Privacy and Data Processing Policy

for visitors and registered users of the bolytv.hu website


Application of the Data Protection and Data Management Policy

Name of organization:

Sághy-Sat Kft

Registered office:

7754 Bóly Ady Endre u. 9

Person responsible for policy content:

Sághy Ferenc

Effective date of the policy:

25.05.2018

This policy establishes rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The provisions of the policy shall be applied during specific data processing activities and when issuing instructions and notices regulating data management.

The obligation to appoint a Data Protection Officer applies to all public authorities or other bodies performing public tasks (regardless of the data processed), as well as other organizations whose core activities consist of systematic and large-scale monitoring of individuals or which process special categories of personal data in large quantities.

The organization employs a Data Protection Officer.

In the case of employing a Data Protection Officer:

Name:

Sághy Ferenc

Position:

Managing Director

Contact:

69-368-162

Scope of the Policy

This policy is valid until revoked; its scope extends to the organization's officers, employees, and the organization's Data Protection Officer.

Date: Bóly 23.05.2018

Purpose of the Policy

The purpose of this policy is to harmonize the provisions of other internal policies of the organization regarding data processing activities in order to protect the fundamental rights and freedoms of natural persons, and to ensure the proper handling of personal data.

The organization intends to fully comply with the legal requirements for the processing of personal data during its activities, particularly those contained in Regulation (EU) 2016/679 of the European Parliament and of the Council.

An important goal of issuing the policy is also that by becoming familiar with and complying with it, the organization's employees are able to carry out the processing of natural persons' data lawfully.

Significant Concepts, Definitions

the GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union

controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; if the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

third party: a natural or legal person, public authority, agency or any other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;

the data subject's consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future;

pseudonymization: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

filing system: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

Principles of Data Processing

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Personal data shall be collected for specified, explicit and legitimate purposes.

The purpose of processing personal data shall be adequate, relevant and limited to what is necessary.

Personal data shall be accurate and kept up to date. Inaccurate personal data shall be erased without delay.

Personal data shall be stored in a form that permits identification of data subjects for no longer than is necessary. Storage for longer periods is permitted only if it is for public interest archiving, scientific and historical research, or statistical purposes.

Processing of personal data shall be carried out in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The principles of data protection shall be applied to any information relating to an identified or identifiable natural person.

The employee of the organization carrying out data processing bears disciplinary, compensation, misdemeanor and criminal liability for the lawful handling of personal data. If the employee becomes aware that the personal data processed by them is incorrect, incomplete, or outdated, they are obliged to correct it or initiate its correction with the colleague responsible for recording the data.

Processing of Personal Data

Since natural persons can be associated with online identifiers provided by the devices, applications, tools and protocols they use, such as IP addresses and cookie identifiers, these data, combined with other information, are suitable and can be used to create profiles of natural persons and identify a given person.

Data processing may only take place if the person concerned gives their voluntary, specific, informed and unambiguous consent to the processing of the data by a clear affirmative action, such as a written - including electronic - or oral statement.

Ticking a box when viewing an internet website is also considered consent to data processing. Silence, a pre-ticked box or inaction does not constitute consent.

Consent is also deemed to be given if a user makes technical settings to this effect when using electronic services, or makes a statement or action that clearly indicates the data subject's consent to the processing of their personal data in the given context.

Personal health data include data relating to the health status of the data subject which carry information about the past, current or future physical or mental health status of the data subject. These include:

registration for health care services;

a number, symbol or data assigned to a natural person for the purpose of uniquely identifying them for health purposes;

information derived from the testing or examination of a body part or substance of the body, including genetic data and biological samples;

information regarding the disease, disability, risk of disease, medical history, clinical treatment or physiological or biomedical status of the data subject, regardless of its source, which may be, for example, a doctor or other health professional, a hospital, a medical device or a diagnostic test.

Genetic data shall be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person and which is the result of the analysis of a biological sample taken from the person concerned – in particular chromosome analysis, or the examination of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA), or the examination of any other element that allows information equivalent to that obtainable from these to be obtained.

