DATA PROTECTION POLICY
AUTÓFLEX-KNOTT
Közlekedési Eszközöket Gyártó Szolgáltató és Kereskedelmi Kft.
Seat: 6000 Kecskemét, Kadafalva-Heliport hrsz:11751/1.
Company registration number: 03-09-000338
Tax number: 10263648-2-03
Prepared by: Value Data Solutions Kereskedelmi és Szolgáltató Kft.
Seat: 6050 Lajosmizse, Bajcsy-Zsilinszky u. 78.
Company registration number: 03-09-131294
Tax number: 25947539-2-03
Vincze Katalin Gizella – data protection official
I. PURPOSE AND SCOPE OF THE POLICY, DEFINITION OF DATA CONTROLLER
The purpose of this policy is to set out the basic rules for the processing of data to ensure that the privacy of natural persons is respected by data controllers. It covers all handling and processing of data on the territory of Hungary that relates to data of natural persons and data of public interest or publicly available based on public interest.
The policy is based on the following legislation in force:
- Act No. CXIX of 1995 on the processing of name and address data for research and direct marketing purposes
- Act No. CVIII of 2001 on certain aspects of electronic commerce services and information society services
- Act No. CXII of 2011 on the right to informational self-determination and on the freedom of information
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
- The Constitution of Hungary
- Act No. V of 2013 on the Civil Code
- Act No. I of 2012 on the Labour Code
- Act No. C of 2012 on the Criminal Code
- Act No. C of 2003 on Electronic Communications
- Act No. CLXV of 2013 on Complaints and Notifications of Public Interest
- Act No. XCII of 2003 on Taxation
- Act No. I of 2013 on the Electronic Information Security of State and Local Government Bodies
- Act No. XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity
- Accounting Act of 2000
- Act LIII of 2017 on Preventing and Combating Money Laundering and Terrorist Financing
- Act No. CLI of 2017 on Tax Administration Procedure
- Act No. LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives
- Act No. CLXIV of 2005 on Trade
- Act No. LXXXVIII of 2012 on the Market Surveillance of Products
- Act No. LXXVI of 2009 on the General Rules of the Commencement and Performance of Service Activities
- Act No. C of 1990 on Local Taxes
- Ministerial decree No. 16/2008. (VIII. 30.) NFGM on the safety requirements of machines and the certification of their conformity
- Ministerial decree No. 5/1990. (IV. 12.) KöHÉM on the technical inspection of road vehicles
- Government decree No. 57/2013. (II. 27.) on certain production and service activities which may be carried out on the basis of a site licence or notification of the establishment of a site, and on the procedures for the granting of site licences and the rules for notification
Date: Lajosmizse, 17 September 2018
Details of the Data Controller:
Company name: AUTÓFLEX-KNOTT Közlekedési Eszközöket Gyártó Szolgáltató és Kereskedelmi Kft.
Company registration number: 03-09-000338
Seat: 6000 Kecskemét, Kadafalva-Heliport, Hrsz: 11751/1.
Tax number: 10263648-2-03
Details and contact information of the Data Protection Officer involved in the preparation of this data protection policy:
Value Data Solutions Kft. (6050 Lajosmizse, Bajcsy-Zsilinszky u. 78.) – Vincze Katalin Gizella – v.datakft@gmail.com
During its activities, AUTÓFLEX-KNOTT Közlekedési Eszközöket Gyártó Szolgáltató és Kereskedelmi Kft. (hereinafter referred to as the “Data Controller”) shall pay particular attention to the protection of personal data, compliance with mandatory provisions, safe and fair data processing.
The Data Controller shall in all cases process the personal data provided to it in compliance with the applicable Hungarian and European legislation and ethical requirements and shall in all cases take the technical and organisational measures necessary for the proper and secure processing of the data.
The data controller reserves the right to change the privacy policy, in which case the amended policy will be published to the public.
Key principles covered by this Policy
Personal data may be processed only if the data subject consents in writing, in the case of special data, or if it is ordered by law or by a decree of a local authority, on the basis of a law and within the scope specified therein.
Personal data may be processed only for specified purposes, for the exercise of rights and the performance of obligations. The processing must comply with this purpose at all stages.
Only personal data that are necessary and adequate for the purpose of the processing may be processed, and only to the extent and for the duration necessary for that purpose.
