XIV. Other provisions

- The Data Controller's manager shall explain the provisions of this Policy to all employees of the Data Controller. 

- The Controller's manager shall ensure that all employees of the Controller comply with the provisions of this Policy. For the purpose of implementing this obligation, the Controller's administrator shall require that the employment contracts of the Controller's employees be amended to include a declaration of the employee's commitment to comply with and enforce this Policy.  

- The establishment and amendment of this Policy is the responsibility of the Data Controller's Chief Executive Officer. 

XV. Request, complaint, remedy

If any data subject has any questions or comments regarding the Data Controller's data management activities, he/she may submit his/her question/request/comment to the Data Controller at any of the contact details indicated in this Policy. Depending on the subject of the request, the Controller shall act in accordance with the provisions of these Rules.

You can lodge a complaint or seek redress from the following bodies:

National Authority for Data Protection and Freedom of Information Address: 1055 Budapest,

9-11 Falk Miksa Street. 

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

www: http://www.naih.hu

ail: ugyfelszolgalat@naih.hu

In case of violation of the rights of minors in relation to offensive, hateful, exclusionary content, rectification, rights of a deceased person, defamation of reputation:

National Media and Infocommunications Authority 1015 Budapest, Ostrom u. 23-25.

Mailing address: 1525. Pf. 75

Tel: (06 1) 457 7100

Fax: (06 1) 356 5520

E-mail: info@nmhh.hu

The data subject may take legal action if his or her rights are infringed. The court will rule on the case out of turn. It is the Data Controller's responsibility to prove that the processing complies with the law. The competent court has jurisdiction to rule on the case. In addition to the general rule of jurisdiction, the place of residence or habitual residence of the data subject shall be a ground for the jurisdiction of the court.

In the event that the Data Controller infringes the personal rights of the data subject by unlawful processing of the data subject's data or by breaching the requirements of data security, the data subject may claim damages or compensation from the Data Controller. 

XVI Annexes

Annex 1: "Information on data management on the websites operated by the Data Controller"

This Notice shall be deemed to be Annex 1 to the Data Controller's Policy ("General Data Protection Policy"). This Notice describes in detail the data processing activities of the Controller in relation to its website activities. This Notice shall be read in conjunction with and in accordance with the relevant Policy and its Annexes. For matters not covered by this Policy, the general provisions of the Policy and the specific provisions of its further annexes shall prevail.

 

1. Introduction

 

Name of the data controller: ODOL Consulting Kft.

Headquarters: 4032, Debrecen, Menyhárt József tér 5 fsz 1

Company registration number: 09-09-035656

Tax identification number: 32431438-2-09

Contact: +36 20 666 7170; info@reloflow.hu;

Name and contact details of the authorised representative: Ferenc Suhaj, Managing Director with independent right of representation (+36 20 666 7170; info@reloflow.hu)

 

Websites operated by the Data Controller:

·       www.reloflow.hu 

 

The scope of the processing covered by this Notice:

- processing of data relating to visitors to the Sites ("cookie"/customer data processing)

- newsletter service

- shopping on the website

- redeem vouchers purchased

- marketing

 

2. Processing of data relating to visitors to the Sites ("cookie"/customer data processing)

 

We use cookies to provide you with content, to analyse our website and for possible advertising purposes in order to provide you with a convenient browsing and shopping experience.

 

2.1. General information

- During the visits to the website of the Data Controller, one or more cookies/cookies are sent to the computer of the person visiting the website, through which his/her browser(s) will be identified, provided that the person visiting the website has given his/her explicit (active) consent to this in advance, after having been clearly and unambiguously informed, by his/her further browsing behaviour.

- A "cookie" is a small packet of information that the server sends to the browser, and the browser sends back to the server for each request directed to the server.

- Cookies are used solely to improve the user experience and automate the login process. The cookies used on the website do not store personally identifiable information.

- Cookies are short data files placed on the user's computer by the website visited. The purpose of the cookie is to make the given infocommunication or internet service easier and more convenient. There are several types, but they generally fall into two broad categories. One is the temporary cookie, which is placed on the user's device by the website only during a particular session (e.g. during the security identification of an online banking transaction), and the other is the persistent cookie (e.g. a website's language setting), which remains on the computer until the user deletes it. According to the European Commission's guidelines, cookies [unless strictly necessary for the use of the service] can only be placed on the user's device with the user's permission. 

