SME_Europe_kft_logo

Effective: as of April 01, 2021

PRIVACY NOTE

SME-EUROPE Kft

I.   The purpose of the Privacy Notice

The purpose of this Privacy Note (hereinafter referred to as “Privacy Note”) is to lay down the rules for the data protection and data processing policy of SME-Europe Ltd. (hereinafter referred to as “Company” or “SME-Europe”) by complying with the data protection and data processing provisions set out by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR Regulation”) and by enforcing these provisions the Company ensures respect for the rights of the data subjects to protect personal data when processing or managing personal data of the data subjects during all the activities and the use of the services of the Company.

II. The scope of the Privacy Note

The material scope of the Data Protection Regulations covers all the computer and manual data management and data processing – affecting personal information – performed by all the employees and subcontractors of the Company. 

The personal scope of the Data Protection Regulations covers all the employees of the Company involved in data processing, data management, and natural and legal persons, organizations with a legal personality in a contractual relationship with the Company, to the extent set out in the contract and confidentiality statement concluded with them.

The Regulations shall enter into force on April 01, 2021 and shall be valid until superseded, i.e. its current text shall be published by the Company on its website on the following link: www.sme-europe.com

III. Definitions

The system of definitions of these Regulations is the same as the definitions included in Article 4 of the GDPR Regulation, in addition, in certain points supplemented by the interpretative provisions of Section 3 of Act CXII of 2011 on the right of informational self-determination and the freedom of information (hereinafter referred to as “Act of Info”).

The definitions used in this information package have the following meaning:

data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

The Controller will keep the information available on its website continuously. The acceptance of the data processing information (the proper box checked) justifies that the data subject has become familiar with it and it qualifies as consent to data processing, i.e. data processing may only occur if the data subject indicates by a clear affirmative action e.g. by a written statement – including an electronic statement – that he or she gives free, specific, informed and unambiguous agreement to the processing of personal data relating to him or her.

Personal data shall be collected by the controller for a specified, explicit and legitimate purpose and not further processed in a manner incompatible with these purposes and their storage shall be in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

The Controller’s colleagues ensure during their work that no unauthorized persons may have access to personal data, as well as provide storage for the personal data in a way that no unauthorized persons may have access to them, or receive, alter or destroy them.

IV. Data processing taking place when controller’s website is used

Cookies

Cookies are placed on the user’s computer by the websites visited and contain information such as page settings. The use of cookies allows the Company to query certain data of the visitor and to track their Internet usage. Some cookies are essential for the proper operation of the website, some collect statistics to make the use of the website more comfortable, while there are cookies, which aim to set targeted advertisements. In the bar at the bottom of the website the visitor can select which cookies they allow, so which ones they accept or refuse.

Purpose of data processing: analyzing how visitors use the website, promoting contact with the company
scope of processed data: the visitor’s Internet Protocol Address (IP Address), the date of visiting, the data of the viewed pages, the name of the browser used

legal grounds for data processing: consent of the data subject according to GDPR Article 6(1)a).
data storage period: up to one year from data recording

method of data storage: electronic

Request for Quotation

On the company’s website the visitor has the opportunity to request a quotation. By filling out the form, the visitor provides the relevant information required for establishing contact and quotation calculation. However, the data subject only has the opportunity to submit the data if they agree to the Company’s data processing information, which can be done by checking a box, otherwise they can not finalize the quotation.

purpose of data processing: promoting contact with the Company, registration
scope of processed data: contact person’s name, email address, phone number, place of loading and unloading
legal grounds for data processing: consent of the data subject according to GDPR Article 6(1)a).
data storage period: 30 days from the completion of the request for quotation form if no contract is concluded between the parties; if a contract is concluded, for 10 years from the date of its termination.
method of data storage: electronic

Data processing related to job applications

The CVs arriving via the online platform of the Company or by post arrive directly from the data subject or by post at the Company’s registered seat and locations or electronically at the e-mail address info@sme-europe.com operated by the Company.

