Privacy Policy

PRIVACY POLICY

ON THE RIGHTS OF THE NATURAL PERSON CONCERNED

REGARDING THE PROCESSING OF THE PERSONAL DATA

TABLE OF CONTENTS

INTRODUCTION

CHAPTER I – NAME OF THE DATA CONTROLLER

CHAPTER II – NAMES OF DATA PROCESSORS

2. Our company’s accounting service provider

CHAPTER VI – CONTRACT – RELATED DATA PROCESSES

1. Management of data of contracting partners – register of customers and suppliers

2. Contact details of natural person representatives of legal entity customers, buyers, suppliers

§ 19 Visitor data management on the Company’s website – Information on the use of cookies

§ 22 Community Guidelines / Data Management on the Company’s Facebook page

CHAPTER V – LEGAL OBLIGATIONS

1. Data management for tax and accounting purposes

2. Payer data management

VI. CHAPTER  – SUMMARY INFORMATION ON THE RIGHTS OF THOSE CONCERNED

VII. CHAPTER  – DETAILED INFORMATION ON THE RIGHTS OF THOSE CONCERNED

VIII. CHAPTER – SUBMISSION OF THE APPLICATION OF THE PERSON CONCERNED, MEASURES OF THE DATA CONTROLLER

INTRODUCTION

REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) (hereinafter “the Regulation”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 provides that the Data Controller takes appropriate measures to provide the person concerned with all information concerning the processing of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and comprehensible manner, and that the Data Controller facilitates the exercise of the rights of the person concerned. 

The obligation of prior information of the person concerned is also prescribed by Act CXII of 2011 on the right to information self-determination and freedom of information.

We comply with this legal obligation by providing the information below.

The information shall be published on the company’s website or sent to the person concerned upon request.

CHAPTER I.

NAME OF DATA CONTROLLER

The publisher of this information, as well as the Data Controller:

Company name: Globálvám Ltd.

Headquarters: 44 / A. Második street, Pápa, 8500

Company registration number: 19-09-502228

Tax number: 11335234-2-19

Representative: Szilárd Gyimóti

(hereinafter: the Company)

CHAPTER II.

NAME OF DATA PROCESSORS

Data processor: any natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller; (Article 4 (8) of the Regulation)

The use of a data processor does not require the prior consent of the person concerned, but requires the information of the person concerned. Accordingly, we provide the following information:

1. Our company’s accounting service provider

In order to fulfill its tax and accounting obligations, our Company uses an external service provider with an accounting service contract, which also handles the personal data of natural persons in a contract or paying relationship with the Company in order to fulfill the tax and accounting obligations of our Company.

Name of this data processor:

Company name: ELANOX Ltd.

Headquarters: 67. Celli street, Pápa, 8500

Tax number: 12524705-2-19

Representative: Klára Nagy

Phone number: +36-89/777-720

CHAPTER IV.

CONTRACT – RELATED DATA PROCESSES

1. Management of data of contracting partners – register of customers and suppliers

(1) The Company for the purpose of concluding, fulfilling, terminating the contract, providing a contractual discount manages the name, birth name, date of birth, mother’s name, home address, tax identification number, tax number, entrepreneurial, primary producer ID number, identity card number, home address, registered office address, site address, telephone number, e-mail address, website address, bank account number, customer number (account number, order number), online ID (list of customers, suppliers, frequent purchase lists) of the natural person contracted as a buyer or supplier. Such data processing is also considered lawful if the data processing is necessary to take steps at the request of the person concerned before concluding the contract. Recipients of personal data: employees of the Company performing customer service-related tasks, employees performing accounting and tax tasks, and data processors. Duration of processing of personal data: 5 years after the termination of the contract.

(2) The person concerned shall be informed before the start of the data processing that the data processing is based on the right to perform the contract, this information may also be provided in the contract.

(3) The person concerned shall be informed of the transfer of his or her personal data to the data processor.
 

