Privacy Notice

Privacy Notice

Present Notice contains the criteria of the activities of Plazmacentrum Nyugati Kft. (registered seat: HU-1066 Budapest, Teréz körút 46. 2. em.; register number: Cg.01-09-300738, and PLAZMACENTRUM Kft. (seat: 9400 Sopron, Várkerület utca 17.; register number: Cg.08-09-026591, hereinafter the two companies referred to as the "Data Controller" or the "Company") in relation to the processing of personal data. In the following, you will be informed about the personal data processed by the Company, the purposes of and legal grounds for data processing, retention period of data processed and who may know it and access the personal data processed by the Company. You will also find detailed information below on what rights you have in relation to the processing and how you can exercise them.

If you have any questions or comments regarding the data processing or the Notice, please send them to mark@pecsvarady.hu.

In particular, the Company may amend the Privacy Notice in the event of the introduction of new data processing or changes to existing data processes, of which its donors and other natural persons concerned are informed on the website of the Data Controller.

1.) Data Controller data

Data Controller Name: Plazmacentrum Nyugati Kft.

Registration Authority: Budapest Metropolitan Court as Court of Registration

Registered seat: HU-1066 Budapest, Teréz körút 46. 2. em.

Tax number: 25997424-2-42

Data Controller Name: PLAZMACENTRUM Kft.

Registration Authority: Győr Metropolitan Court as Court of Registration

Registered seat: HU-9400 Sopron, Várkerület utca 17.

Tax number: 24283539-2-08

Data Protection Officer: dr. Pécsvárady Márk

E-mail: mark@pecsvarady.hu

Address: HU-1066 Budapest, Teréz körút 46. 2nd floor.

2.) Purposes of the Notice

The purpose of the Notice is to ensure compliance with the legal requirements of data protection, to set out, in accordance with the relevant legal provisions, the data processing principles, purposes and other facts that determine the purposes for which, for how long and how the personal data provided by the data subject are processed, and the data subject's rights of enforcement and remedies in relation to the processing.

The purpose of the Notice is to ensure that, in all areas of the services and operations provided by the Data Controller, all individuals, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.

3.) Relevant laws

The Data Controller respects the personal data of the individuals concerned and undertakes to ensure that its processing complies with the provisions of the Notice and applicable law, in particular, but not limited to:

Regulation 2016/679 of the European Parliament and of the Council (EU) (hereinafter referred to as the “GDPR” or the “General Data Protection Regulation”),
Act CXII of 2011 on the right of informational self-determination and on freedom of information (hereinafter referred to as the “Info tv.”),
Act CLIV of 1997 on Health Care (hereinafter referred to as the “Health Care Act”),
Act XLVII of 1997 on the processing and protection of health and related personal data (hereinafter referred to as "Act XLVII"),
EüM Decree 3/2005 (II. 10.) on quality and safety standards for the collection, testing, processing, storage and distribution of human blood and blood components and on certain technical requirements thereof (hereinafter referred to as the "EüM Decree"),
Act XLVIII of 2008 on the basic conditions and certain restrictions on commercial advertising activities (hereinafter referred to as “Grt.”)

defined provisions and consistent with other laws and directives in connection with data processing.

4.) Definitions

4.1. “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

4.2. “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

4.3. “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;

4.4. “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

4.5. „filling system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

4.6. „processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

4.7. „recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

4.8. „third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

4.9. „consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

4.10. „personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

4.11. „biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

4.12. „supervisory authority”: Hungarian National Authority for Data Protection and Freedom of Information (NAIH);

4.13. „system”: Controller the totality of the technical solutions that operate the Controller's services;

5.) Lawfulness of processing

Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the Data Controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Where processing is based on consent, the Data Controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

6.) Principles relating to processing of personal data

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR subject to implementation of the appropriate technical and organisational measures required by GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (”integrity and confidentiality”).

The controller shall be responsible for, and be able to demonstrate compliance with, above principles (”accountability”).

7.) Information on joint data controlling

The Plazmacentrum Nyugati Kft. (registered seat: HU-1066 Budapest, Teréz körút 46. 2. em.; register number: Cg.01-09-300738, in this I.7. point referred to as Data Controller1) as Data Controller1, PLAZMACENTRUM Kft. (registered seat: HU-9400 Sopron, Várkerület utca 17.; register number: 08-09-026591, hereinafter referred to as the "Data Controller2"), collectively referred to as “Data Controllers”, hereby inform data subjects about the joint data processing agreement between the Data Controllers in accordance with Article 26 of the General Data Protection Regulation.

