Introduction
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter "the Regulation") requires that the controller takes appropriate measures to provide the data subject with all information relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, and to facilitate the exercise of the data subject's rights.
The obligation to inform the data subject in advance is also provided for in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
The following information is provided to comply with this legal obligation.
The information must be published on the company's website or sent to the person concerned on request.
Chapter I
Name of the controller
The publisher of this information is also the Data Controller:
Company name: Ramasoft Data Services and Information Technology Ltd.
Head office: 1074 Budapest, Dohány u. 12-14.
Company registration number: 01-10-045266
Tax number: 13531096-2-42
Representative: Dr. Márton Radnai, CEO
Phone number: +361-269-3209
Fax: -
E-mail address: [email protected]
Website: www.ramasoft.hu
(hereinafter referred to as "the Company")
Chapter II
Name of data processors
Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller (Article 4(8) of the Regulation).
The use of a processor does not require the prior consent of the data subject, but the data subject must be informed. Accordingly, the following information is provided:
1. Our company's accounting, payroll and labour service provider
To meet its tax and accounting obligations, our Company uses an external service provider under an accounting service contract, which also processes the personal data of natural persons who have a contractual or paying relationship with our Company, for the purpose of fulfilling the tax and accounting obligations of our Company.
This data processor is called:
Company name: Struktúra Coop Zrt.
Headquarters: 1119 Budapest, Fehérvári út 85. building C. 4. floor
Company registration number: 01-10-047564
Tax number: 24148397-2-43
Chapter III
Employment-related data processing
1. Labour and personnel records
(1) Only such data and medical examinations of the fitness for employment as are necessary for the establishment, maintenance and termination of the employment relationship and for the provision of social welfare benefits and which do not infringe the employee's individual rights may be requested from employees and kept.
(2) The Company shall process the following data of the employee for the purposes of the establishment, performance or termination of the employment relationship, on the basis of the legitimate interests of the employer (Article 6(1)(f) of the Regulation):
1. name,
2. name at birth,
3. date of birth,
4. mother's name,
5. address,
6. nationality,
7. tax identification number,
8. social security number,
9. pensioner's permanent number (in the case of a retired worker),
10. telephone number,
11. e-mail address,
12. identity card number,
13. number of the official certificate of residence,
14. bank account number,
15. online ID (if available),
16. start and end date of employment,
17. job,
18. a copy of a document certifying education and vocational training,
19. photo,
20. CV,
21. the amount of salary, data on wages and other benefits,
22. the amount of the debt to be deducted from the employee's wages on the basis of a final decision or a legal provision or written consent, and the right to deduct it,
23. the evaluation of the employee's work,
24. the manner and reasons for termination of employment,
25. depending on the job, a certificate of good character,
26. a summary of the occupational aptitude tests,
27. in the case of membership of private pension funds and voluntary mutual insurance funds, the name of the fund, its identification number and the employee's membership number,
28. in the case of foreign workers, passport number; name and number of the document certifying entitlement to work,
29. data recorded in the records of accidents to workers;
30. data necessary for the use of welfare services, commercial accommodation;
31. data recorded by the Company's cameras, access control systems and location systems used for security and asset protection purposes.
(3) The employer shall process data relating to sickness and trade union membership only for the purpose of fulfilling a right or obligation under the Labour Code.
(4) The recipients of personal data are: the head of the employer, the person exercising the employer's authority, the employees of the Company performing labour-related tasks and data processors.
(5) Only personal data of employees in managerial positions may be transferred to the owners of the Company.
(6) Duration of storage of personal data: 3 years after termination of employment.
(7) The data subject shall be informed before the processing starts that the processing is based on the Labour Code and the legitimate interests of the employer.
2. Processing of data related to aptitude tests
(1) An employee may only be subjected to an aptitude test which is required by a rule governing the employment relationship or which is necessary for the exercise of a right or the performance of an obligation specified in a rule governing the employment relationship. Prior to the examination, employees shall be informed in detail, inter alia, of the skills and abilities to be assessed and the means and methods of the examination.
