DATA PROTECTION AND DATA PROCESSING POLICY

1. Purpose of the Policy

2. Controller’s company data

3. Definitions

4. Principles of data processing

5. Notification of data subjects

6. Rights of the Data subjects

7. Controller’s obligations

8. Miscellaneous provisions

1. Purpose of the Policy

Computer Partner Kft. (hereafter referred to as the "Controller") accepts the following data processing policy on the day and place stated hereunder, in order to comply with Regulation (EU) 2016/679 of the European Parliament and of the Council applicable from May 25th, 2018 (hereinafter referred to as: GDPR) and the relevant Hungarian legislation, in particular Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereafter referred to as "Privacy Act").

The purpose of the Policy is to set forth the data protection and data processing principles and rules applied by the Controller.

The Policy applies to the Controller and to other organizations of the Controller that have a place of business in the European Economic Area (EEA) or that process the personal data of natural persons in the EEA.

This Policy is binding on all employees of the Controller or persons working for the Controller on the basis of an agency agreement.

2. Controller’s company data

Name: Computer Partner Kft.

Principal place of business (mailing address): H-1118 Budapest, Brassó út 169-179/A.

Company registration number: 01-09-064272

Tax number: 10317565-2-43

Data protection registration number: GDPR-1/2018

Phone: +36 1 309 0510

E-mail address: info@computer-partner.hu

3. Definitions

The definitions in this section are taken from Article 4 of the GDPR, as follows:

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special categories of personal data means personal data related to racial or ethnic origin, political opinion, religious or philosophical beliefs or trade union membership; genetic and biometric data for the unique identification of natural persons; personal data related to the health, sexual life or sexual orientation of the natural persons.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Controller’s main establishment: as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Processor’s main establishment: as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

Supervisory authority means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR. In Hungary this role is fulfilled by the National Authority for Data Protection and Freedom of Information (H-1125 Budapest, Szilágyi Erzsébet fasor 22/c, https://www.naih.hu/panaszuegyintezes-rendje.html, hereinafter referred to as “NAIH”).

4. Principles of data processing

4.1   Legality, fairness and transparency

Personal data shall be processed lawfully and fairly, and in a manner that is transparent to the data subject.

4.2   Targeted data processing

Personal data may be collected only for specified, explicit and legitimate purposes and may not be processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is not considered incompatible with the original purposes.

4.3   Data frugality

Personal data shall be adequate and relevant for the purposes of the processing and limited to what is necessary for those purposes.

4.4   Accuracy

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step shall be taken to ensure that personal data that are inaccurate for the purposes of the processing are erased or rectified.

4.5   Storage limitation

Personal data shall be stored in a form that permits the identification of the data subject for no longer than is necessary for the purposes of the processing; personal data may be stored for a longer period only if they are processed for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the implementation of the appropriate technical and organizational measures required by the GDPR to protect the rights and freedoms of the data subjects.

4.6   Integrity and confidentiality

Personal data shall be processed in a manner that ensures their appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

4.7   Accountability

The Controller is responsible for compliance with Article 4 and shall be able to verify this compliance.

5. Notification of data subjects

The main establishment in the Union of the Controller defined in Section 2 is located in Budapest, Hungary. However, the Controller holds the same position in two additional limited liability companies registered in the EU. The three companies belong to the same owners and have similar or identical scopes of activity:

- Legeza & Partner GmbH (Vienna, Austria), www.legeza.at, and

- Novak Software GmbH (Hengersberg, Germany), www.novak-software.de

5.1   The purpose and the legal basis of data processing activities:

The scope of the personal data stored is closely related to the activity of the Controllers. This activity determines the scope of data required (see Section 4.3, Data frugality).

The Controller is involved in IT software development projects as a contractor or subcontractor. The human resources required for the performance of a project are provided by the company’s own professionals or by locating and hiring available (currently unengaged) professionals on the market, who are then either employed or work on the basis of a subcontractor agreement.

