Privacy Policy Hungary
DATA PROTECTION AND PRIVACY POLICY
Application of privacy and data protection policy
Organization name: Klass Wagen Hungary Kft.
Registered office of the organization: 1185 Budapest, Üllői út 822.
Person responsible for the content of this policy: Móricz Ferencz
Date of coming into force: January 1st, 2024
Other documents related to this Policy:
Documents and policies that contain, for example, a written statement of consent to data processing or, in the case of websites, a mandatory privacy notice, should be attached to and managed together with the Privacy and Data Protection Policy.
In addition to this policy, please see our Terms and Conditions and Cookie Policy.
This policy sets out rules on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data. It applies to specific data processing activities and to the issuance of instructions and notifications governing data processing.
The obligation to employ (appoint) a data protection officer extends to all public authorities or other bodies with public tasks (irrespective of the data they process), as well as to other organizations whose main activity is the systematic, large-scale monitoring of natural persons or which process a large number of special categories of personal data.
The organization: □ employs ☒ does not employ a data protection officer.
Scope of the regulation/policy
This policy is valid until revoked and applies to officers, employees and the Data Protection Officer within the organization.
Date: Budapest, January 1st, 2024
Móricz Ferencz
Manager of the organization
Purpose of the policy
The purpose of this policy is to harmonize the requirements of the organization's other internal rules on data management activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the appropriate processing of personal data.
The Organization aims to fully comply with the legal requirements on the processing of personal data, in particular Regulation (EU) No 679/2016 of the European Parliament and of the Council, in the course of its activities.
Another important purpose of issuing this policy is to ensure that, by being aware of and complying with it, the organization's employees are able to lawfully handle the data of natural persons.
Key concepts, definitions
- GDPR (General Data Protection Regulation) is the new EU data protection regulation
- data controller: the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are laid down by Union or Member State law, the data controller or the specific criteria for designating the data controller may also be laid down by Union or Member State law;
- Processing: any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller;
- personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- third party: a natural or legal person, public authority, agency or any other body other than the data subject, the data controller, the processor or the persons who, under the direct authority of the data controller or the processor, are authorized to process personal data;
- consent of the data subject: a voluntary, specific, informed and unambiguous expression of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data relating to him or her by means of an unambiguous statement or affirmation;
- restriction of processing: marking stored personal data for the purpose of restricting their further processing;
- pseudonymization: the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separate and that technical and organizational measures are taken to ensure that no link can be established between the personal data and identified or identifiable natural persons;
- filing system: a set of personal data structured in any way, whether centralized, decentralized or structured according to functional or geographical criteria, which is accessible on the basis of specific criteria;
- data breach incident: a breach of security that results in the accidental or unlawful destruction, accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Data management principles
The processing of personal data must be lawful, fair and transparent for the data subject.
Personal data may only be collected for specified, explicit and legitimate purposes.
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Personal data must be accurate and up-to-date. Inaccurate personal data must be deleted without delay.
Personal data must be stored in a form which permits identification of data subjects for no longer than necessary. Personal data may be stored for longer periods only if the storage is for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes.
Personal data must be processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by the use of appropriate technical or organizational measures.
The data protection principles shall apply to all information relating to an identified or identifiable natural person.
An employee of the organization who processes personal data is responsible for the lawfulness of that processing and may be subject to disciplinary action, damages, and civil and criminal liability. If an employee discovers that the personal data he or she is processing is inaccurate, incomplete or out of date, he or she must correct it or have it corrected by the person responsible for recording it.
Processing of personal data
Because individuals may be associated with online identifiers, such as IP addresses and cookie identifiers, provided by the devices, applications, tools and protocols they use, this data, combined with other information, may be matched with, and used to profile and identify, such individuals.
The processing of data and information may only take place if the data subject gives his or her free, specific, informed and unambiguous consent to the processing of his or her data by means of a clear and express affirmative action, such as a written, including electronic, or oral statement.
Consent to the processing of personal data shall also be deemed to be given if the data subject ticks a box to that effect when visiting the website. Silence, boxes pre-ticked by the data controller or inactivity shall not constitute consent.
Consent shall also be deemed to be given where a user, in the course of using the electronic services, makes the relevant technical settings or makes a statement or takes an action which, in the relevant context, clearly indicates that the data subject consents to the processing of his or her personal data.