If the legislation requires the test to be carried out, workers should be informed of the title of the legislation and the exact place where it is located.
(2) Employers may have employees fill in test forms for fitness and readiness for work both before the employment relationship is established and during the employment relationship.
(3) In order to improve the efficiency of work processes and the organisation of work, a test form suitable for psychological or personality traits research may be completed by a large group of employees only if the data revealed during the analysis cannot be linked to individual employees, i.e. the data are processed anonymously.
(4) The scope of personal data that may be processed: the fact of suitability for the job and the conditions required for this.
(5) Legal basis for processing: legitimate interest of the employer.
(6) The purpose of the processing of personal data is: the establishment and maintenance of an employment relationship, the filling of a position.
(7) Recipients or categories of recipients of personal data: the results of the examination may be disclosed to the employees examined or to the person conducting the examination. The employer may only receive information on whether or not the person examined is fit for the job and on the conditions for the job. However, the employer cannot know the details of the examination or its full documentation.
(8) Duration of the processing of personal data: 3 years after the termination of the employment relationship.
3. Processing of data on applicants, applications, CVs
(1) The personal data that may be processed are: the name, date and place of birth, mother's name, address, qualifications, photograph, telephone number, e-mail address of the natural person, employer's record of the applicant (if any).
(2) The purpose of the processing of personal data is: application, evaluation of the application, conclusion of an employment contract with the selected person. The data subject shall be informed if the employer did not choose him/her for the job.
(3) Legal basis for processing: consent of the data subject.
(4) Recipients or categories of recipients of personal data: managers and employees performing labour-related tasks who are entitled to exercise employer rights at the Company.
(5) Duration of storage of personal data: until the application or tender is assessed.
The personal data of candidates who are not selected will be deleted. The data of candidates who withdraw their application or candidature must also be deleted.
(6) The employer may retain applications only on the basis of the express, unambiguous and voluntary consent of the data subject, provided that the retention is necessary for the purposes of the processing in accordance with the law. Such consent shall be requested from candidates after the recruitment procedure has been completed.
4. Data processing related to the control of the use of your e-mail account
(1) If the Company makes an e-mail account available to the employee, the employee may use this e-mail address and account solely for the purpose of his/her job duties, in order to keep in touch with each other or to correspond with clients, other persons or organisations on behalf of the employer.
(2) The employee may not use the e-mail account for personal purposes and may not store personal mail in the account.
(3) The employer has the right to check the entire content and use of the e-mail account on a regular basis - every 3 months - and the legal basis for data processing is the legitimate interest of the employer. The purpose of the monitoring is to check compliance with the employer's provisions on the use of the e-mail account and to check the employee's obligations (§ 8, § 52 of the Labour Code).
(4) The head of the employer or the person exercising the employer's rights shall be entitled to carry out the inspection.
(5) Where the circumstances of the inspection do not preclude this, it must be ensured that the worker is present during the inspection.
(6) Prior to the check, the employee must be informed about the employer's interest in the check, who on the employer's side may carry out the check, the rules according to which the check may be carried out (compliance with the principle of gradual approach) and the procedure to be followed, and the employee's rights and remedies in relation to the processing of data in connection with the check of the e-mail account.
(7) The principle of gradualness should be applied in the verification, so that the address and subject of the e-mail should be the primary basis for determining that it is related to the employee's job duties and not personal. The content of non-personal e-mails may be examined by the employer without restriction.
(8) If, contrary to the provisions of this policy, it can be established that the employee has used the e-mail account for personal purposes, the employee shall be requested to delete the personal data without delay. In case of absence or non-cooperation of the employee, the personal data will be deleted by the employer upon verification. If the e-mail account is used in violation of this policy, the employer may apply legal sanctions against the employee under labour law.
(9) The employee may exercise the rights set out in the chapter of this Code on data subjects' rights in relation to the processing of data involving the monitoring of an e-mail account.
5. Data processing related to the control of computers, laptops and tablets
(1) The computer, laptop or tablet provided by the Company to the employee for work purposes may be used by the employee only for the performance of his/her job duties. The Company prohibits the private use of such devices, and the employee may not manage or store any personal data or correspondence on such devices. The employer may monitor the data stored on these devices. The employer's control of these devices and the legal consequences thereof shall be governed by the provisions of point 1.4 above.
