In compliance with the relevant statutory regulations stipulating the protection of personal data, Edenred Magyarország Korlátolt Felelősségű Társaság (registered office / official mailing address: 1134 Budapest, Váci út 45.; company registration number: 01-09-266926; electronic address: firstname.lastname@example.org and email@example.com; website address: https://edenred.hu/hu/; phone number: +36 1 413 3333; represented by: Krisztián Balázs; hereinafter: Controller) informs the persons contacting the Controller of its applied data processing method as follows.
The Controller provides services for employers in relation to allowances issued in an electronic format in accordance with the Act on Personal Income Tax. Within this framework, the Controller provides the Client’s employees with non-transferable plastic cards with a magnetic stripe or a chip for the payment of the consideration, in part or in full, of the goods sold or services provided by the Card Acceptor.
As the Controller pays special attention to the protection of personal data, it takes due care to ensure fair and transparent data processing, which is based on the fundamental prerequisite of providing appropriate information on data processing. Among others, this Data Processing Information gives information on processing Data Subjects’ personal data during data processing for interaction: about the sources and scope of the processed data, the legal grounds for, and the purpose and duration of data processing, the rights related to personal data and the options to choose between such rights, and it also contains the details of access to the places where answers are given to your questions regarding the Data Subject’s data protection practice.
|Summary of data processing for interaction between the Controller and the Data Subject| |
|---|---|
|Purpose of data processing|Maintaining contacts between the Controller and the Data Subject|
|Legal grounds for data processing|Performance of the contract made between the Controller and the Data Subject (buyer) [GDPR Article 6 (1) a)]|
|Scope of the processed data|The Data Subject’s surname; the Data Subject’s first name; the Data Subject’s email address; the Data Subject’s phone number|
|Period of data processing|The total period of the Controller’s provision of services in respect of the Data Subject.|
Summaries merely serve the purposes of convenience. Please read the complete information.
Data Subjects include any party who establishes contacts with the Controller (hereinafter collectively: Data Subject).
The Controller receives the Data Subject’s personal data from the Data Subject during the application for establishing contacts.
The legal ground for processing personal data in relation to contacts with the Data Subject is the Data Subject’s consent [GDPR Article 6 (1) a)]. The consent may be withdrawn at any time.
The Controller processes the following data for interaction between the Controller and the Data Subject:
The Data Subject’s surname; the Data Subject’s first name; the Data Subject’s email address; the Data Subject’s phone number
For interaction between the Controller and the Data Subject, the Controller processes the personal data processed on the basis of the Data Subject’s consent until withdrawal of the consent.
In the course of service provision, the Controller passes the Data Subject’s data on to its contracted partners for data processing in the interest of service provision and in the required extent.
When the data processing period is over, the Controller erases the Data Subject’s data.
The Controller provides for the security of the processed data and takes every step required to prevent unauthorized access, modification, transmission, disclosure, deletion or destruction, and becoming inaccessible due to changes in the technique applied, i.e. in the interest of protecting the Data Subjects’ personal data in compliance with the relevant statutes.
Within the scope of the actions needed for compliance with the data security requirement, in the information technological database, the Controller processes the Data Subject’s data automatically and manually, and has taken action to ensure that the Data Subject’s data is processed in a closed system, in every case, password protected, saved on a hard disc, and that the persons authorized to obtain the data only use these systems related to and in the extent indispensable for the provision of the service.
The computer systems are equipped with firewall and appropriate anti-virus software.
The Controller performs the technical check of the system and takes action if a defect is noticed or reported.
The Controller provides for full advice to the parties authorized to have access to the data on data protection rules. To guarantee data security, the Controller’s executive officers and employees are subject to confidentiality and legal accountability in respect of the personal data obtained in the course of this activity.
At the Data Subject’s request, the Controller must provide information [GDPR Article 15 (1); right of access]:
- on the Data Subject’s data processed;
- on the purposes of the processing;
- on the categories of recipients to whom the personal data have been or will be disclosed;
- on the period of data processing;
- on the Data Subject’s rights and remedies.
Prior to initiating the procedures regulated in this section, the Data Subject is entitled to – electronically – submit a complaint to the Controller to eliminate its concerns related to data processing and restore lawfulness. Within a month, the Controller must investigate the complaint, make a record of it, adopt a decision on its grounding, and inform the Data Subject of its decision in writing, electronically. If the Controller approves the Data Subject’s complaint, it restores the lawfulness of data processing or terminates data processing – including the collection and disclosure of data. In this case the Controller may no longer process the Data Subject’s data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The Controller must notify all the parties to whom it has disclosed the data affected by the complaint about the complaint and the actions taken on its basis. The complaint handling procedure regulated in this section serves the purpose of eliminating the concerns related to data processing in the course of interaction with the Data Subject, and does not include objections to the quality of the Controller’s products or legal statements constituting waiver/termination.
