Data Processing Guide
- Mollia Zrt. -
Mollia Zrt. (hereinafter: Data Controller; Our Company) considers the protection of personal data important and attaches great importance to it in its business relationships.
Our company respects the confidentiality of personal data and always observes the data protection legislation, in particular the GDPR [on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (General Data Protection Regulation), Regulation (EU) 2016/679 of the European Parliament and of the Council] and this Data Processing Guide (hereinafter Guide).
The purpose of this Guide is to set out the principles, aims and other facts of data processing in accordance with the relevant legal provisions, which determine the aim, duration and way of processing the personal data provided by you, and the legal enforcement and remedy options that you have in relation to data processing.
2./ Definition of concepts used in this Guide
The following is a summary of the key concepts used in this Guide.
- Personal data: shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; Your e-mail address, telephone number, home address, for example, qualify as personal data.
- Data processing: regardless of the process used, any operation or set of operations on the data, in particular the collection, registration, recording, systematisation, storage, modification, utilization, query, transmission, forwarding, coordination or linking, blocking, erasure and destruction of the data, and preventing further use thereof.
- Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Mollia Zrt. qualifies as a data controller.
- Data processing: any activity involving personal data in connection with data processing operations carried out on behalf of the Data Controller, regardless of the method and means used to perform the operations and the place of application, provided that the activity is performed on the data.
- Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller qualifies as a data processor.
- Data Subject: a natural person identified or identifiable according to any information.
- Web site: mollia.hu, the website operated by the Data Controller.
- Grt.: Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity.
- Szt.: Act C of 2000 on Accounting.
3./ The Data Controller
Company name: Mollia Private Company Limited by Shares
Registered office and mailing address: 2100 Gödöllő, Knézich Károly utca 35.
Registration number: 13-10-041669
Authority in charge of registration: Court of Registration of the Tribunal of Budapest Region
Web site: https://www.mollia.hu/index.php/en/
Name and contact details of the Data Controller’s representative:
Name: Ignác Siba, chief executive officer
Mail address: 2100 Gödöllő, Knézich Károly utca 35.
4./ Principles of data processing
The following is a summary of the data processing principles that the Data Controller fully applies throughout the term of data processing, in accordance with the provisions of Article 5 of the GDPR.
- Legality, fairness and transparency:
The Data Controller basically and in most cases collects and processes personal data obtained directly from the Data Subject. The processing of the personal data of the Data Subject is always lawful and fair and transparent for the Data Subject. The Data Controller makes the currently valid wording of the Guide publicly available and accessible continuously on the Website free of charge, without obligation. The Data Controller shall not process the supplied personal data for dishonest purposes or purposes other than those set out in this Guide and shall always act in accordance with the applicable legislation in the course of its data processing activities.
The Data Controller may process personal data only for the clear and lawful purposes indicated in the Guide. If the Data Controller intends to process the personal data already supplied for other purposes than specified above, the Data Controller shall inform the Data Subject fully and in advance (primarily by e-mail). In order to provide a complete overview of the individual data processing purposes, the Data Controller gives information in this Guide on the purpose, duration and legal basis of all personal data. The Data Controller applies these requirements as binding on itself.
- Storage limitation:
The Data Controller stores the personal data of the Data Subject in a form that enables the identification of the data subjects only for the time necessary for accomplishing the purpose of the processing of the personal data. For example, exclusively pursuant to GDPR Article 6 paragraph (1) clause (a), the Data Controller shall process personal data processed with the express and voluntary consent of the Data Subject until the Data Subject requests erasure, until the withdrawal of the consent.
- Data minimization:
It is the aim of the Data Controller to process only the most needed and relevant personal data in connection with its activities. In each case, these are data that are really needed for the given data processing. The Data Controller shall act in accordance with the provisions of this Guide if it shall request the Data Subject to provide further data in addition to the personal data listed in the Guide.