The data subject has the opportunity to apply under the menu item ‘Career’. The data subject can apply by completing a form, and they have to accept the data processing information and consent to data processing before submitting it.

purpose of data processing: selecting the suitable employee or contributor to fill a position, processing the personal particulars of the applicants

scope of processed data: name, e-mail address, phone number, data contained in the curriculum vitae uploaded by the data subject
legal grounds for data processing: consent of the data subject according to GDPR Article 6(1).
data storage period: one year from data recording

method of data storage: electronic

V. Data processing during the Company’s operation

Client register

The clients’ and partners’ data are recorded and maintained in the Company’s unique system.

purpose of data processing: communication needed to fulfill customers’ and partners’ orders.
scope of processed data: client’s contact person’s name, e-mail address, phone number

legal grounds for data processing: consent of the data subject according to GDPR Article 6(1)a) or additionally legitimate interest according to GDPR Article 6(1)f).

data storage period: until the termination of the relevant contract

method of data storage: electronic

Client management

In order to meet clients’ needs as fully as possible, the Company sends e-mails to the contact persons of the contracted partners for informal purposes, for example to notify them that the insurance of the contracted partner will expire. Although these e-mails are automatically sent, they do not qualify as advertising, they need to be sent for the performance of the contract.

purpose of data processing: client management

scope of processed data: client’s contact person’s name, e-mail address, phone number
legal grounds for data processing: consent of the data subject according to GDPR Article 6(1)a) or additionally legitimate interest according to GDPR Article 6(1)f).

data storage period: until the termination of the Company or until erasure requested by the data subject.

method of data storage: electronic and paper-based

Managing invoices

purpose of data processing: issuing and storing invoices

scope of processed data: client’s name, address

legal grounds for data processing: GDPR Article 6(1)c) and Section 167 of Act C of 2000 on Accounting

data storage period: accounting documents shall be stored for at least 8 years by the Company under Section 169(2) of Act C of 2000 on Accounting. The Company automatically deletes the personal data of the data subject after 8 + 1 years

method of data storage: electronic

VI. Enforcing the rights of the data subject

The data subject may request: information about the processing of his or her personal data; the rectification or erasure of his or her personal data at info@sme-europe.com e-mail address; the restriction of data processing; and may be eligible for data portability and judicial remedy. In the case of a complaint the data subject may turn to the Hungarian National Authority for Data Protection and Freedom of Information or court – at his or her choice – in the territory of Hungary. In legal proceedings the tribunal has jurisdiction.

Rights of the data subject:

a) The Controller’s obligation to provide employees with information

·      Prior to commencing data processing, the employee must be informed that data processing is required for the performance of the contract.

·      Prior to the start of the data processing, the employee must be clearly and in detail informed about any facts related to the processing of his data, in particular about the purpose and legal grounds of the data processing, the person entitled to data processing, the duration of the data processing, and about who can have access to the data.

·      The information should include the rights of the data subject and any legal remedies relating to data processing.

·      Employees shall be informed about data processing at the start of their employment, which they shall acknowledge with their signature.

·      It is the employee’s responsibility that the data submitted and reported by him or her to the controller shall be authentic, accurate, complete and up-to-date.

·      The employee shall inform the controller without delay of any changes in his or her registered data within 5 working days at the latest

b) Right to receive information

At the request of the data subject the Controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 of the GDPR Regulation relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The data subject may request information about the processing of his or her personal data and may request the rectification or erasure of his or her personal data – with the exception of data processing required by law. Upon the request of the data subject the controller shall provide information on the data processed by the controller, about the purpose of data processing, its legal grounds and duration, the name, address (registered seat) of the data processor and the activities associated with data processing, as well as who has or will receive the data and for what purposes. The controller shall provide information as soon as possible after the submission of the request, or at the latest within 10 days in writing, in a clearly understandable form, free of charge.

c) The data subject’s right to access data

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

·      a) the purposes of data processing;

·      b) the categories of the personal data concerned;

·      c) the recipients or categories of recipients to whom or which personal data were disclosed or will be disclosed, including in particular third country recipients or international organizations;

·      d) the intended duration of the storage of personal data;

·      e) the right to rectification and erasure, the right to restricting data processing, the right to protest;

·      f) the right to lodge a complaint with a supervisory authority;

·      g) information on data sources;

·      h) the fact of automated decision-making, including profiling, and

·      i) comprehensible information on the analytics used, on the relevance of such data processing, and on the consequences to the data subject.

·      j) In the event of transferring personal data to a third country or international organization, the data subject shall be entitled to receive information on the appropriate guarantees for transfer.

·      The controller shall provide the data subject with one copy of the processed personal data. The data subject may be charged a reasonable administration fee for any additional copies by the controller.

·      At the request of the data subject information is provided by the controller in electronic form.

·      The right to information can be exercised in writing through the contact details on the Company’s website.

·      At the request of the data subject, information may be given orally – after the verification and identification of the data subject’s identity.

d)    Right to Rectification

The data subject has the right to request the Company to rectify his or her incorrect personal data, or to supplement any missing data.

e)     Right to data erasure

The data subject has the right to obtain from the controller the erasure of his or her personal data without undue delay, in case one of the following reasons exist:

·      the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;

·      the data subject has withdrawn his or her consent on which the data processing is based, and there is no other legal ground for the processing;

·      the data subject objects to the data processing, and there is no priority legitimate reason for the data processing;

·      the personal data have been unlawfully processed;

·       the personal data have to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;

·      the personal data have been collected in relation to the offer of information society services.