The Data Controllers are affiliated companies in accordance with Act LXXXI of 1996 on Corporate Tax and Dividend Tax, and consequently their activities are coordinated. In order to ensure efficient plasma sales and to protect the health of the data subjects, the Data Controllers share personal data related to plasma sales and process them jointly as necessary.

The processing is based on the legal interest of the Data Controllers, which is to ensure safe plasma delivery to all donors.

Data Controllers may process donors' personal data only in relation to the plasma donation.

Data subjects may exercise their rights under the General Data Protection Regulation in relation to and against any controller.

The Data Controllers shall designate Data Controller1 as the common contact person for the purpose of fulfilling requests received from data subjects (postal address: HU-1066 Budapest, Teréz körút 46. 2. floor; e-mail: mark@pecsvarady.hu).

II. AREAS OF DATA PROCESSING:

1.) Applying for an aptitude test

Scope of data controlled:

Name (surname and first name), e-mail address, telephone number (optional), date of birth

Purpose of data controlling: deciding whether the data subject is fit to donate plasma at the Data Controller

Legal basis for data controlling: consent of the data subject

Duration of data controlling: until the appearance or non-appearance on the booked date, until the cancellation / cancellation of the reservation, and until the withdrawal of the consent.

Data processors (recipients):

FutureWeb Design Korlátolt Felelősségű Társaság (seat: 4467 Szabolcs, Szabadság út 22., Cg.15-09-088763, info@futureweb.hu) The activities of the data processor include the operation of the Data Controller's website and the provision of the IT infrastructure.

Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). The activity of the data processor covers the operation of the infrastructure necessary for correspondence with the donor.

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

2.) Appointment of donors for plasma donation

Scope of data controlled:

Name (surname and first name), donor number, donor plasma donation number, nearest available time, donor time reservation, e-mail address, telephone number

Purpose of data controlling: Informing donors about the number of plasma donations that have already taken place and enabling the verification of the controlled data and identifying and contacting the person making the appointment in connection with the appointment.

Legal basis for data controlling: consent of the data subject

Duration of data controlling: until the appearance or non-appearance on the booked date, until the cancellation / cancellation of the reservation, and until the withdrawal of the consent.

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

3.A.) Data management related to plasma donation as a healthcare service

Scope of data controlled:

Name (surname and first name), birth name, donor number, donor plasma donation number, donor appointment booking, mother's birth name, place and time of birth, e-mail address, telephone number, place of residence / address, citizenship, social security (TAJ) number, health data required for plasma donation

Purpose of data controlling: implementation of plasma donation as a health care service.

Legal basis for data controlling: consent of the data subject

Duration of data controlling: retains all health and personal data related to the health service that are part of the health documentation in accordance with the law for 30 years from the data collection in accordance with Eüak. Section 15. Subsection 9.

Data processors (recipients):

Invitech ICT Services Kft. (seat: 2040 Budaörs, Edison utca 4., Cg.13-09-190552 The activity of the data processor covers the operation of the servers of the Data Controller.

The Data Controller hereby informs the data subjects that continuous medical activity is required for the performance of the activities stated above. The specialists are the data processors of the Company, with whom the Company concludes a data processing agreement in a separate form.

3.A.) Data management related to filling a questionnaire regarding plasma donation habits

Scope of data controlled:

Purpose of data controlling: providing a better plasma donation service and surveillance of donor satisfaction.

Legal basis for data controlling: consent of the data subject

Data processors (recipients):

Invitech ICT Services Kft. (seat: 2040 Budaörs, Edison utca 4., Cg.13-09-190552 The activity of the data processor covers the operation of the servers of the Data Controller.

4.) Complaints handling

Scope of data controlled:

Personal data provided by the complainant in the complaint (typically: name, e-mail address, home address) as well as personal and, where applicable, medical data contained in the complaint

Purpose of data controlling: complaint handling, investigation of the circumstances of the case affected by the complaint and handling of the complaint.

Legal basis for data controlling: legal obligation (Eütv. 29. § (1))

Duration of data controlling: 5 years from the investigation of the complaint (according to Section 29 (4) of the Eütv., complaints must be registered and the documents related to the complaint and its investigation must be kept for 5 years).

