MÁV-REC Kft. (hereafter: Enterprise), by publishing the present data processing notification, complies with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The notification should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.
The controller within the meaning of the General Data Protection Regulation is the LAC Holding Zrt. (Enterprise)
COMPANY NAME: MÁV-REC Kft.
REGISTERED SEAT: 1097 Budapest, Könyves Kálmán krt. 16.
Company registration number: 01 09 701017
VAT number: 12737794-2-43
PHONE: +36 1 476 3476
E-MAIL ADDRESS: email@example.com
Personal data will be accessed by those employees of the Enterprise who are authorised by the Enterprise, and by those processors contracted by the Enterprise whose processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
The Enterprise employs an external processor company for running and maintaining its website.
COMPANY NAME: MÁV-REC Kft.
Company registration number: 01 09 701017
For the purposes of this Regulation:
(1) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law.
(2) Consent of the data subject should be given in the following forms:
(3) Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
(4) Consent should cover all processing activities carried out for the same purpose or purposes.
(5) If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
(6) The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
(1) Processing shall be lawful only if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(2) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract and consent for processing unnecessary personal data should not be condition for entering the contract.
(1) In case that the lawfulness of data processing is determined by law in the event of a legal obligation, consent of the person concerned is not necessary for the processing of his or her personal data.
(2) The Controller is obliged to inform the data subject about the purpose, lawfulness and time interval of the processing, the controller’s person, and his or her rights.
(3) The Controller shall process data after the data subject has withdrawn his/her consent if it is necessary for fulfilling the Controller’s legal obligation.
(1) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
(2) At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
(3) The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing.
Data subject has right to
Right to transparency
(1) Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all information related to data processing:
(2) Information that is provided in case data are collected from the data subject:
(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(3) In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
(4) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(5) In addition to the information referred to in paragraph (4), the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(6) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph (4).
(7) Paragraphs (4) to (6) shall not apply where and insofar as:
Right of access by the data subject
(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
(3) The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Right of data subject to rectification and erasure
Right to rectification
(1) The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’)
(2) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
(3) Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
(4) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
Right to restriction of processing
(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
(1) The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
(2) The controller shall inform the data subject about those recipients if the data subject requests it.
Right to data portability
(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(2) In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.
Right to object
(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
(3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Right not to be subject to automated individual decision-making, including profiling
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph 1 shall not apply if the decision:
(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Right to lodge a complaint with a supervisory authority
(1) Pursuant to Article 77, every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
(2) Complaints can be submitted to the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36 (1) 391-1400; fax: +36 (1) 391-1410; website: http://www.naih.hu; e-mail: firstname.lastname@example.org
(3) The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Right to an effective judicial remedy against a supervisory authority
(1) Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
(2) Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
(4) Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Right to an effective judicial remedy against a controller or processor
(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
(2) Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
(1) Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
Communication of a personal data breach to the data subject
(1) When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
(2) The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
(3) The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
(4) If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
(1) The Enterprise will provide information to data subjects when the request is received from an individual whose identity can be validated by the Company.
(2) The Enterprise must provide a response to data subjects’ requests within 30 calendar days of receiving the Data Subject Request without any undue delay. In case of complex and numerous requests the deadline can be prolonged for a further 2 months. The Controller must inform the data subject within one month about the prolonged delay and its reasons.
(3) Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
(4) If the Enterprise does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
(5) The Enterprise shall provide information free of charge in the following cases: feedback on processing personal data, access to processed data, data to be rectified, corrected, erased, restriction of processing, data portability, objecting to data processing and the notification of a personal data breach.
(6) Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: charge a reasonable fee of 5000 HUF taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.
(7) The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
(8) Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
VII. PROCEDURE IN CASE OF PERSONAL DATA BREACH
(1) Personal data incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data including breaches that are the result of both accidental and deliberate causes.
(2) ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or stored. A personal data breach occurs if data has been deleted either accidentally or by an unauthorised person, if the decryption key for securely encrypted data has been lost, or in the case of infection by ransomware (malicious software which encrypts the controller’s data until a ransom is paid).
(3) Providers shall without delay maintain an inventory of personal data breaches comprising the facts surrounding the breach, its effects and the remedial action taken.
(4) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
(5) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
(6) The notification referred to in paragraph 3 shall at least:
(7) Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
(8) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with Article 33.
VIII. DATA PROCESSING ON WEBSITE
Information on the data of the website visitors
Registration, newsletter subscription
(1) The legal basis of data processing is registration, and the consent of the user is the legal basis of newsletter subscription. This is provided by the user by ticking the checkbox under the “registration” and “newsletter subscription” text on the website.
