Budapest

Data protection statement

Data processing guide on the processing of the personal data of business and professional partners, contracting parties and third parties affected by them

 

1. Identification of the data controller

 

Hungarian Investment Promotion Agency

Seat: H-1055 Budapest, Honvéd utca 20.

Postal address: H-1055 Budapest, Honvéd utca 20.

E-mail: [email protected]

Telephone: +36 1 872 6520

Fax: +36 1 872 6699

Website: www.hipa.hu

 

2. Purpose of the Data Processing Guide

 

The purpose of this Data Processing Guide is to ensure that the Hungarian Investment Promotion Agency shall fully comply, when processing data of its business and professional partners, contracting parties maintaining a legal relationship with them and third parties affected by them, furthermore, persons affected by authorization of entry into its corporate headquarters and by the use of the camera surveillance system, with the legal requirements applying to the control of personal data, especially with the provisions contained in Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation or GDPR).

 

3. National legislation serving as the basis of data processing

 

The following legislation applies to data processing activity performed by the Hungarian Investment Promotion Agency:

  • Act CXII of 2011 on Informational self-determination and freedom of information (hereinafter: Infotv.),
  • Act LXVI of 1995 on Public Records, Public Archives and the Protection of Private Archives,
  • Government Decree 183/2014. (VII. 25.) on the Hungarian Investment Promotion Agency,
  • Government Decree 335/2005. (XII. 29.) on the common provisions of document management in public administrative bodies.

 

4. Persons subject to the Data Processing Guide

 

The Data Processing Guide shall apply to the processing of the personal data of the persons defined in section 2.

 

Customers, partners who are sole traders, one-person companies shall be treated for the purposes of the Data Processing Guide according to the rules applying to natural persons.

 

5. Conceptual Definitions

 

The definitions of concepts applied in the Data Processing Guide are contained in Section 4 of the General Data Protection Regulation.

 

6. Data processing related to contracts

 

6.1. Processing of data of contact persons, representatives

 

The scope of processed data and the purpose of data processing

 

personal data

the purpose of data processing

Name

Establishment and maintenance of connections with contractual partners, suppliers, consultants, professional partners, investors, in the case of site registration, property owners or natural persons designated by them and customers, as well as exercising rights and obligations arising from contracts.

Position

E-mail address

Telephone number

 

 

 

Legal basis of data processing

 

The Hungarian Investment Promotion Agency collects and controls the data of contact persons according to its legitimate interests. Concerning the processing of the data of contact persons, the Hungarian Investment Promotion Agency has assessed the impact thereof on the data subjects, and found that this data processing does not involve any restrictions that would be disproportionate and unnecessary concerning the interests, fundamental rights and freedom of the data subjects.

 

In the case of a contractual legal relationship this processing shall be considered legitimate even if processing is necessary prior to the conclusion of the contract, in order to take steps at the request of the data subject.

 

Personal data may be transferred, for the purpose of processing, to the Hungarian Post for posting and transport, or to a contracted courier service.

 

Duration of data processing

 

The Hungarian Investment Promotion Agency shall process data of contact persons, if they are not contained in the contract, until the date that is absolutely necessary in order to fulfil the contract, but not longer than a term of 5 years following the termination of the contract in any case, if they constitute part of the contract, then for a term of 8 years following the termination of the contract.

 

6.2. Keeping records of contracts

 

The scope of processed data and the purpose of data processing

 

personal data

the purpose of data processing

Name

Processing, registration of contracts involving financial commitment.

 

 

 

 

 

 

Legal basis of data processing

 

The Hungarian Investment Promotion Agency controls the personal data contained in its contract registration system according to its legitimate interests. Concerning the processing of the data contained in its contract registration system, the Hungarian Investment Promotion Agency has assessed the impact thereof on the data subjects, and found that this data processing does not involve any restrictions that would be disproportionate and unnecessary concerning the interests, fundamental rights and freedom of the data subjects.

 

Duration of data processing

 

The Hungarian Investment Promotion Agency controls the personal data contained in its contract registration system for a period of 8 years following the termination of the contract.

 

7. Operation of the camera system, control of entry in the building

 

 The scope of processed data and the purpose of data processing

 

Cameras are installed in the registered office of the Hungarian Investment Promotion Agency exclusively for security and property protection reasons, the system is not aimed at observing and controlling the activities and work of the employees. The cameras survey the leased parking lots, the corridors, elevators and the garage. None of the cameras surveys the areas designated for the employees to spend their breaks during working time or the restrooms. The cameras only record images (or: images and sounds).