The aim of the Data Controller is to keep the personal data already recorded updated and accurate, and the Data Controller takes all reasonable measures to accomplish this aim. The Data Subject can also help with keeping the data accurate and up to date, by reporting changes in their data or rectifying the data provided.
- Principle of data protection, integrity and confidentiality:
The Data Controller gives priority to the protection of the personal data provided to it, therefore it takes all necessary and expected technical and other organizational steps and implements all processes adapted to the current state of technological development. The Data Controller basically stores the personal data provided to it digitally, while data taken, recorded on paper are stored also on paper. The Data Controller shall especially implement the following technical and organizational measures in order to prevent or eliminate personal data breaches:
- prevents unauthorized access to personal data, as well as unauthorized data entry, data modification, data erasure by passwords and encryption procedures;
- stores personal data processed on a paper basis in locked premises protected by alarm and monitored by camera, or in a lockable cabinet;
- uses only legitimate, continuously monitored software in its internal computer systems.
- Accountability: the data controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.
5./ Data processing aims, the procedure of data processing
The following is a summary of the cases (data processing aims) in which the Data Subject’s personal data are processed in practice.
If our Company enters into a contract or agreement with a natural person, we process his/her data provided in the contract.
Personal data: name, address, sole trader’s registration number (in case of sole traders), tax number.
Purpose of data processing: conclusion and fulfilment of a contract.
Legal basis of data processing: contract conclusion [Article 6 (1) (b) of the GDPR]
Duration of data processing: we store the data for 8 years from the termination of the contract (with regard to the limitation period according to the Civil Code, and also taking into account the retention period of 8 years pursuant to Article 169 (2) of the Accounting Law (Sztv.)).
Our company is obliged to retain the invoices generated in connection with its activities in accordance with the accounting and tax rules.
Personal data: name, address, tax number.
Purpose of data processing: administration related to issuing and receiving invoices.
Legal basis of data processing: Compliance with legal requirements. [Article 6 (1) (c) of the GDPR]
Term of data processing: We store accounting documents for 8 years, pursuant to Article 169 (2) of Sztv.
Contact persons for contractual purposes:
In many cases, the contract concluded by our Company also contains the personal data of the contact persons of the contracting party.
Personal data: name, e-mail, telephone number.
Purpose of data processing: maintenance of contact, in order to fulfill the contract.
Legal basis of data processing: legitimate interest. [Article 6 (1) (f) of the GDPR]
Duration of data processing: the duration of data processing is the same as the duration of the retention of the contract, given that they are inseparable, as these data constitute part of the contract. We store the data for 8 years from the termination of the contract.
It is the aim of the Data Controller to send information to the Data Subject through his/her e-mail contact from time to time, in accordance with the provisions of Article 6 of Grt.
Personal data: email address.
Legal basis for data processing: this data processing is based on the data subject’s express and voluntary consent [Article 6 (1) (a) of GDPR], which can be granted by clicking on “Subscribe” under the “Newsletter” menu item available on the web site.
Term of data processing: Pursuant to Article 6 (3) of Grt., the Data Controller is entitled to data processing until the Data Subject has withdrawn his/her consent.
The subscription may be cancelled by the Data Subject at any time, without restriction or giving grounds, free of charge.
If the Data Controller advertises an open job opportunity within the company, interested persons may apply for it by submitting their resume.
The purpose of data processing: to follow a job application, to hire an employee for the advertised job.
Personal data: The scope of the personal data processed is the data content of the submitted resume, which is determined at the discretion of the Data Subject. Minimum data: name, address, qualifications, language skills, telephone number, e-mail address.
Legal basis of data processing: data processing is based on the explicit and voluntary consent of the Data Subject [Article 6 (1) (a) of GDPR].
Duration of data processing: until the withdrawal of the data subject’s consent, but no later than the closing of the call for job applications.
Registration on the web site:
The web site offers the option of registration and browsing as a registered user.
Aim of data processing: registration on the Web site.
Personal data: e-mail address, name, username.
