GDPR Privacy Policy

PRIVACY POLICY

 

 

HRT Spedition Kft.

PREAMBLE

 

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR) introduces that the data controller makes the necessary steps that the data protection policies are available for all affected parties, each of them are concise, clear and available in an easily understandable form. Furthermore, the data controller enhances the practice of the rights of the affected parties. In addition, Act CXII of 2011 regulates the obligatory informing of the data subjects in advance about their right of informational self-determination and freedom of information.

 

 

 

CHAPTER I.

THE NAMING OF THE DATA CONTROLLER

 

The publisher of this privacy policy and the data controller:

Company name:                HRT Spedition Kft.

Headquarters:     1035 Budapest, Vörösvári u. 3. 5. em. 27.

Company registration number: Cg.01-09-936409

VAT number:         22626547-2-41

Representative:                   Hartvich, Tamás managing director

E-mail address:    adatvedelem@hrtsped.hu

Webpage:              www.hrtsped.hu

(in the following: Company)

 

CHAPTER II.

THE NAMING OF DATA PROCESSORS

 

Data processor: the natural person, legal entity, public authority, agency or any other body which processes data on behalf of the data controller (Act 4. article 8.).

 

The use of a data processor does not require the consent of the affected party but is required to be informed about it. Therefore, we would like to provide the following communication:

 

 

  1. IT provider of the Company

 

The Company stores personal data of its business partners in the Selexped program located on the server of its Budapest site (89-95 Szentendrei út, Budapest 1033). For the storage of personal data the Company does not employ the services of a third party. The Company ensures the protection of personal data ie. against unauthorized access or unauthorized change of data. Hence, the access of personal data on the server is logged, and t can always be checked who, when and what personal data has been accessed.

 

 

  1. Bookkeeping provider of the Company

 

Our Company employs an external provider to meet tax- and financial obligations. In order to meet these obligations, the provider also processes the personal data of natural persons connected to us either via contract or as payers.

 

The naming of this data processor is as follows:

Company name: Tiga, Györgyné

Headquarters: 73 Aranypatak út Budapest 1037

Company registration number: 002490

 

  1. Postal services, delivery, shipping

 

Data processors receive the necessary personal data for delivering the ordered products (name, address and phone number of the affected party) and use these data for delivery.

 

These providers are:

 

Magyar Posta

 

 

  1. Security provider, Remote security

 

The below data processor:

This data processor is employed to provide remote security via camera observation and do the administration related to our entry/exit system.

The naming of the provider:

Company name: Távfelügyelet Support Biztonságtechnikai Kft.

Headquarters:, 8 Kossuth tér, Sátoraljaújhely 3980

Company registration number: 05-09-029589

VAT number: 25878310-2-05

Representative: Lipusz, Péter director

E-mail: lipusz@gmail.com

 

  1. Billing system provider:

The following company provides the Selexped system, the customization of the program and ensures it is legally up-to-date.

The naming of the provider:

Company name: Selester Számítástechnikai és Kultúrális Szolgáltató Kft.

Headquarters: 11. 4. em 1 Kökörcsin utca, Budapest 1113

Company registration number: 01-09-710351

VAT number: 12926626243

Representative: Molnár László Viktor

Phone number: + 36 1 372 0061

E-mail: info@selester.hu; molnar.laszlo@selester.hu

  1. Legal provider

The following data processor provides ad-hoc legal representation and processes the relevant data.

 

The naming of the provider:

Company name:                                Simon Ügyvédi Iroda

Headquarters:                   2. I/3. Foglár utca Eger, 3300

VAT number:                      18582475-2-10

Representative:                 dr. Lassán Csaba lawyer

Phone number:                  36/517-107

 

III.

 

  1. data processing related to video surveillance at the workplace

 

1.1. Our Company uses video surveillance for security reasons on its headquarters, sites and public areas to protect human life, physical integrity, personal freedom, and business secrets. The electronic video surveillance system can record picture, sound or both.  Therefore, the recorded behavior of an individual is regarded as personal data.

 

1.2. The lawful basis of the usage of these data are the employer’s rightful interests and the consent of the data subject.

 

1.3. There shall be a clear, legible, visible and remarkable sign installed in the area to help inform individuals about the electronic surveillance system in place. Each camera should be indicated. We hereby inform you in the following about the fact that the security camera system is installed, the purpose of the recording and storage of audio and visual material containing personal data, the lawful basis of the data processing, the location of the recordings, the duration of the storage, the user (operator) of the surveillance system, the authorized personnel allowed to access the personal data, as well as information about the rights of indiivduals and the process of their reinforcement.