II. THE PURPOSE OF THE PROCESSING WITHIN THE ORGANISATION
AUTÓFLEX-KNOTT Közlekedési Eszközöket Gyártó Szolgáltató és Kereskedelmi Kft. shall act in the course of its business activities in accordance with the provisions of these Regulations.
AUTÓFLEX-KNOTT Közlekedési Eszközöket Gyártó Szolgáltató és Kereskedelmi Kft.’s main economic activity is the manufacture of motor vehicle bodies and trailers.
This policy sets out the processing of personal data obtained by the company during all its activities.
Processing means any operation or set of operations which is performed upon the data, whatever the procedure used, in particular any collection, recording, organisation, storage, alteration, use, download, transmission, disclosure, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound or image recordings and recording of physical characteristics which can be used to identify a person.
The main objective in relation to customers is to comply with the purpose limitation principle in the processing of personal documents under the anti-money laundering legislation. In all cases, when copying documents to identify persons, the Company will draw up a consent form and inform the customer of the duration and purpose of the records.
In processing the personal data available to it, the Data Controller may, based on the consent of the customer, send an electronic message with commercial content.
The Data Controller shall not disclose tax secrets or other documents provided by the customer to third parties without the written consent of the customer, except for its obligations under the law. It shall keep business secrets of which it becomes aware and shall not disclose them to third parties.
The Data Controller shall be responsible for:
– Compliance with the provisions of the applicable legal regulations (Labour Code, Income Tax Act, Tax Act, CLI/2017.) in the recording and storage of data of employees, customers, clients and suppliers.
– The Data Controller shall destroy the personal documents copied for the contracts if the business negotiations initiated do not lead to a result.
– Preparing a confidentiality statement – compliance with the rules on business confidentiality, written warning of the legal consequences of breaching them to the parties concerned (employees, business partners, accounting service providers).
– Restrict employee access to customer data by documenting physical, operational and technical security requirements.
The legal basis for the processing is the legitimate interest of the contractor, based on a legal requirement, a contractual performance obligation or voluntary consent, and the purpose of being able to prove contractual performance in the event of a dispute. The legal grounds for processing used in this policy have been determined after a balancing of interests test.
III. DATA PROTECTION MEASURES WITHIN THE ORGANISATION, SECURITY OF DATA MANAGEMENT
In particular, the Data Controller shall protect the data against unauthorised access, alteration, transmission, disclosure, deletion or destruction and against accidental destruction or damage. The Data Controller, together with the server operators, shall ensure the security of the data by technical, structural and organisational measures which provide a level of protection appropriate to the risks associated with the processing.
We ask you to provide wage and employment data in order to comply with our legal obligations, which are necessary for subsequent social security, tax and other mandatory returns and records. Their storage and retention period is determined by the Labour Code and the personal income tax and social security legislation in force. The documents and data necessary to determine length of service and to calculate pensions must be retained throughout the duration of the company for the purpose of calculating the employee’s subsequent period of employment.
Computers, laptops, tablets and company phones provided by the Company to the employee for work purposes may only be used by the employee for the performance of his/her job duties, and the Company prohibits their private use. Employees may not process or store any personal data or correspondence on these devices, unless permitted by the Company’s internal rules. The employer may check the data stored on these devices in the presence of the employee.
The data subject may also give his or her consent in the context of a written contract with the Data Controller in order to perform the contract. In this case, the contract must contain all the information that the data subject needs to know in relation to the processing of personal data, in particular the identification of the data to be processed, the duration of the processing, the purposes of the processing, the transfer of the data, the use of a processor. The contract must state clearly that, by signing it, the data subject consents to the processing of his or her data as provided for in the contract.
The right to the protection of personal data and the privacy rights of the data subject must not, unless an exception is provided for by law, be prejudiced by other interests in the processing, including the disclosure of data of public interest.
The physical, operational and technical security of the storage, disposal, use, processing and transmission of data is carried out in accordance with the law and is accurately documented. The logging and recording of the above activities is traceable from the system operated by the company. The form of deletion, rectification, blocking of data and the related records are recorded in the logs of the programs used by the company. This policy includes information on the right to object, the refusal to object (by reference to a legal provision), and the means of identification of the data subject. In the event of a data breach, the protocol to be followed is, after informing the company representative, to contact the system operator without delay in order to avoid further loss of data. Following a data breach, the primary task is to inform the data subjects, with the involvement of the data protection officer, to provide accurate documentation of the measures taken, and to organise data recovery with the involvement of experts, if possible.
