LSH Készházak Zrt.
PRIVACY AND DATA MANAGEMENT POLICY
Application of the Privacy and Data Management Policy
Name of the organization:
LSH Készházak Zrt.
Registered office of the organization:
2461 Tárnok, Egyenlőség utca 43
Person responsible for the content of the policy:
Bakos Dániel
Effective date of the policy:
October 1, 2021
This policy establishes the rules for the protection of natural persons regarding the processing of personal data and the free movement of personal data. The provisions of this policy must be applied in specific data processing activities, as well as in the issuance of instructions and information regulating data processing.
The obligation to appoint a Data Protection Officer extends to all public authorities or other bodies performing public tasks (regardless of the type of data they process), as well as to other organizations whose main activity involves the systematic and large-scale monitoring of individuals or the large-scale processing of special categories of personal data.
The organization employs a Data Protection Officer.
If a Data Protection Officer is appointed:
Name:
Bakos Dániel
Position: Commercial Manager
Contact: hello@lapraszerelthaz.hu
Scope of the Policy
This policy remains in effect until revoked and applies to the organization’s officials, employees, and Data Protection Officer.
Date: October 1, 2021
Purpose of the Policy
The purpose of this policy is to align the organization’s internal regulations regarding data processing activities to protect the fundamental rights and freedoms of natural persons and to ensure the proper handling of personal data.
The organization is committed to fully complying with the legal requirements for personal data processing, particularly those set out in Regulation (EU) 2016/679 of the European Parliament and the Council (GDPR).
Another important objective of issuing this policy is to ensure that employees of the organization become familiar with and comply with its provisions, enabling them to process personal data lawfully.
Key Terms and Definitions
GDPR (General Data Protection Regulation): The European Union’s new Data Protection Regulation.
Data Controller: A natural or legal person, public authority, agency, or any other body that determines the purposes and means of processing personal data, either alone or jointly with others. If the purposes and means of processing are determined by Union or Member State law, the controller or specific criteria for its designation may also be established by Union or Member State law.
Data Processing: Any operation or set of operations performed on personal data or data sets, whether automated or not, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Third Party: A natural or legal person, public authority, agency, or body other than the data subject, data controller, data processor, or those persons authorized to process personal data under the direct authority of the data controller or data processor.
Consent of the Data Subject: A freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, through a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.
Restriction of Processing: The marking of stored personal data with the aim of limiting their processing in the future.
Pseudonymization: The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is stored separately and is subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.
Filing System: Any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
Principles of Data Processing
The processing of personal data must be carried out lawfully, fairly, and in a transparent manner for the data subject.
Personal data may only be collected for specified, explicit, and legitimate purposes.
The purpose of processing personal data must be appropriate and relevant, and data collection should be limited to what is necessary.
Personal data must be accurate and kept up to date. Inaccurate personal data must be erased without delay.
Personal data must be stored in a form that allows identification of data subjects only for as long as necessary. Storage for a longer period is permitted only if it serves public interest archiving, scientific or historical research, or statistical purposes.
Personal data must be processed in a manner that ensures appropriate security through technical or organizational measures, protecting data from unauthorized or unlawful processing, accidental loss, destruction, or damage.
The principles of data protection must be applied to all information related to an identified or identifiable natural person.
Any employee of the organization involved in data processing bears legal responsibility (disciplinary, civil, administrative, and criminal) for the lawful handling of personal data. If an employee becomes aware that the personal data they process is incorrect, incomplete, or outdated, they are obliged to correct it or to request its correction from the colleague responsible for data entry.
Processing of Personal Data
Since natural persons can be associated with online identifiers provided by the devices, applications, tools, and protocols they use—such as IP addresses and cookie identifiers—these data, when combined with other information, may be used to create profiles of individuals and identify them.
Data processing may only take place if the data subject has given voluntary, specific, informed, and unambiguous consent through a clear affirmative action, such as a written (including electronic) or oral statement.
Consent to data processing may also be indicated by the data subject selecting a checkbox on a website. Silence, pre-ticked checkboxes, or inactivity do not constitute valid consent.
Additionally, consent is considered given if a user configures technical settings while using electronic services or makes a declaration or action that, in the given context, clearly indicates their agreement to the processing of their personal data.