Personal health data includes data relating to the health of a data subject, containing information about his or her past, present or future physical or mental health. This includes:
- Database record/evidence for health services;
- a number, symbol or data attributed to a natural person for the purpose of individually identifying that person for health purposes;
- information obtained from testing or examination of a body part or constituent material, including genetic data and biological samples;
- information relating to the disease, disability, risk of illness, medical history, clinical treatment, or physiological or biomedical condition of the person, regardless of its source, which may be, for example, a doctor or other health professional, a hospital, a medical device or a diagnostic test.
Genetic data is defined as personal data relating to the inherited or acquired genetic characteristics of a natural person and resulting from the analysis of a biological sample taken from that person, in particular chromosome analysis or analysis of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) or any other element allowing the extraction of information equivalent to that which can be obtained from them.
Children's personal data deserve special protection because they may be less aware of the risks, consequences, safeguards and rights associated with the processing of personal data. This special protection should apply in particular to the use of children's personal data for marketing purposes or for the purpose of creating personal or user profiles.
Personal data must be processed in a manner ensuring an adequate level of security and confidentiality, in particular in order to prevent unauthorized access to or use of personal data and the means used to process personal data.
Every reasonable step must be taken to correct or delete inaccurate personal data.
Lawfulness of processing
Processing of personal data is lawful if one of the following conditions is met:
- the data subject has consented to the processing of his/her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to the conclusion of the contract;
- processing is necessary for compliance with a legal obligation to which the data controller is subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
As set out above, processing is lawful if it is necessary in the context of a contract or the intention to conclude a contract.
Where the processing is carried out in the performance of a legal obligation to which the data controller is subject or if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing must have a legal basis in Union law or in the law of a Member State.
Processing shall be considered lawful when it is carried out for the purpose of protecting the life of the data subject or the interests of another natural person referred to above. Processing of personal data based on the vital interests of another natural person should, in principle, take place only if there is no other legal basis for the processing in question.
Some types of processing of personal data may serve both important public interests and the vital interests of the data subject, for example when processing is necessary for humanitarian reasons, including when it is necessary to monitor epidemics and their spread or in the event of a humanitarian emergency, in particular a natural or man-made disaster.
The legitimate interest of the data controller - including the data controller with whom the personal data may be shared - or of a third party may constitute a legal basis for processing. Such a legitimate interest may be, for example, where there is a relevant and appropriate relationship between the data subject and the data controller, such as where the data subject is a customer or an employee of the data controller.
Processing of personal data strictly necessary for the prevention of fraud is also considered to be in the legitimate interest of the data controller concerned. Processing of personal data for direct marketing purposes may also be considered to be based on legitimate interest.
In order to establish the existence of a legitimate interest, it is necessary to carefully analyze, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of the personal data, that the processing for the purposes for which the data were collected would take place. The interests and fundamental rights of the data subject may override the interests of the data controller where personal data is processed in circumstances where the data subjects do not expect further processing.
The processing of personal data by public authorities, cyber emergency response units, network security incident management units, network operators and providers of electronic communications services and providers of security technology services, to the extent strictly necessary and proportionate to ensure network and information security, shall be deemed to be in the legitimate interest of the data controller concerned.
Processing of personal data for purposes other than those for which they were originally collected is only permitted if the processing is compatible with the original purposes for which the personal data were originally collected. In this case, a separate legal basis other than the legal basis which made the collection of personal data possible is not necessary.
The processing of personal data by public authorities for the purposes of officially recognized religious organizations, as defined by constitutional law or public international law, is considered to be in the public interest.
Consent of the data subject, conditions
- Where processing is based on consent, the data controller must be in a position to demonstrate that the data subject has given his consent to the processing of his personal data.
- Where the data subject gives his or her consent in a written statement which also relates to other matters, the request for consent must be communicated in a manner which is clearly distinguishable from those other matters.
- The data subject shall have the right to withdraw consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject shall be informed before consent is given. Withdrawal of consent shall be possible in the same simple manner as giving consent.
- In determining whether consent is voluntary, utmost account must be taken of whether, inter alia, the performance of the contract, including the provision of services, has been made conditional on consent to the processing of personal data which is not necessary for the performance of that contract.