The personal data of children deserve special protection, as they may be less aware of the risks, consequences and guarantees and rights associated with the processing of personal data. This special protection should primarily be applied to the use of children's personal data for marketing purposes or for the purpose of creating personal or user profiles.

Personal data must be handled in a manner that ensures an appropriate level of security and confidentiality, including for the purpose of preventing unauthorized access to or unauthorized use of personal data and the equipment used for processing personal data.

All reasonable steps must be taken to correct or delete inaccurate personal data.


Lawfulness of Processing

The processing of personal data is lawful if one of the following is fulfilled:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

the processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract;

the processing is necessary for the fulfillment of a legal obligation relating to the data controller;

the processing is necessary to protect the vital interests of the data subject or another natural person;

the processing is in the public interest or is necessary for the execution of a task performed within the framework of the exercise of public authority powers vested in the data controller;

the processing is necessary for the assertion of the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular if the data subject is a child.

In the sense of the above, data processing is considered lawful if it is necessary within the framework of a contract or an intention to conclude a contract.

If the data processing takes place within the framework of fulfilling a legal obligation relating to the controller, or if it is necessary for the execution of a public interest task or for the exercise of a public authority power, the data processing must have a legal basis contained in Union law or the law of a Member State.

Data processing must be considered lawful when it occurs in the protection of the data subject's life or the interests of other aforementioned natural persons. In principle, personal data processing based on the vital interests of another natural person may only take place if the data processing in question cannot be performed on any other legal basis.

Some types of personal data processing may serve both an important public interest and the vital interests of the data subject, for example in cases where data processing is necessary for humanitarian reasons, including if it is needed for tracking epidemics and their spread, or in humanitarian emergencies, particularly in cases of natural or man-made disasters.

The legitimate interest of the data controller – including the controller to whom the personal data may be communicated – or of a third party may provide a legal basis for the data processing. Such a legitimate interest may exist, for example, when a relevant and appropriate relationship exists between the data subject and the controller, such as cases where the data subject is a customer of the controller or is in their employment.

The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the affected controller. The processing of personal data for direct marketing purposes can also be considered based on a legitimate interest.

To establish the existence of a legitimate interest, it must be carefully examined, among other things, whether the data subject can reasonably expect at the time of and in connection with the collection of personal data that data processing may take place for that purpose. The interests and fundamental rights of the data subject may prevail over the controller's interest if the personal data are processed under circumstances in which the data subjects do not expect further data processing.

The processing of personal data to the extent strictly necessary and proportionate to guarantee network and IT security by public authorities, computer emergency response units, network security incident handling units, operators of electronic communications networks and providers of services, as well as security technology service providers, constitutes a legitimate interest of the affected controller.

The processing of personal data for purposes other than those for which they were originally collected is only permitted if the processing is compatible with the original purposes for which the personal data were originally collected. In this case, no separate legal basis is required other than the one that allowed the collection of the personal data.

The processing of personal data by authorities in order to achieve the goals set out in constitutional law or international public law of officially recognized religious organizations is considered to be based on public interest.


The data subject's consent, conditions

If the data processing is based on consent, the controller must be able to demonstrate that the data subject consented to the processing of their personal data.

If the data subject gives their consent in the context of a written declaration that also relates to other matters, the request for consent must be communicated in a way that is clearly distinguishable from these other matters.

The data subject is entitled to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to the withdrawal. Before giving consent, the data subject must be informed of this. It must be made possible to withdraw consent in the same simple way as it was given.

In determining whether consent is voluntary, the utmost consideration must be given, among other things, to whether the performance of the contract – including the provision of services – was made conditional on consent to the processing of personal data that are not necessary for the performance of the contract.

The processing of personal data carried out in relation to information society services offered directly to children is lawful if the child has reached the age of 16. In the case of a child who has not reached the age of 16, the processing of children's personal data is only lawful if and to the extent that consent was given or authorized by the person exercising parental responsibility over the child.