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

5.) Recording telephone conversations

Scope of data controlled:

Voice of the person concerned and personal data made during the telephone conversation, date, duration and number of the call

Purpose of data controlling: the general purpose of recording telephone conversations is to prove what was said during the conversation. n the case of complaints made by telephone, the aim is to accurately record the complaint. In addition, the goal is to continuously improve the quality of service provision, adequate response to telephone inquiries and the services of the Data Controller.

Legal basis for data controlling: The legal basis for the data processing is your consent as a data subject, which you give by continuing the call after being alerted to the recording (GDPR Article 6. (1) a)). Furthermore, the legitimate interest of the Data Controller for quality assurance and enforcement is a legal basis (GDPR 6. Article (1) f)).

The Company, as a data controller, considers that the activities of the Company under this section, which serve the security of the Company and the donor, meets the provisions of the legitimate interest as stated in Article 6 (1) (f) of the GDPR, or the measures provided by the Company to ensure the rights of the data subjects do not infringe the interests or fundamental rights and freedoms of the data subjects in such a way as to override the legitimate interests of the Company.

The Company has decided to process the data referred to in this section for the security of the Company and the data subjects because it complies with Article 6 (1) (f) of the GDPR as a legal basis.

Duration of data controlling: 5 years from the end of the call, in case of complaints 5 years from the closing of the complaint (general deadline for claims).

Data processor (recipient): Magyar Telekom Nyrt. (seat: 1097 Budapest, Könyves Kálmán körút 36., Cg.01-10-041928). The activities of the data processor include the recording and preservation of sound recordings.

6.) Data controlling related to other inquiries, customer satisfaction questionnaire, and contact

Scope of data controlled:

Name, telephone number, e-mail address, additional personal data included in the inquiry, report, customer satisfaction questionnaire

Purpose of data controlling: collecting, evaluating feedback on service quality and improving the quality of service. In other cases, answering reports, inquiries and questions.

Legal basis for data controlling: legitimate interest (GDPR 6. (1) f)).

The Company has decided to process the data referred to in this section for the security of the Company and the data subjects because it complies with Article 6 (1) (f) of the GDPR as a legal basis.

Duration of data controlling: 5 years from the closing of the request (general deadline for claims).

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

7.) Data controlling of job applicants and data controlling related to the recruitment database

Scope of data controlled:

Name, telephone number, e-mail address, additional personal data provided in the CV

Purpose of data controlling: Filling jobs, compiling your own recruitment database.

Legal basis for data controlling: The legal basis for data management is your consent as an applicant, which you provide to the Data Controller by submitting your application (GDPR 6. Article (1) a)).

The legal basis for the establishment of the recruitment database is the legitimate interest of the Data Controller in filling the posts (GDPR 6. Article (1) f)).

The Company has decided to process the data referred to in this section for the security of the Company and the data subjects because it complies with Article 6 (1) (f) of the GDPR as a legal basis.

Duration of data controlling: 2 years after the submission of the application in the case of an unsuccessful application and the inclusion of the data in the Data Controller's own recruitment database in the case of persons included in the recruitment database.

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

8.) Data controlling related to the operation of electronic security system

Scope of data controlled:

Image

Purpose of data processing: The Data Controller operates and operates a camera system in its territory, in the customer waiting premises, for the purpose of property protection. No cameras were placed in the test rooms, donor test rooms and plasma donation room. The recordings are stored by the Data Controller only on its own servers in a locked room, with enhanced data security measures. Unauthorized persons may not access the recordings, only to the extent necessary for the authorized employees of the Data Controller to perform their duties.

Legal basis for data controlling: legitimate interest (GDPR 6. (1) f)).

The Company has decided to process the data referred to in this section for the security of the Company and the data subjects because it complies with Article 6 (1) (f) of the GDPR as a legal basis.

Duration of data controlling: 3 days after recording, until transmission to the official measure in case of detection of a serious violation.

9.) Marketing activity

Scope of data controlled: name, email address, phone number.

Purpose of data controlling: sending electronic newsletters containing a commercial advertising message to the data subject, information on current news and products.

Pursuant to Section 6 of the Grt., the data subject consents in advance and expressly to contact the Data Controller with his / her contact details (e.g. e-mail address or telephone number) provided on the data sheet prepared for this purpose with his / her advertising offers and other items.

Subject to the provisions of this Prospectus, the data subject consents to the processing of the personal data of the Data Controller necessary for the sending of advertising offers. The Data Controller shall not send unsolicited advertising messages and may unsubscribe from sending offers free of charge without any restriction or justification.

