GDPR
DATA PROTECTION AND DATA PROCESSING POLICY
of MPF Group
APPROVED BY
all companies in the MPF Group upon the resolution No. 2018. (V.24.) of the founders / members.
Introduction
As the controller, the MPF Group declares that all data processing concerning the personal data of its customers and partners is in compliance with the provisions of this Policy and with the national and EU regulations in effect. The MPF Group is committed to the protection of the personal data of its customers and partners and expressly believes in the importance of respecting the right to informational self-determination of its customers and partners.
The MPF Group keeps all personal data confidential and takes all security, technical and organizational measures that guarantee the security of personal data.
This policy includes all significant data processing procedures concerning the personal data of customers and partners.
Companies in the MPF Group:
- MPF Meta Logisztikai és Kereskedelmi Zártkörűen Működő Részvénytársaság (registered office: 1137 Budapest, Szent István park 5, Trade Registry Number: 01-10-045556)
- MP WIDENTA Korlátolt Felelősségű Társaság (registered office: 1137 Budapest, Szent István park 5, Trade Registry Number: 01-09-880194)
- MPF-FÉG Kft. (registered office: 1137 Budapest, Szent István park 5, Trade Registry Number: 01-09-190506)
I. Scope of this policy
This policy covers the companies in the MPF Group who act as the controllers, all of their organizational units and all of their employees (hereinafter referred to as controller).
II. Purpose of this policy
The purpose of this policy is to ensure the realisation of protection of personal data, the realisation of rights of informational self-determination pursuant to the fundamental law and the GDPR and to establish the governing data protection and data security rules applicable for processing of personal data processed by the controller.
The data processing of MPF Group is based on voluntary consent. In certain cases, however, the processing, storage and transfer of personal data is required by law, of which requirement we inform our clients.
We draw the attention of those who disclose data to the MPF Group to the fact that, if the personal data they disclose are not their own, they shall obtain the consent of the data subjects at their own responsibility.
III. Governing law
During processing the controller shall act in compliance with the requirements of the following legislations pursuant to the provisions of this policy:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as GDPR)
- Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter referred to as Infotv.)
- Act V of 2013 on the Civil Code (hereinafter referred to as Ptk.)
- Act I of 2012 on the Labour Code (hereinafter referred to as Mt.)
- Act XIX of 1998 on the Criminal Proceedings (hereinafter referred to as Be.)
- Act C of 2000 on Accounting
- Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter referred to as Eker. tv.)
IV. Definitions
Among the definitions specified in the GDPR the following terms shall be highlighted with respect to this policy:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
8. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
9. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
10. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
11. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
12. ‘enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
13. ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
14. ‘term of processing’ means that personal data are stored until the withdrawal thereof, until the request for erasure by the data subject or for 8 years after the issuance of the invoice based on the customer number pursuant to Paragraph (2) § 169 of Számv. tv.
15. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
a) the controller or processor is established on the territory of the Member State of that supervisory authority;
b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
c) a complaint has been lodged with that supervisory authority;
V. Principles of processing
1. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).
2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).
3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation). Pursuant to this the controller does not collect and store data other than the necessary data for the realisation of the purpose of processing.
4. Processing shall be accurate and up to date. The controller shall take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed with respect to the obligation to storage required by law (storage limitation).
6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
7. The controller shall be responsible for, and be able to demonstrate compliance with the principles specified above (accountability). Therefore the controller ensures the continuous enforcement of this internal policy, the continuous supervision of processing and where it is necessary the modification and amendment of the processing procedures.
VI. Legal basis for processing
1. Processing shall be lawful only if and to the extent that at least one of the legal bases specified in Sections VI. 2-5 applies:
2. The data subject has given consent to the processing of his or her personal data for one or more specific purposes (hereinafter referred to as processing based on consent).
3. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (hereinafter referred to as processing based on contract).
4. Processing is necessary for compliance with a legal obligation to which the controller is subject (hereinafter referred to as processing based on legal obligation).
5. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (hereinafter referred to as processing based on legitimate interests).
6. The controller processes a category of personal data based only on one legal basis. The legal basis for processing may change during the processing.
VII. Rights of the data subject and the enforcement thereof
The controller ensures the following for the data subjects in compliance with the provisions of the GDPR.
1. Rights of information
The data subject shall have the rights of information with respect to all legal bases for processing.
The controller provides any information to the data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means.
2. Providing information upon the request of the data subject
When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
The controller shall provide information to the data subject on action taken on a request of the data subject in connection with the rights of the data subject without undue delay and in any event within 30 days of receipt of the request.
