Table of contents
- A brief description of data processing
- Proportionality and necessity of processing
- Overview of the legal basis and purposes of data processing
- Register for the performance of contractual obligations
- Register for company management
- Legitimate interests register
- Sales (lead) register
- Information for the data subjects
- Determination of the legal basis
- Data recording
- Data classification
- Data storage and data management
- Completion, correction, update
- Withdrawal of consent
- Restriction and termination of processing
- Erasing data
- Data transmission
- Data Management Flowchart
- Information to stakeholders
- Data subject’s right to lodge a complaint
- Data subject’s right to be forgotten (right of erasure)
- Right of the data subject to object
This privacy notice describes the processing of personal data in services provided by Székely Family and Company Kft. as data controller under the European General Data Protection Regulation (GDPR) and informs the data subjects about the processing, their rights and the obligations of the data controller. This document seeks, within the regulatory framework, to fully comply with the requirements of clarity and pertinence, in simple, comprehensible language. In the event of any interpretation issue, the company’s data protection officer will be happy to provide further information at the request of the data subject.
Székely Family and Company Ltd.,
1191 Budapest Main street 11. 7/20.,
Dr. jur. Zoltán Székely
- Microsoft https://privacy.microsoft.com/en-us
- Google https://policies.google.com/privacy?hl=en-US
- Automattic https://automattic.com/privacy/
- Key-Soft Computing Nyrt. https://bizxpert.com/privacy-policy/
- Barion https://www.barion.com/en/privacy-notice/
- PayPal https://www.paypal.com/us/webapps/mpp/ua/privacy-full
- Stripe https://stripe.com/en-hu/privacy
- Billingo https://www.billingo.hu/adatkezelesi-tajekoztato
We use data processors through software and cloud services for corporate administration, such as data storage, documentation, payment, transactions and communication with customers.
The general purpose of the processing is the performance of the contractual obligations of Székely Family and Company Llc., ensuring the operation of the company, securing legitimate interests and sales activities. In exceptional cases, processing of data may also serve the purpose of complaint handling or may be authorized by legal order or by law. The data processing is performed through registers, each allocated to a purpose and a legal basis. Also, in accordance with the requirements of data minimization and storage limitation, one physical database serves several registers. A data item will be permanently deleted when it is no longer processed in any of the registers.
Székely Family and Company Llc. only processes data which serves the mutual interest of the data subject and the company or other specified, explicit and legitimate purposes recognized by law. This includes processing which is mandatory under law or legal order. We only process data when there is a purpose and we do not process data longer than is strictly necessary, without prejudice to archiving purposes.
An overview of legal bases and purposes of data processing by Székely Family and Company:
- The data shall be processed in the register necessary for the fulfilment of contractual obligations where ‘processing is necessary for the performance of a contract in which the data subject is a party or necessary to take action at the request of the data subject prior to the conclusion of the contract’ (Article 6 of the GDPR para (1) sub (b)). For example, when you draft a contract or track its progress, issue a certificate of performance or an invoice, we use the data to produce documents in this context and for this purpose.
- In order to manage and operate the company, we process the data if ‘the processing is necessary to fulfil the legal obligation of the controller’ (Article 6 of the GDPR, para (1) sub (c)). This includes tax returns, payrolls, registers of safety training, employee registration, other documents and protocols to be kept according to Hungarian Law.
- In order to pursue our legitimate interests, we process the data where ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’ (Article 6 of the GDPR para (1) sub (f)). This includes the records of an incident by our CCTV operated in areas with restricted access, data necessary to pursue legal or financial claims, recorded dispute settlement teleconferences or meetings.
- We process the data for the specific purpose of business networking, sales and marketing if ‘the data subject has given consent to the processing of his or her personal data for one or more specific purposes’ (Article 6 of GDPR para (1) sub (a)). The objective is to provide business opportunities for us as well as for the person concerned and includes access to our channels on social networks. This is how we link potential consortium partners, for example through the mutual transfer of their email addresses and names.
