’personal data’: any information related to an identified or identifiable natural person (‘data subject’). A natural person is identifiable when directly or indirectly, in particular by virtue of one or more factors such as name, number, position, online identification or physical, physiological, genetic, intellectual, economic, cultural or social identity of the natural person identified.
‘data management’: any combination of operations, whether automated or not, performed on personal data or data files, such as their collection, recording, systematization, classification, storage, change or alteration, retrieval, access, use, communication or distribution by any other means, coordinating or linking, limiting, deleting or destroying.
‘restriction of data management’: the marking of stored personal data with the aim of limiting its processing in the future.
‘profiling’: any form of automated processing of personal data for the purpose of assessing it in relation with the individual, in particular using it to analyse and predict related characteristics with regards to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.
‘pseudonymity’: the processing of personal data in such a way that without further information it is no longer possible to ascertain which specific individual is the one concerned, provided that such additional information is stored separately and the appropriate technical and organizational measures are in effect to make sure that such personal information cannot be linked to identified or identifiable natural persons.
‘filing system’: a collection of personal data, in any centralized, decentralized, functional or geographical form, accessible according to specified criteria.
‘recipient’: any natural or legal person, public authority, agency or any other body to whom or by whom personal data are disclosed, regardless if it is a third party or not. Public authorities which have access to personal data in the framework of a specific inquiry in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by these public authorities must be compliant with the applicable data protection rules in accordance with the purposes of the processing.
‘data processor’: any natural or legal person, public authority, agency or any other body which handles personal data on the behalf of HAVS INTERNATIONAL Ltd.
‘third party’: any natural or legal person, public authority, agency or any other body which is not the data subject, HAVS INTERNATIONAL Ltd. or any persons or entities authorized to process personal data under the direct control of HAVS INTERNATIONAL Ltd.
‘affected party’: the representative, contact person or contractor of the customer of HAVS INTERNATIONAL Ltd.
‘consent’: the voluntary, explicit and unambiguous expression of the will of the data subject by means of a statement or act by which the data subject unambiguously confirms or signifies his or her consent to the processing of his or her personal data.
‘NAIH’: the National Data Protection and Freedom of Information Authority which is the supervisory authority competent in data protection matters.
‘information law’: the Act CXII of 2011 on the Right of Information Self-Determination and Freedom of Information.
‘GDPR or Regulation’: Regulation 2016/679 of the European Council and Parliament (EU) on the protection of personal data with regard to the processing of personal data and on the free movement of such data repealing EC Regulation No 95/46.
‘third country’: any State not a member of the European Economic Area, with the exception of Andorra, Argentina, Canada, Switzerland, Faroe Islands, Isle of Man, Jersey, New Zealand, United States of America, Uruguay.
II. The Handler of Personal Data
During event technology activities in accordance with the information law and GDPR, HAVS International Ltd. qualifies as a data handler.
Representative of the data handler: Wolff Kornél Roland, Managing Director
Contacts of the representative:
Head Office: 1074 – Budapest, Csengery u.13/B.
Phone: +36 1 4615858
Personal Data must be
handled in a lawful and fair manner which is transparent to the person concerned (‘legality, due process and transparency’),
collected only for specified, explicit and legitimate purposes (‘purpose-related’),
only relevant to the purposes of the data management, and limited to what is absolutely necessary (‘data saving’),
accurate and up to date (‘accuracy’),
stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘limited storage’),
handled in a manner that ensures its safety by appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage to the data (‘integrity and confidentiality’).
IV. Title, Duration and Purpose of Data Management, Scope of Data Processed
1) The purpose of processing personal data is to fulfil a legal obligation under Article 6 c) of the GDPR. HAVS INTERNATIONAL Ltd., as an event technology company, manages the data of the Client’s representative and contact person during the execution of orders for the purpose of fulfilling the business contract concluded between them.
2) Data management includes handling the name, e-mail address and telephone number of the Customer’s contact person / representative.