- The processing of personal data in connection with information society services offered directly to children is lawful where the child is at least 16 years of age. In the case of children under the age of 16, the processing of children's personal data is lawful only if and to the extent that consent has been given or authorized by the person having parental authority over the child.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, of genetic data or biometric data revealing the identity of natural persons, of data concerning health and of personal data concerning the sex life or sexual orientation of natural persons shall be prohibited, unless the data subject has given his or her explicit consent to the processing of such personal data for one or more specific purposes.
The processing of personal data relating to decisions on criminal liability and offences and related security measures may only take place if they are processed by a public authority.
Processing of data not requiring identification
Where the purposes for which the data controller processes personal data do not or no longer require the identification of the data subject by the data controller, the data controller shall not be obliged to retain additional information.
Where the data controller can demonstrate that he is unable to identify the data subject, he shall inform the data subject accordingly, where possible by appropriate means.
Information and rights of the data subject
The principle of fair and transparent processing requires that the data subject is informed about the fact and purposes of the processing.
Where personal data is collected from the data subject, the data subject must also be informed of the obligation to provide the personal data and of the consequences of not providing the data. This information may also be supplemented by standardized icons to provide the data subject with general information on the intended processing in a visible, easily understandable and legible form.
Information concerning the processing of personal data relating to the data subject must be provided to the data subject at the time of collection or, where the data have been collected from a source other than the data subject, within a reasonable time having regard to the circumstances of the case.
The data subject shall have the right of access to the data collected relating to him or her and the right to exercise that right in a simple manner and at reasonable intervals in order to establish and verify the lawfulness of the processing. Every data subject should have the right to be informed, in particular, of the purposes for which personal data is processed and, where possible, of the period for which the personal data is processed.
In particular, the data subject has the right to have his or her personal data erased and no longer processed if the collection or further processing of personal data is no longer necessary in relation to the original purposes of the processing or if the data subjects have withdrawn their consent to the processing.
Where the processing of personal data is carried out for direct marketing purposes, the data subject should have the right to object at any time, free of charge, to the processing of personal data concerning him or her for such purposes.
Review of personal data
In order to ensure that the storage of personal data is limited to the period necessary, the data controller will set deadlines for deletion or periodic review.
Periodic review period set by the head of the organization: 1 year.
Tasks/duties of the data controller
The data controller shall apply appropriate internal data protection rules to ensure lawful processing. These rules cover the powers and responsibilities of the data controller.
It is the responsibility of the data controller to implement appropriate and effective measures and to be able to demonstrate that the processing activities comply with applicable law.
Such regulation should be made taking into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.
The data controller shall implement appropriate technical and organizational measures, taking into account the nature, scope, context and purposes of the processing and the different degrees of risk to the rights and freedoms of natural persons, which vary in likelihood and severity. It shall review and, where necessary, update other internal rules on the basis of these rules.
The data controller or processor shall keep adequate records of the processing activities carried out under his/her authority. Each data controller and processor shall cooperate with the supervisory authority and shall make those records available on request to monitor the processing operations concerned.
Data processing rights
Right to request information
Any person may request information, via the contact details provided, about what data the organization processes, on what legal basis, for what purpose, from what source and for how long. The reply will be sent to the contact details provided without undue delay and at the latest within 30 days.
Right of correction
Any person may request an amendment to any of his/her data using the contact details provided. Such a request will be dealt with promptly and at the latest within 30 days and the information will be sent to the contact details provided.
Right to deletion
Any person may request the deletion of their data using the contact details provided. Upon request, this must be done without undue delay and at the latest within 30 days, and the information must be sent to the contact details provided.
Right to blocking, restriction
Any person may request the blocking of their data by using the contact details provided. Blocking will last for as long as the reason indicated makes it necessary to store the data. Upon request, this must be done without delay and within a maximum of 30 days, and the information must be sent to the contact details provided.
Right to object
Any person may object to the processing of their data using the contact details provided. The objection will be examined and a substantive decision will be taken as soon as possible from the date of the request, but no later than 15 days, and information about the decision should be sent to the contact details provided.
