GDPR



DATA MANAGEMENT INFORMATION

ON THE RIGHTS OF THE NATURAL PERSON INVOLVED

IN RELATION TO THE MANAGEMENT OF PERSONAL DATA

 

 

TABLE OF CONTENTS

 

INTRODUCTION

CHAPTER I – NAME OF THE DATA MANAGER

CHAPTER II – NAMES OF THE DATA PROCESSORS

1. Our Company’s IT service provider

2. Postal services, delivery, mail order services

CHAPTER III – ENSURING LEGALITY OF DATA MANAGEMENT

1. Data management on the basis of the approval of the person involved

2. Data management based on fulfilment of the legal obligation

3. Promotion of the rights of the person involved

CHAPTER IV – VISITOR’S DATA MANAGEMENT IN THE COMPANY’S HOMEPAGE – INFORMATION ON APPLICATION OF COOKIES

1. General information on cookies

2. Information on the cookies applied in the Company’s homepage, and the data generated during the visit

CHAPTER V – INFORMATION ON THE RIGHTS OF THE PERSON INVOLVED

1. Transparent information, communication and promotion of exercise of rights by the person involved

2. Right for preliminary information – if the personal data are collected from the person involved

3. Informing the person involved and the information to be made available if the data manager has not obtained the personal data from it

4. Involved person’s right to access

5. Right of correction

6. Right of deletion (“right to have it forgotten”)

7. Right to restrict data management

8. Obligation of notice related to correction or deletion of personal data, or restriction of data management

9. Right of data portability

10. Right of objection

11. Automated decision-making in individual cases, including profiling

12. Restrictions

13. Informing the person involved on the incident of data management

14. Right to complain to the supervisory authority (right of official legal remedy)

15. Right of effective judicial legal remedy against the supervisory authority

16. Right of effective judicial legal remedy against the data manager or data processor

 

 

 

INTRODUCTION

 

The EUROPEAN PARLIAMENT AND COUNCIL (EU) DECREE No. 2016/46/EC on protection of natural persons in respect of personal data management and free flow of such data, as well as repeal of the decree No. 95/46/EC (hereinafter referred to as: Decree) specifies that the Data Manager shall take appropriate measures in order to provide all information in relation to personal data management to the person involved in a brief, transparent, understandable and easy-to-access form, formulated clearly and in an understandable way, furthermore, the Data Manager shall promote exercise of the involved person’s rights. 

 

With the information below, we fulfil this legal obligation.

 

The information shall be published in the Company’s homepage, or it shall be sent to the person involved at its request.

 

CHAPTER I

NAME OF THE DATA MANAGER

 

Issuer of this information, at the same time the Data Manager:

Company name:

Benefit Barcode Inc.

Registered office:

DELAWARE, 19901 DOVER, 8 THE GREEN, STE B

Registration number:

6045923

 

 

(hereinafter referred to as: Company)

 

CHAPTER II

NAMES OF THE DATA PROCESSORS

 

Data processor: the natural or legal person, public power body, agency or any other body, which manages personal data on behalf of the data manager; (Decree Article 4, Section 8)

 

To utilize the data processor there is no need for the involved person’s prior consent, but it is necessary to inform it. Accordingly, we provide the following information:

 

Data processors’ names and contact details, and the aim of data processing:

Amazon Web Services, Inc.
P.O. Box 81226
Seattle, WA 98108-1226
https://aws.amazon.com/
Aim of data processing: Our Company utilizes a data processor to maintain and manage its homepage, who provides the IT services (hosting service), and within its framework – during the duration of our contract existing with it – it manages the personal data provided in the homepage, the operation carried out by it is storing personal data in the server.

Magyar Posta Zrt.
Address: 1138 Budapest, Dunavirág utca 2-6.
Postal address: Budapest 1540
Aim of data processing: For performance of the postal services, mail order services it receives the personal data needed to deliver the ordered product from our Company (involved person’s name, address, telephone number) and it delivers the product by using it.

