Data Privacy Statement
Data Privacy Statement of GÉPBÉR-SZÍNPAD SZOLGÁLTATÓ KORLÁTOLT FELELŐSSÉGŰ TÁRSASÁG on managing data of contractual partners
This Data Privacy Statement (hereinafter: „Statement”) provides information to the data subjects on data management carried out by GÉPBÉR-Színpad Kft. (Hereinafter: „Controller”) in connection with their contractual relationships, based on the Decree 2016/679 of the European Parliament and of the Council (EU) („GDPR” or „Decree”) , with particular reference to Article 13 and 14.
The principle of fair and transparent data management requires the data subject to be informed of the facts and purposes of the data management. Information relating to the management of personal data relating to the data subject shall be provided to the data subject at the time of collection or, where the data is collected from sources other than the data subject, within a reasonable period, taking the circumstances of the case into account. Where personal data may lawfully be communicated to another recipient, the data subject shall be informed about this upon the first communication to the recipient. If the controller is unable to provide the data subject with information on the origin of the personal data as they come from different sources, general information should be provided.
1. The Controller and their Contact Details
- Company name of the Controller: GÉPBÉR-Színpad Szolgáltató Korlátolt Felelősségű Társaság
- Registered address / postal address: H-6000 Kecskemét, Izsáki út 8.
- Registered number: 03-09-125536
- Tax identification number: 24184100203
- E-mail address: firstname.lastname@example.org
- Telephone: +36 70 511 4701
- Home page: https://www.gepberszinpad.com/
The current effective data of the Company can be found in the documents creating a legal relationship (e.g. offer, contract) or available in the free and public register at www.e-cegjegyzek.hu after entering the Company's name or other identification data (registered number, tax number).
If you wish to obtain further information about the Company's data management or would like to exercise your rights under this Statement, you may do so in writing at the above contact details.
2. Management of the Data of the Data Subject
2.1. Data subjects
The Data Controller may manage the personal data of the following natural persons [„Data Subject (s)”] when managing data relating to its contractual partners:
- contractual partner (private parties, independent entrepreneurs);
- legal representative, employee, contact person, designee, other performance assistant (e.g. Sub-contractor, employee, temporary agency worker) of a contractual partner (company, organization) (partner);
- in the case of a partner using service, the employee taking personal responsibility for the subject of the service, other entitled person (e.g. user of a rented car);
- recipient of a newsletter;
- Person participating in a promotion.
Detailed information on each type of Stakeholders can be found in Annex 1 of the Statement.
2.2. Access to personal data, types of personal data managed
The managed personal data are provided by
- the Data Subject themselves, or
- the partner
to the Data Controller via the document on which the legal relationship is based or issued during the creation of the legal relationship (contract, statement of consent, etc.).
The Data Controller also collects personal data through information obtained from authentic and public databases operated by the courts, the National Tax and Customs Office (NAV) or other state organizations, in accordance with the objectives and legal basis set out in Annex 2.
The types of personal data processed in relation to the Data Subjects are detailed in Annex 2 of the Statement.
2.3. Individual data management purposes and legal bases
2.3.1. Performance of the contract
The processing of personal data is necessary in order to fulfil the contractual obligations of the Data Controller.
The detailed terms and conditions for the provision of services under the contract are set out in the contract governing the given legal relationship and its annexes.
The duration of this data management is the same as the duration of the contract.
Given that without the provision of the above mentioned personal data (data provision), the Data Controller or the Partner will not be able to fulfil its contractual obligations, the Partner or the Data Subject shall be obliged to personally provide the personal data to the Data Controller. Failure to provide the data may result in the performance of the Contract being impossible and the Data Controller becoming entitled to withdraw from the contract.
If the legal basis for the specific data management is the performance of the contract, the Data Controller shall also manage the data of the Data Subject after the termination of the contract, in order to present, enforce and protect the legal claims arising from the Contract.
The Data Controller shall retain the personal data of the Data Subject not already deleted for five years following the failure of the contract or the termination of the contract, in accordance with the general statute of limitations of Act V of 2013 on the Civil Code. In the case of certain special-purpose contracts (e.g. construction-installation contracts, public procurement contracts), this period may be longer than 5 years by a provision of the contract or a law.