 

1.4. Third parties (customers, visitors and guests) entering the observed area may be recorded and the recordings may be processed with their consent. Consent may be granted by implied conduct as well. It is especially regarded as implied conduct if the natural person walks in the observed area despite the signs informing about the usage of the electronic surveillance system.

 

1.5. The saved recordings may be stored for maximum 3 (three) working days, unless they are used. By usage it is meant that the visual- or audio recording or any other personal data is used as evidence during a litigation or any other public proceedings.

 

1.6. The person whose right is affected by the storage of audio or visual or audiovisual recordings may request that the data is not destroyed or erased by justifying their right or lawful interest within three working days after the recording of the audio or visual or audiovisual material.

 

1.7. It is not allowed to apply an electronic surveillance system in areas where observation would harm human dignity, especially in dressing rooms, showers, washrooms or doctor’s room and the related waiting room, or in the recreation  area.

 

1.8. If no one is lawfully allowed to be in the work area, then the complete area (ie. dressing rooms, washrooms or doctor’s room and the related waiting room, or the recreation areas) may be observed.

 

1.9. Authorized personnel permitted to watch the recorded data are those authorized by the law. In addition, the operating personnel, the employer manager and acting manager and the manager of the observed area, for the purpose of discovering violation of the law or for checking the functionality of the system.

 

 

 

CHAPTER IV.

Data control related to contracts

 

  1. Data management of contractual partners – administration of customers, suppliers

 

1.1. On the grounds of executing the contract, the Company controls the name, birth name, time of birth, mother’s name and address, VAT registration number, VAT number, sole trader's licence number, primary produce license number, identification number,  address, address of headquarter and sites, phone number, e-mail address, webpage link, bank account number, payer number (customer number, order number), online ID number (lists of buyers and suppliers, regular customer list)
of natural persons who enter in contract with us as  customers or suppliers
to make, fulfill, terminate, provide contractual discounts. The data management qualifies as rightful even if the data management is a prerequisite for fulfilling the request of the affected party. The recipients of personal data: employees and data processing personnel filling customer service, bookkeeping, tax management roles. The duration for handling personal data: until 5 years after the termination of contract.

1.2. The data subjects must be informed that the data management is on the grounds of executing the contract. They may be informed within the contract as well.

 

1.3. The data subject must be informed if their data is transferred for data processing.

  1. Contact details of natural person representatives of legal entity customers, buyers, suppliers

 

2.1. The following data may be managed: name, address, phone number, e-mail address and online username of the natural person.
2.2. The purpose of personal data management: the execution of the contract made with the legal entity partner of our Company, keep contact with business partners on the grounds of the consent of the data subject.
2.3. The recipients of the personal data and the categories of recipients: employees of the Company fulfilling customer service roles.

 

2.4. Duration of storing personal data: the duration of the business relation resp. 5 years after termination, or 5 years after termination of the contact person being representative.

 

 

  1. Data management of visitors on the Company website

 

3.1. Cookies are short data files that the visited webpage places on the computer of the user. The aim of using cookies is to make the given infocommunication resp. internet service easier and more comfortable. There are numerous kinds but they typically fall into two main groups. One of them is the temporary cookie, which is placed on the computer of the user only during a specific work process (during the security identification of an internet banking process). The other kind is the permanent cookie (language settings of a webpage), which remains on the computer of the user until it is deleted. According to the guidelines of the European Committee cookies may only be placed on a user’s computer if consent is granted.

 

3.2. In the case of cookies which do not require the user’s consent, the user must be informed during the first visit on the webpage. It is not required that a full description is put on the webpage about the cookies. It is satisfactory if there is a short summary of the cookies and a link referring to the full documentation.

 

3.3. Visitors may be informed about cookies that require consent during their first visit on the webpage, if data management starts right at the point of the first visit. If the usage of the cookie relates directly to a function requested by the user, they may be informed connected to the usage of that function. In this case it is not required either that a full description is put on the webpage about the cookies. It is satisfactory if there is a short summary of the cookies and a link referring to the full documentation.

