
General data protection

1. Effectiveness of General Data Protection Regulation

 

1.1. These General Data Protection Regulations (hereinafter “Regulations”) contain all the general regulations regarding the management of personal data registered by Bimfra Design and Service Kft. (Limited Liability Company; registered office: 1122 Budapest, Városmajor utca 13. 2nd floor, company registration number: Cg.01-09-177156, registered in the company register of the Company Court of the Budapest-Capital Regional Court, hereinafter “Data Controller”).

 

1.2. The Data Controller has developed and applies these Regulations within the framework of the technical and organizational measures taken in order to ensure the compliance of its data management with the law.

 

1.3. The Data Controller protects the personal data of the data subjects at all times in accordance with the provisions of these Regulations and the legislation in force at any time regarding the processing of personal data [in particular, but not exclusively, Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of individuals with regard to the processing of personal data and on the free flow of such data, and repealing Regulation 95/46/EC (General Data Protection Regulation, hereinafter: GDPR), and Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: the Information Act)].

 

1.4. The text of these Regulations

The uniform text of these Regulations in force at any time is available on the Data Controller's website [www.bimfra.com]. If any provision of the Regulations is amended by the Data Controller, the Data Controller shall publish the text of the amended Regulations on its website within 30 days prior to the entry into force of the amendment, together with the publication of the information on the amendment.

 

 

 

2. Name and identification of Data Controller

 

2.1. Name of the Data Controller: Bimfra Design and Service Kft. (Limited Liability Company)

 

2.2. Data controller identification data:

- company registration number: 01-09-177156

- tax number: 24682567-2-43

 

2.3. Contact details of the Data Controller:

- registered office: 1122 Budapest, Városmajor utca 13. 2nd floor

- e-mail: info@cat-surveys.hu

 

2.4. Representative of the Data Controller: Andrea Ernecová

 

3. General information on data management: basic terms related to data management

 

3.1. “personal data”: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

3.2. “processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

3.3. “restriction of processing”: marking stored personal data with the aim of restricting their processing in the future.

 

3.4. “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

 

3.5. “pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the pers

 

3.6. “Data Controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Insurer or the specific criteria for its nomination may be provided for by Union or Member State law.

3.7. “Processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

 

3.8. “Recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

 

3.9. “Third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

 

3.10. “consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

 

3.11. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

3.12. “Genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

 

3.13. “biometric data”: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

 

3.14. “data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

 

3.15. “Binding Corporate Rules (BCRs)”: Personal Data Protection policies which are adhered to by a Controller or Processor established on the territory of any Member State of the Union for transfers or a set of transfers of Personal Data to a Controller or Processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

 

4. Guidelines of data management

 

In the course of its data management activities, the Data Controller acts in accordance with the following principles and enforces them:

 

4.1. Lawfulness, fairness and transparency: the Data Controller processes personal data lawfully and fairly and in a manner that is transparent to the data subject.

 

4.2. Purpose limitation: personal data are to be collected only for specified, explicit and legitimate purposes and it is not allowed to process them further in a way that is not compatible with those purposes.

 

4.3. Data minimisation: the Data Controller processes only those personal data, in a specific manner and for a period of time, which are mandatory in relation to the purposes of data processing.

 

4.4. Accuracy: the Data Controller ensures that personal data are accurate and are kept up to date, and takes all necessary steps to ensure that personal data which are inaccurate, considering the purposes for their processing, are deleted or rectified without any delay.

 

4.5. Storage limitation: Data Controller keeps personal data in a form that makes it possible to identify data subjects for no longer than is necessary for the purposes of the processing.

 

4.6. Integrity and confidentiality: Data Controller provides appropriate security for personal data by applying appropriate technical or organizational measures. This should include protection against unauthorised or unlawful processing, accidental loss, destruction or damage.

 

5. Purpose and legal basis of data processing

 

5.1. The purpose of data processing by the Data Controller is the fulfilment of legal or contractual obligations as well as the exercising of rights, in particular (but not exclusively) the enforcement of employment rights and the fulfilment of obligations, the continuous improvement of employee satisfaction and existing or potential customer satisfaction, the continual development of the efficiency and quality of services provided by the Data Controller in the course of its business, and helping to protect personal and property security.

 

5.2. The Data Controller only processes personal information

  • on the basis of the consent of the data subject,

  • performance of a contract concluded or to be concluded by the data subject,

  • in order to fulfill legal obligations on the Controller,

  • the protection of the vital interests of the data subject or of another natural person,

  • enforcement of the legitimate interests of the Data Controller or a third party.

 

5.3. If the processing is based on consent of the data subject, the Controller is obliged to obtain the data subject's voluntary written statement of consent based on appropriate information. Regarding the data processing based on the data subject's consent, the Data Controller records that the data subject has the right to withdraw his or her consent to the processing of his or her personal data at any time, provided that the withdrawal does not affect the lawfulness of the data processing prior to withdrawal.

