Terms of data protection

DATA HANDLING INFORMATION

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation) provides that the Data Handler should take proper measures in order to provide to the person concerned all the information with regard to the handling of personal data in a coherent, transparent, clear and accessible form, drawn up unequivocally and explicitly, as well as to that the Data Handler should facilitate the practising of the rights of the person concerned.   
Act CXII of 2011 on the right of self-determination and the freedom of information also prescribes the obligation to provide prior information to the person concerned.
With the information given below we fulfil our regulatory obligation.
The information must be published on the web page of the company, or it must be sent to the person concerned on request.

TITLE OF THE DATA HANDLER

Animation Film Production and Distribution Limited Liability Company of Kecskemét
Short name: KECSKEMÉTFILM Ltd.
Registered address: HU-6000 Kecskemét, Liszt Ferenc utca 21.
Company register no.: Cg. 03 09 102262
Represented by: Ferenc Mikulás managing director
Tax registration no.: 11029245-2-03
Electronic contact: kfilm@kecskemétfilm.hu
Website: www.kecskemetfilm.hu
Phone no.: 00 36 76 481788
hereinafter: Company or Data Handler
 
TITLE OF THE DATA PROCESSORS
 
The data processor is a natural or legal person, public body, agency or any other body which handles public data on behalf of the data handler; (Article 8, Regulation 4).
The use of data processors does not require the prior approval of the person concerned, but information must be provided to him or her. Accordingly, we are giving the following information:
The data processor performing the maintenance and management of the website of our Company which handles the personal data given on our website for the duration of our effective contract:
 
Virtualcom Software House Limited Liability Company
Short name: Virtualcom Software House Ltd.
Registered address: HU-6034 Helvécia, Taál B. u. 23.
E-mail address: info@virtualcom.hu
 
The data processor performing the operation of the informations system of our Company:
 
BESTCOM Financial Consulting and Computer Technology Services Limited Liability Company
Short name: BESTCOM Ltd.
Registered address: HU-6000 Kecskemét, Kőhíd utca 10.
Electronic contact: bestcom@bestcom.hu
 
The logistics service providers of our Company are Hungarian Post Ltd., GLS General Logistics Systems Hungary Ltd. and FedEx Trade Networks Transport & Brokerage (Hungary) Ltd., which guaranteed it in a statement that they will provide the protection of personal data in conformity with the legal regulations. They further also made a statement that during all of their activities they will utilise only partners (subcontractors) which are in compliance with the requisites expected and required by the effective data protection legal regulations. 

 
INFORMATION ABOUT THE SPECIFIC HANDLING OF DATA
 
Information about data handling based on the approval of the person concerned
 
1. In case our Company wishes to carry out data handling based on approval, it must request the approval of the person concerned for the handling of his or her personal data with a data request sheet with the content and information determined in the data handling regulation.
2. It also constitutes an approval, if the person concerned marks a box on the internet website of our Company during the viewing of the website, he or she carries out technical settings related to this during the use of the services connected to information society, or any other statement or act, which explicitly indicates the approval of the person concerned in the given context to the planned handling of his or her personal data. Therefore, remaing silent, a box checked in advance or non-action do not constitute an approval.  
3. An approval applies to all data handling activities carried out for the same purpose or purposes. If the data handling serves several purposes at the same time, the approval must be given for all the data handling purposes.
4. If the person concerned gives his or her approval in the framework of a written statement which also relates to other matters – e.g. the conclusion of a sales or service contract – the request for approval must be disclosed in a way that is distinct from such matters, in a perspicuous and easily accessible form and with a clear and simple language. Any part of a statement containing the approval of the person concerned, which violates the Regulation, shall have no binding force.    
5. The Company shall not bind the conclusion or the performance of a contract to the giving of an approval of the handling of personal data which are not necessary for the performance of the contract.  
6. The revocation of an approval shall be facilitated in the same simple way as the granting of it.
7. If the uptake of the personal data takes place with the approval of the person concerned, the data handler, in the absence of divergent regulations, may handle the data taken for the purpose of the fulfilment of the legal obligations related to it without a further separate approval, as well as following the revocation of the approval by the person concerned.

