I. The appointment of the data controller
RSM Hungary Adótanácsadó és Pénzügyi Szolgáltató Zártkörűen Működő Részvénytársaság
- Company seat: H-1139 Budapest, Váci str. 99-105. Balance Hall Building 4th Floor
- Correspondence address: H-1139 Budapest, Lomb str. 30-32.
- Corporate registration number: 01-10-045727
- E-mail: info@rsm.hu
- Telephone: +36 1 886 3700
- Website: https://pages.rsm.hu
The controller has not appointed a data protection officer.
II. Legal provisions under which the data processing takes place
The following legal provisions apply to the type of data processing described in this document:
- Act No CXII of 2011 on the right to informational self-determination and freedom of information;
- Regulation (EU) 2016/679 of the European Parliament and of the Council;
- Act No LIII of 2017 on prevention of money laundering and financing of terrorism.
III. Definitions
- „data subject”: a natural person identified or identifiable based on any information;
- „personal data”: any information relating to the data subject;
- „data of public interest”: any information or knowledge recorded in any manner or form that is not considered personal data, and which is being processed by, relevant to the activities of, or arose in connection with the public function of any natural or legal person having public or municipal responsibilities or any other corresponding public duties or functions set out in the applicable legislation, irrespective of its manner of processing, its individual or collective nature, and thus especially of it being data relating to competencies, organisational structure, professional activities and the evaluation thereof that also covers effectiveness, the types of data held, the legislation governing operation, and data in connection with economic management and contracts concluded;
- „data publicly available due to public interest”: any data that is not considered data of public interest, and to which access, or the availability or knowing thereof is ordered by the law as a matter of public interest;
- „special categories of personal data (special data)”: personal data relating to racial or ethnic origin, political ideas, religious or philosophical beliefs, and trade union membership, and genetic and biometric data used for the personal identification of natural persons, medical data, data concerning the sexual life or sexual orientation of natural persons, and personal data relating to criminal records;
- „identifiable natural person”: a natural person is identifiable if his or her identity can be ascertained, either directly or indirectly, in particular by reference to an identifier such as name, number, location data, online identifier, or one or more factors relating to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity;
- „data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- „restriction on data processing”: flagging of personal data stored, with the intent of restricting their processing in the future;
- „profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- „filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
- „controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- „processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- „recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- „third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- „the data subject’s consent”: any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed;
- „personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- „enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
- „group of undertakings”: a controlling undertaking and its controlled undertakings;
- „supervisory authority”: an independent public authority created in accordance with Article 51 of the Regulation, which in Hungary is the Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information);
- „processing of personal data across borders”:
  a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
  b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
- „information society service”: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.
IV. Data processing on the website run by the controller, newsletter data processing, and processing of personal data with regards to the conclusion of contracts
1. Scope of data processed and the purpose of the processing
a) name: for identification of customers and other third parties for the purpose of being able to provide adequate information to the contact person sought; data processing also takes place regarding the conclusion of contracts, in order to comply with the obligation for identification set out by the law on money laundering;
b) date and place of birth: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
c) mother’s maiden name: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
d) nationality: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
e) address: with regards to the conclusion of contracts, data processing takes place in order to comply with the obligation for identification set out by the law on money laundering;
f) person represented: it may allow more precise identification of the customers and other third parties;
g) phone number: it allows for easier contact, and after the conclusion of the contract is necessary for maintaining contact;
h) e-mail address: it allows for easier contact, and if consent is given, we will use it to send newsletters;
i) cookies: to benefit fully from certain services of the website, we recommend enabling cookies. A cookie is a small piece of data containing personalised information which the data subject’s browser stores on their computer. The purpose of cookies is to aid us in identifying recurring visitors, implementing customised visitor functions, and managing user logins (identification, verification). If you are seeking to learn more about our cookies, you can obtain additional information on the following website: https://europa.eu/youreurope/citizens/cookies/index_en.htm;
j) Data given by Google (Google Analytics service): data processing is carried out solely for statistical purposes, for the Controller to be able to improve user experience using the website’s traffic data;
k) Data given by Rocket Science Group (Mailchimp service): data processing is carried out for the Controller to receive feedback on how widely the newsletter is read, and to be able to introduce changes if necessary;
l) all other information is given voluntarily.
2. Legal basis for data processing
The legal basis for data processing is the voluntary consent of the data subject, and it also takes place in order to comply with the obligation for identification set out by the law on money laundering. The data subject subscribes voluntarily to newsletters and enables the cookies freely.
In the event the requested data is not given, contacting or sending the newsletter can be hindered. In the event the data required by the provisions of the law on money laundering is not given, conclusion of contract will be rendered impossible.
If you are seeking to learn more about Google Analytics, you can obtain additional information on the following website:
https://support.google.com/analytics#topic=3544906
You can also restrict the access of Google Analytics with the use of the application downloadable from the following website:
https://tools.google.com/dlpage/gaoptout?hl=en
3. Period of data processing
Data given in relation to job applications will be processed and erased by the Controller in accordance with Clause I.
The data required by the provisions of the law on money laundering may be processed for a period of 8 years following termination of the customer relationship, after which it shall be erased.
Data given during a call for proposals, in the event that a contract is not concluded, will be stored for a period of 3 years.
Data given during the conclusion of the contract will be erased 1 year after the 8-year minimum retention period for accounting documents directly or indirectly underlying the accounting records, set out in Article 169(2) of Act No C of 2000 on accounting.
Data given in relation to subscription to newsletters will be erased when consent is withdrawn, but no later than a period of one year following the termination of that service.
