PRIVACY AND DATA PROTECTION

Application of the Privacy and Data Protection Policy

Name of the organisation: City House Market Ltd
Location of the organisation: 3/A, Izabella street, Budapest, 1077, Hungary
Person responsible for the content of the Code: Tamás Váraljai
Date of entry into force of these rules: 5th of September 2023

This policy sets out rules on the protection of natural persons with regard to the processing of personal data and on the free flow of personal data. It applies to specific data processing activities and to the issuing of instructions and notices governing data processing.

The obligation to employ (designate) a Data Protection Officer applies to all public authorities or other bodies with a public task (irrespective of the data they process) and other organisations whose main activity is the systematic, large-scale monitoring of individuals or which process large numbers of special categories of personal data.

Data Protection Officer (DPO):

Name: Tamás Váraljai
Contact: iroda@talents.hu

Scope of the Rules

This policy is valid until revoked and applies to the officers, employees and Data Protection Officer of the organisation.

Date: 5th of September 2023

Purpose of the Rules

The purpose of this policy is to harmonise the requirements of the other internal rules of the organisation with regard to data management activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the adequate processing of personal data.

In its activities, the organisation aims to fully comply with the legal requirements for the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council.

Furthermore, an important purpose of issuing this policy is to ensure that, by knowing and complying with it, the organisation’s employees are able to lawfully process the data of natural persons.

Key concepts, definitions

  • the GDPR (General Data Protection Regulation) is the new EU Data Protection Regulation
  • controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
  • ‘processing’ means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
  • personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • third party: a natural or legal person, public authority, agency or any other body which is not the same as the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by an act unambiguously expressing his or her consent, signifies his or her agreement to the processing of personal data relating to him or her;
  • restriction of processing: the marking of stored personal data for the purpose of limiting their future processing;
  • pseudonymisation: the processing of personal data in such a way that it is no longer possible to identify the natural person to whom the personal data relate without further information, provided that such further information is kept separately and technical and organisational measures are taken to ensure that no association with an identified or identifiable natural person is possible; 
  • ‘filing system’ means a set of personal data structured in any way, whether centralised, decentralised or structured according to functional or geographical criteria, which is accessible on the basis of specified criteria;
  • ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;

Guidelines for data management

The processing of personal data must be lawful, fair and transparent for the data subject.

Personal data shall be collected only for specified, explicit and legitimate purposes.

The purposes for which personal data are processed must be adequate, relevant and limited to what is necessary.

Personal data must be accurate and kept up to date. Inaccurate personal data must be deleted without delay.

Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary. Personal data may be stored for longer periods only if the storage is for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes.

Personal data shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by appropriate technical or organisational measures.

The principles of data protection shall apply to any information relating to an identified or identifiable natural person.

An employee of the organisation who is responsible for data processing shall bear disciplinary, compensation, civil and criminal liability for the lawful processing of personal data. If an employee becomes aware that personal data he or she is processing is inaccurate, incomplete or out of date, he or she shall correct it or have it corrected by the person responsible for recording it.

Processing of personal data

Because natural persons can be associated with online identifiers, such as IP addresses and cookie identifiers, provided by the devices, applications, tools and protocols they use, this data, combined with other information, can and may be used to profile and identify natural persons.

The processing may only take place if the data subject gives his or her freely given, specific, informed and unambiguous consent to the processing of the data by means of a clear affirmative action, such as a written, including electronic, or oral statement.

Consent to the processing shall also be deemed to be given where the data subject ticks a box when visiting the website. Silence, pre-checking a box or inaction does not constitute consent.

Consent is also deemed to be given if a user makes the relevant technical settings when using the electronic services or makes a statement or takes an action which clearly indicates the data subject’s consent to the processing of his or her personal data in the context of the processing.