Processing of Health-Related Personal Data
Health-related personal data includes information concerning the data subject’s past, present, or future physical or mental health condition. This category encompasses:
Registration for healthcare services;
A number, identifier, or data assigned to a natural person for individual identification for healthcare purposes;
Information derived from testing or examination of a body part or bodily substance, including genetic data and biological samples;
Any information related to the data subject’s illness, disability, risk of illness, medical history, clinical treatment, physiological or biomedical condition, regardless of the source, which may include a doctor, other healthcare professionals, hospitals, medical devices, or diagnostic tests.
Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person, obtained through the analysis of a biological sample taken from the data subject. This includes, in particular, chromosome analysis, the examination of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA), or any other element that enables the extraction of equivalent information.
Children’s personal data deserves special protection, as they may be less aware of the risks, consequences, safeguards, and rights related to the processing of personal data. This special protection should particularly apply to the use of children’s personal data for marketing purposes or for the creation of personal or user profiles.
Personal data must be processed in a manner that ensures an appropriate level of security and confidentiality. This includes measures to prevent unauthorized access to personal data and the tools used for data processing, as well as unauthorized use of such data.
All reasonable steps must be taken to correct or delete inaccurate personal data.
The processing of personal data is considered lawful if at least one of the following conditions is met:
- The data subject has given their consent for the processing of their personal data for one or more specific purposes.
- The processing is necessary for the performance of a contract in which the data subject is a party, or for taking steps at the request of the data subject before entering into a contract.
- The processing is necessary for compliance with a legal obligation to which the data controller is subject.
- The processing is necessary to protect the vital interests of the data subject or another natural person.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
- The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests, fundamental rights, or freedoms of the data subject that require the protection of personal data, especially if the data subject is a child.
Based on the above, data processing is considered lawful if it is necessary within the framework of a contract or a contractual intention.
If data processing is carried out to fulfill a legal obligation applicable to the data controller or if it is necessary for performing a task in the public interest or exercising official authority, the processing must have a legal basis in Union law or the law of a Member State.
Data processing is also deemed lawful when it is carried out to protect the life of the data subject or of another natural person. The processing of personal data based on the vital interests of another natural person should, in principle, only occur when no other legal basis is applicable.
Certain types of personal data processing may serve both an important public interest and the vital interests of the data subject. This may include cases where data processing is necessary for humanitarian reasons, such as tracking pandemics and their spread, or in humanitarian emergencies, particularly in cases of natural or man-made disasters.
A data controller—including a controller to whom personal data may be disclosed—or a third party may establish a legal basis for processing based on legitimate interest. Such legitimate interest may exist, for example, when there is a relevant and appropriate relationship between the data subject and the data controller, such as in cases where the data subject is a customer of the data controller or is employed by them.
The processing of personal data that is strictly necessary for the prevention of fraud is also considered a legitimate interest of the data controller. Similarly, the processing of personal data for direct marketing purposes may also be regarded as based on a legitimate interest.
To determine the existence of a legitimate interest, careful consideration must be given to various factors, including whether the data subject could reasonably expect, at the time of data collection and in relation to it, that their data might be processed for the specific purpose in question.
The interests and fundamental rights of the data subject may override the interests of the data controller if personal data is processed under circumstances where the data subjects do not anticipate further data processing.
The processing of personal data by public authorities, computer emergency response teams (CERTs), network security incident response units, electronic communications network operators and service providers, as well as security technology service providers, is considered a legitimate interest of the respective data controller when it is strictly necessary and proportionate to ensure network and information security.
Processing of personal data for purposes other than those for which they were originally collected is only permitted if the new processing purpose is compatible with the original purpose of data collection. In such cases, a separate legal basis beyond the original legal basis for data collection is not required.
The processing of personal data by authorities for the purpose of achieving the constitutional or international public law objectives of officially recognized religious organizations is considered to be in the public interest.
Consent of the Data Subject – Conditions
- If data processing is based on consent, the data controller must be able to demonstrate that the data subject has given their consent to the processing of their personal data.
- If the data subject provides consent as part of a written declaration that also concerns other matters, the request for consent must be presented in a clear and distinguishable manner from those other matters.
- The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject must be informed of this before giving consent. Withdrawing consent must be as easy as giving it.
