Privacy policy
Data Processing Policy
ON THE RIGHTS OF THE NATURAL PERSONS CONCERNED
WITH REGARD TO THE MANAGEMENT OF THEIR PERSONAL DATA
TABLE OF CONTENTS
INTRODUCTION
CHAPTER I - NAME OF THE DATA MANAGER
CHAPTER II - NAME OF THE DATA PROCESSORS
- Tradford IT Service Provider
CHAPTER III - ENSURING THE LEGALITY OF DATA MANAGEMENT
- Data management based on the consent of the person concerned
- Data management based on the fulfillment of a legal obligation
- Facilitating the exercise of the rights of the person concerned
CHAPTER IV - VISITOR DATA MANAGEMENT ON THE TRADFORD WEBSITE - APPLICATION OF COOKIE
CHAPTER V - INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED
INTRODUCTION
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), provides that the controller shall take appropriate measures to give the persons concerned all information on the treatment of their personal data in a concise, transparent, comprehensible and easily accessible form, in clear and understandable language, and that the controller shall facilitate the exercise of the rights of the persons concerned.
Act CXII on the right to informational self-determination and on freedom of information also provides for the obligation to inform the data subject in advance.
By following the information provided below, we comply with this statutory obligation.
The information must be published on Tradford's website or sent to the person concerned at its request.
CHAPTER I
NAME OF THE DATA MANAGER
The publisher of this information, at the same time the Data Manager:
Brand Name: Tradford
Head office: 2040 Budaörs Ebner Gy. Köz 2.
Tax ID No.:
Representative: Gyula Szarvas
Phone: +36309772648
Fax: [de]
Website: www.tradford.com
('Tradford'),
CHAPTER II
NAME OF THE DATA PROCESSORS
Data Processor: a natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data controller (Regulation, Article 4, point 8).
The use of the data processor does not require the prior consent of the data subject, but it is necessary to inform him / her. Accordingly, we provide the following information:
- Tradford IT Service Provider
To maintain and manage its website, Tradford uses a data processor that provides IT services (hosting service) and, in this context, for the duration of our contract, manages the personal information provided on the website and the personal data stored on the server.
This data processor is named as follows:
Company name: Profitárhely Limited liability company
Head office: 6000 Kecskemét, Szolnoki út 23.
Company registration number: 01-09-909968
Tax number: 14571332-2-42
Representative: Zoltán Kárpáti
Phone number: 06 1 789 2789
E-mail address: iroda@tarhely.eu
Website: www.tarhely.eu
- Postal Services, Delivery, Sending Shipment
These processors receive from Tradford the personal data necessary for the delivery of the ordered product (name, address, telephone number) and use it to deliver the product.
These providers are:
"Magyar Posta Zrt"
Flat rate
Company name:
Registered office:
Tax ID No.:
Represented by:
Phone number:
CHAPTER III
ENSURING THE LEGALITY OF DATA MANAGEMENT
- Data management based on the consent of the person concerned
(1) If Tradford wishes to perform data management based on consent, the consent of the person concerned to the handling of his / her personal data shall be requested using a data request form with the content and information set out in the Data Management Policy.
(2) It also counts as consent if the person concerned, when viewing Tradford's website, ticks a relevant box, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action that, in that context, clearly indicates his or her consent to the intended management of his or her personal information. Silence, a pre-ticked box or inaction is therefore not consent.
(3) Consent shall cover all data management activities carried out for the same purpose or purposes. If data management serves multiple purposes at a time, the consent must be given for all data management purposes.
(4) If the consent of the party concerned is provided in the context of a written statement that also applies to other matters, such as the conclusion of a contract of sale or service, the request for consent must be presented in a manner clearly distinct from these other matters, in a clear and easily accessible form, in simple language. Any part of such a declaration containing the consent of the person concerned that violates the Regulation shall not have binding force.
(5) Tradford may not make the conclusion or performance of a contract conditional on consent to the processing of personal data that are not necessary for the performance of the contract.
(6) The withdrawal of consent should be allowed in the same simple way as the granting of the consent.
(7) If the personal data has been collected with the consent of the data subject, the data controller may, unless otherwise provided by law, handle the recorded data for the fulfillment of a legal obligation applicable to it without further special consent, and also after the withdrawal of the consent of the person concerned.
- Data management based on the fulfillment of a legal obligation
(1) In the case of data processing based on a legal obligation, the provisions of the applicable law shall govern the scope of the manageable data, the purpose of data management, the length of the data storage, and the addressees.
(2) Data management based on the fulfillment of a legal obligation is independent of the consent of the party concerned, as the data management is defined by law. In this case, the data subject must be informed prior to the processing of the data that the data handling is compulsory, and must be clearly and thoroughly informed about all the facts related to the management of his or her data, including the data and legal basis of data management, data handling and data processing, the duration of the data handling, whether the personal data of the person concerned is handled by the data controller on the basis of a legal obligation applicable to it, and who may access the data. The information should also include the rights and remedies available to the data subject. In the case of mandatory data handling, the information may also be provided by making public a reference to the legal provisions containing the foregoing information.
- Facilitating the exercise of the rights of the person concerned
Tradford must ensure, in all of its data management, that the person concerned can exercise his or her rights.
CHAPTER IV
VISITOR DATA MANAGEMENT ON TRADFORD WEBSITE - APPLICATION OF COOKIE
- Visitors to the website should be informed about the use of cookies and, except for technically essential session cookies, their consent should be sought.
- General information about cookies
2.1. A cookie is a piece of data (a variable name and value) that the visited website sends to the visitor's browser so that the browser stores it and the same website can later read its contents. A cookie can have a validity period: it may be valid until the browser closes, or for an unlimited period of time. Later on, the browser also sends this data to the server with every HTTP(S) request. This changes the data on the user's machine.
2.2. The essence of the cookie is that the nature of website services makes it necessary to identify a user (e.g. that he or she has entered the page) and to handle him or her accordingly. The danger lies in the fact that the user is not always aware of this, and that the cookie may allow the website operator, or another service provider whose content is built into the page (e.g. Facebook, Google Analytics), to follow the user and create a profile, in which case the cookie content can be considered personal information.
2.3. Types of Cookies:
2.3.1. Technically indispensable session cookies: without these the page simply would not work functionally; they are needed to identify the user, for example to keep track of whether he or she has logged in, what he or she has put in the basket, etc. Such a cookie typically stores a session ID; the other data is stored on the server, which is safer. There is a security aspect: if the session cookie value is not generated well, there is a risk of session hijacking, so it is imperative that these values are generated properly. In other terminology, every cookie that is deleted on exit from the browser is called a session cookie (a session is one use of the browser from start to exit).
2.3.2. Cookies that facilitate use: this is the name for cookies that remember the user's choices, such as the form in which the user wants to see the page. These types of cookies are essentially setting data stored in the cookie.
2.3.3. Performance cookies: although they do not have much to do with 'performance', this is the usual name for cookies that gather information about the user's behavior, time spent, and clicks on the site he or she visits. These are typically third party applications (e.g. Google Analytics, AdWords, or Yandex.ru cookies). They are suitable for building a profile of the visitor.
Learn more about Google Analytics cookies here:
https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
To learn more about Google AdWords cookies:
https://support.google.com/adwords/answer/2407785?hl=hu
2.4. Accepting or enabling cookies is optional. You can reset your browser settings to reject all cookies or to indicate when a cookie is just being sent. Most browsers accept cookies automatically as default, but they can usually be changed to prevent automatic acceptance and offer options every time.
See the links below for the most popular browser cookie settings:
- Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
- Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
- Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
- Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
- Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
- Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
- Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
- Safari: https://support.apple.com/hu-hu/HT201265
However, we also note that certain site features or services may not function properly without cookies.