  1. Information about the usage of cookies

 

4.1. According to the general practice, our Company uses cookies on its website, too. The cookie is a file containing a series of characters which is placed on the visitor’s computer when they visit a webpage. When they visit the webpage next time, the cookie enables the webpage to recognize the visitor’s browser. A cookie may contain user settings (language settings) and other information. For instance, they collect information about the visitor, the visitor’s device, they store individual settings, and may use this information when using online shopping, for example. Cookies make the usage of the webpage easier in general. They enhance the user experience about the webpage, and they make it a relevant source of information. Furthermore, they ensure that the webpage operator can control functionality, thus prevent abuse and assure that the webpage can operate seamlessly at the expected level of quality.
4.2. The webpage of our Company administers and manages the following data during usage about the visitors and the device used for browsing:

  • IP address used by the visitor,
  • type of browser,
  • settings of the operating system installed on the device used for browsing (language setting)
  • date of the visit,
  • the visited (sub)page, function or service

4.3. Accepting and enabling the cookies is not mandatory. You can restore your browser’s settings so that it rejects all cookies, or alert you if the system is sending you a cookie. Although most browsers accept cookies by default, these can usually be changed so that the acceptance of cookies is not automatic and your browser offers you a choice each time a cookie is used.

You can consult the following links about the cookie settings of the most popular browsers:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/en-gb/HT201265

However, please note that it may occur that certain web functions or –services do not work as designed without the cookies.

 

4.4. The cookies used on our website are not suited to identify the person of the visitor on their own.

 

4.5. Cookies used on the webpage of the Company:

 

4.5.1. Technically essential session cookies

These cookies are necessary for visitors to browse the webpage, can fully use without issues its functions and the services available through the webpage ie. storing the operations made by the visitors during a visit among others. The data control of these data is done strictly only during the visit. This kind of cookie is automatically deleted from the computer by termination of the work session or closing the browser.
The management of data category: AVChatUserId, JSESSIONID, portal_referer.

The lawful basis for data management is the law passed about the electronic commercial services and information society services, specifically 2001. CVIII. 13/A. § (3).

Purpose of data management: ensure that the webpage functions correctly.

 

4.5.2. Cookies that require consent:

These cookies enable the storage of user choices related to the webpage. The visitor may reject this anytime prior and during the usage of the given service. These data may not be linked to the user’s data and cannot be transferred to a 3rd party without the user’s consent.

4.5.3. Cookies enhancing usage:

The lawful basis for using the data is the consent of the visitor.
The purpose of data management: enhancing the efficiency of the service, endorsing user experience and making the usage of the webpage more comfortable.
The duration of the data management is 6 months.

4.5.4. Cookies ensuring performance:

Google Analytics cookies – for details please consult:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

 

Google AdWords cookies  - for details please consult:

https://support.google.com/adwords/answer/2407785?hl=hu

 

  1. Registration of the webpage of the Company

 

5.1. The natural person registering on the webpage may give their consent to the management of their personal data by ticking the relevant checkbox in. It must not be checked in by default.
5.2. Data category that may be managed: name (first name, family name), address, phone number, e-mail address and username of the natural person.
5.3. The purpose of data management:
1. Providing of the services offered on the webpage.

  1. Establishing contact via e-mail, text message or post.
  2. Informing customers about the products, services, contract terms and discounts of the Company
  3. Commercial newsletter may be sent vie e-mail or post.
  4. Analysis of the usage of the webpage.

 

5.4. The lawful basis of the data management is the consent of the data subject.

5.5. The recipients of personal data and their categories: employees filling roles related to customer service, marketing, the IT provider of the Company as data processor and employees responsible for storage space service.

 

5.6. Duration of storing personal data: during registration / duration of the service or until the withdrawal of the user’s consent (request for deletion).
 

  1. Social guidelines / Data management on the Facebook page of the Company

6.1. The Company maintains a Facebook page to promote and raise awareness of its products and services.

 

6.2. A question asked on the Facebook page of the Company does not qualify as an officially submitted complaint.

 

6.3. Personal data published by visitors on the Facebook page of the Company is not managed by the Company.
6.4. The terms and conditions of Data protection and Services of Facebook apply to visitors.

 

6.5. If illicit or offensive content is published, the Company may exclude the data subject from the member group or delete their posts without prior notice.

 

6.6. The Company is not responsible for any unlawful content or posts published by users. The Company is not responsible for any issues, shortages or problems originating from system changes in the operation of Facebook.

chapter V.

PERSONAL DATA MANAGEMENT BASED ON LEGAL OBLIGATIONS

 

  1. Data management in order to meet tax- and financial obligations

 

1.1. Personal data of natural persons defined by the law acting as contractual customers or suppliers are managed in order to meet legal obligations such as tax- and financial obligations determined by the law.

