Data protection and data processing policy

APPLICATION OF THE DATA PROTECTION AND DATA PROCESSING POLICY

Name of entity:	META-VULK KORLÁTOLT FELELŐSSÉGŰ TÁRSASÁG
Registered seat of entity:	1222 Budapest, Zentai u. 43.
Person responsible for the content of the policy:	Csikós András managing director Csikó Bors managing director
Effective date of the policy:	May 25, 2018.

This regulation sets forth the rules for the protection of natural persons with regard to the processing of personal data and on the free movement of personal data. The provisions of the policy are to be applied in actual data protection operations and when issuing instructions and information that regulate data protection.

The obligation to employ (appoint) a data protection officer is valid for public authorities or any other bodies performing public functions (independently of what data they process), and for any other entity whose main activity is the systematic, large-scale surveillance of people, or where the special categories of personal data are processed in large quantities.

This organization does not employ a data protection officer.

The Data Protection Declaration and the Data Protection Information form an integral part of this Data Protection Policy.

SCOPE OF THE POLICY

This policy is valid until revoked and is to be applied for the officials and employees of the entity.

Budapest, May 25, 2018.

1) Purpose of the policy

The purpose of this policy is to harmonize the internal rules of the other regulations of the organization with regard to data protection operations to ensure the protection of the fundamental rights and freedoms of natural persons, and to ensure that personal data are processed appropriately.

The organization intends to fully comply with the legal obligations related to the processing of personal data, with special regard to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council.

Furthermore, this policy also aims to enable the employees of the organization to lawfully process the data of natural persons by becoming aware of and complying with this policy.

2) Important terms and definitions

• GDPR (General Data Protection Regulation) is the new data protection regulation of the European Union;
• controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
• data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
• personal data: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
• third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
• consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• restriction of processing: means the marking of stored personal data with the aim of limiting their processing in the future;
• pseudonymization: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
• filing system: means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
• personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

3) Principles of data processing

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Personal data shell be collected specified, explicit and legitimate purposes.

Personal shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Personal data shall be accurate and shall be kept up to date. Inaccurate personal data shall be erased without delay.

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

The principles of data protection shall be applied to every information that relates to identified or identifiable natural persons.

The employee of the organization performing data processing operations has disciplinary, liability, punitive and criminal responsibility for the lawful processing of the personal data. If the employee discovers that the personal data being processed is incorrect, deficient or outdated, he or she shall rectify it or request the administrator recording the data to rectify it.

4) Processing of personal data

Since natural persons can be associated with the online identifiers revealed by the devices, applications, equipment and protocols they use, e.g. IP addresses and cookie identifiers, these data, when combined with other information, can be used to create and are suitable for profiling natural persons and to identify a specific person.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

Data subject’s acceptance of the data processing includes the data subject ticking a box when visiting an Internet website. Silence, pre-ticked boxes or inactivity do not therefore constitute consent.

Consent is also given when a user, while using the electronic services, chooses technical settings for these services or makes another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.

Personal data concerning health include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. These include the following:

• registration for the provision of health care services;
• a number, symbol or data assigned to a natural person to uniquely identify the natural person for health purposes;
• information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples;
• any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles.

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for the processing.

Every reasonably measure must be taken in order to rectify or erase inaccurate personal data

5) Lawfulness of data processing

Data processing is lawful where one of the following applies:

• the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

In accordance with the above, data processing is lawful when it becomes necessary in the framework of a contract or an intention to enter into a contract.

Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law.

The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.

Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security by public authorities, by computer emergency response teams, network security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required.

The processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognized religious associations, is carried out on grounds of public interest.

6) Consent of data subject, conditions

• If the data processing is based on consent, data controller shall be obliged to be able to prove that the data subject has consented to the processing of his or her data.
• If data subject provides his or her consent in the framework of a written declaration that relates to other matters as well, the request for consent should be communicated in a way that is clearly distinguishable from other matters.
• The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. Withdrawing the consent shall be made as easy as giving the consent.
• When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
• In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited, except where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

Processing of personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority.

7) Data processing that does not require identification

If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain additional information.

Where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible.

8) Rights of and information provided to the data subject

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.

If the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardized icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.

The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case.

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. Every data subject should therefore have the right to know the purposes for which the personal data are processed, where possible the period for which the personal data are processed.