6. Data processing related to the monitoring of Internet use at work
(1) Employees may only access websites related to their job duties, and the employer shall prohibit the use of the Internet for personal purposes at the workplace.
(2) The Company shall be the holder of the Internet registrations carried out on behalf of the Company as a job-related task, and the Company's ID and password shall be used during the registration. If the provision of personal data is also required for the registration, the Company shall be obliged to initiate the deletion of such data upon termination of the employment relationship.
(3) The employer may monitor the employee's use of the Internet at the workplace; this monitoring and the legal consequences thereof shall be governed by the provisions of section 1.4.
7. Data processing related to the control of the use of company mobile phones
(1) The employer shall not permit the private use of a company mobile phone. The mobile phone shall be used only for work-related purposes, and the employer may monitor the caller identification and data of all outgoing calls and the data stored on the mobile phone.
(2) The employee shall notify the employer if he/she uses the company mobile phone for private purposes. In this case, the control may be carried out by the employer requesting a call detail from the telephone service provider and asking the employee to make the numbers called unrecognisable on the document in the case of private calls. The employer may require the employee to bear the cost of private calls.
(3) Otherwise, the provisions of section 1.4 shall apply to the control and its consequences.
Chapter IV
Contract-related data processing
1. Contractor data management - register of customers, suppliers
(1) For the purpose of the conclusion, performance or termination of a contract, or the granting of a contractual discount, the Company shall process the following data of the natural person contracted with it as a buyer or supplier: name, name at birth, date of birth, mother's name, address, tax identification number, tax number, entrepreneur's or farmer's identity card number, personal identity card number, address of the registered office, address of the establishment, telephone number, e-mail address, website address, bank account number, customer number (customer number, order number), online identifier (list of customers, suppliers, frequent buyer lists). This processing is also considered lawful if the processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract. Recipients of personal data: employees of the Company performing customer service tasks, employees performing accounting and tax tasks, and data processors. Duration of processing of personal data: 5 years after the termination of the contract.
(2) The data subject shall be informed before the processing starts that the processing is based on the legal basis of the performance of the contract; this information may also be provided in the contract.
(3) The data subject shall be informed of the transfer of his or her personal data to a processor.
2. Contact details of natural person representatives of legal person customers, buyers, suppliers
(1) The scope of personal data that may be processed: the name, address, telephone number, e-mail address, online identifier of the natural person.
(2) Purpose of the processing of personal data: performance of a contract with a legal entity partner of the Company, business relations; legal basis: consent of the data subject.
(3) Recipients or categories of recipients of personal data: employees of the Company performing customer service tasks.
(4) Duration of the storage of personal data: 5 years after the business relationship or the data subject's capacity as a representative has been established.
3. Community Policy / Data Management on the Company's Facebook page
(1) The Company maintains a Facebook page for the purpose of publicizing and promoting its products and services.
(2) A question asked on the Company's Facebook page does not constitute a formal complaint.
(3) The Company does not process personal data posted by visitors to the Company's Facebook page.
(4) Visitors are subject to the Facebook Privacy and Terms of Service.
(5) In the case of publication of illegal or offensive content, the Company may exclude the person concerned from membership without prior notice or delete his/her post.
(6) The Company is not responsible for any content or comments posted by Facebook users that violate the law. The Company shall not be liable for any errors, malfunctions or problems arising from the operation of Facebook or from changes in the operation of the system.
4. Processing for direct marketing purposes
(1) Unless otherwise provided by a separate Act, advertising may be communicated to a natural person as the recipient of the advertising by direct solicitation, in particular by electronic mail or other equivalent means of individual communication, with the exception of the provisions of Act XLVIII of 2008, only if the recipient of the advertising has given his or her prior, clear and express consent.
(2) The scope of personal data that the Company may process for the purpose of advertising mailing enquiries: the name, address, telephone number, e-mail address, online identifier of the natural person.
