Our limited company as manager thereof, defines the aims and manners of the management of personal data on its own or together with others, and as the processor of data manages personal data in the name of the data manager.
Data management is the total of any automated or non automated operations, thus: collection, recording,cataloguing, segmentation, storage, transformation or modification, query,access, usage, disclosure, forwarding, distribution, or provision of access by any other means, co-ordination, connection, restriction, deletion, and destruction respectively.
Data processing is a technical type of data management, there is no right over the disposal or decision over the rights.
Any kind of information is classified as personal data about the natural identified or identifiable person („the person concerned“). Identifiable is the natural person who in a direct or indirect manner can be identified based especially on some kind of identification such as name, identification number, location defininig data online identification, or the multiple identification factors pertaining to the natural person’s physiological, genetical, intellectual, economical, cultural or social identity.
Our company respects both as data manager and data processor the private sphere of all those persons who pass personal data on to us, and we are dedicated to protecting these data.
I.
Based on article 13 of the GDPR our company provides the following information to the persons concerned:
The data of the data manager:
Company name: Minorits Machinery Production Kft.
Company seat: 8676 Karád, Kossuth Lajos u. 39.
Website: www.minorits.hu
Contact person: Fürj Erzsébet
Telephone: 0036/20 269 2297
E-mail: office@minorits.hu
Data processing:
the data processing is not made use of,
or
the persons who carry out data processing:
contact details: ……………
contact details: ……………
The person who processes the data can exclusively carry out orders which have been recorded in writing.
A written agreement must be drawn up between the person managing and the person processing the data, the agreement must include the data transferred by the person managing the data and the person processing the data, as well as the activity carried out with the data.
The employees handling personal data management are bound by confidentiality.
In the interest of guaranteeing the safety of the data, the person carrying out the processing of the data also executes the organisational and the technical measures.
The person processing the data helps the person managing the data to fulfill his obligations.
Based on the decision of the person who manages the data, the person who processes the data transfers all personal data back to the data manager or deletes the existing copies with one exception: in case Member State Law or European Union Law prescribes the storage of the data.
The person processing the data helps and ensures the audits and the local inspections carried out by the data manager or the auditor accredited by the data manager.
In the event that the data processing person takes on the help of yet another data processing person, than that person is under the same obligations as the original contracting parties through the aforementioned written agreement drawn up between the person managing the data and the person processing the data.
Data protection officer:
- Based on article 37 of the GDPR our company is not obliged to appoint a data protection officer
or
- data protection officer: Fürj Erzsébet
contact: 0036/20 269 2297
Data protection requests: in the event that you have any requests or questions in connection with data management send us your query by mail to: a 7453 Mernye, Petőfi Sándor u. 50/C or electronically to office@minorits.hu. We will send you our reply without delay, but at most within 30 days to the address defined by you.
Transfer of data abroad:
- transfer abroad does take place: the data are transferred outside the European Economic Area (EEA): even in this case the data protection rights of those concerned are not infringed, the level of protection remains the same.
Its warranties: certificates and code of conduct
We exclusively forward personal data to an area outside the EEA area if the third country is able to provide an adequate protection level, the ability of which is determined by European Commission.
- The country outside the EEA to which we forward data: Serbia
the country of Serbia meets the necessary level and is on the list of the countries of the Commission which can be regarded as safe.
- The country outside the EEA where we forward data: USA.
In the USA, it is the addressee Company which assures to adhere by the conditions laid down in the Privacy Shield Agreement.
or:
The addressee Company in the USA cannot ensure that it will adhere to the conditions laid down in the Privacy Shield Agreement, but it complies with the following conditions, and based on this, the personal data can be forwarded:
- the parties apply the conditions defined in the data protection agreement of the European Commission or;
- the parties apply Binding Corporate Rules (BCR) as approved by the Data Protection Authority or;
- the data gets forwarded to an enterprise which has already joined an approved code of conduct or;
- the company has an approved certification mechanism.
II.
Our company’s aim, legal basis and duration of data management:Aims of data management:
Our company carries out data management for the following purposes in conformity with regulations:
- a) for the provision of machinery production services we manage the data of our customers out of legal obligation and the maintenance of customer relations ;
- b) as marketing activity for possible clients;
- c) the management of the data of employees and applicants (with conditions defined in a separate regulation );
- d) the management of the contact details data of our contractual partners with the purpose of performing the contract ;
- e) fulfilling the orders of our customers;
Legal basis of data management:
GDPR 6th article (1) section point a) : consent of the person concerned
GDPR 6th article (1) section point b) pont: necessary for contract performance
GDPR 6th article section (1) point c) : necessary to fulfill legal obligations
GDPR 6th article section (1) point a) : rightful interest, discretion of interest is always needed
The legal basis of the particular data management activities:
a) the filling out of invoices in conformity with the regulations of accountancy: legal basis: GDPR 6th article section (1) point c)
b) contact: legal basis: (the data of the employees of the partners and the data management thereof: a) legal basis: GDPR 6th article section (1) point f). The rightful interest of the data manager: continuity of the course of business .
management of the data of employees: legal basis: GDPR 6th article section (1) points b), c).
management of the data of our contractual partners: legal basis: GDPR 6th article section (1) point b)
marketing activity: legal basis: GDPR 6th article section (1) point a).