- In the case of cookies that do not require the user's consent, information should be provided during the first visit to the website. It is not necessary for the full text of the cookie notice to appear on the website, but it is sufficient for website operators to briefly summarise the substance of the notice and provide a link to the full notice.

- In the case of cookies requiring consent, the information may also be linked to the first visit to the website, if the processing of data associated with the use of cookies starts as soon as the page is visited. Where the use of the cookie is linked to the use of a function explicitly requested by the user, the information may also be provided in relation to the use of that function. Even in this case, it is not necessary for the full text of the cookie notice to be displayed on the website, a brief summary of the substance of the notice and a link to the full notice.

 

2.2. Settings for cookies

- As described above, cookies may be stored by our company as Data Controller on the data subject's (website visitor's) device if this is strictly necessary for the functioning of the website. In all other cases, and for all other types of cookies, the prior explicit consent of the data subject is required for the use and storage of cookies. 

- The Data Controller uses several types of cookies. Some of the cookies are placed on the data subject's device by the Data Controller, others are placed on the data subject's device by data processors or third party service providers.

- The data subject can review his or her current cookies in relation to the website operated by the Data Controller that is currently being visited at any time via the relevant website under the "cookie policy" section and change the settings. Data Subjects T are informed that when reviewing the cookies, they will be given the opportunity to obtain information on the exact name of the cookies used, the purpose of the cookie and the storage period of the cookie.

- In addition, browsers typically offer the possibility for the data subject to change their cookie settings. Changing cookie settings in the browser is usually done via the {menu} {preferences} {privacy and security} {cookies}. 

 

2.3. Categorisation of used cookies

 

2.3.1. Essential cookies

 

The website used by the data subject cannot function properly without the essential cookies. Without these cookies, the data subject will not be able to use the website he or she has visited.

 

2.3.2. Preferential, preference cookies

 

Preferential cookies allow us to remember information that changes the way the website behaves or looks (e.g. language preference, region preference, etc.)

 

2.3.3. Statistical cookies

 

Through the collection and reporting of data in an anonymous form, statistical cookies help the Data Controller to understand, analyse and use the way visitors (data subjects) interact with the website they visit.

 

2.3.4. Cookies for marketing purposes

 

We use personalised marketing cookies to track visitors' website activity. The goal is to serve the most relevant ads to individual users, display content that is relevant to their preferences, and encourage them to be active.

 

2.3.5. Unclassified cookies

 

Unclassified cookies are cookies that are still under classification with individual cookie providers.

 

2.4. Request for information

If any data subject has any questions regarding the processing of cookies, he or she may request information via the contact details provided by the Data Controller.

 

3. Newsletter service

 

(1) The legal basis for data processing in the case of newsletter subscription is the voluntary consent of the data subject, which the data subject gives by ticking the box(es) next to the text "newsletter subscription" on the Controller's website after being informed about the processing of his or her data.

(2) The data subject in case of newsletter subscription: any natural person who subscribes to the newsletter of the Data Controller and gives his/her consent to the processing of his/her personal data.

(3) Data processed in the case of newsletter subscriptions: name, e-mail address.

(4) The purpose of data processing in the case of newsletter subscription: to inform the data subject about the services and products of the Data Controller, changes in them, to inform about news and events, to send economic advertising, to send e-mail messages/newsletters containing marketing enquiries.  

(5) The recipients of the data (who may know the data) in case of newsletter subscription: the Data Controller's manager, customer contact staff, data processor's staff performing the tasks related to the operation of the Data Controller's website. 

(6) Duration of data processing in the case of newsletter subscriptions: until consent is withdrawn and until unsubscription.

(7) The data subject may unsubscribe from the newsletter at any time. The unsubscription to the newsletter shall be made by clicking on the unsubscribe link in the footer of the e-mails sent to the data subject, by postal letter sent to the Data Controller's headquarters.

 

4. Shopping on a website

 

(1) The online sale of goods and services on the Company's website, the conclusion of contracts (purchases) by electronic means is subject to Act CVIII of 2001 (Eker tv.). Purchases on the website are not subject to registration. 

