GDPR

Part I - General provisions

§ 1 The purpose of these regulations is to ensure the enforcement of data protection rights and data security requirements, to prevent unauthorized access, unauthorized alteration and disclosure of data, and to provide for the procedural rules to be followed in the event of data protection incidents.

§ 2. (1) The scope of these regulations extends to the processing of personal data at Garota Kft., with the exception of the processing of data related to non-litigation proceedings within the competence of a notary.

Part II - Processing of personal data

§ 3. (1) With regard to data processing at Garota Kft., the data controller is the managing director (hereinafter referred to as the "data controller").

(2) The data controller may process personal data only in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Infotv.) and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the GDPR), and only to the extent and for the minimum time necessary to achieve the purpose of the processing. If the purpose of the processing has ceased to exist or the processing is otherwise unlawful, the data must be deleted.

§ 4 The data subject shall be informed, before the data are collected, of the purpose of the processing, of whether providing the data is voluntary or mandatory, and of the legal consequences of not providing it. Where the provision of data is mandatory, the legislation ordering the processing must also be indicated. The information shall also cover, in particular, the data subject's rights and remedies in relation to the processing. The information may be provided in writing or in the form of a notice on the data controller's website.
§ 5 Employees who process data for the data controller are obliged to treat the personal data that come to their knowledge as professional secrets. Only persons who have made a statement of confidentiality may be employed in such a position.

§ 6 The security of data processing by the data controller is guaranteed by the following technical and organizational measures:

(a) personal data stored electronically may be accessed only by employees authorized to do so by virtue of their job, and only after entering their access password;
(b) regular backups;
(c) a statement of confidentiality made by employees.

§ 7 In the case of any processing of personal data that is not based on a legal provision and for which there is no legal basis under Article 6 (1) (b), (d) or (f) of the GDPR, the data subject's explicit consent must be obtained before the processing begins.

§ 8 In the course of data processing, personal data may be processed for the period specified in the law or, in the absence of an express legal provision, for the period specified in paragraph (2).

§ 9 The data controller is entitled to process the personal data of employees that relate to their work. To protect the security of such personal data, paper records shall be stored in a locked cabinet.

{if you have a camera system}

§ 10 Pursuant to Article 6 (1) (f) of the GDPR, the data controller operates an electronic surveillance system (cameras) for security and control purposes. This must be clearly indicated at the entrance to the office. Employees shall be informed by the controller of the legal provisions governing the processing of personal data recorded by the electronic surveillance system. The information is provided in a document separate from the employment contract, and employees certify that they have received it by signing that document.

{if you have an office vehicle and a GPS tracker in it}

§ 11 The data controller is entitled to inspect the personal data recorded during working hours by the GPS tracking devices of vehicles owned by the data controller. The GPS tracking device may not collect personal data when the vehicle is used outside working hours.

{if you have a taxi card}

When taxi cards issued in the name of the data controller are made available to employees, the organizations arranging the passenger transport record the personal data related to the trip and send them to the data controller, which has access to them. Taxi cards provided to employees may be used only for work purposes.

{if you have an office mobile phone}

§ 12 The office mobile phone provided to the employee by the data controller may be used only with a passcode. The employee is obliged to ensure that the personal data and the passcode that come to his or her knowledge in connection with his or her work cannot be accessed by unauthorized persons. The employee is obliged to report the theft or loss of the office mobile phone to the data controller immediately.

{if you have an office laptop}

The office laptop provided to the employee by the data controller may be used only with a password. The employee must ensure that the personal data and the password that come to his or her knowledge in connection with his or her work are not accessed by unauthorized persons. To this end, the device must be switched off or locked with a screen lock when not in use. Official business may not be conducted in a public place in a way that allows an unauthorized person to see the machine. Official business may not be conducted over a public Wi-Fi network unless the employee is also connected to a virtual private network (VPN). The employee must immediately report the theft or loss of the office laptop to the data controller.

The personal computer used by the employee in the data controller's office may be used only with a password. The employee must ensure that the personal data and the password that come to his or her knowledge in connection with the work are not accessible to unauthorized persons. To this end, the device must be switched off or locked with a screen lock when not in use, especially when the employee is not in his or her office.

The office mobile phone, office laptop and personal computer provided to employees may be used for work. If the employee stores his or her own personal data on the office mobile phone, office laptop or personal computer, then by placing the data on the device he or she acknowledges that the data controller may access them.

In the event of a breach of the preceding paragraph, the employee shall be deemed to be the controller, and the obligations imposed on the controller and the related liability shall be borne by him or her.

§ 13. The employee is obliged to store his or her e-signature card in such a way that the risk of loss or theft is minimal. The e-signature card and the codes required for its use (PIN, PUK) may not be stored in the same place.

