SKILLSTAR 2018 NONPROFIT KFT. DATA PROTECTION POLICY

Transcription

1 SKILLSTAR 2018 NONPROFIT KFT. DATA PROTECTION POLICY 1. OBJECT AND THE SCOPE OF THE POLICY 1.1. Object of the policy The General Data Protection Regulation, which entered into force on 25 th May 2018, official title Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) (hereinafter referred to as "GDPR") established uniform rules for the protection of natural persons' data directly applicable throughout the European Union (and in certain cases beyond). GDPR establishes obligations primarily for persons who handle data for natural persons for specific purposes. The purpose of this policy is to provide a brief, comprehensible explanation on the details of the processing and data protection practices - which are based on the GDPR and the Act nr. CXII. of 2011 on informational selfdetermination and freedom of information (hereinafter referred to as "Privacy Act") - followed by the SkillStar 2018 Európai Szakmunkásverseny Szervező Nonprofit Korlátolt Felelősségű Társaság (registered seat: 1054 Budapest, Szabadság tér 7, registration authority: Company Registry Court of Budapest, Hungary; registration number: , hereinafter referred to as "SkillStar"), and, in this context, inform the data subject on their rights under the abovementioned legislation Scope of the policy This policy was prepared and published by SkillStar on the web site (hereinafter referred to as "Website"), maintained and operated by them. This policy shall be applied for all data processing by SkillStar, which affects a natural person Processing not affected by the policy Regarding the fact that GDPR only regulates the processing of personal data of natural persons, the provisions of this policy does not apply to SkillStar s processing of data which relate to a non-natural person. SkillStar considers the contact details of a nonnatural partner with a business relationship, including any contact information provided by the company or such person (e.g. phone number, address not suitable for identifying a natural person, etc.) as data mentioned in this article. 2. PROCESSING DEFINITIONS AND PRINCIPLES 2.1. Definitions The main terms used in this policy shall be interpreted as follows (according to GDPR definitions): - data subject means any natural person identified or identifiable on any processed data; a person may be identified if the identification is possible related to the processed data (in particular an identification data, such as name, number, positioning data, online identity or physical, physiological, genetic, intellectual, economic, cultural or social identity of one or more factor) in direct or indirect way; 1

2 - personal data means any information concerning the data subject; - controller means the person who manages the purposes and tools of the processing of personal data, alone or jointly with others; - processor means other person who is processing personal data on behalf of the controller; - processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction); - consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; - recipient means a natural or legal person, to which the personal data are disclosed; - personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed Cases of the processing SkillStar processes the data of natural person only in accordance with the GDPR and the domestic legislation on data protection for a specific purpose, in the case of an appropriate legal basis. The time, mode and extent of the processing shall be in accordance with the purpose set out above Methods of the processing SkillStar processes and stores personal data primarily on its own assets or self-controlled devices. SkillStar s employees are authorized to process or to access the data stored on such devices only if the processing or knowledge of the data in question is necessary to perform their duties. SkillStar uses services of processor(s) in cases of the following services: (i) (ii) keeping records of labour relationships, payroll calculation; provision of legal services; (iii) provision of hotel accommodation; (iv) providing a travel organization service; (v) provision of security guard and security services related to property leasing; (vi) providing postal and mail delivery service; (vii) provision of cloud based data storage services Transfer data to countries outside the European Union SkillStar does not transfer data relating to natural persons to countries outside the European Union. 2

3 2.5. Processing of particularly sensitive personal data SkillStar does not process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data uniquely identifying a natural person, data concerning health or data concerning sex or sexual orientation. If any data subject still provides such data, SkillStar promptly deletes it. The only exceptions to the foregoing is when SkillStar according to reasons related to health status, social security, social or similar benefits or services or any obligation related to any of them concerning a natural person having a legal relationship with SkillStar, is obliged to process such data, but in this cases SkillStar shall ensure that such data are properly protected and stored and subsequently removed for the time indicated in the relevant legislation Processing personal data relating to children SkillStar processes personal data relating to a person who is below the age of 16 only in the cases specified in this policy. 3. CASES OF PROCESSING OF DATA 3.1. Processing of data related to labour contract SkillStar processes the following data in connection with labour contracts signed with its employees: - scope of the processed data: name, birth name, date and place of birth, mother s birth name, residence, tax number, social insurance number, bank account number, phone number, marital status, child s name, child s date of birth, birth name of the child s mother, child s residence, child s tax number, type of the document of qualification, the issuing institution of the document of qualification, date of the document of professional skills, retired (yes/no), starting date of retirement, pension fund number; - purpose of the processing: the identification of the person and the bank account number is necessary for performance of the labour contract, and for providing information based on Act nr. CL of 2017 on the order of taxation and the Act nr. LXXX. of 1997 on the eligibility for social security benefits and private pensions and the funding of these services, related to the labour contract, and also for the payment of the wages; - basis for the processing: processing is necessary for the performance of a contract to which the data subject is party and for compliance with a legal obligation to which the controller is subject [GDPR, point b) and c) of paragraph (1) of Article 6]; - duration of the processing: 5 th December 2028, after this date 5 (five) years from the date of termination of the contract; processors carrying out accounting or legal activity for SkillStar Processing of data related to data subject applying for job advertisement SkillStar processes the following data of data subjects applying for the job advertisements of the company: - scope of the processed data: name, birth name, date and place of birth, mother s birth name, phone number, address, residence, and all the data provided by the applier in the CV (qualification, professional experience, languages, interests, etc.); 3