Information about the handling of the data of clients, contracting partners and contact persons

1. By virtue of the realisation of the contract the Company shall handle the name, name at birth, date of birth, mother’s name, residential address, tax identification number, tax registration number, entrepreneurship or primary producer identification number, personal identification number, registered address, business site address, phone number, email address, website address, bank account number, customer number (client number, order number) and online identification number of the person concluding the contract with it for the purpose of the conclusion, fulfilment or cancellation of the contract, or for providing a contractual discount. Such data handling shall be construed as legal even if it is required for making steps carried out on request from the person concerned. The consignees of the personal data: the employees carrying out tasks related to customer service, the employees carrying out accounting and taxation tasks, and the data processors of the Company. The duration of the storage of the personal data shall be 5 years from the expiry of the contract. 
2. The legal basis of the handling of the data of a natural person given in the contract for accounting and taxation purposes is the fulfilment of a legal regulation; in this case the duration of data storage shall be 8 years. 
3. The Company shall handle the personal data given in the contract, as well as the residential address, email address and phone number, and online identification of a natural person – signing the contract – acting on behalf of a legal person concluding a contract with it, for the purpose of keeping contact and the practising of the rights and obligations arising from the contract, by virtue of legitimate interest. The duration of the storage of such data shall be 5 years from the expiry of the contract. In case of data handling based on legitimate interest it shall be the emphasised right of the person concerned to object to the handling of his or her data.     
4. The Company shall handle the name, address, phone number, email address and online identification number of the natural person – not signing the contract – specified as a contact person in the contract concluded with it for the purpose of keeping contact and the practising of the rights and obligations arising from the contract by virtue of legitimate interest, considering that the contact person has a legal relationship of employment with the contracting party, so such data handling does not have a disadvantageous effect on the rights of the person concerned. The contracting party declares that he informed the contact person concerned of the handling of data related to the nature of the contact person. The duration of the storage of such data shall be 5 years following the existence of the nature of the contact person.    
5. As regards all the persons concerned the consignees of the personal data shall be: the managing director, the employees carrying out tasks related to customer service, the contact persons, the employees carrying out accounting and taxation tasks, and the data processors of the Company.
6. The personal data may be transferred for data processing for the purpose of taxation and audits, and for the purpose of deliveries to Hungarian Post or a commissioned courier service.
7. The handling of data shall be deemed legal, if it is required in the framework of any contract or contracting intention (Preamble 44), or if it is necessary for making the steps prior to the conclusion of the contract on request from the person concerned (Article 6 (1) b./). Therefore, by virtue of the fulfilment of a contract the personal data collected in the framework of contractual offers can also be handled according to this paragraph. The Company shall inform the offerer or the consignee of the offer of this at the time of the making or the receiving of the offer.     

Providing information about data handling based on the fulfilment of legal obligations
 
1. In case of data handling based on a legal obligation the provisions of the legal regulation serving as a basis apply to the scope of data that can be handled, the purpose of data handling, the duration of data storage and the consignees.
2. Any data handling based on the pretense of the fulfilment of legal obligations is independent of the approval of the person concerned, as the handling of data is determined by a legal regulation. In such cases the person concerned must be informed prior to the start of the handling of his or her data that the data handling is obligatory, as well as the person concerned must be informed in a clear an unambiguous way prior to the start of the handling of his or her data of all the facts related to the handling of his or her data, thus especially the purpose and the legal basis of the handling of the data, the person entitled to the handling and the processing of the data, the duration of the handling of the data, whether the data handler handles the personal data of the person concerned based on a legal obligation concerning him, and who may get to know the data. The providing of information must also cover the rights and the possibilities of the person concerned for legal remedies as regards data handling. In the case of an obligatory handling of data the providing of information may also take place by making a reference to the legal regulatory provisions containing the information above public.
 