An employee may not leave a document containing personal data on his or her desk when he or she is not in the office.

The data controller may record incoming telephone calls with the consent of the data subject.

§ 14 A record shall be kept of all data transfers performed by the data controller, containing the information required by Section 15 (2) of the Infotv.

The data stored in the data transfer register may be deleted after 5 years in the case of transfers of personal data and after 20 years in the case of transfers of special data.

§ 15 A request for data transfer from a legal or natural person other than the data controller and not mentioned in paragraph (2) may be complied with only if the data subject authorizes the data controller to do so in writing. The data subject may also give such authorization in advance, which may cover a specified period of time and a specified group of legal or natural persons making requests.

(2) Irrespective of any statement made by the data subject, requests from the authorities dealing with criminal matters (police, courts, prosecutor's office) and from the national security services shall be complied with.

(3) Neither the body or person concerned by a request received from the national security services nor any other body or person may be informed of the request, of its existence, of its content or of the action taken on it.

§ 16 The IT application used to keep the register shall keep a log of data transmissions performed from the electronically maintained register, in accordance with the legal provisions concerning the register.

(2) The data in the log shall be kept, from the time of their creation, for the period prescribed in the legislation on the register, and the technical means necessary for accessing them shall be provided.

§ 17 On the basis of the available data, the data controller shall examine the existence of the conditions for the transfer of data, the feasibility of the request and, if necessary, provide further information.

(2) The data controller shall decide whether the request can be fulfilled within 3 days in the case of a request from a cooperating body within the meaning of Act CCXXII of 2015 on the general rules of electronic administration and trust services (hereinafter: cooperating body), and otherwise within 15 days. If the transfer of data is refused, the cooperating body may initiate a consultation, which shall be held within 3 days.

(3) If the conditions for the transfer are met, the data shall be made available to the requesting body or person. The costs incurred in connection with the transfer of the data shall be borne by the requesting body or person.

§ 18 The transfer of personal data to a country outside the European Union or to an international organization may take place in accordance with the relevant provisions of the GDPR, with the consent of the data controller.

§ 19 A data processing register shall be kept of the processing activities performed by the data controller in respect of the personal data covered by these regulations.

(2) The data processing register is not public; it may be consulted by the supervisory authority in the performance of its tasks under the GDPR.

(3) The data controller shall keep the data processing register electronically.

(4) The data controller is obliged to ensure that changes affecting the processing of personal data carried out by him or her are recorded in the data processing register without delay.

§ 20 The data subject may submit a request relating to the exercise of his or her rights under Articles 15 to 22 of the GDPR to the controller in writing or by electronic means.

(2) The controller shall decide on the request within one month of receiving it, after consulting the Data Protection Officer, and shall inform the data subject of the action taken on the request or, if no action is taken, of the reasons for this and of the possibility of lodging a complaint or appeal with the supervisory authority.

§ The Data Protection Officer is directly responsible to the Data Controller.

(2) The Data Protection Officer shall not take instructions from anyone in connection with the performance of his or her duties.

(3) The Data Protection Officer shall be able to intervene in an appropriate and timely manner in all matters relating to the processing of personal data.

(4) The Data Protection Officer shall be bound by the obligation of professional secrecy with regard to information obtained in the performance of his or her duties. This obligation shall continue to apply to the Data Protection Officer after leaving office.

Part III - Dealing with data protection incidents

§ 22 In the event of a data protection incident (hereinafter: incident), the employee who notices it shall notify the data controller by e-mail or telephone immediately, and no later than 24 hours after its detection.

(2) The controller shall immediately investigate the incident, with the involvement of the Data Protection Officer, to determine whether it is likely to endanger the rights and freedoms of natural persons.

(3) Where, on the basis of the results of the investigation under paragraph (2), the incident is likely to endanger the rights and freedoms of natural persons, the controller shall

(a) notify the incident to the supervisory authority by electronic means no later than 72 hours after its detection, in accordance with Article 33 (3) of the GDPR, and
(b) take the necessary technical or organizational measures to deal with the incident.

(4) Where, on the basis of the investigation under paragraph (2), the incident is likely to pose a high risk to the rights and freedoms of natural persons, the controller shall, in addition to the measures provided for in paragraph (3), inform the data subject without undue delay, unless any of the conditions set out in Article 34 (3) of the GDPR is met.

§ 23 The data controller shall keep an electronic register of incidents, in which the facts related to the incident, its effects and the measures taken to remedy it shall be indicated.

Part IV - Final provisions

§ 24. These regulations shall enter into force on 25 May 2018.

§ 25. Issues not regulated in these regulations shall be governed by the provisions of the GDPR and the Infotv.