When Székely Family and Company enters into a contract with the customer or another person on behalf of the customer, or takes preparatory steps to conclude the contract (for example, it prepares and sends an offer), it processes the following data on that legal basis:
- Mailing (billing) address
- Email address
- Phone number
- Other electronic contact (e.g. Facebook, Instagram, LinkedIn, Twitter ID)
- Payment information (bank account number, PayPal, Simple or other online payment ID etc.)
- Transaction history
- Username and password
- Data tracking performance of the contract (e.g. cookie logging progress in the curriculum or customer’s exam results, picture or audio recording of performance)
This register shall contain the data necessary to fulfil the legal obligations relating to the operation of the company. This includes, for example, contracts for employees and natural-person agents in an employment or commissioning relationship, data for the tax authority, company email accounts for natural persons.
- Name (based on identity document)
- Identity document number
- Driver’s license number, category and period of validity
- Travel document number for a foreign natural person
- Number of visas or residence permits for a natural person from a third country
- Social security identification mark or, in the case of a foreigner, full health insurance bond number
- Tax number
- Tax deduction notes, timesheets and time off, justification data (e.g. children’s names and tax number)
- Copy of certifications or diplomas and data contained therein (e.g. name, photo, OH identifier)
- Benchmarking data (personal data, such as number of hours worked, number of contracts successfully concluded)
- Other electronic contact (e.g. Facebook, Instagram, LinkedIn, Twitter ID)
- Images, audio and video recording (only recording with knowledge and consent of the person concerned)
- System log files (log files are generated by data processors and can only be procured based on written decision of the CEO, where appropriate)
The register contains data that cannot be covered by other registers but is inevitably necessary to pursue the legitimate interests of Székely Family and Company Kft., its customers or the company in the context of the contract performance. For example, this includes claims for damages or liability for damages against a third party, enforcement of claims relating to natural persons outside a contract, employment or trust relationship or the fulfilment of obligations. For example, if a visitor is involved in an accident in the company’s works, its data shall be entered in the accident report.
- Phone number
- Mailing address
- Image, audio and video recording (only recording that does not offend the dignity of the data subject, with knowledge and consent)
- Electronic log files related to system use (log files are generated by data processors and can only be processed on the basis of a written executive decision, where appropriate)
This register contains the information of natural persons who have requested or have given informed consent to contact them, subscribe to our news feeds, visit our websites or follow our channels, pages, register and participate in our events. This processing shall be based solely on the informed consent of the data subject, which may be withdrawn at any time without any adverse consequences for the data subject.
- Phone number
- Other electronic contact (e.g. Facebook, Instagram, LinkedIn, Twitter ID)
- Trackers (cookies) indicating the activity of the use of the website and previous contracts to the extent that the data subject agrees when opening the website
- Sound, picture and video recordings of workshops, conferences and other meetings, with the right of the data subject to request that its face and/or voice be rendered unidentifiable
The duration of the processing depends on the particular register.
- In the case of a register necessary for the fulfilment of contractual obligations, due to the rules of the Civil Code on the limitation of claims, the data will be processed until the termination of the contract then stored in the framework of limited processing (archives) for five years. Legislation or Grant Agreements may require a longer retention period for certain contracts (there are grants where data must be retained for 10 years after the end of the project).
- The data in the register for management of the company will be processed by Székely Family and Company Kft. until the end of the tax return period following the termination of the employment or contract and then stored for a further period of 2 years thereafter, or for a period specified in other legislation or contracts (e.g. on the basis of an agent employed in a project supported under the Contract of Support Agreement), in the framework of restricted processing (archives) and then deleted from the register.
- We will only process the data in the context of the enforcement of legitimate interests in the framework of a register until the opportunities available to pursue a particular interest are exhausted, or until it is recognised earlier that the processing harms the interests of the data subject which are disproportionately more important than our legitimate interests. Since advocacy may take many years in specific cases, for example at court, although we wish to manage this data for as short a time as possible, it is not possible to determine the duration of the processing in advance.