That 30-day period may be extended by 60 further days where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within 30 days of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
The information and action shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
3. Compulsory provision of information
3.1 Where personal data relating to a data subject are collected directly from the data subject (especially including clients), the controller shall provide the data subject with all of the following information:
a) the identity and the contact details of the controller and of the controller's representative;
b) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
c) where the processing is based on legitimate interests, the legitimate interests pursued by the controller or by a third party;
d) the recipients or categories of recipients of the personal data, if any;
3.2 The controller shall, at the time when personal data are first obtained, provide the data subject with the following further information:
a) the period for which the personal data will be stored;
b) the existence of the right to request from the controller access to and rectification of personal data, or, in the event of processing in relation to certain legitimate interests, the erasure of personal data or restriction of processing concerning the data subject, or, in the event of processing in relation to certain legitimate interests, to object to processing, as well as the right to data portability;
c) where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority (Hungarian National Authority for Data Protection and Freedom of Information, hereinafter referred to as Authority or NAIH);
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
3.3 Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in Section 3.2.
3.4 The controller shall comply with the obligation to provide information pursuant to the following. Information included in Section 3.2. shall be published on the website of the controller (under the title ‘Data protection and data processing policy’) in such a way that it is easy to be found and accessed by anyone.
4. Right of access
The data subject shall have the right of access with respect to all legal bases for processing.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
d) where possible, the envisaged period for which the personal data will be stored;
e) the existence of the right to request from the controller the rectification of personal data, or, in the event of processing in relation to certain legitimate interests, the erasure of personal data or restriction of processing concerning the data subject, or, in the event of processing in relation to certain legitimate interests, to object to processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data are not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide a copy of the personal data undergoing processing.
For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
5. Right to rectification
The data subject shall have the right to rectification with respect to all legal bases for processing.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
6. Right to erasure (right to be forgotten)
The data subject shall not automatically have the right to erasure (to be forgotten) in the event of all legal bases for processing.
The controller shall have the obligation to erase personal data concerning the data subject without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based (in the event of processing based on consent), and where there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing in the event of processing based on the legal basis pursuant to Section VI./5. (processing based on legitimate interests);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
The controller shall not fulfil the request of the data subject to erase the data if the processing is necessary for compliance with a legal obligation which requires processing by law to which the controller is subject.
If the controller receives a request for erasure, the controller shall examine whether the request for erasure has been sent by the data subject. In order to do so the controller may request data for the identification of the contract between the data subject and the controller (e.g. contract number, date of the contract), the identification number of the document issued by the controller to the data subject, the provision of personal identification data concerning the data subject which are kept by the controller (however, the controller shall not request such further data for identification concerning the data subject that the controller does not keep a record of).
If the controller is to comply with the request for erasure, it shall take every step to erase the personal data from any and all databases.
The controller prepares a record of the erasure to prove the occurrence of the erasure. The record is signed by the representative of the controller. The record of the erasure shall include the following:
a) the name of the data subject;
b) the category of the personal data that has been erased;
c) the time of the erasure.
The controller shall inform everyone to whom the personal data have been transferred of the obligation to erase such data.
7. Right to restriction of processing
7.1 The data subject shall have the right to restriction of processing with respect to all legal bases for processing.
7.2 The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to processing pursuant to processing under Section VI./5. (which is processing based on legitimate interests); in this case the restriction shall apply for the term while it is being established whether the legitimate grounds of the controller override those of the data subject.
7.3 Where processing has been restricted under the previous Section, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
7.4 The controller shall inform everyone to whom the personal data have been transferred of the obligation to restrict processing of such data.
8. Right to object
The data subject shall have the right to object in the event of processing based on legitimate interests (legal basis for processing).
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
9. Right to data portability
The data subject shall have the right to receive the personal data concerning him or her in the event of processing based on consent or processing based on contract if the processing is carried out by automated means.
The controller ensures that the data subject receives the personal data concerning him or her that have been provided to the controller by the data subject and the data subject has the right to transmit those data to another controller.
VIII. Records of processing activities
1. The controller maintains the records of processing activities as a result of the accountability principle in order to be able to record and verify compliance with the GDPR.
2. The controller shall maintain a record of processing activities under its responsibility. That record shall contain at least the following information:
a) records of data transfer;
b) requests for exercising the rights of the data subject and the records of responses thereto by the controller;
c) requests by authorities and the records of responses thereto by the controller;
d) records of requests for termination of processing;
e) record of clients;
f) records of marketing requests;
g) records of processing personal data in relation to employment;
h) records of recruiting workforce;
i) records of data breaches.