Providing information about data handling carried out for the purpose of the fulfilment of taxation and accounting obligations  

1. The Company shall handle the data of natural persons contacting it as prescribed by law for the purpose of the fulfilment of taxation and accounting obligations (bookkeeping, tax payment) prescribed by law, by virtue of the fulfilment of its legal obligations. The data handled based on Paragraph 169 and Paragraph 202 of Act CXXVII of 2017 are specifically: the tax identification number, name, address, identification of the person or organisation ordering the economic operation, the person making the remittance and verifying the implementation of the action, as well as the signature of the controller depending on the organisation; the signature of the recipient of the vouchers of stock movements and cash handling, the signature of the payer on the receipts, based on Act CXVII of 1995 concerning personal income tax: the number of the entrepreneurship identification card, number of the primary producer identification card and tax identification number.
2. Data handling related to the maintenance of road usage logs and journey forms: the Company shall handle the data specified by law of the company motor vehicle usage and the usage of the private motor vehicles of employees for official and business purposes (name of motor vehicle driver, type and licence plate of the motor vehicle, the date and purpose of the journey, route taken, name of business partner visited) by virtue of a legal obligation, for the purpose of cost accounting, the issuance of vouchers, the determination of tax bases and the calculation of fuel savings. The relevant legal regulation is Act CXVII of 1995 (Personal Income Tax Act), Paragraph 27, Section /2/, Article 6 of Annex 3 and Article 7 of Annex 5.  
3. The duration of the storage of personal data shall be 8 years following the expiry of the legal relationship providing the legal basis.
4. The consignees of the personal data shall be the employees and data processors serving the taxation, bookkeeping, payroll and social security tasks of the Company.
 
Providing information about the data handling of a disbursement entity

1.  The Company shall handle the personal data of the persons concerned – employees, their family members, and other persons receiving benefits – as prescribed by taxation laws, by virtue of the fulfilment of legal regulations, for the purpose of meeting the taxation and contribution obligations prescribed by law (assessment of taxes, tax advances and contributions, payroll services, social security and pension administration), with whom it has a disbursement relationship (Act CL of 2017 concerning taxation (Article 7, Paragraph 31). The scope of the data handled is specified by Paragraph 50 of the Article, especially emphasising from this: the personal identification data of a natural person (including his or her previous name and also his or her title), gender, citizenship, the tax identification number and the social security identification number of the natural person. In case the tax laws attach a legal consequence to it, the Company may handle the data related to the membership of health care (Paragraph 40 of the Personal Income Tax) and trade unions (Paragraph 47, Section (2) b./) for the purpose of the fulfilment of tax and contribution obligations (payroll and social security administration).    
2. The duration of the storage of personal data shall be 8 years from the expiry of the legal relationship providing a legal basis.
3. The consignees of the personal data: the employees and data processors carrying out the taxation, payroll administration and social security (disbursement) tasks of the Company.  
 
Providing information about data handling related to records with a permanent value according to the Archives Act

1. By virtue of the fulfilment of legal obligations the Company shall handle the records qualifying as having a permanent value under Act LXVI of 1995 (Archives Act) concerning the protection of public records, public archives and private archives for the purpose of keeping the archives material of the Company with a permanent value safe and sound also for the future generations. The duration of the data storage shall be until the conveyance to the public archives.
2. The conisignees of the personal data: the director of the Company, the employee carrying out record handling and record archiving, and the employee of the public archives.
 
Promoting the rights of the person concerned

The Company shall ensure the practising of the rights of the person concerned during all of its data handling.

