Data protection

In effect from 1 September 2019.

1./ GENERAL PROVISIONS

1.1./ This Information Document contains information relating to the range of personal data processed by Egy a Természettel Nonprofit Kft. (hereinafter referred to as the “Company”), the term, purpose of and legal grounds for data processing and the rights of data subjects.

1.2./ The Company’s data processing protocol is based on the rules laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation) and Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as the “Information Act”).

1.3./ The Company adopted appropriate measures to enforce the rights of data subjects as laid down in the above two legislative acts during the processing of their personal data.

2./ PURPOSE AND EFFECT OF PRESENT INFORMATION DOCUMENT

2.1./ The purpose of this Information Document is to provide clear and understandable information for data subjects with respect to their personal data managed and/or processed by the Company and its data processors in connection with the performance of the Company’s activities, the sources of the collection thereof, the purpose of, legal grounds for and possible term of processing, the identities and contact details of controllers, their data processing activities, and the purpose of, legal grounds for and recipients of any data transfer.

2.2./ The effect of this Information Document extends to Egy a Természettel Nonprofit Kft. (hereinafter referred to as the “Controller”).

3./ NAME AND DETAILS OF CONTROLLER

Name: Egy a Természettel Nonprofit Kft.

Head office: 1122 Budapest, Maros utca 12.

Company register number: 01-09-337636

Tax number: 26658218-2-43

E-mail address: info@onewithnature2021.org

Mail address: 1122 Budapest, Maros utca 12.

Contact details of data protection officer: info@onewithnature2021.org

You can contact the Company’s data protection officer with any questions or comments you may have regarding data processing at the info@onewithnature2021.org e-mail address.

4./ TERMS

Please note that based on the Regulation, the terms used in this Information Document have the following meanings:

Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: means a natural or legal person […] which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data subject: any natural person identified or identifiable, directly or indirectly, on the basis of personal data.

5./ POSSIBLE LEGAL GROUNDS FOR DATA PROCESSING

5.1./ Based on the Regulation, the processing of personal data is lawful if and to the extent at least one of the following applies:

processing is based on the data subject’s consent,

processing is necessary for the performance and conclusion of a contract,

processing is necessary for compliance with a legal obligation,

processing is necessary in order to protect vital interests (e.g. a person’s life),

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

5.2./ Where processing is based on consent, the Company as controller will be able to demonstrate that the data subject has consented to processing of his or her personal data. A consent is regarded as an appropriate legal ground for the processing of data if it is based on voluntary, specific, clear and adequate information. The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject will be informed thereof. It will be as easy to withdraw as to give consent.

5.3./ If data processing is based on a legal act or a contractual obligation, a possible consequence of failure to supply data is that the data subject will not be able to use the Company’s given service or will not be able to establish a legal relationship with the Company.

5.4./ The Company as controller does not verify the personal data supplied. The supplier of the data has sole responsibility for the data supplied.

5.5./ A condition of applying the legal ground of legitimate interest is that the legitimate interest of the Company as controller intended to be protected will be in proportion to the restriction of the right to the protection of personal data. For the purpose of determining this, a prior interest assessment test must be carried out. As part of the interest assessment test, the Company as controller:

will identify its legitimate interest attached to processing the personal data constituting the subject-matter of the interest assessment test,

will determine the data subject’s interests and rights related to the personal data constituting the subject-matter of the interest assessment test,

will evaluate the data subject’s legitimate interests and the controller’s legitimate interests, and based on this will determine whether the personal data can be processed.

INTRODUCTION OF DATA PROCESSING TYPES

(purpose, legal ground, term, range of processed data)

6./ PROCESSING OF DATA OF APPLICANTS AND CONTRACTUAL PARTNERS

6.1./ Short description of processing: As part of its operations, the Company concludes a variety of contracts (in particular, but not limited to contracts of engagement, contracts for work and services, and grant contracts). The Company’s contractual partners are typically legal entitles (legal persons) to which the provisions relating to the processing of personal data do not apply. However, during the Company’s operations natural persons also submit proposals and applications for grants to the Company, and the Company likewise concludes contracts with natural persons. If the applicant or contracting party is not a business association, they are required to supply certain items of personal data to the Company for the submission of an application or the conclusion of a contract.

