DATA MANAGEMENT INFORMATION ON CONNECTAX.HU
I. The appointment of the data controller
RSM Connect Tax Korlátolt Felelősségű Társaság ( referred as Data Controller)
Registered office: 1138 Budapest, Faludi utca 3.
Correspondence address: 1138 Budapest, Faludi utca 3.
Corporate registration number: 01-09-320751
Telephone: +36 1. 886-3700
The controller has not appointed a data protection officer.
II. Legal provisions under which the data processing takes place
To the type of data processing described in this document, the following legal provisions apply:
- Act No CXII of 2011 on the right to informational self-determination and freedom of information;
- Regulation (EU) 2016/679 of European Parliament and of the Council;
1. “data subject”: a natural person identified or identifiable based on any information;
2. “personal data”: any information respective of the subject;
3. “data of public interest”: any information or knowledge recorded in any manner or form that is not considered personal data, and which is being processed by, relevant to the activities of, or arose in connection with the public function of any natural or legal person having public or municipal responsibilities or any other corresponding public duties or functions set out in the applicable legislation, irrespective of its manner of processing, its individual or collective nature, and thus especially of it being data relating to competencies, organisational structure, professional activities and the evaluation thereof that also covers effectiveness, the types of data held, the legislation governing operation, and data in connection with economic management and contracts concluded;
4. “data publicly available due to public interest”: any data that is not considered data of public interest, and to which access, or the availability or knowing thereof is ordered by the law as a matter of public interest;
5. “identifiable natural person”: a natural person is identifiable if his or her identity can be ascertained, either directly or indirectly, in particular by reference to an identifier such as name, number, location data, online identifier, or one or more factors relating to that natural person’s physical, physiological, genetic, mental, economic, cultural or social identity thereof;
6. “data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7. “restriction on data processing”: flagging of personal data stored, with the intent of restricting their processing in the future;
8. “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
9. “filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
10. “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
11. “processor”: a natural or legal person, public authority, agency or other bodies which processes personal data on behalf of the controller;
12. “recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
13. “third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
14. “the data subject's consent”: any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed;
15. “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
16. “enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
17. “group of undertakings”: a controlling undertaking and its controlled undertakings;
18. “supervisory authority”: an independent public authority created in accordance with Article 51 of the Regulation, which in Hungary is the Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information);
19. “processing of personal data across borders”:
a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
20. “information society service”: a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);
IV. Data processing on the website run by the controller
1. Scope of data processed and the purpose of the processing
a) name: We process the names of natural persons when visitors, potential customers provide contact information on a quote. The purpose of the data processing is to keep in touch and to identify the persons involved.
b) e-mail address: We process the email address of natural persons when the visitor provides contact information on a quote. The purpose of the data management is to communicate, to identify the persons involved, to provide information related to the application subject to the call for proposals.
c) phone number: it allows easier contact in case of proposal request.
d) cookies: To be able to fully benefit of certain services of the website, we would like to recommend enabling cookies. A cookie is a small passage containing personalised information which the data subject’s browser stores on their computer. The purpose of cookies is to help us in identifying recurring visitors, implementing customised visitor functions, and managing user logins (identification, verification). If you are seeking to learn more about our cookies, you can obtain additional information on the following website:
e) Data are given by Google (Google Analytics service): data processing is carried out solely for statistical purposes, for the Controller to be able to improve user experience using the website’s traffic data.
2. Legal basis for data processing
The legal basis for data processing regarding data provided for a proposal (points 1 (a) to (c)) is the Article 6 of the Decree (1) (b),so data management is required in order to allow the Data Controller to respond to the quotation request. If you refuse to provide the requested data, contact or proposal will be impossible.
In the event the requested data is not given, contacting or sending the newsletter can be hindered. In the event the data required by the provisions of the law on money laundering is not given, the conclusion of a contract will be rendered impossible.
If you are seeking to learn more about Google Analytics, you can obtain additional information on the following website: https://support.google.com/analytics#topic=3544906
You can also restrict the access of Google Analytics with the use of the application downloadable from the following website: https://tools.google.com/dlpage/gaoptout?hl=en
Data collected through Google Analytics can be stored by Data controller as statistics, and will not know personal information.
3. Period of data processing
Data given for the purpose of proposal request will be erased after withdrawal of the consent to the Controller or, after a period of 3 years in the event of a contract is not concluded.
4. Access to data and data protection measurements
4.1. Access to data and transmission thereof
Personal data given by the data subject can be accessed by the appointed personnel of the Controller and the executive officers of the Controller.