In this case, the Data Controller deletes all personal data necessary for sending advertising messages from its register and does not contact the data subject with its further advertising offers.

Legal basis for data controlling: consent of the data subject.

Duration of data controlling: until the withdrawal of the statement of consent, but no later than the end of the activity.

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor extends to the provision of the mail system (Gmail).

Maximum Business Kft. (seat 1156 Budapest, Nádastó park 35. fszt. 2/A., Cg.01-09-330843). The activity of the data processor covers the performance of marketing agency tasks.

10.) Website operation

The Data Controller uses "cookies" on its website (www.nyugati.plazmacentrum.hu) in the following breakdown, which cookies are not used by the Data Controller to identify the visitor of the website:

1. Necessary cookies: these cookies are required for the operation of the site. They start automatically when the data subject visits the Data Controller's website.

2. Technical cookies: The website uses cookies placed on the computer of the website visitor in order to help us analyze the use of the website.

Technical cookies can be "permanent" or "temporary" cookies. The permanent cookie is stored by the browser until a certain time, provided that the data subject has not previously deleted it, but the temporary cookie is not stored by the browser, it is automatically deleted when the browser is closed.

3. Marketing Cookies: These cookies allow us to display or send you personalized content and ads by analyzing your use of the site and to further improve our services by using the analysis. The marketing cookies used by the Data Controller include cookies from Facebook and Google.

The Data Controller uses the following third-party cookies for the above website, ie cookies created not by the Data Controller but by an external service provider.

Google Adwords Cookies: These cookies collect data about visits to the data manager's web pages (e.g. subpages visited). They are for remarketing purposes, ie they allow you to display targeted ads on other websites based on your visits to the Data Controller's website.

Google Analytics Cookies: These cookies collect statistics about visits to the Data Controller's website in order to analyze the use of the website and the number of visitors (eg: subpages viewed, number of visitors, approximate geographical location, etc.). The Data Controller uses statistics obtained through Google Analytics on the traffic and use of your websites to improve your website.

Facebook cookies: These cookies also collect data about the use of the Data Controller's website (eg sub-pages viewed) in order to display advertisements targeted to you on Facebook..

You can find more information about the above cookies on the websites below:

https://policies.google.com/technologies/types

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

https://www.facebook.com/help/cookies/

Scope of data controlled: the IP address of the visitors to the website (website), the date of the visit, the details of the pages viewed, the browser used.

Purpose of data controlling: Operation of the website with regard to necessary cookies. In the case of technical cookies, the analysis of the website traffic data. Providing appropriate advertising for marketing cookies.

Legal basis for data controlling: in the case of necessary cookies, the legitimate interest of the Data Controller, and in the case of technical and marketing cookies, the consent of the data subject (GDPR 6. Article (1) a)).

Duration of data controlling: until the end of the use of the website in the case of necessary cookies (termination of the session), and until the end of the retention period set by Google and Facebook for the given technical and marketing cookies.

If the visitor of the website does not consent to the placement of technical and marketing cookies, you can do so by making settings (blocking, revoking) in your own browser. Disabling cookies may restrict or prevent the use of certain services.

Data processors (recipients):

Google Ireland Limited (registration number: 368047, seat: Gordon House, Barrow Street, Dublin 4, Ireland). The activity of the data processor covers the operation of necessary, technical and marketing cookies.

Facebook Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland). The activity of the data processor covers the operation of technical and marketing cookies.

The Data Controller has its own Facebook page with information about the Data Controller. The data controller does not manage data on the Facebook page. By using the Facebook page, the data subject declares that has read and accepted the terms and conditions of use of Facebook and the Privacy Policy in advance.

11.) Usage of guest Wi-Fi

Scope of data controlled: IP address

Purpose of data controlling: Providing free internet access via Wi-Fi to the donors of the Data Controller

Legal basis for data controlling: consent of the data subject (GDPR Article 6 (1) a))

Duration of data controlling: until the usage of the Wi-Fi

Data processor (recipient): FutureWeb Design Korlátolt Felelősségű Társaság (seat: 4467 Szabolcs, Szabadság út 22., Cg.15-09-088763, info@futureweb.hu). The activity of the data processor covers the creation of the IT environment necessary for the operation of the Wi-Fi system.

III.

PROCEDURE OF THE DATA CONTROLLER

1.) Data security

The Data Controller shall take all necessary security, organisational and technical measures to ensure the highest level of security of personal data and to prevent their unauthorised alteration, deletion and use.

