Effective: from 01 April 2021
DATA MANAGEMENT INFORMATION
SME-EUROPE Ltd
I. Purpose of this privacy notice
The purpose of this Privacy Notice (hereinafter referred to as "Privacy Notice") is to set out the rules governing the data protection and data management policy of SME-Europe Ltd.), in compliance with the data protection and data management provisions laid down in Regulation 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter referred to as the "GDPR Regulation"), which the Company shall enforce in all its activities and services to ensure that the data subjects' right to the protection of their personal data is respected in the processing and management of their personal data.
II. Scope of the privacy notice
The scope of the Privacy Policy covers all computer and manual processing and handling of personal data by all employees and subcontractors of the Company.
The personal scope of the Privacy Policy extends to all employees of the Company performing data processing and data handling, as well as to natural and legal persons and organisations with legal personality who have a contractual relationship with the Company, to the extent specified in the contract concluded with them and in the confidentiality statement.
The Rules shall enter into force on 01 April 2021 and shall remain in force until revoked, provided that the Company publishes the text of the Rules in force on its website at the following link: www.sme-europe.com
III. Concepts
The terminology of this Policy corresponds to the interpretative definitions set out in Article 4 of the GDPR Regulation and, supplemented at certain points, to the interpretative provisions of Article 3 of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "Info Act").
Terms used in this Prospectus have the following meanings as defined above:
data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
data management: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data controller: a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the controller's designation may also be determined by Union or Member State law;
privacy incidents: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
the data subject's consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;
addressed to: the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The Data Controller shall make the information available on its website on an ongoing basis. Acceptance of the Privacy Notice (by ticking the corresponding checkbox) constitutes acknowledgement of receipt and constitutes consent to processing, i.e. processing can only take place if the data subject gives his or her freely given, specific, informed and unambiguous consent to the processing of personal data concerning the natural person by means of a clear affirmative action, such as a written, including electronic, statement.
The personal data collected by the Controller must be processed only for specified, explicit and legitimate purposes and not in a way incompatible with those purposes, or stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
In the course of their work, the employees of the Data Controller shall ensure that no unauthorised persons have access to personal data, and that the storage and placement of personal data is designed in such a way that it cannot be accessed, accessed, altered or destroyed by unauthorised persons.
IV. Processing of data in the course of using the website of the Data Controller
Cookiek
Cookies are placed on the user's computer by the websites visited and contain information such as the page settings. The use of cookies enables the Company to retrieve certain data about the visitor and to monitor his/her use of the Internet. Some cookies are essential for the proper functioning of the site, others collect statistics to make the use of the site more convenient, while some cookies are used to serve targeted advertisements. Visitors can use the bar at the bottom of the website to choose which cookies they want to allow, i.e. which cookies they agree to and which they do not want.
the purpose of the processing: to study website visiting habits, to facilitate contact with the Company
the type of data processed: the visitor's Internet Protocol (IP) address, the time of the visit, the pages viewed, the name of the browser program used
the legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR.
data retention period: maximum one year from the date of recording
how the data is stored: electronic
Get a Quote!
On the Company's website, visitors have the possibility to request a quote. By filling in the form, the visitor provides the relevant data required for contacting the Company and calculating the offer. However, the data can only be sent if the data subject accepts the Company's privacy policy by ticking a box, otherwise the offer cannot be finalised.
purpose of processing: facilitate contact with the Company, registration
scope of data processed: name of contact person, e-mail address, telephone number, place of loading and unloading
legal basis for processing: data subject's consent pursuant to Article 6(1)(a) of the GDPR
data storage period: 30 days from the date of filling in the request for proposal form, if no contract is concluded between the parties, if the contract is concluded, 10 years from the date of its termination.
storage method: electronic
Data processing related to job applications
CVs sent via the Company's online platform or by post are received directly from the person concerned in person or by post to the Company's headquarters and premises or electronically to the e-mail address info@sme-europe.com operated by the Company.