4 - purpose of the processing: identification of the appliers and examination of their suitability (qualification, professional competence), making possible to reach unsuccessful applicants if a similar position becomes available; - basis for the processing: consent of the data subject [GDPR, point a) of paragraph (1) of Article 6]; - duration of processing: 1 (one) year from the submission of the CV; - persons entitled for processing and recipients: managers and employees of SkillStar Processing of data related to other contracts concluded with natural persons SkillStar processes the following data in connection with other contracts (personal service contracts, work contracts, etc.) signed with natural persons: - scope of the processed data: name, birth name, date and place of birth, mother s name, residence/seat, tax number, social insurance number, bank account number, full time employment relationship s nature, employer s name, retired (yes/no), beginning date of retirement, pension fund number; - purpose of the processing: the identification of the person and the bank account number is necessary for performance of the contract, and for providing information based on Act nr. CL of 2017 on the order of taxation and the Act nr. LXXX. of 1997 on the eligibility for social security benefits and private pensions and the funding of these services, related to the labour contract, and also for the payment of the wages; - basis for the processing: processing is necessary for the performance of a contract to which the data subject is party and for compliance with a legal obligation to which the controller is subject [GDPR, point b) and c) of paragraph (1) of Article 6]; - duration of the processing: 5 th December 2028, after this date 5 (five) years from the date of termination of the contract; processors carrying out accounting or legal activity for SkillStar Processing of data of natural persons mentioned in contracts concluded with legal persons SkillStar processes the following data in case of natural persons mentioned in contracts concluded with legal persons (e.g. administrators, contact persons): - scope of the processed data: name, phone number, address; - purpose of the processing: identification of the natural person acting on behalf of a legal persons is necessary for the performance of the contract; - basis for the processing: processing is necessary for the performance of a contract to which the data subject is party [GDPR, point b) of paragraph (1) of Article 6]; - duration of the processing: 5 th December 2028, after this date 5 (five) years from the date of termination of the contract; processors carrying out accounting or legal activity for SkillStar. 4

5 3.5. Processing of data of active participants (competitors, competition experts, volunteers, etc.) of international competition of professions EuroSkills 2018 Budapest and any event related thereto SkillStar processes the following data related to active participants concerning organization of international competition of professions EuroSkills 2018 Budapest: - scope of the processed data: name, date of birth, phone number, address, data related to food intolerance, data related to allergy, image; - purpose of the processing: registration, identification of the participants, and carrying out of travel and accommodation services, - basis for the processing: consent of the data subject [GDPR, point a) of paragraph (1) of Article 6]; - method of the processing: digital documentation; - duration of the processing: 30 th September 2019; processors providing travel, accommodation, guard or security services, international organization having the rights of the competition Processing of data of participants of international competition of professions EuroSkills 2018 Budapest, participating in frames of school community service SkillStar processes the following data related to participants concerning organization of international competition of professions EuroSkills 2018 Budapest, participating in frames of school community service: - scope of the processed data: name, date of birth, residence, mother s birth name, data related to food intolerance, data related to allergy, parent s/caretaker s name, parent s/caretaker s residence, parent s/caretaker s phone number; - purpose of the processing: registration and identification of persons participating in frames of school community service, issuing certificate to them; - basis for the processing: consent of the data subject [GDPR, point a) of paragraph (1) of Article 6]; - duration of the processing: 30 th September 2019, after this date 1 (one) year from the performance of school community service; processors providing guard and security services Processing of data of active participants (competitors, competition experts, volunteers, etc.) of international competition of professions EuroSkills 2018 Budapest and any event related thereto SkillStar processes the following data related to active participants concerning organization of international competition of professions EuroSkills 2018 Budapest: - scope of the processed data: name, date of birth, phone number, address; - purpose of the processing: registration and identification of the participants; - basis for the processing: consent of the data subject [GDPR, point a) of paragraph (1) of Article 6]; 5