The Data Controller shall take all necessary measures to ensure data integrity, namely the accuracy, completeness and up-to-date status in connection with the processes of the personal data.

The Data Controller shall take appropriate measures to protect the data, particularly against unauthorised access, alteration, transmission, disclosure, deletion, accidental destruction, damage and loss of accessibility due to changes in the technology used.

The Data Controller shall save the active data from databases containing personal data.

The Data Controller shall continuously ensure virus protection on the network processing personal data.

Access to managed data and data files on the network of the Data Controller shall be secured by username and password.

In order to ensure the security of personal data processed on paper, the Data Controller applies the following measures:

- data may only be accessed by authorised persons and may not be disclosed to others;

- documents shall be kept in a secure place, protected by fire and security equipment;

- data processing staff of the Data Controller may leave the place where data processing is taking place during the day only by locking the storage device entrusted to them or by locking the office;

- data processing staff of the Data Controller lock the paper medium at the end of the work;

- in case of the personal data processed on paper are digitalised, the Data Controller applies the security rules applicable to digitally stored documents.

In order to ensure the security of personal data stored on a computer or network, the Data Controller shall apply the following measures and safeguards:

- the computers used in the processing are the property of the Data Controller or it has equivalent rights as ownership;

- the data on the computer are only accessible to persons with valid, personal and identifiable access rights

- access to the data on the computer is only possible with at least a user name and password, which are regularly changed by the Data Controller;

- all computer records relating to the data are logged in a traceable manner;

- access to data stored on the network server computer (hereinafter referred to as “server”) shall be restricted to duly authorised and designated persons;

- in case of the purpose of the processing has been achieved and the time limit for processing has expired, the file containing the data is irretrievably deleted and the data cannot be retrieved;

- in order to ensure the security of the data stored on the network the Data Controller avoids the loss of data by continuous mirroring of the server;

- the active data in databases containing personal data are daily saved, the saving is made of the entire data set on the central server and on magnetic media;

- the magnetic media which is contains the saved data is stored in a fireproof place and manner in a vault box designed for that purpose;

- virus protection on the network processing personal data is continuously ensured;

- prevent access to the network by unauthorised persons by the available computer tools and their use.

2.) Handling personal data breaches

In case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

An employee or contributor who becomes aware of a personal data breach involving personal data processed by the Data Controller must immediately notify the Data Protection Officer and the management, providing his or her name, telephone number and/or email address, the subject of the breach and whether the breach involves an IT system. The notifier may also provide additional information which is relevant to the identification and investigation of the incident.

If the data breach occurred on an IT system, the management will also inform the relevant system administrator.

Data Protection Officer, in cooperation with the IT officer in the case of the incident involving an IT system, shall investigate the notification and request the notifier to provide information, which the notifier shall promptly provide.

Information provided must include:

1. time and location of the personal data breach,

2. description of the incident, its circumstances and effects,

3. scope and quantity of the compromised data,

4. people affected by the compromised data,

5. description of the measures taken to avert the incident,

6. description of the measures taken to prevent, avert, mitigate the damage.

In connection with information provided, the Data Protection Officer, in cooperation with the IT officer in the case of the incident involving an IT system, shall propose to the area processing the data and the management relating to the necessary measures to avert the personal data breach.

Data holder informs the management and the Data Protection Officer within 2 working days after the implementation of the measures taken to avert the data breach.

Data Controller records any personal data breaches.

The register contains:

1. scope of the personal data concerned,

2. the scope and number of data subjects affected by the personal data breach,

3. time of the personal data breach,

4. the circumstances and effects of the personal data breach,

5. the measures taken to avert the personal data breach,

6. other data specified by law relating to processing.

In the event of a personal data breach, the Data Controller is obliged to keep the data in the register for 5 years.

3.) Exclusion of liability

The Data Controller shall not be liable for any errors and their consequences or for any damage caused by them due to any cause beyond its control.

For damage caused by or in connection with conduct of the breaches of the security information systems (including the use of viruses or other malicious software, unauthorised access to personal and other data, and other hacking activities), the perpetrator shall be solely liable for the conduct of such activity, Data Controller excludes its liability.

If the Data Controller becomes aware of the data subject is providing personal data of another person in breach of this Notice or otherwise in breach of the law or is using publicly available or unlawfully obtained personal or other data in breach of the law, or otherwise in breach of the provisions of this Notice, the Data Controller shall take the necessary legal actions.

