Data processing information

DATA PROCESSING INFORMATION

ON THE RIGHTS OF THE NATURAL DATA SUBJECT

 FOR THE PROCESSING OF HIS/HER PERSONAL DATA

TABLE OF CONTENTS

INTRODUCTION

CHAPTER I – DESCRIPTION OF THE CONTROLLER

CHAPTER II – DESCRIPTION OF THE DATA PROCESSORS

  1. IT service provider of our Company
  2. Book-keeping service provider of our Company
  3. Postal services, delivery, mail order delivery
  4. Security services

CHAPTER III – DATA PROCESSING RELATED TO EMPLOYMENT

  1. Records of labour and staff
  2. Data processing related to eligibility examinations
  3. Data processing of employees applying for work, applications, CVs
  4. Data processing for the checking of the use of e-mail boxes
  5. Data processing for the checking of computers, laptops, tablets
  6. Data processing for the checking of internet use at work
  7. Data processing for the checking of the use of company mobile phones
  8. Data processing for the use of GPS navigation systems
  9. Data processing for the camera monitoring at work

CHAPTER IV – DATA PROCESSING RELATED TO CONTRACT

  1. Processing of the data of contractual partners – records of customers, suppliers
  2. Contact details of the natural person representatives of legal entity customers, buyers, suppliers
  3. Information on the use of cookies
  4. Community directives / Data processing on the Facebook site of the Company

CHAPTER V – DATA PROCESSING BASED ON LEGAL OBLIGATION

  1. Data processing to fulfil tax and accountancy responsibilities
  2. Data processing of disbursers

CHAPTER VI – OVERVIEW OF THE RIGHTS OF THE DATA SUBJECT

CHAPTER VII – DETAILED INFORMATON ON THE RIGHTS OF THE DATA SUBJECTS

CHAPTER VIII – SUBMISSION OF THE REQUEST OF THE DATA SUBJECT, ACTIONS OF THE CONTROLLER

INTRODUCTION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation) lays down that the controller takes appropriate actions in order to render each information on the processing of data for the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, furthermore the controller promotes the execution of the rights of the data subject.

 

The obligation for information for the data subject is laid down in the Act CXII of 2011 about the right of information self-determination and information freedom, as well.

 

The information described below should serve as the fulfilment of our legal obligation referred to above.

 

The information should be published on the website of the Company or should be sent for the data subject upon his/her request.

CHAPTER I

DESCRIPTION OF THE CONTROLLER

Issuer of this information and controller, as well:

Trade name: MERICO Components Zrt

Registered office: 9081 Győrújbarát, Kisbaráti major

Trade register number: Cg.08-10-001826

Tax number: 11701743-2-08. 

Represented by: Mak Enrico Chief Executive Officer

Phone: +36-96-543-783

Fax: +36-96-543-784

E-mail address: enrico.mak@merico.net

Website: www. merico.hu

(hereinafter: Company)

 

CHAPTER II

DESCRIPTION OF DATA PROCESSORS

 

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4 paragraph 8 of the Regulation).

 

For the employment of the data processor no prior consent of the data subject is required, but the data subject must be informed. Consequently, we render the information below:

 

  1. IT service provider of our Company

For the maintenance and management of its website our Company employs a data processor, which provides the IT services (web hosting) and thereby it manages the personal data provided on the homepage – for the duration of our contract made by it – it is responsible for the storing of personal data on the server.

This data processor is described below:

Trade name: Abakusz Kft.

Registered office: 9023-Győr, Attila utca 24

Trade register number: 08-09-004296

Tax number:11136413-2-08

Represented by: Mr. Miklós Budai

Phone:+36-96-550-212

Fax: +36-96-550-231

E-mail address:info@abakusz.hu

Website: www.abakusz.hu

  1. Bookkeeping service provider of our Company

In order to perform its tax and accountancy obligations our Company employs an external service provider by a contract on bookkeeping services, which manages also the data of natural persons being either as contracting parties or disbursers, in order to fulfil the tax and accountancy responsibilities of our Company. 

This data processor is described below:

Trade name: ICT Europa Finance Kft.

Registered office:1117-Budapest, Fehérvári út 50-52

Trade register number: 01-09-935243

Tax number:12457124-2-43

Represented by: Mr. György Lovász

Phone:+36-1-3344279

 

  1. Postal services, delivery, mail order service

 

These data processors receive the personal data necessary for the delivery of the ordered product from our Company (name, address, phone number of the data subject), and according to these data the product will be delivered.