In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, or where a data subject has withdrawn his or her consent to the processing of personal data concerning him or her.

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing of the personal data concerning him or her at any time and free of charge.

9) Supervising personal data

In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Deadline for the periodic review established by the leader of the organization: 1 year.

10) Responsibility of the data controller

Data controller implements internal data protection rules to ensure lawful data processing. These rules are to be applied in connection with the authority and responsibility of controller.

Data controller is responsible for implementing effective and proper measures and being able to demonstrate that its data protection operations comply with the effective legislation.

These rules must be determined with regard to the nature, scope, context and purposes of processing, as well as the risks affecting the rights and freedoms of natural persons.

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures. Based on these rules, other internal rules will be reviewed and updated where necessary.

Data controller or processor shall maintain appropriate records on the data processing operations carried out in its responsibility. Every data controller and data processor shall be obliged to cooperate with the supervisory authorities and on request make these records available with the purpose of monitoring those data processing operations.

11) Rights in connection with data processing

Right to request information

Any person may request information via the contact details provided with regard to which of his or her personal data are processed by the organization and on what legal grounds, for what data processing purpose, from which source and for how long. On his or her request, information must be sent without delay, but not later than within 30 days, to the contact details he or she has provided.

Right to rectification

Any person may request data controller via the contact details provided to rectify any of his or her data. On his or her request, measures must be taken without delay, but not later than within 30 days, and information must be sent to the contact details he or she has provided.

Right to erasure

Any person may request data controller to erase any of his or her data via the contact details provided. On his or her request, this must be performed without delay, but not later than within 30 days, and information must be sent to the contact details he or she has provided.

Right to blocking and restriction

Any person may request data controller to block access to any of his or her data via the contact details provided. Access shall be blocked as long as the reason provided necessitates such blocking. On his or her request, this must be performed without delay, but not later than within 30 days, and information must be sent to the contact details he or she has provided.

Right to object

Any person may object to his or her data being processed via the contact details provided. Objection shall be reviewed within the shortest possible time after the request has been submitted, but not later than within 15 days, and decision shall be made whether the case is well-founded and information shall be sent to the contact details provided.

Enforcement of rights in connection with data processing

National Authority for Data Protection and Freedom of Information

Postal address: 1530 Budapest, Pf.: 5.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
URL https://naih.hu

Data subject has the right to turn to the court if his or her rights have been violated. The court will act with emergency. The data subject, at their discretion, may file the case at the court with jurisdiction at his or her residence or at his or her temporary residence.

12) Responsibilities of the organization to ensure suitable data protection

• Data protection awareness. Professional preparedness must be ensured to achieve compliance with the legislation. Employees must be trained professionally and must be aware of the policy.
• The purpose, criteria of the data processing and the concept of the processing of personal data must be overviewed. Lawful data processing must be ensured in compliance with the data protection and data processing policy.
• Providing proper information to the data subject. Care must be taken with regard to the fact that – if processing is based on consent – in case of a doubt the controller must be able to prove that the data subject has consented to the data processing.
• Information provided to the data subject must be concise, easy to access and easy to understand, therefore it must be written and displayed in clear and understandable terms.
• Transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes. Such information must be provided prior to the beginning of the processing, and data subject has the right to be informed until the processing has terminated.
• Data subject affected by the processing has the following rights:
  • access to the data concerning him or her;
  • rectification of personal data;
  • erasure of personal data;
  • restricting the processing of personal data;
  • objection to profiling and automated data processing;
  • right to data portability.
• Data controller shall inform data subject without delay but not later than one month after the request has been received. Where necessary, having regard to the complexity of the request and the number of the requests, this deadline may be prolonged by two months. The obligation to provide information may be complied with by implementing a secure online system where the data subject may easily and quickly access the necessary information.
• The data processing performed by the organization must be reviewed and the right to informational self-determination must be ensured. Where data subject withdraws his or her consent that provided the grounds for processing, his or her data must be erased without delay when requested by the data subject.
• Data subject’s consent should unmistakably reveal that data subject has consented to the processing. If the processing is based on data subject’s consent, in case of a doubt the controller must be able to prove that the data subject has consented to the data processing operations.
• Where personal data of children are processed, extreme care should be taken to comply with the rules of processing. In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
• Unlawful processing of personal data must be reported to the supervisory authority. Controller must – if possible, within 72 hours of becoming aware of the personal data breach – file a report to the supervisory authority, except where the personal data breach will likely not generate risks with regard to the rights of the natural person.
• In certain cases, it may be justified to perform a data protection impact assessment prior to processing. The impact assessment must observe how the envisaged processing operations impact on the protection of personal data. If the data protection impact assessment determines that the processing will likely result in high risk, controller must consult the supervisory authority prior to the processing of the personal data.
• If the core activities, by their nature, scope or purposes, include such processing operations that require the regular, systematic and large-scale surveillance of the data subjects, a data protection officer must be appointed. Appointing a data protection officer aims to strengthen data protection.