Project tasks, in turn, are received through personal relationships or over the Internet. We also store the personal data of prospects for future contact purposes.

The data subjects can be allocated into the following three main groups:

- employees

- customers and cooperation partners (accounting, communication, authorities)

- IT professionals

For example, a wide range of data on the first group is stored as the basis for submitting monthly income data to the authorities; this constitutes the performance of the legal obligation of the Data Supplier.

In the case of customers and cooperating companies, who belong to the second group, only the name, position and contact details of the contact person are stored (as on a business card). We also store other, company-related information, but this does not contain any personal data. These data constitute the basis for concluding agreements and for reaching the contact persons during the performance of the agreements.

Finding persons in the third group (IT professionals) is the main prerequisite for the implementation of a potential project. Such a person may be our employee; if we do not have such an employee or he or she is busy, we need to find one on the open labour market. The job opportunity may be advertised on our own website and on other websites. The inquiring professional sends us a professional profile with his or her personal contact details and a description of his or her professional experience. In order to apply for a job, the professional also has to demonstrate his or her professional competence, which is verified against the candidate’s professional profile. In this case, the data subject gives his or her consent to the transfer of these data to the customer and, optionally, to their storage on our servers, so that if the application fails we can retrieve them next time for another task. In this way a database of professionals is established. Professionals are generally contacted by e-mail, where we ask for their consent to process their data and notify them that they can stop the data processing at any time and can request the deletion of their data.

5.2   The scope of processed personal data:

The basic rule in our company is that we do not disclose personal data to anyone (not even relatives). Data are provided only to authorities where required by law; we provide the NTCA with our employees' personal and income data.

The stored data are available for internal use only, for our business purposes. In the case of bids, only the name of our expert is disclosed to the contracting authority, and only with the consent of the data subject.

Employees’ personal data:

- name

- photo (conditional)

- mother's name

- place of birth

- date of birth

- address

- phone

- e-mail address

- tax ID

- social security number

- qualifications, diploma copies

- professional profile

- income data generated by us

Personal data of contact persons of customers and other contractual partners:

- name

- photo (conditional)

- represented company

- title

- phone numbers

- personal e-mail address

- principal place of business of the company

Personal data of IT professionals:

- name

- photo

- phone

- personal e-mail address

- address

- professional profile (photo)

5.3   Contact details of the Data Protection Officer/Person responsible for Data Protection:

István Legeza, Managing Director

Office phone: +36 1 309 0512

Mobile phone: +36 30 949 4822

E-mail address: legeza@computer-partner.hu

5.4   Recipients of processed personal data or categories of recipients:

- Customers

Basically, stored personal data are for internal use only. We look for potential specialists for the company's development tasks and contact them by e-mail to find out whether they are interested in participating in a particular project. If the data subject responds positively, we forward the updated professional profile, stripped of all contact details, to our customer as an attachment to the bid. The professional profile contains no more than a professional curriculum vitae. If our bid is successful, we conclude an employment or subcontractor agreement with the professional after concluding an agreement with the customer. If necessary, we forward contact details to both parties so that they can maintain professional contact.

- Authorities (NTCA)

In the case of employees, we provide personal data, including income data, on a monthly basis in accordance with statutory requirements.

5.5   The intended duration of the storage of personal data and, in the absence thereof, the criteria for determining the duration:

For the basic data contained in the database: the duration of the company's operation. Upon the termination of the company, the database will be deleted or destroyed.

Data subjects are aware that their data will be removed from the database upon request at any time. The personal data of current and former employees are an exception, as they may be subject to data requests and audits by the authorities in the areas of tax administration and labour matters.

5.6   The provision of personal data:

a) is based on legislation (employees' personal data);

b) is based on contractual obligations (contact details of employees for customers);

c) is a prerequisite for the conclusion of an agreement (name and professional profile of IT and other professionals, and the names and contact details of customer contacts).