2. Contact details of natural person representatives of legal entity customers, buyers, suppliers

(1) The scope of personal data that can be managed: the name, address, telephone number, e-mail address and online ID of the natural person.

(2) The purpose of the processing of personal data: fulfillment of the contract concluded with the partner of the Company’s legal entity, business relations, legal basis: the consent of the person concerned.

(3) Recipients of personal data and categories of recipients: employees of the Company performing customer service-related tasks.

(4) Duration of storage of personal data: for 5 years after the existence of the business relationship or the status of the representative concerned.

§ 19 Visitor data management on the Company’s website – Information on the use of cookies

(1) Cookies are short data files placed on the user’s computer by the website visited. The purpose of the cookie is to make the given infocommunication and internet service easier and more convenient. There are many varieties, but they can generally be classified into two major groups. One is a temporary cookie that a website places on a user’s device only during a specific session (e.g.: during the security authentication of an Internet bank), and the other type is a persistent cookie (e.g.: a website’s language setting) that remains on the computer until the user deletes it. According to the guidelines of the European Commission, cookies [unless they are absolutely necessary for the use of the given service] may only be placed on the user’s device with the user’s permission.

(2) In the case of cookies that do not require the user’s consent, information shall be provided during the first visit to the website. It is not necessary for the full text of the cookie information to appear on the website, it is sufficient for the website operators to briefly summarize the essence of the information and to indicate the availability of the full information via a link.

(3) In the case of cookies requiring consent, the information may also be related to the first visit to the website in the event that the data processing associated with the use of cookies already begins with a visit to the website. If the use of a cookie is related to the use of a function specifically requested by the user, the information may also be displayed in connection with the use of this function. In this case, it is not necessary for the full text of the cookie information to appear on the website, a short summary of the essence of the information and a reference to the availability of the full information via a link will suffice.

(4) The visitor shall be informed about the use of cookies on the website in the data management information according to Annex 2. With this information, the Company ensures that the visitor can find out before and at any time during the use of the information society-related services of the website, for which data management purposes the Company manages which types of data, including the handling of data that cannot be directly contacted by the user.

Managed data of visitors of the Website

When using the website, different types of cookies may be installed on the device of the visitor concerned (see Point 11 for details on cookies). Each cookie can store the visitor’s IP address or part of it, the type of browser, information about the use of the website (time of visit, pages visited, duration of the session, number of clicks).

If a visitor to the Website marks it as “liked” using the Facebook plugin placed on the site, or if he/she subscribes to the Facebook page of the Website, the Data Controller manages the data (name, profile picture) of the affected Facebook profile.

§ 22 Community Guidelines / Data Management on the Company’s Facebook page

(1) The Company maintains a Facebook page for the purpose of introducing and promoting its products and services.

(2) A question asked on the Company’s Facebook page does not qualify as an officially submitted complaint.

(3) The personal data published by the visitors on the Facebook page of the Company are not handled by the Company.

(4) Visitors are governed by the Facebook Privacy and Service Terms.

(5) In the event of the publication of illegal or offensive content, the Company may exclude the person concerned from the membership or delete his/her comments without prior notice.

(6) The Company is not responsible for data contents or comments that violate the law published by Facebook users. The Company shall not be liable for any errors or malfunctions resulting from the operation of Facebook or for a problem caused by changing the operation of the system.

CHAPTER V.

DATA MANAGEMENT BASED ON LEGAL OBLIGATIONS

1. Data management for tax and accounting purposes

(1) In order to fulfill a legal obligation of the Company, it manages the data, specified by law, of the natural persons who enter into business relations with it as a customer or supplier, for the purpose of fulfilling tax and accounting obligations (bookkeeping, taxation) according to the law. The data managed pursuant to § 169 and § 202 of Act CXXVII of 2017 on Value Added Tax, in particular: tax number, name, address, tax status, pursuant to § 167 of Act C of 2000 on Accounting: the name, address, indication of the person or body ordering the transaction, the person issuing the voucher and certifying the implementation of the provision and, depending on the organization, the signature of the inspector; on the receipts of stock movements and cash management certificates the signature of the recipient, on the counter-receipts the signature of the payer, pursuant to Act CXVII of 1995 on Personal Income Tax: number of the business license, number of the primary producer card, tax identification number.