(3) The purpose of the processing of personal data is to carry out direct marketing activities related to the Company's activities, i.e. sending advertising publications, newsletters, current offers in printed (postal) or electronic form (e-mail) on a regular or periodic basis to the contact details provided at the time of registration.
(4) Legal basis for processing: consent of the data subject.
(5) Recipients or categories of recipients of personal data: employees of the Company performing customer service tasks, employees of the Company's IT service provider performing server services as data processors, employees of the Postal Service in case of postal delivery.
(6) Duration of storage of personal data: until consent is withdrawn.
Chapter V
Data processing based on legal obligations
1. Processing of data for tax and accounting obligations
(1) The Company shall process the data of natural persons doing business with the Company as customers and suppliers as defined by law for the purpose of fulfilling its legal obligations, tax and accounting obligations (accounting, taxation). §-of the Act of 2000 on Accounting: name, address, designation of the person or organisation ordering the transaction, signature of the person ordering the transaction and the person certifying the execution of the order, and, depending on the organisation, the signature of the controller; on the stock movement vouchers and cash management vouchers, the signature of the recipient, and on the counterfoils, the signature of the payer, and, pursuant to Act CXVII of 1995 on Personal Income Tax: entrepreneur's identity card number, farmer's identity card number, tax identification number.
(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll and social security functions.
2. Payer data processing
(1) In order to fulfil its tax and contribution obligations prescribed by law (assessment of tax, tax advances, contributions, payroll, social security and pension administration), the Company processes the personal data of the data subjects - employees, their family members, employees, recipients of other benefits - with whom it has a relationship as a payer (Act 2017:CL on the Rules of Taxation (Art.), § 7.31.). The scope of the data processed is defined in Article 50 of the Art., specifically highlighting the following: the natural person's natural person identification data (including previous name and title), gender, nationality, tax identification number, social security number. If the tax laws impose a legal consequence, the Company may process data relating to employees' membership of health (Section 40 of the Social Security Act) and trade unions (Section 47(2) b) of the Social Security Act) for the purposes of meeting tax and contribution obligations (payroll accounting, social security administration).
(2) The period of storage of personal data shall be 8 years after the termination of the legal relationship giving rise to the legal basis.
(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll, social security (payroll) functions.
3. Processing of documents of permanent value under the Archives Act
(1) The Company shall, in the performance of its legal obligation, manage its documents of permanent value pursuant to Act LXVI of 1995 on public records, public archives and the protection of private archival material (Archives Act), in order to ensure that the permanent part of the Company's archival material is preserved intact and in a usable condition for future generations. Duration of storage: until the transfer to the public archives.
(2) The recipients of personal data and other aspects of data management are governed by the Archives Act.
Chapter VI
Summary information on the rights of the data subject
In this section, for the sake of clarity and transparency, we briefly summarise the rights of the data subject; the detailed rules for exercising them are set out in the next chapter.
Right to prior information
The data subject has the right to be informed of the facts and information relating to the processing before the processing starts (Articles 13-14 of the Regulation).
Detailed rules are explained in the next chapter.
Right of access of the data subject
The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is in progress, has the right of access to the personal data and related information specified in the Regulation (Article 15 of the Regulation).
Detailed rules are explained in the next chapter.
The right to rectification
The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration (Article 16 of the Regulation).
Right to erasure ("right to be forgotten")
The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay upon his or her request and the controller shall be obliged to erase personal data relating to him or her without undue delay where one of the grounds specified in the Regulation applies (Article 17 of the Regulation).
Detailed rules are explained in the next chapter.
Right to restriction of processing
The data subject shall have the right to obtain, at his or her request, restriction of processing by the controller if the conditions laid down in the Regulation are fulfilled (Article 18 of the Regulation).
Detailed rules are explained in the next chapter.
Obligation to notify the rectification or erasure of personal data or restriction of processing
The Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients (Article 19 of the Regulation).
The right to data portability
Subject to the conditions set out in the Regulation, the data subject has the right to receive personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data (Article 20 of the Regulation).
Detailed rules are explained in the next chapter.
The right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation (Article 21 of the Regulation).
