Igloo.hu Kft. Internal Data Management and Data Security Policy

1. PREAMBLE

The right to the protection of personal data is a fundamental constitutional right under Article VI(2) of the Fundamental Law of Hungary, the most essential requirement of which, according to the practice of the Constitutional Court, is that “the entire data processing process must be traceable and verifiable for everyone, i.e. everyone has the right to know who, where, when and for what purpose their personal data are used.”

PROVIDER DETAILS

Name: igloo.hu Kft.
Registered office: 1115 Budapest, Bártfai utca 55. 7/23.
Tax number: 27523779-2-43
Phone: +36308265787
Email: info@igloo.hu
Bank account number: 11773494-00547651
as data controller (hereinafter referred to as the “Controller”)

meets this constitutional requirement and all its legal obligations. It shall also ensure compliance with the principle of accountability, and shall set out in this Policy (hereinafter referred to as the “Policy”) and its annexes the data processing activities it carries out, the conditions, purposes, legal basis and procedures for data processing, i.e. who performs which tasks in the course of processing, how processing is planned, how data subjects can exercise their rights, the procedures to be followed in the event of a data protection incident, and how the Data Controller ensures the security of data.

The purpose of the Policy is to ensure the enforcement of the right to informational self-determination and to prevent unauthorised access to, alteration of and disclosure of personal data, by applying the procedures set out in the Policy and by complying with the principles of data management, and to this end to define the data protection and data security rules applicable to the processing of personal data.

2. SCOPE OF THE RULES

PERSONAL SCOPE
The internal data processing and data security policy of Igloo.hu Kft. (hereinafter referred to as the “Controller”), which is mandatory in the EU as of 25 May 2018, pursuant to Article 24(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as “GDPR”), applies to the organisation and all its employees and data subjects whose personal data are processed by the Controller.

SCOPE
The scope of the Policy covers the operation of the website www.igloo.hu operated by the Data Controller, the services available through the website and all activities of the Data Controller in the course of which personal data are processed.

TEMPORAL SCOPE
This Policy shall enter into force on 25 May 2020 and shall remain in force until revoked.

3. INTERPRETATIVE PROVISIONS

data protection: the regulation of the processing of personal data in order to exercise the data subject’s right to self-determination;
data medium: any material containing personal data, in whatever form, by whatever means, by whatever process;
data controller’s agent: a company that carries out business activities on behalf of the data controller at the data controller’s premises on the basis of a contract of agency/contractor/intermediary/cooperation agreement with the data controller, in the course of which it processes personal data;
data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
hardware device: any device that is used to ensure the continued operation of an information technology system, or to back up or make copies of data, or to protect a computer, electronically or otherwise, against external interference;
communication equipment: any technical device or technological process capable of transmitting or receiving signals, data and information to one or more recipients;
data subjects: natural persons – in particular, but not exclusively, customers and employees of the Data Controller – whose personal data are processed by the Data Controller;

4. THE LEGISLATION USED IN THE DRAFTING OF THE CODE

The Fundamental Law of Hungary (hereinafter: Fundamental Law)
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR)
Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (hereinafter: Act on the Protection of Personal Data)
Recommendation of the National Authority for Data Protection and Freedom of Information on the Data Protection Requirements for Prior Information (hereinafter: NAIH Recommendation)

5. DATA PROTECTION PRINCIPLES

The Controller shall act in accordance with the purpose and principles of data management, shall take appropriate technical and organisational measures to that end, and shall observe the principle of data minimisation from the time the method of data management is determined and throughout the entire data management (data protection by design and by default).

The Data Controller processes personal data only to the extent and for the time necessary for the purposes of the processing, and only personal data that are necessary and adequate for those purposes.

Employees and agents of the Data Controller shall process personal data in the course of their activities only in accordance with the provisions of the applicable legislation.

If the Data Controller, its employee or agent becomes aware that personal data it is processing is inaccurate, incomplete or out of date, the Data Controller shall take steps to correct it.

The data controller shall ensure that the processing is transparent, i.e. that the data subject receives concise, but at the same time easily understandable, easily accessible and clearly worded information about the processing of his or her personal data.

6. THE DATA PROTECTION REGIME OF THE SOLE TRADER

Taking into account the specificities of the company’s operation, the Data Controller’s CEO has defined the organisation of data protection, its tasks and competences. The head of each individual department concerned is responsible for ensuring compliance with the provisions of the Code. In the course of their work, the employees of the company shall ensure that personal data cannot be accessed by unauthorised persons and that personal data is stored in such a way that it cannot be accessed, altered or destroyed by unauthorised persons.

For data protection, the Managing Director:
a. is responsible for the protection of data subjects in accordance with the GDPR and the Infotv.;
b. is responsible for ensuring the personal, material and technical conditions necessary for the protection of personal data processed by the company;
c. is responsible for remedying any deficiencies or unlawful circumstances that may be discovered during the audit of data processing, and for initiating or conducting the necessary proceedings to establish personal liability;
d. supervises the activities of the Data Protection Officer;
e. monitors compliance with data protection regulations and may order an investigation;
f. keeps data protection records;
g. issues the company’s data protection regulations;
h. monitors changes in data protection legislation.

Regulations, leaflets

In accordance with the principles of transparency and accountability, the Data Controller has issued the policies and notices listed below:

1. Internal data management and data security policy;
2. Information on data management on the website www.IGLOO.hu, on the data management activities of the booking system accessible through the website (placed on the website);
3. Employment data management policy;
4. Information for employees and visitors on camera-based data management;
5. Interest balancing test for camera-based data management.

The IT staff of the Data Controller ensured that the privacy notice is easily accessible on the website operated by the Data Controller by clicking on a link from the opening page, thus ensuring that data subjects are informed in advance and that the processing is transparent.

Impact assessment, Data Protection Officer

The Data Controller has determined, on the basis of the assessment set out in Annex 1 to this Policy, that a Data Protection Impact Assessment (DPIA), as detailed in Article 35 of the GDPR, is not required for its processing activities.
The controller is not obliged to appoint a data protection officer under Article 37 of the GDPR.

Data processors

The Data Controller uses the following data processors in the course of its data processing activities:

Data Controller’s partner offices:
(access to the front office database system for the conclusion of contracts and access to the integrated management system for the performance of contracts)