(2) Duration of storage of personal data of the legal relationship based on legal basis after termination is 8 years.

(3) Recipients of personal data: employees and data processors of the Company performing tax, accounting, payroll accounting and social security tasks.

2. Payer data management

(2) The Company manages the personal data of the relevant parties – employees, their family members, workers, recipients of other benefits – prescribed by tax laws, for the purpose of fulfilling legal obligations and fulfilling statutory tax and contribution obligations (tax, tax advance, determination of contributions, payroll accounting, social security administration) with whom the payers (2017: CL Act on the Taxation System § 7 31.) are connected. The scope of the processed data is defined by § 50 of the Act CL of 2017 on the taxation system, with special emphasis on: the natural personal identification data of the natural person (including the previous name and title), gender, citizenship, natural person’s tax identification number, social security identification number. If the tax laws impose a legal consequence on this, the Company may process the data on the health (Section 40 of Act CXVII of 1995 on Personal Income Tax) and trade union membership (Section 47 (2) b. / Of Act CXVII of 1995 on Personal Income Tax) of the employees for the purpose of fulfilling tax and contribution obligations (payroll accounting, social security administration).

(2) Duration of storage of personal data of the legal relationship based on legal basis after termination is 8 years.

(3) Recipients of personal data: employees and data processors of the Company performing tax, payroll accounting, social security (payer) tasks.

CHAPTER VI.

SUMMARY OF THE RIGHTS OF THE PERSON CONCERNED

For the sake of clarity and transparency, this chapter briefly summarizes the rights of the person concerned, detailed information on the exercise of rights is given in the next section.

Right to prior information

The person concerned has the right to be informed of the facts and information related to the data processing before the data processing starts.

(Articles 13 to 14 of the Regulation)

Details are provided in the next chapter.

The right of access of the person concerned

The person concerned has the right to receive feedback from the Data Controller as to whether the processing of his/her personal data is in progress and, if such data processing is in progress, the person concerned has the right to access the personal data and related information specified in the Regulation.

(Article 15 of the Regulation).

Details are provided in the next chapter.

Right to rectification

The person concerned has the right to have inaccurate personal data concerning him/her rectified by the Data Controller at his/her request without undue delay. Taking into account the purpose of the data processing, the person concerned has the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary statement.

(Article 16 of the Regulation).

Right of cancellation (“right to forget”)

1. The person concerned has the right to request the Data Controller to delete personal data concerning him/her without undue delay, and the Data Controller is obliged to delete personal data concerning the person concerned without undue delay if any of the reasons set out in this Regulation apply.

(Article 17 of the Regulation)

Details are provided in the next chapter.

Right to restrict data processing

At the request of the person concerned who is entitled to request the Data Controller to restrict the data processing if the conditions specified in the Regulation are met.

(Article 18 of the Regulation)

Details are provided in the next chapter.

Obligation to notify in connection with the rectification or erasure of personal data or restrictions on data processing

The Data Controller shall inform all recipients to whom or with whom the personal data have been communicated of any rectification, erasure or restriction of data processing, unless this proves impossible or requires a disproportionate effort. Upon request, the Data Controller shall inform the person concerned of these recipients.

(Article 19 of the Regulation)

The right to data portability

Subject to the conditions set out in the Regulation, the person concerned is entitled to receive personal data concerning him/her made available to a Data Controller in a structured, widely used, machine-readable format and to transfer such data to another Data Controller without hindering from the Data Controller to whom the person concerned have provided the personal data.

(Article 20 of the Regulation)

Details are provided in the next chapter.

Right to protest

The person concerned has the right to object at any time for reasons related to his/her situation to Article 6 (1) (e) of the Regulation (the necessity for the performance of a task in the public interest or in the exercise of a public authority conferred on the Data Controller) or (f) (the data processing is necessary for the legitimate interests of the Data Controller or of a third party).