Personal data concerning health include data relating to the health of a data subject which contains information about his or her past, present or future physical or mental health. This includes:

  • registration for health services;
  • a number, symbol or data allocated to an individual for the purpose of identifying that individual for health purposes;
  • information derived from the testing or examination of a body part or body constituent, including genetic data and biological samples;
  • information relating to the illness, disability, disease risk, medical history, clinical treatment or physiological or biomedical condition of the data subject, irrespective of its source, which may be, for example, a doctor or other health professional, a hospital, a medical device or a diagnostic test.

Genetic data shall be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person and which are the result of the analysis of a biological sample taken from the person concerned, in particular chromosomal analysis or analysis of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) or any other element enabling information equivalent to that which may be obtained from them to be extracted.

Children’s personal data deserve special protection, as they may be less aware of the risks, consequences, safeguards and rights associated with the processing of personal data. This special protection should apply in particular to the use of children’s personal data for marketing purposes or for the purpose of creating personal or user profiles.

Personal data should be processed in a manner which ensures an adequate level of security and confidentiality, inter alia, in order to prevent unauthorised access to and use of personal data and the means used to process personal data.

All reasonable steps must be taken to ensure that inaccurate personal data are corrected or deleted.

Lawfulness of processing

The processing of personal data is lawful if one of the following conditions is met:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is a party or is necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the protection of the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Processing shall be lawful within the meaning of the above where it is necessary in the context of a contract or the intention to conclude a contract.

Where the processing is carried out in the performance of a legal obligation to which the controller is subject or where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing must have a legal basis in Union law or the law of a Member State.

Processing shall be regarded as lawful where it is carried out for the purpose of protecting the life of the data subject or the interests of another natural person referred to above. Personal data should in principle be processed on the basis of the vital interests of another natural person only if there is no other legal basis for the processing in question.

Some types of personal data processing may serve both important public interests and vital interests of the data subject, for example where processing is necessary for humanitarian reasons, including when necessary for the monitoring of epidemics and their spread, or in the event of a humanitarian emergency, in particular a natural or man-made disaster.

The legitimate interests of the controller, including the controller with whom the personal data may be shared, or of a third party, may provide a legal basis for the processing. Such legitimate interest may, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller, such as in cases where the data subject is a client of the controller or is employed by the controller.

The processing of personal data strictly necessary for the purpose of preventing fraud also constitutes a legitimate interest of the controller concerned. Processing of personal data for direct marketing purposes may also be considered to be based on legitimate interest.

In order to establish the existence of a legitimate interest, it is necessary to carefully consider, inter alia, whether the data subject could reasonably expect, at the time and in the context of the collection of the personal data, that processing for the purposes in question would take place. The interests and fundamental rights of the data subject may prevail over the interests of the controller where personal data are processed in circumstances in which the data subjects do not expect further processing.

The legitimate interests of the controller concerned should be deemed to include the processing of personal data by public authorities, computer emergency response units, network security incident management units, operators of electronic communications networks and service providers and security technology service providers to the extent that such processing is strictly necessary and proportionate to ensure network and information security.

The processing of personal data for purposes other than those for which they were originally collected shall be permitted only if the processing is compatible with the original purposes for which the personal data were originally collected. In this case, a separate legal basis other than the legal basis which made the collection of the personal data possible is not necessary.

The processing of personal data by public authorities for the purposes of achieving the aims of officially recognised religious organisations as laid down in constitutional law or in public international law is considered to be in the public interest.

Consent of the person concerned, conditions

  • Where the processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of his or her personal data.
  • Where the data subject gives his or her consent in the context of a written statement which also relates to other matters, the request for consent must be communicated in a manner clearly distinguishable from those other matters.
  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal. The data subject shall be informed before consent is given. The withdrawal of consent shall be made possible in the same simple manner as the giving of consent.
  • In determining whether consent is voluntary, the utmost account should be taken of, inter alia, whether the performance of the contract, including the provision of services, is made conditional on consent to the processing of personal data which are not necessary for the performance of the contract.
  • The processing of personal data in relation to information society services offered directly to children is lawful when the child is at least 16 years of age. In the case of children under the age of 16, the processing of personal data of children is lawful only if and to the extent that consent has been given or authorised by the person having parental authority over the child.