(2) Data subjects of registration and newsletter subscription: natural persons who intend to subscribe to the newsletter of the Enterprise, or intend to register on the website, and who have given consent to the processing of their personal data.
(3) Data processed for email subscription: name, email address.
(4) Data processed for registration: name, postal address, email address, phone number, entry password.
(5) Purpose of data processing in case of newsletter subscription: providing information about the services and products, news and events of the Enterprise.
(6) Purpose of data processing in case of registration: contact details for preparing a contract, providing free access services of the website, providing access to the website contents that are not publicly accessible.
(7) Persons entitled to data management (who can access data) in case of newsletter subscription and registration: managing director of the Enterprise, employee responsible for customer relations, data processors responsible for the Enterprise’s website.
(8) Personal data will be stored until the data subject unsubscribes from the newsletter. The duration of data control: for newsletters, from subscribing until unsubscribing; in case of registration, until the registration data are deleted at the request of the data subject.
(9) The data subject may unsubscribe from receiving newsletters and may request erasure of his/her registration data. The data subject can unsubscribe from the newsletter by clicking the unsubscribe link in the email footer, or by sending a letter to the Enterprise.
Data processing for Direct marketing purposes
(1) Processing for direct marketing purposes shall be lawful if the data subject has given clear and explicit consent to the processing of his or her personal data for direct marketing purposes. The user’s prior consent is provided on the website of the Enterprise by ticking the consent checkbox “Consent to be reachable for direct marketing purposes”, which follows the information about the data processing regulation.
(2) Consent can be given by the data subject by sending the data sheet via post.
(3) Data subjects: natural persons who have given clear consent to the Enterprise managing their personal data for direct marketing purposes.
(4) Purpose of data control: sending promotional, publicity or other communications about our services and products, sending offers, and notifying of promotions by email or by post.
(5) Persons entitled to data management: managing director of the Enterprise, employees responsible for customer service and marketing.
(6) Description of the data involved in data control: name, postal address, phone number, email address.
(7) The duration of data control: until data subject withdraws consent to data processing for direct marketing purposes.
(1) The Enterprise manages the personal data of natural persons contracting with the Enterprise (customers, clients, transporters) in relation to their contract. Data subjects must be informed about the processing of their personal data.
(2) Data subjects: natural persons who establish a contractual relationship with the Enterprise.
(3) The legal basis of data control is the performance of the contract; the purpose of the data control is to keep in touch in relation to the contract, to enforce claims arising from the contract and to comply with contractual obligations.
(4) Persons entitled to data management: managing director of the Enterprise, employees responsible for customer service, accountants employed by the Enterprise.
(5) Description of the data involved in data control: name, address, seat, phone number, email address, tax number, bank account number, number of business licence.
(6) The duration of data control: 5 years after the expiry of contract.
(1) Enterprise shall process personal data only in accordance with the present Regulation for data processing purposes.
(2) The Enterprise shall take the technical and organizational measures, and shall develop the rules of procedure, that are needed to ensure that the provisions of the GDPR, and other relevant legal provisions on data protection should be enforced.
(3) Data must be protected by the Enterprise by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and in a way to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.
(4) Technical and organisational measures implemented by the Enterprise for data security are described in the Data Protection Regulation of the Enterprise.
(5) In determining the measures to ensure security of processing, the Enterprise shall proceed taking into account the latest technical development and the state of the art of their implementation. Where alternate data processing solutions are available, the one selected shall ensure the highest level of protection of personal data, except if this would entail unreasonable hardship for the data controller.
(1) Controllers shall make arrangements for and carry out data processing operations in a way so as to ensure full respect for the right to privacy of data subjects in due compliance with the provisions of this Act and other regulations on data protection.
(2) The Enterprise declares that the data processor may not make any decision on the merits of data processing and shall process any and all data entrusted to him solely as instructed by the controller; the processor shall not engage in data processing for his own purposes and shall store and safeguard personal data according to the instructions of the controller.
(3) The Enterprise shall be held liable for the legitimacy of his instructions with regards to data processing.
(4) Enterprise must inform data subjects about the name and address (seat) of the technical data processor.
(5) The data processor shall not be permitted to subcontract another data processor according to the notice of the data controller.
(6) Contracts for the processing of data must be made in writing. Any company that is interested in the business activity for which personal data is used may not be contracted for the processing of such data.
Budapest, 23 May 2018