GLS General Logistics Systems Hungary Csomag-Logisztikai Kft.
Registered office: 2351 Alsónémedi, GLS Európa u. 2.
Company register number: 13-09-111755
Tax number: 12369410-2-44
Contact: https://gls-group.eu/
Aim of data processing: For performance of the mail order service it receives the personal data needed to deliver the ordered product from our Company (involved person’s name, address, telephone number, e-mail address), and it delivers the product by using it.

Wells Fargo Bank, N.A.
Telephone number: 1-877-593-2468
Aim of data processing: execution of bank transactions

MKB Bank Zrt.
H-1056 Budapest, Váci u 38.
Telephone number: +36 1 373 3333
https://www.mkb.hu
Aim of data processing: execution of bank transactions

Stripe
510 Townsend Street, San Francisco CA 94103
https://stripe.com/
Aim of data processing: The service provider of the payments taking place in the internet interface at our Company’s

Mailgun Technologies
535 Mission St., 14th Floor San Francisco, CA 94105
https://www.mailgun.com/
Aim of data processing: Forwarding the messages sent by the system, for which we hand over the involved person’s name and e-mail address.

CardDeal Kft.
H-1054 Budapest, Honvéd utca 8. 1./2.
Aim of data processing: Card manufacturing and administration services.

Microsoft Corporation
USA - One Microsoft Way Redmond, Washington 98052
Aim of data processing: Provider of the Microsoft 365 cloud service

Facebook, Inc.
USA
Aim of data processing: Profiling, advertising, analytical and measurement service, display of behaviour-based advertisements

GOOGLE LLC
USA - Google Data Protection Office, 1600 Amphitheatre Pkwy, Mountain View, California 94043
Aim of data processing: Profiling, advertising, analytical and measurement service, display of behaviour-based advertisements

 

Information related to data forwarding to a foreign country

 

Amazon Web Services, Inc., Google LLC and its associated companies, Facebook, Inc., and Microsoft Corporation are included in the decision of conformity as per the European Commission GDPR Article 45, as well as the USA – EU Privacy Shield List, that is, data forwarding to this place is not considered as data forwarding to a third company outside the European Union, and for this the involved persons’ specific licences are not required, as well as data forwarding to that place is allowable in accordance with Article 45 of GDPR. These companies undertake to comply with GDPR.

 

 

 

 

CHAPTER III

ENSURING LEGALITY OF DATA MANAGEMENT

 

1. Data management on the basis of the approval of the person involved

 

(1) If the Company wants to execute data management based on approval, the involved person’s approval shall be requested with the content and information as per the form of data request for management of its personal data.

 

(2) It is considered as an approval if the person involved marks a relevant box while viewing the Company’s homepage in the Internet, executes relevant technical setups during utilizing the services related to the information society, as well as any other declaration or action is considered as such one, which clearly indicates the involved person’s approval of planned management of its personal data in this context. Silence, a box marked in advance or the lack of action therefore will not be considered as an approval. 

 

(3) The approval will cover all the data management activities performed for the same aim or aims. If the data management serves more aims at the same time, the approval shall be granted in relation to all the data management purposes.

 

(4) If the person involved grants its approval within the framework of such a written declaration which also applies to other cases – e.g. conclusion of a contract of sales, services – the request of approval shall be presented in a clearly distinguishable way from other cases, in an understandable and easily accessible form, with clear and simple language. Any part of such declaration containing the involved person’s approval, which violates the Decree, will not have any mandatory effect.

 

(5) The Company shall not make the conclusion or performance of a contract conditional on granting approval of management of such personal data, which are not necessary for performance of the contract.

 

(6) Withdrawal of the approval shall be made possible in the same easy way as its granting.

 

(7) If the personal data is recorded with the involved person’s consent, the data manager may also manage the recorded data without further separate approvals, as well as after withdrawal of the involved person’s consent for fulfilment of the legal obligation related to it unless it is otherwise stipulated by the law.

 

2. Data management based on fulfilment of the legal obligation

 

 

(1) In case of data management based on the legal obligation the provisions of the underlying law will govern the scope of manageable data, the aim of data management, duration of data storage, the addressees.