6.2./ Legal ground for processing: Article 6(1b) can be identified as legal ground for data processing as processing is necessary for the conclusion of a contract with the Company and the performance of the contract so concluded.

6.3./ Purpose of processing: The purpose of data processing is the establishment and maintenance of a contractual relationship, the performance of the contract, in the case of grant contracts, the verification of the obligations of settlement and reporting, and of the fulfilment of the Company’s obligations of reporting and settlement.

6.4./ Range of processed personal data: Name, name at birth, mother’s name, place and date of birth, address, tax identifier, social security number, bank account number, e-mail address.

6.5./ Term of processing: The Company preserves the personal data placed at its disposal for 10 years.

6.6./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

7./ PROCESSING OF CONTACT PERSON DETAILS STATED IN CONTRACTS

7.1./ Short description of processing: The contracts concluded as part of the Company’s operations often contain contact person details.

7.2./ Legal ground for processing: Article 6(1f) of the Regulation can be identified as legal ground for data processing, meaning a legitimate interest connected to the establishment and maintenance of a contractual relationship between the partner and the Company. In the event of processing based on a legitimate interest, an interest assessment test must be carried out, and the data subjects must be informed of the findings thereof. The Company carried out the necessary interest assessment test. The interest assessment test confirms that the Company’s legitimate interest does not impose a disproportionate restriction on the right of contact persons to the protection of their personal data.

7.3./ Purpose of processing: Maintenance of a contractual relationship as a lawful processing purpose.

7.4./ Range of processed personal data: Name, e-mail address and telephone number of appointed contact person.

7.5./ Term of processing of personal data: 10 years.

7.6./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

8./ PROCESSING OF PERSONAL DATA SUPPLIED IN RESPONSE TO REQUESTS FOR DATA ON THE GROUNDS OF PUBLIC INTEREST

8.1./ Short description of processing: The Company as an agency carrying out public responsibilities often receives requests for data from natural persons on the grounds of public interest.

8.2./ Legal ground for processing: Processing is necessary for compliance with a legal obligation. [Article 6(1c) of Regulation.] Relevant legislative act: Section 26(1) of the Information Act.

8.3./ Purpose of processing: Compliance with a statutory obligation as a lawful purpose of processing. The data applicant’s personal data can only be processed to the extent necessary for complying with the request, assessing the request on the basis of the criterion set forth in Section 29(1a) of the Information Act, and payment of the fee charged for compliance with the request.

8.4./ Range of data processed: Data applicant’s name and contact details to which any information and notifications related to the request for data can be sent [Section 29(1b) of the Information Act.].

8.5./ Term of processing: 1 year [Section 29(1a) of the Information Act.]

8.6./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

9./ PROCESSING OF PERSONAL DATA OF PERSONS REGISTERING FOR THE COMPANY’S EVENTS

9.1./ Short description of processing: The Company regularly organises public and private events where attendance is subject to written registration.

9.2. / Legal ground for processing: Data subject’s voluntary consent [Article 6(1c) of Regulation]. If a natural person confirms attendance of an event organised by the Company via registration and as part of such registration supplies his or her name, telephone number and e-mail address, he or she consents to the processing by the Company of the personal data supplied in the interest of attendance of the given event.

9.3./ Purpose of processing: The purpose of processing is to ensure the attendance of persons who registered for the Company’s given event, to keep records of the persons who registered for attendance for the purpose of determining the number of persons intending to attend the given event and verifying their right to enter the event, and responding to the requests, questions and complaints of data subjects.

9.4./ Range of personal data processed: Registering person’s name, e-mail address and telephone number.