For tax purposes, supporting documents used for the assessment of taxes must be kept until the right to assess the tax expires, i.e. for 5 years.
We are legally obliged to include the customer’s address when invoicing. In this case, the legal basis for data processing is CVIII/2001, Article 13/A (2), which allows our company to process personal data relating to the use of the service for the purpose of invoicing the fees resulting from the contract for the provision of the service. The duration of the processing is the obligation to keep the accounting records directly and indirectly supporting the accounting, i.e. 8 years, pursuant to Article 169(2) of Act C of 2000 on Accounting. This includes documents that support the accounting treatment of an economic event. Annual accounts, annual reports, inventories, general ledger extracts, logbooks, analytical and detailed records must also be kept for 8 years.
Exceptions to this rule include, for example, receipts for services provided remotely, which must be kept for 10 years from the last day of the year in which the service was provided.
IV. THE SECURITY OF DATA MANAGEMENT OF IT SYSTEMS WITHIN THE ORGANISATION
We offer our customers and interested parties the possibility to contact us by mail. The e-mail address is mandatory for the identification of the user. The legal basis for processing in this case is the consent of the data subject. The consent is required in accordance with 5. § (1) of the law CXII/2011. For this purpose, the data will be processed until the consent is withdrawn, but at the latest for one year after the last correspondence. After that, your data will be deleted from our contact list.
In the case of the purpose of the processing, our right to process your personal data ceases upon completion of the contract after the electronic correspondence is closed. However, in order to be able to prove, in the event of a dispute, that we have properly performed the contract and have fully delivered what we have undertaken, it is necessary that these system messages are kept until the end of the limitation period, i.e. for 5 years after the system message was sent, pursuant to Section 6:22 of Act V of 2013 on the Civil Code (“Ptk.”).
Employees are only allowed to access websites related to their job duties, and the employer prohibits the use of the Internet for personal purposes at work, unless the Company’s internal rules allow it. Internet registrations made on behalf of the Company as part of the employee’s job duties are authorised by the Company, and the registration must be made using a Company ID or password. If the provision of personal data is also required for registration, the Company shall initiate their deletion upon termination of employment. The employer may monitor the employee’s use of the Internet at work in the presence of the employee.
Data processing related to the verification of the use of your e-mail account:
If the Company makes an e-mail account available to the employee, the employee may use this e-mail address and account solely for the purposes of his/her job duties, in order to keep in touch with each other or to correspond with clients, other persons or organisations on behalf of the employer.
The employee may not use the e-mail account for personal purposes and may not store personal mail in the account. The employer is entitled to check the entire content and use of the e-mail account on a regular basis – every 3 months – in the presence of the employee, the legal basis for data processing being the legitimate interest of the employer.
The purpose of the inspection is to verify compliance with the employer’s provision on the use of e-mail accounts and to check the employee’s obligations (§ 8, § 52 of the Labour Code).
The manager of the employer or the person exercising the employer’s rights is entitled to carry out the inspection. Where the circumstances of the inspection do not preclude this, it must be ensured that the employee is present during the inspection.
Prior to the check, the employee must be informed about:
– the employer’s interest in the check,
– who on the employer’s side may carry out the check,
– the rules according to which the check may be carried out (compliance with the principle of gradual approach) and the procedure to be followed,
– the employee’s rights and remedies in relation to the processing of data in connection with the check of the e-mail account.
The principle of gradualness should be applied in the verification, so that the address and subject of the e-mail should be the primary basis for determining that it is related to the employee’s job duties and not personal. The content of non-personal e-mails may be examined by the employer without restriction.
If, contrary to the provisions of this policy, it can be established that the employee has used the e-mail account for personal purposes, the employee should be requested to delete the personal data immediately.
In case of absence or non-cooperation of the employee, the personal data will be deleted by the employer upon verification. The use of the e-mail account in violation of this policy may result in the employer taking legal action against the employee under labour law. The employee may exercise the rights set out in the chapter of this Code on the rights of the data subject in relation to the processing of data in connection with the monitoring of the e-mail account.