3. Information on the cookies used on the Tradford website and on the data generated during the visit
3.1. Scope of the data handled: during a visit, Tradford's website may record and manage the following information about the visitor and the device he / she uses for browsing:
- the IP address used by the visitor,
- browser type,
- features of the operating system of the device used for browsing (configured language),
- visit date,
- the visited (sub) page, feature or service.
These data are kept for up to 90 days and can be used primarily to investigate security incidents.
3.2. Cookies on the website
3.2.1. Technically indispensable session cookies
The purpose of data management is to ensure the proper functioning of the website. These cookies are needed so that visitors can browse the website and use its features and the services available through it seamlessly and fully, including, in particular, remembering the actions performed by the visitor on the given pages, or identifying the logged-in user, during a visit. The duration of data management for these cookies is limited to the visitor's current visit; this type of cookie is automatically deleted from the computer when the session is completed or when the browser is closed.
The legal basis for this data management is Section 13/A (3) of Act CVIII of 2001 on Electronic Commerce Services and certain Information Society Services, according to which the provider may treat the personal data that is technically indispensable for providing the service. If the other conditions are identical, the service provider must choose and always operate the tools used to provide the information society service in such a way that personal data is processed only if it is strictly necessary for the provision of the service and for the fulfillment of the other purposes set out in this Act, and in this case also only to the extent and for the time required.
3.2.1. Cookies that facilitate use:
They remember the user's choices, for example, in what form the user wants to see the page. These types of cookies are essentially setting data stored in the cookie.
The legal basis for data handling is the visitor's consent.
The purpose of data management is to increase service efficiency, improve the user experience, and make the site more comfortable to use.
This data is stored on the user's computer; the website only accesses it and thereby recognizes the visitor.
3.2.2. Performance cookies:
They collect information about the user's behavior, time spent, and clicks on the site he or she visits. These are typically third party applications (e.g. Google Analytics, AdWords).
Legal basis for data management: the consent of the person concerned.
The aim of the data management is to analyze the website and to send promotional offers.
CHAPTER V
INFORMATION ON THE RIGHTS OF THE PERSON CONCERNED
- The rights of the person concerned briefly summarized:
- Transparent information, communication and facilitating the exercise of the rights of the person concerned
- Right to prior information - where personal data are collected from the data subject
- Information to the person concerned and information to be made available if personal data have not been obtained from the person concerned
- Right of access of the person concerned
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to Restrict Data Management
- Obligation to notify regarding the rectification or erasure of personal data or the restriction of data processing
- Right to data portability
- Right to object
- Automated decision-making in individual cases, including profiling
- Restrictions
- Informing the person concerned about the privacy incident
- The right to complain to a supervisory authority (right to an administrative remedy)
- Right to an effective judicial remedy against the supervisory authority
- Right to an effective remedy against data controller or data processor
- Rights of the data subject in detail:
- Transparent information, communication and facilitating the exercise of the rights of the person concerned
1.1. The data controller shall provide the data subject with all information on the management of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner, in particular for any information addressed to children. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. Oral information may be provided at the request of the person concerned, provided that the identity of the person concerned has been verified otherwise.
1.2. The data controller must facilitate the exercise of the rights of the data subject.
1.3. The data controller shall inform the data subject without undue delay, but in any event within one month of the receipt of the request, of the measures taken on his or her application for the exercise of his or her rights. This time limit may be extended by two additional months under the terms of the Regulation, of which the person concerned should be informed.
1.4. If the data controller fails to take measures in response to the request of the data subject, it shall inform the data subject without delay, and at the latest within one month of the receipt of the request, of the reasons for the non-action and of the fact that he or she may file a complaint with a supervisory authority and exercise his or her right of judicial redress.
1.5. The data controller provides the information and takes the measures concerning the rights of the person concerned free of charge, but fees may be charged in the cases described in the Regulation.
The detailed rules are set out in Article 12 of the Regulation.
- Right to prior information - if the personal data is collected from the person concerned
2.1. The person concerned has the right to be informed about the facts and information related to data management prior to the commencement of the processing of data. In this context, the person concerned should be informed of:
(a) the identity and contact details of the data controller and his representative,
(b) the contact details of the Data Protection Officer (if any),
(c) the purpose of the planned treatment of personal data and the legal basis for data processing,
(d) in the case of data handling based on the enforcement of a legitimate interest, the legitimate interests of the data controller or third party,
(e) the addressees of personal data with whom personal data are communicated, and the categories of recipients, if any;
(f) where applicable, the fact that the data controller wishes to transmit personal data to a third country or an international organization.
2.2. In order to ensure fair and transparent data management, the data controller must inform the data subject of the following additional information:
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
(b) the right of the data subject to request the data controller to access, correct, delete or restrict the handling of the personal data relating to the data subject, to object to the handling of such personal data, and the right of the data subject to data portability;
(c) in the case of data handling based on the consent of the party concerned, the right to withdraw the consent at any time without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
(d) the right to lodge a complaint addressed to the supervisory authority;
(e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract and whether the data subject is obliged to provide personal data and the possible consequences of the lack of data provision;
(f) the existence of automated decision-making, including profiling, and at least in such cases the logic employed and information about the significance of such data management and the likely consequences for the data subject.
2.3. If the data controller wishes to perform further data processing on the personal data for a purpose other than the purpose of their collection, he / she must inform the person concerned of this different purpose and any relevant additional information prior to further processing.
The detailed rules for the right of prior information are contained in Article 13 of the Regulation.
- Information to the person concerned and information to be made available if personal data have not been obtained from the person concerned
3.2. Further rules are set out in Section 2 (Right to prior information).
Detailed rules for this information are contained in Article 14 of the Regulation.
- Right of access to the subject
4.1. The person concerned has the right to be informed by the data controller about whether his personal data is being processed and, if such data is being processed, he has the right to access the personal data and the related information described in points 2-3 above (Article 15 of the Regulation).
4.2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the corresponding guarantees provided for in Article 46 of the Regulation.
4.3. The data controller shall provide the data subject with a copy of the personal data subject to data handling. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.
Detailed rules for the right of access of the person concerned are set out in Article 15 of the Regulation.
- Right to rectification
5.1. The data subject shall have the right to have the Data Controller rectify, upon request and without undue delay, any inaccurate personal data relating to him or her.
5.2. Taking into account the purpose of data management, the person concerned has the right to request the addition of incomplete personal data, including by means of a supplementary statement.
These rules are set out in Article 16 of the Regulation.
- Right to erasure ("right to be forgotten")
6.1. The data subject shall have the right to have the data controller delete the personal data relating to him without undue delay at his request, and the data controller shall be required to delete the personal data of the data subject without undue delay if
(a) the personal data is no longer required for the purpose for which it was collected or otherwise handled;
(b) the party concerned withdraws the consent on which the data processing is based and there is no other legal basis for the data processing;
(c) the person concerned objects to his or her data handling and there is no overriding legitimate reason for the data handling,
(d) the personal data has been unlawfully handled;
(e) the personal data are to be deleted in order to comply with the legal obligation imposed on the data controller in the Union or Member States' law;
(f) the personal data were collected in connection with the offer of information society services directly to children.
6.2. The right to erasure cannot be enforced if data management is required
(a) to exercise the right to freedom of expression and information;
(b) to fulfil an obligation under the law of the Union or of a Member State applicable to the data controller, or to carry out a task performed in the public interest or in the exercise of public authority vested in the data controller;
(c) for reasons of public interest in the field of public health;
(d) for purposes of public interest archiving, for scientific and historical research purposes or for statistical purposes, provided that the right to erasure would be likely to render impossible or seriously undermine this data management; or
(e) to file, enforce or protect legal claims.