9.5./ Term of processing: If as part of the registration the registrant consents to the processing of his or her personal data until the withdrawal of such consent as well as to the sending of invitations to further events, the Company will erase the data subject’s personal data within 3 business days of the withdrawal of his or her consent. In the absence of such consent, the Company will erase the data subject’s personal data within 3 business days of the event.

9.6./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

10./ PROCESSING OF PERSONAL DATA OF ATTENDEES OF THE COMPANY’S EVENTS

10.1./ Short description of processing: The Company regularly organises public and private events where recordings – photographic and/or video recordings – are made of the images of attendees, performing artists and speakers. In every instance, the Company obtains the consent of performing artists and speakers to the recording of their images in the contracts concluded with such performing artists and speakers. The Company informs other persons attending its events of the rules related to the processing of their personal data – images – in the invitation sent in connection with the event and the present Information Document.

10.2./ Legal ground for processing: Data subject’s voluntary consent [Article 6 (1a) of Regulation.]. If natural persons attend a public or private event of the Company, the Company informs the attendees on a preliminary basis that at the event images will be taken and/or video recordings will be made of the attendees. In this case, attendance as implied conduct amounts to voluntary consent to the recording of their images as well as to the processing, use and disclosure by the Company of their images as personal data.

10.3./ Purpose of processing: The purpose of processing is to record and popularise the Company’s given event.

10.4./ Range of personal data processed: Images of attendees of event.

10.5./ Term of processing: 10 years.

10.6./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

11./ DOCUMENT AND E-MAIL DATA PROCESSING

11.1./ Short description of processing: The documents generated during the Company’s operations exist both in hard copy and in scanned format. The hard copies of documents are stored in the Company’s offices. Electronic documents are stored on the software scripts operating the Company’s websites and on the Company’s own server.

11.2./ Legal ground for processing: In the case of every document, the legal ground for processing depends on the legal ground for the processing of the personal data contained therein; meaning that no separate legal ground for processing can be identified in the case of document management.

11.3./ Purpose of processing: Preserving the data and information featured in paper-based and electronic documents, making them available for further use, and complying with the Company’s various legal obligations (e.g. reporting and settlement obligations, obligations relating to the preservation and forwarding of public deeds).

11.4./ Range of personal data processed: Personal data featured in paper-based and electronic documents.

11.5./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

12./ PROCESSING CONCERNING WEBSITE VISITORS, COOKIES

12.1./ The Company uses cookies on its websites, and so there is processing in relation to the visitors of these websites.

12.2./ Websites operated by the Company:

https://onewithnature2021.org/

https://nimrod.hu

12.3./ Short description of processing: Information relating to website visiting constitutes personal data if such data can be associated with the data subject. Range of data subjects: all data subjects visiting the websites.

12.4./ Purpose of processing: Generating statistics, tracking visitors.

12.5./ Legal ground for processing: The legal ground for processing is the data subject’s consent under Article 6(1a) of the Regulation.

12.6./ Range of personal data processed: client ID, dates and times.

12.7./ Term of processing: Session cookie: for identification on entry, PHP session id: erased with closing down of browser.

12.8./ Linked IT systems: Software scripts operating the Company’s websites and the Company’s own server.

 

13./ MAILING OF NEWSLETTERS

13.1./ Purpose of processing: The Company informs registered users of important events organised by the Company or its partners as well as of the Company’s promotions, prize games, product offers, etc. in newsletters. The purpose of processing is the mailing of newsletters to registered users in the interest of keeping data subjects informed.

13.2/ The legal ground for processing is based on Article 6(1a) of the Regulation (consent). Range of data processed: Data subject’s name and e-mail address. Term of processing: The Company processes data until the data subject requests the erasure of his or her data by unsubscribing from the newsletter and/or sending an e-mail message to info@onewithnature2021.org.

13.3./ Data of processors used by the Company:

– operator of the Company’s e-mail system

− provider operating the Company’s websites

− the Company’s server operating provider.

