Data Processing Guidelines
Purpose of the Policy
The purpose of this policy is to harmonize the provisions of the organization's internal regulations regarding data processing activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the proper handling of personal data.
The organization aims to fully comply with the legal requirements related to the processing of personal data, particularly the provisions of Regulation (EU) 2016/679 of the European Parliament and the Council.
Another important objective of issuing this policy is to ensure that the organization's employees, by understanding and adhering to it, can lawfully process the personal data of natural persons.
Key Terms and Definitions
- GDPR (General Data Protection Regulation): The European Union's data protection regulation, Regulation (EU) 2016/679.
- Data Controller: A natural or legal person, public authority, agency, or other body that alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
- Data Processing: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.
- Personal Data: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Third Party: A natural or legal person, public authority, agency, or other body other than the data subject, data controller, data processor, or persons who, under the direct authority of the data controller or processor, are authorized to process personal data.
- Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or a clear affirmative action, signify agreement to the processing of personal data relating to them.
- Restriction of Processing: The marking of stored personal data with the aim of limiting their processing in the future.
- Pseudonymization: The processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- Filing System: Any structured set of personal data that is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
- Data Breach (personal data breach): A breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Principles of Data Processing
Personal data must be processed lawfully, fairly, and transparently in relation to the data subject.
Personal data must be collected for specified, explicit, and legitimate purposes.
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization).
Personal data must be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.
Personal data must be stored in a form that permits identification of data subjects only for as long as necessary. Longer storage is permitted only for public interest archiving, scientific and historical research, or statistical purposes.
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, through appropriate technical and organizational measures.
The principles of data protection apply to all information relating to an identified or identifiable natural person.
Employees who process personal data on behalf of the organization are accountable under disciplinary, civil liability, administrative, and criminal law for the lawfulness of that processing. If an employee becomes aware that the personal data they process is incorrect, incomplete, or outdated, they must correct it or initiate its correction with the responsible colleague.
Handling of Personal Data
Since natural persons can be associated with online identifiers provided by the devices, applications, tools, and protocols they use—such as IP addresses and cookie identifiers—these data, when combined with other information, can be used to create profiles of natural persons and identify them.
Where processing is based on consent, it may only take place if the data subject has given freely given, specific, informed, and unambiguous consent by a statement or a clear affirmative action, such as a written (including electronic) or oral statement.
Consent is also considered given if the data subject ticks a relevant checkbox when visiting a website. Silence, pre-ticked boxes, or inactivity do not constitute consent.
Consent may also be expressed when a user chooses technical settings for an electronic service, or by any other statement or conduct that clearly indicates, in the given context, the data subject's acceptance of the proposed processing of their personal data.
Health-related personal data includes information about the data subject's past, present, or future physical or mental health condition. These include:
- Registration for healthcare services;
- An individual identifier assigned to a natural person for health-related purposes;
- Information derived from testing or examination of a body part or bodily material, including genetic data and biological samples;
- Data concerning a disease, disability, disease risk, medical history, clinical treatment, or physiological or biomedical status, regardless of the source, which may be a doctor, other healthcare professional, hospital, medical device, or diagnostic test.
Genetic data is defined as personal data related to the inherited or acquired genetic characteristics of a natural person and is obtained through the analysis of a biological sample taken from the individual—particularly chromosome analysis, DNA or RNA examination, or other elements that allow for the extraction of similar information.
Children’s personal data deserve special protection, as they may be less aware of the risks, consequences, guarantees, and rights related to data processing. This special protection should be applied particularly when children’s personal data is used for marketing purposes or for creating personal or user profiles.
Personal data must be processed in a manner that ensures an appropriate level of security and confidentiality, including measures to prevent unauthorized access to or misuse of personal data and the tools used for processing them.
All reasonable steps must be taken to correct or delete inaccurate personal data.
Lawfulness of Data Processing
The processing of personal data is lawful if at least one of the following conditions is met:
- The data subject has given their consent for one or more specific purposes;
- The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the data controller is subject;
- The processing is necessary to protect the vital interests of the data subject or another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
- The processing is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the data subject's interests, fundamental rights, and freedoms requiring the protection of personal data, particularly if the data subject is a child.
Accordingly, processing is lawful where it is necessary for the performance of a contract or for steps taken at the data subject's request with a view to concluding one.
If data processing is carried out to fulfill a legal obligation imposed on the data controller or for the execution of a public task or official authority, it must have a legal basis in Union law or the law of a Member State.
Data processing should be considered lawful when it is conducted to protect the life or other vital interests of the data subject or another natural person. Personal data processing on the grounds of another natural person’s vital interests should only occur if it cannot be based on another legal basis.
Certain types of personal data processing may serve both an important public interest and the vital interests of the data subject. For example, this applies to humanitarian reasons, such as tracking epidemics and their spread or responding to humanitarian emergencies, particularly natural or man-made disasters.
The data controller—including any party to whom the personal data may be disclosed—or a third party may have a legitimate interest that justifies data processing. A legitimate interest may exist, for instance, when there is a relevant and appropriate relationship between the data subject and the data controller, such as when the data subject is a customer or employee of the data controller.
The processing of personal data for fraud prevention purposes is also considered a legitimate interest of the data controller.
Direct marketing activities based on the processing of personal data may also be considered a legitimate interest.
To determine the existence of a legitimate interest, careful consideration must be given to whether the data subject can reasonably expect data processing for a given purpose at the time of data collection and in connection with it.
The interests and fundamental rights of the data subject may take precedence over the data controller’s interest if personal data is processed under circumstances in which the data subjects would not reasonably expect further processing.
Processing personal data to the extent strictly necessary and proportionate to ensure network and information security (for example, resisting unauthorized access, malicious code distribution, denial-of-service attacks, and damage to systems) constitutes a legitimate interest of the data controller. This applies to public authorities, computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), providers of electronic communications networks and services, and providers of security technologies and services.
Consent of the Data Subject, Conditions
- If data processing is based on consent, the data controller must be able to demonstrate that the data subject has consented to the processing of their personal data.
- If the data subject gives consent as part of a written declaration that also concerns other matters, the request for consent must be presented in a manner that clearly distinguishes it from those other matters.
- The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject must be informed of this before giving consent. Withdrawing consent must be as easy as giving it.
- In determining whether consent is freely given, utmost consideration must be given to whether the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- In the case of the processing of personal data related to information society services offered directly to children, processing is lawful if the child is at least 16 years old. If the child is under 16, the processing of their personal data is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person's sex life or sexual orientation, is prohibited unless the data subject has given explicit consent for one or more specified purposes or another exception under Article 9(2) GDPR applies.
The processing of personal data relating to criminal convictions and offenses or related security measures may only take place under the control of an official authority, or where the processing is authorized by Union or Member State law providing appropriate safeguards for the rights and freedoms of data subjects.
Data Processing Without Identification
If the purposes for which the data controller processes personal data do not or no longer require the identification of the data subject, the controller is not obliged to retain additional information for the purpose of identifying the data subject.
If the data controller can demonstrate that it is unable to identify the data subject, it shall inform the data subject of this, where possible, in an appropriate manner.
Information and Rights of the Data Subject
The principle of fair and transparent processing requires that the data subject is informed about the processing of their data and its purposes.
When personal data is collected from the data subject, they must also be informed whether the provision of personal data is a statutory or contractual requirement, and the consequences of failing to provide such data. This information may be supplemented with standardized icons to provide clear, easily understandable, and readable general information about the planned processing.
Information related to the processing of personal data concerning the data subject must be provided at the time of data collection or, if collected from another source, within a reasonable period, considering the circumstances.
The data subject has the right to access their collected data and to exercise this right easily and at reasonable intervals to verify and review the lawfulness of the processing. Every data subject should have the right to know, in particular, the purposes of the processing of their personal data and, where possible, the intended duration of processing.
The data subject has the right to have their personal data erased and no longer processed if the data is no longer necessary for the original purposes for which it was collected or otherwise processed, or if the data subject withdraws their consent to the processing.
If personal data is processed for direct marketing purposes, the data subject must have the right to object at any time, free of charge, to the processing of their personal data for such purposes.
Review of Personal Data
To ensure that personal data is stored only for the necessary duration, the data controller establishes deletion or periodic review deadlines.
The regular review deadline determined by the organization’s management is 1 year.
Responsibilities of the Data Controller
The data controller applies appropriate internal data protection rules to ensure lawful processing. This regulation covers the scope and responsibilities of the data controller.
The data controller is obliged to implement appropriate and effective measures and to be able to demonstrate that processing activities comply with applicable regulations.
This regulation should be established considering the nature, scope, circumstances, and purposes of processing, as well as the risks posed to the rights and freedoms of natural persons.
The data controller implements appropriate technical and organizational measures based on the nature, scope, circumstances, and purposes of processing, as well as the varying probability and severity of risks to natural persons’ rights and freedoms.
Based on this policy, other internal regulations are reviewed and updated as necessary.
The data controller or processor maintains appropriate records of processing activities within their competence. Every data controller and processor must cooperate with the supervisory authority and make these records available upon request to facilitate oversight of the relevant data processing operations.
Rights Related to Data Processing
Right to Request Information
Any individual may request information through the provided contact details regarding what data the organization handles, on what legal basis, for what data processing purpose, from which source, and for how long. Upon request, information must be provided without undue delay, but no later than within 30 days, to the contact details specified.
Right to Rectification
Any individual may request the modification of their data through the provided contact details. Upon request, modifications must be made without undue delay, but no later than within 30 days, and information must be sent to the specified contact details.
Right to Erasure
Any individual may request the deletion of their data through the provided contact details. This must be done without undue delay, but no later than within 30 days, and the individual must be notified at the provided contact details.
Right to Restriction of Processing
Any individual may request the restriction of their data through the provided contact details. Restriction will remain in place as long as the stated reason necessitates data storage. Upon request, restriction must be implemented without undue delay, but no later than within 30 days, with notification sent to the specified contact details.
Right to Object
Any individual may object to data processing through the provided contact details. Objections must be reviewed within the shortest possible time, but no later than 15 days from the submission date, with a decision made on its validity. Notification of the decision must be sent to the provided contact details.
Legal Remedies Related to Data Processing
National Authority for Data Protection and Freedom of Information
Mailing Address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat (at) naih.hu
URL: https://naih.hu
Coordinates: N 47°30'56''; E 18°59'57''
In the event of a violation of their rights, the data subject may bring an action against the data controller before the courts. The court shall hear the case with priority. The action may be brought before the court competent for the data subject's place of residence or place of stay.
The Organization's Responsibilities for Ensuring Proper Data Protection
- Raising Data Protection Awareness: Ensure professional readiness to comply with legislation. Employee training and familiarization with regulations are essential.
- Review of Data Processing Purposes and Guidelines: Ensure lawful data processing and data handling in alignment with data protection regulations.
- Proper Information for Data Subjects: Ensure that data subjects are properly informed and that, in cases of consent-based processing, the data controller can prove that consent has been obtained from the data subject.
- Clear and Understandable Information: Information provided to data subjects must be concise, easily accessible, and understandable, presented in clear and plain language.
- Transparency in Data Processing: Data subjects must be informed about the facts and purposes of processing before it begins, and the right to be informed lasts until the processing ends.
- Key Rights of Data Subjects:
  - Access to personal data concerning them;
  - Rectification of personal data;
  - Erasure of personal data;
  - Restriction of personal data processing;
  - Objection to processing, including profiling, and the right not to be subject to decisions based solely on automated processing;
  - Right to data portability.
- Timely Response: The data controller must inform the data subject without undue delay, but no later than one month from receipt of the request. If necessary, considering the complexity and number of requests, this period may be extended by an additional two months.
- Review of Data Processing: Regularly review data processing activities and ensure that data subjects can exercise their right to informational self-determination.
- Explicit Consent: Consent must clearly indicate that the data subject agrees to the data processing. The data controller must be able to prove consent if processing is based on it.
- Protection of Children's Data: Special attention must be given to the rules governing the processing of children's data. Processing is lawful if the child is at least 16 years old or, if younger, consent is given or authorized by the holder of parental responsibility.
- Reporting Obligation in Case of a Data Breach: Notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Data Protection Impact Assessment (DPIA): Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, conduct a DPIA before the processing begins.
- Appointing a Data Protection Officer (DPO): Mandatory for public authorities and bodies, and where the core activities involve regular and systematic large-scale monitoring of data subjects or large-scale processing of special categories of personal data or of data relating to criminal convictions and offenses.
Data Security
Data must be protected with appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental loss or damage and inaccessibility due to changes in the applied technology.
To safeguard electronically managed records, appropriate technical solutions must be implemented so that data stored in different records cannot be directly linked and attributed to the data subject, unless the law permits otherwise.
When designing and implementing data security measures, the current state of technological advancements must be taken into account. Among multiple possible data processing solutions, the one that ensures a higher level of personal data protection should be chosen, unless it would impose a disproportionate burden on the data controller.
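The pseudonymization defined under Key Terms and the requirement above that data in different records must not be directly linkable to the data subject can both be met with a keyed pseudonym. The following Python is an added example and is not part of this policy or of the organization's systems: it assumes a hypothetical employee-number format (E-0000 to E-9999) and constructed sample records, derives pseudonyms with HMAC-SHA256 under a key that is held separately from the records (the "additional information" in the GDPR definition), mixes a per-filing-system domain tag into the MAC so the same person cannot be joined across record sets, and shows why an unkeyed hash of a guessable identifier does not count as pseudonymization.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records (not real data). The same person, identified by
# the hypothetical employee number "E-0042", appears in two filing systems.
HR_RECORD = {"employee_id": "E-0042", "role": "accountant"}
HEALTH_RECORD = {"employee_id": "E-0042", "finding": "annual check-up passed"}


def pseudonymize(identifier: str, key: bytes, domain: str) -> str:
    """Derive a pseudonym as HMAC-SHA256 over (domain, identifier).

    `key` is the additional information that must be kept separately from the
    pseudonymized data (e.g. in a vault or HSM the record store cannot read).
    `domain` names the filing system; because it is mixed into the MAC, one
    person receives unrelated pseudonyms in different record sets, so the sets
    cannot be joined on the identifier column without the key.
    """
    message = domain.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, id_field: str, key: bytes, domain: str) -> dict:
    """Return a copy of `record` with `id_field` replaced by its pseudonym."""
    out = dict(record)
    out[id_field] = pseudonymize(record[id_field], key, domain)
    return out


def reidentify(pseudonym: str, known_identifiers: Iterable[str],
               key: bytes, domain: str) -> Optional[str]:
    """Only the key holder can attribute a pseudonym back to a person, by
    recomputing pseudonyms for identifiers it legitimately knows. Returns the
    matching identifier or None. The constant-time comparison avoids leaking
    partial matches through timing."""
    for identifier in known_identifiers:
        if hmac.compare_digest(pseudonymize(identifier, key, domain), pseudonym):
            return identifier
    return None


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def recover_unkeyed(digest: str, candidate_space: Iterable[str]) -> Optional[str]:
    """Anyone can reverse an unkeyed hash of a guessable identifier by
    enumerating the identifier space; no secret stands in the way."""
    for candidate in candidate_space:
        if unkeyed_hash(candidate) == digest:
            return candidate
    return None


def demo() -> dict:
    """Run the scenario end to end and report the properties that matter."""
    key = secrets.token_bytes(32)  # held separately from the records
    hr = pseudonymize_record(HR_RECORD, "employee_id", key, "hr")
    health = pseudonymize_record(HEALTH_RECORD, "employee_id", key, "health")
    # Hypothetical identifier space E-0000..E-9999: only 10,000 guesses.
    id_space = (f"E-{n:04d}" for n in range(10000))
    return {
        "records_linkable_without_key": hr["employee_id"] == health["employee_id"],
        "reidentified_by_key_holder": reidentify(
            hr["employee_id"], ["E-0007", "E-0042"], key, "hr"),
        "reidentified_with_wrong_key": reidentify(
            hr["employee_id"], ["E-0042"], secrets.token_bytes(32), "hr"),
        "unkeyed_hash_recovered": recover_unkeyed(unkeyed_hash("E-0042"), id_space),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key, not the algorithm, carries the protection: it must live under access controls separate from the record store, and its holders are the only people who can re-identify data subjects. The same identifier within one filing system still maps to one pseudonym, so lookups and deduplication inside that system keep working, while joining the HR and health records requires the key. Rotating the key means re-pseudonymizing every record, so plan rotation as a migration rather than a flag flip.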
Data Protection Officer (DPO)
The appointment of a Data Protection Officer (DPO) is mandatory based on the following criteria:
- Data processing is carried out by a public authority or other body performing public functions, except for courts acting in their judicial capacity.
- The core activities of the data controller or data processor consist of processing operations that, by their nature, scope, or purposes, require regular and systematic large-scale monitoring of data subjects.
- The core activities of the data controller or data processor consist of large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offenses.
If the appointment of a Data Protection Officer is mandatory, the following rules apply:
The Data Protection Officer must be appointed based on professional competence, particularly expert-level knowledge of data protection law and practices, as well as the ability to perform data protection tasks.
The Data Protection Officer may be an employee of the data controller or data processor or may perform their tasks under a service contract.
The data controller or data processor must publish the name and contact details of the Data Protection Officer and communicate them to the supervisory authority.
Status of the Data Protection Officer
The data controller must ensure that the Data Protection Officer is properly and timely involved in all matters related to the protection of personal data. It must also provide the necessary resources to maintain the DPO's expert-level knowledge.
The Data Protection Officer must not receive any instructions regarding the exercise of their tasks. The data controller or data processor may not dismiss or penalize the DPO for performing their tasks. The DPO reports directly to the highest management level of the data controller or data processor.
Data subjects may contact the Data Protection Officer regarding all matters related to the processing of their personal data and the exercise of their rights.
The Data Protection Officer is bound by confidentiality or secrecy obligations regarding the performance of their duties.
The Data Protection Officer may also perform other tasks, provided that there is no conflict of interest with their DPO responsibilities.
Tasks of the Data Protection Officer
- Informing and advising the data controller or data processor, and the employees who carry out processing, of their data protection obligations.
- Monitoring compliance with the GDPR, other data protection provisions, and the internal data protection regulations of the data controller or data processor.
- Providing advice on data protection impact assessments upon request and monitoring their performance.
- Cooperating with the supervisory authority and acting as its contact point on processing matters.
Data Protection Incident
A data protection incident refers to a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to transmitted, stored, or otherwise processed personal data.
Inadequate or delayed action in response to a data protection incident may cause physical, material, or non-material harm to individuals, including loss of control over personal data, restrictions on rights, discrimination, identity theft, or fraud.
A data protection incident must be reported to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless it can be demonstrated, in accordance with the accountability principle, that the incident is unlikely to result in a risk to the rights and freedoms of natural persons.
If the data protection incident is likely to result in a high risk to the rights and freedoms of a natural person, the affected individual must be informed without delay so that they can take the necessary precautions.
Data Processing for Administrative and Record-Keeping Purposes
The organization may process personal data in cases related to its activities, as well as for administrative and record-keeping purposes.
Unless the processing is required by a legal obligation, its basis is the voluntary and explicit consent of the data subject, given after receiving appropriate information. The information must cover the purpose, legal basis, and duration of data processing, as well as the rights of the data subject. The data subject must be informed that providing the data is voluntary. Consent to data processing must be recorded in writing.
Data processing for administrative and record-keeping purposes serves the following objectives:
- Managing data of the organization's members and employees, which is based on legal obligations;
- Managing data of individuals in a contractual relationship with the organization for contact, accounting, and record-keeping purposes;
- Managing contact details of representatives of other organizations, institutions, and businesses in a business relationship with the organization, which may include personal contact and identification data.
The above data processing is partly based on legal obligations and partly on the explicit consent of the data subject (e.g., for employment contracts or partner registration on the website).
Where the organization receives written documents containing personal data (e.g., resumes, job applications, other submissions), the data subject's submission is treated as consent to process the data it contains for the purpose of handling that submission. Once the case is closed, unless further use is authorized, the documents must be destroyed and the destruction recorded in a report.
For administrative data processing, personal data is only included in the relevant case files and records. The processing of such data lasts until the documents serving as the basis for processing are disposed of.
To ensure that personal data storage is limited to the necessary duration, administrative and record-keeping data processing must be reviewed annually. Inaccurate personal data must be deleted without delay. Compliance with applicable laws must also be ensured in the case of administrative and record-keeping data processing.
Data Processing for Other Purposes
If the organization intends to carry out data processing not covered by this policy, it must first amend this internal regulation accordingly and incorporate the new data processing purpose with appropriate sub-rules.
Other Documents Related to the Policy
Documents and regulations related to data protection and data processing must be linked to and managed together with this policy. These include, for example, written consent statements for data processing or mandatory privacy policies for websites.
Legal Basis for Data Processing
- Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).
- Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.
- Act LXVI of 1995 on Public Records, Archives, and the Protection of Private Archival Material.
- Government Decree 335/2005 (XII. 29.) on the General Requirements for the Document Management of Public Bodies.
- Act CVIII of 2001 on Electronic Commerce Services and Certain Issues Related to Information Society Services.
- Act C of 2003 on Electronic Communications.
Application of the Data Protection and Data Processing Policy
- Organization Name: Reverto-Global Kft.
- Registered Address: 9090 Pannonhalma, Imre herceg útja 2
- Person Responsible for the Policy's Content: József Kránitz
- Effective Date of the Policy: 01.05.2023
This policy establishes the rules for protecting natural persons regarding personal data processing and the free movement of such data. The provisions of this policy must be applied in all data processing activities and in the issuance of instructions and notices related to data processing.
The obligation to appoint a Data Protection Officer (DPO) applies to all public authorities and bodies performing public tasks (regardless of the type of data processed), as well as to organizations whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of personal data or of data relating to criminal convictions and offenses.
The organization has not appointed a Data Protection Officer.
Scope of the Policy
This policy remains in effect until revoked and applies to the organization’s officers and employees.
Date: 01.05.2023
....................................................
Head of the Organization