These services providers are:

The Hungarian Post Office

Carrier service

Trade name: DPD Hungária Kft.

Registered office:1158-Budapest, Késmárk u. 14 B.ép.

Trade register number: 01-09-888141

Tax number:13034283-2-42

Represented by: Mr. Szabolcs Czifrik

Phone: +36-1-5016200

 

 

  1. Security service provider

 

On behalf of our Company this data processor – for the duration of the contract made with it – carries out camera monitoring at work and the associated processing.

Name of the service provider: “Megoldás” Kft.

Trade name: “Megoldás” Kft.

Registered office: 1046-Budapest, Podmaniczky u. 57. 2.em. 14

Trade register number:01-09-196903

Tax number: 22468091-2-08

Represented by: Mr. Csaba Pákozdi

Phone: +36-30-9299135

 

 

CHAPTER III

DATA PROCESSING RELATED TO EMPLOYMENT

 

  1. Records of labour and staff

 

(1)  In terms of the employees solely such data may be requested and recorded, and such job-related medical eligibility examinations may be carried out which are necessary for the establishment, maintenance or termination of employment and for the provision of social-welfare benefits, provided that these examinations do not infringe the individual rights of the employee.

(2) By reason of the enforcement of the legal interests of the Company as employer (Article 6 paragraph (1) clause f) of the Regulation) the following data of the employee are managed for the purpose of the establishment, performance or termination of the employment:

  1. name
  2. birth name
  3. date of birth,
  4. mother’s name,
  5. address,
  6. nationality
  7. tax ID,
  8. social security number,
  9. pension registration number (for retired employees),
  10. phone number,
  11. e-mail address,
  12. identity card number,
  13. number of the official certificate about residence,
  14. bank account number,
  15. online identifier (if any)
  16. initial and final date of the commencement of employment,
  17. job,
  18. copy of the document for the verification of the highest education, qualification,
  19. photo,
  20. CV,
  21. amount of wage, data related with wage payment and other benefits,
  22. any debts to be deducted from the wage of the employee by virtue of a legally binding decision or by law, or due to the written consent of the employee, as well as the reasons thereof,
  23. evaluation of the activity of the employee,
  24. method of, and reasons for the termination of employment,
  25. good conduct certificate subject to the given job,
  26. summary of the job-related eligibility examinations,
  27. for the membership to a private pension insurance and voluntary mutual insurance, the name, ID-no. of the insurer and the membership number of the employee,
  28. for foreign employees, passport number; name and number of the document for work permit,
  29. data registered in the records of any accidents in which the employee was involved,
  30. data required for the use of welfare services and commercial accommodations,
  31. camera and access control system applied at the Company for security and safeguarding purposes,

and any data recorded by geographical positioning systems.

(3) Data concerning illness and trade union membership are managed by the employer only in order to meet any right or obligation defined by the Labour Code.

(4) Recipients of the personal data are: head of the employer, exerciser of the powers of the employer, employees and data processors of the Company responsible for labour duties.

(5) The owners of the Company can have access only to the personal data of the senior officials.

(6) Duration of the storing of personal data: 3 years of the termination of employment. 

(7) The data subject must be informed prior to the commencement of the data processing that the data processing is based on the Labour Code and the enforcement of the legitimate interests of the employer.  

  1. Data processing in relation with eligibility examinations

(1) For the employee only such eligibility examination may be applied which is provided for by a rule for employment, or which is required to exercise a right or to meet an obligation defined by a rule for employment. Prior to the examinations the employees must be informed in detail among others what skills and capacities the eligibility examination is focused on, and by what means and method the examination takes place. If the examination is provided for by law, then the employees must be informed on the title of the law and the exact paragraph of the law, as well.

(2) The employer can make the employees fill in the test sheets concerning the eligibility and preparedness for work either before the establishment of employment or during the existence thereof.

(3) Test sheets clearly in relation with employment aimed at a more efficient provision and organization of the workflows may be completed by a larger group of employees only for the searching of psychological or personality features, provided that the data coming to surface during the assessment cannot be connected to either particular employee, that is the processing of the data takes place anonymously.  

(4) Range of the personal data eligible for processing: fact of the eligibility for the given job, the associated terms and conditions.

