GDPR

Privacy Notice

 

Being a data controller, Kematechnik Innomontage Vállalkozó Kft. – surface treatment centre – (hereinafter: the “Organisation”) considers the content of this Notice, being a legal statement, as binding on itself. It undertakes that all data processing related to its activities shall comply with the requirements set out in this policy, the applicable national legislation, as well as the legal acts of the European Union.

 

The Privacy Notice related to the data management of the Organisation shall be continuously available athttp://ki-group.hu/hu/adatvedelem.

The Organisation reserves the right to change this Notice at any time.

 

If you have any question related to this Notice, please, write to us (office@ki-group.hu) and our colleague will answer your question!

 

The Organisation is committed to protecting the personal data of its customers and partners, and considers it a key matter to respect its customers’ right of informational self-determination. It handles personal data confidentially and takes all reasonable security, technical and organisational measures designed to guarantee the security of data.

(One of the key elements in the concept of personal data is that it may relate to information about natural persons only, and consequently, information about a legal person, such as a company name, company registration number, registered office… does not qualify as personal data.)

 

In the following, a description of the Organisation’s data management is provided.

 

REGULATION (EU) NO. 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC / (General Data Protection Regulation) (hereinafter: “GDPR”) is applicable as of 25 May 2018, and under the GDPR, our company qualifies as a data controller.

 

To see the GDPR, as referenced in our Notice, use this link:

https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:32016R0679&from=HU

 

When formulating the provisions of this Notice, our Company paid special attention to the provisions of the GDPR, as well as the relevant provisions of other Hungarian laws on data protection and data management (with particular regard to the Civil Code, the Privacy Act and the Accounting Act).

 

 

Details of the data controller:

 

Name:                      Kematechnik Innomontage Kft.

Registered office:      1222 Budapest, Nagytétényi út 102

Company registration No.:          01-09-167548

Tax No.:                  10430116-2-43

Mail address             1222 Budapest, Nagytétényi út 102

Email:                     office@ki-group.hu

Phone:                     +36 1 208 6030

Fax:                         +36 1 371 1381

Website:                   www.ki-group.hu

 

Terms and definitions under Article 4 of the GDPR:

 

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

 

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

 

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

 

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

 

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

 

‘consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

 

‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

 

‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

 

‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

 

Personal Data

 

The Organisation has summarised in tabular form the purpose, type, duration, legal basis, source and possible recipient of the processing of personal data and the grounds for the forwarding.

Processing of personal data

purpose:

type:

duration:

legal basis:

source:

recipient/reason:

Sales (customer service)

Name

Job

Phone number

Email

Until revoked

Legitimate interest

The data subject

none, possibly the Authority/see Chapter "Privacy"

Sales (facilities – e.g. contract, protocols)

Contact details (name, position, phone number, email)

Until revoked

Legitimate interest

Contracting partner

none, possibly the Authority/see Chapter "Privacy"

 

It is a special, exceptional case, where an external auditor performing an inspection in connection with the ISO certification of the Organisation requests access to documentation that includes personal data. As the external auditor is bound by confidentiality in connection with his/her activity, and no data transmission takes place, but personal data are introduced visually only, this type of data processing is allowed at the Organisation.

 

For contractual or legal obligations, where the required data is not provided, the following legal consequences may apply:

  • requesting data to fulfil legal obligations: impossibility of fulfilling the legal obligation;
  • requesting data for concluding a contract: failure of contracting;
  • requesting data to use a service: refusal to provide the service.

 

Automated decision making and profiling are irrelevant at the Organisation.

 

The transmission of data to a third country or international organisation is irrelevant at the Organisation.

 

Data protection

 

A data subject’s personal data are accessible by the employees of the data controller in connection with the performance of their tasks (preparation of offers, contracts; performance of business activities… etc.).

Information on any data processing not specified in this Notice shall be provided at the time of the data collection. The court, prosecutor, investigating authority, acting authority, administrative authority, the National Authority for Data Protection and Freedom of Information, the National Bank of Hungary (Magyar Nemzeti Bank) or other bodies may, based on the authority granted under the provisions of law, request the data controller to provide information, disclose or provide data, or make available documents. Provided that the exact purpose and scope of the data provision have been specified, the Organisation shall disclose only such personal data and to such extent to the authorities, as strictly necessary to achieve the purpose of the request. Furthermore, the lawyer representing the data controller shall also have access to the personal data, where a dispute arises between the data subject and the data controller.

 

The data controller shall store the personal data provided by the data subject at the headquarters of the Organisation that shall take adequate security measures (storage of hardcopy documents in locking cabinets and digital content on a secure server, 24-hour guard service on site) to protect them (e.g. against unauthorized access or alteration).

 

Information on rights

 

The data subject may request the data controller access to and rectification or erasure of personal data, or restriction of processing concerning the data subject, as well as object to the processing of such personal data or dispose of his/her the right to data portability. The data subject shall be obliged to notify the Organisation without delay of any changes in his/her data!

 

Right of access: The data subject shall have the right to access personal data and related information (as detailed in Article 15 of the GDPR). Basically, the Regulation stipulates that this service must be provided free of charge, however, where costs are justified by either the complexity or simply the frequency of the data request, the controller may also charge a fee. (Data collection can be time consuming!)

 

Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

 

Right to deletion: The data subject shall have the right to request from the data controller the erasure of personal data concerning him or her without undue delay and the data controller shall have the obligation to erase personal data without undue delay, as set out in Articles 17 (1) and (2) of the GDPR. Paragraph (3) includes restrictions where paragraphs (1) and (2) do not apply.

 

Right to restriction of processing: If the data subject objects to the data processing, and does not want the Organisation to erase the data from the system, but to stop processing it instead, he or she and the data controller may arrange this as laid down in Article 18 of the GDPR.

 

Right to data portability: The data subject shall have the right to access the personal data concerning him or her that he or she has provided to the data controller in a structured, widely used, machine-readable format, as specified in Article 20 of the GDPR.

 

Right to object: The data subject shall have the right to object to the processing of his or her personal data at any time, with reference to reasons related to his or her situation, in line with the provisions of Article 21 of the GDPR.

 

Right of withdrawal: The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

As regards the notification obligation concerning the rectification or erasure of personal data or the restriction of data processing, the data controller shall notify all recipients of any rectification or erasure, or the restriction of data processing, as described in the foregoing, to whom the personal data has been disclosed, unless this proves impossible or would require disproportionate efforts. The data controller shall inform the data subject about those recipients if the data subject requests it.

 

 

 

Right of appeal in relation to data processing

 

If the data subject wishes to make a complaint about the data processing, he or she can do so at:

Name:                      National Authority for Data Protection and Freedom of Information

Registered office:      1125 Budapest, Szilágyi Erzsébet fasor 22/C

Mail address:            1530 Budapest, P.O. box 5

Phone:                     +36 1 391 1400

Fax:                         +36 1 391 1410

Email:                     ugyfelszolgalat@naih.hu

Website:                   http://www.naih.hu

 

In case of a breach of the data subject’s rights, he or she may take legal action against the data controller as well.

 

Personal data breach

 

The GDPR provides that the competent authority (National Authority for Data Protection and Freedom of Information – NAIH) must be notified of the breach in most cases, and that records must be kept of such breaches. Such breaches include, for example, any theft, loss or destruction of the data.

At the Organisation, these records can be accessed by the Executive Director only. The records include the following: date of breach; duration of breach; description of breach; category of personal data concerned; number and group of affected data subjects; quantity of data; possible consequences, risks; measures taken; notifications.

 

Budapest, 01 October 2020