ProMan Consulting Kft. (hereinafter referred to as “Controller“, headquarters 1221 Budapest, Tanító utca 15/1a.) as a (Data) Controller in the processing of personal data acts in accordance with the provisions of the regulation and the applicable laws (regulation No 2016/679 of the European Parliament and the Council of 27 April 2016) on the protection of individuals with regard to the processing of personal data and the free movement of such data.
ProMan Consulting Kft. respects your rights (hereinafter referred to as “Data Subject“) to protect your personal data. This information material summarizes, in a compact, simple way, what information we collect, how we can use it, and describes the tools we use, as well as the privacy and enforcement capabilities of the Data Subject.
Detailed rules are laid down in the aforementioned Regulation. For further information, we recommend consulting the Regulation itself.
- Personal data – any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- Controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- Data Processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- Recipient – a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- Third Party – a natural or legal person, public authority, agency or body other than the Data Subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- Consent – consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- Personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Authority: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), naih.hu
Name of Controller: ProMan Consulting Kft.
Headquarters: 1221 Budapest, Tanító u. 15/1a.
Postal address: 1221 Budapest, Tanító u. 15/1a.
Company registration number: 01-09-293715
Data Controller Representative: Zsolt Czimbalmos
E-mail address of Data Controller Representative: email@example.com
General telephone number: +36 30 663 2069
General e-mail address: firstname.lastname@example.org
Data Protection Officer (DPO): János Szendi Joó
DPO mail address: email@example.com
Place and address of complaint handling: 1221 Budapest, Tanító u. 15/1a.
2. Purpose of processing, scope of processed data, duration of processing, and scope of entitled third parties to access data
Purpose of processing
Personal data can only be processed for a specific purpose, to the extent necessary, to exercise a right and to fulfil obligations. At all stages of processing, the purpose of processing must be met, and data entry and management must be fair and legitimate. Personal data can only be handled to the extent and for the duration required to achieve the goal. Controller’s internal instructions specify that only the recipients who contribute to and are needed for achieving the purpose of processing may manage the data.
Controller handles personal data on the basis of a Data Subject’s legitimate interest in the following cases:
- Customer identification,
- recording service orders, fulfilling ordered services, sending the corresponding notifications,
- keeping records of Data Subject’s personal data to support service provision,
- operating IT systems to support service provision.
Controller handles personal data with a voluntary consent in the following cases:
- Potential customer identification,
- customer enquiry correspondence, information dissemination, contacting.
Controller handles personal data as a result of a statutory obligation in the following cases:
- certification of deliveries, handling of attendance sheets.
The scope of processed data, the duration of processing, and entitled third parties to access data
Referring to the above, the following data are collected and treated for the designated retention period by reference to the claimed legal basis.
Data PROCESSED by LEGITIMATE INTEREST
|Name of data||Retention time|
|Name||Retention time according to the termination of legitimate interest or according to the related statutory provision (Hungarian Civil Code 6:22§), which is 5 years.|
|Position at Company|
Data PROCESSED by STATUTORY OBLIGATION
|Name of data||Retention time|
|Name||Retention time according to the term of the legally binding contract or according to the related statutory provision (Act C. of 2000 on accounting, subsection (1) of 169. §), which is 8 years after the invoice has been issued.|
|Name||Retention time according to the related statutory provision (Act LXXVII. of 2013 on adult education, 16. §), which is 5 years.|
|Zip code of personal address|
|Year of birth|
|Labour law status|
|Highest level of completed education|
Data PROCESSED by VOLUNTARY CONSENT
|Name of data||Retention time|
|Name, e-mail address, telephone number||Until the end of the year in question when the contact was made.|
|CVs||Until the end of the year in question when the contact was made, or until the Data Subject withdraws his or her consent for data processing.|
Information on the methods of withdrawing voluntary consent can be found in Section 5 of this Statement.
3. Collection, use, and transmission of personal data
When collecting personal data, the Controller complies with applicable legal regulations, restrictions, and ethical standards.
- Informs Data Subject of Controller’s processing practices as prescribed in a timely manner, before data is processed.
- Collects, stores and uses personal data for a specific purpose only. The information collected is always relevant and appropriate to the given purpose.
- Takes reasonable steps to ensure that Data Subject’s personal data is complete, accurate, up-to-date and reliable for its intended purpose.
- Uses Data Subject’s personal data for promotional purposes only with Data Subject’s explicit consent and provides the opportunity to withdraw that consent and thus prohibit such communication.
- Takes reasonable and prudent steps to protect Data Subject’s personal data, including cases when personal data is transmitted to third parties. Data transfers to third parties without Data Subject’s prior express consent will not happen.
For the processing of personal data by the Controller, the following Data Processor(s) will be used for the indicated activities:
|Data Processor||Company reg. numb. / VAT numb.||Data processing activity|
|Gold Medal Kft.||01-09-996475||Accounting|
|Magyar Posta Zrt.||01-10-042463||Correspondence and courier service|
|Octonull Kft.||01-09-1981177||Invoicing, sending and storing invoices|
The data controller also transmits the data to the following recipients in addition to the recipients specified in the internal policy(s):
- Employees of the Controller performing customer service, commercial activities,
- Employees and processors of the Controller performing accounting and taxation activities.