Detailed rules on the right to erasure are set out in Article 17 of the Regulation.
- Right to Restrict Data Management
7.1. Where data processing is restricted, such personal data may, with the exception of storage, only be managed with the consent of the person concerned, or for the submission, enforcement or protection of legal claims, or for the protection of the rights of another natural or legal person, or in the public interest of the Union or of a Member State.
7.2. The data subject shall have the right to request that the Data Controller restrict the processing of data if one of the following conditions is met:
(a) the person concerned disputes the accuracy of the personal data; in this case, the restriction concerns the period of time that allows the Data Controller to check the accuracy of the personal data;
(b) the data handling is unlawful and the data subject is opposed to the deletion of the data and, instead, requests that their use be restricted;
(c) the Data Controller no longer needs the personal data for data processing, but the data subject requires them in order to submit, enforce, or protect legal claims; or
(d) the person concerned has objected to the data handling; in that case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller have priority over the legitimate grounds of the party concerned.
7.3. The person concerned must be informed in advance of the lifting of the restriction on data handling.
The relevant rules are set out in Article 18 of the Regulation.
- Obligation to notify regarding the rectification or erasure of personal data or the restriction of data processing
The data controller informs all addressees with whom or with which the personal information has been communicated of any rectification, deletion or data limitation, unless this proves impossible or requires disproportionate effort. At the request of the data subject, the data controller shall inform him or her of these addressees.
These rules are contained in Article 19 of the Regulation.
- Right to data portability
9.1. Subject to the conditions set out in the Regulation, the data subject shall have the right to receive the personal information that he or she has provided to a data controller in a structured, widely used, machine-readable format, and shall be entitled to transmit this data to another data controller without hindrance from the data controller to whom the personal data were provided, if
(a) the processing of data is based on consent or on a contract; and
(b) data management is carried out in an automated manner.
9.2. The person concerned may also request the direct transfer of personal data between data controllers.
9.3. The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation (the right to erasure, "the right to be forgotten"). The right to data portability is not applicable in the case where data processing is necessary for the performance of a task in the public interest or in the exercise of public authority powers conferred on the data controller. This right should not adversely affect the rights and freedoms of others.
Detailed rules are set out in Article 20 of the Regulation.
- Right to object
10.1. The person concerned has the right to object at any time to the processing of personal data that is based on the public interest or the performance of a public task (Article 6 (1) (e)) or on a legitimate interest (Article 6 (1) (f)), including profiling based on those provisions. In this case, the data controller may not continue to process the personal data unless the data controller proves that the data processing is justified by compelling legitimate reasons that prevail over the interests, rights and freedoms of the data subject, or that are related to the submission, enforcement or protection of legal claims.
10.2. If personal data is handled for direct marketing, the person concerned is entitled to object at any time to the handling of personal data relating to him or her for that purpose, including profiling, if it is related to direct marketing. If a person objects to the personal data being handled for direct marketing purposes, the personal data may no longer be handled for that purpose.
10.3. These rights must be explicitly brought to the attention of the person concerned at the latest at the time of the first contact with him or her, and the relevant information must be presented clearly and separately from any other information.
10.4. The right to object can also be exercised by automated means based on technical specifications.
10.5. If the personal data are handled for scientific and historical research purposes or for statistical purposes, the data subject is entitled to object to the processing of personal data relating to his / her own personal situation, unless it is necessary for the performance of a task for public interest purposes.
The relevant rules are contained in the Article of the Regulation.
- Automated decision-making in individual cases, including profiling
11.1. The data subject shall have the right not to be subject to a decision based solely on automated data management, including profiling, which would have a bearing on him or would have a significant effect on him.
11.2. This right shall not apply if the decision:
(a) is necessary for the conclusion or performance of the contract between the data subject and the data controller;
(b) is made possible by Union or Member State law applicable to the data controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) is based on the data subject's explicit consent.
11.3. In the cases referred to in points (a) and (c), the data controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention and to submit an objection.
Further rules are set out in Article 22 of the Regulation.
- Restrictions
The law of the Union or of the Member States applicable to a data controller or data processor may restrict the scope of rights and obligations (Articles 12 to 22, Article 34 and Article 5) by means of legislative measures if the restriction respects the essential content of fundamental rights and freedoms.
The conditions for this restriction are laid down in Article 23 of the Regulation.
- Informing the person concerned about the privacy incident
13.1. If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller must inform the data subject of the data protection incident without undue delay. This information must explain the nature of the privacy incident clearly and comprehensibly and provide at least the following information:
(a) the name and contact details of the Data Protection Officer or other contact person providing further information;
(c) the likely consequences of a data protection incident;
(d) measures to be taken or planned by the data controller to remedy a data protection incident, including, where appropriate, measures to mitigate any adverse consequences resulting from a data protection incident.
13.2. The data subject need not be informed if any of the following conditions are met:
(a) the data controller has implemented adequate technical and organizational protection measures and has applied those measures to the data affected by the data protection incident, in particular measures, such as the use of encryption, which make the data unintelligible to unauthorized persons;
(b) after the data protection incident, the data controller has taken further measures to ensure that the high risk to the rights and freedoms of the person concerned is no longer likely to be realized;
(c) the information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information, or a similar measure shall be taken to ensure that the data subjects are informed equally effectively.
Further rules are set out in Article 34 of the Regulation.
- The right to complain to a supervisory authority (right to an administrative remedy)
The person concerned has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the suspected breach, if the person concerned considers that the processing of personal data relating to him violates the Regulation. The supervisory authority to which the complaint has been filed shall inform the client about the procedural developments and the outcome of the complaint, including the fact that the client is entitled to seek judicial redress.
These rules are contained in Article 77 of the Regulation.
- Right to an effective judicial remedy against the supervisory authority
15.1. Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall be entitled to an effective judicial remedy against a legally binding decision of the supervisory authority that concerns them.
15.2. Without prejudice to other administrative or non-judicial remedies, all parties concerned shall be entitled to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments or results of the complaint submitted.
15.3. The procedure against the supervisory authority shall be initiated before the courts of the Member State in which the supervisory authority is situated.
15.4. If proceedings are brought against a decision of the supervisory authority on which the Board has previously issued an opinion or made a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
These rules are set out in Article 78 of the Regulation.
- Right to an effective remedy against data controller or data processor
16.1. Without prejudice to any available administrative or non-judicial remedies, including the right to complain to the supervisory authority, every person concerned shall be entitled to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
16.2. Proceedings against the data controller or processor shall be initiated before the courts of the Member State in which the data controller or the processor is established. Such proceedings may also be instituted before the courts of the Member State in which the person concerned is habitually resident, unless the data controller or the data processor is a public authority of a Member State acting within the scope of its public authority.
These rules are set out in Article 79 of the Regulation.
Done at Budaörs, January 25, 2018
______________________
Privacy policy
DATA MANAGEMENT POLICY
Company name: Tradford
Registered office:
Tax registration no.:
Incorporation no.:
Represented by: Szarvas Gyula
(hereinafter referred to as Brand Holder)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
The brand owner is responsible for establishing and amending the Code.
Done at Budaörs, May 5, 2018
__________________________
brand owner
Attention!
Read the Guide before making any adjustments.
Blue-marked items are subject to revision, modification or deletion if the relevant provision is not applied by the company.