Data erasure can not be initiated if data processing is required:

·      for exercising the right of freedom of expression and information;

·      for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

·      for purposes regarding public health or for archiving, scientific and historical research or statistical purposes, on the basis of public interest; or

·      for the establishment, exercise or defense of legal claims.

f)      Right to restriction of processing

At the request of the data subject, the Controller restricts data processing where one of the following applies:

·      if the accuracy of the personal data is contested by the data subject, restriction shall be valid for a period enabling the controller to verify the accuracy of the personal data;

·      the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

·      the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

·      the data subject has objected to data processing; in this case such restriction shall be valid for a period it is determined whether the legitimate grounds of the controller override those of the data subject.

Where data processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of your legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The data subject shall be informed by the controller before the restriction of processing is lifted.

g)     Right to data portability (GDPR Article 20)

In exercising the right to data portability, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

·      a) the legal grounds of the data processing is consent or the performance of the contract,

·      b) data processing is carried out by automated means (the right to data portability does not include paper-based files).

h)    Right to object

The data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her for public interest or for exercising public authority vested in the controller, or if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions.

In case the data subject objected, the controller may not continue to process the personal data, except where the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or are needed for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by the Controller.

i)      Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply if the decision:

·       is necessary for entering into, or performance of, a contract between the data subject and a controller;

·      is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

·      is based on the data subject’s explicit consent.

j)      Right to withdraw

The data subject is entitled to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

VII. Personal data breach and its management

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Hungarian National Authority for Data Protection and Freedom of Information. The notification shall be made in the form and manner prescribed by the authority, according to the requirements of the authority (e.g. on the platform or hot-line designated by the authority). If the authority for data protection does not create a platform, the notification shall be made with its mandatory content elements.

If the personal data breach is not likely to pose a risk to the rights and freedoms of natural persons, the notification does not need to be made. This decision is made by the managing director in view of all the circumstances of the case.
The Controller shall record the personal data breaches indicating the facts related to the personal data breach, its effects and the measures taken to remedy it; where the supervisory authority defines mandatory content elements for recording personal data breaches, the table recording the personal data breach shall be prepared with this content. 
The controller shall inform the data subject without undue delays of the personal data breach if the personal data breach is likely to pose a high risk to the rights and freedoms of natural persons. This decision is made by the managing director in view of all the circumstances of the case and it is recorded.
The data subject must be notified except if
the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those – such as application of encryption – that render the personal data unintelligible to any person who is not authorized to access them; or
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise; or
communication would involve disproportionate effort, in which case there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

VIII. Data processors

The Company uses the following data processors for processing personal data only to perform technical tasks:

Data processor’s name: SME-Europe Kft

Registered seat: Hungary 2100 Gödöllő, Ádám u. 51.

Purpose of data processing:

The Operator uses and manages the data provided by the User only for the purpose of being able to provide a higher level of service to the Users, primarily in the following areas:

·      to answer your questions on the Website and, if necessary, to clarify them later

·      to improve the content and services of the Website

·      to further optimize the Website so that it can be further tailored to the needs of the Users.

The operator does not use the data for purposes other than those indicated above. You will only transfer personal data to third parties with the prior and informed consent of the user. This does not apply to any data transfers that are required by law.

The Data processors process data according to the Company’s instructions, they may not make any substantial decisions affecting data processing, and may only process any personal data obtained pursuant to the instructions of the Company; they may not process data for their own purposes, and are obliged to store and preserve personal data as required by the Company.

IX. Right to legal remedy/complaint

In the case of a perceived legal injury related to the processing of your personal data, please contact our Company first. Your complaint will be investigated within no later than one month. You also have the opportunity to submit an action to the competent court or to initiate an investigation at the Hungarian National Authority for Data Protection and Freedom of Information  (1055 Budapest, Falk Miksa utca 9-11., ugyfelszolgalat@naih.hu, +36-1-3911400, www.naih.hu).

You are requested to contact our Company before lodging a complaint at the supervisory authority or the court of justice, in order to consult and to resolve the problem as quickly as possible.

Name, address and contact details of the controller

Company name:                     SME-Europe Kft.

Registered seat:                       2100 Gödöllő, Ádám u. 51

Company registration number:13-09-203563

Data Protection Officer:         Dániel Benke

E-mail:                                     info@sme-europe.com

Thank you for your trust and for choosing SME-EUROPE Ltd.