The data managed based on 2017. CXXVII. 169.§, and 202.§ are especially: VAT number, name, address, tax status; based on 2000. C. 167.§: name, address, the name of the person or organization ordering the economical operation, the person responsible for confirmation of remittance and execution of the order and, depending on the organization, the controller’s signature; the recipient’s signature on receipts of stock movement and financial administration  and the payer’s signature on financial receipts; based on  1995. CXVII.: sole trader's licence number, primary manufacturer licence number and VAT registration number.

1.2. Duration of storing the personal data shall be 8 years after the termination of legal contract.
1.3. Recipients of the personal data: employees and data processors filling tax, bookkeeping, payroll and social security related roles.

 

  1. Payer data management

 

2.1. On the grounds of meeting legal obligations, the Company acting as payer manages personal data of affected permanent or temporary employees, persons entitled for allowances and their families,  in order to meet (tax, tax advance payment, statement of allowances, payroll, social security, pension arrangements and other) obligations defined by the law (2017:CL. Art. 7.§ 31, law about the process of tax paying). The data categories managed are defined by Art. 50.§, especially the part about personal data management of a natural person such as natural identification data (including former name and title), gender, citizenship, the tax identification number of the natural person and social security number. If the tax laws have a legal consequence, the Company may manage data related to their health (Law about personal income tax 40. §), union membership (Law about personal income tax 47. § (2) b. /) in order to meet tax and contribution (payroll, social security services) obligations.

2.2. The duration of the storage of personal data shall be eight years after termination of the legal relationship.

 

2.3. Recipients of the personal data: employees and data processors fulfilling tax, payroll, social security (payer) roles of the Company.

 

  1. Data management for documents of lasting value under the Archives Act

3.1. In compliance with Act LXVI of 1995 on public documents, public archives and the protection of private archives, (Archives Act), the Company manages its documents that represent durable value in order to preserve the durable value of the archival material of the Society intact and in usable state for future generations. Duration of data storage: until handover to the public archives.

 

3.2.  The recipients of the personal data and other questions of data handling are governed by the Archives Act.

  1. Data management to meet anti-money laundering obligations

 

4.1. The Company manages data of its clients defined by the Act LIII of 2017 on the prevention of money laundering and terrorist financing by legal entities, to prevent and arrest money laundering and terrorist financing: the natural person’s a) first and family name, b) birth name, c) citizenship, d) placeand time of birth, e) mother’s birth name, f) address, or if this is not applicable, place of residency, g) type and number of identification document t; reference number of the offical document verifying address, the copy of the presented documents (7.§).

4.2. Recipients of the personal data: personnel filling customer service roles, the manager of the Company and the person defined by the Act LIII of 2017 on the prevention of money laundering and terrorist financing.

 

4.3. Duration of data storage: 8 years after termination resp. the fulfilment of the business order (56.§(2)).

 

  1. Complaint management

 

  • The fact of the data collection, data category (natural person’s name, e-mail address, phone number, bill to name, address, tax identification number, VAT number) and the purpose of data management: identification, keep contact with business partners, the management of quality complaints, questions and problems related to the ordered product.
  • Data subjects: the customer and all other data subjects filing a complaint.
  • Duration of data management, deadline for erasing data: in compliance with CLV 1997 Consumers' Act 17 / A. Section (7) copies of the minutes about the complaint, the transcript and the reply given to it shall be preserved for 5 years.
  • Authorized personnel to access the data and recipients of personal data: data may be managed by sales and marketing employees, respecting the principles described above.
  • Informing data subjects about their rights: the data subject may request access, correction, deletion, or restriction of the data referring to their person. They may object to the use of their data, and they have the right to data portability and to withdraw their consent at any moment.
  • The access, correction, deletion, or restriction of the data, data portability or object to the data management may be initiated at the below contacts:
    - per post at the following address: HRT Spedition Kft, 3 Vörösvári út Budapest, 1035.
    - via e-mail at adatvedelem@hrtsped.hu
    - via phone at +36 1 920 0097
  • Lawful basis of data management: Article 6 (1) (c) and Article 6 (1) (c) of the Consumer Protection Act 1997. Act 17 / A. § (7). Please be informed that providing personal data is based on contractual obligations. The management of personal data is a prerequisite for entering into a contract. You are to provide the personal data for us to be able to process your complaint. Failure to provide data has the effect of us not being able to handle your complaint.

CHAPTER VI.