TABLE OF CONTENTS
CHAPTER I - GENERAL PROVISIONS
Section 1 Purpose and Scope of the Code
Section 2 Definitions
CHAPTER II - SECURITY OF DATA MANAGEMENT LEGISLATION
Section 3 Data management based on the consent of the party concerned
Section 4 Data management based on the fulfillment of a legal obligation
Section 5 Information Management Information of the Company
CHAPTER IV - DATA MANAGEMENT RELATED TO CONTRACT
Article 16 Management of contract partner data - register of buyers and suppliers
Article 17 Contact details of representatives of natural persons, buyers and suppliers of natural persons
Section 19 Visitor data management at Tradford's website - Information on the use of cookies
Section 20 Registration on Tradford's website
Section 21 Data management related to newsletter service
CHAPTER V - DATA MANAGEMENT BASED ON LEGAL OBLIGATIONS
Section 25 Data management for the purpose of fulfilling tax and accounting obligations
Section 26 Payroll Data Management
Section 27 Data management for documents of lasting value under the Archives Act
CHAPTER VI - DATA-ADMINISTRATIVE MEASURES
Data security measures
CHAPTER VII - TRADFORD DATA PROCESSING ACTIVITY
Section 32 Obligations and rights of the custodian (data controller)
CHAPTER VIII - TREATMENT OF DATA PROTECTION INCIDENTS
Section 35 Definition of the Data Protection Incident
Section 36 Treatment and remedy of data incidents
Section 37 Records of data protection incidents
CHAPTER IX - DATA PROTECTION IMPACT ASSESSMENT AND PRELIMINARY CONSULTATION
Section 38 Data Protection Impact Assessment and Prior Consultation
CHAPTER X - RIGHTS OF THE PERSON CONCERNED
Section 39 Information on the rights of the person concerned
FINAL PROVISIONS
Section 40 Establishment and amendment of the Code
Section 41 Measures to introduce the Rules
ANNEXES
Appendix 1: Privacy Policy for Contribution Based Personal Data
Appendix 2: Information on the rights of the natural person concerned for handling his personal data
Annex 6: Privacy Policy for a contract with a natural person
Annex 7: Contributing statement for the handling of contact details of a legal person's contractual partner's natural person
Annex 9a: General contract terms for data processing - standard
CHAPTER I
GENERAL PROVISIONS
Section 1 Purpose and Scope of the Code
(1) The purpose of this Code is to lay down internal rules and measures which ensure that the Company's data controller and data processor activities conform to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the Regulation), and to Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter referred to as Infotv.).
(2) The scope of this Code applies to the treatment by the Company of personal data relating to a natural person.
(3) Individual entrepreneurs, individual companies, primary producers, customers and suppliers shall be considered natural persons for the purposes of this Code.
(4) The scope of this Code does not extend to personal data processing that applies to legal persons, including the name and form of the legal entity, as well as the contact details of the legal person. (GDPR recital 14)
Section 2 Definitions
Definitions for the purposes of this Code are set out in Article 4 of the Regulation. Accordingly, the main concepts are highlighted below:
1. "personal data" means any information relating to an identified or identifiable natural person ("concerned"); a natural person is identifiable if he or she can be identified, directly or indirectly, in particular by an identifier such as a name, number, positioning data or online identifier, or by one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of that natural person;
2. "data handling" means any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collecting, capturing, rendering, compiling, storing, modifying, querying, inspecting, using, communicating, distributing or otherwise making available, coordination, interconnection, restriction, deletion or destruction;
3. "limitation of data management" means the designation of stored personal data to limit their future management;
4. "profiling" means any form of automated processing of personal data in which personal data are used to evaluate certain personal characteristics associated with a natural person, in particular to analyze or forecast features related to work performance, economic situation, health status, personal preferences, interest, reliability, behavior, residence or movement;
5. "pseudonymisation" means the handling of personal data in such a way that, without the use of additional information, it can no longer be established which specific natural person the personal data relates to, provided that such additional information is stored separately and technical and organizational measures ensure that this personal data cannot be linked to identified or identifiable natural persons;
6. "registration system" means a set of personal data, organised in any way (centralized, decentralized, or on a functional or geographic basis), that is accessible on the basis of defined criteria;
7. "controller" means a natural or legal person, a public authority, agency or any other body that determines the purposes and means of handling personal data individually or with others; where the purposes and means of data management are defined by Union or national law, the data controller or the particular aspects of the designation of the data controller may also be defined by Union or national law;
8. "processor" means any natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data controller;
9. "addressee" means a natural or legal person, a public authority, agency or any other body with whom or with which personal data is communicated, whether or not it is a third party. Public authorities which have access to personal data in an individual investigation in accordance with Union or national law shall not be considered recipients; the management of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;
10. "third party" means a natural or legal person, a public authority, an agency or any other body other than the data subject, data controller, data processor or persons authorized to manage personal data under the direct control of the data controller or data processor;
11. "the consent of the party concerned" means a voluntary, specific, appropriately informed and explicit statement of the will of the person concerned by which he or she indicates, by a statement or by an unambiguous act of confirmation, his or her consent to the processing of personal data concerning him or her;
12. "privacy incident" means a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise treated.
CHAPTER II
ENSURING THE LEGALITY OF DATA MANAGEMENT
Section 3 Data management based on the consent of the party concerned
(1) If Tradford wishes to perform data management based on consent, the consent of the person concerned to the handling of his/her personal data is to be requested together with the information set out in Appendix 1.
(2) It also counts as consent if the person concerned ticks a relevant box when viewing Tradford's website, makes the relevant technical settings when using information society services, or makes any other statement or takes any other action that, in the given context, clearly indicates the consent of the person concerned to the intended management of his or her personal data. Silence, a pre-ticked box or inaction is therefore not consent.
(3) Consent shall cover all data management activities for the same purpose or purposes. If data management serves multiple purposes at a time, the consent must be given for all data management purposes.
(4) If the consent of the party concerned is provided in the context of a written statement that applies to other matters, such as the conclusion of a contract of sale or service, the request for consent must be presented in a manner clearly distinct from these other matters, in a clear and easily accessible form, with simple language. Any part of such a declaration containing the consent of the person concerned that violates the Regulation shall not have binding force.
(5) Tradford may not make the conclusion or performance of a contract conditional on consent to the handling of personal data that is not required for performance of the contract.
(6) The withdrawal of consent should be allowed in the same simple way as the granting of the consent.
(7) If the personal data has been collected with the consent of the data subject, the data controller may, unless otherwise provided by law, handle the recorded data for the purpose of fulfilling a legal obligation applicable to it without further special consent, and also after the withdrawal of the consent of the person concerned.
Section 4 Data management based on the fulfillment of a legal obligation
(1) In the case of data processing based on a legal obligation, the provisions of the applicable law shall govern the scope of the manageable data, the purpose of data management, the length of the data storage, and the addressees.
(2) Data management based on the fulfillment of a legal obligation is independent of the consent of the party concerned, as the data management is defined by law. In this case, the data subject must be informed prior to the processing of the data that the data processing is compulsory, and must be clearly and thoroughly informed about all the facts related to the management of his or her data, including the data and legal basis of data management, data handling and data processing, the duration of the data handling, whether the personal data of the person concerned is handled by the data controller on the basis of a legal obligation applicable to it, and who can know the data. The information should also include the rights and remedies available to the data subject in question. In the case of mandatory data handling, the information may also be given by making public a reference to the legal provisions containing the foregoing information.
Section 5 Tradford's data management information
(1) Tradford's general data management information is included in Appendix 2.
(2) Tradford's data management shall ensure the exercise of the rights of the data subject.
CHAPTER III
DATA MANAGEMENT RELATED TO EMPLOYMENT
Section 6 Labor and Staff Register
(1) Only such data may be requested from and recorded about workers, and only such occupational medical examinations may be carried out, as are necessary to establish, maintain and terminate employment or to provide social welfare benefits, and as do not infringe the personal rights of the employee.
