Data management and data security policy

I. Scope of the policy

  1. The scope of these regulations covers the entire business of MODEM Modern Debreceni Nonprofit Kft., all its organizational units and all employees (hereinafter: the business).

I./a. Data Controller Information

MODEM Modern és Kortárs Nonprofit Kft.
Registered Office and Mailing Address: 4026 Debrecen, Hunyadi u. 1-3.
Email: info@modemart.hu
Phone: +36 (52) 525-017
Data Protection Officer: Dr. Márta Enyedi
Contact: adatvedelem@modemart.hu

II. Purpose of the policy

  • The purpose of the Regulations is to ensure the enforcement of the protection of personal data in accordance with the Basic Law, the implementation of information self-determination, and to define the data protection and data security rules governing data management with regard to the personal data managed by the company.

III. Governing Laws

  • During its data management, the company must act in accordance with the following legislation, in accordance with the provisions of these internal regulations:
  1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR)
  2. Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: Infotv.)
  3. Act V of 2013 on the Civil Code (hereinafter: Civil Code)
  4. Act I of 2012 on the Labor Code (hereinafter: Mt.)

IV. Interpretative provisions

  • Concepts defined in the GDPR, of which the following should be highlighted in accordance with the nature of these internal regulations:
  • personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or alteration, querying, consultation, use, communication, transmission, distribution or otherwise making available, alignment or combination, restriction, deletion or destruction.
  • data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law.
  • data processor: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.
  • recipient: the natural or legal person, public authority, agency or any other body to whom the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the handling of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the data management.
  • third party: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who have been authorized to handle personal data under the direct control of the data controller or data processor.
  • registration system: a file of personal data divided in any way – centralized, decentralized or according to functional or geographical aspects – which is accessible based on specific criteria.
  • data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
  • representative: the natural or legal person with a place of business or residence in the European Union and designated in writing by the data controller or data processor pursuant to Article 27, who or which represents the data controller or data processor in relation to the obligations imposed on the data controller or data processor pursuant to this regulation.

  • enterprise: a natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations engaged in regular economic activity.
  • data asset inventory: a document used to assess the scope and nature of personal data managed by the data controller.
  • technical and organizational measures: a properly defined procedure, taking into account the nature, scope, circumstances and purposes of the data management as well as the varying probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure and to be able to prove that the processing of personal data is carried out in accordance with the GDPR. These measures are reviewed by the data controller and updated if necessary.

V. Basic principles of data management

  • The company manages the data legally and fairly, as well as in a transparent manner for the data subject (legality, fair procedure and transparency).
  • The company collects personal data only for specific, clear and legitimate purposes, and does not handle them in a way that is incompatible with these purposes (purpose limitation).
  • The company conducts data management appropriately and relevantly in terms of its purpose(s) and limited to what is necessary (data minimisation). Accordingly, the company does not collect or store more data than is absolutely necessary to achieve the purpose of data management.
  • The company’s data management is accurate and up-to-date. The company takes all reasonable measures to ensure that personal data that are inaccurate for the purposes of data management are immediately deleted or corrected (accuracy).
  • The company stores personal data in a form that allows the identification of the data subjects only for the time necessary to achieve the purposes of personal data management, subject to the storage obligation defined in the relevant legislation (storage limitation).
  • The company ensures adequate security of personal data by applying appropriate technical or organizational measures, including protection against unauthorized or illegal processing, accidental loss, destruction or damage of personal data (integrity and confidentiality).
  • The business is responsible for compliance with the basic principles detailed above, and the business proves this compliance (accountability). Pursuant to this, the company ensures the continuous enforcement of the provisions of this internal regulation, the continuous review of its data management and, if necessary, the modification and addition of data management procedures. The company prepares documentation to prove compliance with legal obligations.

VI. Legal bases for data management

  1. The processing of personal data is only legal if and to the extent that at least one of the legal bases specified in points 13-18 (listed below) is fulfilled:
  2. The data subject has given his consent to the processing of his personal data for one or more specific purposes (hereinafter: data processing based on consent).
  3. Data management is necessary for the fulfillment of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract (hereinafter: contract-based data management).
  4. Data management is necessary to fulfill the legal obligation of the company (hereinafter: data management based on legal obligation).
  5. Data management is necessary to protect the vital interests of the data subject or another natural person (hereinafter: data management based on vital interests).
  6. Data management is in the public interest or is necessary for the execution of a task carried out within the framework of the exercise of a public power authority granted to the enterprise (hereinafter: data management based on public power authority).
  7. Data processing is necessary to enforce the legitimate interests of the company or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, especially if the data subject is a child (hereinafter: legitimate interest based data management).
  8. In relation to the management of a given set of personal data, the company always performs data management on the basis of only one legal basis. The legal basis for data processing may change during data processing.