(Article 21 of the Regulation)

Details are provided in the next chapter.

Automated decision making in individual cases, including profiling

The person concerned shall have the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects on him/her or would be similarly significantly affected.

(Article 22 of the Regulation)

Details are provided in the next chapter.

Restrictions

Union or Member State law applicable to the Data Controller or processor may, by means of legislative measures, restrict the application of Articles 12 to 22 and Article 34, in accordance with the rights and obligations set out in Article 12 to 22.

(Article 23 of the Regulation)

Details are provided in the next chapter.

Informing the person concerned about the data protection incident

If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the person concerned of the data protection incident without undue delay.

(Article 34 of the Regulation)

Details are provided in the next chapter.

Right to complain to the supervisory authority (right to official legal redress)

The person concerned has the right to lodge a complaint with a supervisory authority, in particular in his/her habitual residence, workplace or in the Member State where the alleged infringement took place, if he/she considers that the processing of personal data concerning him/her infringes the Regulation.

 (Article 77 of the Regulation)

Details are provided in the next chapter.

Right to an effective judicial remedy against the supervisory authority

All natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority, or if the supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the progress or outcome of the complaint.

(Article 78 of the Regulation)

Details are provided in the next chapter.

The right to an effective judicial remedy against the data controller or processor 

Any person concerned shall have the right to an effective judicial remedy if, in his/her opinion, his/her rights under this Regulation have been infringed as a result of improper processing of his/her personal data.

(Article 79 of the Regulation)

Details are provided in the next chapter.

CHAPTER VII.

DETAILED INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED

Right to prior information

The person concerned has the right to be informed of the facts and information related to the data processing before the data processing starts

A) Information to be provided if personal data are collected from the person concerned

1. If personal data concerning the person concerned are collected from the person concerned, the data controller shall provide the person concerned with all of the following information at the time the personal data are obtained:

(a) the identity and contact details of the data controller and, if any, of the controller ‘s representative;

(b) the contact details of the Data Protection Officer, if any;

(c) the purpose of the intended processing of the personal data and the legal basis for the processing;

(d) in the case of data processing based on Article 6 (1) (f) of the Regulation (legitimate interests validation), the legitimate interests of the data controller or of a third party;

e) where applicable, the recipients of the personal data, or categories of recipients, if any;

(f) where applicable, the fact that the data controller intends to transfer the personal data to a third country or an international organization, and the existence or absence of a Commission decision on adequacy, or in the case of the transmission referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, the indication of the appropriate and suitable guarantees and the means of obtaining a copy thereof, or a reference to their availability.

2. In addition to the information referred to in Point 1, the data controller shall, at the time of acquisition of the personal data, provide the person concerned with the following additional information in order to ensure fair and transparent data processing:

(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

(b) the right of person concerned to request the data controller to access, rectify, delete or restrict the processing of personal data concerning him/her and to object to the processing of such personal data and of the right of the person concerned to data portability;

(c) in the case of processing based on Article 6 (1) (a) of the Regulation (consent of the person concerned) or Article 9 (2) (a) (consent of the person concerned) of the Regulation, the right to withdraw the consent at any time, which does not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal;

(d) the right to lodge a complaint to the supervisory authority;

(e) whether the provision of personal data is based on a legal or contractual obligation or a precondition for the conclusion of a contract, whether the person concerned is obliged to provide personal data and the possible consequences of not providing such data;

(f) the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in those cases, comprehensible information on the logic used and the significance of such processing and the expected consequences for the person concerned.

3. If the data controller intends to carry out further processing of personal data for a purpose other than that for which they were collected, it shall inform the person concerned of that different purpose and of any relevant additional information referred to in paragraph 2 before further processing.

