Data Management Notice
- Data controller
Name: MED-PLAST 2000 Hungary Kft.
Title:2013 Pomáz, Mártírok u. 1-3.
Data controller representative: Ferenc Péter
Contact details of the Data Controller regarding data protection:adatvedelem@medplast.hu
This information is the unilateral commitment of the data controller in accordance with Regulation 2016/679 of the European Parliament and Council (EU) (April 27, 2016) and the relevant national legislation.
This information may be unilaterally modified and/or revoked by the Data Controller at any time, with the simultaneous notification of the Data Subjects. The information is published on the website or, depending on the nature of the change, by direct notification of the interested parties.
- Purpose of data management
2.1 Selection of new personnel for the Data Controller
Searching for new employees, recruiting, posting job advertisements, receiving and storing job applications, pre-screening applicants, interviewing, handling tests, trial jobs, and resumes.
Legal basis for data management: Contribution
Scope of processed data: Name, address, e-mail, phone, data provided in CV
Planned deadline for data management: The last working day of March of the 2nd year following the application or until the Data Subject’s consent is revoked.
2.2 Termination of establishment or modification of an employment relationship
The entry and exit process of employees, establishment, modification, termination, and termination of employment contracts.
Legal basis for data management: Contract
Scope of processed data: Name, birth name, date of birth, mother’s name, address, nationality, tax identification number, social security number, pensioner identification number (for retired employees), telephone number, e-mail address, identity card number, number of official ID card confirming residential address, bank account number, online identifier (if applicable), start and end date of employment, CV
Planned deadline for data management: For the period specified by law
2.3 Contact with partners, customers, suppliers
Contact with partners, customers, potential customers, and suppliers, issuing quotations, entering into contracts, managing and recording contact data, personal contact, taking orders by telephone, participating in events and related ancillary services, reconciliation and updating of contact information.
Legal basis for data management: Legitimate interest – It is the Data Controller’s legitimate interest to register contact details for the performance of contracts
Scope of processed data: Name, address, e-mail address, telephone, company name, position
Planned deadline for data management: The last working day of March of the 4th year following the termination of the partnership agreement or until the Data Subject objects.
2.4 Issuance of an invoice, as well as the issuance of related mandatory documentation for the performance of services
Issuance of an invoice, as well as the issuance of related mandatory documentation for the performance of services.
Legal basis for data management: Legal obligation
Scope of processed data: Contact name, e-mail address, position
Planned deadline for data management: At least 8 years
2.5 Receiving/handing over orders in the organization’s warehouse
Warehouse issue, goods receipt for legal entities, During the issue or receipt of the goods, the data of the receiver/handover of the goods are recorded on the issue receipt.
Legal basis for data management: Legitimate interest – It is the legitimate interest of the data controller to register the data of its contacts and the receiving natural person in order to fulfill the contract.
Scope of processed data: Name, Photo ID number, Vehicle registration number
Planned deadline for data management: The last working day of March of the 4th year following the termination of the partnership agreement or until the Data Subject objects.
2.6 Management and filing of contracts
Management and registration of contracts, registration of contracts related to the activities of the Data Controller, management of the contact details of the contracting party and keeping them up to date when the contract is concluded, details of the contracting party’s proxies, and keeping them up-to-date.
Legal basis for data management: Legitimate interest – The data controller has a legitimate interest in keeping the data of the contact person.
Scope of processed data: Name, telephone, position, e-mail, signature
Planned deadline for data management: The last working day of March of the 4th year following the termination of the contract or until the Data Subject objects.
2.7 Management of Request for Proposals
Questions received by the Organization’s central email address, registering and responding to requests for proposals, and issuing offers.
Legal basis for data management: Legitimate interest – Legitimate interest – The legitimate interest of the data controller is to maintain pre-contractual contact and record contact person data.
Scope of processed data: Name, address, e-mail address, telephone, unique identifier
Planned deadline for data management: From the date of receipt of the request for proposals until the last working day of March of the 5th year or until the Data Subject objects.
2.8 Order Management
Registration of orders.