(2) On the legal basis of enforcing the legitimate interests of Tradford as employer (Article 6 (1) (f)), the following data of the employee shall be handled for the purpose of establishing, performing or terminating an employment relationship:
1. name,
2. birth name,
3. date of birth,
4. mother's name,
5. address,
6. nationality,
7. tax identification number,
8. TAJ number,
9. pension number (for a retired worker),
10. phone number,
11. e-mail address,
12. ID number,
13. number of attestation,
14. bank account number,
15. online ID (if applicable),
16. starting and ending dates for entering work,
17. job,
18. a copy of the certificate of qualifications,
19. photo,
20. curriculum vitae,
21. the amount of wages and other benefits,
22. the debt to be deducted from the employee's wages on the basis of a decision or a law or a written consent of the employee,
23. evaluation of the employee's work,
24. the way of termination of employment and its reasons,
25. a moral certificate, depending on the job position,
26. a summary of job suitability tests,
27. in the case of a pension fund and a voluntary mutual insurance fund, the name, identification number and employee's membership number of the fund,
28. for a foreign worker, the passport number and the name and number of the document certifying work entitlement,
29. data recorded in workers' accident records,
30. welfare services, commercial information,
31. data recorded by the camera and access control systems used at Tradford for security and privacy purposes, or by the positioning systems.
(3) Data on sickness and union membership shall be handled by the employer only for the purpose of fulfilling the law or obligation set out in the Labor Code.
(4) The addressees of the personal data are the employer's head, the person exercising the employer's rights, and Tradford's employees and data processors performing employment-related tasks.
(5) Only the personal data of senior executives may be transferred to Tradford's owners.
(6) The duration of the storage of personal data: 3 years after termination of employment.
(7) Prior to the processing of data, the data subject must be informed that the processing of data is based on the Labor Code and the enforcement of the employer's legitimate interests.
(8) At the same time as the contract of employment is concluded, the employer informs the employee, by means of the information in Appendix 3, about the handling of his or her personal data and personal rights.
Section 7 Data management related to suitability tests
(1) An employee may only be subjected to an aptitude test that is prescribed by an employment rule or that is necessary to exercise a right or fulfill an obligation laid down in an employment rule. Before the test, employees must be informed, inter alia, of which skill or ability the aptitude test is intended to assess and of the means and method of the test. If legislation requires the test to be carried out, employees should also be informed of the title and exact reference of that legislation. The sample data management information related to this is included in Annex 4 of this Code.
(2) The employer may have tests of fitness for work and preparedness completed by employees both before the establishment of the employment relationship and during its existence.
(3) For the more efficient performance and organisation of work and workflows, a test sheet suitable for the study of psychological or personality traits may be filled out with a larger group of workers only if the data revealed in the analysis cannot be linked to any particular worker during data processing.
(4) The scope of manageable personal data is the fact of suitability for the job and the conditions required for it.
(5) The legal basis for data handling is the legitimate interest of the employer.
(6) The purpose of the processing of personal data is to establish and maintain an employment relationship and to fill a job position.
(7) Addressees of personal data or categories of recipients: The examination results may be known to the examined workers and the examiner. The employer may only receive the information whether the person examined is fit for the work or not, and what conditions must be provided for it. However, the details of the examination or its full documentation are not available to the employer.
(8) The duration of the processing of personal data: 3 years after termination of employment.
Section 8 Handling data of employees applying for admission, applications, curricula vitae
(1) Personal data can be handled: the name, date of birth, place of birth, mother's name, address, qualification data, photo, phone number, e-mail address, employer's note on the applicant (if any).
(2) The purpose of handling the personal data is to assess the job application and to conclude a contract of employment with the chosen person. The person concerned should be informed if the employer has not chosen him or her for that job.
(3) Legal basis for data processing: the consent of the party concerned.
(4) Addressees of the personal data or categories of recipients: Tradford's personnel who are entitled to exercise employer's rights and employees who perform employment-related duties.
(5) Duration of the storage of personal data: Until the application and the application. Personal data of non-selected applicants must be deleted. You must also delete the details of your application and your application.
(6) The employer may only keep the applications on the basis of the express, explicit and voluntary consent of the concerned party, provided that retaining them is necessary to achieve the data management objective in accordance with the law. This consent shall be requested from the candidates after the closing of the recruitment process.
CHAPTER IV
DATA MANAGEMENT RELATED TO CONTRACT
Article 16 Management of contract partner data - register of buyers and suppliers
(1) On the legal basis of the performance of the contract, Tradford handles, for the purpose of concluding, performing and terminating the contract and providing contractual discounts, the following data of a natural person contracted as buyer or supplier: name, date of birth, mother's name, address, tax ID, VAT registration number, entrepreneur's card number, ID card number, home address, home telephone number, site address, email address, website address, contact number, account number, customer number (order number), online ID (lists of customers, suppliers and regular customers). This is considered lawful data processing even if the processing is needed to take steps at the request of the person concerned before the conclusion of the contract. The addressees of the personal data are Tradford employees performing customer service tasks, accounting and taxation employees, and data processors. The duration of the storage of personal data is 5 years after termination of the contract.
(2) Prior to the processing of data, the natural person concerned shall be informed that the processing of data is based on the performance of the contract; this information may also be provided in the contract. The data subject shall be informed of the transfer of his or her personal data to the data processor. The text of the Privacy Policy relating to a contract with a natural person is included in Annex 6 of this Policy.
Article 17 Contact details of representatives of natural persons, buyers and suppliers of natural persons
(1) Personal data can be handled: the name, address, telephone number, e-mail address and online identifier of the natural person.
(2) The purpose of personal data management is the performance of the contract concluded with Tradford's legal-entity partner and maintaining the business relationship; its legal basis is the consent of the person concerned.
(3) Addressees of the personal data or categories of recipients: Tradford customer service.
(4) Duration of personal data storage: 5 years after the business relationship or the representative status of the person concerned has ended.
(5) The template of the data collection form is included in Appendix 7 of this Code. This statement must be disclosed to the person concerned by the customer, buyer or supplier, and consent to the handling of his/her personal data must be requested by having the declaration signed. The statement must be kept for the duration of the data handling.
Section 19 Visitor data management at Tradford's website - Information on the use of cookies
(1) A cookie is a piece of data (a variable name and value) that the visited website sends to the visitor's browser so that the browser stores it and the same website can later load its contents.
(2) Data may be stored on, or accessed from, a user's electronic communications terminal only on the basis of clear and complete information given to the user concerned, including on the purposes of data processing (Act C of 2003, Section 155 (4)). Accordingly, at the first visit to Tradford's website, a brief summary of the application of cookies should be given to the visitor, together with a link to where the full information is available (Data management information in Annex 2). With this information, Tradford ensures that the visitor can find out, before using the information society services of the website and at any time during their use, for which data management purposes Tradford handles which types of data, including the handling of data that cannot be directly linked to the user.
(3) Under Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, the provider may handle the personal data that is technically indispensable for providing the service. If the other conditions are identical, the service provider must choose and always operate the tools used to provide the information society service in such a way that personal data is processed only if it is strictly necessary for the provision of the service and for the fulfillment of other purposes set out in this Act, and even then only to the extent and for the time required.
Section 20 Registration on Tradford's website
(1) On the website, the registrant natural person may enter its consent to the processing of his / her personal data by ticking the relevant box. It is forbidden to check the box in advance.
(2) Personal data can be handled: the name (surname, first name), address, telephone number, e-mail address, online identifier, billing, mailing name and address of the natural person.
(3) The purpose of the processing of personal data is:
- Fulfillment of the services provided on the website.
- Contact, by electronic, telephone, SMS, and postal inquiry.
- Information on Tradford's products, services, contract terms, and promotions.
- Sending advertising bulletins electronically and by post as part of this information.
- Website analysis.
(4) The legal basis for the processing of data is the consent of the party concerned.