4. Points 1-3. shall not apply if and to the extent that the data subject already has the information.

(Article 13 of the Regulation)

B) Information to be provided if personal data have not been obtained from the person concerned

1. If the personal data have not been obtained from the person concerned, the data controller shall provide the person concerned with the following information:

(a) the identity and contact details of the data controller and, if any, of the data controller ‘s representative;

(b) the contact details of the Data Protection Officer, if any;

(c) the purpose of the intended processing of the personal data and the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients of the personal data, or categories of recipients, if any;

(f) where applicable, the fact that the data controller intends to transfer the personal data to a third country or an international organization, and the existence or absence of a Commission decision on adequacy, or in the case of the transmission referred to in Article 46, Article 47 or the second subparagraph of Article 49 (1) of the Regulation, the indication of the appropriate and suitable guarantees and the means of obtaining a copy thereof, or a reference to their availability.

2. In addition to the information referred to in Point 1, the data controller shall provide the person concerned with the following additional information necessary to ensure fair and transparent data processing for the person concerned:

(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

(b) where the processing is based on Article 6 (1) (f) of the Regulation (legitimate interest), the legitimate interests of the data controller or of a third party;

(b) the right of the person concerned to request the data controller to access, rectify, delete or restrict the processing of personal data concerning him /her and to object to the processing of such personal data and of the right of the person concerned to data portability;

(e) the right to lodge a complaint with a supervisory authority;

(f) the source of the personal data and, where applicable, whether the data come from publicly available sources; and

(g) the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in those cases, comprehensible information on the logic used and the significance of such processing and the expected consequences for the person concerned.

3. The data controller shall provide the information referred to in Points 1 and 2 as follows:

(a) within a reasonable time after receipt of the personal data, but not later than one month, taking into account the specific circumstances of the processing of personal data;

(b) if the personal data are used for the purpose of contacting the person concerned, at least at the time of the first contact with the person concerned, or;

(c) if the data are expected to be communicated to another recipient, at the latest on the first communication of personal data.

4. If the data controller intends to carry out further processing of personal data for a purpose other than that for which they were obtained, it shall inform the person concerned of that different purpose and of any relevant additional information referred to in Point 2 before further processing.

5. Points 1-5. shall not apply if and to the extent that:

(a) the person concerned already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for the purposes of archiving in the public interest, for scientific and historical research or for statistical purposes, subject to the conditions and guarantees of Article 89 (1) of the Regulation, or where the obligation referred to in paragraph 1 of this Article is likely to make it impossible or seriously jeopardize the achievement of the purposes of such processing. In such cases, the data controller shall take appropriate measures, including making the information publicly available, to protect the rights, freedoms and legitimate interests of the person concerned;

(c) the acquisition or disclosure of the data is expressly required by Union or Member State law applicable to the data controller, which provides for appropriate measures to protect the legitimate interests of the person concerned; or

(d) personal data must remain confidential under an obligation of professional secrecy imposed by a law of the Union or of a Member State, including a legal obligation of professional secrecy.

(Article 14 of the Regulation)

The right of access of the person concerned

The person concerned has the right to receive feedback from the Data Controller as to whether the processing of his/her personal data is in progress and, if such data processing is in progress, he/she has the right to access the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third country recipients or international organizations;

(d) where applicable, the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;

(e) the right of the person concerned to request the data controller to rectify, erase or restrict the processing of personal data concerning him/her and to object to the processing of such personal data;

(f) the right to lodge a complaint with a supervisory authority;

(g) if the data were not collected from the person concerned, all available information on their source;

(h) the fact of the automated decision-making referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in those cases, comprehensible information on the logic used and the significance of such processing and the expected consequences for the person concerned.

2. Where personal data are transferred to a third country or to an international organization, the person concerned shall be entitled to be informed of the appropriate guarantees for the transfer in accordance with Article 46 of the Regulation.

3. The Data Controller shall make a copy of the personal data, which is the subject of data processing, available to the person concerned. The Data Controller may charge a reasonable fee based on administrative costs for additional copies requested by the person concerned. If the person concerned has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the person concerned requests otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.