(2) The purposes of the processing in relation to purchases on the website: 

- the online sale of products 

- documenting the purchase and payment 

- identifying and contacting the customer

- the performance of contracts concluded online 

- invoicing and payment processing 

- detect suspicious transactions in online payments 

- proof of compliance with the legal obligation to provide information to consumers 

- proof of the conclusion of the contract 

- creating the contract, defining its content, amending it and monitoring its performance.

(4) In the case of purchases on the website, the legal basis for processing is the consent of the data subject, the performance of contractual and legal obligations and, in the case of fraudulent transactions, legitimate interest.

(5) The categories of data concerned by the processing are: the customer's full name, address, telephone number, e-mail address, login password, tax number, the products purchased, data related to payment transactions.  

(6) Categories of data subjects: any natural person who makes a purchase on the website of the Data Controller.

(7) The categories of data recipients are: the Data Controller's managing director; employees performing customer relations and sales-related tasks; employees of the data processor operating the Data Controller's websites; employees of the Data Controller performing accounting and invoicing tasks, data processors performing these tasks; and STRIPE PAYMENTS EUROPE LTD. (registered office: One Spencer Dock, North Wall Quay, Dublin1, VAT: IE3206488LH)

(8) Duration of processing: 

- until completion of the contract or, failing this, until 5 years after the conclusion of the contract

- if the Data Controller is obliged to retain the data under the Accounting Act, the Data Controller shall retain such data for 8 years after the purchase.

 

5. Redeeming vouchers purchased

 

(1) The Data Controller shall process the data of natural persons who have redeemed previously purchased vouchers under the voucher redemption menu on the website in connection with the performance of the contractual relationship. The data subject shall be informed of the processing of personal data and shall consent to the processing of his or her data by ticking the box.

(2) Data subjects: all natural persons who call upon the Data Controller to perform a contract by using the voucher redemption menu item.

(3) The legal basis for data processing is the performance of a contract, the purpose of data processing is to maintain contact, enforce claims arising from the contract, and ensure compliance with contractual obligations. 

(4) Recipients of personal data: the Data Controller's manager, employees of the Data Controller performing customer service and accounting tasks on the basis of their job function, data processors.

(5) Personal data processed: voucher code, full name, e-mail address, telephone number. 

(6) Duration of processing: 5 years from the termination of the contract.

 

6. Marketing

 

(1) The legal basis for the Data Controller's processing of data for marketing purposes is the data subject's consent, which is clear and explicit. The data subject shall give his or her unambiguous and explicit prior consent by ticking the box next to the text "consent to marketing enquiries" on the Controller's website, following the information on the processing of his or her data.

(2) The Data Controller may also process data for marketing purposes by sending you a newsletter and by using cookies for marketing purposes, the provisions of which are set out in Section 2 of this Policy.

(3) The data subject may also give his or her consent on paper by filling in a separate document.

(4) The data subject is any natural person who gives his or her unambiguous and explicit consent to the processing of his or her personal data by the Data Controller for marketing purposes. 

(5) The purposes of data processing are: maintaining contact; sending advertisements and offers related to the provision of services and the sale of products; sending notifications of promotions by electronic or postal means.

(6) The recipients of personal data are: the Data Controller's manager, employees performing customer service and marketing tasks on the basis of their job function and data processors performing tasks in this context, and the employees of the data processor performing tasks related to the operation of the Data Controller's website.

(7) Personal data processed: full name, address, telephone number, e-mail address.

(8) Duration of processing: until the processing of personal data for marketing purposes is withdrawn by the data subject.

 

7. Who has access to the personal data (recipients)

 

In general, in the case of the processing referred to in this Notice, access to personal data is limited to the persons authorised by the Data Controller. In this Notice, the Controller has indicated for each type of processing the persons to whom it may grant authorisation. This means that the previously designated persons may have access to the personal data for the performance of their tasks.

 

The Data Controller also uses the web analytics services of Google LLC, 1600 Amphitheatre Parkway Mountain View CA 94043, Google Analytics, Google Adwords, a data protection shield for the EU-U.S., and Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. 

 

Web analytics services also use cookies to help analyse the use of online interfaces. By providing specific and explicit consent to the use of online platforms, the data subject authorises Google Analytics and Google Adwords to transfer information generated by cookies about the use of the online platform to Google servers in the United States of America. The other cookies processed are stored on servers within the European Union. By providing specific consent on the website, the user consents to the collection and analysis of his/her data in the manner and for the purposes set out above. The above mentioned service providers use this information to evaluate and analyse the use of online interfaces by the data subject, to compile reports on the activities carried out on online interfaces and to provide other services related to the activities carried out on those interfaces and to the use of the Internet. However, it remains important to stress that the cookies used on the website do not store personally identifiable information.