The Data Controller uses the cooperation and services of the following website and server providers for its activities:
SILICON DREAMS Számítástechnikai, Informatikai és Kereskedelmi Korlátolt Felelősségű Társaság (6000 Kecskemét, Kőhíd utca 12. 1st floor 1. tax number: 23173080-2-03)
3LAN Kereskedelmei és Szolgáltató Korlátolt Felelősségű Társaság (6000 Kecskemét, Szolnoki út 1., tax number: 11425971-2-03);
Website: https://www.autoflex.hu
V. RIGHTS OF DATA SUBJECTS
In all cases, the data controller processes personal data in the course of its activities on the basis of a legal requirement or voluntary consent. In some cases, in the absence of consent, the processing is based on other legal bases or on Article 6 of Regulation 2016/679 of the EU Parliament and of the Council (GDPR).
The data subject may request the controller to inform him or her about the processing of his or her personal data, to rectify his or her personal data and, except for mandatory processing, to erase or block his or her personal data.
At the request of the data subject, the controller shall provide information about the data of the data subject processed by the controller or by a processor to whom the controller or the processor has delegated the processing, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the processor and the activities of the processor in relation to the processing, the circumstances of the personal data breach, the effects of the personal data breach and the measures taken to remedy the personal data breach, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.
The Controller shall erase personal data if the processing is unlawful, if the data subject requests it, if it is incomplete or inaccurate (and this situation cannot be lawfully rectified), provided that erasure is not excluded by law, if the purpose of the processing has ceased, if the statutory period for storing the data has expired or if it has been ordered by a court or the data protection official.
It shall notify the data subject of the rectification and erasure and all those to whom it has previously disclosed the data for processing purposes. Notification may be omitted if this does not harm the legitimate interests of the data subject having regard to the purposes of the processing. The user is responsible for the accuracy of the personal data provided.
The data subject may object to the processing of his or her personal data if the processing (transfer) of the personal data is necessary solely for the purposes of the exercise of a right or legitimate interest pursued by the controller or the recipient of the data, unless the processing is required by law, the use or transfer of the personal data is for direct marketing, public opinion polling or scientific research purposes, or the exercise of the right to object is otherwise permitted by law.
The Data Controller shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, and inform the applicant in writing of the outcome of the examination, with the simultaneous suspension of the processing. If the objection is justified, the controller shall be obliged to terminate the processing, including further recording and transmission, and to block the data, and to communicate the objection and the action taken on the basis of the objection to all those to whom the personal data concerned by the objection have been previously disclosed and who are obliged to take measures to enforce the right to object.
The data subject may take the controller to court or to the data protection authority if his or her rights are infringed.
VI. EXPLANATORY PROVISIONS
In our policy, data protection terms have the following meanings:
Personal data: any data that can be associated with a specific natural person (identified or identifiable) (hereinafter referred to as “data subject”), and any inference that can be drawn from the data concerning that data subject. The personal data shall retain this quality during the processing for as long as its link with the data subject can be re-established. In particular, a person shall be regarded as identifiable where he or she can be identified, directly or indirectly, by reference to a name, an identification mark or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Consent: a voluntary and explicit expression of the data subject’s wishes, based on adequate information, by which he or she gives his or her explicit consent to the processing of personal data concerning him or her, whether in full or in relation to specific operations.
Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the termination of the processing or the deletion of the processed data.
Data Controller: the natural or legal person or unincorporated body who, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements the decisions concerning the processing (including the means used) or implements them with the Processor.
Data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound or image recordings and recording of physical characteristics which can be used to identify a person.
Transfer of data: making data available to a specified third party.
Disclosure: making the data available to anyone.
Erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it.
Data marking: the marking of data with an identification mark to distinguish it from other data.
Data blocking: the marking of data with an identifier in order to limit its further processing permanently or for a limited period of time.
Data destruction: the complete physical destruction of the medium containing the data.
Data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data.
Data processor: a natural or legal person or an unincorporated body which processes data based on a contract, including a contract concluded pursuant to a legal provision.
Data set: the set of data managed in a single register.
Third party: a natural or legal person or an unincorporated body other than the data subject, the controller or the processor.
EEA State: a Member State of the European Union and another State party to the Agreement on the European Economic Area, and a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty between the European Union and its Member States and a State not party to the Agreement on the European Economic Area.
Third country: any state that is not an EEA State.
Data breach: unlawful treatment or processing of personal data, in particular unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction or accidental damage.
SUPERVISORY BODIES:
Competent District Court – in civil law cases
In case of a data breach, misuse of personal data:
Name: National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Phone: (+36) – 1-391-1400
Fax: (+36) -1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Website: naih.hu
Lajosmizse, 27 September 2018
Prepared by: Value Data Solutions Kft. – Vincze Katalin Gizella data protection official