VII. Inventory of data assets

  • The company prepares an inventory of data assets for the purpose of creating technical and organizational measures for data management in the scope of its activities, in accordance with the obligations prescribed by the GDPR and legislation. The data asset inventory contains all the data managed by the company.
  • In connection with the company’s data management activities, the following are defined in the data asset inventory:
  1. the data subject: customer
  2. name and purpose of data management: performance of auditing activities
  3. scope of processed data: name, email address, telephone number, billing address, delivery address
  4. legal basis for data management: contract
  5. duration of data management: 8 years according to the Accounting Act
  6. who can access personal data within the company’s organization: administrative staff
  7. to whom the data may be forwarded: chamber

VIII. The rights of the data subject and their enforcement

  • In accordance with the provisions of the GDPR, the company provides the following to the data subjects.

Right to information

  • The data subject has the right to information regarding all legal grounds for data processing.
  • The company provides information to those concerned in a concise, transparent, comprehensible and easily accessible format, in a clear and comprehensible manner.
  • The information must be provided in writing or in another way, including, where applicable, the electronic way.

Information at the request of the data subject

  • Verbal information can also be provided at the request of the data subject, provided that the identity of the data subject has been verified in another way.
  • The company informs the data subject without undue delay, but in any case within 30 days of receipt of the request, about the measures taken following the data subject’s request regarding other data subject rights.
  • If necessary, taking into account the complexity of the application and the number of applications, the 30-day deadline can be extended by another 60 days. The company informs the data subject of the extension of the deadline, indicating the reasons for the delay, within 30 days of receiving the request. If the data subject submitted the request electronically, the information must be provided electronically, if possible, unless the data subject requests otherwise.
  • Information and measures must be provided free of charge.
  • If the data subject’s request is clearly unfounded or – especially due to its repeated nature – excessive, the company, taking into account the administrative costs associated with providing the requested information or taking the requested measure:
  1. may charge a reasonable fee, or
  2. may refuse to take action based on the request.
  • It is the responsibility of the company to prove that the request is clearly unfounded or excessive.

Mandatory information

  • If the company has obtained the data directly from the data subject (this includes, in particular, customers), the company will definitely provide information on the following:
  1. the identity and contact details of the company’s representative, if any;
  2. the contact details of the data protection officer, if any;
  3. the purpose of the planned processing of personal data, as well as the legal basis for data processing;
  4. in the case of data processing based on legitimate interest, the legitimate interests of the company or a third party;
  5. where applicable, recipients of personal data;
  6. where appropriate, the fact that the company wishes to transfer personal data to a third country or international organization.
  • At the time of the first acquisition of personal data, in addition to the above, the company also informs the data subjects of the following:
  1. on the duration of storage of personal data;
  2. on the data subject’s right to request from the company access to personal data relating to him or her, their correction, deletion or restriction of processing in the case of data processing for certain legal bases, and to object to the processing of such personal data in the case of data processing for certain legal bases, as well as the data subject’s right to data portability;
  3. the right to revoke data processing based on consent at any time, which does not affect the legality of data processing carried out on the basis of consent before the withdrawal;
  4. on the right to submit a complaint addressed to the supervisory authority (National Data Protection Authority, hereinafter: Authority or NAIH);
  5. about whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract, as well as whether the data subject is obliged to provide personal data, and what possible consequences the failure to provide data may have.
  • If the company intends to carry out further data processing of personal data for a purpose other than the purpose of their collection, it shall inform the data subject of this different purpose and of all relevant additional information mentioned in point 34 prior to further data processing.
  • The company can fulfil the mandatory information obligation in several ways:
  1. The company publishes the information contained in point 34 (“Data Management Information”) on its website in such a way that it can be easily found and accessed by anyone.
  2. In addition to or instead of publication on the website, the company may choose to make the “Data Management Information” available as an attachment to the contract. In this case, it is sufficient to make the Data Management Information available to the relevant circle of data subjects. The “Data Management Information” cannot form part of the General Terms and Conditions (GTC).