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data or biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons is prohibited, unless the data subject has given his or her explicit consent to the processing of those personal data for one or more specific purposes.

The processing of personal data relating to decisions on criminal liability and to criminal offences and related security measures may take place only if they are processed by a public authority.

Processing that does not require identification

If the purposes for which the controller processes the personal data do not or no longer require the identification of the data subject by the controller, the controller is not obliged to retain additional information.

Where the controller can demonstrate that it is not in a position to identify the data subject, it shall, where possible, inform the data subject accordingly by appropriate means.

Information and rights of the data subject

The principle of fair and transparent processing requires that the data subject be informed of the fact and purposes of the processing.

Where personal data are collected from the data subject, the data subject should also be informed of the obligation to provide the personal data and of the consequences of not providing the data. This information may also be supplemented by standardised icons to provide the data subject with general information about the envisaged processing in a prominent, easily understandable and clearly legible form.

The information relating to the processing of personal data concerning the data subject should be provided to the data subject at the time of collection or, where the data have been collected from another source than the data subject, within a reasonable period, having regard to the circumstances of the case.

The data subject shall have the right of access to the data collected concerning him or her and the right to exercise that right simply and at reasonable intervals in order to ascertain and verify the lawfulness of the processing. Each data subject should have the right to be informed, in particular, of the purposes for which personal data are processed and, where possible, the period for which the personal data are processed,

In particular, the data subject should have the right to have his or her personal data erased and no longer processed where the collection or other processing of the personal data is no longer necessary in relation to the original purposes of the processing or where the data subjects have withdrawn their consent to the processing of the data.

Where personal data are processed for direct marketing purposes, the data subject should have the right to object, free of charge and at any time, to the processing of personal data relating to him or her for such purposes.

Review of personal data

In order to ensure that the storage of personal data is limited to the necessary period, the controller shall set time limits for erasure or periodic review.

Periodic review period set by the head of the organisation: 1 year.

Tasks of the data controller

The controller shall apply appropriate internal data protection rules to ensure lawful processing. These rules cover the powers and responsibilities of the controller.

The controller has the obligation to implement appropriate and effective measures and to be able to demonstrate that the processing activities comply with the applicable law.

This regulation should be made taking into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

The controller shall implement appropriate technical and organisational measures, taking into account the nature, scope, context and purposes of the processing and the varying degrees of likelihood and severity of the risk to the rights and freedoms of natural persons. It shall review and, where necessary, update other internal rules on the basis of these rules.

The controller or processor shall keep adequate records of the processing activities carried out under its authority. Each controller and processor shall cooperate with the supervisory authority and make these records available on request in order to monitor the processing operations concerned.

Rights in relation to data processing

The right to request information

Any person may request, through the contact details provided, information about what data the organisation processes, on what legal basis, for what purpose, from what source and for how long. The requested information will be sent to the contact details provided without undue delay and within 30 days at the latest.

Right to rectification

Any person may request the rectification of any of his/her data through the contact details provided. Such a request must be acted upon promptly and within 30 days at the latest, and information must be sent to the contact details provided.

Right to erasure

Any person may request the deletion of his or her data through the contact details provided. Upon request, this must be done without undue delay and within a maximum of 30 days and information must be sent to the contact details provided.

Right to blocking, restriction

Any person may request the blocking of his or her data through the contact details provided. The blocking shall last as long as the reason stated makes it necessary to store the data. Upon request, this must be done without undue delay and within a maximum of 30 days and information must be sent to the contact details provided.

Right to object

Any person may object to the processing of personal data using the contact details provided. The objection shall be examined and a decision shall be taken on its merits within the shortest possible time from the date of the request, but not later than 15 days, and the decision shall be communicated to the contact details provided.

