Privacy Policy

INTRODUCTION

CEGP Nzrt. (hereinafter: Joint-stock company, employer), as a data controller, undertakes to ensure that all data processing related to its activities complies with the requirements set out in these regulations and the applicable national legislation, as well as with the requirements defined in the legal acts of the European Union, in particular the European Parliament and the Council (EU) 2016 /679 Regulation on the protection of natural persons in regard with the management of personal data and the free flow of such data, as well as on the repeal of Directive 95/46/EC (hereinafter: Regulation), and CXII of 2011. Act on Informational Self-Determination and Freedom of Information (hereinafter: Information TV), and Act V of 2013 on the Civil Code (hereinafter: Civil Code). The data protection guidelines and data protection information arising in connection with the data management of the data controller are continuously available at the registered office of the Joint Stock Company and are announced by means of an announcement. The data manager reserves the right to change the information. Any changes require a general meeting decision in all cases.

CHAPTER 1
BASIC PRINCIPLES AND CONCEPTS

The Joint Stock Company is committed to protecting the personal data of its customers, members, and partners, and considers it of outmost importance to respect the right of its customers and members to self-determination of information. The Joint Stock Company, as a data controller, treats personal data confidentially and takes all security, technical and organizational measures that guarantee data security.

1.1 Data controller: the natural or legal person, public authority, agency or any other member that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by the EU or by the member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by the EU or by the member state law.

The publisher of this information, also the Data Controller:

Organization name: CENTRAL EUROPEAN GASTRO PLATFORM Service Non-profit Private Limited Company.
Headquarters: 1136 Budapest, Tátra utca (street) 5/a. under 2.
Company registers number: 01-10-141094
Tax number: 28841463-2-41
Email: karoly.berecz@cegp.hu

1.2 Data processor: the natural or legal person, public authority, agency or any other member that processes personal data on behalf of the data controller. The use of the data processor does not require the prior consent of the subject, but information is required. Accordingly, we provide the following information:

The data processors of the Joint Stock Company are included in Annex 1 of the data management information sheet.

1.3 Third party: the natural or legal person, public authority, agency, or any other body that is not the same as the data subject, the data controller, the data processor or those people who have been authorized to process personal data under the direct control of the data controller or data processor.

 1.4 Data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or by making it available in other ways, coordinating, or connecting, limiting, deleting, or destroying.

1.5  Principles of data management:

  1. a) Legality, fair play, and transparency
  2. b) Bound to a goal
  3. c) Data saving (relevant data)
  4. d) Accuracy (and up-to-date records)
  5. e) Limited storability (only for the time required to reach the goal)
  6. f) Integrity and confidentiality (data security)
  7. g) Accountability

1.6 The data protection officer of the Service Provider CENTRAL EUROPEAN GASTRO PLATFORM Non-profit Private Limited Company:

Name: Károly Berecz

Contact: karoly.berecz@cegp.hu 

CHAPTER 2
DATA MANAGEMENT RELATED TO EMPLOYMENT

2.1 Labor and personnel records

2.1.1 Only such data may be requested and kept on record from employees, such occupational medical aptitude tests may be conducted, which are necessary for the establishment, maintenance and termination of employment, as well as for the provision of social welfare benefits and which do not violate the employee’s personal rights.

2.1.2 Legal basis for data management: the Company processes the following data of the employee for the purpose of establishing, fulfilling or terminating an employment relationship under legal obligation:

  1. name,
  2. birth name,
  3. Time and place of birth,
  4. His mother’s name,
  5. home address,
  6. nationality,
  7. tax identification number
  8. Social security number,
  9. pensioner identification number (in case of a retired employee),
  10. identity document number
  11. the number of the official ID card confirming the residential address,
  12. Bank account number,
  13. starting and ending date of starting work,
  14. position,
  15. a copy of a document certifying your education,
    professional qualifications,professional competence,
  16. data of previous legal relationships,
  17. the amount of your salary, data related to salary payment and other benefits,
  18. Debt to be deducted from the employee’s wages based on a legally binding decision or legislation, or written consent, and the right to do so,
  19. the way and reasons for terminating the employment relationship,
  20. moral certificate,
  21. in the case of private pension fund and voluntary mutual insurance fund membership,the name of the fund,its identification number and the employee’s membership number,
  22. data on your marital status, number of children.
  23. photo,
  24. photo number, e-mail adress

2.1.3 The Joint Stock Company, as an employer, only handles data related to illness and workers union membership for the purpose of fulfilling the right or obligation defined in Act I of 2012 in the Labor Code.