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic and biometric data for the purpose of uniquely identifying natural persons, health data and personal data relating to the sexual life or sexual orientation of natural persons is prohibited, except where the data subject has given explicit consent to the processing of said personal data for one or more specific purposes.

The processing of personal data relating to decisions regarding criminal liability and criminal offenses, as well as related security measures, may only take place if it is handled by a public authority.

Data Processing Not Requiring Identification

If the purposes for which the controller processes personal data do not or no longer require the identification of the data subject by the controller, the controller is not obliged to maintain additional information.

If the controller can prove that they are not in a position to identify the data subject, they shall inform the data subject accordingly in an appropriate manner if possible.

Informing the Data Subject, Rights

The principle of fair and transparent data processing requires that the data subject be informed of the fact and purposes of the data processing.

If personal data are collected from the data subject, the data subject must also be informed whether they are obliged to provide the personal data and what the consequences of failing to provide the data are. This information can also be supplemented with standardized icons in order to provide the data subject with general information about the planned data processing in a highly visible, easily understandable and clearly legible form.

Information relating to the processing of personal data regarding the data subject must be provided to the data subject at the time of data collection, or if the data were not collected from the data subject but from another source, it must be provided within a reasonable period, taking into account the circumstances of the case.

The data subject has the right to access the data collected about them and to exercise this right simply and at reasonable intervals in order to establish and verify the lawfulness of the data processing. Every data subject must be ensured the right to know in particular the purposes of the processing of personal data, and if possible, the duration for which the processing of personal data applies,

The data subject is entitled in particular to have their personal data deleted and no longer processed if the collection or other processing of personal data is no longer necessary in connection with the original purposes of the data processing, or if the data subjects have withdrawn their consent given for the processing of the data.

If the processing of personal data takes place for direct marketing purposes, the data subject must be provided with the right to object at any time, free of charge, to the processing of personal data regarding them for this purpose.

Review of Personal Data

In order to ensure that the storage of personal data is limited to the necessary duration, the controller establishes deletion or regular review deadlines.

The regular review deadline established by the leader of the organization: 1 year.

Tasks of the Controller

In order to ensure lawful data processing, the controller applies appropriate internal data protection rules. This regulation extends to the controller's competence and responsibility.

It is the duty of the controller to implement appropriate and effective measures, and to be able to demonstrate that the data processing activities comply with the current legal regulations.

This regulation must be established taking into account the nature, scope, circumstances and purposes of the data processing, as well as the risks to the rights and freedoms of natural persons.

The controller implements appropriate technical and organizational measures taking into account the nature, scope, circumstances and purposes of the data processing, as well as the varying probability and severity of risks to the rights and freedoms of natural persons. Based on this policy, they review other internal policies and update them if necessary.

The controller or processor maintains appropriate records of data processing activities performed based on their competence. Every controller and processor is obliged to cooperate with the supervisory authority and make these records accessible upon request in order to inspect the affected data processing operations.

Rights Related to Data Processing

The right to request information

Any person can request information through the provided contact details about what data the organization handles about them, on what legal basis, for what data processing purpose, from what source, and for how long. Upon their request, information must be sent to the provided contact details immediately, but no later than 30 days.

The right to rectification

Any person can request the modification of any of their data through the provided contact details. Measures must be taken regarding this immediately upon their request, but no later than 30 days, and information must be sent to the provided contact details.

The right to erasure

Any person can request the erasure of their data through the provided contact details. Upon their request, this must be done immediately, but no later than 30 days, and information must be sent to the provided contact details.

The right to blocking, restriction

Any person can request the blocking of their data through the provided contact details. Blocking lasts as long as the indicated reason makes it necessary to store the data. Upon request, this must be done immediately, but no later than 30 days, and information must be sent to the provided contact details.

The right to object

Any person can object to the data processing through the provided contact details. The objection must be examined within the shortest time from the submission of the request, but no later than 15 days, a decision must be made regarding its validity, and information about the decision must be sent to the provided contact details.