 

8. Data transmission

 

In connection with the online sale and purchase of products via the website, as a data processing purpose, data relating to purchases made on the Internet will be transferred to STRIPE PAYMENTS EUROPE LTD. (registered office: One Spencer Dock, North Wall Quay, Dublin1, VAT: IE3206488LH) in order to enable the company to process online card transactions securely and in a traceable manner via its network. (This company has already been identified in paragraph 5(7) of this Notice.)

 

This company guarantees the security of your personal data and the transaction through its own website (secure payment gateway, secure card payment guarantee window) when you pay by card after purchase.

 

Data transmitted: full name, e-mail address, telephone number, address, billing address if different, IP address, additional data related to the payment transaction. 

 

The Data Controller does not process the data of the cardholder (e.g. its number and expiry date) in any form.

 

9. Final provisions

 

The provisions of the Code and its annexes shall apply to the data processing provisions not mentioned in this Notice, as stated at the beginning of this Notice. Thus, in particular, but not exclusively, the provisions of the Policy shall govern the rights of data subjects, data security measures and remedies.
 

Annex 2: "Information on data management in relation to the economic activities of the Data Controller" 

This Notice shall be deemed to be Annex 2 to the General Data Protection Regulation of the Controller ("General Data Protection Regulation"). This Notice describes in detail the processing of data relating to the economic activities of the Controller. It shall be read in conjunction with and in accordance with the relevant Policy and its Annexes. For matters not covered by this Notice, the general provisions of the Policy and the specific provisions of its further annexes shall prevail. 

 

1. Introduction

 

Name of the data controller: ODOL Consulting Kft.

Headquarters: 4032, Debrecen, Menyhárt József tér 5 fsz 1

Company registration number: 01 09 282683

Tax identification number: 32431438-2-09

Contact: +36 20 666 7170; info@reloflow.hu;

Name and contact details of the authorised representative: Ferenc Suhaj, Managing Director with independent right of representation (+36 20 666 7170; info@reloflow.hu)

 

The scope of the processing covered by this Notice:

- processing based on a legal obligation

- contacting

- performance of contracts.

 

We inform Data Subjects T. that the "specific" data processing related to the websites operated by the Data Controller are regulated in detail in a separate information notice, in Annex 1 of the Policy. This Policy sets out the detailed rules for the general processing of data in the course of the economic activities of the Controller.

 

2. Processing based on a legal obligation

 

2.1. Processing of data to fulfil accounting obligations

(1) The legal basis for the processing of the data of the Data Controller's natural person customers, buyers and suppliers is the fulfilment of legal obligations (Article 159 (1) of Act CXXVII of 2007), the purpose of the use of the data is to determine the mandatory data content of the invoice, issue the invoice, and perform related accounting tasks. 

(2) Data subjects: the Data Controller's natural person clients, customers, suppliers.

(3) The scope of the data processed: the names, addresses of the Data Controller's natural person customers, customers, suppliers, the serial number of the invoice issued.

(4) The following persons shall be entitled to access personal data: the manager or employee who issues the invoice as a job function, the manager or employee who performs the accounting function, or the contracted data processing partners performing such a function. The Data Controller is entitled to process personal data recorded in the course of the performance of the legal obligation referred to above for a period of 8 years from the termination of the contract (business relationship).

 

2.2. Data processing related to the fulfilment of tax and contribution obligations

(1) Pursuant to Article 50 (1) of Act CL of 2017 on the Rules of Taxation, the Data Controller shall submit monthly, by the twelfth day of the month following the month concerned, an electronic declaration of all taxes, contributions and/or data specified in paragraph (2) related to payments and benefits made to natural persons resulting in tax and/or social security obligations.

(2) Data subjects: the controller's manager, employees and their family members.

(3) Scope of the data processed: the Controller's manager, employees and their family members Art. 50 (2), highlighting the natural person's natural person identification data (including previous name and title), gender, nationality, tax identification number of the natural person, social security number. 

(4) Recipients: employees of the Data Controller performing accounting and payroll activities as part of their job duties, and data processors. 