(2) The data management based on the legal title of fulfilment of the legal obligation is independent of the involved person’s consent, since data management is specified by the law. It shall be disclosed to the person involved before commencement of data management in this case that data management is compulsory, furthermore, the person involved shall be informed clearly and in details before commencement of data management on all the facts related to management of its data, particularly the aim and legal basis of data management, the person eligible for data management and data processing, duration of data management, and if the involved person’s data are managed by the data manager on the basis of the relevant legal obligation, and who may know the data. The information shall cover the involved person’s rights related to data management and possibilities of legal remedy. In case of mandatory data management, the information may be provided by publication of reference to the legal provisions containing the information above.

 

3. Promotion of the rights of the person involved

 

In all of its data management, the Company shall ensure that the person involved can exercise its rights.

 

 

CHAPTER IV

VISITOR’S DATA MANAGEMENT IN THE COMPANY’S HOMEPAGE – INFORMATION ON APPLICATION OF COOKIES

 

The person visiting the homepage shall be informed on application of cookies in the homepage – except for the cookies of the session essentially needed technically -, and its approval shall be requested.

 

1. General information on cookies

 

1.1. A cookie is a piece of data which the visited website sends to the visitor’s browser (in the form of a variable name-value pair) so that it is stored there and the same website can later read its content. A cookie may have a validity period: it may be valid until the browser is closed, but also for an unlimited time. Later on, the browser will send these data to the server with every HTTP(S) request. Thereby it will modify the data located on the user’s computer.

 

1.2. The point of a cookie is that, by the nature of website services, the website needs to mark a user (e.g. that it has logged in to the website) so that it can handle the user accordingly later. The risk is that the user will not always know about it, and the cookie may be suitable for the website operator, or another service provider whose content is integrated in the website (e.g. Facebook, Google Analytics), to follow the user and thereby build a profile of it; in this case the content of the cookie may be considered personal data.

 

1.3. Types of the cookies:

1.3.1. Session cookies that are technically essential: without them the website would not function; they are necessary to identify the user, e.g. to keep track of whether the user has logged in, what it has put into the basket, etc. Such a cookie typically stores a session ID, which is more secure in this way. This is security-relevant: if the value of the session cookie is not generated well, there is a risk of a session-hijacking attack, therefore it is essential that these values are generated appropriately. Other terminologies call all cookies that are deleted upon exiting the browser session cookies (one session is one use of a browser from starting to exiting).

1.3.2. Cookies promoting the use: this is the name for cookies which remember the user’s selections, for example, in what form the user wants to see the website. These types of cookies essentially mean the settings data stored in the cookie.

1.3.3. Cookies ensuring performance: although they have little to do with “performance”, this is the usual name for cookies which collect information on the user’s behaviour and time spent in the visited website. These are typically a third party’s application (e.g. Google Analytics, AdWords, or Yandex.ru cookies). These are suitable for profiling the visitor.

You can find information on the Google Analytics cookies here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

You can find information on the Google AdWords cookies here:

https://support.google.com/google-ads/answer/2407785?hl=en

 

1.4. It is not compulsory to accept or authorize the use of cookies. You may reset the settings of your browser so that it refuses all cookies, or indicates when the system is sending a cookie. Most browsers automatically accept cookies by default, but this can be changed so that automatic acceptance is prevented and the browser offers a choice each time.

You can find information on the cookie settings of the most popular browsers here:
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=en
• Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
• Microsoft Internet Explorer 11: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy
• Safari: https://support.apple.com/en-us/HT201265

However, please note that certain website functions or services may not work appropriately without cookies.

 

2. Information on the cookies applied in the Company’s homepage, and the data generated during the visit

 

2.1. Cookies applied in the homepage

 

2.1.1. Session cookies essentially needed technically

The aim of data management: ensuring appropriate operation of the homepage. These cookies are necessary so that the visitors can browse in the website, use its functions, the services accessible through the website smoothly and completely, so – among others – particularly remembering the operations carried out by the visitor in the given websites or identification of the user logged in during a visit. The period of data management of these cookies solely applies to the visitor’s current visit, upon completion of the session, or closing the cookies this type will automatically be deleted from your computer. 

