BHS Trans Limited Company (seat: H-2120 Dunakeszi, Pallag utca 7., company registration number: 13-09-194265; tax number: 23196081-2-13; homepage: www.bhstrans.hu, hereinafter referred to as „BHS TRANS” or „CONTROLLER” or „COMPANY”) as Controller submits itself to the following Policy and regards it as binding on itself.
BHS Trans assumes the obligation that every data controlling and data processing related to its activities complies with the requirements of this Policy, Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter referred to as „INFORMATION ACT”) and the General Data Protection Regulation (EU) 2016/679 (hereinafter referred to as „GDPR”).
BHS Trans is committed to the protection of the personal data of its clients and partners and prioritises respect for the rights of its clients. BHS Trans processes personal data confidentially and takes all security, technical, and organisational measures to guarantee data security.
In this Policy, the following terms shall have the following meanings:
- Data subject/User shall mean any specific natural person who is identified or is, directly or indirectly, identifiable based on personal data,
- Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- Consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- Objection means the statement of the Data Subject, raising objection against the processing of his or her personal data and requesting the termination of the processing and/or the erasure of the processed data,
- Controller means the natural or legal person or the organisation without legal personality that either alone or jointly with others defines the purpose of data controlling, makes and implements the decisions pertaining to data processing (including the equipment used), or has them implemented by a processor hired by it,
- Processing means, regardless of the applied procedure, any operation or set of operations performed on the data, such as collection, recording, organisation, storage, alteration, use, querying, transfer, disclosure, alignment or combination, locking, erasure and destruction, and the prevention of the further use of the data, preparation of photos, audio or video recordings, and the recording of physical features capable of identifying a person (e.g. fingerprint or palmprint, DNA sample, iris image),
- Data transfer means making the data available to specific third persons,
- Data erasure means rendering data unrecognisable in a way that renders their restoration impossible,
- Data marking means giving an identifier to the data to distinguish them,
- Data locking means giving an identifier to the data to restrict their further processing either permanently or for a specified time,
- Data destruction means the complete physical destruction of the data carrier containing the data,
- Processing means the performance of technical tasks related to data processing operations, regardless of the method or means applied to execute the operations, or the place of application, provided that the technical task is carried out on the data,
- Processor means the natural or legal person or the organisation without legal entity that processes data as ordered or instructed by the Controller, within the framework and under the conditions specified by the law or a mandatory legal act of the European Union,
- Data breach means the illegal controlling or processing of personal data, including unauthorised access, alteration, transfer, disclosure, erasure or destruction or accidental destruction and damage.
III. Legal basis of processing, information to data subjects
According to Section 14 of the Information Act, prior to the start of the processing, the data subject shall be informed whether the processing is mandatory or subject to consent. All data processing activities of the Controller are based on voluntary consent or contractual or legal obligation.
The legal basis of the processing by the Controller is the fulfilment of the services either provided by it or used by it and the fulfilment of the contracts made in other subjects (hereinafter referred to as "CONTRACTS"), and its purpose is to fulfil the rights and obligations arising from these contracts.
In the case of registering on the homepage of the Controller, the legal basis for the processing is the voluntary, informed and express consent of the User, and, in the case of profiling, the proper information to the User according to the provisions of the GDPR, more specifically Article 6(1)(f) of the GDPR. In that case, the Users voluntarily contact the Controller, they voluntarily register and use the services of the Controller. Without the consent of the Users, the Controller only processes data if the law unequivocally authorises it to do so.
The Controller is authorised to process the personal data and keep them until the purpose of the contracts specified above is met and settlement is complete, as well as for the legal retention period necessary for performing a legal obligation.
The persons primarily authorised to familiarise themselves with the data processed by the Controller are our authorised internal employees, and we do not give the data to third persons except for legitimate interest (e.g. debt collection), legal obligation, or if the User has given his or her prior consent to the disclosure.
Before starting the processing, the Controller always clearly and thoroughly informs the data subject of every fact related to the processing of his or her data, particularly the purpose and legal basis of the processing, the person(s) authorised to do the processing, and the duration of the processing.
The Controller always fully complies with this requirement. The information shall cover the processing-related rights and remedies of the data subject, which requirement the Controller shall fully comply with similarly to what is written above.
If informing the data subjects in person is not possible or would entail disproportionate costs (e.g. in this case, on a website), the information may be provided by disclosing the following information:
- the fact of data collection,
- the scope of data subjects,
- the purpose of data collection,
- the duration of processing,
- the identities of the potential processors who are authorised to learn the data,
- description of the processing-related rights and remedies of the data subjects.
Amendments to this Policy take effect by disclosure on the above address.
IV. Purpose limitation of processing
Personal data may only be used for explicitly stated, lawful purposes, in order to exercise rights and fulfil obligations. All processing stages shall be in line with the purpose of processing, and the collection of data shall be fair and lawful. Only personal data that are indispensable to the achievement of the goal of the processing and are fit for achieving that goal may be processed. Personal data may be processed only to the extent and time necessary for achieving the goal.
Data of the processor relied on in the processing (storage processor):
V. Client relations and other data processing activities
Should the data subject have questions or problems in the course of using the services of our Controller, he or she may contact the Controller as given on the website (telephone number, email, social networking sites, etc.).
We provide information regarding the processing activities not listed in this Policy.
At the exceptional requests of authorities or the requests of other bodies under legal authorisation, the Controller shall provide information, disclose and hand over data, and make documents available.