  • If the company did not obtain the data handled as part of its activities based on legal obligations directly from the data subject, then the company does not have the obligation to provide information to the data subject as described in points 33 and 34.

Right of access

  • The data subject is entitled to the right of access in relation to all legal grounds for data management.
  • The data subject has the right to receive feedback from the company as to whether his personal data is being processed, and if such data processing is underway, he is entitled to access the personal data and the following information:
  1. the purposes of data management;
  2. categories of personal data concerned;
  3. recipients or categories of recipients to whom or to which the company has disclosed or will disclose the personal data;
  4. where appropriate, the planned period of storage of personal data;
  5. the right of the data subject to request from the company the correction of personal data relating to him, the deletion or restriction of the processing of this data in the case of data processing tied to certain legal bases, and the right to object to the processing of such personal data in the case of data processing tied to certain legal bases;
  6. the right to submit a complaint to the supervisory authority;
  7. if the data were not collected from the data subject, all available information about their source;
  8. the fact of automated decision-making, including profiling, as well as, at least in these cases, comprehensible information about the logic used and the significance of such data management and the expected consequences for the data subject.
  • The company provides a copy of the personal data that is the subject of data management to the data subject.
  • For additional copies requested by the data subject, the company may charge a reasonable fee based on administrative costs, the amount of which is contained in the company’s pricing regulations, other regulations, or other documents.

Right to rectification

  • The data subject has the right to rectification in relation to all legal grounds for data processing.
  • In the event of a request to this effect from the data subject, the company shall correct inaccurate personal data concerning the data subject without undue delay. The data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.

Right to erasure (right to be forgotten)

  • The data subject does not automatically have the right to erasure (to be forgotten) in relation to data management based on all legal grounds.
  • The company will delete the personal data of the data subject without undue delay if one of the following reasons exists:
  1. the personal data are no longer needed for the purpose for which they were collected or otherwise processed;
  2. the data subject withdraws the consent that forms the basis of the data management (in the case of data management based on consent), and there is no other legal basis for the data management;
  3. the data subject objects to the data processing, and there is no overriding legal reason for the data processing in the case of the data processing legal bases applied according to points 17 and 18 (data processing based on public authority authorization or legitimate interest);
  4. personal data has been processed illegally;
  5. personal data must be deleted in order to fulfill the legal obligation prescribed by EU or member state law applicable to the company.
  • The company will not comply with the data subject’s request for deletion if the data management is necessary to fulfill the legal obligation applicable to the company that requires the processing of personal data.
  • If the company receives a deletion request, the first step is to check whether the request really originates from the data subject. To this end, the business may request data identifying the existing contract between the data subject and the business (for example, contract number, contract date), the identification number of the document issued to the data subject by the business, and the personal identification data registered about the data subject (however, the business may not request additional data that is not registered about the data subject).
  • If the company has to comply with the deletion request, it is obliged to do everything possible to ensure that the personal data is deleted from all databases.
  • The company records the deletion in a protocol in order to be able to prove that the deletion took place. The protocol is signed by the representative of the company or by the person(s) who has the right to do so based on their job description. The deletion protocol includes:
  1. the name of the person concerned
  2. the deleted personal data type
  3. the date of deletion.
  • The company informs all those to whom the personal data has been forwarded about the obligation to delete.

The right to restrict data processing

  • The data subject has the right to restriction in relation to all legal grounds for data processing.
  • The company restricts data processing at the request of the data subject if one of the following is true:
  1. the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows the company to verify the accuracy of the personal data;
  2. the data processing is illegal and the data subject opposes the deletion of the data and instead requests the restriction of its use;
  3. the company no longer needs the personal data for the purpose of data management, but the data subject requires them to submit, enforce or defend legal claims; or
  4. the data subject objected to the data processing in the case of data processing legal bases applied in accordance with points 17 and 18 (data processing based on public authority or legitimate interest); in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the business take precedence over the legitimate reasons of the data subject.
  • If data management is subject to restrictions based on the previous point, such personal data, with the exception of storage, will only be processed with the consent of the data subject, or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of another natural or legal person, or in the important public interest of the European Union or a member state.
  • The company informs all those to whom the personal data has been transmitted about the restriction.