 

In accordance with the Decree the service provider may manage those personal data for providing a service, which are technically essential for providing the service. In case of sameness of other conditions the service provider shall select and in any case shall operate the devices applied during providing the service related to the information society in such a way that the personal data should be managed only if it is essential for providing this service or achieving other aims specified in this act, however, in this case only to the necessary extent and for the necessary time.

 

2.1.2. Cookies promoting the use:

 

These remember the user’s selections, for example, in what form the user wants to see the website. These types of cookies substantially mean the settings data stored in the cookie.

The legal basis of data management is the visitor’s consent.

The aim of data management: Increasing efficiency of the service, increasing the user’s experience, making the use of the homepage more convenient.

This data is rather located in the user’s computer, the website only access and recognise the visitor, others may access to and recognise the visitor.

 

2.1.3. Cookies ensuring performance:

Information is collected on the visitor’s behaviour, time spent in the homepage, clicking. These are typically a third party’s applications (e.g. Google Analytics, AdWords).

The legal basis of data management: the involved person’s consent.

The aim of data management: analysis of the homepage, sending advertisement offers.

 

 

 

CHAPTER V

INFORMATION ON THE RIGHTS OF THE PERSON INVOLVED

 

I. The involved person’s rights summed up briefly:

1. Transparent information, communication and promotion of exercise of rights by the person involved

2. Right for preliminary information – if the personal data are collected from the person involved

3. Informing the person involved and the information to be made available if the data manager has not obtained the personal data from it

4. Involved person’s right to access

5. Right of correction

6. Right of deletion (“right to have it forgotten”)

7. Right to restrict data management

8. Obligation of notice related to correction or deletion of personal data, or restriction of data management

9. Right of data portability

10. Right of objection

11. Automated decision-making in individual cases, including profiling

12. Restrictions

13. Informing the person involved on the incident of data management

14. Right to complain to the supervisory authority (right of official legal remedy)

15. Right of effective judicial legal remedy against the supervisory authority

16. Right of effective judicial legal remedy against the data manager or data processor

 

II. The rights of the person involved in detail:

 

1. Promotion of transparent information, communication and exercise of rights by the person involved

 

1.1. The data manager shall provide all the information related to personal data management to the person involved in a brief, transparent, understandable and easy-to-access form, formulated clearly and in an understandable way, particularly in case of any information addressed to children. The information shall be provided in writing or in any other way – including the electronic way in a given case. At the involved person’s request verbal information may also be provided in case that the involved person’s identity was verified in any other way.

1.2. The data manager shall promote exercise of the involved person’s rights.

 

1.3. The data manager will inform the person involved on the measures taken due to its request to exercise its rights without unreasonable delay, but within one month from receipt of the request by any means. This deadline can be extended by further two months under the conditions specified in the Decree, on which the involved person shall be informed.

 

1.4. If the data manager does not take any measures due to the involved person’s request, it will inform the person involved on the reason for failure to take measures without delay, but not later than within one month from receipt of the request, as well as that the person involved may lodge a complaint to any supervisory authority and may exercise its right of judicial legal remedy.

 

1.5. The data manager will provide the information on the involved person’s rights and measures free of charge; however, fees may be charged in the cases specified in the Decree.

 

The detailed rules can be found in Article 12 of the Decree.

 

2. Right of preliminary information – if the personal data are collected from the person involved

 

2.1. The person involved will be entitled to receive information on the facts and information related to data management before commencement of data management. Within the framework thereof the person involved shall be informed on:

a) the data manager’s and its representative’s identity and contact details,

b) the data management official’s contact details (if any),

c) the aim of planned management of personal data, as well as the legal basis of data management,

d) in case of data management based on enforcement of rightful interests, the data manager’s and a third party’s rightful interests,

e) addressees of the personal data – to whom the personal data are disclosed – and the addressees’ categories, if there are any;

f) in a given case the fact that the data manager wants to forward the personal data to a third country or an international organisation.