4. Access, modification, correction, and portability of personal data
Data Subject has the right to receive feedback from Data Controller as to whether Data Subject’s personal data is being processed and, if such processing is in progress, has the right to have access to his or her personal data and the following information:
- purposes of processing;
- categories of personal data concerned;
- categories of recipients or recipients with whom or which personal data was communicated or will be communicated.
Data Subject is entitled to request the Controller to correct any of his or her inaccurate personal data without undue delay. Taking into account the purpose of the data handling, Data Subject is entitled to request the supplementation of incomplete personal data, including by means of a supplementary statement.
Data Subject has the right to receive the personal data previously provided to Controller in a commonly used, machine-readable format and is entitled to transmit this data to another Controller without being obstructed by the Controller, who was given access to these personal data in the first place, if:
- processing is based on voluntary consent or on a contract where Data Subject is one of the parties; and
- processing is carried out in an automated manner.
5. The deletion, limitation and right to object
(1) Data Subject has the right to have his or her personal data deleted by Controller without undue delay upon request, and Controller is obliged to delete personal data relating to the Data Subject without undue delay if one of the following reasons exists:
- personal data is no longer required for the purpose for which it was collected or otherwise handled;
- Data Subject withdraws the voluntary consent given to Controller through the contact opportunity provided by Controller and there is no other legal basis for processing;
- Data Subject has objected to data handling for reasons related to Data Subject’s own situation, or Data Subject objects to data processing because of direct business information management, and there is no overriding legitimate reason for data processing;
- personal data has been unlawfully handled;
- personal data is to be deleted in order to comply with legal obligations imposed on the Controller in the European Union or Member States’ law;
- the collection of personal data was directly related to the provision of information society services specifically to children.
(2) If the Controller has disclosed personal data and is required to delete it pursuant to paragraph (1), it shall take reasonable steps, including technical measures, taking into account the available technology and implementation costs, to inform the Controllers handling the data that Data Subject has requested the deletion of any links to, duplications or copies of such personal data.
(3) Paragraphs (1) and (2) shall not apply where data processing is required:
- to exercise the right to freedom of expression and information;
- to fulfill an obligation under EU or Member State law for the processing of personal data, which is applicable to the Controller, based on public interest or to carry out tasks in accordance with exercising public authority;
- based on public interest in the fields of workplace health or public health;
- for purposes of public interest archiving, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph (1) is likely to render impossible or seriously jeopardize this data processing; or
- to file, enforce or protect legal claims.
(1) Data Subject has the right to request Controller to limit the processing of data on request if one of the following is true:
- Data Subject disputes the accuracy of the personal data; in this case, the limitation applies for the period during which Controller can verify the accuracy of personal data;
- data processing is unlawful, and Data Subject opposes the deletion of data and instead requests their use to be limited;
- Controller no longer needs personal data for data processing, but Data Subject requires them to submit, enforce, or protect legal claims; or
- Data Subject has objected to data handling for reasons related to Data Subject’s own situation; in this case, the restriction applies to the duration of determining whether the rightful reasons of Controller have priority over Data Subject’s legitimate grounds.
(2) If the processing of data is restricted under paragraph (1), such personal data may only be used with the consent of the Data Subject concerned, or for the submission, enforcement or protection of legal or other rights of the natural or legal person, or in an important public interest of the EU or a Member State.
(3) Controller shall inform Data Subject in advance of the lifting of the limitation on processing that Data Subject requested pursuant to paragraph (1).
Data Subject is entitled to object to the handling of Data Subject’s personal data for any reason relating to Data Subject’s own situation if the Controller carries out a task in the exercise of public authority or processing is necessary to enforce the legitimate interests of the Controller or a third party, including profiling based on those provisions. In this case, Controller may not process personal data unless Controller proves that processing is justified by compelling legitimate reasons that prevail over the interests, rights and freedoms of the Data Subject, or that it is needed for the submission, enforcement or protection of legal claims.
If Data Subject’s personal data is handled for direct marketing, Data Subject is entitled to object at any time to the handling of personal data relating to that purpose, including profiling, if it relates to direct marketing.
If Data Subject objects to the handling of personal data for direct business acquisition, personal data may no longer be processed for that purpose.
6. Data Subject’s Enforcement Opportunities
In the event of a violation of Data Subject’s personality rights and in the cases specified in the Regulation, Data Subject may request the assistance of the National Authority for Data Protection and Freedom of Information:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
(National Authority for Data Protection and Freedom of Information)
Postal address: 1530 Budapest, Pf.: 5.
Address: Szilágyi Erzsébet fasor 22 / c., 1125 Budapest, Hungary
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
7. Changes in this Information material
The Controller reserves the right to modify or update this “Information” at any time, without prior notice, and publish the updated version on its websites. Any modification applies only to personal data collected after the publication of the revised version.
Please check this “Information” regularly to review the changes or to know how the changes affect you.
Last update: 20. 02. 2019.