 
DATA HANDLING OF VISITORS ON THE COMPANY’S WEBSITE – PROVIDING INFORMATION ABOUT THE APPLICATION OF COOKIES

General information about cookies

1. Visitors of the website must be informed about the application of cookies, and their approval must be asked for this.
2. A cookie is a piece of data which the website visited sends to the web browser of the visitor (in a variable name-value format), so that it can store it and later the same website can also reload its content. A cookie may have a validity period, it can be valid until the closure of the web browser, but also for an indefinite period. In the future the web browser will send this data to the server upon all HTTP(S) requests. Thereby it modifies the data on the user’s computer.
3.  The essence of a cookie is that by the nature of website services there is a need for users to be identified (e.g. that he or she entered the webpage) and to manage them accordingly. Its danger lies in that the users do not have knowledge of this in each case and it may be suitable for the operator of the webpage or for other service providers whose content is embedded in the webpage (e.g. Facebook, Google Analytics) to track the user, and thereby a profile is made of him or her, and in such cases the content of the cookie can be considered personal data.
4.  Types of cookies:
4.1. Technically indispensable session cookies: the page would simply not function without these properly, and these are necessary for the identification of the user, e.g. they are necessary to manage whether he or she has logged in or what he or she put into the shopping cart, etc. This typically the storage of a session ID, the rest of the data are stored on the server which is safer. This has a safety concern, as if the value of the session cookie is not generated properly, the danger of a session hijacking attack exists, therefore it is imperative that these values are properly generated. Other terminologies call all cookies session cookies which are deleted after exiting the browser (one session is one use of the browser from start to exit).  
4.2. Usage assisting cookies: those cookies are called this which memorise the selections of the user, such as in what format the user would like to view the page. In essence these types of cookies mean the settings data stored in the cookie.
4.3. Cookies ensuring performance: although they do not have much to do with “performance”, those cookies are called this which collect information of the behaviour, usage time and clicks of the user within the webpage visited. These typically are applications of third parties (e.g. Google Analytics, AdWords or Yandex.ru cookies). These are suitable for preparing profiles of the visitors. 
 5.  The acceptance or the authorisation of the cookies is not compulsory. You can restore the settings of your browser for it to reject all cookies or for it to indicate that the system is about to send a cookie. Although most browsers have a default setting to automatically accept cookies, this can usually be changed in order to prevent automatical acceptance and to offer the possibility of choice every time.
 

PROVIDING INFORMATION ABOUT THE RIGHTS OF THE PERSON CONCERNED
 
The rights of the person concerned in short

1. Transparent information, communication and the promotion of the practising of the rights of the person concerned
2. The right for prior information – if the personal data of the person concerned is collected
3. Providing information to the person concerned and the information to be available, if the data handler does not acquire the personal data from him or her
4. The right of access of the person concerned
5. The right for corrections
6. The right for deletion (“the right to be forgotten”)
7. The right for the limitation of data handling
8. The notification obligation related to the correction or deletion of personal data and to the limitation of data handling
9. The right to carry data
10. The right to protest
11. Automatic decision-making in unique matters, including profile making
12. Limitations
13. Providing information to the person concerned about data protection incidents
14. The right to submit complaints to the supervisory authority (the right for legal remedy at the authorities)
15. The right for an effective judicial legal remedy against the supervisory authority
16. The right for an effective judicial legal remedy against the data handler or data processor
 
The rights of the person concerned in detail
 
1. Transparent information, communication and the promotion of the practising of the rights of the person concerned
 
1. The data handler shall provide to the person concerned all the information and each piece of information related to the handling of personal data drawn up in a concise, transparent, comprehensible and articulate way, especially in the case of any information addressed to children. The information shall be provided in writing or any other way – also including electronically in given cases. On request from the person concerned the information may be provided verbally, as well, given that the personal identity of the person concerned is verified by other means.  
2. The data handler shall promote the practising of the rights of the person concerned.
3. The data handler shall inform the person concerned of the measures taken based on his or her request for the practising of his or her rights without unjust delay, but by all means within one month from the receipt of such request. This deadline can be extended by a further two months under the conditions prescribed in the Regulation, of which the person concerned must be informed.
4. If the data handler does not take measures based on the request of the person concerned, it shall inform the person concerned, without delay, but not later than within one month from the receipt of the request, of the reasons of the cancellation of the measures, as well as of that the person concerned may submit a complaint to a supervisory authority and he or she may practise his or her right for legal remedy at a court.
5. The data handler shall provide the information and the information and the measures about the rights of the person concerned free of charge, however, a fee may be charged in the cases written in the Regulation. 
The detailed rules can be found in Article 12 of the Regulation.
 
2. The right for prior information – if the personal data of the person concerned is collected
 
1. The person concerned shall be entitled to receive information prior to the start of the data handling regarding the facts and information connected to the data handling. In the framework of this the person concerned must be informed of:
a) The entity and contacts of the data handler and its representative,
b) The contacts of data safety officer (if such exists), 
c) The purpose of the planned handling of the personal data, as well as the legal basis of the data handling,
d)  In case of data handling based on the enforcement of a legal interest the interests of the data handler or a third party,
e) The consignees of the personal data – with whom the personal data are informed, as well as the categories of the consignees, if such exist,
e) in given cases the fact that the data handler wishes to forward the personal data to a third country or to an international organisation.
 