 

2.2. For honest and transparent data management the data manager shall inform the person involved on the following supplementary information:

a) period of storing the personal data, or if it is not possible, considerations of determining this period;

b) the involved person’s right that it may apply for access to the relevant personal data, their correction, deletion or restriction of their management to the data manager, and may object to management of such personal data, as well as on the involved person’s right of data portability;

c) in case of data management based on the involved person’s consent on the right of withdrawal of the consent at any time, which does not affect the legality of data management executed based on the consent without withdrawal;

d) right of submission of a complaint addressed to the supervisory authority;

e) if the provision of the personal data is based on a provision of law or if it is a precondition of a contractual obligation, as well as if the involved person shall provide the personal data, furthermore, what possible consequences failure of data supply may have; 

f) the fact of automated decision-making, including profiling, as well as, at least in these cases, information on the applied logic and on the importance and expected consequences of such data management for the person involved.

 

2.3. If the data manager wants to execute further data management for a purpose other than the aim of their collection in case of the personal data, it shall inform the person involved on the different aim and all the relevant supplementary information before further data management.

 

The detailed rules of the right of preliminary information are included in Article 13 of the Decree.  

 

3. Informing the person involved and the information to be made available for it if the data manager has not obtained the personal data from it

 

3.1. If the data manager has not obtained the personal data from the person involved, the data manager shall inform the person involved not later than within one month from obtaining the personal data; if the personal data are used to keep contact with the person involved, at least on the occasion of first contacting the person involved; or if the data is disclosed to another addressee as expected, not later than upon disclosing the personal data for the first time on the facts and information described in Section 2 above, furthermore, the categories of the personal data involved, as well as the sources of the personal data and in a given case on the fact if the data are originated from publicly accessible sources.  

 

3.2. Further rules will be governed by those described in Section 2 above (Right of preliminary information).

 

Detailed rules of this information are included in Article 14 of the Decree.

 

4. The involved person’s right of access

 

4.1. The person involved will be entitled to receive feedback from the data manager as to whether management of its personal data is in progress, and if such data management is in progress, it will be entitled to get access to the personal data and the relevant information specified in Sections 2-3 above. (Article 15 of the Decree).

 

4.2. If the personal data are forwarded to a third party or to an international organisation, the person involved will be entitled to receive information in relation to forwarding on the appropriate guarantees as per Article 46 of the Decree.

 

4.3. The data manager shall make a duplicate of the personal data constituting the subject of data management available for the person involved. The data manager may charge a fee of reasonable extent, based on the administrative costs, for further copies requested by the person involved.

 

The detailed rules related to the involved person’s right of access are included in Article 15 of the Decree.

 

5. Right of correction

 

5.1. The person involved will be entitled to have the Data Manager correct the relevant incorrect personal data without unreasonable delay.

 

5.2. By taking the purpose of data management into consideration the person involved will be entitled to request supplementation of the deficient personal data – among others, by a supplementary declaration.

 

These rules are included in Article 16 of the Decree.

 

6. Right of deletion (“right of having it forgotten”)

 

6.1. The person involved will be entitled to have the data manager delete the relevant personal data without unreasonable delay, and the data manager shall delete the personal data related to the person involved without unreasonable delay if

a) the personal data are not necessary for the purpose, for which they have been collected or handled in any other way;

b) the person involved withdraws its consent constituting the basis of data management, and data management does not have any other legal basis;

c) the person involved objects to its data management, and there is no rightful reason having priority for data management,

d) the personal data have been managed illegally;

e) the personal data must be deleted for fulfilment of the legal obligation of the European Union or specified in the law of a member state applicable for the data manager;

f) the personal data are collected in connection with offering services offered directly to children, related to the information society.

 

6.2. The right of deletion may not be enforced if data management is required

a) for exercising the right of freedom of expressing opinions and obtaining information;

b) for fulfilment of the obligation as per the right of the Union applicable for the data manager or as per the law of a member state, and for execution of a task carried out within the framework of exercising a public power eligibility assigned to the data manager;

c) based on a public interest affecting the field of public health;

d) for archiving in the public interest, for scientific and historic research or statistical purposes, if the right of deletion would probably make this data management impossible or seriously endanger it; or

e) for submission, enforcement, and protection of legal demands.

