Appendix I to the Internal Data Protection Regulations

Information on certain data processing activities performed by Katto Kft.

Introduction

Katto Kft. (registered office: H-2040 Budaörs, lot no.: 10855/15, tax number: 26629236-2-13, telephone number: +36 30 900-8679, e-mail: katto@katto.hu, represented independently by: Balázs Rudner, Managing Director), in its capacity as data controller, deems it important to respect and enforce the data-processing rights of its clients and all other natural person data subjects (hereinafter: data subjects). It hereby informs the data subjects that, in its data processing activity, it proceeds in accordance with the provisions of the data protection law in effect in Hungary, the prevailing Internal Data Protection Regulations and any other internal regulations.

This data protection Notice forms part of the Controller’s Internal Data Protection Regulations (hereinafter: Regulations), created for the purpose of briefly informing the data subjects about certain data processing activities of the Data Controller and the relevant rules. Issues and topics not addressed in the individual Notices are governed by the provisions of the Regulations and the relevant laws, and the Notices should be interpreted together with those. The full texts of the Notices are continuously available at H-2040 Budaörs, Gyár u. 2.

In order to ensure transparency, the Data Controller presented the required information in the form of Questions and Answers and, where possible, in tables, providing examples as necessary. Transparency is also facilitated by the fact that each form of data processing has been defined on a separate page. 

The individual forms of data processing also comply with the obligation to provide information, as stipulated in Articles 13 and 14 of GDPR.

Who processes my data?

The Employees of Data Controller may process the data only to the degree absolutely necessary for the performance of their duties.

Does the Data Controller transfer or transmit data to third parties?

Personal data are processed essentially by the Data Controller, or – should it outsource the task – by the outsourcing provider(s) specified in Appendix II to the Regulations. In this case the Data Controller transfers data to the data processors and it is responsible for the activity of the data processors.

The Data Controller may transmit to its Partners the data specified by the data subject, should the requirements in respect of onward transfer be met. 

In certain cases, the Data Controller transmits data to the authorities or courts.



What rights do I have?

Pursuant to the provisions of the Information Act (Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information) and Regulation 2016/679/EU of the European Parliament and of the Council, the data subject has the following rights: the right to access, the right to rectify, the right to erase, “the right to be forgotten”, the right to block/restrict data, the right to object, the right to turn to the courts, and the right to lodge a complaint with the authorities.

The Data Controller reminds the data subjects that conditions and restrictions may apply to the exercise of their rights in relation to certain types of data processing, which factors the Data Controller is obliged to assess. When the data subject cannot exercise his or her right in relation to the respective data processing, the Data Controller shall inform the data subject of the factual and/or legal reasons precluding/restricting the exercise of the right.

Where and how can I obtain detailed information on the processing and transmission of data, where and how can I exercise my rights?

The Data Controller informs the data subjects that they may submit their request for information and exercise their other rights – should it not be excluded by law – by a declaration sent to katto@katto.hu or to any other contact point of the Data Controller. The Data Controller examines and responds to the declaration within the shortest possible period from the receipt thereof, and takes the necessary measures in accordance with the provisions of the declaration, the Regulations and the law. 

What forum may I contact upon the breach of the right of self-determination? 

Hungarian National Authority for Data Protection and Freedom of Information 

Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c

Telephone: +36(1) 391-1400 

Fax: +36(1) 391-1410 

www: http://www.naih.hu 

e-mail: ugyfelszolgalat@naih.hu 

Upon the breach of his or her rights the data subject may turn to the courts. The courts shall hear such cases in priority proceedings. The burden of proof to show that the data processing complies with the statutory provisions lies with the Data Controller.

When, by the illegal processing of the data of the data subject or by the violation of the data security requirements the Data Controller breaches the privacy of the data subject, he or she may demand compensation from the Data Controller.

How does the Data Controller ensure the security of my data?

The Data Controller ensures the security of the data by protecting it by proper measures from unauthorised access, alteration, forwarding, disclosure, deletion or destruction, incidental destruction or damage, and inaccessibility resulting from the change in the applied technology. 

When determining and applying the measures to ensure the safety of the data, the Data Controller takes into consideration the current level of technological development and, of the several possible data processing solutions, selects the one that provides the highest protection for the personal data, unless it would represent disproportionate difficulty.