(5) Addressees of personal data or categories of recipients: Tradford employees responsible for customer service and marketing activities, and employees of the Tradford IT Service Provider.
(6) The duration of the storage of personal data: until the registration / service is active or until the consent of the person concerned is withdrawn (until deletion is requested).
Section 21 Data management related to newsletter service
(1) A natural person who registers for the newsletter service on the website may give consent to the processing of his / her personal data by ticking the relevant box. It is forbidden to check the box in advance. During the subscription, the Privacy Statement (Annex 2) must be made available with a link. The person concerned may unsubscribe from the newsletter at any time by using the "Unsubscribe" function of the newsletter, or by a written or e-mail statement, which constitutes withdrawal of consent. In this case, all data of the unsubscriber must be deleted immediately.
(2) The scope of the personal data to be handled is the name of the natural person (surname, first name) and e-mail address.
(3) The purpose of the processing of personal data is:
- Send a newsletter about Tradford's products and services
- Sending a Bulletin
(4) Legal basis for data processing: consent of the party concerned.
(5) Addressees of personal data or categories of recipients: Tradford employees responsible for customer service and marketing activities, and, for data processing, employees of the Tradford IT Service Provider.
(6) The duration of the storage of personal data: for as long as the newsletter service exists or until the consent of the party concerned is withdrawn (until deletion is requested).
CHAPTER V
DATA MANAGEMENT BASED ON LEGAL OBLIGATIONS
Section 25 Data management for the purpose of fulfilling tax and accounting obligations
(1) Tradford handles the statutory data of natural persons acting as buyers or suppliers in order to fulfill statutory tax and accounting obligations (accounting, taxation). The data processed are, in particular: under Sections 169 and 202 of Act CXXVII of 2017 on General Sales Tax, the VAT number, name, address and tax status; under Section 167 of Act C of 2000 on Accounting, the name and address, the designation of the person or entity ordering the economic operation, the signature of the person certifying the implementation of the order and, depending on the organization, of the controller, and, on stock movement documents, money management documents and counter-receipts, the signature of the person making the payment; and under Act CXXI of 1995 on personal income tax, the business card number, card number and tax ID.
(2) The period of storage of personal data shall be eight years after termination of the legal relationship that provides the legal basis.
(3) The addressees of the personal data are Tradford's employees and data processors performing taxation, bookkeeping, payroll and social security tasks.
Section 26 Payroll Data Management
(1) For the purpose of fulfilling statutory tax and contribution obligations (tax, tax advance, payment of contributions, payroll, social security, pension administration), Tradford is obliged to handle the personal data, as prescribed in the tax laws, of the persons concerned (workers, their family members, employees and other recipients) (Act CL of 2017 on the Order of Taxation (Art.), Section 7, point 31). The scope of the data processed is defined in the Art., in particular: the natural person's identification data (including the previous name and title), gender, nationality, tax identification number and social security identification number (TAJ number). If the tax laws attach a legal consequence to it, Tradford may handle data on employees' health (TV. 40.§) and trade union membership (Section 47 (2) b)) for the purpose of fulfilling tax and contribution obligations (payroll, social security administration).
(2) The period of storage of personal data shall be eight years after termination of the legal relationship that provides the legal basis.
(3) The addressees of the personal data are Tradford's employees and data processors performing taxation, payroll and social security (paying) duties.
Section 27. Data management for documents of lasting value under the Archives Act
(1) On the legal basis of fulfilling a legal obligation, Tradford handles documents that are of lasting value under Act LXVI of 1995 on public records, public archives and the protection of private archival material (Archives Act), with a view to preserving the durable-value part of Tradford's archive material intact and usable for future generations. Duration of storage: until delivery to the public archives.
(2) The addressees of the personal data are: Tradford's manager, the records manager, the filing officer, and the staff of the public archives.
CHAPTER VI
ADMINISTRATIVE MEASURES
Data security measures
(1) For the purposes of personal data protection, Tradford is obliged to take all technical and organizational measures and to establish the procedural rules necessary for the enforcement of the Regulation and the Infotv.
(2) The Data Controller shall protect the data with appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access thereto.
(3) Tradford classifies and manages personal data as confidential. Tradford requires workers handling personal data to undertake a confidentiality obligation, to which Annex 10 shall apply. Tradford restricts access to personal data by assigning authorization levels.
(4) Tradford protects IT systems by firewall and provides virus protection.
(5) Tradford's employees can connect their own computing devices, data storage and recording devices to workstations.
(6) Tradford carries out electronic data processing and registration through a computer program that meets the requirements of data security. The program ensures that data can be accessed only for a defined purpose, under controlled conditions, and only by persons who need it in order to perform their duties.
(7) During the automated processing of personal data, the data controller and the data processor shall ensure, by further measures:
(a) the prevention of unauthorized data entry;
(b) the prevention of the use of automatic data processing systems by unauthorized persons by means of data transmission equipment;
(c) that it can be verified and established to which bodies personal data has been or may be transmitted by means of data transmission equipment;
(d) that it can be verified and established which personal data was entered into the automatic data-processing systems, when and by whom;
(e) that installed systems can be restored in case of malfunction; and
(f) that a report is made on errors occurring during automated processing.
(8) Tradford ensures the control of incoming and outgoing communications by electronic means in order to protect personal information.
(9) Sharing of personal data handled by Tradford is prohibited.
(10) It is strictly forbidden to visit file-download, game-download, chat and sex-service sites at the workplace and on Tradford's devices.
(11) The use of unauthorized programs received or downloaded from external sources is prohibited!
(12) Only the competent administrators have access to the ongoing work and to the documents in progress, and documents containing personnel, wage and labor and other personal data must be kept securely closed.
(13) It is necessary to ensure adequate physical protection of data and the means and documents that carry them.
CHAPTER VII
TRADFORD DATA PROCESSING ACTIVITY
Section 32 Obligations and rights of the custodian (data controller)
- The Data Controller is entitled to verify the Data Processor's performance of the activity under the contract.
- The Data Controller shall be liable for the legality of its instructions regarding the tasks specified in the contract, but the Data Processor shall immediately notify the Data Controller if the Data Controller's instruction or its implementation would violate the law.
- The Data Controller is obliged to inform the natural persons concerned about the data processing under this contract and, if required by law, to obtain their consent.
CHAPTER VIII
TREATMENT OF DATA PROTECTION INCIDENTS
Section 35 Definition of the Data Protection Incident
(1) Privacy incident: a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled (Article 4 (12) of the Regulation).
(2) The most commonly reported incidents include: losing a laptop or mobile phone; storing personal data in an unsafe manner (e.g. waste paper); unauthorized transmission of data; unauthorized duplication or transmission of client and customer contact lists; server attacks; website break-ins.
Section 36 Treatment and remedy of data incidents
(1) The prevention and management of privacy incidents, and the observance of privacy laws, are the responsibility of Tradford's leader.
(2) Access and access attempts on IT systems shall be logged and continuously analyzed.
(3) If Tradford's employees are in charge of a data protection incident during their duties, they must immediately notify Tradford's manager.
(4) Tradford's employees are required to report to Tradford's manager or to the person exercising the employer's rights if they detect a privacy incident or event.
(5) A privacy incident can be reported to Tradford's central e-mail address and telephone number, where employees, contractors and stakeholders can report underlying events and security weaknesses.
(6) In the event of reporting a privacy incident, Tradford's manager, with the involvement of the IT, financial and operational manager, shall immediately review the notification, identifying the incident, deciding whether it is a real incident or a false alarm. It is necessary to examine and establish:
(a) the date and place of the incident,
(b) the description of the incident, its circumstances and its effects,
(c) the scope and number of the data compromised during the incident,
(d) the scope of the persons concerned by the compromised data,
(e) a description of the measures taken to deal with the incident,
(f) a description of the measures taken to prevent, remedy and reduce the damage.