13) Data security

Appropriate measures must be implemented to ensure that data are suitably protected especially against unauthorized access, alteration, transmitting, disclosure, deletion or destruction, or accidental destruction or damage, and against becoming inaccessible due to a change in the technology applied.

For the protection of the sets of data processed electronically in archives, proper technical solutions must be in place to ensure that the data stored in the archives cannot be linked directly to each other, or associated with the data subject.

When designing and implementing data protection, the current level of technology must be taken into account. Where more data protection solutions are available, the one to be applied is the one that ensures higher level data protection, except when it would result in unreasonable difficulty for the controller.

14) Personal data breach

Personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

In the absence of proper measures implemented in due time, personal data breaches may cause physical, material and non-material damage to natural persons, including, but not limited to, the loss of control over their personal data, the restriction of their rights, harmful discrimination, identity theft or identity abuse.

Personal data breaches must be reported without undue delay, at least within 72 hours, to the competent supervisory authority, except where it can be proven in line with the principle of accountability that the personal data breach will likely not result in risk to the rights and freedoms of natural persons.

The affected data subject must be informed without delay if the personal data breach will likely cause high risk to the rights and freedoms of the natural person with the purpose of enabling him or her to take the necessary measures.

15) Data processing for administration and registry

In cases that fall within the operations of the organization, personal data may be processed for the purposes of administration and registry.

Processing is based on the explicit consent of the data subject that he or she provided out of his or her free will. After providing detailed information, covering the purposes, legal grounds, duration of the processing, and the rights of the data subject, the data subject must be warned that the processing is voluntary. Consent to the processing must be recorded in writing.

Data processing for the purposes of administration and archiving shall have the following purposes:

• processing the data of the members and employees of the organizations based on legal obligation;
• processing the data of persons who are in an engagement contract with the organization, for the purposes of settlement and registry;
• data relating to points of contact of other organizations, institutions and enterprises which are in a business relationship with the organization, where data may be the contact details and identification data of natural persons.

The processing in accordance with the above is in part based on legal obligations, and on the other hand the data subject explicitly consents to the processing of his or her personal data (for example in employment contracts or by registering as a partner on a website etc.)

Where written documents containing personal data are sent to the organization (e.g. curriculum vitae, job application, other requests etc.), it must be presumed that the data subject has provided his or her consent. After the case has ended, as long as no consent has been given to further processing, the documents must be destroyed. The fact of such destruction must be documented in a protocol.

Where processing occurs with administrative purposes, personal data may only be included in the files of the actual case and in the registries. Such data is processed until the disposal of the document providing the grounds of the processing

Processing for the purposes of administration and registry must be reviewed every year and the incorrect personal data must be erased in order to ensure that the personal data are not kept longer than necessary.

Compliance with legislation must be ensured also where processing occurs for the purposes of administration and registry.

16) Data processing for other purposes

If the organization intends to process data for purposes not included in this policy, this internal policy must be properly amended at first, and new partial rules regarding the new processing purpose must be included.

17) Other documents that are part of the policy

The documents and the policies, for example the ones that include the written declaration providing consent to the processing and the ones that provide the compulsory data protection information in case of websites, must be attached to and handled in conjunction with the data protection and data processing policy.

18) Legislation providing legal grounds for data processing

• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

–       Act CXII of 2011 on Informational Self-determination and the Freedom of Information.

• Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives.
• Decree 335/2005 (XII.29.) on the General Requirements of Managing Records by Bodies Performing Public Functions. 29.
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
• Act C of 2003 on Electronic Communications.