2. For the purpose of ensuring a fair and transparent data handling the data handler must inform the person concerned about the following supplementary information:  
a) The duration of the storage of the personal data, or if this is not possible, the aspects of the determination of this duration;
b) The right of the person concerned of that he or she may request from the data handler the access of the personal data related to him or her, their correction, deletion or the limitation of their handling, and that he or she may protest the handling of such personal data, as well as about the right of the person concerned to carry on his or her data;
c) In case of data handling based on the approval of the person concerned that the right to revoke the approval of the approval at any time which does not affect the legality of the data handling performed based on the approval prior to the revocation;
d) The right to submit a complaint addressed to the supervisory authority;
e) Whether the providing of the personal data is based on a legal regulation or a contractual obligation or whether it is a precondition of the conclusion of a contract, as well as whether the person concerned is obliged to provide personal data, as well as what kind of potential consequences the omission of the providing of data may have;
f) The fact of an automatized decision making, including the making of profiles, as well as at least in such instances the logic applied, and comprehensible information about what significance the data handling may have, and what expected consequences it may have on the person concerned.
3. If the data handler wishes to carry out additional data handling for a purpose other than the collection purpose of personal data, it must inform the person concerned of this different purpose and all other relevant supplementary information prior to the additional data handling.  
The detailed rules of the right for prior information is included in Article 13 of the Regulation.
 
3. Providing information to the person concerned about the information to be available, if the data handler does not acquire the personal data from him or her

1. If the data handler does not acquire the personal data from the person concerned, the person concerned must be informed by the data handler not later than from one month from the acquiring of the personal data; if the personal data are used for making contact with the person concerned, at least at the time of the first contact with the person concerned; or if the data will expectedly be given to other consignees, at the latest at the first publication of the personal data about the facts and information written in Section 2 above, as well as about the categories of the personal data, and further of the sources of the data and in given cases about whether the data originate from publicly accessible sources.
2. The contents of Section 2 above are applicable to further rules (The right for prior information).
The detailed rules of the providing of this information are contained in Article 14 of the Regulation.

4. The right of access of the person concerned
 
1. The person concerned is entitled to receive a feedback regarding whether the handling of his or her personal data is in progress, and if such data handling is in progress, he or she is entitled to have access to the personal data and the related information (Article 15 of the Regulation). 
 
2. If the personal data are forwarded to a third country or to an international organisation, the person concerned is entitled to receive information about this forwarding as regards the proper guarantees under Article 46 of the Regulation. 

3. The data handler shall make the copy of the personal data of the scope of the data handling to the person concerned. For any additional copies requested by the person concerned the data handler may charge a reasonable fee based on administrative costs.
The detailed rules related to the rights of the person concerned related to access rights are included in Article 15 of the Regulation.
  
5. The right for corrections
 
1. The person concerned is entitled to the correction, without undue delay, by the data handler of the inaccurate personal data related to him or her.
2. By taking the purpose of the data handling into consideration, the person concerned shall be also entitled to request the supplementation of any incomplete personal data – by also via a supplementary statement.
These rules are contained in Article 16 of the Regulation.
 
6. The right for deletion (“the right to be forgotten”)
 
1. The person concerned shall be entitled to delete the personal data related to him or her on his or her request without the undue delay of the data handler, and the data handler shall be obliged to delete the personal data related to the person concerned without undue delay, if
a) there is no need for the personal data for the purpose it was collected or for what it was handled in any other way;
b) the person concerned revokes his or her approval providing the basis of data handling, and the data handling has no other legal basis;
c) the person concerned objects to his or her data handling, and there is no legal reason for the data handling with a priority right;
d) the personal data were handled against the law;
e) the personal data must be deleted for the fulfilment of a legal obligation prescribed in an EU or member state law applicable to the data handler. 
 
2. The right for deletion may not be enforced if the data handling is required for
a) the purpose of the practising of the freedom of speech and the right of orientation;
b) for the purpose of the fulfilment of an EU or member state obligation applicable to the data handler, or by public interest, or by the implementation of a task performed in the framework of practising a public license given to the data handler;
c) on the basis of public interest concerning the area of public health;
d) for the purpose of archiving of a public interest, for scientific or historical research purposes, or for statistical reasons, in case the right for deletion would make data handling presumably impossible or it would seriously jeopardise it; or 
e) for the advance, enforcement or protection of legal claims.
 