(7) In the event of a data incident, the systems, persons and data involved shall be confined and separated, and the collection and retention of evidence supporting the incident shall be ensured. After that, repairing the damage and restoring legitimate operation may begin.
Section 37 Records of data protection incidents
- Data protection incidents shall be recorded in a register containing:
(a) the scope of the personal data concerned,
(b) the scope and number of persons affected by the data protection incident,
(c) the date of the data protection incident,
(d) the circumstances and the effects of the privacy incident,
(e) measures taken to remedy a data protection incident,
(f) other data specified in the law providing for data processing.
- Data relating to data incidents recorded in the register shall be kept for five years.
CHAPTER IX
DATA PROTECTION IMPACT ASSESSMENT AND PRELIMINARY CONSULTATION
Section 38 Data Protection Impact Assessment and Prior Consultation
- Where a type of data handling, in particular one using new technologies, is likely to pose a high risk to the rights and freedoms of natural persons, taking into account its nature, scope, circumstances and purposes, the data controller shall, prior to the processing of data, carry out an impact assessment of how the planned data management operations affect the protection of personal data. Similar types of data management operations that pose similar high risks are considered within a single impact assessment.
- Where a data protection impact assessment establishes that data processing is likely to involve a high level of risk for the data controller in the absence of measures to mitigate the risk, prior to the processing of personal data, the data controller shall consult the supervisory authority.
- The detailed rules for data protection impact assessment and prior consultation are governed by Articles 35 to 36 of the Regulation and by the Infotv.
CHAPTER X
RIGHTS OF THE PERSON CONCERNED
Section 39 Information on the rights of the person concerned
(1) Rights of the persons concerned briefly summarized:
- Transparent information, communication and promoting the exercise of the rights of the data subject
- Right to prior information - where personal data are collected from the data subject
- Information to the person concerned and information to be made available if personal data are not obtained from the data subject
- Right of access of the data subject
- Right to rectification
- Right of cancellation ("right to be forgotten")
- Right to Restrict Data Management
- The obligation to notify in connection with the rectification or erasure of personal data or the restriction of data processing
- Right to data portability
- Right to object
- Automated decision-making in individual cases, including profiling
- Restrictions
- Informing the person concerned about the privacy incident
- The right to complain to a supervisory authority (right to an administrative remedy)
- Right to an effective judicial remedy against the supervisory authority
- Right to an effective remedy against data controller or data processor
- The rights of the data subject in detail:
- Transparent information, communication and promoting the exercise of the rights of the data subject
1.1. The data controller shall provide the data subject with all information and notices on the management of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner, in particular for any information addressed to children. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. Oral information may be provided at the request of the person concerned, provided that the identity of the person concerned has been verified otherwise.
1.2. The data controller must facilitate the exercise of the rights of the data subject.
1.3. The data controller shall inform the data subject without undue delay, but in any event within one month of the receipt of the request, of the measures taken on his or her application for the exercise of his or her rights. This time limit may be extended by two additional months under the terms of the Regulation, of which the person concerned must be informed.
1.4. If the data controller does not take measures in response to the data subject's request, it shall inform the data subject without delay and within one month of the receipt of the request of the reasons for not taking action and that he or she may file a complaint with a supervisory authority and exercise his or her right of judicial redress.
1.5. The data controller provides the information and takes the measures relating to the data subject's rights free of charge, but fees may be charged in the cases described in the Regulation.
The detailed rules are set out in Article 12 of the Regulation.
- Right to prior information - if the personal data is collected from the person concerned
2.1. The person concerned has the right to be informed about the facts and information related to data management prior to commencing the processing of data. In this context, the person concerned should be informed of:
(a) the identity and contact details of the data controller and his representative,
(b) contact details of the Data Protection Officer (if any),
(c) the purpose of the planned treatment of personal data and the legal basis for data processing,
(d) in the case of data handling based on the validation of a legitimate interest, the legitimate interests of the data controller or third party,
(e) the addressees of personal data with whom personal data are communicated, and the categories of recipients, if any;
(f) where applicable, the fact that the data controller wishes to transmit personal data to a third country or an international organization.
2.2. In order to ensure fair and transparent data management, the data controller must inform the data subject of the following additional information:
(a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
(b) the right of the data subject to request that the data controller provide access to, correct, delete or restrict the handling of the personal data relating to the data subject, the right to object to the handling of such personal data, and the data subject's right to data portability;
(c) in the case of data handling based on the consent of the party concerned, the right to withdraw the consent at any time without prejudice to the lawfulness of the data processing carried out on the basis of the consent prior to the withdrawal;
(d) the right to lodge a complaint addressed to the supervisory authority;
(e) whether the provision of personal data is based on a legal or contractual obligation or is a prerequisite for the conclusion of a contract and whether the data subject is obliged to provide personal data and the possible consequences of the lack of data provision;
(f) the existence of automated decision-making, including profiling, and at least in such cases the logic employed and information about the significance of such data management and the likely consequences for the data subject.
2.3. If the data controller wishes to carry out further processing of the personal data for a purpose other than the purpose of their collection, he / she must inform the person concerned of this different purpose and any relevant additional information prior to further processing.
The detailed rules for the right of prior information are contained in Article 13 of the Regulation.
- Information to the person concerned and information to be made available if personal data are not obtained from the data subject
3.1. If the data controller has not obtained the personal data from the data subject, the data controller must notify the data subject of the facts and information referred to in point 2 above, the categories of personal data concerned, the source of the personal data and, where applicable, the fact that the data come from publicly available sources. This notification must be given within no more than one month after the personal data has been obtained; where personal data are used for contact with the data subject, at least when contacting the person concerned; or if it is expected to communicate with other addressees.
3.2. Further rules are set out in point 2 above (Right to prior information).
Detailed rules for this information are contained in Article 14 of the Regulation.
- Right of access to the subject
4.1. The person concerned has the right to be informed by the data controller about whether his personal data is being processed and, if such data is being processed, he has the right to access the personal data and the related information set out in points 2-3 above (Article 15 of the Regulation).
4.2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the corresponding guarantees provided for in Article 46 of the Regulation.
4.3. The data controller shall provide the data subject with a copy of the personal data subject to data handling. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.
Detailed rules for the right of access of the data subject are set out in Article 15 of the Regulation.
- Right to rectification
5.1. The data subject shall have the right to have any inaccurate personal data relating to him or her rectified by the Data Controller, upon request, without undue delay.
5.2. Taking into account the purpose of data management, the person concerned has the right to request the addition of incomplete personal data, including by means of a supplementary statement.
These rules are set out in Article 16 of the Regulation.
- Right of cancellation ("right to be forgotten")
6.1. The data subject shall have the right to have the personal data relating to him deleted without undue delay, and the data controller shall be required to delete the personal data of the data subject without undue delay if
(a) personal data is no longer required for the purpose for which they have been collected or otherwise handled;
(b) the party concerned withdraws his or her consent and the data controller does not have any other legal basis for data processing;
(c) the person concerned objects to his or her data handling and there is no overriding legitimate reason for data handling,
(d) the personal data has been unlawfully handled;
(e) the personal data are to be deleted in order to comply with the legal obligation imposed on the data controller in the Union or Member States' law;
(f) the personal data were collected in connection with the provision of information society-related services offered directly to children.
6.2. The right to cancel cannot be enforced if data management is required
(a) to exercise the right to freedom of expression and information;
(b) to perform a task under the law of the Union or of a Member State applicable to the data controller, or to carry out a task in the public interest or in the exercise of public authority vested in the data controller;
(c) for reasons of public interest in the field of public health;
(d) for purposes of public interest archiving, for scientific and historical research purposes or for statistical purposes, provided that the right to cancel would be likely to render impossible or seriously undermine this data management; or
(e) for filing, enforcing or protecting legal claims.
