I. DATA CONTROLLER
Seyu Solutions Kft. (hereinafter: Data Controller, Company) creates the below report of data-process in order to ensure the legal process of data management and the rights of the affected.
|Name of data controller:||Seyu Solutions Kft.|
|Registration number of the company:||06 09 024603|
|Seat of data controller||6758 Röszke, Dózsa György utca 58|
|Electronic adress of data controller:||email@example.com|
|Representative of data controller:||Vecsernyés Tamás, Executive Director|
The Company controls the personal data under the relevant legislation but most importantly under the below laws:
- Act CXII of 2011 on the right of informational determination (hereinafter Info. tv.),
- the regulation No 2016/679 of the European Parliament and Council (EU) about the protection of natural persons in relation to the processing and free flow of personal data as well as the repeal of 95/46/EK Directive (hereinafter: Regulation or GDPR)
- Act V of 2013 on the transitory and authorising provisions related to the entry into force of the New Civil Code, (hereinafter: CC)
- Act CXXVII: of 2007 about value added tax (VAT), and
- Act C. of 2000 about accounting
The Company processes the data on a confidential basis, it makes every IT, informational security and other security measure which is necessary in order to keep the data confidential.
II. OBJECTIVE OF DATA PROCESSING: Data processing in order of billing
Goal of data processing
The goal of the Data Controller is issuing invoices and to keep certified copies of them
- in the Act CXXVII. of 2007 about value added tax (VAT), paragraph 159. (1) and paragraph 169. and
- as established in the Act C. of 2000 about accounting, paragraph 169. (2)
Processed personal data
Data established in VAT paragraph 169., but at least:
b) billing address
c) tax identification
Legal basis of data-processing
The legal basis of data processing during issuing invoices is the Regulation article 6. para (1) point c), that is fulfilling the legal obligation as described above.
Source of personal data
The affected. Because the affected is the source of the data, the Data Collectors gives information directly in case of any change in the addition of data.
Addresses of provided personal data
Only those employees of the Data Controller treat the personal data whose functionality concerns responsibility is the administration.
In the issue of billing the Data Controller uses the data-processor below:
Address : 6725 Szeged Borbás utca 19.
ABC Accounting Adószakértő és Tanácsadó Kft.
Address : 1115 Budapest, Keveháza u. 1-3
Head office : 7773 Villány, Móra F. u. 1-3.
a company whose duties involve accounting and billing.
As the Company stores the invoices electronically, the data-processor has access to the personal data while acting on its own account.
The data-processing programs use the personal data of the affected only in the ways established by the Data Controller in contract in accordance the instructions of the Data Controller. In the regard of data processing the program does not have the decision-making right. The data-processing programs commit obligation of confidentiality and contractual guarantee about the data.
The transfer of personal data to third countries or to international organisations
The Data Controller does not transfer the personal data of the affected to third country or to any international organisation.
Period of data-processing
The Data Controller processes the personal data in accordance of the Act C. of 2000. article 169. para (2) for 8 years from the date of issue.
Automatized decision making and profile creating
Neither of it happens during the data processing.
Providing personal data
Processing the data must be based on law and mandatory.
III. RIGHTS OF THE AFFECTED IN RELATION OF DATA-PROCESSING
Right to information
The affected has the right to get information about the data-processing, which is provided by the Data Controller with this information report.
Data-processing based on consent
In case any process of data is based on consent, the affected is entitled to withdraw it anytime. The affected only has the right to withdraw the consent about the data if it does not have any other legal basis for processing it. In case processing of the affected personal data does not have other legal basis, the Data Controller deletes it definitively and irrevocably after the withdrawal. The withdrawal of the consent does not affect the legality of data-processing before the withdrawal.
Right to grant for access
The Data Controller informs the affected in case of application if it is processing the personal data. If it is the Data Controller ensures access for the personal data and for information below:
a) objectives of data-processing;
b) categories of affected personal data;
c) those addressed or categories of addressed who the Data Controller shared or will share the data with, including particularly third countries and international organisations;
d) planned period of storing personal data, or if it is not possible the factors of determination of the period;
e) able to request the correction, to delete or to limit the processing of data and is able to object against processing personal data;
f) right to make a complaint to any supervisory authority or to launch judicial procedure
g) if the Data Controller did not collect the data directly from the affected, every available information about the source;
h) in case of automatized decision making, including profile creating but at least about the logic behind it, ergo about the importance of the data-processing in relation of the affected and the consequences.
