Taking into consideration the provisions of Act CXII of 2011 On Informational Self-determination and Freedom of Information HIA-Hungary creates current data protection policy for the sake of protecting data of its Clients.
II. BASIC CONCEPTS
Related to data control and data protection the below concepts’ definitions imply the following:
1. Client: any person who, as a result of HIA-Hungary’s activities, enters into ad hoc or permanent contact with HIA-Hungary.
2. Staff-member: any person being in contractual relationship with HIA-Hungary who represents HIA-Hungary’s activities for the Client bearing the Client’s interests in mind.
3. Personal data: data relating to the Client, in particular the name and identification number of the data subject, as well as one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the Client. The person can be considered identifiable if - directly or indirectly – his/her name, identifying sign, or one or more of his/her physical, physiological, psychological, economic, cultural or social characteristics can be identified;
4. Data processor: natural or legal person, or organization without legal personality which alone or jointly with others determines the purposes and means of the control of the data; makes and executes decisions concerning data control (including the means used) or contracts a data processor to execute it.
5. Data control: any operation or the totality of operations performed on the data, regardless of the procedure applied; in particular, data collecting, recording, classifying, storing, modifying, using, querying, transferring, disclosing, synchronizing or connecting, blocking, deleting and destructing, as well as preventing the further use of the data, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as, fingerprints or palm prints, DNA samples, iris scans).
6. Data transfer: ensuring access to the data for a third party.
7. Disclosure: ensuring open access to the data.
8. Data deletion: making data unrecognizable in a way that it can never again be restored.
9. Blocking data: making it impossible, for a definite period of time or finally, to transfer, access, make public, alter, modify, destroy, delete, connect or synchronize, or use the data.
10. Data destruction: complete physical destruction of the data carrier recording the data.
11. Data processing: undertaking technical tasks in connection with data control operations, regardless of the method and means used for executing the operations, as well as the place of use.
12. Data processor: natural or legal person or organization without legal personality processing the data on the grounds of a contract concluded with the controller, including contracts conducted upon legislative provisions.
3.1. Control of personal data
When handling personal, special and criminal personal data HIA’s management and each staff-member are obliged to proceed as follows:
Personal data may only be controlled if the Client agrees to it or it is provided for by law or a local government decree.
Special personal data may be controlled if the Client agrees to it in writing, or the protection of special personal data relating to racial origin, national, nationality and ethnic status, political opinion or party affiliation, religious or other convictions, membership in an advocacy group is required to implement an international treaty, is provided for by law to enforce basic rights ensured in the Fundamental Law, serves the interests of national security, crime prevention and law enforcement; or the data control is provided for by law in other specific cases.
If the Client is unable to provide his consent to data handling due to physical reason or his incapacity to act, the data of the Client, including special personal data, may be controlled to protect his own or others’ vital interests to the extent required to avert and prevent disaster and emergency situations.
Personal data may only be transferred or various data controls may only be connected if the Client has given its consent to it, or it is permitted by law and conditions of data control are met for each of the personal data.
Personal data (including special data) may only be transferred –regardless of the data carrier or the mode of data transmission - to data controller or data processor of a third country if the Client has given an explicit consent to it, or it is permitted by law, and the level of data protection during control and handling of personal data in the third country is deemed to be sufficient.
Personal data may exclusively be controlled for a specific purpose to realize rights and fulfill obligations. Data control must at every stage comply with this objective. Only personal data essentially needed to satisfy the aim of the control, appropriate for achieving the goal may be controlled to the extent and for the time required to achieve the goal.
3.2. Purpose of data control
Recording and control of the Clients’ data are necessary to allow HIA-Hungary to perform its obligations and exercise its rights based on the relationship with the Client or statutory provisions and also to enable HIA-Hungary to send information letters or notifications to clients who had given their consent to such activities.
3.3. Duration of data control
Data controller controls data to the extent and for the time required for achievement of the purpose of data control or until the Client requests deletion of his/her personal data.
The Client – upon his/her request – is entitled to, either at the start of or during the legal relationship established with HIA-Hungary, to receive information in detail of every fact relating to what data are being controlled, the objective and duration of the control process, the identity of data controller and the fact of possible processing of his/her data and the Client also should be informed on how his/her consent to control his/her data can be revoked and how he/she can communicate it to HIA-Hungary.
The controller shall provide information within 30 days of submission of request. Information is provided free of charge, if the individual requesting the information has not yet submitted a request for information to the controller with the same scope of data in the same year, otherwise the costs connected with provision of information must be paid.
3.5. Data security
The controller, as well as the data processor within their respective scope of activities, is obliged to ensure data security, institute technical and organizational measures and develop procedural rules required to enforce data protection and confidentiality rules. Through the institution of the appropriate measures, the controller is obliged to prevent data from unauthorized access, modification, transfer, disclosure, deletion or destruction, accidental destruction and damage.
Data controller shall provide inspection, maintenance and updating of the systems and software used for data control.
3.6. The Client’s rights
The Client may request
- information on handling of his personal data as described above,
- the rectification of his/her personal data, and deletion of his/her personal data – with the exception of data processing ordered by a rule of law. Personal data must be deleted if it is requested by the Client unless data control is required by law or data control is necessary for meeting obligations of a contract conducted with the Client. Data processor shall take immediate action to delete personal data or instructs data processor to delete data.
The Client can go to court in case of violation of his/her rights.