(5) Legal basis for the data processing: legitimate interest of the employer.

(6) Purpose of the processing of personal data: the establishment, maintenance of employment, occupation of a job.

(7) Recipients and categories of recipients of the personal data are: The result of the examination can be made known for the examined employees and the professional who carried out the examination. The employer can have access only to information whether the examined person is suitable for the job or not, and what conditions should be provided for that. The details of the examination and the entire documentation thereof remain, however, hidden for the employer.

(8) Duration of the processing of the personal data: 3 years of the termination of employment.

  1. Processing of the data of employees applying for work, applications, CVs

(1) Range of the data which can be processed: name, date and place of birth of the natural person, mother’s name, address, data for mail delivery, photo, phone number, email address, notes (if any) made by the employer about the applicant. 

(2) Purpose of the processing of personal data: to evaluate the application, to conclude a contract of employment with the selected person. The person concerned should be informed if the employer has selected other than him/her for the job.

(3) Legal basis for the data processing: consent of the data subject.

(4) Recipients of the personal data and the categories of the recipients: manager authorized to exercise the rights of employer at the Company, employees responsible for labour duties. 

(5) Duration of the storing of personal data: Until the application is evaluated. The personal data of applicants who have not been selected must be erased. Data must be also erased for persons, who have withdrawn from the application.

(6) The employer can keep the applications only if the explicit, clear and voluntary consent of the data subject is in place, provided that the employer needs this keeping in order to achieve its purpose of data processing in compliance with the laws. The said consent must be requested from the applicants as soon as the application procedure is closed.

  1. Data processing related to the control of the use of email boxes

(1) If the Company makes an email box available for the employee, this email address and box can be used by the employee solely for the purpose of his/her job in order that the employees could communicate with each other via this box, or they could exchange mail with customers, other persons or entities.  

(2) The employee is not authorized to use the email box for private purposes, personal mail cannot be stored there.

(3) The employer is authorized to control the full contents and the use of the email box on a regular basis – every 3 month – and this time the legal basis of data processing is the legitimate interest of the employer. The control aims at the checking of the observance of the employer’s instruction for the use of the email box, as well as at the checking of the obligations of the employee (articles 8 and 52 of the Labour Code).

(4) The control may be carried out by the head of the employer or the exerciser of the rights of the employer.

(5) If it is not excluded by the conditions of the control, it must be ensured that the employee be there at the control.

(6) Prior to the control the employee must be informed on by what interest of the employer the control takes place, who is authorized to carry out the control on part of the employer, – according to what rules the control can take place (observation of the gradualism) and what is the course of the procedure, – what rights and remedies are available for the employee for the data processing in connection with the control of the email box.

(7) During the control gradualism is to be applied, therefore it must be stated primarily from the address and the subject matter of the email, that it is connected with a task of the job of the employee rather than private. The contents of non-private emails may be examined by the employer without restriction.

(8) If contrary to the provisions of these instructions it can be found that the employee has used the email box for private use, the employee must be requested to erase the personal data without delay. In the absence of the employee or in case of the failure of his/her cooperation the personal data will be erased by the employer. Due to any use of the email box contrary to these instructions the employer has the power to apply legal consequences of the labour law against the employee.

(9) As to the data processing associated with the control of the email box the employee may have the rights described in the chapter about his/her rights concerned.

  1. Data processing related to the control of computers, laptops, tablets

(1) Computers, laptops, tablets made available by the Company for the employee for the purpose of working can be used by the employee solely for the duties of his/her job, the private use of these are prohibited by the Company, the employee is not authorized to process or store any of his/her personal data or correspondence on these data carriers. For the control of these data carriers by the employer and for the legal consequences thereof the provisions under clause 1.4 above are otherwise governing.

  1. Data processing related to the control of the internet use at work

(1) The employee is authorized to view websites only, which are in relation with the tasks of his/her job, the internet use at work for private purpose is prohibited by the employer.

(2) It is the Company, which is the authorized entity of the internet registrations carried out on behalf of the Company as a task of a job, and during registration an ID and password referring to the Company must be applied. If personal data must be also provided for the registration, the erasure of these must be initiated by the Company as soon as the employment is terminated.

(3) The internet use of the employee at work can be controlled by the employer, for which and for its legal consequences the provisions in clause 1.4 are governing.