In these cases, the Controller shall disclose to the requesting party only as much personal data as, and to the extent, strictly necessary for fulfilling the purpose of the request, if they have specified the exact purpose and the scope of data.
VI. Data security
The Controller shall design and implement data processing operations in such a way as to ensure the protection of the privacy of the data subjects. The Controller shall ensure data security (with a password and antivirus protection), take the technical and organisational measures and set up the procedural rules necessary to implement the Information Act, the GDPR, and other data-protection and secrecy-protection regulations.
The Controller shall take appropriate measures to protect the data especially against
- unauthorised access,
- erasure or destruction,
- accidental destruction and damage,
- inaccessibility due to changes in the applied technology.
The Controller shall use an appropriate technical solution to ensure that the data on record cannot be connected to one another or assigned to the data subjects.
To prevent unauthorised access to personal data, data alteration, unauthorised data disclosure or data use, the Controller shall ensure
- the setting up and operation of an appropriate IT and technical environment,
- the controlled selection and supervision of its employees taking part in the provision of the service,
- the development of detailed operating, risk-management, and service rules of procedure.
Accordingly, the Controller shall ensure that the data processed by it
- are accessible to the authorised person,
- are valid and validated,
- are unchanged and this is verifiable.
The IT system of the Controller and its storage processor shall protect from
- IT fraud,
- computer viruses,
- and other attacks.
VII. Rights of data subjects
The data subject may request the Controller to provide information on the processing of their personal data, request the rectification of his/her personal data, and may request the erasure or locking of his/her personal data, except for mandatory processing.
At the request of the data subject, the Controller shall provide information of the data of the data subject processed by the Controller or processed by a processor either ordered or instructed by the Controller, the sources of such data, the purpose, legal basis, and duration of the processing, the name, address and processing-related activities of the processor, the circumstances and effects of a data breach as well as the measures taken to eliminate it, and, in the event of transferring the personal data of the data subject, the legal basis and recipient of the data transfer.
The Controller (via its internal data-protection officer, if it has one) shall keep records for verifying data breach-related measures and informing the data subjects, and these records shall include the relevant personal data, the scope and number of data subjects involved in the data breach, the date, circumstances and effects of the data breach as well as the measures taken to eliminate the data breach, and the other data specified by the piece of legislation requiring the processing.
To verify the lawfulness of the data transfer and to inform the data subject, the Controller shall keep records of the data transfers including the dates and times of the transfers of the personal data processed by the Controller, the legal bases and recipients of the data transfers, the definition of the scope of the transferred personal data, and the other data specified in the piece of legislation requiring the processing.
At the request of the User, the Controller shall provide information on the data processed by the Controller, the sources of such data, the purpose, legal basis, and duration of the processing, the name, address and processing-related activities of the potential processor, and, in the event of transferring the personal data of the data subject, the legal basis and recipient of the data transfer. Within the shortest time counted from the submission of the application, but within a maximum of 15 days, the Controller shall provide the information in writing and in a non-technical manner. This information is free.
If the personal data are inaccurate and the accurate personal data are available to the Controller, then the Controller shall rectify the personal data.
Instead of erasure, the Controller shall lock the personal data, if the User so requests, or if the information available allows the assumption that the erasure would violate the legitimate interests of the User. Locked personal data may be processed only as long as the processing purpose that has excluded the erasure of the personal data exists.
The Controller shall erase the personal data if their processing is illegal, the User requests that, the processed data are incomplete or false, and this condition cannot be lawfully rectified, provided that the erasure is not excluded by the law, the purpose of processing has ceased to exist, or the legal deadline for data storage has lapsed, or it has been ordered by a court or the National Authority for Data Protection and Freedom of Information.
The Controller shall mark the personal data processed by it if the data subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be unequivocally determined.
The data subject and all to whom the data were previously transferred for processing shall be informed of the rectification, locking, marking, and erasure. The notification may be omitted if this does not violate the legitimate interests of the data subject with regard to the purpose of the processing.
If the Controller fails to perform the request of the data subject for rectification, locking, or erasure, then it shall disclose the factual and legal reasons for rejecting the request for rectification, locking or erasure within 15 days following the receipt of the request. In the event of rejecting the request for rectification, erasure, or locking, the Controller shall inform the data subject of the options of judicial redress and turning to the Authority.
The User may object to the processing of his or her personal data if
- the processing or transferring of personal data is only necessary for performing a legal obligation imposed on the Controller or asserting the legitimate interests of the Controller, the data recipient, or a third person, except if the processing is required by the law;
- personal data are used or transferred for direct marketing purposes, opinion polling, or scientific research;
- in other cases specified by the law.
The Controller shall examine the objection within the shortest possible time from the submission of the request but within a maximum of 15 days, decide whether the request is well-founded, and inform the requesting party of its decision in writing. If the Controller establishes that the objection of the data subject is well-founded, then it shall terminate the processing, including any further data recording and data transfer, lock the data, and inform all to whom it previously transferred the personal data concerned by the objection and who are obliged to act with a view to enforcing the right to object about the objection and the actions taken based on the objection.
If the User disagrees with the decision made by the Controller, then he or she may challenge it before a court, and the court shall handle his or her case as a matter of urgency.
Complaints about potential violations by the Controller may be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
H-1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf.: 9.
Telephone: +36-1-391-1400