6 - method of processing: digital documentation; - duration of processing: 30 th November 2018; processors providing guard and security services. 4. THE RIGHTS OF THE DATA SUBJECT 4.1. Right of information The data subject shall have the right to be informed in case SkillStar processes personal data relating to him or her. The information shall contain the following: - the identity and the contact of the controller; - the purposes and the legal basics of the processing; - the envisaged duration of the processing; - information on other rights of the data subject contained in this chapter; - information on opportunity of withdrawal of consent, when the legal basis of the processing is the consent of the data subject; - the name of the supervisory authority which is competent pursuant to the processing operation. The information shall contain the source of the data, where personal data obtained from another source Right of access The data subject shall have the right to obtain from SkillStar confirmation as to whether or not personal data concerning him or her are being processed, and, where that in the case, access to the personal data and the following information: - the purposes of the processing; - the categories of personal data concerned; - people to whom the personal data have been disclosed or will be disclosed; - envisaged duration of the processing; - the source of the data, where the personal data are not collected from the data subject. The information shall contain further details concerning the other rights mentioned in this chapter and the name of the supervisory authority which is competent pursuant to the processing operation Right to rectification The data subject shall have the right to obtain from SkillStar the rectification of inaccurate personal data concerning him or her Right of erasure The data subject shall have the right to ask SkillStar to erase personal data relating to him or her in the following cases: 6

7 - personal data are no longer necessary in relation to the purposes which they were processed; - the data subject withdraws his or her consent and the processing has no other legal grounds; - the data subject objects to the processing and there are no overriding legitimate grounds; - the personal data have been unlawfully processed; - the personal data have to be erased for compliance with a legal obligation in law to which the controller is subject Right to restriction The data subject shall have the right to obtain from SkillStar restriction of the processing of the personal data relating to him or her where the following applies: - the accuracy of the personal data is contested by the data subject (for a period enabling to verify the accuracy of the personal data); - the processing is unlawful and the data subject opposes the erasure of the personal data; - the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; - the data subject has objected to processing (pending the verification whether the legitimate grounds of the controller override those of the data subject) Right to data portability The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly-used and machine-readable form and have the right to transmit those data to another controller without hindrance from SkillStar Right to object The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is necessary for the purposes of legitimate interests pursued by the SkillStar or by a third party, SkillStar shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims Right to compensation The data subject who has suffered damage as a result of an infringement of law or this policy shall have the right to receive compensation from SkillStar Law enforcement The data subject shall have the right to give a notice of the claims regarding to points of this chapter (to SkillStar or the data protection officer mentioned in this policy) in person, in writing or by . The data subject shall proof his or her identity first to be entitled to exercise the legal claim. After the proof of the identity the personal contact is no longer necessary, the communication can continue via other means and contacts (e.g. postal address, phone number, ) given by the identified data subject. The 7

8 information shall be in a concise, transparent, intelligible and easily accessible form. The compensation can be enforced in the form as mentioned above or with a law-suite in a judicial procedure. 5. PROTECTION OF THE PROCESSED DATA 5.1. Measures of protection SkillStar makes efforts to use the highest safety methods in relation to data which processed and stored by itself or SkillStar s controllers. At the same time details of these methods couldn t be mentioned in this policy regarding there nature and the purposes of them. If any problem occurs relating to any of the safety methods, SkillStar shall immediately start making steps in order to solve the problem and to make the safety method better or to change the method for a more suitable one to reach a higher safety level without undue delay Personal data breach In the case of a personal data breach relating to the processed personal data, SkillStar shall, without undue delay, but not later than 72 hours after having become aware of it, notify the competent supervisory authority about the personal data breach. The notification shall describe the nature of the personal data breach, the categories of data subjects concerned, the categories of personal data records concerned, communicate the name and contact details of the data protection officer, describe the likely consequences of the personal data breach and measures taken or proposed to be taken to address the personal data breach. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, and the risk cannot be removed or the consequences cannot be avoided, SkillStar shall communicate to the data subject without undue delay. The communication shall describe in clear and plain language the nature of the personal data breach and contain measures taken or proposed to be taken to address the personal data breach. 6. MISCELLANEOUS 6.1. Place(s) of activity The main place of activity of SkillStar is Hungary (Budapest) Data protection officer Data protection officer can be contacted with questions, comments, complaints and any other claims concerning this policy or the processing of data by SkillStar via each of the following contacts: name: dr. Krisztián Tóta status: in-house lawyer, Hungarian Chamber of Commerce and Industry postal address: Hungary 1054, Budapest Szabadság tér 7. phone number: tota.krisztian@mkik.hu 6.3. Supervisory authority Where the processing of data by SkillStar infriges the rights or legitimate interests of a natural person, the data subject shall have the right to file a complaint to Hungarian National Authority for Data Protection and Freedom of Information (registered seat:

9 Budapest, Szilágyi Erzsébet fasor 22/C.; postal address: 1530 Budapest, Pf. 5.; phone number: ; fax: ; ugyfelszolgalat@naih.hu) Entry into force, amendment This policy shall apply from the date of its publication on the Website below. SkillStar reserves the right to amend this policy unilaterally and without explanation, in which case the amendment shall apply from the date of the publication of the amended policy on the Website. Budapest, 25 th May