  1. Data processing related to the control of the use of company mobile phones

(1) The employer does not allow the private use of company mobile phones, mobile phones can be used only for purposes in relation with the work, and the employer is authorized to check the call numbers and data of any outgoing calls and the data stored on the mobile phones.

(2) The employee is obliged to notify the employer if he/she has used the company mobile phone for private purpose. In this case the checking can be carried out so that the employer requests detailed call records from the phone service provider, by requesting the employee to make the called number unrecognizable on the document in the case of private calls. The employer may provide for that the costs of private calls be borne by the employee.

(3) Otherwise, the provisions in clause 1.4 are governing for the control and its legal consequences.

  1. Data processing related to the use of GPS navigation systems

 

(1) The legal basis for the use of a GPS system is the legitimate interest of the employer, aiming at the organization of work, logistics, the control of the fulfilment of the obligations of the employee.

(2) Processed data: registration number of the motor vehicle, driven route, distance, duration of the motor vehicle use.

(3) The control can be made only during working hours and the geographical location of the employees cannot be checked beyond the working hours. Otherwise the provisions in clause 1.4 are governing for the control by the employer and for its legal consequences.

  1. Data processing related to camera monitoring at work

(1) Our company uses an electronic monitoring system at its registered office, site (excluding offices) in order to safeguard human life, physical integrity, personal freedom, trade secrets and for security, which ensures video-, audio-, or video- and audio recordings, and on the basis of these the behaviour of the person concerned can be deemed personal data, too, which is recorded by the camera.

(2) The legal basis for this data processing is the enforcement of the legitimate interests of the employer and the consent of the data subject.  

(3) As to the fact of the use of an electronic monitoring system in the given area a clear sign as information should be installed on a well visible place in a well eligible manner in order to promote the orientation of third parties who wish to appear in the area. The information sign should be rendered for each camera. This information comprises also information on the fact of the monitoring pursued by the electronic security system, as well as on the purpose of the recording and storing of the video- and audio recordings recorded by the system including personal data, on the legal basis of the data processing, the location of the storing of the recordings, the duration of storing, the identity of the user (operator) of the system, the range of persons authorized to know the data, and on the provisions about the rights of the data subjects and the order of the enforcement thereof.

(4) Any video- and audio recordings about the third parties entering the monitored area (customers, visitors, guests) may be made and processed only subject to their consent. This consent can be rendered also by implied conduct. The implied conduct includes in particular if the natural person staying there enters the monitored area in spite of the information sign describing the use of the electronic monitoring system placed there.  

(5) The records made can be kept not longer than 3 (three) working days if they are not used any more. The term use is defined so that the video-, audio, or video- and audio recordings as well as any other personal data are intended for use as evidence at a judicial or other official proceedings.

(6)  Those whose right or legitimate interest is affected by the recording of the video-, audio-, or video- and audio data may request within three working days of the recording of the video-, audio-, or video- and audio data, that these data be not destructed or erased by the controller thereof.

(7) It is not allowed to install any electronic monitoring system in premises, where the monitoring may infringe the human dignity, in particular in dressing rooms, shower rooms, water closets or for instance in medical rooms, and in the waiting room connected thereto, as well as in premises which serve as a room for relaxation for the employees at work.

(8) If nobody is allowed to stay lawfully in the area of the working place – in particular beyond working hours and on bank holidays – then the full territory of the working place (such as the dressing rooms, water closets, premises serving for relaxation) can be monitored.

(9) The data recorded by the electronic monitoring system may be viewed in addition to those authorized thereto by law by the processing staff, the head of the employer and his/her deputy, as well as the head of the working place of the monitored area in order to detect any infringements and to control the operation of the system.

 

CHAPTER IV

DATA PROCESSING RELATED TO CONTRACT

 

  1. Processing of the data of contracting partners – records of buyers, suppliers

(1) For the purpose of the execution, fulfilment, termination of a contract or rendering of any contractual discount the Company – on the basis of the fulfilment of the contract – processes the data of natural persons entering into contract with it as buyers or suppliers, including name, birth name, date of birth, mother’s name, address, tax ID, tax number, number of the sole trader’s licence and the certificate of licensed traditional small-scale producers, number of the identity card, address, registered office, site, phone number, email address, website, bank account number, buyer number (customer number, purchase order number), online ID (list of buyers, suppliers, list of regular customers). This data processing is deemed lawful even if the data processing is necessary to take actions upon request of the data subject prior to the conclusion of the contract. Recipients of the personal data are: employees responsible for the tasks of customer service at the Company, employees for bookkeeping and taxation, and data processors. Duration of the processing of personal data: 5 years as of the termination of the contract.                            