 2.1.4 Recipients of the personal data: the manager of the employer, the exercise of employer’s authority, the employees and data processors of the Company performing labor and payroll tasks.

2.1.5 Duration of storage of personnel/employment documents containing personal data: 50 years.

2.1.6 Before data processing begins, the data subject must be informed of the legal basis of the data processing, i.e. that the data processing is based on the provisions of the Labor Code and the enforcement of the legitimate interests of the employer.

2.1.7 At the same time as the employment contract is concluded, the employer informs the employee about the handling of his personal data and personal rights by handing over an information sheet.

2.1.8 Upon termination of the employee’s employment, copies of all related documents must be provided at the employee’s request.

2.1.9 When the employee’s employment is terminated, only the data specified in the law can and must be kept.

2.1.10 After the termination of the employment relationship, all parties are bound by an obligation of confidentiality

2.2 Data management related to aptitude tests

2.2.1 The employee may only be subject to an aptitude test that is required by a law relating to an employment relationship, or which is necessary to exercise a right or fulfill an obligation defined in a law relating the employment relationship. Before the examination, the employees must be informed in detail about, among other things, what kind of skills and abilities the aptitude test is aimed at assessing, and what means, and methods are used for the examination. If a law requires the examination to be carried out, the employees must be informed of the title and the exact location of the law.

2.2.2 The employer regularly obliges employees to carry out a work suitability test both before the establishment of the employment relationship and during the existence of the employment relationship and may oblige in exceptional cases.

2.2.3 The scope of personal data that can be handled: the fact of job suitability and the necessary conditions for it.

 2.2.4 Legal basis for data management: the legitimate interest of the employer.

2.2.5 The purpose of processing personal data: establishing and maintaining an employment relationship, filling a position.

2.2.6 Recipients of personal data and categories of recipients: the results of the examination can be known to the examined employees or the specialist conducting the examination. The employer can only receive information on whether the examined person is suitable for the job or not, and what conditions must be provided for this. However, the employer cannot know the details of the investigation or its complete documentation.

2.2.7 Duration of processing personal data: 3 years after termination of employment.

2.3 Management of the data of employees applying for recruitment, applications, resumes

2.3.1 The range of personal data that can be processed: the natural person’s name, place and date of birth, mother’s name, address, qualification data, photo, telephone number, e-mail address, CV, copies of education, application materials, employer’s note on the applicant (if there is).

2.3.2 Legal basis for data management: consent of the data subject.

2.3.3 The purpose of handling personal data: application, application evaluation, conclusion of an employment contract with the selected candidate. The person concerned must be informed if the employer did not choose them for the given position. In the latter case, the applicant’s application materials must be returned to them, and their data must be destroyed.

2.3.4 Recipients of personal data and categories of recipients: the head of the Company entitled to exercise employer rights, employees performing labor/personnel tasks.

2.3.5 Duration of personal data storage: until the application or tender is evaluated. The personal data of applicants who are not selected must be deleted. The data of the person who withdrew their application must also be deleted. The Company stores the data listed in chapter “2.1 Labor and personnel records” about the person selected for the position, and deletes other data provided by the applicant (e.g., other CV data).

2.3.6 The Joint Stock Company may retain unsuccessful tenders only based on the express, clear and voluntary consent of the person concerned, provided that their retention is necessary in order to achieve the purpose of data management in accordance with the law. This written consent must be requested from the applicants no later than after the end of the admission procedure.

2.3.7 The Joint Stock Company can view the applicant’s social media profile.

2.4 Data management related to checking the email account usage

2.4.1 The Joint Stock Company provides the employee with an e-mail account – the employee can only use this e-mail address and account for the purpose of their job duties, in order for the employees to keep in touch with each other or correspond with clients, other people and organizations on behalf of the employer.

2.4.2 The employee may not use the e-mail account for personal purposes, may not store personal mail in the account, or subscribe to newsletters and lists.

2.4.3 The employer is entitled to check the entire content and use of the e-mail account at any time. The legal basis for data management is the legitimate interest of the employer. The purpose of the inspection is to verify compliance with the employer’s provision regarding the use of the e-mail account, as well as to verify the employee’s obligations.

