ITSecure Kft. (hereinafter referred to as “Data Controller” or “Company”) is committed to taking the utmost care when handling personal data. Accordingly, the Data Controller has developed its data management, data processing, data deletion regulations and internal system aimed at the protection of personal data in accordance with legal regulations, taking into account the nature of the activities it performs, the legal obligations applicable to it and the nature of the legal relationships with its customers and partners.

The information below contains a detailed description of how and for what purpose the Data Controller processes your (hereinafter “Data Subject”) personal data and what rights you have in relation to the data managed by the Company.

1. The data controller

Information about the data controller:

• Name: ITSecure Kft.
• Headquarters: Hársfa u. 11, 5500 Gyomaendrőd, Hungary
• Mailing address: Logodi utca 54, 1012 Budapest, Hungary
• Electronic (e-mail) address: [email protected]
• Name of his representative: Gergely Biró

2. Legal basis of data management, duration of data management

In the course of its data management activities, the Company acts in accordance with the provisions of data protection legislation regarding the management of personal data of natural persons. The basic principles of the Company’s data management comply with the provisions of the following legislation:anagement

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR),
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.),
• Act V of 2013 on the Civil Code (Civil Code Act),
• Act I of 2012 on the Labour Code;
• Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (Act on the Rules of Private Investigation)

Questions not or not fully covered by this information are governed by the provisions of the Infotv. and the above-mentioned legislation.

3. Amendments to this Guide

The Company reserves the right to unilaterally modify the Privacy Policy. The current Privacy Policy is available on the Website. By accessing the Website, the user of the Website accepts the provisions of the current Privacy Policy.

4. Terms and definitions

The following terms are used in this Policy:

• “data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
• “data processing” means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• “restriction of processing” means the marking of stored personal data for the purpose of limiting their future processing;
• “controller” means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
• “transfer” means the making available of data to a specified third party;
• “erasure” means the rendering of data unrecognisable in such a way that it is no longer possible to retrieve it;
• “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed;
• “Anonymisation under the GDPR” means the permanent de-personalisation of data such that their link with the data subject can no longer be established, including by the Service Provider. The Service Provider shall consider the risks at its own discretion and decide whether to anonymise instead of deleting;
• “recipient” means the natural or legal person, public authority, agency or any other body to whom or with whom the personal data is disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
• “consent of the data subject” means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data relating to him or her;
• “supervisory authority concerned” means a supervisory authority which is concerned by the processing of personal data for one of the following reasons:

1. the controller or processor is established in the territory of the Member State of that supervisory authority;
2. the processing significantly affects or is likely to significantly affect data subjects residing in the Member State of the supervisory authority; or
3. a complaint has been lodged with that supervisory authority;

• “supervisory authority” means an independent public authority established by a Member State in accordance with Article 51 of the GDPR;

• “third party” means a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

• “third country” means any State which is not an EEA State;

• “processing for legal obligations” means processing necessary for compliance with a legal obligation to which the controller is subject;

• “processing for legitimate interests”: processing necessary for the purposes of the legitimate interests pursued by the controller or a third party;

• “representative” means a natural or legal person established or resident in the Union and designated in writing by the controller or processor pursuant to Article 27 of the GDPR to represent the controller or processor in relation to the obligations incumbent on the controller or processor under this Regulation;

• “international organisation” means an organisation governed by public international law or its subsidiary bodies or any other body which is established by or under an agreement between two or more countries;

• “profiling” means any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

• “relevant and reasoned objection” means an objection to a draft decision, raised with regard to whether this Regulation has been infringed or whether the envisaged action by the controller or processor is in compliance with this Regulation; the objection must clearly demonstrate the significance of the risks posed by the draft decision to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union;

• “personal data” means any information relating to an identified or identifiable natural person (‘the data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

• “cross-border processing of personal data”: 

1. the processing of personal data within the Union in the context of activities carried out by a controller or processor established in more than one Member State at sites of activity in more than one Member State; or 

2. processing of personal data carried out in the Union in the context of activities carried out by a controller or processor at a single establishment which significantly affects or is likely to significantly affect data subjects in more than one Member State;

• “processing for the performance of a contract” means processing necessary for the performance of a contract to which the data subject is a party or necessary for the purposes of taking steps at the request of the data subject prior to entering into a contract.

• “centre of activity”:

1. in the case of a controller having establishments in more than one Member State, the place of its central administration within the Union, but where decisions concerning the purposes and means of the processing of personal data are taken in another establishment of the controller within the Union and the latter establishment has competence to implement those decisions, the establishment which took those decisions shall be considered the centre of activity; 

2. in the case of a processor having its place of business in more than one Member State, the place of its central administration within the Union or, where the processor does not have a central administration in the Union, the place of business of the processor within the Union where the main processing activities in relation to the activities carried out at the place of business of the processor take place, where the processor is subject to obligations under this Regulation;

Where the definitions in the applicable data protection legislation (at the time of the drafting of this Regulation, the Infotv.) differ from the definitions in this Regulation, the definitions in the legislation shall prevail.