Right to object

  • The data subject has the right to object in the case of data processing legal grounds based on public authority or legitimate interest.
  • In the event of an objection from the data subject, the company may no longer process the personal data, unless it proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are connected to the presentation, enforcement or defense of legal claims.
  • If personal data is processed for the purpose of direct marketing, the data subject has the right to object at any time to the processing of his personal data for this purpose.
  • If the data subject objects to the processing of personal data for the purpose of direct marketing, then the personal data may no longer be processed for this purpose.

Right to data portability

  • The data subject has the right to data portability in the case of data processing based on consent or a contract, if the data processing takes place in an automated manner.
  • The company ensures that the data subject receives the personal data he/she has provided to the company in a structured, commonly used, machine-readable format, and that the data subject may forward this data to another data controller.

IX. Registration of data management activities

  • The company records the data management activities in accordance with the principle of accountability in order to be able to monitor and verify compliance with the GDPR.
  • The company keeps at least the following records of the data management activities carried out under its responsibility:
  1. record of data transfers
  2. register of applications for the enforcement of data subject rights and the responses given by the company
  3. register of official inquiries and the responses given by the company
  4. register of requests for the termination of data management
  5. customer register
  6. register of inquiries for marketing purposes
  7. register of the management of personal data related to the employment relationship
  8. employment record
  9. register of data protection incidents.
  • The company keeps records of the data management activities carried out under its responsibility, as specified in point 62, with the following content:
  1. the name and contact information of the business and, if any, the name and contact information of the representative of the business and the data protection officer;
  2. the purposes of data management;
  3. description of categories of data subjects and categories of personal data;
  4. categories of recipients to whom the personal data is or will be communicated
  5. where applicable, information on the transfer of personal data to a third country or international organization;
  6. if possible, deadlines for erasure of different data categories;
  7. if possible, a general description of the technical and organizational measures.
  • If the company also performs activities as a data processor, the company keeps records of all categories of data management activities performed in that capacity. This register contains the following information:
  1. the name and contact information of the data processor or data processors and their representatives;
  2. categories of data management activities performed on behalf of the business;
  3. where appropriate, the transfer of personal data to a third country or international organization.
  • The records are kept by the company in writing, on paper or in electronic format.

X. Data Security Provisions

  • The company implements appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management and the varying probability and severity of the risk posed to the rights and freedoms of natural persons, in order to guarantee a level of data security corresponding to the degree of risk.
  • Pursuant to the above, the company is obliged to guarantee the confidentiality, integrity and availability of the data it manages.
  • In order to determine the appropriate level of data security measures, the company evaluates each data file in its management from the point of view of the need for protection and classifies it into a security level.
  • In order to determine the security level of individual data management, it is necessary to analyze:
  1. the risk and expected damage associated with the unauthorized access, change, deletion of personal data handled, damage to hardware and software devices;
  2. whether a damaged data file can be restored, as well as possible restoration costs, the availability of data sources necessary to reproduce personal data, the possibility of replacing lost data from manual background records;
  3. whether, in view of the nature of the handled personal data, it is justified to apply differentiated security standards;
  4. other risk elements endangering data security.
  • In order to ensure the security of data management, the company uses a combination of physical, logical and administrative controls.
  • The enterprise applies at least the following physical controls:
  1. the business ensures that unauthorized persons cannot enter its building/office by operating an access control system capable of filtering the entry of unauthorized persons [this can be the operation of an electronic access control system; or simple key entry, where the key is only available to those authorized to enter; or any other method that ensures the achievement of the goal];
  2. in order to avoid unauthorized access to the data it handles both electronically and on paper, the company ensures that no unauthorized person can physically access the data [locking offices and server rooms; application of monitor privacy foils; placement of monitors in such a way that only authorized persons can see the data on them; only company-audited data carriers may be connected to the computers; or any other method that ensures the achievement of the goal].
  • The company applies at least the following logical controls:
  1. the enterprise ensures that the data it manages can only be accessed by those with the appropriate authorization [determination of authorization levels by job; setting access to computer databases according to authorization levels; tying access to the internal computer network to a username and password; or any other method that ensures the achievement of the goal].
  • The enterprise applies at least the following administrative controls:
  1. the company ensures that any access to personal data can be tracked in documentation [activity logging; logging entry into the building/office (even on a paper basis); or any other method that ensures the achievement of the goal];
  2. the company ensures the establishment of a document management procedure so that documents containing personal data received by it in error are filtered out as soon as possible and are known to the smallest possible circle of personnel [the recipient forwards the document to the employee assigned to this task; or any other method that ensures the achievement of the goal].