The Data Controller also used to manage and still partially manages personal data on the basis of the contracts concluded before the entry into force of the Decree (25 May 2018) on the legal basis detailed in this section. However, according to the Decree, the obligation to provide information on the fact of data management is not required if the provision of information to the Data Subject proves impossible or would require a disproportionate effort on the part of the Data Controller. Taking this into consideration, the Data Controller shall inform the Data Subject about the fact of data management with a legal basis originating from before the entry into force of the Decree, due to its many aspects, not by personal request, but by publishing this Statement on its website.
2.3.2. Fulfilment of a legal obligation
The Data Controller may also manage the personal data of the Data Subject for the purpose of fulfilling legal obligations. The specific legal obligations are described in Annex 2 to the Statement.
Given that the data management under this section is a legal obligation of the Data Controller, the provision of personal data is mandatory, failure to provide the data may result in the performance of the Contract being impossible and the Data Controller becoming entitled to withdraw from the contract, or the Data Controller may refuse to perform the Contract.
2.3.3. Legitimate interest of the Data Controller and / or a third party
The Data Controller may also manage the personal data of the Data Subject based on legitimate interests. If data management is based on this legal basis, the Data Controller shall, before commencing the data management, determine the necessary and proportionate level of data management in the interest weighing test.
Given that the processing of data under this section is in the legitimate interest of the Data Controller or a third party, the provision of personal data is mandatory, and failure to provide such data may result in the Data Controller's refusal to enter into or perform the contract.
2.3.4. Voluntary contribution of the Data Subject
The processing of personal data is subject to the consent of the Data Subject (freely given, specific, informed and unambiguous declaration of their will). Consent may be given by the Data Subject
- separately from other statements in the contract for the provision of the service, or
- in a separate statement.
Providing consent is voluntary, and the Data Subject has the right to withdraw their consent at any time, without limitation, by sending a notice addressed to the Data Controller. The Data Subject may send the notice to any of the contact addresses detailed in Article 1 of the Statement. In the notification, the Data Subject must indicate in an identifiable manner to what data management they wish to withdraw their consent.
If the personal data of the Data Subject is being managed for the purposes of promotional or other games of chance, the Data Controller shall inform the Data Subjects about the data management related to it in a separate form of communication.
Withdrawal of the consent will have no consequences for the Data Subject. However, the withdrawal of consent shall not affect the lawfulness of the data management executed on the basis of consent, carried out prior to the withdrawal.
3. Recipients of Personal Data
The Data Controller may transfer the Personal Data of the Data Subject to the following persons or organizations:
- to the organization responsible for the work safety, quality assurance and certification activities, entrusted by the Data Controller, which shall be considered as a joint controller with the Data Controller in respect of the personal data provided in this circle. If an organization entrusted with the task of work safety and quality assurance outsources this task to a third party, this third party shall be considered a data processor.
- to organization (s) providing back office services to the Data Controller (finance and accounting, HR, IT, legal department), who shall be considered data processors for the data transmitted.
- to the partner.
- on the basis of statutory provisions to the authority specified by the statute.
The Data Controller does not transfer personal data to any third country.
4. Rights of the Data Subject
4.1. Right to access
The Data subject has the right to receive feedback from the Data Controller whether their personal data is being managed, and, if such management is in progress, to have access to the personal data and the following information:
- the purposes of data management in relation to the specific personal data,
- The categories of the specific personal data,
- the categories of recipients to whom the personal data of the data subject have been or will be communicated, including in particular third country recipients; international organizations (in the case of transfers to third country recipients and international organizations, the Data Subject has the right to request information whether such transfers are carried out subject to appropriate safeguards),
- the intended period for which the specific personal data will be stored, or, if this is not possible, the criteria for determining this period,
- the rights of the data subject (right of rectification, erasure or limitation, right to data portability and right of objection against the management of such personal data),
- the right to submit a complaint to a supervisory authority,
- if the Data Controller has not obtained the data from the Data Subject, any available information available about the source,
- the fact of making an automated decision on the personal data concerned, including profiling; where such data processing is carried out, the information must include the logic used and the importance of such processing, and information on the expected consequences for the Data Subject.