INFORMATION ABOUT THE RIGHTS OF THE DATA SUBJECT

 

  1. Information to be provided where personal data are collected from the data subject

 

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
  2. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  3. the contact details of the data protection officer, where applicable;
  4. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  5. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  6. the recipients or categories of recipients of the personal data, if any;

 

  1. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available

 

  1. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
    1. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
    2. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
    3. where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
    4. the right to lodge a complaint with a supervisory authority;
    5. whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
    6. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  3. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
    (Art 13)
  4. Information to be provided where personal data have not been obtained from the data subject

 

  1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

 

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. the categories of personal data concerned;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
  7. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
  8. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  9. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  10. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
  11. where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  12. the right to lodge a complaint with a supervisory authority;
  13. from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
  14. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  15. The controller shall provide the information referred to in paragraphs 1 and 2:
  16. within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
  17. if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
  18. if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
  19. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  20. Paragraphs 1 to 4 shall not apply where and insofar as:
  21. the data subject already has the information;
  22. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
  23. obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  24. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
    (Art 14)

 

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
  2. the purposes of the processing;
  3. the categories of personal data concerned;
  4. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  5. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  6. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  7. the right to lodge a complaint with a supervisory authority;
  8. where the personal data are not collected from the data subject, any available information as to their source;
  9. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  10. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46relating to the transfer.
  11. 1The controller shall provide a copy of the personal data undergoing processing. 2For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. 3Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  12. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
    (Art 15)

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
  2. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  3. the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  4. the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  5. the personal data have been unlawfully processed;
  6. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  7. the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  8. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  9. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
  10. for exercising the right of freedom of expression and information;
  11. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  12. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  13. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  14. for the establishment, exercise or defence of legal claims.
    (Art 17)

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
  2. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  3. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  4. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  5. the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
  6. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  7. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
    (Art 18)

 

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
  2. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  3. the processing is carried out by automated means.
  4. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  5. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. 2That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
    (Art 20)

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. 2The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
    (Art 21)

 

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:
  3. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  4. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  5. is based on the data subject’s explicit consent.
  6. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  7. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
    (Art 22)

 

Restrictions

  1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
  2. national security;
  3. defence;
  4. public security;
  5. the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  6. other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
  7. the protection of judicial independence and judicial proceedings;
  8. the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  9. a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
  10. the protection of the data subject or the rights and freedoms of others;
  11. the enforcement of civil law claims.
  12. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
  13. the purposes of the processing or categories of processing;
  14. the categories of personal data;
  15. the scope of the restrictions introduced;
  16. the safeguards to prevent abuse or unlawful access or transfer;
  17. the specification of the controller or categories of controllers;
  18. the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
  19. the risks to the rights and freedoms of data subjects; and
  20. the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
    (Art 23.)

 

 

 

Communication of a personal data breach to the data subject

  1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
  2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3). The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
  3. the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  4. the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
  5. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  6. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
    (Art. 34)

Right to lodge a complaint with a supervisory authority

  1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
  2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
    (Art. 77)

 

 

Right to an effective judicial remedy against a supervisory authority

  1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
  2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
  3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
  4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
    (Art. 78)

Right to an effective judicial remedy against a controller or processor

  1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
  2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
    (Art. 79)

 

 

CHAPTER VIII.

THE DATA SUBJECT’S SUBMISSION OF REQUEST,
THE DATA CONTROLLER’S ACTIONS

 

  1. The data controller informs the data subject about the actions that are taken regarding their request to exercise their rights without delay but within 25 days after the arrival of the request.
  2. If needed, considering the complexity and the number of requests, this deadline may be prolonged for two extra months. The data controller informs the data subject about the prolongation indicating the reasons within a month after the receipt of the request.
  3. If the request was submitted in electronic form, the data subject should be informed electronically as well, unless they request otherwise.

 

  1. If the data controller takes no action regarding the data subject’s request, the data controller informs them without delay, but within a month after the arrival of the request of the reasons and about the fact that the data subject may lodge a complaint with a supervisory authority and have a right to judicial remedy.

 

  1. The data controller provides information concerning Articles 13-14 and about the data subject’s rights (Articles 15-22 and 34) and takes action free of charge. If the data subject’s request is clearly unfounded or, especially because of its repetitive quality, excessive, considering the administration costs related to informing or taking action, the data controller may

 

  1. charge 50000 as in fifty thousand HUF
  2. refuse to take action on the request.

 

It is the data controller’s responsibility to prove if a request is clearly unfounded or excessive.

 

  1. If the data controller has reason to doubt the identity of the natural person as requestor, they may request further information to confirm the identity of the data subject.

 

 

Date: 2018. .

 

HRT Spedition Kft.