 

The camera system is provided by the landlord of the building, the Hungarian Investment Promotion Agency does not have direct access to it and, with the exception of the camera surveying the parking lots, none of the employees or contractual partners of the Hungarian Investment Promotion Agency is able to see the monitors showing live footage.

If required, the Hungarian Investment Promotion Agency may be granted access to the camera recordings (e.g. in the case of crimes against persons or property), in which case it shall proceed in full compliance with the valid applicable legislation.

During admission control in the buildings, the name of the relevant person is recorded.

 

personal data

the purpose of data processing

Image recording

In exceptional cases, management of incidents that occurred within the scope of the provision of security and property protection services in the building and affecting the Hungarian Investment Promotion Agency (as well).

Name

Control of entry in the building.

 

 

Legal basis of data processing

 

The Hungarian Investment Promotion Agency processes any personal data processed by it related to admission control according to its legitimate interests. Concerning the processing of the data related to admission control, the Hungarian Investment Promotion Agency has assessed the impact thereof on the data subjects, and found that this data processing does not involve any restrictions that would be disproportionate and unnecessary concerning the interests, fundamental rights and freedom of the data subjects.

 

Duration of data processing

 

The Hungarian Investment Promotion Agency shall erase any personal data processed related to admission control within 3 workdays following the date of data collection (admission).

 

Data transfer

 

In the case of procedures initiated owing to the suspicion of any infraction or crime, if required, the landlord of the building may transfer the image recording to the Hungarian Investment Promotion Agency, which the Hungarian Investment Promotion Agency shall deliver to the competent authorities, if necessary.

 

8. Reception of delegates

The scope of processed data and the purpose of data processing

 

 

 

 

personal data

the purpose of data processing

Name

Reception of delegates, optionally, participation in the management of the travel.

Position

Place and date of birth

Passport details

 

Legal basis of data processing

 

The Hungarian Investment Promotion Agency shall process any personal data collected and processed related to the reception of business, professional partner delegates according to its legitimate interests. Concerning the processing of the personal data of delegates, the Hungarian Investment Promotion Agency has assessed the impact thereof on the data subjects, and found that this data processing does not involve any restrictions that would be disproportionate and unnecessary concerning the interests, fundamental rights and freedom of the data subjects.

 

Duration of data processing

 

The Hungarian Investment Promotion Agency shall retain the personal data provided to it concerning the reception of delegates according to the applicable rules contained in the Document Management Policy.

 

9. Control of contract fulfilment

The scope of processed data and the purpose of data processing

 

personal data

the purpose of data processing

Name

Control of contract fulfilment

Position

E-mail address(in certain cases)

Phone number(in certain cases)

 

Legal basis of data processing

 

The Hungarian Investment Promotion Agency shall process any personal data processed related to the fulfilment of contracts according to its legitimate interests. Concerning the control of contract fulfilment, the Hungarian Investment Promotion Agency has assessed the impact thereof on the data subjects, and found that this data processing does not involve any restrictions that would be disproportionate and unnecessary concerning the interests, fundamental rights and freedom of the data subjects.

 

Duration of data processing

 

The Hungarian Investment Promotion Agency shall retain the personal data processed related to the control of contract fulfilment for a period of 8 years following the termination of the contract.

 

10. The transfer of personal data and using the services of a data processor

 

The transfer of the personal data of data subjects shall take place in a traceable manner, based on the relevant legal requirements.

 

The Hungarian Investment Promotion Agency is entitled to send to its partner any personal data related to contractual partners and employees designated as contact persons with customers.

 

The Hungarian Investment Promotion Agency shall transfer any personal data of its employees to countries outside the European Union or to international organizations pursuant to the relevant provisions of GDPR.

 

11. Data security measures

 

In respect of data processing by the Hungarian Investment Promotion Agency, regardless of the purpose and legal basis thereof, the Hungarian Investment Promotion Agency shall perform those technical and organizational measures and develop those procedural rules that are necessary for implementing the General Data Protection Regulation and the requirements contained in the Infotv.

 

The Hungarian Investment Promotion Agency applies appropriate legal, technical and IT measures to protect the data against accidental or illegal destruction, losses, alteration, damage, unauthorized publication and unauthorized access.