 

14./ OTHER DATA PROCESSING

14.1./ The Company is engaged in newsletter mailing and direct marketing activities.

14.2./ The Company does not make sound recordings of telephone conversations.

14.3./ Entry into the Company’s head office at 1122 Budapest Maros utca 12. is permitted with the use of entry cards. As the Company does not request data about entries and exits, entry into and exit from the Company’s head office does not involve the processing of personal data by the Company.

15./ USE OF SERVICES OF PROCESSORS BY THE COMPANY

15.1./ As part of its activities, the Company as controller uses the services of processors in some instances. These processors record, manage and process the personal data transferred to them by the Company in harmony with the Regulation, and regarding this they are required to issue a declaration to the Company.

15.2./ For compliance with its obligations related to taxation and accounting, the Company uses the services of external providers on the basis of contracts for bookkeeping and audit services. These providers process the personal data of natural persons engaged in a contractual or payment relationship with the Company for the purpose of complying with the obligations of taxation and accounting lying with the Company.

15.3./ The Company uses the services of external processors in relation to payroll services, legal services, newspaper distribution services and public procurement consulting services.

15.4./ In the case of engaged claims collectors, the content of the specific engagement determines whether they qualify as processors or independent controllers.

15.5./ The Company transfers the necessary data to its processors on the basis of processing contracts, in the manner determined therein. The Company’s processors conduct their operations in Hungary.

16./ DATA TRANSFER

16.1./ The Company transfers personal data to entities outside Hungary.

16.2./ The Company as a majority state-owned business association is required to transfer personal data to its founder, state control agencies and in the case of aid or donations, to its donors in relation to a variety of legal relationships. If the Company is required to transfer to an agency personal data placed at its disposal in a contractual relationship established with a natural person, the Company is required to inform the data subject thereof at the time of the establishment of the legal relationship, at the latest.

16.3./ Based on Section 12(1) of Act LXVI of 1995 on the Protection of Public Deeds, Public Archives and Private Archive Materials, the Company is required to hand over to the competent public archive the full and closed annual volumes of public deeds that cannot be discarded by the end of the fifteenth year reckoned from the calendar year in which such deeds were generated.

17./ RIGHTS OF DATA SUBJECTS

17.1./ According to the definition of the Regulation, “a data subject” is a natural person identified or identifiable, directly or indirectly, on the basis of personal data. For the purposes of the Company’s data processing activities, data subjects have the following rights.

17.2./ This is to inform data subjects that before granting any request for the enforcement of rights, the Company is required to identify the person submitting the request. If the Company has well-founded doubts in connection with the identity of the natural person submitting a request, the Company may request the provision of further information necessary for confirming his or her identity.

17.3./ Any requests related to the exercise of any of the following rights are to be sent by e-mail to the e-mail address info@onewithnature2021.org, or by mail to the Company’s mail address at 1122 Budapest, Maros utca 12.

17.4./ Request for information

Data subjects have the right to receive information regarding the processing of their personal data and the enforcement of their rights. In the event of any such request, please contact the Company in writing (in an e-mail message or in a letter sent by post). The Company will provide the requested information as set forth in this Data Processing Information Document, in writing. The Company may refuse a request if it proves that it is unable to identify the data subject. This is to inform data subjects that the right to request information does not extend to data processed on the basis of statutory regulations.

17.5./ Right of access

Data subjects have the right to receive feedback from the Company on request about whether the processing of their personal data is ongoing. If such processing is ongoing, they have the right to be given access to the personal data processed as well as to the following data.