The Data Controller states that if an infringement is detected in connection with the Data Controller's data processing, which is attributable to the Data Controller and the data subject has suffered property or non-property damage, the data subject or the party effected by the infringement is entitled to compensation from the Data Controller or Processor in accordance with Article 82 of the General Data Protection Regulation.

4.) Tasks of the data protection officer

The data protection officer shall have the following tasks:

a) to inform and advise the Data Controller and the employees who carry out processing of their obligations pursuant to Union or Member State data protection provisions;

b) to monitor compliance with Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 of the GDPR;

d) to cooperate with the supervisory authority; and

e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.

The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the GDPR.

The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

IV.

RIGHTS OF THE DATA SUBJECTS

1.) Transparent information, communication and modalities for the exercise of the rights of the data subject

The Data Controller shall take appropriate measures to provide any information and any communication under the GDPR relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject is verified by other means.

The Data Controller shall facilitate the exercise of data subject rights under the GDPR. The Data Controller shall not refuse to act on the request of the data subject for exercising his or her rights, unless the Data Controller demonstrates that it is not in a position to identify the data subject.

The Data Controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the Data Controller does not take action on the request of the data subject, the Data Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Information provided and any communication and any actions taken shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character taking into account the administrative costs of providing the information or communication or taking the action requested, the Data Controller may either:

a) charge a reasonable fee; or

b) refuse to act on the request. The Data Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Where the Data Controller has reasonable doubts concerning the identity of the natural person making the request, the Data Controller may request the provision of additional information necessary to confirm the identity of the data subject.

The Data Controller also informs the data subjects that all data subjects have the right to appeal against the Data Controller in respect of the data controller's procedure, including the right to filing a complaint, which the data subject may also submit towards the Hungarian Data Protection Agency. Detailed information on the submission of the complaint and the legal remedy can be found in section IV.9 of the Privacy Notice.

2.) Right of access by the data subject

The data subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source.

The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.

3.) Right to rectification

The data subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4.) Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) of the GDP, or point (a) of Article 9(2) of the GDP, and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of the GDPR;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject.

Where the Data Controller has made the personal data public and is obliged pursuant to erase the personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Data Controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Right to erasure shall not apply to the extent that processing is necessary:

a) for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controllers are subject;

b) for the establishment, exercise or defence of legal claims.

5.) Right to restriction of processing

The data subject shall have the right to obtain from the Data Controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Data Controller override those of the data subject.

Where processing has been restricted in connection above mentioned, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing shall be informed by the Data Controller before the restriction of processing is lifted.

6.) Notification obligation regarding rectification or erasure of personal data or restriction of processing

The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of the GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients if the data subject requests it.

7.) Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controllers, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and

b) the processing is carried out by automated means.

In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The exercise of the right referred shall be without prejudice to Article 17 of the GDPR and shall not adversely affect the rights and freedoms of others.

8.) Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

At the latest at the time of the first communication with the data subject, the right to object shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

9.) Remedies

If the data subject does not agree with the decision taken by the Data Controller, he or she may file for court action within 30 days of the notification.

The action shall be heard and determined by the regional court. The action may also be brought at the regional court having jurisdiction at the data subject’s home address or temporary address

Data subject can lodge a complaint with the National Data Protection and Freedom of Information Authority:

National Data Protection and Freedom of Information Authority

Address: HU-1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: HU-1530 Budapest, Postafiók: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

Email: ugyfelszolgalat@naih.hu

If the data subject has any complaints, comments or suggestions about the processing, he or she may also submit them to the Data Controller or the Data Protection Officer at the contact details indicated in point I.1. of this Notice.

Amendments to the Notice

The Data Controller reserves the right to amend the present Notice. In case of amendment, the Data Controller will make the amended Notice available at the reception desk at the headquarter of Data Controller or post it on its website. The amendment shall enter into force on the day following the day on which it is made available. After the amendment enters into force, the use of the services of the Data Controller shall constitute acceptance of the amendment to the processing rules.

Budapest, 25. May 2018.

The present Notice was amended on 25 November 2021, 22 December 2021 and on 25 March 2022, and the amendments have been incorporated into the text of the Notice. The present Notice will enter into force on 25 March 2022, the text of which has been consolidated with the changes.

Plazmacentrum Nyugati Kft. and PLAZMACENTRUM Kft.