At the Data Subject’s request, the Controller must provide a copy of the personal data in a commonly used electronic format or another format according to the Data Subject’s choice [GDPR Article 15 (3); right to access, right to copies].
In accordance with the Data Subject’s request, we modify or rectify his or her personal data [GDPR Article 16, right to rectification].
In the interest of exercising the Data Subject’s right to access to his or her personal data and in order to rectify his or her personal data, he or she may apply to the Controller in an electronic letter sent to the email addresses firstname.lastname@example.org or email@example.com.
At the Data Subject’s request, the Controller erases the Data Subject’s personal data. The Controller may refuse fulfilment of the application for reasons specified in Article 17 (3) of GDPR, for example if the personal data are necessary for the submission and/or enforcement of a legal claim, or for compliance with a legal obligation which requires processing personal data by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller [GDPR Article 17; right to erasure].
The Data Subject may withdraw his or her consent at any time without limitation and justification, free of charge. In this case the Controller erases the data from the records without delay, unless for another purpose and based on another legal grounding processing the Data Subject’s personal data may be continued. Withdrawal may be stated either by post, in a letter sent to the Controller’s registered office, or electronically, in a letter sent to the email address firstname.lastname@example.org or email@example.com [right to withdraw consent]. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
The Data Subject is entitled to request the restriction (blocking) of processing personal data:
- if he or she contests the accuracy of the personal data, he or she may request blocking the data until the controller verifies the accuracy of the personal data;
- if processing is unlawful and the Data Subject opposes the erasure of the personal data, and requests the restriction of their use instead;
- if the Controller no longer needs the personal data, but the Data Subject requests blocking for the establishment, exercise or defence of legal claims [GDPR Article 18; right to the restriction (blocking) of processing].
The Controller fulfils the blocking request by storing the personal data separately from the other personal data. Thus for example, in the case of electronic files, it saves them on an external data carrier, or transfers personal data stored on paper in a separate folder. With the exception of storage, the Controller may only process such data with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. You will be informed in advance about the release of the restriction of processing.
The Data Subject is entitled to receive his or her personal data in a structured, commonly used and machine-readable format, and has the right to transmit these data to another controller. In addition, the Controller ensures that on an express request to this end, it directly transmits the Data Subject’s data to the other controller specified by the Data Subject [GDPR Article 20 (1) and (2); right to data portability].
Within one month following receipt of the Data Subject’s application, the Controller informs the Data Subject of any actions taken. If the application is rejected, within one month following receipt of the application, the Controller will inform you of the reasons for refusal, and of any option to submit a complaint to the Authority and seek judicial remedy.
The exercise of this right is free of charge. In certain cases the Controller may charge a fee based on administrative costs, or refuse to take action on the basis of the application, if the Data Subject requests a copy of his or her data, or if the Data Subject’s application is clearly ungrounded or – especially on account of its repeated nature – exaggerated.
The Controller retains the right to request the submission of information required for the confirmation of the Data Subject’s personal identity if it has reasonable concerns about the identity of the person who has submitted the application. Such cases include especially if the Data Subject exercises his or her right to requesting a copy, when it is justified for the Controller to make sure that the application has been submitted by the authorized person.
If in the Data Subject’s judgment the Controller has infringed upon his or her right to the protection of personal data, or the Controller performs unlawful data processing, he or she may request the Authority to open a procedure. Contact details of the Authority: postal address: H-1530 Budapest, POB.: 5.; email address: firstname.lastname@example.org; phone: +36 (1) 391-1400; website: www.naih.hu.
If the Data Subject is of the opinion that the Controller has infringed upon his or her right to the protection of personal data, he or she may also start court action and demand indemnification for any damages caused to the Data Subject by the unlawful processing of his or her data, and in the case of an infringement of his or her personality rights, the payment of earnest money. In the event of a judicial enforcement, the Data Subject may start the action at the court of his or her residence or habitation.
If the Controller modifies the Data Processing Information, it places a notice on the website to enable the Data Subject to familiarize himself or herself with the modification.
If the Controller wishes to perform additional processing of the personal data for a purpose other than the purpose of obtaining them, prior to such additional processing it must notify the Data Subject of the different purpose and all the relevant additional information.
If the Controller discloses the data to other recipients, it must inform the Data Subject of this fact at the latest on the first disclosure of the personal data.
Enters into force on: 2 July, 2018