Detailed rules are explained in the next chapter.
Automated decision-making on individual cases, including profiling
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her (Article 22 of the Regulation).
Detailed rules are explained in the next chapter.
Restrictions
Union or Member State law applicable to the controller or processor may restrict, by legislative measures, the scope of the rights and obligations set out in Articles 12 to 22 and Article 34 (Article 23 of the Regulation).
Detailed rules are explained in the next chapter.
Informing the data subject about the personal data breach
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject of the personal data breach without undue delay (Article 34 of the Regulation).
Detailed rules are explained in the next chapter.
The right to lodge a complaint with a supervisory authority (right to official redress)
The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation (Article 77 of the Regulation).
Detailed rules are explained in the next chapter.
Right to an effective judicial remedy against the supervisory authority
All natural and legal persons have the right to an effective judicial remedy against a legally binding decision of a supervisory authority which is addressed to them, or if the supervisory authority does not deal with the complaint or does not inform the person concerned of the procedural developments or the outcome of the complaint within three months (Article 78 of the Regulation).
Detailed rules are explained in the next chapter.
The right to an effective judicial remedy against the controller or processor
Any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.
Detailed rules are explained in the next chapter.
Chapter VII
Detailed information on the rights of the data subject
Right to prior information
The data subject shall have the right to be informed of the facts and information relating to the processing before the processing starts.
A) Information to be provided where personal data are collected from the data subject
1. When personal data relating to the data subject are collected from the data subject, the controller shall provide the data subject with all of the following information at the time the personal data are obtained:
(a) the identity and contact details of the controller and, where applicable, the controller's representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purposes for which the personal data are intended to be processed and the legal basis for the processing;
(d) in the case of processing based on Article 6(1)(f) of the Regulation (legitimate interests), the legitimate interests of the controller or a third party;
(e) where applicable, the recipients of the personal data or categories of recipients, if any;
(f) where applicable, the fact that the controller intends to transfer the personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and adequate safeguards and a reference to the means of obtaining a copy or the availability of copies.
2. In addition to the information referred to in point 1, the controller shall, at the time of obtaining the personal data, in order to ensure fair and transparent processing, provide the data subject with the following additional information:
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
(b) the data subject's right to request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject's right to data portability;
(c) in the case of processing based on Article 6(1)(a) (consent of the data subject) or Article 9(2)(a) (consent of the data subject) of the Regulation, the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of the personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract, whether the data subject is under an obligation to provide the personal data and the possible consequences of not providing the data;
(f) the fact of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, clear information on the logic used and the significance of such processing and its likely consequences for the data subject.
3. Where the controller intends to further process personal data for a purpose other than that for which they were collected, the controller shall inform the data subject of that other purpose and of any relevant additional information referred to in paragraph 2 prior to further processing.
4. Points 1 to 3 do not apply if and to the extent that the data subject already possesses the information (Article 13 of the Regulation).
B) Information to be provided where the personal data have not been obtained from the data subject
1. Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and contact details of the controller and, where applicable, the controller's representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purposes for which the personal data are intended to be processed and the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients of the personal data or categories of recipients, if any;
(f) where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1) of the Regulation, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy or their availability.
2. In addition to the information referred to in point 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing for the data subject:
(a) the duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
(b) where the processing is based on Article 6(1)(f) (legitimate interest) of the Regulation, the legitimate interests of the controller or a third party;
(c) the right of the data subject to request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her and to object to the processing of personal data and the right to data portability;
(d) in the case of processing based on Article 6(1)(a) (consent of the data subject) or Article 9(2)(a) (consent of the data subject) of the Regulation, the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) the source of the personal data and, where applicable, whether the data originate from publicly available sources; and
(g) the fact of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
3. The controller shall provide the information referred to in points 1 and 2 as follows:
(a) within a reasonable period, having regard to the specific circumstances in which the personal data are processed, and in any event no later than one month from the date on which the personal data were obtained;
(b) where the personal data are used for the purpose of contacting the data subject, at least at the time of the first contact with the data subject; or
(c) if the data are likely to be disclosed to another addressee, at the latest when the personal data are disclosed for the first time.