  1. a) purposes of processing,
  2. b) categories of personal data concerned,
  3. c) recipients or categories of recipients to whom or which personal data has been or will be transferred, including in particular recipients in third countries and international organisations,
  4. d) where appropriate, planned term of storage of personal data, or if this is not possible, criteria for determining the term of storage,
  5. e) data subjects may request the controller to rectify, erase or restrict the processing of personal data relating to their persons, and may object to the processing of such personal data,
  6. f) data subjects have the right to lodge a complaint with the competent supervisory authority,
  7. g) if the data did not originate from the data subject, all available information relating to its source,
  8. h) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Company’s practice for guaranteeing the right of access: At the data subject’s request, the Company will provide a copy of the personal data constituting the subject-matter of processing. If the data subject submitted his or her request by electronic means or the personal data is processed by electronic means, the information will be provided in a commonly used electronic form, unless otherwise requested by the data subject. At the data subject’s request, the Company will respond without undue delay, but within 30 days at the latest, and if it is unable to meet a request for any reason, it is required to state its reasons. In default, the Company provides a copy of personal data free of charge. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs, while the Company may also charge a reasonable fee if there is a simpler, swifter and more cost-effective method of delivery than the method requested by the data subject.

17.6./ Right to rectification

The data subject has the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

17.7./ Right to erasure (‘right to be forgotten’)

The data subject has the right to obtain from the Company the erasure of personal data concerning him or her without undue delay and the Company has the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  3. c) the data subject objects to the processing pursuant to the relevant provision of the Regulation, and there are no overriding legitimate grounds for the processing;
  4. d) the personal data have been unlawfully processed;
  5. e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject.

The Company is not required to erase the data if data processing is necessary for any of the following reasons:

  1. a) for exercising fundamental rights (rights of freedom of expression and information);
  2. b) in the event of mandatory processing (compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject);
  3. d) for reasons of public interest (e.g. for archiving purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing); or
  4. e) for the establishment, exercise or defence of legal claims.

The right to erasure cannot result in the erasure of personal data relating to the data subject which the data subject supplied for the purposes of the performance of a contract if and to the extent the personal data in question is necessary for the performance of the given contract. The right to erasure is further not applicable in cases where the term of processing is regulated by law, e.g. in the case of invoices as invoices are to be kept for a period of 8 years based on the relevant statutory rules.

If the Company has made any personal data public which it is then required to erase – taking account of available technology and cost of implementation – the Company will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. The rules of exception also apply to this case.

17.8./ Right to restriction of processing

The data subject has the right to obtain from the Company restriction of processing where one of the following applies:

a)     the accuracy of the personal data is contested by the data subject (in this case, restriction applies to a period which enables the Company to verify the accuracy of the personal data);

 

b)    the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

 

c)     the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

 

d)    the data subject has objected to processing; in this case, restriction is pending the verification whether the legitimate grounds of the Company override those of the data subject.

Where processing has been restricted, such personal data will, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing will be informed by the Company before the restriction of processing is lifted.

17.9./ Right to data portability

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company to which the personal data have been provided, where:

 

a)     the processing is based on consent or on a contract; and

 

b)    the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

This is to inform data subjects that the right to data portability can only be exercised in the event of the combined existence of the above conditions (if the processing is based on consent or on a contract AND the processing is carried out by automated means). Therefore, the right to data portability does not apply to data processed on the basis of statutory rules. As pursuant to the guidance of the Article 29 Working Party (WP29) the right to data portability only applies to processing by automated means, it does not apply to paper-based processing.

17.10./ Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on the Company’s legitimate interest. In this case, the Company will no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

18./ MODALITIES FOR THE EXERCISE OF RIGHTS

18.1./ The Company will provide information on action taken on a request to the data subject without undue delay and in any event within 25 days of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company will inform the data subject of any such extension within 25 days of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information will be provided by electronic means where possible, unless otherwise requested by the data subject.

18.2./ If the Company does not take action on the request of the data subject, the Company will inform the data subject without delay and at the latest within 25 days of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

18.3./ Information provided on the basis of the right to information and any communication and any actions taken in connection with the exercise of rights will be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either:

  1. a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
  2. b) refuse to act on the request.