Data transfer is possible only in the following cases:
a. In course of the program and website development, the staff of the company entrusted with the development may have access to the data, solely for the purposes of programming.
b. In the IT background maintenance, the IT staff members may have access to the data, solely for the purpose of performing maintenance tasks.
c. In cases involving legal assistance, the data may be transferred to the law firm appointed by the Data Controller.
d. The data will be transferred for storage to the storage provider company, but this entity is not entitled to know this data.
e. The Data Controller uses a data processor to handle and respond to quotation requests.
In instances other than the above, the Controller only shares personal data with other persons, public bodies or authorities if it is required by legal provisions. Thus, if, for instance:
- a legal proceedings started in relation to the data subject, and the court seized requires (inter alia) documents containing the personal data of the data subject;
- an investigative authority contacts the Controller, and requests the forwarding of (inter alia) documents containing the personal data of the employee;
- another authority, when acting in its legal capacity, requests (inter alia) documents containing the personal data of the data subject.
4.2. Data protection measurements
The Controller stores all data given by the data subject on the servers located in its registered office (1138 Budapest, Faludi utca 3.), that is protected by a 24/7 security service. For the processing of personal data, the Controller employs the services of Google (Analytics) . If data given during the use of these services abroad, the location of data processing is the United States of America. The safety of the data processing is guaranteed by the Privacy Shield agreement with the United States of America. User data access is provided by the Data Controller based on the principles of "Principle of least privilege".
The Controller shall take appropriate measures to ensure the protection of personal data inter alia from unauthorised access or alteration. In order to prevent unauthorized access to the systems, the Data Controller regularly reviews its data collection, storage and processing practices.
5. Rights related to data processing
5.1. The right to request information
The data subject can request information from the Controller in writing, using the contact details given in Clause I, relating to:
- what personal data,
- on what legal basis,
- for what purpose of processing,
- from what source,
- and for what period the data is being processed,
- to whom, when, on what legal basis, and to what personal data did the Controller give access to, or to whom did it forward their personal data.
The Controller shall adhere to the data subject’s request by sending the information via mail to the address given by the employee within 30 days.
5.2. The right of rectification
The data subject can request the alteration of personal data from the Controller in writing, using the contact details given in Clause I (for instance, he or she can change his or her e-mail address anytime). Prior to adhering to the request, the Controller may request adequate proof of the change in personal data (for instance in the event of a change of home address, or change of name). The Controller shall adhere to the data subject’s request within 30 days and confirm it via mail to the address given by the data subject.
5.3. The right to erasure
The data subject can request the erasure of their personal data from the Controller in writing, using the contact details given in Clause I. The Controller refuses the request if it’s obligated by a legal provision or an internal policy to keep storing the personal data. If no such obligation exists, the Controller shall adhere to the data subject’s request within 30 days and confirm it via mail to the address given by the data subject.
5.4. Right to have data blocked
The data subject can request in writing that the Controller blocks their personal data, using the contact details given in Clause I. The blocking shall be maintained until the reason given by the data subject makes it necessary to do store it. The data subject may request the blocking of the data if, for instance, he or she thinks that the Controller has processed it unlawfully, but it is necessary for the administrative or legal proceedings that the data subject initiated that the Controller does not erase the data. In this case, Controller shall store personal data until the authority or the court requests, after which it shall erase said data.
5.5. Right to data portability
The data subject is entitled to receive the data he or she provided to a controller in a structured, widely used format, readable by a computer; and is entitled to forward this data to another controller; so upon request, the Controller provides the data subject with the data burned on a portable data storer.
5.6. The right to object
The data subject can object to the data processing in writing, using the contact details given in Clause I, should the Controller use or forward personal data for the purposes of direct marketing, public opinion poll, or scientific research. Thus, for instance, the data subject can object to the Controller using his or her personal data for the purpose of scientific research without consent. The data subject may object to the data processing even if it is believed that the processing is only used to comply with a legal obligation, or to enforce a given right, except for data processing based on regulatory authorization. Thus, he or she cannot object to the Controller forwarding their request containing his or her personal data to the authorities.
6. Enforcement of rights related to data processing
6.1. Initiating legal proceedings
The data subject can initiate a civil lawsuit if he or she believes his or her personal data was processed in a way that is considered unlawful. The hearing of the case falls within the jurisdiction of the general court. The list and contact data of the general courts can be found on the following link: http://birosag.hu/torvenyszekek
6.2. Notification to the Supervisory Authority
The data subject may initiate investigations via notification, claiming that by the processing of his or her personal data he or she has suffered the impairment of a right, at:
Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information):
1530 Budapest, Mailbox. 5.
1125 Budapest, Szilágyi Erzsébet fasor 22/c
+36 1 391 1400
+36 1 391 1410 (fax)