(2) The data subject must be informed prior to the commencement of the data processing that the data processing is based on the legal title “performance of contract”, this information can be rendered also in the contract.

(3) The data subject must be notified that his or her personal data have been forwarded to the controller.  

 

  1. Contact details of the natural person representatives of legal entity customers, buyers, suppliers

(1) Personal data eligible for processing: name, address, phone number, email address, online ID of the natural person.

(2) Purpose of the processing of personal data: performance of the contract concluded with the legal entity partner of the Company, business communication, its legal basis: consent of the data subject.

(3) Recipients of the personal data, and categories of recipients: employees responsible for the customer service for the Company.

(4) Duration of the storing of personal data: 5 years as of the termination of the business relationship, or the termination of the capacity of the data subject as representative.

  1. Data processing of the visitors of the website of the Company

(1)  Cookies are short data files placed by the visited homepage on the computer of the user. Cookies are intended to facilitate and to make more comfortable the given infocommunication, internet service. They have several types, but they can be classified in two large groups in general. The one is the temporary cookies which are placed on the data carrier of the user by the homepage only during a given operation (e.g. during the security identification of an internet banking), and the other is the permanent cookie (e.g. language setting of a homepage), which remains on the computer as long as it is erased by the user. By virtue of the directives of the European Commission cookies may be placed on the data carrier of the user only with the consent of the user [unless they are absolutely necessary for the use of the given service].

(2) For cookies not requiring the consent of the user information must be rendered when the homepage is visited for the first time. It is not necessary to display the full text of the information for cookies on the homepage, it is enough that the operators of the homepage give a brief summary of the essence of the information, by referring to the access details of the full information via a link.  

(3) For cookies requiring a consent the information can connect also to the first visit of the homepage if the data processing associated with the use of cookies begins already by the visiting of the site. If the use of the cookie is connected to the use of the function explicitly requested by the user, then the information can also be displayed in relation with the use of this function. It is not necessary in this case either to display the full text of the information for cookies on the homepage, it is enough to give a brief summary of the essence of the information, by referring to the access details of the full information via a link.

  1. Information on the use of cookies

 

(1)  As it is a usual internet practice, our Company also uses cookies on its website. The cookie is a small file containing a row of characters, which appears on the computer of the visitor, when he/she visits a given website. When he/she visits this website again, the website is able to recognize the browser of the visitor due to the cookies. The cookies can store settings of the user (e.g. selected language) and other information, as well. They collect among others information on the visitor and his/her data carrier, they will remember the individual settings of the visitor, they can be used for example when the online shopping baskets are used. In general the cookies facilitate the use of the website, they promote that the website be a real web adventure and efficient source of information for the users, furthermore they enable the operator of the website to control the operation of the site, to prevent any misuse and to provide the undisturbed services at a high level on the site.

(2) During the use of the website the homepage of our Company records and processes the following data about the visitor and the data carrier used by him/her for browsing:
• the IP address used by the visitor,
• the type of the browser,
• features of the operating system of the data carrier used for browsing (language set),
• time of the visit,
• the visited (sub)site, function or service.

(3) The acceptance and approval of the use of cookies are not obligatory. You can reset the settings of your browser in order that it refuses all cookies or report if the system is just sending a cookie. Although the majority of the browsers automatically accept cookies as default, but these can be changed in general in order that the automatic acceptance be prevented and the option of selection be offered at each time.

For the cookie settings of the most popular browsers, please see the links below:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/hu-hu/HT201265

Beyond all the above you should remember, however, that certain website functions or services may not function correctly without cookies.  

 

(4) The cookies used on the website themselves are not suitable for the identification of the person of the user.

(5)  Cookies used on the website of the Company:

  1. Session cookies absolutely needed in terms of technology

These cookies are necessary in order that visitors can browser on the website, use the functions thereof and the services accessible through the website smoothly and fully, including but not limited to the remembering the operations, which were carried out by the visitor on the given site during a given visit. The duration of the data processing of these cookies applies solely to the current visit of the visitor, and as soon as the operation is finished or the browser is closed, this type of the cookies is automatically erased from the computer.