 

The detailed rules related to the right of deletion are included in Article 17 of the Decree.

 

7. The right of restriction of data management

 

7.1. In case of restriction of data management such personal data may be managed only with the involved person’s consent, except for storage, or for submission, enforcement or protection of legal demands, or protection of other natural or legal persons’ rights, or for an important public interest of the Union or any member state.

 

7.2. The person involved will be entitled that the Data Manager restricts data management at its request if any of the following is fulfilled:

a) the person involved disputes exactness of the personal data, in this case restriction applies to the period, which allows the Data Manager to inspect exactness of the personal data;

b) data management is illegal, and the involved person objects to deletion of the data, and instead thereof it requests restriction of their use;

c) the Data Manager does not need the personal data for data management, but the person involved demands them to submit, enforce or protect legal demands; or

d) the person involved has objected to data management; in this case the restriction applies to the period until it is established whether the data manager’s rightful reasons have priority over the involved person’s rightful reasons.

 

7.3. The person involved shall be informed on the end of restriction of data management in advance.

 

The relevant rules are included in Article 18 of the Decree.

 

8. The obligation of notice related to correction or deletion of personal data, or restriction of data management

The data manager will inform all addressees to whom the personal data have been disclosed of every correction, deletion or restriction of data management, except where this proves to be impossible or would require disproportionately great efforts. At the involved person’s request, the data manager will inform the person involved on the addressees.

 

These rules can be found in Article 19 of the Decree.

 

9. The right of data portability

 

9.1. Under the conditions stated in the Decree the person involved will be entitled to receive the personal data related to it, which it has made available to a data manager, in an arranged, widely used, computer-readable format; furthermore, it will be entitled to forward these data to another data manager without hindrance by the data manager to whom it has made the personal data available, if

a) data management is based on a consent or contract; and

b) data management is implemented in an automated way.

 

9.2. The person involved may request direct forwarding of the personal data between the data managers as well.

 

9.3. Exercising the right of data portability shall not violate Article 17 of the Decree (right of deletion (“right of having it forgotten”)). The right of data portability shall not be applicable in case that data management is required for execution of a task carried out within the framework of exercising of rights of public interest or rights of public power assigned to the data manager. This right shall not affect others’ rights and freedom adversely.

 

The detailed rules are included in Article 20 of the Decree.

 

10. Right of objection

 

10.1. The person involved will be entitled to object to management of its personal data based on public interest, implementation of public tasks (Article 6 (1) e)) or rightful interest (Article 6 f)) at any time for reasons related to its own situation, including profiling based on the mentioned provisions. In this case the data manager may not manage the personal data further on, except for the case if the data manager proves that data management is reasoned by such rightful causes of forcing power, which have priority over the involved person’s interests, rights and freedom, or which are connected to submission, enforcement or protection of legal demands.

10.2. If the personal data are managed for directly obtaining businesses, the involved person will be entitled to object to management of the relevant personal data for this purpose at any time, including profiling, if it connects to directly obtaining businesses. If the person involved objects to management of the personal data for directly obtaining businesses, the personal data shall not be managed for this purpose any more.

10.3. Attention shall be called to these rights expressly not later than during establishment of a contact for the first time, and the relevant information shall be displayed clearly and separated from any other information.

10.4. The person involved may exercise the right of objection also with automated devices based on technical specifications.

10.5. If the personal data are managed for scientific or historic research purposes or statistical purposes, the person involved is entitled to object, for reasons related to its own situation, to management of the personal data relating to it, except where data management is required to perform a task carried out for reasons of public interest.

 

The relevant rules are included in the article of the Decree.

 

11. Automated decision-making in individual cases, including profiling

 

11.1. The person involved is entitled not to be subject to a decision based solely on automated data management, including profiling, which would have a legal effect on it or would similarly affect it to a significant extent.

 

11.2. This entitlement shall not apply if the decision:

a) is required for conclusion or performance of a contract between the person involved and the data manager;

b) is permitted by the law of the Union or of a member state applicable to the data manager, which also establishes appropriate measures serving the protection of the involved person’s rights and freedoms, as well as rightful interests; or

c) is based on the involved person’s expressed consent.