4. If the controller intends to further process personal data for a purpose other than that for which they were obtained, the controller shall inform the data subject of that other purpose and of any relevant additional information referred to in point 2 prior to further processing.
5. Points 1 to 5 do not apply if and to the extent that:
(a) the data subject already has the information;
(b) the provision of the information in question proves impossible or would involve a disproportionate effort, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, taking into account the conditions and guarantees provided for in Article 89(1) of the Regulation, or where the obligation referred to in paragraph 1 of this Article would be likely to render impossible or seriously impair the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures, including making the information publicly available, to protect the rights, freedoms and legitimate interests of the data subject;
(c) the acquisition or disclosure of the data is expressly required by Union or Member State law applicable to the controller, which provides for appropriate measures to protect the data subject's legitimate interests; or
(d) the personal data must remain confidential under an obligation of professional secrecy imposed by Union or Member State law, including a legal obligation of secrecy.
Right of access of the data subject
1.
processing is ongoing, you have the right to access your personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
(d) where applicable, the envisaged duration of the storage of the personal data or, if this is not possible, the criteria for determining that duration;
(e) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data concerning him or her, and to object to the processing of such personal data;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the data have not been collected from the data subject, any available information on their source;
(h) the fact of automated decision-making, including profiling, as referred to in Article 22(1) and (4) of the Regulation and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.
3. The Data Controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to obtain a copy must not adversely affect the rights and freedoms of others (Article 15 of the Regulation).
Right to erasure ("right to be forgotten")
1. The data subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Controller shall be obliged to erase personal data relating to the data subject without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) of the Regulation, and there is no other legal basis for the processing;
(c) the data subject objects to the processing on the basis of Article 21(1) of the Regulation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing on the basis of Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1) of the Regulation.
2. If the Controller has disclosed the personal data and is obliged to erase it pursuant to point 1 above, it shall, taking into account the available technology and the costs of implementation, take reasonable steps, including technical measures, to inform the Data Controllers that process the data that the data subject has requested the deletion of the links to or copies of the personal data in question.
3. Points 1 and 2 shall not apply where the processing is necessary:
(a) for the exercise of the right to freedom of expression and information;
(b) to comply with an obligation under Union or Member State law that requires the controller to process personal data, or for reasons of public interest, or for the performance of a task carried out in the exercise of official authority vested in the controller;
(c) in accordance with Article 9(2)(h) and (i) and Article 9(3) of the Regulation, on grounds of public interest in the field of public health;
(d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, where the right referred to in point 1 would be likely to render such processing impossible or seriously impair it; or
(e) for the presentation, exercise or defence of legal claims (Article 17 of the Regulation).
Right to restriction of processing
1. The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
2. Where processing is restricted pursuant to point 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
3. The Data Controller shall inform the data subject at whose request the processing has been restricted pursuant to point 1 in advance of the lifting of the restriction (Article 18 of the Regulation).
The right to data portability
1.
in a readable format, and has the right to transfer these data to another Data Controller without being prevented from doing so by the controller to whom you have provided the personal data, if:
(a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a) of the Regulation or on a contract within the meaning of Article 6(1)(b); and
(b) the processing is carried out by automated means.
2. In exercising the right to data portability under point 1, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between Data Controllers.
3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. This right shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others. (Article 20 of the Regulation)
The right to object
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) (processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party) of the Regulation, including profiling based on those provisions. In such a case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.
3. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.
4. The right referred to in points 1 and 2 must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject, and must be clearly displayed separately from all other information.
5. In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.
6. Where personal data are processed for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the Regulation, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21 of the Regulation).
Automated decision-making on individual cases, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Point 1 shall not apply if the decision:
(a) is necessary for the conclusion or performance of a contract between the data subject and the controller;
(b) is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) is based on the explicit consent of the data subject.
3. In the cases referred to in points 2(a) and (c), the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.
4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1) of the Regulation, unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject (Article 22 of the Regulation).