Within the scope of its duties related to IT protection, the Data Controller particularly ensures: 

    1. denial of access by unauthorised persons to the equipment used for data processing (hereinafter: data processing system), 
    2. prevention of unauthorised reading, copying, altering or removal of data carriers,
    3. prevention of unauthorised recording of personal data in the data processing system as well as learning, amending or deleting of the personal data stored therein, 
    4. prevention of the use of the data processing systems by unauthorised persons through data transmission equipment, 
    5. that the persons authorised to use the data processing system have access only to the personal data specified in the access rights,
    6. that it can be verified and established to which recipient the personal data were or may be transmitted, were or may be provided through the data transmission system, 
    7. that it can be subsequently verified and established which personal data were recorded when and by whom in the data processing system,
    8. prevention of unauthorised learning, copying, amendment or deletion of the personal data during their transmission or the transportation of the data carrier,
    9. that upon malfunction the data processing system can be restored,
    10. that the data processing system is serviceable, the errors occurring during its operation are logged and that the stored personal data cannot be amended even by the faulty operation of the system.

For further information see Section 10 of the Regulations.

What kind of data processing activity does the Data Controller perform, for what purpose and how long does it process my data?

The individual types of data processing have been defined on separate pages.

Appendix II to the Internal Data Protection Regulations

Register of Katto Kft’s data processors and recipients of data transmission

Katto Kft. (registered office: H-2040 Budaörs, lot no.: 10855/15, tax number: 26629236-2-13, telephone number: +36 30 900-8679, e-mail: katto@katto.hu, represented independently by: Balázs Rudner, Managing Director), as the data controller, hereby informs the data subjects as follows:

Data processor of the Data Controller’s website, commissioned with the responsibility to web host:

Name: Pászli Balázs

Registered office: 1136 BP Hollán Ernő utca 21/b

Contact details: balazs@ethermedia.hu

Appendix III to the Internal Data Protection Regulations

Katto Kft’s external data protection notice

Katto Kft. (registered office: H-2040 Budaörs, lot no.: 10855/15, tax number: 26629236-2-13, telephone number: +36 30 900-8679, e-mail: katto@katto.hu, represented independently by: Balázs Rudner, Managing Director), as the data controller, hereby provides a brief summary of the processing activities it performs.

The Controller reminds the data subjects that

  • the data subjects may exercise their rights (the right of access, the right of erasure and “the right to be forgotten”, the right to block/restrict data, the right to object, and the right to data portability) by sending a declaration to katto@katto.hu or other contact of the Data Controller, and upon any breach of their rights they have the right to file a complaint with the competent authority (for the current contact details see: Hungarian National Authority for Data Protection and Freedom of Information (NAIH), www.naih.hu) or the court with competence based on the data subject’s place of residence and demand compensation. The Data Controller reminds the data subjects that conditions and restrictions may apply to the exercise of their rights in relation to certain types of data processing, which factors the Data Controller is obliged to assess upon the data subjects’ exercise of their rights. When the data subject cannot exercise his or her right in relation to the respective data processing, the Data Controller shall inform the data subject of the factual and/or legal reasons precluding/restricting the exercise of the right in writing (including electronic form).

  • for more detailed explanation of the individual types of data processing see Appendix I to the Internal Data Processing Regulations.

  • no profiling shall take place in respect of any data processing.

  • disclosure to a third party may take place in relation to the respective data processing, which is stated in the detailed information on the respective data processing, and if any disclosure takes place in respect of any data during the data processing stipulated below, the recipient of the disclosure (controller or processor) was specified in Appendix II.

  • the summary below contains all types of data processing carried out by the Data Controller, except those that solely apply to Data Controller’s employees.

Summary table of data processing related to one-off requests for and provision of information

Purpose: Providing proper information to the data subject, and communication

Legal basis: Voluntary consent or fulfilment of statutory obligation, or based on agreement, or legitimate or vital interest

Data subjects: All natural persons who enter into relations with the Data Controller and request or receive information from the Data Controller

Data category: See below

Duration: Until the realisation of the purpose, or the request for erasure, or after the expiry of statutory deadline, or after the expiry of the period of limitation or upon the cessation of the legitimate interest

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary of the data processed during continuous and regular communication with the data subject

Purpose: Communication with the data subject, responding to questions and resolving other issues, marketing/sales activity

Legal basis: Voluntary consent or fulfilment of statutory obligation, or based on agreement, or legitimate or vital interest

Data subjects: All natural persons, including the natural person acting for and on behalf of an organisation, who beyond a one-off request for information continuously or regularly communicates with the Data Controller

Data category: See below

Duration: Until the realisation of the purpose, or the request for erasure, or after the expiry of a statutory deadline, or after the expiry of the period of limitation or upon the cessation of the legitimate interest

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary table of data processing related to request for proposal and making offers

Purpose: Making an offer to the data subject, and communication

Legal basis: Voluntary consent

Data subjects: All natural persons, including the natural person acting for and on behalf of an organisation, who ask for a proposal from the Controller by providing his or her personal data

Data category: See below

Duration: During the validity period, or upon acceptance until the end of the legal relationship, or when the data processing takes place based on legitimate interest, until the expiry thereof