- When determining whether consent was given voluntarily, special consideration must be given—among other factors—to whether the performance of a contract, including the provision of services, is made conditional on consent to process personal data that is not necessary for the performance of that contract.
- The processing of personal data in relation to information society services offered directly to children is only lawful if the child is at least 16 years old. If the child is under 16 years old, the processing of their personal data is only lawful if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data intended to uniquely identify a natural person, health data, and data concerning a natural person’s sex life or sexual orientation, is prohibited—except where the data subject has given explicit consent for the processing of such personal data for one or more specific purposes.
The processing of personal data related to criminal convictions, offenses, or related security measures may only take place if it is carried out under the authority of a public body.
Data Processing Without Identification
If the purposes for which the data controller processes personal data do not or no longer require the identification of the data subject, the data controller is not obliged to retain additional information to enable identification.
If the data controller can demonstrate that they are not in a position to identify the data subject, they should inform the data subject accordingly, where possible, in an appropriate manner.
Information and Rights of the Data Subject
The principle of fair and transparent data processing requires that the data subject be informed about the fact and purposes of data processing.
If personal data is collected directly from the data subject, they must also be informed whether they are required to provide the personal data and the potential consequences of failing to do so. This information may be supplemented with standardized icons to provide the data subject with clear, easily understandable, and well-readable general information about the intended data processing.
The data subject must receive information about the processing of their personal data at the time of data collection. If the data is not collected directly from the data subject but from another source, the information should be provided within a reasonable period, taking into account the circumstances of the case.
The data subject has the right to access the personal data collected about them and should be able to exercise this right easily and at reasonable intervals to verify and assess the lawfulness of data processing. Every data subject must have the right to know, in particular, the purposes of personal data processing and, if possible, the duration for which the personal data will be processed.
The data subject has the right to request the deletion of their personal data and to prevent further processing if the data is no longer necessary for the original purposes for which it was collected or otherwise processed, or if they withdraw their consent to data processing.
If personal data is processed for direct marketing purposes, the data subject must be granted the right to object to the processing of their personal data for such purposes at any time, free of charge.
Review of Personal Data
To ensure that the storage of personal data is limited to the necessary duration, the data controller establishes deletion or regular review deadlines.
The regular review period established by the organization’s management is 1 year.
Responsibilities of the Data Controller
The data controller implements appropriate internal data protection regulations to ensure lawful data processing. This regulation covers the scope and responsibilities of the data controller.
The data controller is responsible for implementing appropriate and effective measures and must be able to demonstrate that data processing activities comply with applicable legal requirements.
This regulation must be adopted considering the nature, scope, context, and purposes of data processing, as well as the risks posed to the rights and freedoms of natural persons.
The data controller implements appropriate technical and organizational measures based on the nature, scope, context, and purposes of data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of individuals. According to this policy, other internal regulations are reviewed and updated as necessary.
The data controller or data processor maintains appropriate records of the data processing activities carried out within their competence. All data controllers and data processors must cooperate with the supervisory authority and make these records available upon request for the purpose of monitoring the relevant data processing operations.
Rights Related to Data Processing
Right to Request Information
Any individual may request information via the designated contact details regarding what personal data the organization processes, on what legal basis, for what purpose, from what source, and for how long. A response must be provided without delay, but no later than 30 days from the request, sent to the provided contact address.
Right to Rectification
Any individual may request the modification of their personal data via the designated contact details. The request must be processed without delay, but no later than 30 days, and the individual must be informed via the provided contact address.
Right to Erasure (Right to be Forgotten)
Any individual may request the deletion of their personal data via the designated contact details. The request must be fulfilled without delay, but no later than 30 days, and the individual must be notified accordingly via the provided contact address.
Right to Restriction of Processing
Any individual may request the restriction of their data via the designated contact details. The restriction remains in place as long as the stated reason justifies the storage of the data. The request must be fulfilled without delay, but no later than 30 days, and the individual must be informed accordingly.
Right to Object
Any individual may object to data processing via the designated contact details. The objection must be reviewed as soon as possible, but no later than 15 days from the request submission. A decision must be made regarding its validity, and the individual must be informed of the outcome via the provided contact address.