Restrictions
1. Union or Member State law applicable to a controller or processor may, by legislative measures, restrict the scope of the rights and obligations set out in Articles 12 to 22 and Article 34, and in Article 5 in so far as its provisions correspond to the rights and obligations set out in Articles 12 to 22, if the restriction respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society for the protection of:
(a) national security;
(b) defence;
(c) public safety;
(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security;
(e) other important objectives of general public interest of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) the independence of the judiciary and the protection of judicial proceedings;
(g) the prevention, investigation, detection and prosecution of ethical breaches in the case of regulated professions;
(h) in the cases referred to in points (a) to (e) and (g), even occasionally, control, inspection or regulatory activities connected with the exercise of official authority;
(i) the protection of the data subject or the rights and freedoms of others;
(j) the enforcement of civil claims.
2. The legislative measures referred to in point 1 shall contain, where appropriate, detailed provisions at least on:
(a) the purposes or categories of processing,
(b) the categories of personal data,
(c) the scope of the restrictions imposed,
(d) safeguards to prevent misuse or unauthorised access or disclosure,
(e) the identification of the Controller or the categories of Controllers,
(f) the duration of storage and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing,
(g) the risks to the rights and freedoms of data subjects; and
(h) the right of data subjects to be informed of the restriction, except where this might undermine the purpose of the restriction.
Informing the data subject about the personal data breach
1. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.
2. The information referred to in point 1 shall clearly and plainly describe the nature of the personal data breach and shall include at least the information and measures referred to in Article 33(3)(b), (c) and (d) of the Regulation.
3. The data subject need not be informed as referred to in point 1 if any of the following conditions are met:
(a) the Data Controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
(b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in point 1 is no longer likely to materialise;
(c) the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or by a similar measure ensuring that the data subject is informed in an equally effective manner.
4. If the controller has not yet notified the data subject of the personal data breach, the supervisory authority, after having considered whether the personal data breach is likely to involve a high risk, may order the person concerned to be informed or may determine that one of the conditions referred to in point 3 is met (Article 34 of the Regulation).
Right to lodge a complaint with a supervisory authority
1. Without prejudice to other administrative or judicial remedies, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
2. The supervisory authority with which the complaint has been lodged must inform the complainant of the procedural developments concerning the complaint and the outcome of the complaint, including the right of the complainant to seek judicial remedy under Article 78 of the Regulation (Article 77 of the Regulation).
Right to an effective judicial remedy against the supervisory authority
1. Without prejudice to any other administrative or non-judicial remedy, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.
2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the supervisory authority competent pursuant to Articles 55 or 56 of the Regulation does not deal with the complaint or does not inform the person concerned within three months of the procedural developments concerning the complaint lodged pursuant to Article 77 or of the outcome of the complaint.
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
4.
has issued an opinion or decision, the supervisory authority is obliged to send the opinion or decision to the court. (Article 78 of the Regulation)
The right to an effective judicial remedy against the controller or processor
1. Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority pursuant to Article 77 of the Regulation, any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.
2. Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority (Article 79 of the Regulation).
Chapter VIII
Submission of the data subject's request, action by the controller
1. The Controller shall inform the data subject of the measures taken in response to his or her request to exercise his or her rights without undue delay and in any event within one month of receipt of the request.
2. If necessary, taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline, stating the reasons for the delay, within one month of receipt of the request.
3. If the data subject has made the request by electronic means, the information shall be provided by electronic means, where possible, unless the data subject requests otherwise.
4. If the Controller does not act on the request of the data subject, it shall inform the data subject, without delay and at the latest within one month of receipt of the request, of the reasons for the failure to act and of the right to lodge a complaint with a supervisory authority and to seek judicial remedy.
5. The Controller shall provide the information pursuant to Articles 13 and 14 of the Regulation and the information on the rights of the data subject (Articles 15 to 22 and 34 of the Regulation) and take action free of charge. If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller shall, taking into account the administrative costs of providing the requested information or of taking the requested action:
(a) refuse to act on the request.
The burden of proving that the request is manifestly unfounded or excessive lies with the Data Controller.
6. If the Data Controller has reasonable doubts about the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the data subject.