Enforcement possibilities in relation to data processing
National Authority for Data Protection and Freedom of Information
(Nemzeti Adatvédelmi és Információszabadság Hatóság)
Mail address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone number: +36 (1) 391-1400
Fax: +36 (1) 391-1410
e-mail address: ugyfelszolgalat (kukac) naih.hu
URL: https://naih.hu
Coordinates: N 47°30'56''; E 18°59'57''
In the event of a breach of the data subject's rights, the data subject may take the data controller to court. The court shall deal with the case as a priority (out of turn). The data subject may, at his/her choice, bring proceedings before the competent court of the place where he/she resides or is domiciled.
Tasks/duties of the organization to ensure adequate data protection
- Data protection awareness. Professional competence to comply with legislative rules must be ensured. Staff training and awareness of the rules are essential.
- Purpose of data processing, criteria and concept of personal data processing should be reviewed. Ensure lawful processing and processing in accordance with the data protection and management policy.
- Proper information to the data subject. Attention must be paid to the fact that where processing is based on the data subject's consent, the data controller must, in case of doubt, prove that the data subject has given his or her consent.
- The information provided to the data subject should be concise, easily accessible and easily understandable and should therefore be written and presented in clear and simple language.
- The transparent processing of personal data requires that the data subject is informed about the fact and purposes of the processing of his or her data. The information must be provided before the processing starts, and the data subject retains the right to be informed throughout the processing and until the processing ceases.
- The main rights of the data subject are:
Access to the personal data concerning him/her;
Correction of personal data;
Deletion of personal data;
Restrictions on the processing of personal data;
Opposition to profiling and automated processing;
The right to data portability.
- The data controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by two additional months. The obligation to provide information may be ensured through the operation of a secure online system through which the data subject can easily and quickly access the necessary information.
- The organization's data management practices must be reviewed and the right to information self-determination must be ensured. At the request of the data subject, data must be erased without undue delay if the data subject withdraws the consent on the basis of which the processing was carried out.
- The data subject's consent must unambiguously indicate that the data subject consents to the processing. Where the processing is based on the data subject's consent, the data controller should, in case of doubt, prove that the data subject has consented to the processing operation.
- When processing children's personal data, particular attention must be paid to compliance with data processing rules. The processing of personal data in connection with information society services offered directly to children is lawful when the child is at least 16 years of age. In the case of children under the age of 16, the processing of children's personal data is lawful only if and to the extent that consent has been given or authorized by the person having parental authority over the child.
- In case of unlawful processing or management of personal data, the supervisory authority must be notified. The data controller must make the notification to the supervisory authority without undue delay and, where possible, no later than 72 hours after becoming aware of the personal data breach, unless the personal data breach is unlikely to present a risk to the rights of the natural person.
- In certain cases, it may be appropriate for the data controller to carry out a data protection impact assessment prior to processing. The impact assessment should evaluate the impact of the intended processing operations on the protection of personal data. Where the personal data processing supervisory authority concludes that the processing is likely to present a high risk, the data controller should consult the supervisory authority prior to the processing of personal data.
- In cases where the main activities involve personal data processing operations which, by their nature, scope or purposes, require systematic and large-scale monitoring of data subjects, a Data Protection Officer should be appointed. The appointment of such an officer is also intended to enhance data security.
Data security
In particular, appropriate measures must be taken to protect data against unauthorized access, alteration, disclosure, erasure or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.
In order to protect electronically managed data files in registers, appropriate technical measures should be taken to ensure that the data stored in those registers cannot be directly linked to the data subject and attributed to him or her.
When designing and implementing data security, the state of the art should be taken into account. Among several possible data processing solutions, the one which ensures the highest level of protection of personal data should be chosen, unless this would impose a disproportionate burden on the data controller.
Data Protection Officer
The appointment of a Data Protection Officer is mandatory on the basis of the following criteria:
- the processing is carried out by public authorities or other bodies with a public service mission, with the exception of courts acting in the exercise of their judicial function;
- the main activities of the data controller or processor involve processing operations which by their nature, their scope or their purposes require systematic and large-scale monitoring of data subjects;
- the main activities of the data controller or processor relate to the processing of a large amount of personal data relating to decisions on criminal liability and offences.