The person concerned can apply under the "Careers" section of the website. The data subject can apply by filling in a form, which he/she must accept before submitting it and give his/her consent to the processing.
the purpose of the processing: the selection of a suitable prospective employee or contractor to fill the vacancy, the processing of personal data of applicants
the scope of the data processed: name, e-mail address, telephone number, data provided in the CV uploaded by the data subject
legal basis for processing: data subject's consent pursuant to Article 6(1) GDPR
data retention period: 1 year from the date of recording
how the data is stored: electronically
V. Data processing in the course of the Company's operations
Customer Register
The data of customers and partners are recorded and stored in the Company's unique system.
the purpose of the processing: maintaining the necessary contacts to meet the ordering needs of customers and partners.
scope of data processed: name, e-mail address, telephone number of the customer's contact person
the legal basis for processing: the data subject's consent within the meaning of Article 6(1)(a) of the GDPR or, additionally, a legitimate interest within the meaning of Article 6(1)(f) of the GDPR
the deadline for data storage: until the termination of the relevant contract
how the data is stored: electronic
Customer care
In order to serve customers' needs as fully as possible, the Company sends informal e-mails to the contact persons of the contracted partners, for example, to inform them that the contracted partner's insurance has expired. These e-mails, although sent automatically, are not considered as advertising and are necessary for the performance of the contract.
the purpose of the processing: customer care
scope of data processed: name, e-mail address, telephone number of the customer's contact person
legal basis for processing: the data subject's consent pursuant to Article 6(1)(a) of the GDPR or, additionally, legitimate interest pursuant to Article 6(1)(f) of the GDPR
the deadline for data storage: until the dissolution of the company or its cancellation at the request of the person concerned
how the data is stored: electronic and paper-based
Account management
purpose of processing: issuing and storing invoices
the scope of the data processed: customer name, address
the legal basis for processing: Article 6(1)(c) of the GDPR and Article 167 of Act C of 2000 on Accounting.
the deadline for data storage: the accounting documents shall be kept by the Company for at least 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting. The Company shall automatically delete the personal data of the data subject after 8+1 years
how the data is stored: electronic
VI. Enforcement of data subjects' rights
The data subject may request information about the processing of his or her personal data; request the rectification of his or her personal data; request the erasure of his or her data by e-mail to info@sme-europe.com; request the restriction of processing; and have the right to data portability and to judicial remedy. In the event of a complaint, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information in Hungary or, at your choice, with a court. The court of law has jurisdiction in court proceedings.
Rights of the data subject:
a) The obligation to inform the employees of the Data Controller
- The employee must be informed before the processing starts that the processing is necessary for the performance of the contract.
- The employee must be informed clearly and in detail of all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller and processor, the duration of the processing and the persons who may have access to the data, before the processing begins.
- The information should also cover the rights and remedies of the data subject in relation to the processing.
- Employees are informed of the data processing when they start their employment, which they sign to confirm.
- The employee is responsible for ensuring that the data he or she provides to the Data Controller are authentic, accurate, complete and up-to-date.
- The employee must notify the change in his/her registered data without delay, but
- shall notify the Data Controller within a maximum of 5 working days.
b) Right to information
At the request of the data subject, the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language. The data subject may request information about the processing of his or her personal data and may request the rectification or erasure of his or her personal data, except for processing required by law. At the request of the data subject, the Controller shall provide information on the data processed by it, the purposes, legal basis and duration of the processing, the name, address (registered office) and activities of the data processor in relation to the processing, as well as the persons who receive or have received the data and the purposes for which the data are received or have been received. The controller shall provide the information in writing, in an intelligible form and free of charge, within the shortest possible time from the date of the request, but not later than 10 days.
c) The right of access of the data subject
The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information:
- a) the purposes of the processing;
- b) the categories of personal data concerned;
- (c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
- d) the envisaged duration of the storage of the personal data;
- (e) the right to rectification, erasure or restriction of processing and the right to object;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) information on data sources;
- (h) the fact of automated decision-making, including profiling; and
- (i) clear information on the logic used and the significance of such processing and the likely consequences for the data subject.
- (j) In the case of a transfer of personal data to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards applicable to the transfer.
- The Data Controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
- At the request of the data subject, the Data Controller shall provide the information in electronic form.
- The right to information can be exercised in writing via the contact details on the Company's website.
- The data subject may also be provided with information orally at his or her request, after his or her identity has been verified and identified.
d) Right of rectification
The data subject may request the rectification of inaccurate personal data relating to him or her processed by the Controller.
and to complete the incomplete data.
e) Right to erasure
The data subject shall have the right, upon request and without undue delay, to obtain the erasure of personal data relating to him or her where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
- personal data are collected in connection with the provision of information society services.