XI. Management of data protection incidents

  • In the absence of appropriate and timely measures, a data protection incident can cause physical, financial or non-financial damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or identity abuse, financial loss, damage to reputation, damage to the confidential nature of personal data protected by the obligation of professional confidentiality, or other significant economic or social disadvantage affecting the natural persons in question.
  • The company shall report the data protection incident to the authority without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident.
  • The data protection incident does not have to be reported to the authority if the data protection incident is not likely to pose a risk to the rights and freedoms of natural persons.
  • If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.
  • If it is necessary to report the data protection incident to the authorities, then in the report:
  1. the nature of the data protection incident must be described, including – if possible – the categories and approximate number of affected persons, as well as the categories and approximate number of data affected by the incident;
  2. the name and contact details of the data protection officer or other contact person providing additional information must be provided;
  3. the likely consequences of the data protection incident must be described;
  4. the measures taken or planned by the company to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
  • If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the company shall inform the data subject of the data protection incident without undue delay.
  • In the information according to point 79, the nature of the data protection incident must be clearly and comprehensibly explained to the data subject, and the following must be communicated:
  1. the name and contact details of the data protection officer or other contact person providing additional information;
  2. the likely consequences of the data protection incident must be described;
  3. the measures taken or planned by the company to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
  • The data subject does not need to be informed if any of the following conditions are met:
  1. the enterprise has implemented appropriate technical and organizational protection measures and applied these measures to the data affected by the data breach, in particular measures – such as the use of encryption – that make the personal data unintelligible to persons not authorized to access it;
  2. following the data protection incident, the company has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future;
  3. providing information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.
  • If the company also performs data processing activities, it shall immediately inform the data controller for whom it performs the data processing activities of the data protection incident that occurred.
  • If the company employs a data processor, it must be stipulated in the data processing contract that the data processor is obliged to immediately notify the company of any data protection incident that has occurred.

XII. Management of customer data

  • The company carries out its activities, which are based on legal obligations, on the basis of a written contract. The legal basis for data processing is the contract, with respect to the party signing the contract and the personal data relating to that party.
  • The legal basis for the processing of personal data that becomes accessible to the company in the context of the performance of the contract according to the previous point (such as the contact data included in the contract or the personal data that is necessary or deemed necessary to know during the performance of the task in accordance with the legal regulations and professional guidelines and requirements of the auditing activity based on legal obligation) is based on the legitimate interest of the business. In accordance with the provisions of the GDPR, in this case it is necessary to carry out the following interest assessment test:
  1. subject of data management
  2. determination of the legal basis of the legitimate interest
  3. the personal data to be handled
  4. purpose of data management
  5. designation of the legitimate interest of the enterprise
  6. the rights of the data subjects that may be infringed
  7. consideration of interests
  8. the measures and guarantees the company applies in order to adequately protect the personal data collected in this way.
  • The interest assessment test(s) carried out regarding the management of the scope of the given personal data are attached to these regulations.

XIII. Employment-related data management

  • The company includes the information specified in points 33 and 34 regarding job applications in the “Data Management Information” according to point 36. In the job application it publishes, the company refers to the “Data Management Information” by indicating the contact information. If the company has not made the “Data Management Information” available electronically, it will include the relevant provisions in the job application.
  • If the company wishes to store the documents submitted by the job applicant even after the job application has been filled, the job applicant’s consent must be requested. The consent must be voluntary, specific, based on adequate information and clear. For this purpose, the declaration of consent must contain at least the following:
  1. the identity and contact details of the company’s representative;
  2. the purpose of the planned processing of personal data [for example, a subsequent request to fill a newly opened position] , as well as the legal basis for data processing (consent-based);
  3. the period of storage of personal data;
  4. the data subject’s right to request from the company access to personal data relating to him, their correction, deletion or restriction of processing;
  5. the data subject’s right to withdraw their consent at any time, which, however, does not affect the legality of data processing carried out on the basis of consent before the withdrawal;
  6. the right to lodge a complaint with the authority.
  • After the evaluation of the application, the data carriers containing the personal data of the unsuccessful applicants must be returned to the applicant within 90 days at their request, or destroyed in the absence of the applicant’s consent to the use of their personal data in further applications. A record of the destruction (deletion) must be drawn up.
  • The company manages the employees’ data based on the relevant provisions of the Mt. and informs them in the manner specified in the Mt., in compliance with the data management principles contained in the GDPR.
  • The company informs employees of the identity of the data processors it uses and of the scope of the data transmitted to them.
  • The following legal bases may typically arise during data processing in the employment relationship:
  1. contractual [the employment contract]
  2. based on legal obligation [e.g. taxation, alimony deduction]
  3. based on legitimate interest [for example data related to workplace monitoring].
  • If the company manages data on the basis of point 92 c), then in accordance with the provisions of the GDPR, it is necessary to carry out the following interest assessment test:
  1. designation of the legitimate interest of the enterprise
  2. the data subjects affected and the rights that may be infringed
  3. consideration of interests
  4. the measures and guarantees the company applies in order to adequately protect the personal data collected in this way.
  • The interest assessment test(s) carried out regarding the handling of the scope of the given personal data must be made available to the employees [for example via an internal network, as an attachment to the employment contract].