Legal basis for data management: Legitimate interest – It is the legitimate interest of the data controller to register the data of the contact person and the recipient to fulfill the order
Scope of processed data: Name, address, e-mail address, telephone, unique identifier
Planned deadline for data management: At least 8 years
2.9 Delivery of orders
Delivery to customers using forwarding and courier companies
Legal basis for data management: Legitimate interest – It is the legitimate interest of the data controller to register the data of its contacts and the recipient to fulfill the contract
Scope of processed data: Contact name, phone number, e-mail address
Planned deadline for data management: The last working day of March of the 4th year following the termination of the contract or until the Data Subject objects.
2.10 Management of statistical cookies (Cookies) necessary for the basic functioning of the website
The Data Controller places cookies and web beacons on the website to recognize the user who has visited the website before; map the visitor’s interests; improve the visitor’s user experience and display personalized content for the visitor, as well as for the security and improvement of the website.
Legal basis for data management: Legitimate interest – The Data Controller has a legitimate interest in mapping the interests of the visitor; improving the visitor’s user experience and displaying personalized content for the visitor, improve the website’s security.
Scope of processed data: IP address, unique identification number, dates, times
Planned deadline for data management: Until the end of the session.
2.11 Google Analytics
The website measures visitor data, in which the transmitted data is not suitable for identifying the persons concerned.
Legal basis for data management: Legitimate interest – the Data Controller has a legitimate interest in optimizing and monitoring its services.
Scope of processed data: The transmitted data are not suitable for identifying the data subject
Planned deadline for data management: Until the Data Subject protests.
2.12 Advertising service(s) and providing information to partners
About new or renewed services, inquiries for direct business acquisition or marketing purposes with advertising content, customer satisfaction measurement, surveys, invitations to marketing events, eDM, and telephone inquiries with the involvement of telemarketing services.
Legal basis for data management: Contribution
Scope of processed data: Name, company name, e-mail address, telephone
Planned deadline for data management: Until the data subject withdraws his consent
2.13 Advertising service(s) and providing information to partners
About new or renewed services, inquiries for direct business acquisition or marketing purposes with advertising content, customer satisfaction measurement, surveys, invitations to marketing events, eDM, and telephone inquiries with the involvement of telemarketing services.
Legal basis for data management: Legitimate interest – The legitimate interest of the Data Controller is to obtain direct business
Scope of processed data: Name, company name, e-mail address, telephone
Planned deadline for data management: Until the Data Subject protests.
- 14 Operation of an electronic video surveillance system
Protecting the security of the Data Controller’s premises, protecting the Data Controller’s property, protecting the health and property of the Data Controller’s employees and visitors, and investigating the circumstances of accidents and crimes that may occur.
Legal basis for data management: Legitimate interest – It is the Data Controller’s legitimate interest to protect its assets and control access.
Scope of processed data: Image of the natural person, recording of a motion picture (further on, recording together)
Planned deadline for data management: Maximum 30 days
2.15 Event Registration
Management of registrations related to corporate events organized by the data controller.
Legal basis for data management: Contribution
Scope of processed data: Name, Company name, Position, Email address, Phone number
Number of adult guests, number of children (under 16 years of age).
Planned deadline for data management: Until the consent of the affected person is revoked, but for a maximum of 3 years.
2.16 Photo and video documentation of the event
The Data Controller takes photos and videos of the events it organizes, which can be published on the Data Controller’s website and Facebook page, and stored in its organizational databases.
Legal basis for data management: Legitimate interest – The Data Controller has a legitimate interest in the storage and use of recordings made at the events it organizes in order to effectively present the organization in person.
Scope of processed data: Face and body image
Planned deadline for data management: Until the Data Subject protests.
2.17 Accounts Receivable Management
Data management and data storage related to the collection of debts owed to the Data Controller.
Legal basis for data management: Legitimate interest – The legitimate interest of the Data Controller is the collection of debts related to the provision of services and the related data management.
Scope of processed data: Name, place of birth, date of birth, mother’s name, tax identification number, other property data for mortgage registration, personal data of co-owners
Planned deadline for data management: Until the Data Subject’s protest is deemed legitimate
or until the debt is settled.
2.18 Data management related to the GDPR
Data management related to the GDPR.
Legal basis for data management: Legal obligation
Scope of processed data: Name, Data protection identifier, Stakeholder request, date, type, content, Stakeholder request result, Incident date, documentation, result
Planned deadline for data management: Not to be scrapped
- Advertisement of service(s) and provision of information to those concerned
About new or renewed services, direct business acquisition, or marketing inquiries containing advertising, customer satisfaction measurement, invitations to marketing events, conferences
Legal basis for data management: Legitimate interest – The legitimate interest of the data controller is to obtain direct business
Scope of processed data: e-mail, name
By using a service, the data subject provided the data controller with the following data. In this information, the data controller informs the data subject that the data managed according to the requirements set out in point 2 will be reclassified as a legitimate interest and used for direct business acquisition.