4. Access to data and data protection measures
4.1. Access to data and transmission thereof
Personal data given by the data subject can be accessed by the appointed personnel of the Controller, the personnel of the Financial Department and the executive officers of the Controller, and the personnel of the company appointed to supply IT services.
In instances other than the above, the Controller only shares personal data with other persons, public bodies or authorities if it is required by legal provisions, for instance if:
– legal proceedings are started in relation to the data subject, and the court seized requires (inter alia) documents containing the personal data of the data subject;
– an investigative authority contacts the Controller, and requests the forwarding of (inter alia) documents containing the personal data of the employee;
– another authority, when acting in its legal capacity, requests (inter alia) documents containing the personal data of the data subject.
The Controller employs a processor with regards to the processing of the following data:
a. matters that require legal assistance: Szűcs and Partners Law Firm (registered office: 5000 Szolnok, Madách utca 35.);
b. IT solutions related to personal data: Professional Information Technology Kft. (registered office: 1107 Budapest, Fogadó utca 4. C. ép. fszt.; Corporate Reg. No.: 01-09-353262);
c. IT solutions related to hosting: Websupport Magyarország Kft. (registered office: 1132 Budapest, Victor Hugo utca 18-22., Corporate Reg. No.: 01-09-381419).
4.2. Data protection measures
The Controller stores all data given by the data subject on the servers located in its registered office (1139 Budapest, Váci út 99-105.), the files located in the office building, and in a separate building used to store archived materials. For the processing of personal data, the Controller employs the services of Google (Analytics) and The Rocket Science Group (Mailchimp). If data is given during the use of these services abroad, the location of data processing is the United States of America. The safety of the data processing is guaranteed by the Privacy Shield agreement with the United States of America. The Controller shall take appropriate measures to ensure the protection of personal data inter alia from unauthorised access or alteration. Thus, the server used to store personal data is in a closed room, to which only the personnel working at the reception, the executive officers of the Controller, and the personnel of the company appointed to supply IT services (the IT company) have a key. The data stored on the servers can only be accessed by personnel with a unique identifier and password, and in the case of dedicated data, authorisation is also limited, e.g. only the dedicated personnel and the executive officers of the Controller are authorised to access the mailing list used to send out newsletters. Other than that, only the personnel of the IT company have access to digitally stored data, if necessary.
The IT company maintains daily supervision of the technical conditions necessary to the safety of the data and the storage of backup copies. The reception service, which is available 24 hours a day, is responsible for the safe handling of data recorded in paper format.
5. Rights related to data processing
5.1. The right to request information
The data subject can request information from the controller in writing, using the contact details given in Clause I, relating to:
- what personal data,
- on what legal basis,
- for what purpose of processing,
- from what source,
- and for what period the data is being processed,
- to whom, when, on what legal basis, and to what personal data did the controller give access to, or to whom did it forward their personal data.
The Controller shall adhere to the data subject’s request by sending the information by mail to the address given by the employee within 30 days.
5.2. The right of rectification
The data subject can request the alteration of personal data from the controller in writing, using the contact details given in Clause I (for instance, he or she can change his or her e-mail address anytime). Prior to adhering to the request, the Controller may request adequate proof of the change in personal data (for instance in the event of change of home address, or change of name). The Controller shall adhere to the data subject’s request within 30 days and confirm it via mail to the address given by the data subject.
5.3. The right to erasure
The data subject can request the erasure of their personal data from the Controller in writing, using the contact details given in Clause I. The Controller refuses the request if it is obligated by a legal provision or an internal policy to keep storing the personal data. If no such obligation exists, the Controller shall adhere to the data subject’s request within 30 days and confirm it via mail to the address given by the data subject.
5.4. Right to have data blocked
The data subject can request in writing that the Controller blocks their personal data, using the contact details given in Clause I. The blocking shall be maintained for as long as the reason given by the data subject makes it necessary to store the data. The data subject may request the blocking of the data if, for instance, he or she thinks that the Controller has processed it unlawfully, but it is necessary for the administrative or legal proceedings that the data subject initiated that the Controller does not erase the data. In this case the Controller shall store the personal data until the authority or the court requests it, after which it shall erase said data.
5.5. Right to data portability
The data subject is entitled to receive the data he or she provided to a controller in a structured, widely used format, readable by computer; and is entitled to forward this data to another controller; so upon request the Controller provides the data subject with the data burned on a CD.
5.6. The right to object
The data subject can object to the data processing in writing, using the contact details given in Clause I, should the Controller use or forward personal data for the purposes of direct marketing, public opinion poll, or scientific research. Thus, for instance, the data subject can object to the Controller using his or her personal data for the purpose of scientific research without consent. The data subject may object to the data processing even if it is believed that the processing is only used to comply with a legal obligation, or to enforce a given right, except for data processing based on regulatory authorization. Thus, he or she cannot object to the Controller forwarding their request containing his or her personal data to the authorities.
6. Enforcement of rights related to data processing
6.1. Initiating legal proceedings
The data subject can initiate a civil lawsuit if he or she believes his or her personal data was processed in a way that is considered unlawful. The hearing of the case falls within the jurisdiction of the general court. The list and contact data of the general courts can be found on the following link: http://birosag.hu/torvenyszekek
6.2. Notification to the Supervisory Authority
The data subject may initiate investigations via notification, claiming that by the processing of his or her personal data he or she has suffered the impairment of a right, at:
Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information):
- 1530 Budapest, Mailbox. 5.
- 1125 Budapest, Szilágyi Erzsébet fasor 22/c
- +36 1 391 1400
- +36 1 391 1410 (fax)
- Email: ugyfelszolgalat@naih.hu
- Website: www.naih.hu