XIV. Provisions regarding the use of the data processor

  • If the data processing is carried out by someone else on behalf of the company [for example, payroll, server service, website operation], the company may only use data processors who provide adequate guarantees that the data processing meets the requirements of the GDPR and that the rights of the data subjects are protected by appropriate technical and organizational measures.
  • The data processor may not use additional data processors without the company’s prior written authorization on a case-by-case or general basis.
  • In relation to the data processing carried out by the data processor, the company and the data processor enter into a contract. This contract defines the subject, duration, nature and purpose of data management, the type of personal data, the categories of data subjects, as well as the obligations and rights of the company.
  • The contract according to the previous point stipulates in particular that the data processor:
  1. handles personal data solely on the basis of the written instructions of the company;
  2. ensures that the persons authorized to handle personal data undertake a confidentiality obligation or are subject to an appropriate confidentiality obligation based on legislation;
  3. applies at least the level of data security measures required by the company;
  4. respects the conditions mentioned above regarding the use of additional data processors;
  5. taking into account the nature of the data management, assists the company with appropriate technical and organizational measures, to the extent possible, in fulfilling its obligations to respond to requests related to the exercise of the rights of the data subject;
  6. helps the company fulfill its obligations relating to data protection incidents, taking into account the nature of the data management and the information available to the data processor;
  7. undertakes to inform the company immediately in the event of a data protection incident;
  8. after the completion of the provision of the data management service, based on the company’s decision, deletes or returns all personal data to the company and deletes existing copies, unless EU or member state law requires the storage of the personal data.
  • The data processor and the person with access to personal data may only handle this data in accordance with the company’s instructions.

XV. Implementing and closing provisions

  1. These regulations enter into force on May 25, 2018.

Appendix No. 1

Interest assessment test regarding contractual contact data

Subject of data management: Management of certain personal data of contact persons (hereinafter: data subjects) included in the contract for the provision of the company’s activities (hereinafter: contract)

Legitimate interest legal basis: After examining the provisions of Article 6 of the GDPR, the company came to the conclusion that the lawfulness of processing the data of natural persons (data subjects) who are not included in the contract as a signatory party can be based, under Article 6(1)(f) of the GDPR, on the legitimate interest of the data controller.

Personal data to be processed: Name, work telephone number and work e-mail address of the contractual contact person (data subject). The personal data is made available by the person who signs the contract as a client of the data controller.

Purpose of data management: Contact necessary to fulfill the obligations contained in the contract.

Legitimate interest: Facilitation of the effective fulfillment of the terms of the contract by the enterprise.

Rights of the data subject that may be infringed: Right to bear one’s name; identification of a natural person on the basis of other data

Consideration of interests: It is in the interest of the company to carry out its activities as efficiently as possible, to achieve the goal of being able to devote adequate time to the professional fulfillment of its obligations under the contract. Administrative tasks and needs related to the performance of the contract (e.g. procurement of documents) can be realized and satisfied as efficiently as possible if the contact is with a person employed by the company’s client who is responsible for these tasks and is competent to perform them. The company has a relevant and appropriate relationship with the data subject, since the data subject is employed by the client of the data controller.

Guarantees: The company only processes the data of the data subject in order to fulfill the terms of the contract.

The company is also bound by the confidentiality provisions contained in the contract.

The company has a strict internal data management procedure in force; only authorized persons have access to the data, and the data is not transmitted.

Summary: Based on the above, the company considers that it has a legitimate interest in managing the data of the contact persons included in the contract with the customer, and that this legitimate interest is not overridden by the rights and freedoms of the individual.