(5) The Data Controller shall be entitled to process personal data recorded in the course of the performance of the legal obligation referred to above for a period of 8 years from the termination of the legal relationship.

 

3. Keeping in touch

 

3.1. Processing of data during requests for information, requests for proposals

(1) In connection with the services provided or products sold by the Data Controller, the Data Controller shall provide third parties with the opportunity to request information or to request offers.

(2) The legal basis for data processing is the consent of the data subject in the case of a request for information or a request for a proposal.

(3) In the case of a request for information or a request for a quotation, the data subject shall be any natural person who requests information or a quotation in connection with the services or products of the Data Controller and provides personal data.

(4) Data processed: name, address, telephone number, e-mail address, content of the request/question/offer.

(5) Purpose of processing in case of a request for information: identification, contact, response.

(6) The purpose of data processing in the case of a request for a proposal: to make a proposal, to maintain contact. 

(7) The recipients of the data (who may have access to the data) in the case of a request for information or a request for a quote: the Data Controller's manager, customer contact person.

(8) Duration of data processing In case of a request for information or an offer: until consent is withdrawn or 180 days after the provision of the information or the offer, the Data Controller shall delete the personal data.

 

3.2. Processing of contact details of natural person representatives of legal entity customers, buyers, suppliers

(1) The scope of personal data that may be processed: the name, address, telephone number, e-mail address, online identifier of the natural person.

(2) Purpose of processing personal data: performance of a contract with a legal entity partner of the Data Controller, business relations, 

(3) Legal basis for processing: consent of the data subject.

(4) Recipients or categories of recipients of personal data: employees of the Controller performing customer service tasks.

(5) Duration of the storage of personal data: 5 years after the business relationship or the data subject's capacity as a representative has been established.

 

4. Data processing activities related to the performance of the contract

 

(1) The Data Controller shall process the personal data of natural persons - customers, buyers, suppliers - contracting with it in the context of the contractual relationship. The data subject shall be informed of the processing of personal data. 

(2) Data subjects: all natural persons who enter into a contractual relationship with the Data Controller.

(3) The legal basis for data processing is the performance of a contract, the purpose of data processing is to maintain contact, enforce claims arising from the contract, and ensure compliance with contractual obligations. 

(4) Recipients of personal data: the Data Controller's manager, employees of the Data Controller performing customer service and accounting tasks on the basis of their job function, data processors.

(5) The personal data processed include: order data (order number, products ordered, price and total value of products), customer card number, name, address, delivery address, registered office, entrepreneur's ID number, farmer's ID number, total amount of the order, delivery method and cost, payment method, transaction code, payment made. 

(6) Duration of processing: 5 years from the termination of the contract.

 

5. Final provisions

 

The provisions of the Code and its annexes shall apply to the data processing provisions not mentioned in this Notice, as stated at the beginning of this Notice. Thus, in particular, but not exclusively, the provisions of the Policy shall govern the rights of data subjects, data security measures and remedies.
 

Annex 3: "Information on data processing in the context of employment law and employment relationships" 
 

This Notice shall be deemed to be Annex 3 to the General Data Protection Regulation of the Data Controller. This Notice describes in detail the employment law and related data processing. This Notice shall be read in conjunction with and in accordance with the relevant Policy and its annexes. For matters not covered by this Notice, the general provisions of the Rules and the specific provisions of the additional annexes thereto shall prevail. 

 

1. Introduction

 

Name of the data controller: ODOL Consulting Kft.

Headquarters: 1095 Budapest, Lechner Ödön fasor 1. Fsz. door 293.

Company registration number: 09-09-035656

Tax identification number: 32431438-2-09

Contact: https://reloflow.hu

Name and contact details of the authorised representative: Ferenc Suhaj, Managing Director with independent right of representation (+36 20 666 7170; sashalmi.attila@reloflow.hu)

 

The scope of the processing covered by this Notice:

- the controller prior to the establishment of the employment relationship

- processing during the employment relationship

 

2. Pre-employment processing

 

Data processing prior to the establishment of an employment relationship is carried out in the context of the pre-employment application procedure and the assessment of suitability for the job. 

 

2.1. Processing of data during the recruitment process 

(1) The legal basis for the processing of personal data in the context of a recruitment procedure is the consent of the data subject. 

(2) The purposes of data processing: evaluation of applications, conclusion of employment contracts.