6. Rights of the data subject

 

6.1. Regarding the data processing, the data subject has the following rights within the framework of the mandatory legal provisions on data processing:

 

  • the right to information related to data processing,

  • the right to access to information related to data processing, including a copy of the personal data processed,

  • the right to rectify or supplement inaccurate or incomplete personal data,

  • the right to withdraw consent of data processing,

  • the right for data portability,

  • the right to object,

  • the right to erasure, if

    • the processing of personal data is not necessary for the fulfillment of the Data Controller's legal obligation or for the submission, enforcement or protection of legal claims,

    and

    • the purpose of the processing has already been fulfilled, or

    • the data subject, in the case of consent-based data processing, withdraws his or her consent, or

    • the data subject objects to the processing, or

    • the processing of personal data is unlawful, or

    • the obligation to erase is imposed by law.

6.2. The Controller shall provide information to the data subject on actions taken on any request concerning the exercise of the data subject's rights without undue delay and in any event within one month of receipt of the request. In case of the complexity of the data subject's request or the high number of requests, the deadline may be extended by another two months, of which the Data Controller shall inform the data subject within one month of receiving the request, indicating the reasons for the delay. The Data Controller shall also inform the data subject no later than within one month from the receipt of the request if the Data Controller does not take action following the data subject's request. In that case, the information shall also cover the reasons for the non-action and the rights of legal remedy of the data subject.

7. Data transmission

 

7.1. If the data processing is based on the consent of the data subject, the Data Controller shall only transfer data to a third party with the express consent of the data subject, unless the Data Controller is obliged to disclose data by law, court or other body or organization exercising public power.

 

7.2. If the Data Controller uses a third party (data processor) to process personal data on behalf of the Data Controller, the Data Controller shall only use a data processor that provides adequate guarantees for the implementation of appropriate technical and organizational measures to ensure compliance with the legal requirements of data processing and the protection of the rights of data subjects.

 

8. Records of data processing activities

 

8.1. The Data Controller shall keep accurate and up-to-date records in writing (including electronic recording) of the data processing activities performed by it.

 

8.2. The general register of data processing activities shall contain at least the following information:

  • the name and contact details of the Data Controller,

  • the purpose and legal basis of the data processing,

  • defining the range of data subjects and the categories of personal data processed,

  • identification of the potential recipient of any transfer and, in the case of a transfer to a third country, guarantees of the data subject's rights,

  • the deadlines for deleting any categories of data (if it is possible to determine).

 

9. Data breach

 

9.1. If any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data (data breach) occurs, the Data Controller shall notify the National Authority for Data Protection and Freedom of Information (NAIH) without delay, but if possible no later than within 72 hours of becoming aware of the data breach, with the content required by law.

 

9.2. In addition to notifying the NAIH, the Data Controller shall inform the data subject about the data breach if a specific information obligation is imposed on the Data Controller by law.

 

9.3. The Controller shall keep a record of the data breaches, indicating the facts relating to the data protection incident, its effects and the measures taken to remedy it.

 

10. Data security

 

10.1. The Data Controller shall implement appropriate technical and organizational measures, in particular taking into account the nature, scope, circumstances and purposes of the data processing and the possible risks to the rights of the data subjects, in order to guarantee an adequate level of data security to the extent of potential risks and take all necessary measures in order to prevent possible data breaches.

In developing and taking appropriate technical and organizational measures, the Data Controller pays special attention to the development of risk minimization procedures and processes within the framework of its business activities, as well as to the efficient and secure operation of the information technology (IT) systems used.

 

10.2. In order to guarantee an adequate level of data security, the Data Controller shall grant access to the data only to those employees and only to the extent necessary for the fulfillment of their job responsibilities. In compliance with these Regulations and the legislation in force at any time, the employees of the Data Controller may process data only in order to fulfill their job responsibilities, during and to the extent necessary for that purpose.

 

10.3. The Data Controller is committed to the implementation of new technical solutions or organizational processes that guarantee data security to a greater extent than before, and will strive to implement them in order to continuously increase data security.

 

10.4. The Data Controller reviews its data management activities from time to time and, in addition to implementing any measures that may be necessary, continuously ensures compliance with the provisions of the legislation governing data management. If the review or the measures implemented as a result of it necessitate the amendment or supplementation of these Regulations, these amendments or supplementations shall be implemented immediately by the Data Controller, and the amended or supplemented Regulations shall also be published by the Data Controller according to Section 1.6 of these Regulations.

 

11. Legal remedy

 

11.1. If the data subject considers that the processing of personal data concerning him or her infringes the legal provisions governing data processing, the data subject may, in order to enforce his or her rights and on the basis of Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of individuals with regard to the processing of personal data and on the free flow of such data, and repealing Regulation 95/46/EC (GDPR), Act CXII of 2011 on the right to informational self-determination and freedom of information, and Act V of 2013 on the Civil Code, initiate legal proceedings or submit a complaint to the National Data Protection and Freedom of Information Authority (NAIH).

 

11.2. Contact details of the National Data Protection and Freedom of Information Authority:

  • mailing address: 1530 Budapest, P.O.B.: 5.

  • address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c

  • telephone: +36 1 391 1400

  • fax: +36 1 391 1410

  • e-mail: ugyfelszolgalat@naih.hu

11.3. Any person who suffers damage as a result of infringement of data processing law may claim compensation for proven damage. The Data Controller shall be liable for any damage caused by its data processing which infringes legal provisions governing its data processing activities, unless it can prove that it is not liable for the event that caused the damage.