The erasure of data cannot be initiated if the processing is necessary:
- to exercise the right to freedom of expression and information;
- for the purposes of complying with an obligation under Union or Member State law to which the controller is subject to which the processing of personal data is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for archival, scientific or historical research purposes, or for statistical purposes in the public interest in the field of public health; or
- to bring, enforce or defend legal claims.
f) Right to restriction of processing
At the request of the data subject, the Data Controller shall restrict processing if one of the following conditions is met:
- the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the accuracy of the personal data to be verified;
- the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject.
Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State. The Controller shall inform the data subject in advance of the lifting of the restriction on processing.
g) Right to data portability (GDPR.§ 20)
In exercising the right to data portability, the data subject shall have the right to receive the personal data concerning him or her that he or she has provided to the Controller in a structured, commonly used, machine-readable format, and the right to transmit those personal data that he or she has provided to the Controller to another controller without hindrance from the Controller, if:
- (a) the legal basis for processing is consent or the performance of a contract,
- (b) the processing is carried out by automated means (the right of retention does not extend to paper files).
h) Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions.
In the event of an objection, the controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed by the Controller for those purposes.
i) Automated decision making in individual cases, including pro9loguing
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply where the processing
- necessary for the conclusion or performance of a contract between the data subject and the controller;
- is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
- is based on the explicit consent of the data subject.
j) Right of withdrawal
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
VII. Data breach and its handling
The Company, as the data controller, shall notify the National Authority for Data Protection and Freedom of Information of the data protection incident without undue delay after becoming aware of it, if possible within 72 hours at the latest. The notification shall be made in the form and manner specified by the authority, in accordance with the authority's instructions (for example, through the interface or hot-line designated by the authority). If the DPA does not establish an interface, the notification shall be made with the mandatory content of the notification.
If the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons, the notification need not be made. This decision is taken by the administrator, taking into account all the circumstances of the case.
The Data Controller shall record the data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it if the supervisory authority determines mandatory content elements for the incident record, in which case the incident record table shall be prepared with this content.
The Data Controller shall inform the data subject of the personal data breach without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. This decision shall be taken by the Executive Director having regard to all the circumstances of the case and shall be recorded.
Exception to the notification of the data subject where
The Data Controller has implemented appropriate technical and organisational protection measures and applied those measures to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data; or
The controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; or
The information would require a disproportionate effort, in which case the data subjects should be informed by means of publicly disclosed information or a similar measure should be taken to ensure that the data subjects are informed in an equally effective manner
VIII. Data processors
The Company uses the following data processors for the processing of personal data for technical tasks only:
Data processor name: SME-Europe Kft.
Registered office: 2100 Gödöllő, Hungary Ádám u. 51.
Purpose of data processing:
The data provided by the User will be used and processed by the Operator solely for the purpose of providing a higher level of service to Users, in particular in the following areas:
to answer your questions on the Website and, if necessary, to clarify them later
to improve the content and services of the Website
to further optimise the Website in order to tailor it more closely to the needs of its Users.
The Operator will not use the data for any purpose other than those stated above. Personal data will only be disclosed to third parties with the prior and informed consent of the user. This does not apply to any data transfers required by law.
The Processors shall carry out the processing in accordance with the instructions of the Company, shall not make any decision on the substance of the processing, shall process the personal data they become aware of only in accordance with the provisions of the Company, shall not process the personal data for their own purposes, and shall store and retain the personal data in accordance with the provisions of the Company.
IX. Right to remedy/complaint
In the event of any alleged violation of your rights in relation to the processing of your personal data, please contact our company in the first instance. We will investigate your complaint within 1 month at the latest. You may also lodge a complaint with the competent court or initiate an investigation with the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11., ugyfelszolgalat@naih.hu, +36-1-3911400, www.naih.hu).
Please contact our Company before lodging a complaint with a supervisory authority or a court, in order to discuss and resolve the problem as quickly as possible.
Name, address and contact details of the controller:
Company name: SME-Europe Kft.
Head office: 2100 Gödöllő, Ádám u. 51
Company registration number: 13-09-203563
Data Protection Officer: Dániel Benke
E-mail: info@sme-europe.com
Thank you for your trust and for choosing SME- Europe Ltd.
English 
Hungarian 
German