Legal Remedies Related to Data Processing
National Authority for Data Protection and Freedom of Information
Postal Address: Hungary, 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
URL: https://naih.hu
Coordinates: N 47°30’56”; E 18°59’57”
If a data subject’s rights are violated, they have the right to take legal action against the data recipient or the data controller. The court will handle the case as a priority.
The lawsuit may be initiated by the data subject at their discretion, either before the court competent for their place of residence or their place of stay.
Recipients:
During the provision of our services, the data we process is managed within our company’s Administrative and CRM system.
MiniCRM Zrt. acts as a data processor, storing and managing the entered data within the MiniCRM business management system.
Data processor for the integrated business management system (MiniCRM): MiniCRM Zrt.
Address: Hungary, 1075 Budapest, Madách Imre út 13-14.
Phone: +36 1 999 0402
E-mail: help@minicrm.hu
Organizational Responsibilities for Proper Data Protection
- Data Protection Awareness. Ensuring professional competence to comply with legal regulations. It is essential to provide employees with proper training and familiarize them with the data protection policy.
- The purpose, criteria, and concept of personal data processing must be reviewed. Lawful data management and processing must be ensured in accordance with the Data Protection and Data Processing Policy.
- Adequate information for the person concerned by the data processing. It should be noted that – if the data processing is based on the consent of the data subject – in case of doubt, the data controller must prove that the data subject has consented to the data processing.
- The information provided to the data subject should be concise, easily accessible and easy to understand, and therefore it should be formulated and presented in clear and plain language.
- A requirement of transparent data processing is that the data subject is informed about the fact and purposes of data processing. The information must be provided before the start of data processing and the data subject has the right to information during the data processing until its termination.
- The main rights of the person affected by data processing are as follows:
  - access to personal data concerning him/her;
  - correction of personal data;
  - deletion of personal data;
  - restriction of processing of personal data;
  - objection to profiling and automated data processing;
  - the right to data portability.
- The controller shall inform the data subject without undue delay, but no later than one month from the date of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The obligation to provide information may be ensured by operating a secure online system through which the data subject can easily and quickly access the necessary information.
- The data processing carried out by the organization must be reviewed and the enforcement of the right to informational self-determination must be ensured. At the request of the data subject, their data must be deleted without delay if the data subject withdraws the consent that forms the basis for the data processing.
- The consent of the data subject must clearly indicate that the data subject agrees to the processing. Where the processing is based on the data subject’s consent, in case of doubt, the controller must prove that the data subject has consented to the processing operation.
- In the case of the processing of children’s personal data, special attention must be paid to compliance with data protection rules. The processing of personal data in relation to information society services offered directly to children is lawful if the child has reached the age of 16. In the case of a child under the age of 16, the processing of children’s personal data is lawful only if and to the extent that consent has been given or authorised by a person exercising parental responsibility over the child.
- In the event of unlawful processing or handling of personal data, there is an obligation to notify the supervisory authority. The controller shall notify the supervisory authority without undue delay, and where feasible, no later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights of natural persons.
- In certain cases, it may be appropriate for the controller to carry out a data protection impact assessment before processing. The impact assessment shall examine how the planned processing operations affect the protection of personal data. If the data protection impact assessment establishes that the processing is likely to result in a high risk, the controller shall consult the supervisory authority before processing the personal data.
- Where the main activities involve data processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, a data protection officer must be appointed. The appointment of a data protection officer aims to strengthen data security.
Data Security
Personal data must be protected with appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental loss, damage, or inaccessibility due to changes in the applied technology.
To protect electronically processed data in records, appropriate technical solutions must be implemented to ensure that stored data cannot be directly linked or assigned to the data subject.
When designing and implementing data security measures, the current state of technology must be taken into account. Among multiple possible data processing solutions, the one ensuring a higher level of personal data protection should be chosen, unless it would impose a disproportionate burden on the data controller.
Data Protection Officer
The appointment of a data protection officer is mandatory based on the following criteria:
- the data processing is carried out by public authorities or other bodies performing public tasks, with the exception of courts acting in their judicial capacity;
- the main activities of the controller or processor include processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
- the main activities of the controller or processor relate to the processing of large amounts of personal data relating to decisions establishing criminal liability and criminal offences.
If the appointment of a data protection officer is mandatory, the following rules apply:
The data protection officer shall be appointed on the basis of professional competence and, in particular, expert knowledge of data protection law and practice, and suitability to perform the data processing.