3) The duration of processing personal data is normally up to five years from the date of the certificate of performance until the claims under the business contract expire.
4) The sole purpose of data management is to establish and perform the business contract, to make an offer, and to maintain contact between the parties during the execution of the contract.
5) In case of sending invitation to a tender to HAVS INTERNATIONAL Ltd., the subject of the processing of personal data provided in the invitation is the consent of the data subject, which shall be deemed to have been given when sending the invitation. After receiving it, HAVS INTERNATIONAL Ltd. handles the data as a legal interest / legal obligation.
V. Transmission of Personal Data
1) HAVS INTERNATIONAL Ltd. has the right to transfer the personal data of the affected parties to its subcontractors in order to provide effective event technical support. Subcontractors may use the personal data they receive under the contract between themselves and HAVS INTERNATIONAL Ltd. solely for the purposes set out in this document, which is included in the data processing contract between them. Further information on data processors used by HAVS INTERNATIONAL Ltd. and a description of their data processing activities are detailed in Chapter 8 of this document.
2) Except for the authorities entitled to request so by law, such as for investigative authorities, based on Act XC of 2017 on Criminal Procedure § 264, HAVS INTERNATIONAL Ltd. shall not transfer any personal data processed to third parties without the preliminary, explicit and informed consent of the data subjects, in which case the transmission of data is a legal obligation of HAVS INTERNATIONAL Ltd. upon request of the authorities concerned.
3) Should personal data be transferred to third countries, HAVS INTERNATIONAL Ltd. shall be bound by GDPR 45-49., in particular to enter into a contract with the recipient company for the content of the standard contractual terms and conditions as published in the Annex to Decision 2010/87 / EU.
VI.1. The Right of the Data Subject to Access Processed Personal Data Concerning Him
If the data subject does not have such information, he has the right to request and receive feedback from HAVS INTERNATIONAL Ltd. on the subject of whether his personal data is being processed and, if such processing is in progress, he has the right to get access to the following:
the purposes of data management,
categories of personal data concerned,
recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third-country recipients or international organizations,
the intended period for which the personal data will be stored where applicable or, if this is not possible, the criteria for determining the length of this period,
the right of the data subject to request the controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data,
the right to file a complaint with a supervisory authority,
if the data collected was not originating from the subject, all available information on their source,
HAVS INTERNATIONAL Ltd. shall provide copies of the personal data subject to the data processing upon request of the data subject. For additional copies requested, HAVS INTERNATIONAL Ltd. may charge a reasonable fee based on administrative costs. If the data subject has submitted an application by electronic means, the information shall be provided in a widely used electronic format unless otherwise requested.
VI.2. Correction and Deletion
The data subject shall have the right, upon request, to have inaccurate personal data concerning him / her corrected by HAVS INTERNATIONAL Ltd. without undue delay. Taking into account the purpose of the data processing, the data subject is entitled to request incomplete personal data to be completed, including by means of a supplementary statement.
The data subject shall have the right to have personal data concerning him / her deleted by HAVS INTERNATIONAL Ltd. without undue delay upon his / her request, and the data manager shall delete the personal data concerning the data subject without undue delay (within 8 days) if any of the following reasons exist:
personal data are no longer needed for the purpose for which they were collected or otherwise processed,
the data subject withdraws his consent as the basis for the data management and there is no other legal basis for further handling his data,
the data subject protests against the data managing and there is no priority or legitimate reason for the data handling,
unlawful management of personal data,
the personal data must be deleted in order to comply with a legal obligation under EU or Member State law applicable to HAVS INTERNATIONAL Ltd.