The Company will bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

19./ REMEDIES

19.1./ Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the Regulation.

19.2./ Without prejudice to any other administrative or non-judicial remedy, each data subject has the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged.

19.3./ Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject has the right to an effective judicial remedy where he or she considers that his or her rights under the Regulation have been infringed by the Company as a result of the processing of his or her personal data in non-compliance with the Regulation. Proceedings against the Company as controller or a processor will be brought before the courts of the Member State where the Company as controller or the processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.

19.4./ Any complaints related to the Company’s data processing practice can be lodged with the National Authority for Data Protection and Freedom of Information (NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., mail address: 1530 Budapest, Pf.: 5., telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, e-mail: ugyfelszolgalat@naih.hu, website: https://www.naih.hu) or with a court. Assessment of the lawsuit will fall within the jurisdiction of the tribunal with competence. Tribunal with competence as per head office of the Company: Metropolitan Tribunal. Alternatively, such proceedings may be brought before the tribunal where the data subject has his or her place of residence or habitual residence.

20./ DATA SECURITY MEASURES

20.1./ In the interest of ensuring the security of personal data in relation to all modes of processing, the Company will implement all technical and organisational measures and will put in place all procedural rules which are necessary for compliance with the Regulation and the Information Act.

20.2./ The Company will take appropriate measures to protect personal data against the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.

20.3./ The Company will treat personal data as confidential data. The Company will require its employees to comply with a statutory obligation of confidentiality. The Company will limit access to personal data by designating access levels.

20.4./ The Company will protect its IT systems with firewall and virus protection.

20.5./ Security requirements relating to personal data processed by the Company in hard copy:

regardless of the data carrier, only duly authorised persons will have access to all personal data; measures will be implemented to prevent any unauthorised access or unauthorised disclosure,

documents must be stored on dry premises safely lockable with a key, featuring fire protection and surveillance equipment,

staff members of the Company engaged in processing can only leave the office or the premises where processing is carried out during working hours after locking away such documents or locking the premises,

these security rules also apply to working from home.

20.6./ In the interest of adhering to the security requirements applicable to personal data stored on computers, networks or in the cloud:

the Company will determine security requirements in relation to computers used for the processing of personal data,

personal data stored on computers, networks or in the cloud can only be accessed with valid, personalised and identifiable access authorisation,

if the objective of the processing of personal data has been achieved, the time limit of processing has expired or the lawful nature of processing has ceased for any reason, the file containing such data will be erased irreversibly in such a way that the data contained therein can no longer be retrieved,

the Company will provide for firewall security and other virus protection of computers,

during the processing of personal data, there is continuous security saving, while in network systems security saving is carried out at regular intervals,

the Company will provide for the IT protection of the personal data processed by it with the use of appropriate, modern computer devices and IT methods.

20.7./ During the automated processing of personal data, the Company will implement further measures:

  1. a) to prevent unauthorised data entry;
  2. b) to prevent the use of automated data processing systems by unauthorised persons with the means of data transmission equipment;
  3. c) to safely control and verify to which agencies personal data have been transferred or could be transferred with the means of data transmission equipment;
  4. d) to safely control and verify who entered which personal data in the automated data processing systems and when;
  5. e) to restore the availability of installed systems in the case of any disruption (reinstallation, restoration of data to status of last saving) and
  6. f) to ensure the generation of reports about any errors occurring during automated processing.

20.8./ Web hosting services are operated by the Company itself.

20.9./ Only authorised personnel have access to pending cases and documents under processing, the Company keeps documents containing personal data safely locked away, and ensures that only authorised personnel have access to the keys to such premises (filing cabinets).

21./ ENTRY INTO FORCE AND AMENDMENT OF DATA PROCESSING INFORMATION

21.1./ Date of entry into force of Data Processing Information Document: 1 September 2019.

21.2./ The Company reserves the right to amend and update this Information Document unilaterally, without prior notification, effective from a date following such amendment.