  2.4.4 The head of the employer (Chairman of the Joint Stock Company) is entitled to the inspection.

2.4.5 If the circumstances of the inspection do not exclude the possibility of this, it must be ensured that the employee can be present during the inspection.

 2.4.6 Before the inspection, the employee must be informed about the employer’s interest in the inspection, who on behalf of the employer can carry out the inspection – according to which rules the inspection can take place (adherence to the principle of gradualism) and what the procedure is – what are their rights and legal remedies in connection with the data management associated with the verification of the e-mail account.

2.4.7 During the inspection, the principle of gradualism must be applied, so it must first be established from the address and subject of the e-mail if it is related to the employee’s job duties and not for personal purposes. The employer may examine the content of non-personal e-mails without restriction.

2.4.8 If, contrary to the provisions of the information sheet, it can be established that the employee used the e-mail account for personal purposes, he must be asked to delete the personal data immediately. In case of the employee’s absence or lack of cooperation, the employer will delete the personal data during the inspection.

2.4.9 Due to the use of the e-mail account contrary to the information, the employer may apply labor law legal consequences to the employee.

2.4.10 The employee may use the rights described in the chapter on the rights of the data subject in the data management accompanying the control of the e-mail account.

2.4.11 If the employee’s employment is terminated, the partners must be informed of this fact immediately, and at the same time the partners must be informed of the time at which the employee’s email address will be terminated. The employee handling the e-mail address must be appointed until the e-mail address ceases to exist. It is forbidden to redirect the e-mail address to another e-mail address.

2.5 Data management and data storage related to the use and control of computers, laptops and pendrives

  2.5.1 The employee may only use the computer, laptop, pendrive provided by the Company for work purposes, for the performance of work duties. The use of these for private purposes is prohibited by the Company. The employee may not manage or store any personal data or correspondence on these devices. The employer can check the data stored on these devices at any time.

2.5.2 When using the pendrive, the employee must strive to protect the data stored on the pendrive, so it is necessary to protect it with a password. If the employee loses the pendrive, he must report it to his employer immediately.

2.5.3 The control and legal consequences of these devices by the employer are otherwise governed by the provisions of the previous chapter 2.4.

2.5.4 All employees have access to the data stored on the data storage devices used at the registered office of the Joint-Stock Company and to manage them only with their own rights and in accordance with their rights. The data file of the data storage can only be deleted or modified with the permission of the employer.

2.5.5 The employer does not permit the storage or use of private data on the IT device provided to the employee. Own IT devices may not be used for work.

2.6 Data management related to the control of Internet use at work

2.6.1 The employee may only view websites related to his job duties; the employer does not allow the use of internet at work for personal purposes.

2.6.2 The authorized person for internet registrations carried out on behalf of the Company as a job task is the Company, and during registration, the identifier and password referring to the Company must be used. If the provision of personal data is also necessary for registration, the Joint Stock Company must initiate their deletion upon termination of the employment relationship.

2.6.3 The employer may control the employee’s use of internet at work, which is governed by the provisions of chapter 2.4 and its legal consequences.

CHAPTER 3
DATA MANAGEMENT RELATED TO EMPLOYMENT RELATIONSHIP

3.1 When concluding commission and business contracts

3.1.1 Scope of managed data: – for commission contracts (name, date of birth, mother’s name, home address, tax number, tax identification number, account number, social security number), – for business contracts (name, date of birth, mother’s name, home address, tax number, account number, social security number, entrepreneur ID number, individual entrepreneur number).

3.1.2 The legal basis for data management: enforcement of the legitimate interests of the employer and performance of the contract.

3.1.3 Purpose of handling personal data: conclusion of contracts ensuring professional task performance.

3.1.4 Recipients of personal data and categories of recipients.

3.1.5 Duration of processing personal data: 8 years.

3.2 Notes of minutes taken by the bodies of the joint-stock company can be viewed in the Book of Resolutions for the officers and members of the joint-stock company, copies of which can be requested for a reimbursement fee.

3.2.1 The video and audio recordings that form the basis of the verbatim minutes taken at the board meetings of the Joint Stock Company can be viewed in the official premises of the Joint Stock Company during business hours. To protect the rights of the individual, it is not possible to issue a copy of them.