Enforcement opportunity related to data processing

National Authority for Data Protection and Freedom of Information

Mailing address: 1530 Budapest, Pf.: 5.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (kukac) naih.hu
URL: https://naih.hu
Coordinates: N 47°30'56''; E 18°59'57''

In the event of a violation of their rights, the data subject may turn to a court against the data recipient or the data controller. The court shall proceed with the case out of turn. The lawsuit may also be initiated by the data subject - at their choice - before the court competent for their place of residence or stay.

Tasks of the organization for appropriate data protection

Data protection awareness. Professional readiness must be ensured for compliance with legal regulations. The professional preparation of employees and their familiarity with the policy are indispensable.

The purpose of data processing, the criteria system, and the concept of personal data processing must be reviewed. Lawful data processing and data handling must be ensured in accordance with the data protection and data management policy.

Proper information of the person affected by the data processing. It must be noted that, if the data processing is based on the data subject's consent, in case of doubt the controller must prove that the data subject consented to the data processing.

The information provided to the data subject should be concise, easily accessible and easy to understand, therefore it must be formulated and displayed in clear and plain language.

The requirement of transparent data processing is that the data subject should receive information about the fact and purposes of the data processing. The information must be provided before the data processing begins and the right to information belongs to the data subject during the data processing until its termination.

The main rights of the person affected by the data processing are as follows:

access to personal data regarding them;

rectification of personal data;

erasure of personal data;

restriction of processing of personal data;

objection against profiling and automated data processing;

the right to data portability.

The controller informs the data subject without undue delay, but at the latest within one month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline can be extended by a further two months. The information obligation can be ensured by operating a secure online system through which the data subject can easily and quickly access the necessary information.

The data processing carried out by the organization must be reviewed, and the enforcement of the right to informational self-determination must be ensured. At the request of the data subject, their data must be deleted without delay if the data subject withdraws the consent forming the basis of the data processing.

It must clearly emerge from the data subject's consent that the data subject agrees to the data processing. If the data processing is based on the data subject's consent, in case of doubt, the controller must prove that the data subject consented to the data processing operation.

In the case of personal data processing of children, special attention must be paid to compliance with data processing rules. Processing of personal data in relation to information society services offered directly to children is lawful if the child has reached the age of 16. In the case of a child who has not reached the age of 16, the processing of children's personal data is only lawful if and to the extent that consent was given or authorized by the person exercising parental responsibility over the child.

In the case of unlawful handling or processing of personal data, a notification obligation arises towards the supervisory authority. The controller must make the notification to the supervisory authority without undue delay and, if possible, no later than 72 hours after the personal data breach became known, except where the personal data breach is unlikely to result in a risk to the rights of natural persons.

In certain cases, it may be justified for the controller to conduct a data protection impact assessment prior to the data processing. During the impact assessment, it must be examined how the planned data processing operations affect the protection of personal data. If the data protection impact assessment establishes that the data processing is likely to result in a high risk, the controller must consult the supervisory authority prior to the processing of personal data.

In the event that the core activities include data processing operations which, by their nature, scope or purposes, require regular and systematic large-scale monitoring of data subjects, a Data Protection Officer must be appointed. The appointment of the Data Protection Officer aims to strengthen data security.

Data Security

Data must be protected by appropriate measures particularly against unauthorized access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, and against becoming inaccessible due to changes in the technology used.

In order to protect datasets managed electronically in records, it must be ensured by an appropriate technical solution that the data stored in records cannot be directly linked and assigned to the data subject.

When planning and applying data security, regard must be had to the current state of technology. Among several possible data processing solutions, the one that ensures a higher level of protection of personal data must be chosen, except where this would represent a disproportionate difficulty for the controller.

Data Protection Officer

The designation of a Data Protection Officer is mandatory based on the following criteria:

the data processing is carried out by public authorities or other bodies performing public tasks, except for courts acting in their judicial capacity;

the core activities of the controller or processor include data processing operations which, by their nature, scope or purposes, require regular and systematic large-scale monitoring of data subjects;

the core activities of the controller or processor relate to the processing on a large scale of personal data relating to decisions on criminal liability and offenses.

Where the designation of a Data Protection Officer is mandatory, the following rules apply:

The Data Protection Officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill data processing tasks.