Right of cancellation (“right to forget”)

1. The person concerned has the right to request the Data Controller to delete personal data concerning him/her without undue delay, and the Data Controller is obliged to delete personal data concerning the person concerned without undue delay if any of the following reasons exists:

(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;

(b) the person concerned withdraws his/her consent under Article 6 (1) (a) or Article 9 (2) (a) of the Regulation and there is no other legal basis for the processing;

(c) the person concerned objects to the data processing pursuant to Article 21 (1) of the Regulation and there is no overriding legitimate reason to process the data, or the person concerned objects to the data processing pursuant to Article 21 (2);

(d) personal data have been processed unlawfully;

(e) personal data must be deleted in order to fulfill a legal obligation to which the data controller is subject under applicable Union or Member State law;

(f) personal data have been collected in connection with the provision of information society services referred to in Article 8 (1) of the Regulation.

2. If the Data Controller has disclosed personal data and is obliged to delete it pursuant to Paragraph 1 above, it shall take reasonable steps, including technical measures, taking into account the available technology and the costs of implementation, in order to inform the other Data Controllers, that the person concerned has requested that the links to the personal data in question or a copy or duplicate of such personal data be deleted from them.

3. Points 1 and 2 shall not apply if the processing is necessary:

(a) for the purpose of exercising the right to freedom of expression and information;

(b) for the purpose of fulfilling an obligation under Union or Member State law applicable to the Data Controller to process personal data or performing a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;

(c) in the public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the Regulation;

(d) in accordance with Article 89 (1) of the Regulation, for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in Point 1 is likely to make such processing impossible or seriously jeopardize; or

e) to submit, enforce or defend legal claims.

(Article 17 of the Regulation)

Right to restrict data processing

At the request of the person concerned, who is entitled to request the Data Controller to restrict the data processing  if one of the following conditions is met:

(a) the person concerned disputes the accuracy of the personal data, in which case the restriction shall apply for a period which allows the Data Controller to verify the accuracy of the personal data;

(b) the data processing is unlawful and the person concerned opposes the erasure of the data and instead requests that their use be restricted;

c) the Data Controller no longer needs the personal data for the purpose of data processing, but the person concerned requests them in order to submit, enforce or protect legal claims; or

(d) the person concerned has objected to the data processing in accordance with Article 21 (1) of the Regulation; in this case, the restriction shall apply for the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the person concerned.

2. Where the processing is subject to a restriction pursuant to paragraph 1, such personal data, with the exception of storage, shall be subject to the consent of the person concerned or to the submission, enforcement or protection of legal claims or the protection of the rights of another natural or legal person, or important public interest of the Union or of a Member State.

3. The Data Controller shall inform in advance the person concerned, at whose request the data processing has been restricted pursuant to Point 1, of the lifting of the data processing restriction.

(Article 18 of the Regulation)

The right to data portability

The person concerned is entitled to receive personal data concerning him/her made available to a Data Controller in a structured, widely used, machine-readable format and to transfer such data to another Data Controller without hindering from the Data Controller to whom the person concerned has provided the personal data.

(a) the data processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the Regulation or on a contract pursuant to Article 6 (1) (b); and

(b) the data processing is carried out in an automated manner.

2. In exercising the right to data portability pursuant to Paragraph 1, the person concerned shall have the right, if technically feasible, to request the direct transfer of personal data between Data Controllers.

3. The exercise of this right shall be without prejudice to Article 17 of the Regulation. That right shall not apply where data processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller.

4. The right referred to in Paragraph 1 shall not adversely affect the rights and freedoms of others.

(Article 20 of the Regulation)

Right to protest

1. The person concerned has the right to object at any time for reasons related to his/her situation to Article 6 (1) (e) of the Regulation (necessary for the performance of a task in the public interest or in the exercise of a public authority conferred on the Data Controller) or (f) (the processing is necessary for the legitimate interests of the Data Controller or a third party), including profiling based on those provisions. In this case, the Data Controller may not further process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the person concerned or which are related for the submission enforcement and protection of legal claims.