 

The Hungarian Investment Promotion Agency imposes the obligation of confidentiality on persons employed by it concerning the control of personal data, which the relevant person shall acknowledge by signing a statement of confidentiality upon his or her appointment or upon the conclusion of his or her contract of employment. The Hungarian Investment Promotion Agency restricts access to personal data by defining levels of authorization. 

 

The Hungarian Investment Promotion Agency protects its information systems by firewall and provides antivirus protection for them, and it uses such a data storage system accessible by the appropriate passwords that only provide access through a dedicated user privilege management system to authorized parties.

 

The Hungarian Investment Promotion Agency performs electronic data processing, record keeping by computer software, which complies with the requirements of data security. The software ensures that only such persons may have access to the data, for a specified purpose and under controlled circumstances, who need such access for the fulfilment of their job duties.

 

Furthermore, in the electronic processing of personal data the Hungarian Investment Promotion Agency ensures:

a)     the prevention of unauthorized data entry;

b)     prevention of the use of the automated data processing systems by unauthorized persons;

c)     the opportunity to verify and determine what are the entities to which the personal data have been or could be transferred;

d)     the opportunity to verify and determine what personal data were added to the electronic data processing systems, when and by whom;

e)     the opportunity of restoring the operated systems in the case of malfunction, and

f)      to create reports on any errors occurring in electronic processing.

 

in order to protect personal data, the Hungarian Investment Promotion Agency shall arrange for the control of incoming and outgoing electronic communication.

 

The Hungarian Investment Promotion Agency does not allow the use of unverified computer software received from external sources or the downloading of such software.

 

Only competent, authorized employees shall have access to documents under work in progress, processing.

 

12. Management of personal data breaches

 

12.1. The definition of personal data breach

 

A personal data breach means a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

Cases of personal data breach include, for example, loss of an official mobile telephone or any data carrier, storage of documents containing personal data in violation of the manner defined in the Document Management Policy; transfer of personal data through channels not classified as safe, attacks against its various servers, hacking of websites.

 

12.2. Management of personal data breaches

 

The prevention, control of personal data breaches and compliance with the relevant legal requirements shall be the responsibility of the Hungarian Investment Promotion Agency.

 

The Hungarian Investment Promotion Agency shall log accesses and access attempts on the IT systems and analyse these as necessary.

 

If employees of the Hungarian Investment Promotion Agency authorized for control notice a personal data breach while performing their duties, they shall notify the president of the Hungarian Investment Promotion Agency immediately.

 

The employees of the Hungarian Investment Promotion Agency shall report to the data protection Officer of the Hungarian Investment Promotion Agency if they notice a personal data breach or any event implying a personal data breach. The personal data breach may be reported on the central email address, phone number of the Hungarian Investment Promotion Agency.

 

Whenever a personal data breach has been reported, the data protection Officer of the Hungarian Investment Promotion Agency shall immediately investigate the report, in which the breach shall be identified, and it shall be decided whether there was an actual breach or a false alarm. The following shall be investigated and identified:

  • the time and place where the breach occurred,
  • the description, circumstances and effects of the breach,
  • the scope and number of data that were compromised by the breach,
  • the scope of persons affected by the compromised data,
  • a description of the actions taken in order to control the breach,
  • a description of the actions taken in order to prevent, control, mitigate the damage.

 

Whenever a personal data breach occurs, the Hungarian Investment Promotion Agency shall accurately identify the affected systems, persons, data, furthermore, it shall separate and arrange for the collection and retention of evidence confirming the occurrence of the data breach. Once the above actions have been completed, the Hungarian Investment Promotion Agency shall start recovery from damages and the restoration of legitimate operation.

 

12.3. Keeping records of personal data breaches

 

The Hungarian Investment Promotion Agency shall keep records of personal data breaches, which shall include:

 

a)     the scope of the relevant personal data;

b)     the scope and number of persons affected by the personal data breach;

c)     the date and time of the personal data breach;

d)     the circumstances and effects of the personal data breach;

e)     actions taken in order to control the personal data breach;

f)      any other data defined in the rule of law requiring data processing.

 

The Hungarian Investment Promotion Agency shall retain the data applying to the personal data breaches included in the records for a period of 5 years. 

 

 

13. Maintenance of data protection records

 

Pursuant to the General Data Protection Regulation, the Hungarian Investment Promotion Agency keeps the following records:

  • Records of data control and data processing activities,
  • Records of personal data breaches.

