Data Processing Policy

The aim of the present data processing policy (hereinafter referred to as the Policy) is to ensure that the personal data of applicants (hereinafter referred to as the Data Subject(s)) visiting the www.myad.hu website (hereinafter referred to as the Website) and submitting their CVs, of natural persons who are contractual partners of MyAd Marketing Kft., of natural persons who are contractual partners of a contractual partner that is not a natural person, and of other natural persons specified in a contract (e.g. contact persons) (hereinafter referred to as the Data Subject(s)) will be processed in a lawful, fair and transparent manner, with information provided in compliance with Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter referred to as the Information Act). In line with this, the present Policy contains the purpose and legal basis of data processing activities, the storage period of personal data, and the rights and available legal remedies of the Data Subjects with regard to the processing of their personal data.

The operator of the Website is MyAd Marketing Kft. (registration number: Cg.01-09-178437, seat: H-1033 Budapest, Szentendrei út 95.) (hereinafter referred to as the Service Provider or the Controller). The Service Provider is committed to the protection of the personal data of the Data Subject and pays particular attention to compliance with legal regulations when processing personal data.

The provisions of the Information Act and of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) apply to the data processing activities defined in the present Policy, as specified under the individual processing activities.

The Service Provider specifically draws the attention of the Data Subjects to the fact that if they have consented to a data processing activity specified in the present Policy, they have the right to withdraw this consent anytime as specified herein.

 

The Website may contain links to other websites over the data processing policies of which the Service Provider has no influence. If the User leaves the Website through such a link, the data processing policy of the website visited this way applies to the processing of his or her personal data.

Basic principles relating to the processing of personal data:

• The Service Provider processes data lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
• The Service Provider collects data for specified, explicit and legitimate purposes (‘purpose limitation’);
• Personal data are limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
• Data processing is, to the best of the controller’s ability, accurate and kept up to date (‘accuracy’);
• Personal data are kept in a form that is limited to the time period necessary (‘storage limitation’);
• Data are processed in a manner that ensures appropriate security of the personal data (‘integrity and confidentiality’).

PROCESSING OF PERSONAL DATA

 

1. DATA PROCESSING

1.1. Responding to job advertisements

The Service Provider stores the applications and CVs submitted.

Purpose of data processing	Legal basis of data processing	Scope of data processed	Duration of data processing
To apply for a job at the Service Provider and participate in the selection process	Data Subject’s consent	Motivational letters, CVs and the personal data provided therein	6 months from the date the application is submitted; if the applicant is hired by the Service Provider, the policy for processing employee data also applies.

 

Data Subjects are advised that if an applicant does not provide his or her personal data, the Data Subject cannot apply for positions advertised by the Service Provider.

1.2. Personal data specified in contracts

The Service Provider keeps and stores paper copies of the contracts concluded.

Purpose of data processing	Legal basis of data processing	Scope of data processed	Duration of data processing
To process the data of contact persons specified in contracts so that contracts can be executed. To process the data of natural persons as contracting parties so that contracts can be executed.	Data Subject’s consent	Data specified in contracts (contact persons): name, phone number, email. Data specified in contracts (contact persons): name, mother’s name, date and place of birth; address; tax identification number; phone number, email.	For the duration of the contract and after that at least until the expiry of the warranty period arising from the contract or the end of the limitation period. In case of a legal dispute, while litigation continues.

 

1.3. Provisions regarding the processing of data of natural persons and contact persons of legal persons who participate in promotions or get into contact with MyAd Marketing Kft. through its other services

Purpose of data processing	Legal basis of data processing	Scope of data processed	Duration of data processing
The processing and technical processing of personal data of natural persons, including the contact persons of legal persons, who participate in promotional activities announced or managed by MyAd Marketing Kft or get into contact with MyAd Marketing Kft through its other services (hereinafter jointly referred to as the Participants) is performed by MyAd Marketing Kft confidentially and, in compliance with relevant regulations and the provisions of the present Policy, is limited to the intended purpose.	By providing their data and agreeing to the present Data Processing Policy, the Participants consent, in advance and explicitly, for their personal data to be processed by MyAd Marketing Kft.	Unless the parties agree otherwise in writing, the scope of the Participants’ data processed is the following: Participant’s name, mother’s name at birth, place and date of birth, address or place of residence, email address, bank account number. The Participant is responsible for the accuracy and authenticity of the data he or she provides.	MyAd Marketing Kft processes data for 5 years after the expiry of the contract, until the withdrawal of consent (cancelling of subscription) or the statutory deadline.

In case of promotions, MyAd Marketing Kft may announce a separate data processing policy with terms and conditions of data processing different from the ones provided for herein.