Despite the above, it is not necessary to delete data where data management is required in case:
to exercise the right of freedom of speech and information,
to fulfil an obligation under the Union or national law applicable to the controller for the processing of personal data or to carry out a task in the public interest or in the exercise of official authority vested in the data handler,
VI.3. The Right to Restrict Data Management
The data subject shall have the right to request restriction of the data management of HAVS INTERNATIONAL Ltd. if any of the following applies:
the data subject disputes the accuracy of the personal data, in which case the limitation relates to the period allowing the data manager to verify the accuracy of the personal data,
data management is unlawful, however, the data subject is against the deletion of the data and instead requests that its use be restricted,
HAVS INTERNATIONAL Ltd. no longer needs personal data for the purpose of data management, but the data subject needs it to be retained in order to submit, assert or defend legal claims, or
the data subject objected to its data being managed. In this case, the restriction shall apply for a period until it is established whether the legitimate grounds of the data handler prevail over those of the data subject concerned.
If the data management of HAVS INTERNATIONAL Ltd. is subject to restrictions, such personal data, with the exception of storage, shall only be managed with the consent of the data subject, or for the filing, enforcement or defense of legal claims or other natural or legal persons or for an important public interest of the European Union or its member state.
HAVS INTERNATIONAL Ltd. duly informs the data subject, at the request of whom the data processing has been restricted, before lifting the data management restriction.
HAVS INTERNATIONAL Ltd. informs any recipient of any rectification, erasure or restriction of personal data with whom or to whom personal data have been communicated, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the data manager shall inform them of who those recipients are.
VI.4. The Right to Data Portability
Given that the legal basis of data management is the performance of the contract between the Customer and HAVS INTERNATIONAL Ltd. which is a legal obligation under Article 6 (c) of the GDPR, the data subject is not entitled to transfer the data processed about him.
VI.5. The Right to Protest
The data subject shall have the right to object at any time to the processing of his or her personal data for reasons related to his or her situation. In this case, HAVS INTERNATIONAL Ltd. may not further process personal data, unless HAVS INTERNATIONAL Ltd. proves that the processing is justified by compelling legitimate reasons, which take precedence over the interests, rights and freedoms of the data subject or his or her submission, validation or defence.
Where personal data are processed for the purpose of direct business, the data subject shall have the right to object at any time to the processing of personal data relating to him or her for that purpose.
If the data subject objects to the management of personal data for the purpose of direct marketing, the personal data may no longer be handled for this purpose.
VII. Data Security
Only employees of HAVS INTERNATIONAL Ltd. who need access to such data for performing their duties have access to your personal data. An IT system containing the data of the data subject shall continuously ensure the availability, confidentiality, integrity, resilience of the data and the timely restoration of access to and availability of personal data in the event of a technical or physical incident.
VIII. Data Processing, Data Processors
Primary technical and organizational measures related to data processing activities:
prevention of unauthorized access to data-processing systems handling personal data (access control),
to ensure that persons having access to data processing systems can only access data at their level of authorization, and that no unauthorized person can read, copy, modify or delete personal data during their collection (control of access to data),
to ensure that personal data is not readable, copied, modified or erased by unauthorized persons during electronic transmission, transportation or storage, and that it can be examined and identified where exactly was the personal data transmitted using the data communication equipment (data transfer control),
to ensure that it is possible to retrospectively establish who has entered, modified or deleted personal data into and from the data processing system and when,
to ensure that personal data processed by subcontractors can only be processed in accordance with the instructions of the contracting party (subcontracting control),
to ensure that personal data is protected against unintentional destruction or loss of data (availability control),
to ensure that personal data is protected from accidental or unlawful alteration or unauthorized disclosure,
to ensure the continued confidentiality, integrity, availability and resilience of systems and services used to process personal data;
in the event of a physical or technical incident, the ability to restore access to and availability of personal data in a timely manner,
regular testing and evaluation of the effectiveness of technical and organizational measures taken to ensure security of data management.
The list of data processors is an integral part of this document and may be modified and updated unilaterally by HAVS INTERNATIONAL Ltd. Acknowledgment and acceptance of the document shall include acceptance and approval of the aforementioned Annex.
Budapest, 25th May 2018