Enforcement possibilities in relation to data processing

National Authority for Data Protection and Freedom of Information

Postal address: 1530 Budapest, PO Box 5.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

E-mail: ugyfelszolgalat (at) naih.hu

URL https://naih.hu

coordinates: N 47°30’56”; E 18°59’57”

The data subject may take the data controller to court in case of violation of his/her rights. The court shall rule on the case out of turn. The data subject may also bring the action before the competent court of his or her place of residence or domicile, at the data subject’s choice.

Tasks of the organisation to ensure adequate data protection

  • Data protection awareness. Ensure professional competence to comply with the law. Staff training and awareness of the rules is essential.
  • Review the purpose of data management, the criteria for data management, the concept of personal data management. Ensure lawful processing and processing in accordance with the data protection and data management policy.
  • Provide appropriate information to the data subject. Attention should be paid to the fact that, where processing is based on the data subject’s consent, the controller must, in case of doubt, prove that the data subject has given his or her consent.
  • The information provided to the data subject should be concise, easily accessible and easily understandable and should therefore be drafted and presented in clear and plain language.
  • Transparent processing requires that the data subject is informed of the fact and purposes of the processing. The information should be provided prior to the start of the processing and the right to be informed should be available to the data subject until the end of the processing.
  • The main rights of the data subject are the following:
      • access to personal data concerning him or her;
      • rectification of personal data;
      • erasure of personal data;
      • restriction of the processing of personal data;
      • objection to profiling and automated processing;
      • the right to data portability.
  • The controller shall inform the data subject without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The obligation to provide information can be ensured by the operation of a secure online system through which the data subject can easily and quickly access the necessary information.
  • A review of the organisation’s data processing activities should be carried out, ensuring that the right to informational self-determination is respected. At the request of the data subject, data should be deleted without delay where the data subject withdraws the consent on the basis of which the processing was carried out.
  • The data subject’s consent shall unambiguously indicate that the data subject consents to the processing. Where the processing is based on the data subject’s consent, the controller should, in case of doubt, prove that the data subject has consented to the processing operation.
  • In the case of personal data processing of children, particular attention should be paid to compliance with the rules on data processing. The processing of personal data in relation to information society services offered directly to children is lawful when the child is at least 16 years old. In the case of children under the age of 16, the processing of personal data of children is lawful only if and to the extent that consent has been given or authorised by the person having parental authority over the child.
  • In the event of unlawful processing of personal data, the supervisory authority must be notified. The controller must make the notification to the supervisory authority without undue delay and, if possible, no later than 72 hours after becoming aware of the personal data breach, unless the personal data breach is unlikely to pose a risk to the rights of the natural person.
  • In certain cases, it may be appropriate for the controller to carry out a data protection impact assessment prior to processing. The data protection impact assessment should assess the impact of the envisaged processing operations on the protection of personal data. If the impact assessment concludes that the processing is likely to present a high risk, the controller should consult the supervisory authority before processing personal data.
  • Where the main activities involve processing operations which, by their nature, scope or purposes, require systematic large-scale monitoring of data subjects, a data protection officer should be appointed. The appointment of the DPO should aim at strengthening data security.

Data security

In particular, appropriate measures must be taken to protect the data against unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction or accidental damage and against inaccessibility resulting from changes in the technology used.

In order to protect the electronically managed data files in the registers, appropriate technical arrangements should be in place to ensure that the data stored in the registers cannot be directly linked and attributed to the data subject.

When designing and applying data security, account should be taken of the state of the art. Where several data processing solutions are possible, the one that ensures a higher level of protection of personal data should be chosen, unless this would impose a disproportionate burden on the controller.

Data Protection Officer (DPO)

The appointment of a Data Protection Officer is mandatory based on the following criteria:

  • the processing is carried out by public authorities or other bodies with a public-service mission, with the exception of courts acting in their judicial role;
  • the main activities of the controller or processor involve processing operations which, by their nature, scope or purposes, require systematic large-scale monitoring of data subjects;
  • the main activities of the controller or processor relate to the processing of a large number of personal data relating to decisions on criminal liability and to the processing of data relating to criminal offences.

