IBV HUNGÁRIA KFT. 

DATA PROTECTION POLICY

1. SCOPE OF THE POLICY

The personal scope of the Policy covers the natural person clients that are in contact with IBV Hungária Kft the data controller, and all those employees by or persons employed by IBV Hungária Kft in the framework of another relationship that is directed at employment, who process personal data during their work or in connection with their work, and to those employees or persons employed in the framework of another legal relationship that is directed at employment, whose data are processed by the Company, the data controller.

In respect of the personal scope of the Policy, the tenderer, or the employee, whose employment relationship had already terminated at employer, the data controller, has to be considered an employee in the following part of this document.

2. PURPOSE OF THE POLICY

IBV Hungária Kft (hereinafter referred to as. “Company”) establishes this data protection and data processing policy (hereinafter referred to as: “Policy”) in the interest of the enhanced protection of the personal data of the natural person clients, or employees and other natural persons that get into contact with the Company, as well as the lawful, decent and transparent processing of these personal data.

3. DESCRIPTION OF THE ACTIVITY

3.1. Data protection organisation

The Company operates a separately defined, independent data protection organisation in the interest of being compliant with the GDPR, which organisation it defined as follows:

  • Executive
  • HR generalist, as the central data protection person
  • the leaders of the organisational units, as the professional area data protection persons
  • System administrator, as the data security (IT) person
  • subordinate employees that deal with data processing

3.2. Registrations of the main data processing operations of the Company

The Company records a detailed register on its data processing activities, which includes

  • the purpose of data processing,
  • the categories of the data subjects,
  • the categories of the personal data,
  • the deadlines set for erasing the data categories,
  • the description of the technical and organisational measures,
  • the categories of those addressees, with whom it may communicate or to whom it mayforward personal data.


The Company registers its data processing operations by organisational units.

3.3. Possible legal bases of data processing

The legal basis that are connected to the purpose of data processing may be the following at the Company:

  • consent [Section 6 (1) a) of the GDPR],
  • performance of the legal obligations [Section 6 (1) c) of the GDPR],
  • signing the contract [Section 6 (1) b) of the GDPR],02.HR.SZ.13.
  • Data Processing and Data Protection Policy

  • performance of the contract [Section 6 (1) b) of the GDPR],
  • consent [Section 6 (1) a) of the GDPR],
  • assessment of the justified interest [Section 6 (1) f) of the GDPR],
  • protection of the vital interest of the data subject or of another natural person [Section 6(1) d) of the GDPR].

3.3.1. Identification of the possible legal bases of data protection

Establishing the legal basis that corresponds to the purpose of data processing, based on the instruction of the central data protection person is the task of the professional area data protection persons.

3.4. Limited storability

The central data protection person of the Company, in line with the data processing operations included in the register of data processing activities, for their purpose and for their legal use defines erasure deadlines and it takes the necessary steps according to these deadlines for inspecting the execution of the erasures.

Erasing those data, the processing of which is not needed is the task of the professional area data protection person that directly processes the data.

3.5. Data security

The Company in addition to the technical and organisational measures that are defined in this Policy, established also a separate information security policy, which sets forth the methods and conditions of the application of the data security principles. The authorisation levels defined by the Company limit access both on the side of the data controller and on the side of the data processor. In the interest of the security of the IT systems the Company operates a fire wall, and a virus searching and virus eliminating program for preventing external and internal data losses.

3.6. Information to be provided for the data subjects

The Company informs the data subjects during the processing of the data – without any separate request – about the following:

  • the personal and contact data of the data controller
  • the purpose of data processing
  • the legal basis of data processing
  • the range of the data processed
  • addressees, data forwarding
  • addressees, data processing
  • range of data subjects
  • duration of data processing
  • source of the personal data (if the data were obtained by the Company from third persons)
  • method of data processing (manual or automated)
  • technical and organisational measures
  • rights of the data subject and the exercising of these rights

For the purpose of providing information for the data subjects, the Company defines the following:

For those job seekers, who ask questions at the email address of allas@ibv.hu in automatic response messages. Providing information on the processing of data is done verbally in the case of personal inquiries.
In the case of visitors, the Company uses attention raising notices concerning the using of the camera system, and the Company ensures the physical availability of the Camera Policy at the freight and personal reception, and at the reception, moreover, electronically through the email address of kamera@ibv.hu.
The accessibility of the Data Processing Policy on the website is ensured.