- The processing based on the informed consent of the data subject lasts as long as we have the data subject’s consent; after the data subject withdraws consent, the processing shall be terminated. The obligation to delete shall not preclude the processing of information obtained from anonymised processing for statistical purposes prior to the deletion of the data, but such information shall not contain or make the data subject recognizable.
The data subject must be provided with all information before the start of the data processing. This can be done, for example, by making it legible on the website, by handing over a printed version, for example at a workshop during registration, or by posting a poster or sign (typically at the entrance to an area protected by a CCTV system).
In case of a request from the data subject on providing information on the data processing, the data subject shall be informed of the range of data processed in connection with it, the data records (in order to enable right to rectification, to completion or to correction if necessary) and, in the case of automatic processing, the basic features of the algorithm (e.g. an algorithm that tries to propose the next training on the basis of the results so far) and the remaining time of processing. Information may also be provided through a web interface where the data subject can view his/her profile, in which case the answer to the request is automated.
Before starting the processing, it is necessary to examine the legal basis on which the data subject’s personal data are processed. Theoretically there may be multiple legal bases for the processing of the personal data of a particular data subject, but this may mean a difference in the types of data that can be processed. Only data which exists in the list of our register connected to the particular legal basis may be processed. For example, in the sales register, where the legal basis is a consent based on information, the social security identification mark of the data subject concerned cannot be processed even if it was previously employed and thus was legally processed in the other register before (register to ensure the operation of the company). If no legal basis can be established, for example, the data subject has not given a consent and there is no other legal basis for the processing, the initiation of the process shall be aborted or the process shall be terminated and the data deleted.
There are two ways to start data processing: by recording the data submitted by the data subject or by tracking the data subject with its informed consent. An example of the first case is providing data to conclude a contract; examples of the second case are the cookies on the website or taking pictures at a workshop. Before recording, it is necessary to examine whether the legal basis for the processing exists, in particular where the consent of the data subject is required. In case of doubt, contact the data subject or the Data Protection Officer.
The data classification shall specify which personal data shall be processed in which register(s). The data may only be processed in registers for which the legal basis exists in respect of the data. The data shall be labelled according to the logical register, which can be used to determine in which records the data can be processed.
The data will then be stored and processed automatically; if necessary, data can be processed manually as well. As a result of processing, it is possible to carry out various transactions with the data subject, such as performance of a contract, a training, sending of a newsletter, provision of services, payment of wages, issuing of invoices etc. If there are no more ongoing transactions, the data should be automatically restricted and deleted immediately after storage time has expired (if not specified, then immediately). Statistical reports may be generated from the processed data after anonymization, and the anonymized statistical report is no longer considered as personal data.
The data subject has the right to request that its stored personal data be completed (e.g. obtaining a doctorate), corrected (e.g. typing or recording error) or updated according to the changed situation (e.g. change of name due to marriage, change of address due to move, new email address). This can also be done by changing data through the data subject’s user profile on the web interface by the data subject itself. For security reasons, the change must be logged (the log file belongs to the company operations registration code) and a notification shall be sent to the data subject.
The data subject may withdraw its consent at any time without any unjustified disadvantage. The legal consequences included in the contract, employment contract or terms of participation, such as the termination of a particular service, restrictions on access to the operating area, the cancellation of registration for an event, shall not be perceived as an unjustified disadvantage. Withdrawal of consent should not be prevented in any way, including persuasion. The declaration of withdrawal should be possible in a simple and comprehensible manner (e.g. it can be done with a maximum of two clicks). Once the consent has been withdrawn, it is necessary to examine which personal data of the data subject may be further processed on another legal basis. The result should be brought to the attention of the data subject so that, if he so wishes, he may take action to terminate another legal basis as well (e.g. termination of a contract). As regards data without a legal basis for processing, the processing should be terminated.