1.4. Provisions regarding the processing of data of natural persons who get in contact with the Service Provider in relation to press releases issued and at press conferences

Purpose of data processing	Legal basis of data processing	Scope of data processed	Duration of data processing
To send invitations to members of the press to press conferences held by MyAd Marketing Kft and provide information to persons participating in the press conference. To send press releases issued by MyAd Marketing Kft to members of the press. The processing and technical processing of personal data of natural persons who participate in press conferences managed by MyAd Marketing Kft (hereinafter referred to as the Participants) is performed by MyAd Marketing Kft confidentially and, in compliance with relevant regulations and the provisions of the present Policy, is limited to the intended purpose.	Data Subject’s consent	Name, media organisation represented, contact information (email). The Participant is responsible for the accuracy and authenticity of the data he or she provides.	MyAd Marketing Kft processes data until the withdrawal of consent or the statutory deadline.

1.5 Other

We provide information on processing activities not provided for herein at the time the data are recorded. The court, the prosecutor, the investigating authority, the authority dealing with administrative offences, the administrative authority, the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, hereinafter referred to as NAIH), and other bodies authorised by law may contact the Service Provider to request information and request data to be provided and transferred and documents to be made available. The Service Provider provides the authorities – if the authority has indicated the exact purpose and scope of the data – with only the quantity of personal data and only to the extent that is essential for the purposes of the request.

2. METHODS OF STORAGE OF PERSONAL DATA, SECURITY OF PROCESSING

The Service Provider implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with data processing activities, including inter alia as appropriate: (i) the encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

3. CONTACT INFORMATION OF THE CONTROLLER

MyAd Marketing Kft.

registration number: Cg.01-09-178437

seat: H-1033 Budapest, Szentendrei út 95.

registry authority: Registry Court of the Budapest-Capital Regional Court

email: This email address is being protected from spambots. You need JavaScript enabled to view it.

telephone: +36-1-920-1668

The technical processing of data processed under the present Policy is performed by the Controller and by a Processor contracted by the Controller.

4. CONTROLLER’S OBLIGATION TO MAINTAIN RECORDS OF PROCESSING ACTIVITIES

In accordance with the GDPR, the Controller maintains records of its processing activities. Upon request, the Controller makes these records available to the NAIH.

5. RIGHTS OF THE DATA SUBJECT

5.1 General provisions

The present Policy provides information regarding the Data Subject’s personal data. When requested by the Data Subject, information may be provided orally, provided that the identity of the Data Subject is proven. The Service Provider shall not refuse to act on the request of the Data Subject for exercising his or her rights specified below, unless the Service Provider demonstrates that it is not in a position to identify the Data Subject. Where the Service Provider has reasonable doubts concerning the identity of the natural person making the request, it may request the provision of additional information necessary to confirm the identity of the Data Subject.

The Service Provider shall provide information on action taken on a request to the Data Subject without undue delay and in any event within 1 month of receipt of the request. That period may be extended by 1 further month where necessary, taking into account the complexity and number of the requests. The Service Provider shall inform the Data Subject of any such extension within 1 month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.

If the Service Provider does not take action on the request of the Data Subject, the Service Provider shall inform the Data Subject without delay and at the latest within 1 month of receipt of the request of the reasons for not taking action and on the possibility of seeking a judicial remedy as provided for in the present Policy. The Service Provider charges no fee for the information and communication provided and the resulting actions taken. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the Service Provider may either: charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.

5.2 The Data Subject’s rights with regard to data processing

5.2.1 Right of access

The Data Subject shall have the right to obtain from the Service Provider confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and to information provided herein regarding the processing of his or her data.

The Service Provider shall provide a copy of the personal data undergoing processing to the Data Subject. For any further copies requested by the Data Subject, the Service Provider may charge a reasonable fee based on administrative costs.

5.2.2. Right to rectification

The Data Subject shall have the right to obtain from the Service Provider without undue delay the rectification of inaccurate personal data concerning him or her, and/or, taking into account the purposes of the processing, the Data Subject shall have the right to have these data completed.

5.2.3 Right to erasure

The Data Subject shall have the right to obtain from the Service Provider the erasure of personal data concerning him or her without undue delay and the Service Provider shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the Data Subject withdraws consent and there is no other legal ground for the processing;
• the Data Subject objects to the processing and the Data Subject is not involved in a dispute and is not subject to proceedings, or there are no overriding legitimate grounds for the processing, or the Data Subject objects to processing for direct marketing purposes;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Service Provider is subject;
• the personal data have been collected in relation to the offer of information society services to children.