For marketing activity purposes our facebook webpage is also under operation, however, no independent data base is established and no profile creation is done.
f) on-line registration legal basis: GDPR 6th article section (1) point a)
the operation of a security camera legal basis: GDPR 6th article section (1) point f) The rightful interest of the data manager: protection of assets, in the case of employees it is the rightful interest of the employer as defined in the Employment Code.
In case of the management of the personal data on a legal basis of the person concerned, we carry out a discretion of interest, during the course of which:
- we identify and record the rightful interest
- we identify and record the interests and rights of the person concerned
- necessity and proportionality , discretion of interest based on boundness to purpose, data frugality, discretion on the basis of the principle of limited storage
- we inform the person concerned about the discretion of interest
The person concerned has the right to protest, based on which we will not continue to manage the personal data further, except if the management of data is made necessary by a coercive reason (eg. data in connection with employment that are necessary to manage )
There is no coercive reason in the case of direct marketing, in the event of protestation, the data must be deleted. (Direct marketing includes the advertisements which seek out the potential clients directly. This can happen electronically, by a phone call, by mail, etc. Each method has its valid regulations. The person concerned here will be the adressee of the advertisement, that is, the person who the ad will reach or at who it is directed. The personal data of the person concerned can be mangaged eg: by the oprator of a webpage or a webshop.)
The duration of data management :
Out of legal obligations we keep the invoices for at least 8 years. The storage of the documents which are the basis of the filled out invoices is 8 years.
The storage of the documents which are the basis of the employment relationship is: 50 years.
The period for storing the data provided for contact purposes is 1 year after the contact has ceased.
Storage of data related to contract performance: 5 years.
III.Rights of persons concerned :In connection with personal data the person concerned has righs laid down in the regulations.
a) right to access (getting to know the data, the fact, whether data management takes place) ;
b) the correction of a data in case it is obsolete or incorrect ;
c) deletion (exclusively in the case of data management based on consent);
d) restriction of the management of the data;
e) prohibition of the use of personal data for direct marketing purposes ;
f) the transfer of personal data to a third party service provider or the prohibition thereof ;
g) requesting a copy of personal data from any data management; or
h) protestation about the use of personal data.
IV.
Data management incident:
A damage to the safety of data which results in the accidental or illegal destruction, loss, modification, unauthorized publication or illegal access to the managed personal data.
Our company ensures the data safety adequate to the risk extent connected with data management, in case of damage thereto, our data protection officer or in case there is no data protection officer the data manager/processor will report the incident without deley but within 72 hours by the latest after becoming aware of it, to the authorities, and will likewise inform the persons concerned.
Our company will immediately take the necessary security measures after it has become aware of the data protection incident, to stop and remedy the damage which was the basis of the incident.
The persons concerned will be informed about the measures carried out and their results.
V.
Legal Remedy Information:
Hungary’s data protection supervisory authority is: : Nemzeti Adatvédelmi és Információszabadság Hatóság or National Data Protection and Free Information Authority (hereafter: NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, e-mail address: ugyfelszolgalat@naih.hu). The person concerned can lodge a complaint with NAIH in case, in his/her opinion the management of the personal data pertaining to him/her is not in conformity with legal regulation obligations.
Based on the decision of NAIH a judicial review may be initiated.
VI.
Information about registries:
Our company manages and processes the data legally, transparently and controllably in the interest of this we manage the following registries:
1. registry of data management
-until GDPR comes into effect NAIH administers it based on §65 of Information Law or Infotv.
its contents are:
series number
activity
managed data
data management purpose
legal base for data management
manner of storage and duration
name and contact details of data manager
name and contact details of data protection officer
forwarding of data, addressees,
technical and organisational measures
the registration of data management has to be administered separately as an activity.
2. registry of data forwarding
its contents:
series number
date
addressee
forwarding of data to a third country
sphere of personal data
purpose of data management/processing
legal basis of data management/processing
name and contact details of data manager
name and contact details of data protection officer
technical and organisational measures
tentative deadline set for the deletion of data
other data defined in legal regulations (eg: chamber identification number of auditor .
3. registry of the stopping of data management
its contents:
series number
date of request
name of the person concerned , identification data
content of request
name of measure taken
date of measure taken
name and contact details of data manager
name and contact details of data protection officer
4. registry of data protection incidents
its contents:
series number
time of incident
name of incident
persons concerned
personal data concerned
effect of incident
measures taken
name and contact details of data manager
name and contact details of data protection officer
5. registry of queries and anwers to authorities by the persons concerned
its contents:
series number
topic and time of query
sphere of persons concerned
personal data concerned
measures taken
name and contact details of data manager
name and contact details of data protection officer
6. registry of activity of data protection officer
its contents:
series number
time of activity
activity
compliance-control
effect examination-remark
co-operation with supervising authority
7. registry of „lost data”, queries
its contents:
series number
arrival date
topic of request
measure taken (eg. return)
name and contact details of data manager
name and contact details of data protection officer
8. registry of advanced data protection effect-examination előzetes
its contents:
series number
time of effect examination
description of operations,purpose of data management, rightful interest
examination of necessity, proportionality
analysis and management of risks
name and contact details of data protection officer
opininion of data protection officer
Date : Mernye, 25 th May, 2018