Unless otherwise requested by the Data Subject, the information requested shall be provided in a widely used electronic format if the Data Subject has submitted the request electronically.
Prior to completing the request, the Data Controller may request the Data Subject to specify the content of the request, and to specify the requested information or data management activities.
If the Data Subject's right of access under this section adversely affects the rights and freedoms of others, in particular the business secrets or intellectual property of others, the Data Controller shall have the right to deny the Data Subject's request in the extent necessary and proportionate.
In the event that the Data Subject requests the above information in multiple copies, the Data Controller shall be entitled to charge a reasonable and proportionate fee for the administrative costs of producing the additional copies.
If the Personal Data indicated by the Data Subject are not managed by the Data Controller, they shall also inform the Data Subject about it in writing.
4.2. Right to rectification
The Data Subject has the right to request the rectification of personal data concerning them. In case the personal data concerning the Data Subject are incomplete, the Data Subject has the right to request the personal data to be completed.
In the exercise of the right to rectification/completion, the Data Subject shall indicate which pieces of data are inaccurate or incomplete, and shall also inform the Data Controller of the exact and complete data. In justified cases, the Data Controller shall have the right to ask the Data Subject to provide the completed data to the Data Controller in a proper way, in particular by an official document.
The Data subject shall rectify or complete the data without any undue delay.
The Data Controller shall promptly inform the persons to whom the Data Subject has communicated their personal data immediately following the completion of his or her request for their right to rectification, provided that this is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the Data Subject, the Data Controller will inform them of these recipients.
4.3. Right to deletion (“the right to forget”)
The Data Subject shall have the right to propose that the Data Controller delete their personal data (s) without undue delay if any of the following reasons exist:
- the personal data provided by the Data Subject are not required for the purpose for which they were collected or otherwise managed by the Data Controller,
- the Data Controller has processed the personal data (including sensitive data) on the basis of the Data Subject's consent, the Data Subject has withdrawn their consent in writing, and there is no other legal basis for the data processing,
- the Data Subject objects to data management based on the legitimate interest of the Data Controller, and there is no compelling legitimate reason for the Data Controller to take precedence over the interests, rights and freedoms of the Data Subject or related to the filing, enforcement or defence of legal claims,
- the Data Controller has unlawfully processed the personal data,
- the data managed by the Data Controller must be deleted in order to comply with any legal obligation under EU or national law applicable to the Data Controller,
- the Data subject objects to the data management, and there is no overriding reason for the data management.
The Data Subject shall submit a request for the deletion in writing, and shall indicate the reason for which the personal data are to be deleted.
If the Data Controller accepts the Data Subject's request for deletion, it shall delete the personal data managed from all of its records and shall inform the Data Subject accordingly.
In the event that the Data Controller is obliged to delete the Personal Data of the Data Subject, the Data Controller shall take all reasonable steps, including the use of technical measures, necessary to inform the Data Controllers who have the Personal Data of the Data Subject because of them having been disclosed of the obligatory deletion of the personal data. The Data Controller shall inform the other Data Controllers in its notice that the Data Subject has requested the deletion of links to the personal data of the Data Subject, or of a copy or a duplicate copy of such personal data.
The Data Controller shall promptly inform the persons to whom the Data Subject has communicated their personal data immediately after completing their request for the exercise of their right to deletion, provided that this is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the Data Subject, the Data Controller will inform them of these recipients.
The Data Controller shall not be obliged to delete personal data if such data processing is necessary for the following:
- the exercise of the right to freedom of expression and information,
- to comply with any obligation placed on the Data Controller under Hungarian or European Union law to manage personal data,
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,
- the pursuit of a general interest in the field of public health,
- for archiving in the public interest, for scientific and historical research or for statistical purposes, provided that the exercise of the Data Subject's right to forget is likely to render impossible or seriously compromise the processing of data,
for the filing, enforcement or defence of legal claims.