Detailed rules on the right to cancel are set out in Article 17 of the Regulation.
- Right to Restrict Data Management
7.1. Where data processing is restricted, such personal data may, with the exception of storage, only be managed with the consent of the person concerned, or for the submission, validation or protection of legal claims, or for the protection of the rights of a natural or legal person, or in the public interest of the Union or of a Member State.
7.2. The data subject shall have the right to request that the Data Controller restricts the processing of data if one of the following conditions is met:
(a) the person concerned disputes the accuracy of the personal data; in this case, the restriction concerns the period of time that allows the Data Controller to check the accuracy of the personal data;
(b) data handling is unlawful and the data subject is opposed to the deletion of the data and, instead, requests that their use be restricted;
(c) the Data Controller no longer needs personal data for data processing, but the data subject requires them to submit, enforce, or protect legal claims; or
(d) the person concerned objected to the data handling; in that case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller have priority over the legitimate grounds of the party concerned.
7.3. The person concerned must be informed in advance of the discontinuation of the data handling.
The relevant rules are set out in Article 18 of the Regulation.
- The obligation to notify in connection with the rectification or erasure of personal data or the restriction of data processing
The data controller informs all addressees with whom or with which personal information has been communicated of any rectification, deletion or data limitation, unless this proves impossible or requires disproportionate effort. At the request of the data subject, the data controller shall inform the addressees thereof.
These rules are contained in Article 19 of the Regulation.
- Right to data portability
9.1. Subject to the conditions set out in the Regulation, the data subject shall have the right to receive the personal data he or she has provided to a data controller in a structured, widely used machine-readable format, and shall be entitled to transmit this data to another data controller without obstruction by the data controller to whom the personal data were provided, if
(a) the processing of data is based either on consent or on a contract; and
(b) data management is carried out in an automated manner.
9.2. The person concerned may also request the direct transfer of personal data between data controllers.
9.3. The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation (the right to cancel, "the right to be forgotten"). The right to data portability is not applicable in the case where data processing is necessary for the performance of a task in the public interest or in the exercise of public authority powers conferred on the data controller. This right should not adversely affect the rights and freedoms of others.
Detailed rules are set out in Article 20 of the Regulation.
- Right to object
10.1. The person concerned has the right to object at any time to the processing of personal data in the public interest, the performance of a public task (Article 6 (1) (e)) or legitimate interest (Article 6 (f)), including profiling based on those provisions. In this case, the data controller may not process the personal data unless the data controller proves that the data processing is justified by compelling legitimate reasons that prevail over the interests, rights and freedoms of the data subject, or that relate to the submission, enforcement or protection of legal claims.
10.2. If personal data is handled for direct business acquisition, the person concerned is entitled to object at any time to the handling of personal data relating to that purpose, including profiling, if it is related to direct business acquisition. If a person objects to the personal data being handled for direct business acquisition purposes, personal data may no longer be handled for that purpose.
10.3. These rights must be explicitly mentioned in the notice of first contact with the person concerned at the latest, and the relevant information must be clearly and completely separate from any other information.
10.4. The right to object can also be exercised by automated means based on technical specifications.
10.5. If the personal data are handled for scientific and historical research purposes or for statistical purposes, the data subject is entitled to object to the processing of personal data relating to his / her own personal situation, unless it is necessary for the performance of a task for public interest purposes.
The relevant rules are contained in the Article of the Regulation.
- Automated decision-making in individual cases, including profiling
11.1. The data subject shall be entitled to be excluded from the scope of a decision based solely on automated data management, including profiling, which would have a bearing on him or would have a significant effect on him.
11.2. This right shall not apply if the decision:
(a) is necessary for the conclusion and performance of the contract between the data subject and the data controller;
(b) is made possible by Union or Member State law applicable to the data controller, which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
(c) is based on the data subject's explicit consent.
11.3. In the cases referred to in points (a) and (c), the data controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention and to submit an objection.
Further rules are set out in Article 22 of the Regulation.
- Restrictions
The law of the Union or of the Member States applicable to a data controller or data processor may restrict the scope of rights and obligations (Articles 12 to 22, Article 34 and Article 5) by means of legislative measures if the restriction respects the essential content of fundamental rights and freedoms.
The conditions for this restriction are laid down in Article 23 of the Regulation.
- Informing the person concerned about the privacy incident
13.1. If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller must inform the data subject of the data protection incident without undue delay. This information must clearly and easily explain the nature of the privacy incident and provide at least the following information:
(a) the name and contact details of the Data Protection Officer or other contact person providing further information;
(c) the likely consequences of a data protection incident;
(d) measures to be taken or planned by the data controller to remedy a data protection incident, including, where appropriate, measures to mitigate any adverse consequences resulting from a data protection incident.
13.2. The data subject need not be informed if any of the following conditions are met:
(a) the data controller has implemented adequate technical and organizational protection measures and applied those measures to the data covered by the data protection incident, in particular measures, such as the use of encryption, which make the data unintelligible to unauthorized persons;
(b) after the data protection incident, the data controller has taken further measures to ensure that high risk for the rights and freedoms of the person concerned is no longer likely to be realized;
(c) the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information, or a similar measure shall be taken that ensures the persons concerned are informed equally effectively.
Further rules are set out in Article 34 of the Regulation.
- The right to complain to a supervisory authority (right to an administrative remedy)
The person concerned has the right to lodge a complaint with a supervisory authority, in particular in the Member State where he or she is habitually resident, where his or her workplace is located or where the suspected breach occurred, if the person concerned considers that the processing of personal data relating to him violates the Regulation. The supervisory authority to which the complaint has been filed shall inform the client about the procedural developments and the outcome of the complaint, including the fact that the client is entitled to seek judicial redress.
These rules are contained in Article 77 of the Regulation.
- Right to an effective judicial remedy against the supervisory authority
15.1. Without prejudice to other administrative or non-judicial remedies, all natural and legal persons shall be entitled to effective judicial remedies against the legally binding decision of the supervisory authority.
15.2. Without prejudice to other administrative or non-judicial remedies, all parties concerned shall be entitled to an effective remedy if the competent supervisory authority does not deal with the complaint or does not inform the person concerned within three months of the procedural developments or results of the complaint submitted.
15.3. The procedure against the supervisory authority shall be initiated before the courts of the Member State in which the supervisory authority is situated.
15.4. If proceedings are brought against a decision of the supervisory authority concerning which a body has previously issued an opinion or made a decision under the consistency mechanism, the supervisory authority shall send that opinion or decision to the court.
These rules are set out in Article 78 of the Regulation.
- Right to an effective remedy against data controller or data processor
16.1. Without prejudice to any available administrative or non-judicial remedies, including the right to complain to the supervisory authority, all persons concerned shall be entitled to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of their personal data being handled in a manner that does not comply with the Regulation.
16.2. Proceedings against the data controller or processor shall be initiated before the court of the Member State in which the data controller or the processor is established. Such proceedings may be instituted before the courts of the Member State in which the person concerned is habitually resident, unless the data controller or the data processor is a public authority of a Member State acting within the scope of its public authority.
These rules are set out in Article 79 of the Regulation.
CHAPTER XI
FINAL PROVISIONS
Section 40 Establishment and amendment of the Code
Tradford's brand owner is entitled to establish and modify this Code.
Section 41 Measures to introduce the Rules
The provisions of this Code shall be communicated to all Tradford employees (including their employees), and the employment contracts must stipulate that compliance with and enforcement of the Code is an essential duty of all employees (employed). A sample of the employment contract clause is included in Annex No. 10 of this policy.