Source of data: The Data Controller legitimately managed the Data Subjects’ data for other data management purposes.
Planned deadline for data management: Until the protest
- Consequences of failure to provide data
Possible consequence of failure to provide data: Failure of the purpose of data management.
- Scope of stakeholders
The partners or future partners who have a contract with the data controller and the contact persons provided by them, as well as visitors to the Organization’s website, persons who provide data through the website, and job applicants through the website.
- Range of mandatory data
The Data Controller does not mark the data that must be filled in separately on the individual data entry interfaces, on which all data are required to be entered. On those interfaces where not all data entry is mandatory, the data manager indicates the data fields that must be entered by displaying an asterisk*.
- Children
Our products and services are not intended for persons under the age of 18, and we ask that persons under the age of 18 do not provide Personal Data to the Data Controller. If we become aware that we have collected personal data from a child under the age of 18, we will take the necessary steps to delete the data as soon as possible.
- Information on the use of a data processor
In the course of data management, the data controller primarily forwards the data-to-data processors contracted with it and independent data controllers for the performance of the contract.
Categories of data processors: Website, newsletter, and sales service provider – Judit Péter, sole proprietor; IT operator; Accounting service provider; Event organizer; Photo-video service provider; Hostess service provider; Legal advisor; GDPR consultant.
Recipient categories: Forwarder; Carrier service provider; Authorities; Social media sites; Hungarian Post.
- The circle of persons entitled to access the data
The data manager will not transfer the data obtained to third parties, except for the data processor(s) specified in point 8. Only employees of the data controller and designated employees of the data processor(s) can see the recorded data.
The Data Protection Manager, the IT operator, and the Managing Director can access the recordings previously recorded by the electronic monitoring system. Upon request, the Data Subject may only access recordings made of his/her person in the presence of one of the aforementioned persons. In all cases, you must request access in writing to the Data Protection Officer.
In each case, the Data Controller prepares a record of the access, which the company stores for 1 year.
9.1 They are entitled to restrict the images of the electronic surveillance system
The restriction of recordings recorded by the electronic surveillance system can only be implemented in cases where the Data Controller has detected an event that is likely to endanger the goal of the electronic surveillance system.
At the request of the Data Subject, the processing of recordings made of his/her own person may be restricted. The Data Subject must request the blocking in writing to the Data Protection Officer, indicating its purpose and expected duration.
The Data Controller prepares a record of each step of the blocking process, which the Data Controller stores for 1 year.
- Management of data received from third parties
If the User/Partner does not provide his/her data to the Data Controller, but that of another natural person, in this case, the User/Partner is solely responsible for providing the data with the consent, knowledge, and adequate information of this natural person. The Data Controller is not obliged to investigate their existence. The Data Controller draws the attention of the User/Partner to the fact that if he does not comply with this obligation, and therefore the Data Subject asserts a claim against the Data Controller, the Data Controller may transfer the asserted claim and the amount of the related damage to the User/Partner.
- Rights of data subjects
The Data Subject at the contact details indicated in Point 1 with the Data Controller,
- may ask you to provide information about the management of your personal data,
- you can request the correction of your data,
- you can request information about data management
- you can request the deletion of your personal data and restriction of data management,
The affected party may exercise the above rights at any time.
The Data Subject can also deliver it to the Data Controller at one of the contact addresses indicated in Point 1.
- you can request the transfer of your data to another data manager if the data management is based on a contract or consent and is handled by the Organization within the framework of an automated procedure.
- can provide for the withdrawal of your previously given consent to data management
The Data Controller will deal with or reject the report (provided with reasons) within 1 month at the latest after the submission of the request – in exceptional cases, within a longer time limit than allowed by law. The Data Subject will be informed in writing of the results of the investigation.
- 1 Cost of information
The Organization provides the measures and the necessary information free of charge for the first time.
If the Data Subject requests the same data for the 2nd time within a month, which has not changed during this time, the Data Controller will charge an administrative fee.
- The basis for accounting for administrative costs is the hourly cost of the current minimum wage as an hourly rate.