Method: Electronically and/or on paper; this typically takes place electronically, manually

Source: Data subjects

Summary table of data processing related to the conclusion of agreements

Purpose: Conclusion and fulfilment of the agreement, supervision of fulfilment, communication

Legal basis: Concluding the agreement (Article 6 (1)b) of GDPR); the processing of the data of the representative or contact person is based on a legitimate interest

Data subjects: All natural persons, including the natural person acting for and on behalf of an organisation, who concludes an agreement – providing his or her personal data – with the Data Controller, or is specified in the contract as a representative or contact person

Data category: See below

Duration: Term of limitation, or duration specified in the agreement, or may not be scrapped, and thus it must not be erased

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary table of data processing related to orders

Purpose: The purpose is to identify the data subjects ordering the services, to ensure and verify their rights, to simplify and carry out the order, and communication

Legal basis: Agreement, the processing of the data of contact persons is based on a legitimate interest

Data subjects: All natural persons, including the natural person acting for and on behalf of an organisation, who orders services or products from the Data Controller (or from its Partner through the Data Controller) by providing his or her personal data

Data category: See below

Duration: Until the end of the term of limitation

Method: Electronically and/or on paper; processing is carried out manually

Source: Data subjects

Summary table of data processing related to delivery

Purpose: Fulfilment of the agreement: delivery of the goods/products by the deadline to the specified address, communication with regard to the fulfilment

Legal basis: Concluding the agreement (Article 6 (1)b) of GDPR), or a legitimate interest (if the data subject is a representative/contact person)

Data subjects: All natural persons, including the natural person acting for and on behalf of an organisation, who orders delivery from the Data Controller

Data category: For more details see the data processing Notice

Duration: Within the term of limitation

Method: Electronically, on paper, manually

Source: Data subjects

Summary table of the data processing related to appointments (bookings)

Purpose: To arrange an appointment for the data subject, and communication

Legal basis: Based on voluntary consent, or – if it is prescribed by law – on statutory obligation

Data subjects: All natural persons with whom the Data Controller makes an appointment

Data category: See below

Duration: Until the realisation of the purpose, or within the general term of limitation, or as long as the legitimate interest exists

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary table of data processing related to the declarations of consent

Purpose: Proof of the legal basis of the data processing, fulfilment of the consent, and communication

Legal basis: Voluntary consent

Data subjects: All natural persons who provide the Data Controller with a declaration of consent to process their data for a specific purpose

Data category: For more details see the data processing Notice

Duration: Consent until withdrawal/cancellation; the declarations of consent are erased after the end of the term of limitation

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary table of the data processing related to images, video and sound recordings taken with the consent of the data subject

Purpose: The purpose specified in the consent of the data subject

Legal basis: Voluntary consent

Data subjects: All natural persons who provide prior consent to taking a photo, video and/or sound recording of them

Data category: For more details see the data processing Notice

Duration: Until erasure at the data subject’s request

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary table of data processing related to complaints/complaint management

Purpose: Identification of the data subject and the complaint, management of the complaint and communication

Legal basis: The data processing starts upon voluntary consent, but based on Article 6(1)c) of GDPR, in order to fulfil the legal obligation applicable to the data controller, Section 17/A (7) of Act CLV of 1997 on Consumer Protection

Data subjects: All natural persons who communicate their complaint related to the service used, products purchased and/or the conduct, activity or omission of the Data Controller

Data category: See below

Duration: The Data Controller processes the minutes taken on the complaint and the copy of the response for five years from the recording of those based on the Act on Consumer Protection

Method: Electronically and/or on paper, manually

Source: Data subjects

Summary table of the data processing related to the register of data subjects (clients and partners)

Purpose: Identification of the data subject, communication with him or her, monitoring the fulfilment of the agreement (if applicable)

Legal basis: Based on voluntary consent, or based on agreement, or necessary for the fulfilment of statutory obligation or based on legitimate interest

Data subjects: All natural persons and representatives of legal entities, who wish to become the Partner/client or Employee of the Data Controller

Data category: See below

Duration: Until erasure at the data subject’s request; until erasure due to failure of data reconciliation; until erasure due to the death of the data subject; if the interest of the Data Controller necessitates it, until the end of the interest. The Data Controller may declare the register to be of permanent value, and thus the data included in it may not be erased

Method: Electronically (on paper) manually

Source: Data subjects, incidentally the partner

Summary table of data disclosure (to third party)

Purpose: Specific purpose

Legal basis: Consent, fulfilment of statutory obligation, agreement, legitimate interest

Data subjects: All natural persons, including the natural person acting for and on behalf of an organisation, whose data the Data Controller discloses to a third party