5. Cookie information

The data to be technically recorded are the data of the User’s computer logging in, which are generated during the use of the service and which are logged by the data controller’s system as an automatic result of technical processes (e.g. IP address, session ID). Due to the operation of the internet, the data to be automatically recorded are automatically logged by the system without any special declaration or action by the Data Subject – using the internet. The Internet does not function without these automatic server-client communications. These data cannot be linked to other personal data of the Data Subject, except in cases required by law. The data can only be accessed by the Company. The log files, which are automatically and technically recorded during the operation of the system, are stored in the system for a period of time justified for the purpose of ensuring the operation of the system.

The Company informs visitors to the Website that the collection and processing of data through the use of the Website (in the absence of web contact) is carried out through the use of anonymous User identifiers (cookies or cookies) and their acceptance by the Data Subject. The Company summarises the essential characteristics of cookies below.

Cookies are widely used to operate websites efficiently or to provide web services and features.

Cookies do not contain any personal data and are not used to identify individual users.

Cookies may be “permanent” or “temporary” cookies. Persistent cookies are stored by the browser for a fixed period of time, provided that they are not deleted by the user before that time, while temporary cookies are not stored by the browser and are automatically deleted when the browser is closed.

Cookies will allow your browser to be uniquely identified, the website will remember your actions and personal preferences (e.g. username, language, font size and other unique settings related to the presentation of the website) for a certain period of time, and will store the fact and time of your visit to the site. This way you do not have to re-enter them each time you visit our website or navigate to our website from another page.

In general, “cookies” and other similar programs make the website easier to use, help to provide visitors with a real web experience and an effective source of information, and enable the website operator to monitor the functioning of the site, prevent abuse and ensure that the services provided on the site are smooth and of an adequate standard.

What kind of cookies does the website use?

Cookies that provide basic functionality

These cookies ensure the proper functioning of the website, facilitate its use and collect information about its use without identifying our visitors.

Our website uses cookies for the following purposes:

• to set the language of the website
• to identify the user on return, to remember certain settings/preferences.

The information stored by cookies is used only for the purposes described here. We do not pass on cookies or the data they store to third parties. For detailed information about these cookies, please see the table below:

Google Analytics cookies

Google Analytics cookies are simple, easy-to-use tools that help the website owner assess how users interact with the content of the website (how many have visited the website, how many people are on the website, etc.)

We use this information to create statistics and further develop the portal. These cookies cannot identify you personally, they collect information such as which page was viewed by our visitor, which part of the website the user clicked on, how many pages were visited, how long the viewing time of each session was, and what were the possible error messages.

More information about these cookies is available at the following links:

• https://policies.google.com/technologies/types?hl=en
• https://marketingplatform.google.com/about/analytics/

Accept/deny cookies

Accepting and authorizing the use of “cookies” is not mandatory. You can refuse the use of cookies through the settings of your computer or other device used for browsing, or the browser used to access the website. However, in this case, some pages may not be displayed correctly, or the system will inform you in a message that cookies must be enabled to view the website. Without the use of cookies, we cannot guarantee you full use of the website.

• ITSecure Kft. 5500 Gyomaendrőd, Hársfa utca 11. operation, maintenance, hosting of the IT Secure website
• Google LLC CA 94043 Mountain View 1600 Amphitheater Parkway, United States of America, provision of analytical services on the neka.hu website, detailed information on analytical data management: http://www.google.com/intl/hu/policies/

A cookie valid until the end of the session remains on the computer only until the browser is closed.

6. Purpose of data management, scope of managed data, duration of data management, persons entitled to access data in relation to Data Subjects applying to the Company as job seekers

The Company always processes personal data exclusively for specific purposes, to the extent necessary, in order to exercise rights and fulfill obligations. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal. Personal data can only be processed to the extent and for the time necessary to achieve the purpose. The purpose of data management is to select job applicants and contact them.

The Company handles the personal data provided during the application in accordance with the provisions of Infotv. and the GDPR.

The Company processes Personal Data based on your express and voluntary consent in the following cases: Workforce recruitment.

The Data Controller treats the application for the job advertisement by e-mail as an express and voluntary consent, since there is no technical possibility to prove voluntariness in any other way.

With reference to the indicated legal basis, the Company collects and processes personal data according to the table(s) below for the indicated retention period:

The Company uses the personal data provided during the application, as well as the personal data indicated in the submitted documents, only when evaluating applications that match the applicant’s qualifications. Providing certain information is absolutely necessary for the selection process.