 

11.3. In the cases mentioned in clauses a) and c) above, the data manager shall take appropriate measures for the protection of the involved person’s rights, freedoms and rightful interests, including its right to request human intervention from the data manager, to express its standpoint, and to submit an objection to the decision.

 

Further rules are included in Article 22 of the Decree.

 

12. Restrictions

 

The law of the Union or of a member state applicable to the data manager or data processor may restrict, by legislative measures, the scope of the rights and obligations (Articles 12-22, Article 34, Article 5 of the Decree) if the restriction respects the substantial content of the basic rights and freedoms.

 

The conditions of this restriction are included in Article 23 of the Decree.

 

13. Information of the person involved on the incident of data protection

 

13.1. If the incident of data protection is likely to entail a high risk to natural persons’ rights and freedoms, the data manager shall inform the involved person of the incident of data protection without unreasonable delay. This information shall present the nature of the incident of data protection clearly and in an understandable way, and shall disclose at least the following:

 

a) name and contact details of the data management official or other contact persons providing further information;

c) the probable consequences arising from the incident of data protection;

d) the measures taken or planned by the data manager to remedy the incident of data protection, including the measures aiming at mitigation of the possible adverse consequences arising from the incident of data protection.

 

13.2. The involved person does not have to be informed if any of the following conditions is fulfilled:

a) the data manager has implemented appropriate technical and organisational protection measures, and these measures have been applied to the data affected by the incident of data protection, particularly measures, such as encryption, which make the data unintelligible to persons not authorised to access the personal data;

b) the data manager has taken further measures after the incident of data protection, which ensure that the high risk to the involved person’s rights and freedoms is no longer likely to materialise;

c) providing the information would require disproportionate effort. In such cases the persons involved shall be informed by publicly published information, or a similar measure shall be taken which ensures that the persons involved are informed in a similarly effective way.

 

Further rules are included in Article 34 of the Decree.

 

14. The right of complaining to the supervisory authority (right of official legal remedy)

 

The person involved is entitled to make a complaint to a supervisory authority, particularly in the member state of its usual place of residence, workplace or the suspected location of the violation of law, if in the involved person’s judgement management of the relevant personal data infringes the Decree. The supervisory authority to which the complaint has been submitted shall inform the client of the progress of the procedure related to the complaint and of its result, including that the client is entitled to seek judicial legal remedy.

 

These rules are included in Article 77 of the Decree.

 

15. The right of efficient judicial legal remedy against the supervisory authority

 

15.1. Without prejudice to other public administrative or non-judicial legal remedies, all natural and legal persons are entitled to an effective judicial legal remedy against the supervisory authority’s legally binding decisions concerning them.

 

15.2. Without prejudice to other public administrative or non-judicial legal remedies, all natural and legal persons are entitled to an effective judicial legal remedy if the competent supervisory authority does not deal with the complaint or does not inform the person involved within three months of the progress of the procedure related to the submitted complaint or of its result.

 

15.3. The procedure against the supervisory authority shall be launched at the court of the member state in which the supervisory authority has its registered office.

 

15.4. If a procedure is launched against a decision of the supervisory authority in connection with which the Body has previously issued an opinion or made a decision within the framework of the uniformity mechanism, the supervisory authority shall send this opinion or decision to the court.

 

These rules are included in Article 78 of the Decree.

 

16. The rights of efficient judicial legal remedy against the data manager or data processor

 

16.1. Without prejudice to the available public administrative or non-judicial legal remedies, including the right of complaining to the supervisory authority, every involved person is entitled to an effective judicial legal remedy if in its judgement its rights under this Decree have been infringed as a consequence of management of its personal data that is not in accordance with this Decree.

 

16.2. The procedure against the data manager or the data processor shall be launched at the court of the member state in which the data manager or the data processor has its place of activity. Such a procedure may also be launched at the court of the member state of the involved person’s usual place of residence, except where the data manager or the data processor is a public power body of a member state acting in the exercise of its public power.

 

These rules are included in Article 79 of the Decree.

 

Dated on 18th October 2018.