The detailed rules related to the right for deletion are contained in Article 17 of the Regulation.
 
7. The right for the limitation of data handling

1. In case of the limitation of data handling such personal data may, with the exception if storage, can be handled only with the approval of the person concerned, or for the submission, enforcement or protection of legal claims, or for the purpose of the protection of the rights of other natural and legal persons, or for an important public interest of the European Union or one of the member states.
2. The person concerned shall be entitled to limit the data handling by the data handler on his or her request, if any of the following exists:
a) The person concerned disputes the accuracy of the personal data; in such a case the limitation applies to the duration which makes it possible for the data handler to verify the accuracy of the personal data;
b) The data handling infringes on legal regulations, and the person concerned objects to the deletion of the data and he or she instead requests the limitation of their use;
c) The data handler does not need the personal data any more for the purpose of data handling, but the person concerned requests them for the disclosure, validation or protection of legal claims; or
d) The person concerned objected to the data handling; in such a case the limitation applies to the duration in which it is determined whether the legitimate reasons of the data handler have priority over the legitimate reasons of the person concerned.
3. The person concerned must be informed of the release of the limitation of data handling in advance.  
The relevant rules are contained in Article 18 of the Regulation.
 
8. The notification obligation related to the correction or deletion of personal data and to the limitation of data handling

The data handler shall inform all addressees of all corrections, deletions or limitation of data handling which it informed of the personal data, except when this proves to be impossible or requires an unduely large effort. The data handler shall inform the person concerned about these addressees on his or her request.
These rules can be found in Article 19 of the Regulation.

9. The right to carry data

1. The person concerned is entitled, with the conditions given in the Resolution, to receive the personal data related to him or her and made available by him or her to the data handler in an articulated, widely used format readable by machine to forward such data to another data handler without the encumbering of this by the data handler to which he or she made available the personal data, if   
a) the data handling is based on approval or a contract; and
b) the data handling is carried out in an automated way.
2. The person concerned may also request the direct forwarding of personal data between data handlers.
3. The practising of the right to carry data shall not enfringe upon Article 17 of the Regulation (The right for deletion (“the right to be forgotten”). The right to carry data shall not be applied in cases where the data handling is necessary for data handling of public interests or for the implementation of the public authority licences delegated to the data handler. This right shall not have a disadvantageous effect on the rights and freedom of others.
The detailed rules are included in Article 20 of the Resolution.
 
10. The right to protest  

1. The person concerned is entitled to, for reasons related to his or her own situation, protest the handling of his or her personal data based on public interest, the implementation of a public duty (Article 6 (1) e)) or legitimate interest (Article 6 f)) at any time, also including the profile making based on the provisions mentioned. In such a case the data handler shall not handle the personal data any more, except where the data handler proves that such legitimate reasons of binding force justify the data handling which receive priority over the interests, rights and freedom of the person concerned, or which are related to the submission, enforcement or protection of legal claims. 
2. If the handling of personal data takes place for the purpose of direct business interests, the person concerned is entitled to protest the handling of the personal data related to him or her at any time, also including profile making, in case it is connected to direct business interests. If the person concerned protests the handling of personal data for the purpose of direct business interests, the personal data shall not be handled for this purpose henceforward.
3. The concerned person must be informed of these rights not later than at the time of first contact, and the information related to this must appear explicitly and separate from all other information.
4. The person concerned may also practise the right to protest with automated tools based on technical provisions.
5. If the handling of personal data takes place for scientific or historical research purposes or statistical purposes, the person concerned is entitled to protest the handling of the personal data related to him or her for reasons connected to his or her own situation, except where the data handling is necessary for the implementation of a task performed for a reason of public interest.
 
11. Automatic decision-making in unique matters, including profile making

1. The person concerned is entitled to not have the scope of decision-making exclusively based on automatic data handling – also including profile making that would have a legal effect on him or her or that would affect him or her in a similar significant way.  
2. This entitlement shall not be applied in cases where the decision-making:
a)  is required for a the conclusion or fulfilment of a contract between the person concerned and the data handler;
b) is made by virtue of such EU or member state law applicable to the data handler which also specifies proper measures serving the protection of the rights and freedom of the person concerned, as well as his or her legitimate interests; or
c) is based on the express approval of the person concerned.
3. In the cases mentioned in Sections a) and c) above the data handler shall take proper measures for the purpose of the protection of the rights, freedom and legitimate interests of the person concerned, including at least the right of the person concerned to request human intervention on the part of the data handler, to express his or her viewpoint, and to submit an objection against the decision-making.
Further rules are contained in Article 22 of the Regulation.