We draw your attention to such mandatory information.

Personal data can only be accessed by the Data Controller’s employees and agents who contribute to the implementation of the data management goals indicated above. The transfer of personal data is possible only in the cases stipulated by law or on the basis of the Data Subject’s consent.

No one but the data manager can access the data.

7. The purpose of the data management, the scope of the data managed, the duration of the data management, the persons entitled to access the data in relation to the Data Subjects staying at the Company’s premises and the Company’s employees

The provisions of this chapter cover the processing of the personal data of all Data Subjects who are present at the Company’s premises or are employees of the Company.

The Company always processes personal data exclusively for specific purposes, to the extent necessary, in order to exercise rights and fulfill obligations. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal. Personal data can only be processed to the extent and for the time necessary to achieve the purpose. The data controller regulated in its internal instructions that only those recipients who contribute to the achievement of the data management goal and are necessary for that process handle the data.

We draw the attention of data informants to the Company that if they do not provide their own personal data, the informant must obtain the consent of the data subject.

The Company processes personal data in accordance with the provisions of Infotv. and the GDPR, based on legitimate interest, in the following cases: stay at the premises.

With reference to the indicated legal basis, the Company collects and processes personal data according to the table(s) below for the indicated retention period:

8. Data managed by the Company

The Data Manager does not manage special data. In the case of job applications and job applicants, the Company manages the data specified in the following chapter:

• 6. Purpose of data management, scope of managed data, duration of data management, persons entitled to access data in relation to Data Subjects applying to the Company as job seekers
• 7. The purpose of the data management, the scope of the data managed, the duration of the data management, the persons entitled to access the data in relation to the Data Subjects staying at the Company’s premises and the Company’s employees

In the case of non-natural persons, if the representative or authorized representative does not expressly indicate with respect to the non-natural person that the provided e-mail address or other contact data are not the personal data of the given representative or authorized representative, the Company may reasonably assume that the provided contact data (e-mail, phone number) is considered the data of the given non-natural person.

Personal data can only be accessed by the Company’s employees and agents who contribute to the implementation of the aforementioned data management goals. The transfer of personal data is possible only in the cases stipulated by law, on the basis of a data processing contract or on the basis of the Data Subject’s consent.

9. Data management rules

If data processing serves several purposes at the same time, consent must be given for all data processing purposes.

If the data processing is not carried out for the fulfillment of a contractual obligation, the fulfillment of a legal obligation or for a legitimate interest, personal data can only be processed with the express consent of the Data Subject. The Data Subject has the right to withdraw his consent at any time. However, withdrawal of consent is only valid for data processing based on consent, not for data processing based on other legal bases. Withdrawal of consent does not affect the legality of data management prior to the withdrawal, nor does it influence it.

10. Access to data, data transmission

The Company has developed IT support appropriate to the purpose of data management, which ensures that personal data can only be accessed by those persons who need to manage this data.

In addition, if it is necessary on the basis of the legal basis of data management, the Company is entitled or obliged to transmit or make available the data it manages to the person entitled to it.

The Company may transfer the personal data managed by it to service providers under contractual legal relationship with the Company, to the extent and duration necessary for the fulfillment of the tasks of these persons, but at most for the same extent and duration as the data management defined above.

The Company is entitled to involve a data processor in the performance of data management activities for the entire duration of the data in its possession.

In the case of using a data processor, the Company stipulates as a contractual obligation that the contracted data processor complies with the provisions of the GDPR in order to protect personal data and also has the required records. For the management of personal data, the Company uses the following Data Processor(s) for the indicated activities:

Data may be transferred in the following cases:

• in order to fulfill official or judicial data provision obligations;
• in the cases of data provision required by law;
• in order to fulfill the concluded contract or to fulfill the obligations undertaken in connection with the contract, or to check them, if the Company provides a given service jointly with another partner.

At the request of the person concerned, the Company provides information about the recipients of the data transfers.

The Company ensures that the persons defined above handle the data management in compliance with the data protection rules in force at all times and the legal provisions on confidentiality.

11. Deleting data

The Company continues to process data to the extent and for the time specified in the legislation or necessary for the realization of the purpose of data management in accordance with the Company’s current Document Management Regulations. With the termination of the data management purpose, the data is deleted or, if possible, anonymized in accordance with the principle of limited storage.

The duration of data management related to invoicing: 8 years, or the period specified in the tax law and accounting legislation in force at all times.

12. Data security

The Company keeps it during data management

• confidentiality: protects the information so that only those authorized to do so can access it;
• integrity: protects the accuracy and completeness of the information and the method of processing;
• availability: it ensures that when the authorized user needs it, he can really access the desired information and that the related tools are available.

The Company, as a data controller or data processor in its scope of activity, ensures the security of the data, and also takes the technical and organizational measures and establishes the rules that are necessary to enforce the Infotv. and other data and privacy protection rules.