5.7   The data subjects are only required to provide the personal data that are needed for the conclusion of the agreements and, later on, for their performance. The only consequence of failing to provide the data is that the agreement cannot be concluded.

5.8   The Controller does not perform automated data processing on the personal data of the data subject.

5.9   If the Controller intends to process personal data further for a purpose other than that for which they were collected, it informs the data subject and obtains his or her prior express consent, or gives him or her the opportunity to prohibit the use of the personal data.

6. Rights of the Data subjects

6.1   Access and other rights

The data subject may request access to, correction, deletion, or restriction of personal data processing relating to him or her and may object to the processing of such personal data.

6.2   Right to data portability

The data subject has the right to data portability: he or she has the right to receive the personal data that he or she has provided to the Controller in a commonly used, machine-readable format and to transmit those data to another controller.

6.3   Right to withdraw consent

In the case of consent-based data processing, the data subject has the right to withdraw consent at any time; withdrawal does not affect the lawfulness of the data processing performed on the basis of the consent before its withdrawal.

6.4   Claims and complaints

The data subject may enforce his or her rights at court under Act V of 2013 on the Civil Code and may, in accordance with the Privacy Act, turn to NAIH and file a complaint.

7. Controller’s obligations

7.1   Data safety measures

Controller has taken the following measures to ensure the implementation of the data protection principles and the fulfillment of the requirements of the GDPR and the guarantees necessary to protect the rights of the data subjects.

The stored personal data are allocated into the following groups:

- contact information

- photo

- payroll data

- professional profiles

- income data

Software and solutions used for data storage:

- Contact information is stored in Microsoft Outlook.

- We keep paper-based records for processing and storing labour data, but we also record the basic data, such as the tax number and social security number, in Outlook.

- Professional profiles are provided by the data subjects in Microsoft Word or PDF format, and these files are stored on the central server.

- Income data are stored in the database of the bookkeeping software. The double-entry bookkeeping module of the management software Process 3.0 v3.2, developed by Illés Kft. (Pécs), is used for this purpose. Monthly income data are also recorded in the paper-based records.

Security considerations and solutions:

On January 1st, 2016, we stopped operating our own server and concluded an agreement with Microsoft for the use of its cloud server service (Microsoft Exchange), which includes full use of the latest versions of Microsoft Office 365. A major advantage of this service is that it saves the data in the cloud automatically and keeps multiple generations of backups for recovery purposes. The other major advantage over an own server is that it provides a firewall to protect against unauthorized access.

Additional data security is provided by synchronizing the company's data to the managing director's desktop and laptop as well. In other words, if data loss occurs in the cloud (we have never heard of this happening), the data will still be accessible on two computers. Because the managing director’s two computers do not sign in to the cloud simultaneously, if damage is synchronized to one computer, the other computer can be booted without Internet access and the previous day’s state can be retrieved. The cloud service also generates multiple-generation backups, so if all else fails, previous data can be retrieved from there as well.

When defining these measures, the Controller takes into account the following risks: the accidental or unlawful destruction, loss or alteration of, and the unauthorized disclosure of or unauthorized access to, the personal data processed.

There are three workstations in the office for the two employees, including the managing director. Both persons are authorized and trained to handle personal data. Unauthorized access is only possible for malicious hackers.

The Controller will review and, if necessary, update the measures taken.

7.2   Provision of targeted data processing

The Controller shall ensure that only such personal data are processed as are necessary for the particular data processing purpose. This applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. It shall be ensured by default that personal data cannot become accessible to an indefinite number of people without human intervention.

The cloud-based server service also serves this purpose, since only the Controller can sign in, and only from his or her pre-registered computers.