(3) The data concerned by the processing: name, address, place of birth, date, education, professional qualifications, telephone number, e-mail address, photo, professional experience, other data contained in the application file sent by the applicant.

(4) The persons concerned are the natural persons applying for the job.

(5) Recipients of personal data: the employer, the employee(s) performing the human resources function, and, where applicable, the data processor acting on the instructions of the Data Controller and entrusted with the performance of the HR tasks. (In the event of the use of a data processor, the Data Controller shall inform the data subject in advance of the identity of the data processor.)

(6) Duration of data processing: after the selection of the employee, the purpose of data processing ceases to exist for the applicants who have not been selected, and therefore the personal data of the applicants shall be deleted immediately, unless the applicant has explicitly consented to the processing of his/her application file by the Data Controller in case of the subsequently proven unsuitability of the selected applicant or for the purposes of pre-selection for a new job opportunity. In the latter case, the period of data processing is set by the Controller at 1 year (12 months).

(7) The obligation to cancel the application shall also apply if the person concerned changes his or her mind or withdraws his or her application during the application process. The candidate must be informed of the result of the selection decision.

 

2.2. Processing of data during the assessment of suitability for the job 

(1) Pursuant to Article 10 (1) of the Labour Code, only two types of aptitude tests may be applied to employees: on the one hand, aptitude tests which are required by a rule on employment relationship, and on the other hand, tests which are not required by a rule on employment relationship, but which are necessary for the exercise of a right or the performance of an obligation specified in the rule on employment relationship.

(2) In both cases of the aptitude test, the (prospective) employees as the persons concerned shall be informed in detail, inter alia, about the skills and abilities to be assessed, the means and methods of the test. If the examination is required by law, employees should also be informed of the title of the law and the exact place of the law. 

(3) Legal basis for processing: legitimate interest of the employer.

(4) Purpose of data processing: to determine suitability for a job, to establish an employment relationship.

(5) The persons entitled to process personal data in relation to the test result are the examiner and the person tested. The employer may only receive information on whether or not the person examined is suitable for the job and on the conditions under which the person is suitable for the job. However, the employer cannot know the details of the examination or its full documentation.

(6) Duration of the processing of personal data relating to the aptitude test: 3 years after the termination of the employment relationship.

 

3. Data processing during the employment relationship

 

3.1. Data processing in the framework of the employment register

(1) The Data Controller shall process the personal data of the employees named below, processed in the employment records, on the basis of the employer's legitimate interest, the performance of a legal obligation, the performance of a contract. The Data Controller shall inform the employee, as the data subject, of the legal basis and purpose of the processing prior to the commencement of the processing activity.

(2) The scope of the personal data of employees processed by the Controller in the employment register:

·       Name

·       address, temporary address, postal address,

·       contact details, telephone number, e-mail address,

·       Social security number, tax identification number, identity card number,

·       the amount of your salary,

·       bank account number,

·       addresses and bank account numbers of blocking, deductions,

·       children, dependants and their social security numbers,

·       tax identification number,

·       employee contact details,

·       next of kin to be notified.

 

(3) Persons concerned by the processing: employees of the Data Controller at any given time.

(4) The recipients of the personal data recorded above are: the employer, employees of the Data Controller performing personnel, accounting, payroll and data processing tasks.

(5) Purpose of data processing: fulfilment of obligations arising from the employment relationship (payment of wages), exercise of rights arising from the employment relationship, establishment and termination of the employment relationship.

(6) Duration of data processing: 8 years after the termination of the employment relationship in the case of general employment documents (including, for example, employment contracts). In the case of employment records relating to payroll accounting and the employee's insurance relationship, 5 years after the applicable retirement age.

 

3.2 Monitoring the employee's conduct in the employment relationship

(1) The employer, as Data Controller, may monitor the employee as data subject only in the context of his or her conduct in the employment relationship. The control and the means and methods used in the course of the control shall not involve any violation of human dignity. The employee's private life shall not be subject to control.

(2) The employer shall inform the employee in advance of the use of technical means which will be used to monitor the employee.

 

3.2.1. Processing of data related to the use of an e-mail account provided by the Data Controller to the employee

 

 (1) The Data Controller shall make an e-mail account available to employees in order to enable employees to keep in touch with each other or to correspond with customers, other persons and organisations on behalf of the Data Controller.

