KAPTÁR (based on the information provided at the time of contracting);
- Purpose of data processing: to facilitate entering the Community Office by the contracted accounts of KAPTÁR who wish to avail themselves of the possibility to use fingerprint entry system
- Duration of processing: 5 (five) years from the termination of the contract with the account;
- Persons authorised for processing: processor providing the electronic entry service to KAPTÁR (owing to the technical solution applied in this respect, neither KAPTÁR, nor the processor used for processing, nor any third party can access any personal data under this Section).
- RIGHTS OF NATURAL PERSONS CONCERNED BY THE PROCESSING
4.1. Right to request information
Every data subject has the right to request information as to whether KAPTÁR is processing any personal data concerning him or her. In any case, the information should include the following:
- Identity and contact details of the controller;
- Purpose and legal ground of the processing;
- Persons to whom the data are planned to be disclosed;
- Planned duration of processing;
- Notice on any other rights under this Chapter;
- Where processing is based on the data subject’s consent, notice of the possibility of withdrawing such consent;
- Identification of the supervisory authority competent in the context of processing.
Where the data processed are provided by other than the data subject, the notice must indicate the source of the data as well.
4.2. Right to access
Every natural person has the right to request information as to whether KAPTÁR is processing any personal data concerning him or her. If so, the data subject has the right to know the following:
- Purpose of the processing;
- Scopeof personal data involved in the processing;
- Persons to whom the data have been or are planned to be disclosed;
- The planned duration of the processing;
- The source of the data (if they have been provided by other than the data subject).
The information must also include a notice on other rights under this Chapter and state the name of the supervisory authority competent in the context of processing.
4.3. Right to rectification
Every data subject has the right to request the rectification of any inaccurate personal data concerning him or her processed by KAPTÁR.
4.4. Right to erasure
Every data subject has the right to obtain the erasure of personal data concerning him or her processed by KAPTÁR if:
- The personal data are no longer necessary in relation to the purpose for which they were processed;
- The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed;
- The personal data have to be erased for compliance with a legal obligation under the law which the controller is subject.
4.5. Right to restriction
Every data subject has the right to obtain restriction of processing the data concerning him or her processed by KAPTÁR if:
- The accuracy of the personal data is contested by the data subject (for a period required to clarify the issue);
- The processing is unlawful and the data subject opposes the erasure of the personal data;
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- The data subject has objected to processing pursuant (for a period required to clarify the issue).
4.6. Right to data portability
Every data subject shall have the right to receive the personal data concerning him or her processed by KAPTÁR in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without KAPTÁR preventing the same.
4.7. Right to object
Every data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her by KAPTÁR, which is necessary for the exercise of the legitimate interests of KAPTÁR or any third party. In this case, KAPTÁR shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Every data subject who has suffered damage as a result of an infringement of the applicable law or this privacy notice by KAPTÁR in relation to the processing of personal data concerning him or her has the right to receive compensation for the damage suffered.
4.9. Method of exercising rights
A claim falling within the scope of Sections 4.1-4.7 of this Chapter may be brought by the data subject in person or writing (by means of a message sent to the data protection contact person named in this Notice at the address of KAPTÁR at 1065 Budapest, Révay köz 4 or the email@example.com e-mail address). Data subjects may exercise the rights under Section 4.1-4.7 of this Chapter on following proper verification of their identity. After verification of the identity, the communication can be continued without physical presence through the contact details provided by the identified data subject (such as mailing address, telephone number or e-mail address). The information provided to the data subject must be compact, transparent, intelligible and easily accessible in all cases. A claim for compensation may be brought either in the form described above or by bringing an action before the competent court of jurisdiction.
- PROTECTION OF PROCESSED DATA
5.1. Protective measures
KAPTÁR strives to apply security solutions providing the greatest possible security for the data processed and stored by it and its processors but the presentation of the specific solutions is obviously beyond the scope of this Notice having regard to their purpose. Should any problem occur in relation to any of the solutions adopted, KAPTÁR takes immediate action to resolve it and improve the relevant protection or carry out any replacement necessary to achieve a higher level of security.
5.2. Handling of personal data breach
In case of a personal data breach relevant to the personal data processed by KAPTÁR, it will notify the personal data breach to the supervisory authority without undue delay and not later than 72 (seventy-two) hours after having become aware of it. The notification must disclose the nature of the breach, the scope of data subjects and data concerned, the name and contact details of the data protection contact person, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons and it is not possible to eliminate the risks or prevent the consequences, KAPTÁR will communicate the personal data breach to the data subject(s). The communication must describe the nature of the breach in a clear and plain language, the name and contact details of the data protection contact person, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach.
The establishment of KAPTÁR is located in Budapest, Hungary.
6.2. Data protection contact person
Data subjects can address questions, remarks, complaints and other requests regarding the content of this Notice and the processing by KAPTÁR to the data protection contact person of KAPTÁR at any of the following contacts:
- Data protection contact person: Áron Levendel, managing director
- E-mail: firstname.lastname@example.org
6.3. Supervisory authority
If processing by KAPTÁR violates any right or legitimate interest of any natural person, the data subject may address his or her complaint to the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) (seat: 1125 Budapest, Szilágyi Erzsébet fasor22/C.; postal address: 1530 Budapest, Pf. 5.; telephone: +36 1 391-1400; fax: +36 1 391-1410; e-mail: email@example.com).
6.4. Entry into force and amendments of this Notice
The information in this Notice applies from the date hereof, on which date this Notice is simultaneously posted on the Website. KAPTÁR reserve the right to unilaterally amend this Notice at any time without providing a case. In such case, the amendments apply from the date of the amended Notice, on which date the amended Notice is simultaneously posted on the Website.
This statement is intended to set out the data protection and processing principles applied by KAPTÁR irodák Kſt. (registered address: 1065 Budapest, Révay köz 4., company registry number: 01-09-967198, registering authority: Metropolitan Court as Court of Registration, tax number: 23473861-2-42).
When processing data, the company pays special attention to act in your interest in accordance with Act CXII of 2011 on the right to informational self-determination and the freedom of information (hereinafter referred to as “Info Act”), Act CVII of 2001 on electronic commerce and on information society services and other legislation concerning other data processing, taking into account the key informational recommendations concerning processing.
Our visitors are advised that by registering for newsletters on the www.kaptarbudapest.hu or www.kaptarcoworking.hu websites they consent to KAPTÁR irodák Kſt. sending them newsletters and registering their names and e-mail addresses provided for this purpose and transferring the same to third parties acting as technologyproviders in the course of processing in compliance with the legal requirements. Depending on the type, the newsletters provide information on our new services, campaigns, programmes and useful tips with weekly or monthly frequency. The newsletters can contain advertising messages.
Budapest, 25 May 2018
KAPTÁR irodák Kft.