3. The controller shall maintain a record of processing activities specified in Section VIII/2. under its responsibility. That record shall contain the following information:
a) the name and contact details of the controller and the controller's representative;
b) the purposes of the processing;
c) a description of the categories of data subjects and of the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed;
e) the envisaged time limits for erasure of the different categories of data;
f) a general description of the technical and organisational security measures.
4. The controller shall maintain the records in writing, in electronic form.
IX. Security of personal data
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 of the GDPR or an approved certification mechanism as referred to in Article 42 of the GDPR may be used as an element by which to demonstrate compliance with the requirements set out in Section IX/1. of this policy.
4. The controller shall take steps to ensure that any natural person acting under the authority of the controller who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
5. In order to realise the security of personal data the controller uses physical, logical and administrative controls together.
6. The controller uses the following physical controls:
a) the controller prevents the entry of unauthorised persons to the building/offices of the controller by an access control system that is capable of preventing the entry of unauthorised persons;
b) the controller ensures that no unauthorised persons can physically access the data processed by the controller in order to avoid the unauthorised access to the data processed by the controller electronically and in written form.
7. The controller uses the following logical controls: the controller ensures that only authorised persons can access the data processed by the controller.
8. The controller uses the following administrative controls:
a) the controller ensures that any access to the personal data can be traced in the documentation (logging of activities);
b) the controller ensures the establishment of such document management procedure by which the mistakenly provided documents containing personal data are identified as soon as possible and are known to the fewest possible persons.
X. Personal data breaches
1. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
2. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
3. The controller is not required to notify the personal data breach to the authority if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
4. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification.
5. If the personal data breach is to be notified to the authority, the notification shall:
a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b) communicate the name and contact details of the contact person providing information;
c) describe the likely consequences of the personal data breach;
d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
7. The communication pursuant to Section X/6. shall describe the nature of the personal data breach in clear and plain language, and shall:
a) communicate the name and contact details of the contact person providing information;
b) describe the likely consequences of the personal data breach;
c) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8. The communication to the data subject shall not be required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
XI. Processing the personal data of clients
1. An interest balancing test shall be conducted pursuant to the provisions of the GDPR:
a) subject of the processing
b) establishment of the legitimate interests as a legal basis
c) personal data that are processed
d) the purpose of the processing
e) naming the legitimate interest of the controller
f) which rights of the data subjects can be infringed
g) interest balancing test
h) what measures and safeguards are used by the controller in order to adequately protect the personal data collected this way.
2. The interest balancing test(s) concerning the personal data being processed is/are attached hereto as an annex hereof.
XII. Processing data in relation to employment
1. The controller includes the provisions of Sections VII./3.1. and 3.2. regarding job applications in the ‘Data protection and data processing policy’ pursuant to VII./3.4. The controller shall refer to the ‘Data protection and data processing policy’ by indicating its availability in the job advertisement.
2. If the controller wishes to store the documents provided by the applicant after the position is filled, the controller shall obtain the consent of the applicant. The consent shall be voluntary, clear and explicit and it shall be based on receipt of adequate information. Therefore the declaration of consent shall at least include the following:
a) the identity and the contact details of the controller's representative;
b) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (based on consent);
c) the period for which the personal data will be stored;
d) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject;
e) the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
f) the right to lodge a complaint with a supervisory authority.
3. After the evaluation of the applications, the data carriers containing the personal data of the unsuccessful applicants shall be returned within 90 days - upon request - or they shall be destroyed if the consent of the applicants is not obtained for the use of such personal data for further applications. A record of the destruction (erasure) shall be prepared.
4. The controller processes the data of the employees pursuant to Mt. and the controller shall inform them pursuant to the manner specified in Mt. and complying with the principles for processing specified in the GDPR.
5. The controller informs the employees on the processors employed by the controller, their identity and the category of personal data that has been transferred to such processors.
6. During processing with respect to employment typically the following legal bases occur:
a) based on employment contract
b) based on legal obligation
c) based on legitimate interests.
7. If the controller processes data based on Section XII/6. c) the following interest balancing test shall be conducted pursuant to the provisions of the GDPR:
a) naming the legitimate interest of the controller
b) who are the data subjects and which rights are infringed
c) interest balancing test
d) what measures and safeguards are used by the controller in order to adequately protect the personal data collected this way.
8. The interest balancing tests conducted with regard to the categories of personal data shall be accessible by the employees.
XIII. Provisions for giving effect and final provisions
- This ‘Data protection and data processing policy’ shall take effect on 25 May 2018 upon the resolution No. 2018. (V.24.) of the founders passed by the companies in the MPF Group on 24 May 2018.