Processed data range: AVChatUserId, JSESSIONID, portal_referer.

Legal basis for this data processing is article 13/A section (3) of the Act CVIII of 2001 about certain issues of electronic commercial services and the information social services (Hung. abbr.: Elkertv.)

Purpose of the data processing: to ensure the proper operation of the homepage.

 

  1. Cookies requiring a consent:

These enable the Company to remember the selections made by the user in relation with the homepage. Prior to the use and during the use of the service the visitor may prohibit this data processing at any time. These data cannot be connected with the identification data of the user and they cannot be disclosed to any third parties without the consent of the user.

 2.1. Cookies to promote the use:

Legal basis for the data processing is the consent of the visitor.

Purpose of the data processing: To increase the effectiveness of the service, to improve the user’s adventure, to make the use of the homepage more comfortable.

Duration of the data processing: 6 months.

2.2.  Cookies to provide performance:

For more details on Google Analytics cookies – see:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

For more details on Google AdWords cookies  – see:

https://support.google.com/adwords/answer/2407785?hl=hu

  1. Community directives / Data processing on the Facebook site of the Company

(1) The Company operates a Facebook site in order to make its products, services known and more popular.

(2) Questions published on the Facebook site of the Company are no official complaints. 

(3) Personal data published by visitors on the Facebook site of the Company are not processed by the Company.

(4) For visitors the Terms and Conditions for Data Protection and Service of Facebook are applicable.

(5) In case of the publication of any illegal or infringing contents the Company is authorized to exclude the data subject from the members without prior notice or it can delete his/her remarks.

(6) The Company is not liable for any data contents and remarks published by Facebook users, which are contrary to the law. The Company is not liable for any error, breakdown arising from the operation of the Facebook, or for any problem resulting from the alteration of the operation of the system.

CHAPTER V

DATA PROCESSING BASED ON LEGAL OBLIGATIONS

 

  1. Data processing to meet tax and accountancy responsibilities

(1) By title of the fulfilment of a legal obligation the Company processes the legally required data of natural persons coming into contact with it as buyers and suppliers, in order to meet its taxation and accountancy responsibilities defined by law (bookkeeping, taxation). The processed data include, in accordance with articles 169 and 202 of the Act CXXVII of 2017 about value added tax, in particular: tax number, name, address, taxation status; according to article 167 of the Act C. of 2000 about accountancy: name, address, description of the person or entity who or which ordered the business transaction, signature of the person making the remittance and the person confirming the execution of the order as well as of the controller subject to the entity; signature of the receiver on the documents of the inventory movements and the cash-flow, signature of the person paying in on the counter-receipts; according to the Act CXVII of 1995 about personal income tax (hereinafter: Szja.): number of the sole trader’s license, number of the certificate of the licensed traditional small-scale producer, tax ID.    

(2) Duration of the storing of personal data is 8 years of the termination of the legal relations serving as legal basis.

(3) Recipients of the personal data are: employees and data processors of the Company responsible for bookkeeping, payroll calculation and social security matters.

  1. Data processing of disbursers

(1) By virtue of the fulfilment of a legal obligation the Company processes the personal data provided for by tax laws of those data subjects – employees, their family members, workers, persons receiving other benefits – with whom it has relations as disbursers (Act 2017:CL about the order of taxation (hereinafter: Art.) article 7 section 31) in order to fulfil the legally defined obligations for the payment of taxes and contributions (assessment of taxes, tax advance payments, contributions, payroll calculation, social security and pension administration). The range of the processed data is defined in article 50 of Art, in particular: the data for natural identification of natural persons (including the former name and title), gender, nationality, tax ID of the natural person, his/her social security number. If this is combined with legal consequences by the laws, the Company may process the data of the employees concerning health care (§ 40 Szja.) and the membership of a trade union (§ 47 section (2)b/ Szja.) in order to fulfil the obligations of the payment of taxes and contributions (payroll calculation, social security administration).

(2) Duration of the storing of personal data is 8 years of the termination of the legal relations serving as legal basis.

(3) Recipients of the personal data are: employees and data processors of the Company responsible for taxation, payroll calculation, social security matters (disbursement).

CHAPTER VI

OVERVIEW OF THE RIGHTS OF THE DATA SUBJECT

In this chapter we give a brief overview of the rights of the data subject for the purpose of transparency, the detailed information on the exercise of which is described in the next chapter.