12. Limitations

The EU and member state law may limit the scope of rights and obligations applicable to the data handler or data processor with legislative measures (Articles 12-22, Article 34, Section 5), if the limitation respects the essential content of basic rights and freedoms.
The conditions of this limitation are included in Article 23 of the Regulation.

13. Providing information to the person concerned about data protection incidents

1. If the data protection incident is likely to have a high risk on the rights and freedoms of natural persons, the data handler shall inform the person concerned about the data protection incident without undue delay. In such information the nature of the data handling incident and at least the following shall be provided clearly and explicitly:
a) the name and contacts of the data protection officer or another contact person providing futher information;
c) the probable consequences originating from the data protection incident must be provided;
d)  the measures taken or planned by the data handler to remedy the data protection incident must be provided, including in given cases the measures targeting the mitigation of the potential disadvantageous consequences originating from the data protection incident.
 
2. The person concerned need not be informed, if any of the following conditions exist:
a) The data handler implemented proper technical and organisational protective measures and these measures were applied as regards the data affected by the data protection incident, especially those measures – such as for instance the application of encryption – which make the data incomprehensible for persons not authorised to access personal data;
b) Following the data protection incident the data handler took such further measures which ensure that the high risk on the rights and freedom of the person concerned presumably will not happen in the foregoing;
c) The providing of the information would make undue effort. In such cases the persons concerned shall be informed via information made publicly available, os such similar measures shall be taken which ensure the similarly effective information to the persons concerned.
Further rules are contained in Article 34 of the Regulation.

14. The right to submit complaints to the supervisory authority (the right for legal remedy at the authorities)

The person concerned is entitled to submit a complaint to the supervisory authority – especially in the member state according to his or her residence, place of work or the potential location of the infringement (in Hungary at the National Data Protection and Freedom of Information Authority) – if according to the judgment of the person concerned the handling of the personal data related to him or her infringe upon the Regulation. The supervisory authority to which the complaint is submitted must inform the client of the developments of the procedure related to the complaint, also including whether the client is entitled to use judicial legal remedy.

These rules are contained in Article 77 of the Regulation.

15. The right for an effective judicial legal remedy against the supervisory authority

1. Without prejudice to the legal remedies belonging to other public adminsration and non-judicial process legal remedies all natural and legal persons are entitled to an effective judicial remedy against the legally binding decision of the supervisory authority related to him or her. 
2. Without prejudice to the legal remedies belonging to other public administration and non-judicial process legal remedies all persons concerned are entitled an effective judicial remedy, if the competent supervisory authority does not deal with a complaint, or does not inform the person concerned of the procedural developments or the results of the complaint submitted within three months. 
3. A procedure againt a supervisory authority must be initiated at the court of the member state according to the seat of the supervisory authority.
4. If a procedure is initiated against a decision of the supervisory authority as regards which the Board previously issued an opinion or brought a decision within the framework of uniformity mechanism, the supervisory authority shall be obligated to send this opinion or decision to the court. 
These rules are contained in Article 78 of the Regulation.
 
16. The right for an effective judicial legal remedy against the data handler or data processor

1. Without prejudice to the public administration or non-judicial process legal remedies available – including the right to submit complaints to the supervisory authority – all persons concerned are entitled to an effective judicial legal remedy, if according to his or her judgment his or her rights were infringed upon as a result of the unproper handling of his or her personal data under this regulation. 
2. The procedure agains the data handler or data processor shall be initiated at a court of the member state according to the operation site of the data handler or data processor. Such a procedure can also be initiated at a court of the member state according to the usual residence of the person concerned, except where the data handler or the data processor is a public body acting in the scope of public authority of one of the member states.
These rules are contained in Article 79 of the Regulation.
 
Kecskemét, 25 May 2018
                                                                                                 
 
                                                                                           Ferenc Mikulás
                                                                                         managing director

 


Accreditation


Catalogue 2019

Programme Schedule 2019