2. Where personal data are processed for the purpose of direct business acquisition, the person concerned shall have the right to object at any time to the processing of personal data concerning him/her for that purpose, including profiling, insofar as it relates to direct business acquisition.

3. If the person concerned objects to the processing of personal data for the direct acquisition of business, the personal data may no longer be processed for that purpose.

4. The right referred to in Points 1 and 2 shall be explicitly brought to the attention of the person concerned at the latest at the time of first contact and shall be clearly and separately set apart from any other information.

5. In connection with the use of information society services and by way of derogation from Directive 2002/58 / EC, the person concerned may also exercise the right to object by automated means based on technical specifications.

6. Where personal data are processed for scientific and historical research or statistical purposes in accordance with Article 89 (1) of the Regulation, the person concerned shall have the right to object to the processing of personal data concerning him/her on grounds relating to his/her situation, except if the processing is necessary for the performance of a task carried out in the public interest.

(Article 21 of the Regulation)

Automated decision making in individual cases, including profiling

The person concerned shall have the right not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effects on him/her or would be similarly significantly affected.

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for the conclusion or performance of a contract between the person concerned and the Data Controller;

(b) is governed by Union or Member State law applicable to the Data Controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the person concerned; or

(c) is based on the express consent of the person concerned.

3. In the cases referred to in points (a) and (c) of Point 2, the Data Controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the person concerned, including at least the right of the person concerned to request human intervention, and file an objection to the decision.

4. The decisions referred to in Point 2 may not be based on the specific categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies, and on the rights of the person concerned, appropriate measures have been taken to protect his/her freedoms and legitimate interests.

(Article 22 of the Regulation)

Restrictions

1. Union or Member State law applicable to a data controller or  data processor may, by legislative measures, limit the scope of the rights and obligations set out in Article 5 in respect of its provisions in accordance with Articles 12 to 22 and 34 of the Regulation and Articles 12 to 22, provided that the restriction respects the essential content of fundamental rights and freedoms and is a necessary and proportionate measure to protect in a democratic society:

(a) national security;

(b) national defense;

(c) public safety;

(d) the prevention, investigation, detection or prosecution of criminal offenses and the execution of criminal sanctions, including protection against and prevention of threats to public security;

(e) other important general interest objectives of general interest of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and fiscal matters, public health and social security;

(f) protection of judicial independence and judicial proceedings;

(g) in the case of regulated professions, the prevention, investigation, detection and prosecution of ethical misconduct;

(h) in the cases referred to in points (a) to (e) and (g), an inspection, investigation or regulatory activity connected with the performance of public authority, even occasionally;

(i) the protection of the person concerned or of the rights and freedoms of others;

(j) enforcement of civil right claims.

2. The legislative measures referred to in Point 1 shall, where appropriate, contain detailed provisions on at least:

(a) the purposes or categories of data processing,

(b) the categories of personal data,

(c) the scope of the restrictions imposed,

(d) guarantees to prevent abuse or to prevent unauthorized access or transmission,

(e) to define the Data Controller or to define the categories of Data Controllers,

(f) the duration of the data retention and the applicable guarantees, taking into account the nature, scope and purposes of the processing or categories of data processing;

(g) risks to the rights and freedoms of the person concerned; and

(h) the right of the person concerned to be informed of the restriction, unless this could adversely affect the purpose of the restriction.

(Article 23 of the Regulation)

Informing the person concerned about the data protection incident

1. If the data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the person concerned of the data protection incident without undue delay.

2. The information provided to the person concerned referred to in Point 1 shall clearly and intelligibly describe the nature of the data protection incident and shall include at least the information and measures referred to in Article 33 (3) (b), (c) and (d) of the Regulation.

3. The person concerned need not be informed as referred to in Point 1 if any of the following conditions is met: 

(a) the Data Controller has implemented appropriate technical and organizational security measures and these measures have been applied to the data affected by the data protection incident, in particular those measures such as the application of encryption, which makes the data incomprehensible to persons not authorized to access personal data;

(b) the Data Controller has taken further measures following the data protection incident to ensure that the high risk to the rights of the person concerned and freedoms referred to in Point 1 is no longer likely to materialize;

(c) the information would require a disproportionate effort. In such cases, the person concerned shall be informed through publicly available information or a similar measure shall be taken to ensure that the data subject is informed in an equally effective manner.