3.7. Facilitating the exercising of the rights of the data subjects

The following rights are due to the data subject in connection with his/her personal data:

3.7.1. Right to being informed

The data subject is entitled to ask information from the Company about the circumstances that are connected to data processing, which request the Company will fulfil through providing the following data processing information simultaneously with processing the data:

  • Information on data processing connected to job tenders
  • Information on data processing that is connected to the employment relationship
  • Information on using the camera system

The central data protection person of the Company is competent in respect of the data subject’s other questions involving the processing of the data.

3.7.2. Right to access

The data subject is entitled to get feedback from the data controller on whether the processing of his/her personal data is in process or not, and if this kind of data processing is ongoing, he/she is entitled to get access to his/her personal data and to the information that is connected to the processing of the data.

3.7.3. Right to erasure

Data subject is entitled to have the personal data referring to him/her erased by the Company upon his/her request without any unjustified delay. The Company will erase the personal data referring to the data subject without any unjustified delay, provided the personal data are already not needed for the purpose for which they were collected or processed in any other manner, or if they managed the personal data unlawfully.The request of the data subject concerning this aspect has to be also forwarded to the central data protection person of the Company in each case.

3.7.4. Right to limiting the processing of the data

The data subject is entitled to have the Company limiting the processing of the data, in case the following conditions exist:

  • in the case of unlawful data processing, provided the data subject objects to the erasure of the data and instead of this he/she asks the restriction of their use,
  • the Company does not need any more the personal data for the purpose of data processing, but the data subject needs them for the purpose of presenting, enforcing or protecting legal demands,
  • the data subject may object to the processing of the data, and in this case the limitation refers to the period during which it will be established whether the justified reasons of the data controller enjoy priority compared to the justified reasons of the data subject or not.

If the data processing belongs under limitations, the personal data of this kind may be processed – except storage – only with the consent of the data subject or for the presentation, enforcement or protection of legal demands or in the interest of the protection of the rights of another natural or legal person or in the interest of any important public interest of the European Union or one of the member states.The request of the data subject concerning this aspect has to be also forwarded to the central data protection person of the Company in each 

3.7.5. Right to object

The data subject is entitled to object due to reasons that are connected to his/her situation against the processing of his/her personal data done on the basis of the interest assessment of the Company. In this case the data controller may not continue the processing of the personal data, except, if data controller proves that the processing of the data are justified by such coercive lawful reasons, which enjoy priority compared to the interests, rights and freedoms of the data subject, or which are connected to the presentation, enforcement or protection of legal demands.

The request of the data subject concerning this aspect has to be also forwarded to the central data protection person of the Company in each case.

3.7.6. Right to legal remedy

The right to legal remedy is due to the data subject. If data subject wishes to complain in connection with the processing of his/her personal data, the data subject is entitled to submit a complaint to both the data controller and the supervisory authority, and to exercise law enforcement at the court. In the case of law enforcement at the court, the data subject may initiate the lawsuit according to his/her arbitrary choice either at the regional court that has jurisdiction in respect of his/her home address or the regional court that has jurisdiction in respect of his/her place of residence.

3.7.7. Right to rectification, to be forgotten and to data portability

The right to rectification, to be forgotten and to data portability is due to the data subject in respect of the processing of his/her personal data.

The request of the data subject concerning this aspect has to be also forwarded to the central data protection person of the Company in each case.

3.8. Regime of managing and reporting data protection incidents

Each colleague of the Company is obliged to report each data protection incident he/she becomes aware of to the central data protection person without any delay.

3.8.1. Notifying the central data protection person about the data protection incident

The notice has to contain the following data:

  • the name of the person detecting the data protection incident,
  • if the person detecting and the person reporting the data protection incident are differentpersons, then the name of the person reporting the data protection incident,
  • the brief description of the data protection incident,
  • the fact whether the detected data protection incident involves the IT system of theCompany or not,
  • the range of the data that are involved in the data protection incident and theirapproximate number,
  • the range of persons involved in the data protection incident and their approximatenumber,
  • the probable consequences of the data protection incident, and
  • the measures that were introduced for the remediation and mitigation of the dataprotection incident.

The notice concerning the detection of the data protection incident has to be sent without delay even if the above data are not fully available at the moment of reporting. The missing data have to be sent without delay to the central data protection person, the moment they are become available.