- The number of working hours used for information is calculated at the above hourly rate.
- Furthermore, in the case of a paper-based information request, the printing cost of the answer is at cost price and the cost of postage.
11.2 Refusal to provide information
If the data subject’s request is unfounded, he is not entitled to information, or if the Organization, as a data controller, can prove that the Data Subject has the requested information, the data controller will reject the request for information.
If the data subject’s request is excessive due to its repetitive nature, the Organization may refuse to act based on the request if
- For the third time within a month, the person concerned lives in the same subject area 15-22. with a request to exercise your rights under Art.
11.3 Right to protest
The data subject has the right to object at any time to the processing of his personal data based on the legal basis of legitimate interest or public authority.
In this case, the Organization may no longer process the personal data, unless it proves that the data processing is justified by compelling, legitimate reasons that take precedence over the interests, rights, and freedoms of the data subject, or that are related to the presentation, enforcement or defense of legal claims.
If you establish that the legal basis of the protest is well-founded, you will terminate the data management as soon as possible – including data transfer and further data collection. It notifies all those to whom it previously forwarded the Data Subject’s data about the objection.
Processing the request is free of charge, except for unfounded or excessive requests, for which the Data Controller may charge a reasonable fee corresponding to its administrative costs. If the Data Subject does not agree with the decision made by the Data Controller, he may go to court.
- Information on data security measures
The Data Manager manages the data in a closed system.
The data manager takes care of default and built-in data protection. To this end, the Data Controller applies appropriate technical and organizational measures to:
- accurately regulates access to data.
- allow access only to persons who need the data to perform the task with it, and even then only the data that is minimally necessary to perform the task can be accessed;
- carefully select the data processors it entrusts and ensure the security of the data with an appropriate data processing contract.
- ensure the immutability (data integrity), authenticity, and protection of the processed data.
The Data Controller applies reasonable physical, technical, and organizational security measures to protect Data Subjects, especially against their accidental, unauthorized, or illegal destruction, loss, alteration, transmission, use, access, or processing. The Data Controller shall immediately notify the Data Subject in the event of unauthorized access to or use of personal data that is known to pose a high risk to the Data Subject.
If it is necessary to transmit Data Subject data, the Data Controller ensures the appropriate protection of the transmitted data, for example by encrypting the data file. The Data Controller is fully responsible for the processing of Data Subjects carried out by third parties.
The Data Controller also ensures that the Data Subject’s data is protected against destruction or loss with appropriate and regular backups.
- Analytical Services
The Data Controller uses the Google Analytics service to track page statistics and user demographic data, interest, and behavior on websites. The Organization also uses Google Search Console to optimize the website for search engines and measure user satisfaction. Google provides the option to limit the use of analytics services. Visit Google’s page to opt out of the use of data by Google Analytics.
https://tools.google.com/dlpage/gaoptout
- Applicable laws
Legislation governing the data processing carried out by the Data Controller:
- Regulation 2016/679 (EU) on the protection of natural persons about the processing of personal data and on the free flow of such data (hereinafter: “GDPR”),
- CXII of 2011 on the right to information self-determination and freedom of information. law
(hereinafter: “Info Law”),
- Act C of 2000 on accounting (hereinafter: “Accounting Act”),
- Act V of 2013 on the Civil Code (hereinafter: “Civil Code”),
- CLV of 1997 on consumer protection. Act (hereinafter: “Consumer Protection Act”)
- CXXXIII of 2005 on the rules for personal and property protection and private investigative activities. Act (hereinafter: “Asset Protection Act”).
- Remedy
Any affected, if in its judgment
- the Data Controller restricts the enforcement of its rights or rejects its request to this effect, the National Data Protection and Freedom of Information Authority may initiate an investigation by notification to investigate the legality of the Data Controller’s action;
- during the processing of your personal data, the Data Controller violates the legal regulations for the processing of personal data,
- may request the conduct of the official data protection procedure of the National Data Protection and Freedom of Information Authority, or
- you can go to court against the Data Controller and, depending on your choice, you can initiate the lawsuit before the competent court according to your place of residence or place of residence.
Contact details of the National Data Protection and Freedom of Information Authority:
President: dr. Attila Péterfalvi
Address: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36-1-3911400
E-mail:ugyfelszolgalat@naih.hu
www.naih.hu
Budapest, 25.03.2021