Right to have prior information

The data subject is authorized to receive information on the facts and information related to the data processing prior to the commencement of the data processing.

(Articles 13 and 14 of the Regulation)

For more information on the detailed rules see next chapter.

Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the related information defined in the Regulation.

(Article 15 of the Regulation).

For more information on the detailed rules see next chapter.

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.  

(Article 16 of the Regulation).

 

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds defined in the Regulation applies.

(Article 17 of the Regulation)

For more information on the detailed rules see next chapter.

Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where the conditions defined in the Regulation apply.

(Article 18 of the Regulation)

For more information on the detailed rules see next chapter.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

(Article 19 of the Regulation)

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

(Article 20 of the Regulation)

For more information on the detailed rules see next chapter.

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point e) (the data processing is of public interest or it is necessary to carry out a task in the framework of the exercise of a licence of public power delegated to the controller) or f) (the processing is required to enforce the legitimate interests of the controller or a third party) of Article 6(1) of the Regulation.

(Article 21 of the Regulation)

For more information on the detailed rules see next chapter.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(Article 22 of the Regulation)

For more information on the detailed rules see next chapter.

 

Restrictions

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22.

(Article 23 of the Regulation)

For more information on the detailed rules see next chapter.

 

Communication of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

(Article 34 of the Regulation)

For more information on the detailed rules see next chapter.

Right to lodge a complaint with a supervisory authority (right to official remedy)

 

The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

(Article 77 of the Regulation)

For more information on the detailed rules see next chapter.

 

Right to an effective judicial remedy against a supervisory authority

 

Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or where the supervisory does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

(Article 78 of the Regulation)

For more information on the detailed rules see next chapter.

 

Right to an effective judicial remedy against a controller or processor

 

Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

(Article 79 of the Regulation)

For more information on the detailed rules see next chapter.

CHAPTER VII

DETAILED INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

Right to have prior information

The data subject is authorized to receive information on the facts and information related to the data processing prior to the commencement of the data processing.

  1. A) Information to be provided where personal data are collected from the data subject
  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
  2. a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  3. b) the contact details of the data protection officer, where applicable;
  4. c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  5. d) where the processing is based on point (f) of Article 6(1) of the Regulation (enforcement of legitimate interest), the legitimate interests pursued by the controller or by a third party;
  6. e) the recipients or categories of recipients of the personal data, if any;
  7. f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1) of the Regulation, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
  1. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
  2. a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  3. b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  4. c) where the processing is based on point (a) of Article 6(1) (consent of the data subject) or point (a) of Article 9(2) (consent of the data subject) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  5. d) the right to lodge a complaint with a supervisory authority;
  6. e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  7. f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  1. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  1. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

(Article 13 of the Regulation)

  1. B) Information to be provided where personal data have not been obtained from the data subject

 

  1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
  2. a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  3. b) the contact details of the data protection officer, where applicable;
  4. c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  5. d) the categories of personal data concerned;
  6. e) the recipients or categories of recipients of the personal data, if any;
  7. f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1) of the Regulation, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
  1. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
  2. a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  3. b) where the processing is based on point (f) of Article 6(1) of the Regulation (legitimate interest), the legitimate interests pursued by the controller or by a third party;
  4. c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  5. d) where processing is based on point (a) of Article 6(1) (consent of the data subject) or point (a) of Article 9(2) (consent of the data subject) of the Regulation, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  6. e) the right to lodge a complaint with a supervisory authority;
  7. f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  8. g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  1. The controller shall provide the information referred to in paragraphs 1 and 2:
  2. a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  3. c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
  1. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  1. Paragraphs 1 to 4 shall not apply where and insofar as:
  2. a) the data subject already has the information;
  3. b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the Regulation or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
  4. c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  5. d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

(Article 14 of the Regulation)

 

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
  2. a) the purposes of the processing;
  3. b) the categories of personal data concerned;
  4. c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  5. d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  6. e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  7. f) the right to lodge a complaint with a supervisory authority;
  8. g) where the personal data are not collected from the data subject, any available information as to their source;
  9. h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  1. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of the Regulation relating to the transfer.
  1. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

(Article 15 of the Regulation)

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
  2. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  3. b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the Regulation, and where there is no other legal ground for the processing;
  4. c) the data subject objects to the processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  5. d) the personal data have been unlawfully processed;
  6. e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  7. f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the Regulation.
  1. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  1. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
  2. a) for exercising the right of freedom of expression and information;
  3. b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  4. c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the Regulation;
  5. d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  6. e) for the establishment, exercise or defence of legal claims.