When storing the data, the Company ensures that unauthorized persons cannot access the data, and that the confidentiality of the data cannot be violated during the entire period of data management. The data is protected by appropriate measures, especially against unauthorized access, change, transmission, disclosure or deletion, as well as against accidental damage, as well as against becoming inaccessible due to changes in the technology used.

The Company sets out the detailed rules for data management in its Data Protection Policy.

During data management, the Company always takes care of the appropriate level of data protection, which it ensures or ensures by introducing various technical and organizational measures. These measures provide the level of protection required by the related risks and the nature of the personal data and take into account the current state of technology, the nature, scope, connections and purposes of data management, as well as the rights and freedoms of natural persons, caused by the varying probability and severity risk. To this end, the Company uses data management systems, develops and applies procedural rules that ensure that only those who are justified in performing the activities can access the information, as well as reduce to the smallest possible extent the possibility that during the performance of the activities anyone can unlawfully use the information in their possession for a different purpose or contrary to it.

13. Information on data security measures:

In the event of a data protection incident, the Company shall report it to the National Data Protection and Freedom of Information Authority without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to personal data. If the data protection incident that has occurred involves a high risk, the Company is obliged to notify all users without undue delay.

14. The Data Subject’s rights and their enforcement options

Based on the relevant legislation, the following can be requested from the Data Controller:

• Informing the data subject about the handling of his personal data;
• correcting the Data Subject’s personal data;
• deletion of the Data Subject’s personal data, with the exception of mandatory data management;
• request to carry data;
• protest against unauthorized data management or data transmission;
• initiation of restriction of data management;
• initiating a legal remedy.

The Company provides the Data Subject with the following legal remedies in the event of a violation of the rights related to the handling of personal data:

• You can request information about the management of your personal data, as well as request the correction of your personal data. Upon request, the Company provides information on the data it manages, the purpose, legal basis, duration of the data processing, the name, address (headquarters) of the data processor and its activities related to the data processing, as well as on who and for what purpose the data is or has been received. The information will be provided in writing in an understandable form as soon as possible after the submission of the request, but at most, if no shorter deadline is established by law, within 30 days.
• The Data Subject’s personal data will be deleted:
• if its handling is illegal,
• if the Data Subject requests it (unless the data management is based on a mandatory provision of law),
• if the purpose of data management has ceased,
• if it is incomplete or incorrect, and this condition cannot be legally remedied, provided that deletion is not precluded by law,
• if the statutory period for data storage has expired,
• if it was ordered by the court or the National Data Protection and Freedom of Information Authority.

The Company will notify you of the correction and deletion. The notification can be omitted if this does not harm the legitimate interests of the data subject in view of the purpose of the data management.

Within the scope of his right to restrict the processing of data, the Data Subject is entitled to request the restriction of his personal data managed by the Company, among other things, if:

• disputes the accuracy of personal data,
• the data processing is illegal, but the Data Subject opposes the deletion of the data,
• the purpose of the data management has been achieved, but the Data Subject requires the personal data to submit, enforce or defend legal claims,

As part of his right to data portability, the Data Subject is entitled to receive his personal data managed by the Company in a segmented, segmented, widely used, machine-readable format, and to transmit these data to another data controller; if:

• the processing of personal data is based on the Data Subject’s consent or is necessary for the performance of a contract, and
• data management is done automatically.

With regard to personal data managed by the Company on the basis of the Data Subject’s consent, the consent is revoked at any time, which does not affect the legality of the data processing carried out on the basis of the consent prior to the withdrawal.

The Data Subject may object to the processing of his personal data if

• data management is necessary to assert the legitimate interests of the data controller or a third party,
• the exercise of the right to protest is otherwise permitted by law.

The Company – with the simultaneous suspension of data management – will examine the objection within the shortest period of time from the submission of the application, but at most, if no shorter deadline is established by law, within 30 days, and will inform the applicant of the result in writing. If the Company determines that the protest is well-founded, it will terminate the data management – including further data collection and transmission – and block the data, as well as notify all those to whom the personal data affected by the protest may have been previously transmitted about the protest and the measures taken based on it. and who are obliged to take measures to enforce the right to protest.

If you do not agree with the Company’s decision, or if the Company misses the deadline stipulated in Infotv., you may apply to the court within 30 days from the notification of the decision or the last day of the deadline.

15. National Data Protection and Freedom of Information Authority (Supervisory Authority)

The Data Subject may file a complaint with the Data Protection Supervisory Authority (National Data Protection and Information Freedom Authority, 1125 Budapest, Szilágyi Erzsébet fasor 22/c, postal address: 1530 Budapest, Pf.: 5. e-mail: [email protected]).

Budapest, January 19, 2022.