 

The data protection officer updates the data protection records on a daily basis. He/she shall update the records within 3 workdays.

 

14. The rights of the data subjects concerning data control

 

14.1. The right to requesting information

 

Data subjects may request information in writing through the contact details specified in section 1 from the Hungarian Investment Promotion Agency, concerning the following data processing activities of the Hungarian Investment Promotion Agency

  • what personal data of his/hers are controlled,
  • on what legal basis,
  • for what purpose of data control,
  • from which source,
  • for what period,
  • to whom, when, for what reason and to which personal was access granted, or to where his/her personal data transferred.

 

The Hungarian Investment Promotion Agency shall comply with the request for information within the shortest possible time, but in any case within 30 days, on one of the contact details provided by the data subject.

 

14.2. Right to rectification

 

Data subjects may request in writing, on the contact details provided in section 1, that the Hungarian Investment Promotion Agency should modify any of their personal details (for example, they may change their email address at any time). The Hungarian Investment Promotion Agency shall comply with the request for modification within the shortest possible time, but in any case within 30 days, about which it shall notify the data subject on one of the contact details provided by him/her.

 

14.3. Right to erasure

 

Data subjects may request from the Hungarian Investment Promotion Agency the erasure of their processed personal data, through the contact details provided in section 1.

 

If the Hungarian Investment Promotion Agency is not permitted to erase the personal data processed by it owing to a legally prescribed obligation, then the request for erasure shall be rejected pursuant to the legislative regulation in force. If there is no impediment to the Hungarian Investment Promotion Agency erasing the personal data, then the Hungarian Investment Promotion Agency shall accept the request for data erasure and the personal data shall be permanently erased within 30 days following the date when the Hungarian Investment Promotion Agency received the request, about which the data subject shall be notified in writing.

 

14.4. Right to restrict (block) the processing of personal data

 

Data subjects may request in writing, on the contact details provided in section 1, that the Hungarian Investment Promotion Agency should block their personal data. Blocking shall last as long as the cause specified by the data subject necessitates it.

 

The data subject may request the blocking of his/her data for example, if he/she believes that the Hungarian Investment Promotion Agency has processed any of his/her personal data illegally, however, it is necessary in the interest of an authority or court procedure initiated by the data subject that his/her personal data shall not be erased. In such cases the Hungarian Investment Promotion Agency shall store the personal data (or the documents containing them) until the receipt of the request note or the decision of the competent authority or court, then it shall erase the data.

 

14.5. Right to object

 

Any data subject is entitled to object, through the contact details specified in section 1, in writing against the processing of his/her personal data, if he/she is of the opinion that his/her personal data would be transferred, used by the Hungarian Investment Promotion Agency for purposes other than those defined in this Data Processing Guide, without his/her prior approval. Therefore, for example, any data subject may object to the use of his/her personal data for direct business development or direct marketing without his/her approval. The data subject may also object to data processing if data processing by the Hungarian Investment Promotion Agency is necessary for implementing the legitimate interests of the Hungarian Investment Promotion Agency, with the exception of data processing based on statutory mandate.

 

15. The opportunity of legal enforcement related to data processing

 

In addition to the enforcement of the rights specified in section 14, the data subjects have the following remedies.

 

15.1. Launch of a court procedure

 

In the case of violations detected related to the exercise of the rights of the data subject or when the data of the data subject are processed, he/she may initiate a civil lawsuit against the Hungarian Investment Promotion Agency. These lawsuits shall be adjudicated by the competent tribunal. The procedure may be initiated at a tribunal having jurisdiction for the location or place of residence of the data subject. The court shall take priority action in such cases. If a violation has been determined, then the data subject may claim compensation and tort, furthermore, the court may mandate the Hungarian Investment Promotion Agency to enable the exercise of the relevant rights.

 

See the following links for further information and for the contact details of the tribunal's:

http://birosag.hu/torvenyszekek

 

15.2. Lodging a complaint with the supervisory authority

 

If the data subject suffers an injury concerning the processing of personal data, then he/she may referred the matter to the National Data Protection and Freedom of Information Authority on any of the following contact details.

 

E-mail: [email protected]

Telephone: +36 1 391 1400

Postal address: 1530 Budapest, Pf.: 5.

Website: www.naih.hu