GDPR

Scope of the processed data

Information required for submitting a quote via the website

In connection with the above data processing, the Data Controller draws attention to the fact that if the applicant does not provide all of the above data, failure to provide the data may result in exclusion from the selection process.

1.4 Recipients of personal data, categories of recipients

Pursuant to Act LXXVII of 2013, the Data Controller is obliged to transfer the participants' data to the following partner:

• Name of the recipient

• Category of the recipient

• Activity involving the recipient

1.5 Processing of sensitive data

The Data Controller does not process sensitive data.

1.6 Data pertaining to the data subject obtained from other sources

The Data Controller does not obtain data pertaining to the data subject from other sources.

1.7 Rights of data subjects

The applicant may request the Data Controller to access, correct, or delete their personal data, and in certain cases may also request the restriction of data processing and object to the processing of personal data. The applicant also has the right to data portability and to lodge a complaint with a supervisory authority, as well as the right to legal remedy and, in the case of automated decision-making in individual cases, the right to choose the effect of the decision and to request human intervention.

In the case of consent-based data processing, the applicant is also entitled to withdraw their consent at any time, which does not affect the lawfulness of data processing carried out on the basis of consent prior to withdrawal.

A) Right of access

The applicant is entitled to request information at any time regarding whether and how their personal data is processed by the Data Controller, including the purposes of data processing, the recipients with whom their data has been shared, the source from which the Data Controller obtained the data, the retention period, any rights relating to data processing, information on automated decision-making and profiling, and, in the case of transfer to a third country or international organisation, information on the relevant safeguards. When exercising their right of access, applicants are also entitled to request a copy of the data. In the case of requests submitted electronically, unless the applicant requests otherwise, the Data Controller shall provide the requested information electronically (in PDF format). If the applicant's right of access adversely affects the rights and freedoms of others, in particular their business secrets or intellectual property, the Data Controller shall be entitled to refuse the applicant's request to the extent necessary and proportionate. If the applicant requests multiple copies of the above information, the Data Controller shall charge a reasonable fee proportional to the administrative costs of producing the additional copies, at a rate of HUF 200 per copy/page.

B) Right to rectification

The Data Controller shall rectify or supplement the personal data relating to the applicant at their request. If there is any doubt about the rectified data, the Data Controller may ask the applicant to provide the Data Controller with appropriate proof of the rectified data, primarily in the form of a document. If the Data Controller has disclosed the personal data of the applicant exercising this right to other persons (i.e., recipients such as data processors), the Data Controller shall inform these persons immediately after rectifying the data, provided that this is not impossible or does not require a disproportionate effort on the part of the Data Controller. At the request of the applicant, the Data Controller shall inform the applicant of these recipients.

C) Right to erasure (“right to be forgotten”)

If the applicant requests the easure of some or all of their personal data, the Data Controller shall erase it without undue delay if:

•the Data Controller no longer needs the personal data for the purpose for which it was collected or otherwise processed;

•the data processing is based on the applicant's consent, but the applicant has withdrawn their consent and there is no other legal basis for the data processing;

•the data processing is based on the legitimate interests of the Data Controller or a third party, but the applicant has objected to the data processing and — except for objections to data processing for direct marketing purposes — there are no overriding legitimate grounds for the data processing;

•the personal data has been unlawfully processed by the Data Controller, or

•the erasure of personal data is necessary to comply with a legal obligation.

If the Data Controller has disclosed the personal data concerned by this right to other persons (i.e. recipients, such as data processors), the Data Controller shall inform these persons immediately after the erasure, provided that this is not impossible or does not require a disproportionate effort on the part of the Data Controller. At the request of the applicant, the Data Controller shall inform them of these recipients. The Data Controller is not obliged to erase personal data in all cases, in particular where the processing is necessary for the establishment, exercise, or defense of legal claims.

D) Right to restriction of processing

The applicant may request the restriction of the processing of their personal data in the following cases:

•the applicant disputes the accuracy of the personal data – in this case, the restriction applies to the period of time that allows the data controller to verify the accuracy of the personal data;

•the processing is unlawful, but the applicant opposes the erasure of the data and requests the restriction of their use instead;

•the Data Controller no longer needs the personal data for data processing purposes, but the applicant requires them for the submission, enforcement, or protection of legal claims; or

•the applicant has objected to the processing of their data – in this case, the restriction applies for the period until it is determined whether the legitimate grounds of the Data Controller take precedence over the legitimate grounds of the applicant.

Restriction of processing means that the personal data subject to restriction shall, with the exception of storage, not be processed by the Data Controller or shall only be processed within the scope to which the applicant has consented or the Data Controller has such consent. Even in the absence of consent, the Data Controller may process data that is necessary for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State of the European Union. The Data Controller shall inform the applicant in advance of the lifting of the restriction on data processing. If the Data Controller has disclosed the personal data concerned by this right to other persons (i.e., recipients such as data processors), the Data Controller shall inform those persons of the restriction of processing without delay, unless this proves impossible or involves a disproportionate effort on the part of the Data Controller. At the request of the applicant, the Data Controller shall inform these recipients.

E) Right to object

If the legal grounds for data processing relating to the applicant is the legitimate interest of the Data Controller or a third party, the applicant has the right to object to the data processing. The Data Controller is not obliged to comply with the objection if the Data Controller proves that

•data processing is justified by compelling legitimate grounds that override the interests, rights, and freedoms of the applicant, or

•data processing is related to the establishment, exercise, or defence of the Data Controller's legal claims.

G) Right to complain, right to judicial remedy

If the applicant considers that the processing of their personal data by the Data Controller violates the data protection laws in force at any given time, in particular the provisions of the General Data Protection Regulation, they have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information ("NAIH"). The contact details of the NAIH are as follows:

• Website: http://naih.hu/

• Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

• Postal address: 1530 Budapest, P.O. Box 5.

• Phone: +36-1-391-1400

• Fax: +36-1-391-1410

• Email: ugyfelszolgalat@naih.hu

The applicant has the right to lodge a complaint with another supervisory authority, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement.

Regardless of their right to lodge a complaint, applicants may also take legal action in the event of the above infringement of their rights. In the case of the Data Controller, the competent court is the Fővárosi Törvényszék (Budapest High Court); applicants may also file a suit at the court with jurisdication at their place of residence. The contact details of the courts in Hungary can be found at the following link: http://birosag.hu/torvenyszekek. The applicant may also file a suit in the court with jurisdiction and competence in the Member State of their habitual residence, if the data subject's habitual residence is in another Member State of the European Union. The applicant is also entitled to appeal to the courts against a legally binding decision of the supervisory authority concerning the applicant. The applicant is also entitled to judicial redress if the supervisory authority fails to address the complaint or fails to inform the applicant within three months of the progress or outcome of the proceedings relating to the complaint submitted. The applicant has the right to entrust a non-profit organisation or association properly constituted in accordance with the law of an EU Member State that has statutory objectives which are in the public interest and the protection of data subjects' rights and freedoms with regard to the protection of their personal data, with the submission of the complaint on the applicant's behalf, the judicial review of the supervisory authority's decision, filing a suit, and enforcing their right to compensation on their behalf.

1.8 Automated decision-making, profiling

The Data Controller does not use automated decision-making or profiling when processing data relating to applicants.

***

Effective: 25 May 2018