Legal basis for data processing: based on the explicit and voluntary consent of the data subject [Article 6 (1) (a) of GDPR].
Duration of data processing: until the cancellation of registration.
We use so-called cookies when someone browses our Web site. Cookies do not cause any harm to your computer. Cookies can have several functions, including, among others, the collection of information, memorizing user settings, giving the website owner an opportunity to learn about user habits, or, for example, certain cookies are necessary for the operation and functionality of the web site. You can manage your cookie settings at any time in your browser settings.
You can set the application of cookies (enabling/disabling) in your browser in the following way:
- Internet Explorer: https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies
- Microsoft Edge: https://support.microsoft.com/hu-hu/help/10607/microsoft-edge-view-delete-browser-history
- Firefox: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito
- Google Chrome: https://support.google.com/chrome/answer/95647?hl=hu&co=GENIE.Platform=Desktop
- Safari: https://support.apple.com/hu-hu/guide/safari/sfri11471/mac
- / General data processors
The Data Controller is entitled to deliver the documents generated in the course of its activities to its accountant.
The hosting provider performs data processing activities in connection with the Web site.
8./ Enforcement of rights and availability of remedies
In the following part we summarize those rights of the Data Subject that he/she may enforce against the Data Controller.
Rules for the exercise of the rights of the data subject:
The Data Controller shall provide the requested information without undue delay, but no later than within one month from the request for information. Where necessary, in consideration of the complexity of the application and the number of applications, this deadline may be extended by another period of two months. The Data Controller shall notify the Data Subject on the extension of the deadline, indicating the reasons of the delay, within one month following the receipt of the application.
If the Data Controller does not take action at the request of the Data Subject, the Data Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the Authority and seeking a judicial remedy.
If the Data Controller has reasonable doubts about the identity of the person submitting the request, it may also request the submission of additional information necessary to confirm his/her identity.
- Communication with the Data Controller:
- Right to access:
The Data Subject has the right to request feedback from the Data Controller at any time as to whether the processing of his/her personal data is in progress or, if data processing is in progress, the Data Subject has the right to access his/her personal data to the following extent.
The data processing related information provided by the Data Controller as part of access may contain especially the following:
- the purposes of the processing;
- the scope of processed data;
- the recipients of the data transmission;
- the expected duration of the data processing or, if it cannot be determined, the criteria for determining the duration;
- the rights exercisable by the Data Subject;
- the right to submit a complaint to the Authority;
- the source and legal basis of the information collected by the Data Controller.
The Data Subject is entitled to notify the Data Controller of any change in his/her personal data (by e-mail or regular mail, as provided above). The Data Controller shall implement the data change within 8 days from the receipt of the request. If the Data Subject fails to report the change in his/her personal data without delay, the Data Subject shall bear the consequences thereof. If the personal data provided are untrue and the Data Controller is in possession of the true personal data, the Data Controller will automatically rectify the personal data.
- Erasure of data:
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay, particularly where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws his or her consent to data processing, and there is no other legal basis for data processing (the withdrawal does not have any retroactive impact on the legitimacy of data processing);
- the Data Subject objects to the processing of data based on a legitimate interest;
- the personal data have been unlawfully processed by the Data Controller;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
The Data Controller is not obliged to erase the processed personal data even if the above circumstances apply, if data processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest;
- for statistical or archiving purposes or for scientific and historical research purposes, in so far as erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
- Objection to data processing:
The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on a legitimate interest. In this case the Controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
- Right to restriction of processing:
The Data Subject shall have the right to obtain from the Controller restriction of processing where one of the following conditions applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing, pending the verification of whether the legitimate grounds of the Data Controller override those of the Data Subject.
Where processing has been restricted subject to the above provisions, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. If the restriction of data processing has been lifted, the Data Controller shall notify of this fact the Data Subject who requested the restriction.