4.4. Right to restrict data management
The Data Subject is entitled to propose that the Data Controller restrict the handling and use of their personal data if any of the following reasons exist:
- the Data Subject disputes the accuracy of the personal data (in which case the restriction will continue until the Data Controller verifies the accuracy of the data),
- the Data Controller has unlawfully managed the personal data, but the Data Subject requests a restriction instead of a deletion,
- the purpose of the data management for the Data Controller has ceased to exist, but the Data Subject requires them for the purpose of submitting, asserting or defending legal claims,
- the Data Subject objects to data management based on the legitimate interest of the Data Controller, and there is no compelling legitimate reason for the Data Controller to take precedence over the interests, rights and freedoms of the Data Subject or related to the filing, enforcement or defence of legal claims; in this case, the restriction shall continue to apply until it is determined that the Data Controller's legitimate reasons take precedence over those of the Data Subject.
In case of a restriction, with the exception of storage, personal data may only be processed with the consent of the Data Subject or for the purpose of asserting, enforcing or defending legal claims, or protecting the rights of any other natural or legal person, or for important public interest purposes of the European Union or any member state of the European Union.
The Data Controller shall inform the Data subject in advance of the lifting of the restriction of data management.
The Data Controller shall promptly inform the persons to whom the Data Subject has communicated their personal data immediately after completing their request for the exercise of their right to restriction, provided that this is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the Data Subject, the Data Controller will inform them of these recipients.
4.5. Right to objection
If the management of the data of the Data Subject is based on a legitimate interest, an important guarantee provision is that the Data Subject shall be provided with appropriate information and the right to object in relation to the data management. This right must be expressly brought to the attention of the Data Subject at the latest at the time of the first communication.
Based on this, the Data subject has the right to object to the management of their personal data, in which case the Data Controller may not further manage the personal data of the Data Subject, unless it can be proved that:
- the data management carried out by the Data Controller is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the Data Subject, or
- the data management is related to the filing, validation or defence of the Data Controller's legal needs.
4.6. Right to data portability
The Data Controller informs the Data Subject that they may not exercise their right to data portability under Article 20 of the GDPR, as the Data Controller does not manage personal data in an automated manner.
4.7. Right to legal remedies
4.7.1. Right to complain
If the Data Subject considers that the management of personal data carried out by the Data Controller violates the prevailing data protection laws, in particular the GDPR, he has the right to submit a complaint to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Contact details of the National Authority for Data Protection and Freedom of Information:
- Home page: https://naih.hu/
- Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
- Postal address: H-1530 Budapest, Pf.: 5.
- Telephone: +36-1-391-1400
- Fax: +36-1-391-1410
- E-mail: email@example.com
The data subject has the right to file a complaint to a supervisory authority in another member state of the European Union, in particular in a member state different from the one of their habitual residence, place of work or the place of alleged infringements.
4.7.2. Right to apply to the courts (right of action)
Regardless of their right to complain, the Data Subject may apply to the courts if their personal data have been violated under the GDPR.
The Data Controller, as a data controller with a place of activity in Hungary, may be sued before a Hungarian court.
The Data Subject may also bring the case before the court at the place of their residence, according to the Act on Information Technology, Section 22, Paragraph (1). The contact details of the Hungarian courts can be found at the following link: http://birosag.hu/torvenyszekek.
Given that the Data Controller is not a public authority of any member state, acting by exercising its public authority rights, the Data Subject may also bring an action before the competent court having jurisdiction in the member state of their habitual residence, if the Data Subject’s habitual residence is in another member state of the European Union.
4.7.3. Other claim options
The Data Subject has the right to entrust a non-profit organization or association with filing a complaint on its behalf, reviewing the decision of the supervisory authority, bringing an action and enforcing their right to compensation; the non-profit organization or association has to be one that was established in accordance with the law of a member state of the European Union, and its statutory objectives are to serve the public interest and to protect the rights and freedoms of data subjects with regard to personal data.
5. Information Security
The Data Controller undertakes to ensure the security of the personal data and to take the technical measures to ensure that the personal data managed is protected from unauthorized access, destruction, alteration or use. Furthermore, it commits itself to inform any third party to whom personal data may be transmitted or communicated, in order to comply with its obligations in this regard.
6. Other Provisions
In the event that the Data Controller has a reasonable doubt as to the identity of the person making the request under sections 4.1 - 4.6 of the Statement, the Data Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.
The Data Controller reserves the right to modify the Statement at any time. The Data Controller shall publish the modified Statement on its website 8 days prior to the entry into force of the amendment.
* * *
Budapest, 24 May, 2018.