Where the appointment of a responsible official is mandatory, the following rules shall apply:
The Data Protection Officer shall be appointed on the basis of professional competence and, in particular, expert knowledge of data protection law and practice and the ability to perform the duties of a Data Protection Officer.
The Data Protection Officer may be an employee of the data controller or of the processor, but may also carry out his/her tasks under a service contract.
The name and contact details of the Data Protection Officer must be published by the data controller or processor and communicated to the supervisory authority.
Status of the Data Protection Officer
The data controller must ensure that the responsible official is involved in all aspects of personal data protection in an appropriate and timely manner. It must be ensured that the necessary resources are available to maintain the level of expertise of the official responsible for personal data.
The officer shall not accept instructions from anyone in relation to the performance of his/her duties. The data controller or processor shall not dismiss or sanction the official in connection with the performance of his/her duties. The person responsible shall be directly answerable to the data controller's or processor's top management.
Data subjects may contact the Data Protection Officer on all matters concerning the processing of their personal data and the exercise of their rights.
The Officer shall be subject to obligations of confidentiality or data protection in the performance of his/her duties.
The responsible official may also perform other tasks, but there must be no conflict of interest in relation to these tasks.
Tasks of the Data Protection Officer
- providing information and professional advice to the data controller or processor and the staff carrying out the processing;
- monitoring compliance with the data controller's or processor's internal rules on the protection of personal data;
- on request, providing technical advice on the data protection impact assessment and monitoring the conduct of the impact assessment;
- cooperating with the supervisory authority.
Data protection incident
A data breach is a breach of security that results in the accidental or unlawful destruction, accidental or unlawful loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A personal data breach may cause physical, material or moral harm to individuals, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse of their identity, if not adequately and timely addressed.
The competent supervisory authority shall be notified without undue delay and at the latest within 72 hours of any data protection incident, unless it can be demonstrated, in accordance with the principle of accountability, that the data protection incident is unlikely to present a risk to the rights and freedoms of natural persons.
The data subject must be informed without delay if the personal data breach is likely to lead to a high risk to the rights and freedoms of the natural person in order to enable him or her to take the necessary precautions.
Data processing for administrative and record-keeping purposes
The organization may also process personal data in the context of its activities and for administrative and record-keeping purposes.
Processing shall be based on the data subject's free and explicit consent, based on adequate information. After detailed information, including on the purposes, legal basis and duration of the processing and the rights of the data subject, the data subject shall be informed of the voluntary nature of the processing. Consent to processing shall be given in writing.
Data processing for administrative and record-keeping purposes serves the following purposes:
- The processing of data of members and employees of the organization based on a legal obligation;
- processing data of persons having a contractual relationship with the organization for contact, accounting and record-keeping purposes;
- contact data of other organizations, institutions and enterprises doing business with the organization, which may include contact and identification data of natural persons;
The processing of data as described above is based on a legal obligation, on the one hand, and on the other hand, the data subject has given his/her explicit consent to the processing of his/her data (e.g. for the purpose of an employment contract or when registering as a partner on a website, etc.).
In the case of written documents (such as CVs, job applications, other proposals, etc.) containing personal data, the data subject's consent must be presumed. After case closure, documents must be destroyed in the absence of consent for further use. The fact of destruction shall be recorded in a report.
In the case of processing for administrative purposes, personal data is included only in case files and records. The processing of these data lasts until the document on which the processing is based is deleted.
The processing for administrative and record-keeping purposes should be reviewed annually to ensure that the storage of personal data is limited to the necessary period and that inaccurate personal data should be deleted without delay.
Compliance with the law must also be ensured in the case of processing for administrative and data retention purposes.
Processing for other purposes
If the organization wishes to carry out processing that is not covered by this policy, it must first amend these internal rules accordingly or add additional rules or regulations appropriate to the new purpose of the processing.
Legislation underlying the data processing
- REGULATION (EU) No 679/2016 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation).
- Law No CXII of 2011 on the right to informational self-determination and freedom of information.
- Law No LXVI of 1995 on public registers, public archives and protection of private archival material.
- Government Decree No. 335/2005 (29.XII.) on general requirements for the management of documents by public bodies.
- Law CVIII of 2001 on certain aspects of e-commerce services and information society services.
- Law No. C of 2003 on Electronic Communications.