3.3. Establishment and operation of a camera system

3.3.1 The establishment and operation of the electronic surveillance system (hereinafter: camera system) owned by the Joint-Stock Company, which serves to monitor premises and areas and is equipped with a closed system technical solution, the general assembly or the sub-assembly of the building(s) directly affected by the installation of the camera system, the member and non-member can decide with the affirmative vote of at least two-thirds of the owners. In this case, the Articles of Association or other internal regulations of the Joint Stock Company must contain the data management rules necessary for the operation of the camera system – established in accordance with the provisions of the Act on the Protection of Personal Data and the Data of Public Interest. The operator of the camera system may be a person entrusted with this activity based on the contract concluded by the board of directors – defined in the law on the rules of personal and property protection and private investigative activities.

3.3.3 The camera system can be operated if the following conditions are met:

a, the camera system serves exclusively the protection of human life, physical integrity, personal freedom, the prevention and proof of illegal acts, and the protection of property owned by the Joint Stock Company,

b, the existing circumstances make it likely that legal protection cannot be achieved by any method other than the use of the recordings,

c, its application extends to the extent necessary to achieve the goals defined in point a) and does not entail a disproportionate restriction of the right of self-determination of information.

3.3.4 The camera system may not be placed in a shared room in which, due to the purpose of the room, monitoring may violate human dignity (e.g., changing room, toilet).

3.3.5 The camera system must meet the requirements of the highest level of data security and automatic recordings. The recordings must be stored for fifteen days after the recording in order to use them in criminal, regulatory or other official or court proceedings initiated due to a crime or violation committed at the location of the recording – including proceedings initiated by the person concerned or the Joint Stock Company for the purpose of asserting their rights, even civil litigation – can be used as evidence by the data controllers authorized by law. After this deadline, unused recordings must be deleted immediately so they can no longer be restored.

3.3.6 Only the operator of the system can access the recordings recorded by the camera system – except for what is stated in paragraph 3.3.7. The operator of the system is only entitled to see them if it is necessary to enforce their obligations arising from the contract and to prevent or interrupt the illegal act, and the recordings can only be forwarded to the court, the infringement or other authority. Forwarding should only take place in cases defined by law and after the data processing legal basis of the person requesting the recording has been properly verified. Recordings must be deleted immediately after forwarding them.

 3.3.7 The person whose right or legitimate interest is affected by the recording recorded by the camera system may, within fifteen days from the date of the recording, request the recording not to be destroyed or deleted by its operator by proving his right or legitimate interest. The recording must be sent immediately to inquiries or data requests from a court, prosecutor’s office, investigative authority, body conducting preparatory proceedings or other authorities. If an inquiry or data request is not made within thirty days of the request for it not to be destroyed, the recording must be deleted immediately so that they can no longer be restored.

3.3.8 The exercise of all the rights listed in the law on the protection of personal data and the disclosure of public interest data must be ensured for the natural person concerned in the recording, considering the restrictions defined therein.

3.3.9 A protocol must be drawn up on the review of the recordings, which must contain the recording, the name of the person entitled to know it, as defined in paragraph 3.3.2, as well as the reason and time for getting to know the data.

 3.3.10 The attention of people intending to enter and stay in the Joint-Stock Company building, part of the building and the area monitored by the cameras of the apartment equipped with a camera system must be drawn to the fact of the use of the electronic surveillance system in a clearly visible place, in a clearly legible manner, suitable for the appropriate information. The operator’s identity and contact information must also be indicated in the information. Upon request, the operator is obliged to inform the person concerned about all the facts related to the recording, especially its purpose and legal basis, the person authorized to operate it, the time the recordings were made and the duration of their storage, as well as who can see the recordings. The information must cover the data subject’s rights related to data management – including the rights defined in paragraph 3.3.7 – as well as his legal remedies.

CHAPTER 4
FINAL PROVISIONS

4.1 In case of violation of the data subject’s rights related to personal data protection, he/she may apply to the court. The court acts out of sequence in the case. The adjudication of the lawsuit falls within the jurisdiction of the competent Court of Law. At the choice of the person concerned, the lawsuit can also be initiated before the Court according to the place of residence or dwelling place of the person concerned.

 4.2 By filing a report with the National Data Protection and Freedom of Information Authority – https://naih.hu/online-uegyinditas.html – the data subject can initiate an investigation, citing that a violation of rights has occurred in connection with the management of his personal data, or there is a direct risk of such violation.

Made:
Szolnok, 15.09.2021.

Made by:
Dr. Gábor Őrlős Law Office
5000 Szolnok, Szapáry u. (street) 31