Data category: See below

Duration: Until the realisation or end of the purpose, or the statutory deadline or until the end of legitimate interest

Method: Electronically and/or on paper, manually, complying with the data security requirement and principle of confidentiality

Source: Data subjects, data processor, authentic public records

Summary table of data processing related to delivery and acceptance protocols

Purpose: Proof, monitoring

Legal basis: Legitimate interest of the Data Controller, or should it be prescribed by law, and fulfilment of statutory obligation

Data subjects: All natural persons, and the representative of legal entities, who receive or deliver products/goods from/to the Data Controller; witnesses, if necessary

Data category: See below

Duration: Term of limitation, or the cessation of the legitimate interest

Method: Electronically, on paper, manually

Source: Data subjects

Summary table of data processing related to bank data and credit transfers

Purpose: Facilitating and verifying financial settlement

Legal basis: Fulfilment of statutory obligation and/or agreement, or voluntary consent

Data subjects: All natural persons to whom credit transfers, initiated by the Data Controller, are made, and all natural persons who wish to settle their financial obligation to the Data Controller by credit transfer through a bank

Data category: See below

Duration: Until the end of the term of limitation, or by the statutory deadline

Method: Takes place electronically, manually or in automated form

Source: From own register, from the data subjects

Summary table of data processing related to the issuing of invoices

Purpose: Fulfilment of statutory obligation

Legal basis: Fulfilment of statutory obligation in accordance with Act CXXVII of 2007 on Value Added Tax, and the regulations issued under this Act

Data subjects: All natural persons, including sole traders, obliged to issue invoices to the Data Controller

Data category: Data categories stipulated in Sections 169–170 and 176 of Act CXXXVII of 2007

Duration: Within the term of limitation

Method: On paper/electronically, manually

Source: Data subjects, rarely authentic public records

Summary table of data processing related to the acceptance of invoices

Purpose: Complete fulfilment of statutory obligations, storage of invoices (and equivalent documents) based on Section 179 of Act CXXVII of 2007

Legal basis: Fulfilment of statutory obligation (Section 179 of Act CXXVII of 2007)

Data subjects: All natural persons whose data are shown on the invoice (or equivalent document) accepted by the Data Controller or on the annex thereto

Data category: Data categories stipulated in Sections 169–170 and 176 of Act CXXXVII of 2007

Duration: Within the term of limitation

Method: On paper/electronically, manually

Source: The party that issues the invoice



Summary table on the operation of closed-circuit television (CCTV) system

Purpose: The purposes stipulated in the CCTV regulation, e.g. protection of property, persons and corporal integrity, etc., identification of the data subjects

Legal basis: Legitimate interest of the Data Controller

Data subjects: All natural persons who enter or stay in the area covered by the CCTV surveillance system

Data category: See below

Duration: Section 32 (2) of Act CXXXII of 2005 (in the absence of use for three working days from the day of recording)

Method: Electronically, in automated manner

Source: Data subjects

Summary table of data processing related to GPS tracker

Purpose: Protection of the business interests of the Data Controller (employer), protection of motor vehicles, and the life and corporal integrity of the driver

Legal basis: Legitimate interest of the Data Controller

Data subjects: All employees who drive a vehicle equipped with GPS tracker, and the passengers in the vehicle

Data category: See below

Duration: 30 days from the recording, or if there is a proceeding, until the completion of it

Method: Electronically in an automated manner

Source: From the data processor operating the GPS system

Summary table of data processing related to the sending of newsletters

Purpose: Providing comprehensive general or personalised information to the recipient on the Data Controller’s latest promotions, events and news

Legal basis: Based on voluntary consent

Data subjects: All natural persons who wish to be informed of the Data Controller’s news, promotions and discounts, and to this end subscribe to the newsletter service by providing their personal data

Data category: See below

Duration: Until unsubscribing

Method: Subscribing electronically or on paper, manually; sending electronically in an automated manner; unsubscribing electronically or on paper, manually

Source: Data subjects



Summary table of data processing related to marketing through social media

Purpose: Data Controller’s marketing

Legal basis: Voluntary consent

Data subjects: Natural persons who voluntarily follow, share or like the social networking sites of the Data Controller or the contents published therein

Data category: See below

Duration: Until erasure upon the data subject’s request, or the cessation of the legitimate interest

Method: Takes place electronically, manually

Source: Data subjects

Summary table of data processing related to the processing of the data of job applicants

Purpose: To facilitate application and selection, communication

Legal basis: Voluntary consent

Data subjects: All natural persons who apply for jobs announced by the Data Controller or apply without any vacancy notice

Data category: See below

Duration: For the period stipulated in the consent or until the end of the legitimate interest

Method: Electronically, on paper, manually

Source: Data subjects