4. If the Data Controller has not yet notified the person concerned of the data protection incident, the supervisory authority may, after considering whether the data protection incident is likely to present a high risk, order the person concerned to be informed or establish that one of the conditions referred to in point 3 is met.

Right to complain to the supervisory authority

1. Without prejudice to other administrative or judicial remedies, any person concerned shall have the right to complain to a supervisory authority, in particular in his/her habitual residence, workplace or in the Member State where the alleged infringement took place if he/she considers that the processing of personal data concerning him/her infringes the Regulation.

2. The supervisory authority to which the complaint has been lodged shall inform the person concerned of the progress of the complaint procedure and its outcome, including the right of the person concerned to seek judicial redress under Article 78 of the Regulation.

(Article 77 of the Regulation)

Right to an effective judicial remedy against the supervisory authority

1. Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority.

2. Without prejudice to other administrative or non-judicial remedies, any person concerned shall have the right to an effective judicial remedy if the complaint is not dealt with by the supervisory authority competent under Article 55 or 56 of the Regulation, or does not inform the person concerned within three months of the progress or outcome of the proceedings under Article 77.

3. Proceedings against the supervisory authority shall be brought before a court of the Member State in which the supervisory authority has its seat.

4. Where proceedings are instituted against a decision of a supervisory authority in respect of which the Board has previously issued an opinion or decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.

(Article 78 of the Regulation)

The right to an effective judicial remedy against the data controller or processor

1. Without prejudice to available administrative or non-judicial remedies, including the right to complain to the supervisory authority under Article 77 of the Regulation, all persons concerned shall have the right to an effective judicial remedy, if the persons concerned consider that their personal rights under this Regulation have been infringed as a result of improper processing of their personal data.

2. Proceedings against the Data Controller or the Data Processor shall be brought before the courts of the Member State in which the Data Controller or the Data Processor is established. Such proceedings may also be instituted before a court of the Member State in which the person concerned has his/her habitual residence, unless the Data Controller or Data Processor is a public authority of a Member State acting in the exercise of its official authority.

 (Article 79 of the Regulation)

CHAPTER VIII.

SUBMISSION OF THE APPLICATION OF THE PERSON CONCERNED,

MEASURES OF THE DATA CONTROLLER

CHAPTER VIII.

SUBMISSION OF THE APPLICATION OF THE PERSON CONCERNED,

MEASURES OF THE DATA CONTROLLER

1. The Data Controller shall, without undue delay, but in any case within one month of receipt of the request, inform the person concerned of the action taken on his/her request to exercise his/her rights.

2. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The Data Controller shall inform the person concerned of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.

3. If the person concerned has submitted the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the person concerned requests otherwise.

4. If the Data Controller does not take action on the request of the person concerned, it shall inform the person concerned of the reasons for the non-action without delay, 

but no later than within one month from the receipt of the request, and that the person concerned may lodge a complaint with a supervisory authority and has the right to a judicial remedy.

5. The Data Controller shall provide information pursuant to Articles 13 and 14 of the Regulation and information on the rights of the person concerned (Articles 15-22 and 34 of the Decree) and the measure free of charge. If the request of the person concerned is manifestly unfounded or, in particular due to its repetitive nature, excessive, the Data Controller shall, taking into account the administrative costs involved in informing and providing the requested information or taking the requested action:

(a) charge a fee of HUF 6,350, or

(b) refuse to act on the request.

The burden of proving that the request is manifestly unfounded or excessive is on the Data Controller.

6. If the Data Controller has reasonable doubts as to the identity of the natural person submitting the request, the Data Controller may request the provision of additional information necessary to confirm the identity of the person concerned.

Globálvám Ltd.

44/A Második street, Pápa, 8500