The data protection officer may be an employee of the controller or processor, or may perform his or her duties under a service contract.
The controller or processor shall be obliged to publish the name and contact details of the data protection officer and shall also communicate them to the supervisory authority.
Status of the data protection officer
The controller shall ensure that the data protection officer is involved in all matters relating to the protection of personal data in an appropriate and timely manner. It shall be ensured that the data protection officer has the necessary resources to maintain his/her expert knowledge.
The data protection officer shall not take instructions from anyone in the performance of his/her tasks. The controller or processor shall not dismiss or penalise the data protection officer in connection with the performance of his/her tasks. The data protection officer shall be directly accountable to the highest management of the controller or processor.
Data subjects may contact the data protection officer on all matters relating to the processing of their personal data and the exercise of their rights.
The data protection officer shall be bound by an obligation of secrecy or confidentiality in the performance of his/her tasks.
The data protection officer may also perform other tasks, but there should be no conflict of interest in relation to these tasks.
Duties of the Data Protection Officer
- Provides information and professional advice to the data controller or data processor, as well as to the employees performing data processing;
- checks compliance with the internal rules of the data controller or data processor regarding the protection of personal data;
- upon request, provides professional advice on data protection impact assessments and monitors the implementation of the impact assessment;
- cooperates with the supervisory authority.
Data protection incident
A data protection incident is a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that has been transmitted, stored, or otherwise processed.
Without appropriate and timely action, a data protection incident can cause physical, material, or non-material damage to natural persons. This includes loss of control over personal data, restriction of rights, discrimination, identity theft, or misuse of identity.
A data protection incident must be reported to the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of it, unless it can be demonstrated—in accordance with the principle of accountability—that the incident is unlikely to result in a risk to the rights and freedoms of natural persons.
If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the affected individual must be informed without delay so they can take the necessary precautions.
Data processing for administrative and record-keeping purposes
The organization may also process personal data in cases related to its activities or for administrative and record-keeping purposes.
The basis for data processing is the voluntary and definite consent of the data subject, given on the basis of appropriate information. After detailed information – covering the purpose, legal basis and duration of data processing and the rights of the data subject – the data subject must be informed of the voluntary nature of the data processing. Consent to data processing must be recorded in writing.
Data processing for administrative and record-keeping purposes serves the following purposes:
- data processing of the organization’s members and employees, which is based on a legal obligation;
- data processing of persons in a contractual relationship with the organization for contact, accounting and registration purposes;
- contact details of other organisations, institutions and businesses that have business relations with the organisation, which may also include contact and identification details of natural persons.
The data processing described above is based, on the one hand, on a legal obligation and, on the other hand, on the explicit consent of the data subject to the processing of his/her data (e.g. for the purposes of an employment contract, or on registering as a partner on a website).
In the case of documents (e.g. CV, job application, other submission, etc.) submitted to the organization in written form – including personal data – the consent of the data subject shall be presumed. After the case is closed – in the absence of consent for further use – the documents shall be destroyed. The fact of destruction shall be recorded in a report.
In the case of data processing for administrative purposes, personal data shall be included exclusively in the documents and registers of the given case. The processing of this data shall last until the disposal of the document serving as the basis for the processing.
Data processing for administrative and registration purposes shall be reviewed annually – in order to ensure that the storage of personal data is limited to the necessary period – and inaccurate personal data shall be deleted immediately.
Compliance with legal requirements must also be ensured in the case of data processing for administrative and record-keeping purposes.
Data Processing for Other Purposes
If the organization intends to carry out data processing activities not covered by this policy, it must first update this internal regulation accordingly and incorporate the necessary additional rules relevant to the new data processing purpose.
Other documents related to the policy
Documents and regulations that, for example, contain a written statement of consent to data processing or, for example, in the case of websites, describe the mandatory data processing information, should be linked to and managed together with the data protection and data management policy.
Legislation governing data processing
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Act CXII of 2011 on the right to informational self-determination and freedom of information.
- Act LXVI of 1995 on public documents, public archives and the protection of private archival material.
- Government Decree 335/2005. (XII. 29.) on the general requirements for document management of bodies performing public tasks.
- Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society.
- Act C of 2003 on electronic communications.