(Article 17 of the Regulation)

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
  2. a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  3. b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  4. c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  5. d) the data subject has objected to processing pursuant to Article 21(1) of the Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject.
  1. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  1. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

(Article 18 of the Regulation)

 

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  2. a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of the Regulation or on a contract pursuant to point (b) of Article 6(1); and
  3. b) the processing is carried out by automated means.
  1. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  1. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17 of the Regulation. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  1. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

(Article 20 of the Regulation)

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point e) (the data processing is of public interest or it is necessary to carry out a task in the framework of the exercise of a licence of public power delegated to the controller) or f) (the processing is required to enforce the legitimate interests of the controller or a third party) of Article 6(1) of the Regulation, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  1. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  1. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  1. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  1. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the Regulation, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

(Article 21 of the Regulation)

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  1. Paragraph 1 shall not apply if the decision:
  2. a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  3. b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  4. c) is based on the data subject’s explicit consent.
  1. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  1. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1) of the Regulation, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

(Article 22 of the Regulation)

Restrictions

 

  1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 of the Regulation in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
  2. a) national security;
  3. b) defence;
  4. c) public security
  5. d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  6. e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
  7. f) the protection of judicial independence and judicial proceedings;
  8. g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  9. h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
  10. i) the protection of the data subject or the rights and freedoms of others;
  11. j) the enforcement of civil law claims.
  1. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
  2. a) the purposes of the processing or categories of processing;
  3. b) the categories of personal data;
  4. c) the scope of the restrictions introduced;
  5. d) the safeguards to prevent abuse or unlawful access or transfer;
  6. e) the specification of the controller or categories of controllers;
  7. f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
  8. g) the risks to the rights and freedoms of data subjects; and
  9. h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

(Article 23 of the Regulation)

Communication of a personal data breach to the data subject

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  1. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the Regulation.
  1. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
  2. a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  3. b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  4. c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  1. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

(Article 34 of the Regulation)

Right to lodge a complaint with a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
  1. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the Regulation.

(Article 77 of the Regulation)

 

Right to an effective judicial remedy against a supervisory authority

 

  1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
  1. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 of the Regulation does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
  1. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
  1. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

(Article 78 of the Regulation)

 

Right to an effective judicial remedy against a controller or processor

  1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
  1. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

(Article 79 of the Regulation)

 

CHAPTER VIII

LODGING OF THE REQUEST OF THE DATA SUBJECT,

ACTIONS OF THE CONTROLLER

  1. The controller notifies the data subject without undue delay, but in any cases within one month of the receipt of the request, on the actions taken upon his or her request for the exercising of his or her rights.
  1. By taking account of the complexity of the request and the number of the requests this deadline can be extended by additional two months, if appropriate. The controller informs the data subject on the extension of the deadline within one month of the receipt of the request by indicating the reasons for the delay.
  1. If the data subject has lodged the request electronically, the information must be given as far as possible electronically, unless it is requested by the data subject otherwise.
  1. If the controller fails to take any action upon the request of the data subject, the controller informs the data subject without delay but not later than within one month of the receipt of the request about the reasons for the failure of the action as well as about the fact that the data subject may lodge a complaint to a supervisory authority and he or she may use his/her judicial remedies.
  1. The information defined in articles 13 and 14 of the Regulation and the information on the rights of the data subject (articles 15-22 and 34 of the Regulation) and the relevant actions are rendered by the controller free of charge. Where the request of the data subject is clearly without any grounds or – in particular due to its repeated nature – exaggerated, the controller has the option – subject to the administrative expenses connected to the rendering of the information requested or to the action requested – :
  2. a) to charge an amount of 6,350.- HUF, or
  3. b) to deny the action to be taken upon the request.

It is the responsibility of the controller to prove whether the request has a clearly unjustified or exaggerated nature.

  1. If the controller has well-grounded doubts as to the identity of the natural person lodging the request, he may ask for additional information to confirm the identity of the data subject.

MERICO Components Zrt.

Győrújbarát, 23 May 2018