Right to correct personal data
The affected is entitled in any circumstances to ask the Data Controller for correction without undue delay about the personal data. The affected is entitled to ask addendum through supplementary declaration in the light of the objective of data-processing
The Data Controller draws attention to the affected about the necessity of notifying any changes as soon as possible in order to facilitate lawful data-processing and justice.
Right to erasure – right to be forgotten
The affected entitled to request the removal of it’s personal data by the Data Controller without undue delay if any of the below reason stands:
a) there is no need for personal data in the way the Data Controller collected and processed it;
b) in case of consent-based data processing it withdraws the consent and the data-processing does not have any other legal basis
c) the affected objects against the data-processing and there is no primary legal reason for data-processing, or objects against data-processing in purpose of direct marketing;
d) the Data Controller processed the personal data unlawful
e) the Data Controller must delete the personal data in order to submit legal obligation established in EU or Member State law
f) if the collection of personal data was in order to offer services in connection of informational society.
Right for restriction of data-processing
The affected is entitled to request the Data Controller to restrict data-processing if any of the reasons below stands:
a) in that case the restriction will stand for the period of time which enables the Data Controller to check the reliability of the personal data;
b) the data-processing is unlawful and instead of the cancellation of the data it requests to restrict the process of data;
c) the Data Controller does not need the personal data anymore for data-processing but the affected requires them for legal claims, validation or protection or
d) in that case the restriction stands for the period-of-time while it is not established that the legitimate reasons of the data-processor are primary in comparison with the legitimate reasons of the affected.
Right for objection
In case the legal basis for data-processing is the legitimate interest of the Data Controller (Regulation, article 6. para (1) point f)) or the data-processing is necessary for the Data Controller for the execution of tasks of public authority (Regulation article 6. para (1) point e)), the affected has the right to object to processing its personal data including profile creation based on the mentioned regulation.
In case the Data Controller processes the personal data for the purposes of direct marketing, the affected has the right to object to data-processing of that premises including profile creating if it is for that purpose. Personal data cannot be processed in the purpose of direct marketing if the affected objects to it.
Right for data portability
The affected is entitled to get the personal data in headed, widely used and machine-readable format, furthermore the Data Controller is entitled to forward these data to another data-processor in case of:
a) data-processing is based on the consent of the affected or on the contract signed in relation of Regulation (Article 6. para (1) point b); and
b) data-processing is automatized
PROCEDURE TO GRANT THE RIGHTS OF THE AFFECTED
The affected can exercise its rights by sending an email to firstname.lastname@example.org, sending a postal mail to the head office of the Data Controller (6758 Röszke, Dózsa György utca 58.) or in persona the head office of the Data Controller. The Data Controller starts the examination and fulfilment without undue delay. The Data Controller informs the affected about the measures based on the request withing 30 days of the arrival of it. In case the request is cannot be performed the Data Controllers informs the affected about the reasons of refusal and the rights of remedies.
In case of the death of the affected, a person authorized by the affected by authentic instrument, document of equivalent probative value and declaration for the Data Controller – if there is more than one declaration the latest is the valid one – can validate the rights of the affected within 5 years. If the affected did not make any declaration, according to the Civil Code any close relative is entitled to validate the rights of the affected stated in the Regulation article 16. (right for correction) and article 21. (right to object), and – if data-processing was unlawful during the life of the affected – for the Regulation article 17. (right to be forgotten) within 5 years after the death. The first close relative who exercises the rights of the affected is entitled for the validation of the rights in this para.
IV. RIGHT TO PURSUE REMEDIES
In order to validate the right of judicial remedy the affected can seize the court, if the Data Collector or other contracted data-processor violates the standards of data-processing over the law or the European Union. The court acts … in the matter. The evaluation of the trial falls into the competence of the court. The trial can be brought into court located in the residence of the affected or in the location of the State of the Data Controller.
By the reference to the violation of personal data-processing, or it is a risk that it will happen, or the rights of the affected has been limited by the Data Controller, or it refuses the request to grant these rights, anyone can initiate an investigation at the National Authority of Data Protection and Freedom of Information. The affected can report to any of the below availabilities:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Postal address : 1530 Budapest, Pf.: 5.
Address : 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
In case of a divergence of interpretation, the Hungarian report shall prevail.
Budapest, 2020. 01. 27.