Upon termination of the legal basis, it must be verified that all clearing, deliveries and transfers in relation to the data subject have been performed by the controller (e.g. payment of a contract, the issuing of certificates for the worker). Where a register is linked to a retention obligation, the data shall be subject to temporarily restricted processing, i.e. stored in an archive (this means a separate encrypted data container within the storage space from which information cannot be automatically extracted). Subsequently, further operations on the data shall not be carried out except for deletion until a legal basis is established for their handling (e.g. Support Authority concludes the transfer of data in the context of the project’s follow-up). The data subject shall also have the right to initiate a restriction on the processing, in particular where it disputes the legal basis of the processing, where the data should be clarified or completed, or to prevent the deletion of data in defence of the data subject’s legitimate interests. The relevant request to restrict the processing of data should be met until the situation is clarified, but efforts should be made to resolve this as quickly as possible.
If there is no retention obligation or the storage time has expired, the data shall be deleted. If the data is also present on physical media, it is necessary to overwrite or, if this is not possible, physically destroy the carrier (e.g. smashing a DVD) to ensure that the deletion is permanent, but physical destruction must not cause environmental damage (e.g. plastic media must not be burned outdoors). This will permanently terminate the processing. The fact of the erasure shall be communicated to the data subject before it begins.
The data will not be disclosed to third parties without the express authorisation of the data subject valid for the particular data and transmission. An exception to this is our own contracted processors and the authorities to whom data transmission is statutory (e.g. the tax identification mark of the employee to the tax authority in the register of company operations). The data may also be provided where this is needed to protect the vital interests of the data subject or another natural person. An example of authorization is if the data subject agrees to hand over his name, email address and telephone number to third parties who wish to use the services of the data subject for the purpose of making business.
The data management flowchart shows the process according to ISO 5807:1985. Connectors with and without an arrow have the same meaning; the arrow is merely to facilitate interpretation. In decisions, direction “Y” means yes, direction “N” means no. Transactions shall also mean employment, other employment relationships, services provided under a subscription contract or a separate contract or free of charge.
We process personal information on laptops and mobile devices with up-to-date operating systems and software that are protected by passwords, biometrics or two-stage authentication; the devices also have drive-level encryption. Stored data is encrypted and kept in a redundant and synchronized cloud that tracks the activity. The network connections used during processing are also encrypted. We do not install unsigned or unlicensed software or connect to open, unencrypted WiFi networks. Paper-based personal information documents are kept in a lockable room, where people are only allowed to stay with our permission and supervision, and in the event of transport, we use a courier or state post office. The destruction of the media is carried out with a shredder.
Data subjects have the right to be informed about the fact of processing of their data, the data processed, and the way the data is processed. Data subjects are primarily informed in groups operating on the web interface, email or social network, where all stakeholders can view their processed data. If the data subject requests it or the situation requires it (e.g. a data breach, a clear error in the data entered and its rectification, the data designated for deletion and the fact of erasure, the introduction or resolution of the restriction), the data subject will be notified separately at one of the contact details.
In the process of data processing, we strive to proactively address the problems encountered and to ensure maximum cooperation with data subjects and other stakeholders. If the data subject has a complaint or comment about the processing, it shall contact our Data Protection Officer first using the contact details provided above. Nevertheless, the data subject has the right to complain to the National Data Protection and Freedom of Information Authority (www.naih.hu).
The data subject has the right to request termination of processing and the deletion of the data. In the case of the sales register, this also means the withdrawal of the consent. Otherwise, the data will be deleted if there is no justifiable purpose and legal basis for it to be processed. For example, on request, we will also delete contractual data where clearing has already taken place after the termination of the contract, we have no claims against each other and there is no legal order to preserve it. Data that is required to bring forward, enforce, or protect legal claims is not automatically deleted (see legitimate interest register).
The data subject may object to the processing of data in the register of legitimate interests and the processing of data in the marketing register. In the first case, it is necessary to examine whether the claim for legitimate advocacy has actually been made in contact with the person concerned. If so and justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the data subject or which relate to the submission, enforcement or protection of legal claims, the data may be further processed. In the second case, this consent shall be deemed to be withdrawn and the processing in the marketing register shall be terminated immediately.