- Right to data portability:
Based on consent of the Data Subject and in respect of personal data processed in order to fulfill the contract, the Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided the Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided. This right may be exercised only in respect of personal data processed on the basis of consent or the performance of a contract and processed digitally.
- Initiation of proceedings by the Authority:
The Data Subject may initiate an investigation with the Authority on the grounds that an impairment of a right has occurred or is imminent in connection with the processing of his or her personal data. The Authority’s investigation is free of charge, and the costs of the investigation are advanced and borne by the Authority. No one shall be disadvantaged as a result of submitting a report to the Authority. The identity of the reporting person may be disclosed by the Authority only if the investigation would not be possible without such disclosure. If the reporting person so requests, the Authority shall not disclose his/her identity, even if the investigation cannot be carried out without such disclosure.
- Enforcement of rights before a court:
In case of violation of the rights of the Data Subject, the Data Controller may refer the case to a court; the adjudication of the case falls within the jurisdiction of the court. As a main rule, the lawsuit will be conducted by the court having jurisdiction for the registered seat of the Data Controller, but it may also be initiated before the court having jurisdiction for the place of residence or habitual location of the Data Subject, as the Data Subject chooses. The jurisdiction of the court may be verified by the “Court Locator” application available on www.birosag.hu. The court will treat the case as a priority.
- Compensation and solatium:
If the Data Controller should, by the unlawful processing of the personal data of the Data Subject or by violating the requirements of data security:
- cause damage to the Data Subject or someone else, it is obliged to pay compensation (damage compensation);
- violate the Data Subject’s privacy, the Data Subject may claim solatium from the Data Controller.
The Data Controller shall be released from liability for the damage caused and the obligation to pay solatium if it proves that the damage or the violation of the privacy of the Data Subject was the result of insurmountable causes falling outside the scope of data processing. There is no obligation to compensate the damage and no solatium may be claimed if the damage or the impairment caused by the breach of privacy derived from the intentional or grossly negligent conduct of the Data Subject (aggrieved party).
9./ Data security
We ensure the security of data processing, and for this purpose we take the necessary and appropriate technical and organizational measures. We ensure the confidentiality (e.g. disclosure, unauthorized access), integrity (change, modification, erasure) and availability (accessibility, recoverability) of personal data.
We meet the above requirements by the following arrangements, among others:
- by applying the proper hardware and software tools, we ensure that no unauthorized persons may have access to the tools used for data processing (hereinafter: data processing system);
- we store the electronic data in a closed, password-protected information system;
- we have introduced special arrangements for the storage of sensitive/special data;
- we prevent the unauthorized reading, copying, modification or removal of data media,
- we prevent any unauthorized recording of personal data in the data processing system or any unauthorized access, modification or erasure of the personal data stored in the system, furthermore, any use of the data processing systems by unauthorized persons, by using data transmission devices,
- by issuing internal Guides and instructions, we ensure the confidentiality of data: our personnel are required to use the data disclosed to them only and exclusively for the aim of data processing and only to the necessary extent, in such a manner that no person who does not need to process the data for their work assignments shall access the data; and the persons authorized for using the data processing system shall have access only to the personal data defined in their access authorization,
- we ensure that it is possible to verify and identify the recipients to which personal data have been or may be transmitted or made available using data transmission appliances,
- we ensure that it is possible to verify and identify retroactively which personal data were entered into the data processing system, by whom and at what time,
- we ensure that whenever data are forwarded or data media are transported, no unauthorized person shall be able to access, copy, modify, erase the data,
- we only forward personal data in possession of the proper legal basis;
- we process personal data only for the time necessary;
- we ensure that in the case of a malfunction the data processing system can be restored, we provide the opportunity of recovering the data files (data backup), we protect the data against viruses; the data media are physically protected;
- the level of IT compliance is regularly reviewed and, if necessary, improved.
The Data Controller reserves the right to amend the Guide at any time unilaterally.
This Guide is available on the web site of mollia.hu.
Budapest, 7 May 2020