7.3   Registration obligation

The Controller shall keep a written record of its data processing activity, which shall contain the following information:

- the name and contact details of the Controller and, where applicable, of the joint Controller, the Controller’s representative and the Data Protection Officer;

István Legeza, Managing Director; phone: +36 1 309 0512; e-mail: legeza@computer-partner.hu

- purposes of data processing: the data processing task of the HR assistant is to store the personal data of the professionals/IT professionals who apply. After running a query, suitable professionals are selected from the database and notified of the job opportunity; the selected professional responds by e-mail if he or she is interested. In case of interest, an updated professional profile indicating the time of availability and a quote are received, or just a reply that the applicant is busy at the moment. Deletion of personal data may be requested. In the case of positive feedback, the HR assistant makes an offer to the customer, which is also recorded in the database. In the case of positive feedback from the customer (after project meetings), an agreement is concluded with the customer and then with the candidate as an employee or a subcontractor.

- description of the categories of data subjects and of the categories of personal data;

Employees: this includes the managing director, the HR assistant and the IT professionals. This is the category that requires the storage of the widest range of information: name, photo, birth data, tax number, social security number, address, start and end date of employment, income data, contact information and qualification documents.

Customer contact details: name, phone number, website, principal place of business, position and company name. Job descriptions are received from these companies (mostly related to software development), for which they expect an offer.

IT professionals: name, contact details and professional profile; the latter (skills) forms the basis of later queries. We run keyword queries on our database to find out who would be suitable for a particular job.

- categories of recipients to whom personal data will be communicated or disclosed, including recipients in third countries or international organizations;

Tax Administration (domestic only) as a recipient: we disclose the income data of the company's employees every month, as required by law.

Customers as recipients: they may be domestic or foreign; foreign customers may be located inside or outside the EU. We write bids for these recipients in which we demonstrate our competency with the professional profiles of our potential professionals (with or without their names), but without any contact details.

- deadlines for deleting the different categories of data: none.

- general description of the technical and organizational measures serving data processing security purposes, as set forth in Section 7.1:

Multi-generation backups provided by Microsoft Exchange;

Continuous synchronization of data to two computers.

The Controller submits the register to the supervisory authority (NAIH) upon request.

7.4   Obligations for privacy incidents

The Controller has the following obligations regarding privacy incidents:

- the incident shall be reported to the NAIH within 72 hours of the Controller becoming aware of it, unless the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons;

- if the notification is not filed within 72 hours, the reasons for the delay shall accompany the notification;

- the information contained in the notification may be provided in phases without undue further delay;

- data protection incidents shall be documented, including the facts relating to them and the remedial measures applied;

- the data subject shall be notified of the data protection incident if the conditions set out in Article 34 of the GDPR apply, as defined therein.

7.5   Performance of a data protection impact assessment

The Controller shall perform a data protection impact assessment in accordance with Article 35 of the GDPR if the planned data processing is likely to result in a high risk to the rights and freedoms of the data subjects. The purpose of the assessment is to establish how the planned data processing operations affect the protection of personal data. In the course of the assessment, the Controller asks the data subjects or their representatives to comment on the planned data processing. The Controller shall, where necessary, and at least when the risk represented by the data processing operations changes, carry out a review to assess whether the personal data are processed in accordance with the data protection impact assessment.

The data of our employees are sent to the tax authority in the mandatory monthly income statements, in accordance with statutory regulations. This does not pose a risk to the data subjects, because the data are transmitted via an encrypted channel on the government portal.

Further personal information (name, professional experience) may be disclosed to our customers, but in every case only after notifying the data subject and with his or her consent (given via e-mail or telephone conversation).

8. Miscellaneous provisions

8.1   During the performance of its tasks, the Controller cooperates with NAIH upon request.

8.2   The Controller shall ensure that this Policy is revised and updated as necessary.

8.3   The Controller is entitled to modify the content of the policy unilaterally; in this case, notification of the data subjects is required.

8.4   Issues not regulated in this Policy are governed by the provisions of Hungarian law on data protection, in particular the Privacy Act, and the provisions of GDPR applicable from May 25th, 2018.

Dated: Budapest, April 23rd, 2018

........................................................

Computer Partner Kft.