The personal data shall be erased if

1. a) the processing is unlawful, in particular, if
2. aa) the processing is contrary to the principles laid down in section 4 of the Information Act,
3. ab) the purpose of processing no longer exists or further processing is not necessary for the realisation of the purpose of processing,
4. ac) the period provided for by law, international agreement or a binding legal act of the European Union has elapsed, or
5. ad) the legal basis for processing no longer exists and there is no other legal basis for processing,
6. b) the data subject has withdrawn his or her consent given to the processing or requests the erasure of his or her personal data
7. c) the erasure of the data is required by law, a legal act of the European Union, by the Authority or by a court, or
8. d) the period laid down in section 19 (1) b) to d) of the Information Act for the limitation of data processing has elapsed.

Where the Service Provider has made the personal data public and is obliged pursuant to the present Policy to erase the personal data, the Service Provider, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The Service Provider has no obligation to erase the data if processing is necessary (i) for exercising the right of freedom of expression and information; (ii) for compliance with a legal obligation or for the performance of a task carried out in the public interest; (iii) for the establishment, exercise or defence of legal claims.

5.2.4   Right to restriction of processing

The Data Subject shall have the right to obtain from the Service Provider restriction of processing where

• the accuracy of the personal data is contested by the Data Subject (for a period enabling the Service Provider to verify the accuracy of the personal data); or
• the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead; or
• the Service Provider no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; or
• processing is necessary for the performance of a task carried out in the public interest or processing is necessary for the purposes of the legitimate interests pursued by the Service Provider or by a third party, and the Data Subject objected to the processing of data for said purposes (pending the verification whether the legitimate grounds of the Service Provider override those of the Data Subject).

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. A Data Subject who has obtained restriction of processing shall be informed by the Service Provider before the restriction of processing is lifted.

5.2.5   Notification obligation

The Service Provider shall, to the best of its ability, communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Service Provider shall inform the Data Subject about those recipients if the Data Subject requests it.

5.2.6   Right to object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her (including profiling based on those provisions) if processing is necessary for the performance of a task carried out in the public interest or for the legitimate interests pursued by the Service Provider or by a third party. The Service Provider shall no longer process the personal data unless the Service Provider demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Where personal data are processed for statistical purposes, the Data Subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.2.7 Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

1. the processing is based on consent or on a contract; and

1. the processing is carried out by automated means.

In exercising his or her right to data portability, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible, but this shall not adversely affect the rights and freedoms of others.

5.2.8   Automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except for cases when the decision (i) is necessary for entering into, or performance of, a contract between the Data Subject and the Service Provider; (ii) is authorised by law to which the Service Provider is subject and which also lays down suitable measures to safeguard the Data Subject's rights and freedoms and legitimate interests; or (iii) is based on the Data Subject's explicit consent.

For the purpose of the enforcement of the Data Subject’s rights, the Data Subject shall have the right to obtain human intervention on the part of the Service Provider, to express his or her point of view and to contest the decision.

5.2.9   Personal data breach*

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Service Provider shall communicate the personal data breach to the Data Subject without undue delay. The communication to the Data Subject shall describe in clear and plain language the nature of the personal data breach and contain the following information and measures: (i) the name and contact details of the contact point where more information can be obtained; (ii) the likely consequences of the personal data breach; (iii) the measures taken or proposed to be taken by the Service Provider to address the personal data breach.

The communication to the Data Subject shall not be required if any of the following conditions are met: (i) the Service Provider has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach (ii) the Service Provider has taken subsequent measures which ensure that the high risk to the rights and freedoms of the Data Subject is no longer likely to materialise; (iii) it would involve disproportionate effort.

In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

(* ‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.)

6. LIABILITY, COMPENSATION AND LEGAL REMEDY

The Service Provider and every controller and processor involved in the processing are liable for damage caused by processing and/or technical processing infringing the provisions of the Information Act under general rules. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of legal regulations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Service Provider. The Service Provider or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

If you have any questions, comments or problems with regard to data processing performed by the Service Provider, use the contact information provided to contact the Service Provider.

If the Data Subject does not agree with the decision made by the Service Provider, Data Subject may seek judicial remedy within 30 days of the date the decision is disclosed. The Service Provider shall prove that the processing is compliant with legal provisions. Regional Courts shall have jurisdiction to hear the case. The Data Subject may bring the action before the regional court having territorial jurisdiction over his or her domicile or place of residence, according to his or her choice.

The Data Subject shall also have the right to ask information from the NAIH in relation to his or her rights and to initiate, on grounds of infringement or imminent threat of infringement, an inquiry or request a procedure for data protection to be launched by the authority using the contact information below:

Nemzeti Adatvédelmi és Információszabadság Hatóság/Hungarian National Authority for Data Protection and Freedom of Information Seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C. Mailing address: H-1530 Budapest, Pf.: 5. Telephone: +36 1 391 1400 Fax: +36 1 391 1410 E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it. Website: http://www.naih.hu

7. AMENDMENT OF THE POLICY

The Service Provider reserves the right to unilaterally amend the present Policy with effect for the future.

Budapest, 5 December 2018

MyAd Marketing Kft.