The Data Protection Officer may be an employee of the controller or processor, or fulfill the tasks on the basis of a service contract.

The controller or processor is obliged to publish the name and contact details of the Data Protection Officer, and to communicate them to the supervisory authority.

Legal Status of the Data Protection Officer

The controller must ensure that the Data Protection Officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. Resources necessary to maintain the expert knowledge of the Data Protection Officer must be provided.

The Data Protection Officer shall not receive any instructions regarding the exercise of those tasks. The Data Protection Officer shall not be dismissed or penalized by the controller or the processor for performing their tasks. The Data Protection Officer shall directly report to the highest management level of the controller or processor.

Data subjects may contact the Data Protection Officer with regard to all issues related to processing of their personal data and to the exercise of their rights.

The Data Protection Officer shall be bound by secrecy or confidentiality concerning the performance of their tasks.

The Data Protection Officer may fulfill other tasks, but no conflict of interest shall exist regarding the tasks.

Tasks of the Data Protection Officer

Informs and provides professional advice to the controller or processor, as well as the employees carrying out data processing;

monitors compliance with the internal rules of the controller or processor regarding the protection of personal data;

provides professional advice upon request regarding the data protection impact assessment, and monitors the performance of the impact assessment;

cooperates with the supervisory authority.

Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the absence of appropriate and timely action, a personal data breach can cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or identity fraud.

A personal data breach must be reported to the competent supervisory authority without undue delay, and no later than 72 hours, unless it can be proven in accordance with the principle of accountability that the personal data breach is likely not to result in a risk to the rights and freedoms of natural persons.

The data subject must be informed without delay if the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order for them to take the necessary precautions.

Data processing for management and registration purposes

The organization may also process personal data in cases belonging to its activities and for management and registration purposes.

The basis for data processing is voluntary and determined consent based on the appropriate information of the person concerned. After detailed information – which extends to the purpose, legal basis and duration of data processing as well as the rights of the person concerned - the data subject must be warned of the voluntary nature of the data processing. Consent to data processing must be recorded in writing.

Data processing for management and registration purposes serves the following purposes:

data processing of members and employees of the organization, which is based on a legal obligation;

data processing of persons in an assignment relationship with the organization for contact, settlement and registration purposes;

contact details of other organizations, institutions and businesses in a business relationship with the organization, which may also be contact and identification data of natural persons;

Data processing according to the above is based on legal obligation on the one hand, and on the other hand, the person concerned explicitly consented to the processing of their data (e.g. for the purpose of an employment contract or registered as a partner on a website, etc.).

In the case of documents sent to the organization in written form – also containing personal data – (e.g. curriculum vitae, job application, other petition, etc.), the consent of the person concerned must be presumed. After the conclusion of the case – in the absence of consent for further use – the documents must be destroyed. The fact of destruction must be recorded in minutes.

In the case of data processing for management purposes, personal data appear exclusively in the documents of the given case and in records. Processing of these data lasts until the disposal of the document forming the basis of the processing.

Data processing for management and registration purposes - in order to ensure that the storage of personal data is limited to the necessary duration - must be reviewed annually, and inaccurate personal data must be deleted immediately.

Compliance with legal regulations must also be ensured in the case of data processing for management and registration purposes.

Data processing for other purposes

If the organization intends to carry out data processing that is not included in this policy, it must appropriately supplement this internal policy in advance, or attach sub-rules corresponding to the new data processing purpose.

Other documents belonging to the policy

Documents and regulations that contain, for example, a written statement consenting to data processing or, for example, in the case of websites, describe the mandatory data processing information, must be attached to and handled together with the data protection and data management policy.

Legal regulations serving as the basis for data processing

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

Act LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archive Material.

Government Decree 335/2005 (XII. 29.) on the General Requirements for the Document Management of Bodies Performing Public Tasks.

Act CVIII of 2001 on certain issues of electronic commerce services and information society services.

Act C of 2003 on Electronic Communications.

The foreign language translation was performed with the help of artificial intelligence.