(2) Employees of the Data Controller are not allowed to use the e-mail account described above for private purposes. The head of the employer is entitled to check the contents of the employees' company e-mail accounts and the correspondence of the employees every six months. 

(3) The employer must inform the employee of the employer's interest in taking action before controlling the use of the email account.

(4) The employer shall, subject to the principle of gradualness, develop a system of gradual control, which shall adequately ensure the protection of personal data and minimise the impact of the control on the privacy of employees.

(5) As a general rule, the presence of the employee must be ensured when checking the use of the e-mail account.

(6) In order to maintain lawful control of the e-mail account, the employer must provide detailed information to the employees in advance. In the information, the employer must state, inter alia:  

(i) for what purposes and for what employer interests the e-mail account may be checked (and, of course, the employee must be informed of the employer's interest in the check before the specific check is carried out); 

(ii) who on behalf of the employer may carry out the inspection; 

(iii) the rules according to which the checks may be carried out (gradual approach); 

(iv) what the procedure is; 

(v) what rights and remedies employees have in relation to the processing of their data in connection with the monitoring of their e-mail account.

(7) The first step in the verification is to check the e-mail address and the subject of the e-mail, and then a more detailed, higher level check of the use of the e-mail account may be carried out.

(8) The employer shall not be entitled to check the content of private e-mails stored in the e-mail account, even if the employees have been informed of the fact of the check in advance. The employee shall be requested to delete the private e-mails, if the employee does not comply with the request or is unable to delete the personal data due to his/her absence, the employer shall be entitled to delete the personal data immediately upon the inspection, and at the same time may apply labour law sanctions against the employee for violation of the regulation on the use of company e-mail.

(9) Every six months, the employer shall be entitled to send information to employees in the mail system on the prohibition of private use of company e-mail accounts.

(10) The legal basis for the control of the e-mail account made available to the employee by the Data Controller is the legitimate interest of the employer, the purpose of which is to monitor the fulfilment of the employee's obligations and to monitor compliance with the prohibition on the use of private e-mail accounts.

 

3.2.2.2 Control of the use of laptops, tablets and telephones provided to the employee

 

(1) Employers may provide employees in certain jobs with "company" laptops, tablets and telephones for the performance of their work.

(2) Employers shall prohibit employees from using the above-mentioned devices for personal purposes. Pursuant to the above provision, the handling, storage, use of any personal data, such as photos, passwords, identifiers for employees' personal accounts, e-mails, private applications, or use for private conversations on the above-mentioned devices is prohibited.

(3) The provisions set out in section 3.2.1 shall apply to the control of the above-mentioned instruments, the persons carrying out the control, the legal basis and the purposes of the processing.

 

 

3.3. Ad hoc processing of data relating to employees

(1) The employer shall organise team-building trainings and other events, in which employees shall be given the opportunity to participate, with the aim of improving communication between employees, promoting more effective cooperation and increasing the level of trust between employees, and strengthening mutual respect and commitment. 

(2) The legal basis for the processing of data in the course of the activities referred to in the previous paragraph is the consent of the employee.

(3) The purpose of data management is to improve communication between employees, to facilitate more effective cooperation and increase the level of trust between employees, and to strengthen mutual respect and commitment.

(4) Persons concerned: all employees who participate in the training or other event.

(5) Scope of personal data: portraits of employees.

(6) Deadline for deletion of data: 6 months after withdrawal of consent or publication in the employer's internal system.

(7) Persons entitled to access the data (categories of recipients): visitors to the website and social platforms of the Data Controller. 

 

4. Final provisions

 

The provisions of the Policy apply to the data processing provisions not mentioned in this Notice, as stated at the beginning of this Notice. Thus, in particular, but not exclusively, the provisions of the Policy and its annexes shall govern the rights of data subjects, data security measures and remedies.
 

Annex 4: "Register of data processors" 

DATA PROCESSORS' RECORDS

 

DATA PROCESSORS

Name of data processor

Contact details of the data processor

Activity

TAX Feeling Ltd.

4027 Debrecen, Fáy András utca 19.

accounting 

KBOSS.hu Kft

1031 Budapest, Záhony utca 7/D.

billing software service 

Debrecen, 2024.02.06.

ODOL Consulting Ltd.

represented by Ferenc Suhaj, Managing Director