Where the appointment of a DPO is mandatory, the following rules apply:

The Data Protection Officer shall be appointed on the basis of professional competence and in particular expert knowledge of data protection law and practice and the ability to perform the processing.

The DPO may be an employee of the controller or the processor, but may also perform his or her tasks under a service contract.

The name and contact details of the data protection officer must be published by the controller or processor and communicated to the supervisory authority.

Status of the Data Protection Officer

The controller must ensure that the DPO is involved in all matters relating to the protection of personal data in an appropriate and timely manner. It must also ensure that the necessary resources are available to maintain the DPO’s level of expertise.

The DPO shall not accept instructions from anyone in connection with the performance of his or her duties. The controller or processor shall not dismiss or sanction the DPO in connection with the performance of his or her duties. The DPO shall be directly responsible to the top management of the controller or processor.

Data subjects may contact the DPO in all matters relating to the processing of their personal data and the exercise of their rights.

The DPO shall be bound by confidentiality or data protection obligations in the performance of his or her duties.

The DPO may perform other tasks, but there should be no conflict of interest in relation to those tasks.

Tasks of the Data Protection Officer

  • Provide information and professional advice to the controller or processor and to the staff carrying out the processing;
  • monitor compliance with the internal rules of the controller or processor relating to the protection of personal data;
  • on request, provide technical advice on the data protection impact assessment and monitor the performance of the impact assessment;
  • cooperate with the supervisory authority.

Data protection incident

A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A personal data breach may, in the absence of adequate and timely action, cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or identity fraud.

A data protection incident must be notified to the competent supervisory authority without undue delay and no later than 72 hours, unless it can be demonstrated, in accordance with the principle of accountability, that the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.

The data subject shall be informed without delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, in order to enable him or her to take the necessary precautions.

Processing for administrative and record keeping purposes

The organisation may also process personal data in the context of its activities and for administrative and record-keeping purposes.

The processing is based on the voluntary and explicit consent of the data subject, duly informed. After detailed information, including the purposes, legal basis and duration of the processing and the rights of the data subject, the data subject must be made aware of the voluntary nature of the processing. Consent to the processing shall be recorded in writing.

The processing for administrative and record-keeping purposes shall serve the following purposes:

  • processing of data of members and employees of the organisation, based on a legal obligation;
  • processing of data relating to members of the organisation’s staff, employees, employees’ representatives and employees’ employees who are subject to legal obligations and who are subject to statutory requirements;
  • contact details of other organisations, institutions and undertakings which have business relations with the organisation, which may include contact details and identification data of natural persons;

The processing of data as described above is based on a legal obligation on the one hand, and on the other hand, the data subject has given his or her explicit consent to the processing of his or her data (e.g. for the purposes of an employment contract or when registered as a partner on a website, etc.).

In the case of documents submitted to the organisation in written form (e.g. CV, job application, other submissions, etc.), including personal data, the consent of the data subject must be presumed. Once the case is closed, the documents should be destroyed in the absence of consent for further use. The fact of destruction shall be recorded in a report.

In the case of processing for administrative purposes, personal data shall be included only in the files and records of the case. The processing of these data shall continue until the destruction of the document on which the processing is based.

Processing for administrative and record-keeping purposes shall be reviewed annually to ensure that the storage of personal data is limited to the necessary period and inaccurate personal data shall be deleted without delay.

Processing for administrative and record-keeping purposes should also ensure compliance with the law.

Processing for other purposes

If the organisation wishes to carry out a processing activity that is not covered by this policy, it must first supplement this internal policy accordingly or add sub-policies that are appropriate to the new processing purpose.

Other documents related to the Code

Documents and policies that contain, for example, a written statement of consent to data processing or, for example, a mandatory privacy notice for websites, should be linked to and managed together with the privacy and data protection policy.

Laws on which the processing is based

  • REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation).
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
  • Act LXVI of 1995 on public records, public archives and the protection of private archival material.
  • Government Decree No 335/2005 (XII. 29.) on the general requirements for the management of records by public bodies.
  • Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.
  • Act C of 2003 on Electronic Communications.