General information

  • Under the EU GDPR, data subjects have the following rights in relation to the processing of their personal data
  • Information on the processing of personal data in the employment context
  • Information on data processors
  • Information on the use of technical means to monitor the employee
  • Information on the performance of an aptitude test
  • Obligations of the employee
  • Processing within a contractual relationship on the basis of the consent of the data subject
  • Processing outside a contractual relationship on the basis of the data subject’s consent
  • Processing of job applications in connection with job advertisements
  • Operation of an electronic camera system
  • Rights of data subjects in relation to data processing
  • Procedure in the event of a data protection incident
  • Data security
  • Final provision
  • Entry into force

General Information

Our Company (POP-UP BOX, 6724 Szeged, Kossuth Lajos sgt. 29.; hereinafter referred to as the “Data Controller”) is committed to the protection of personal data, compliance with mandatory legal provisions, and secure and fair processing of personal data. This Policy aims to set out the data protection and data management principles and policies applied by the Data Controller.

All processing operations on which this Privacy Policy is based are governed in particular, but not exclusively, by the following legislation:

Fundamental Law (Articles VI, IX, XVII)
Act V of 2013 on the Civil Code;
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information;
Act I of 2012 on the Labour Code
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (GDPR)

The legal definitions and interpretations of the terms used in this Policy are those set out in Section 3 of the Infotv:

Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;

Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

Data breach: the processing of personal data must be carried out in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical or organisational measures.

A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Consent of the data subject: a voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation.

Under the EU GDPR, the data subject has the following rights in relation to the processing of his or her personal data:

the right to information under Articles 13 and 14 of the EU GDPR
the right of access under Article 15 of the EU GDPR
the right to rectification under Article 16 of the EU GDPR
the right to the erasure of personal data in accordance with Article 17 of the EU GDPR
the right to restriction of processing under Article 18 of the EU GDPR
the right to data portability under Article 20 of the EU GDPR

Information on the processing of personal data in the employment context:

The Company processes the employee’s employment-related data in accordance with the applicable legislation. The employee may request information about the processing of his/her personal data, request the rectification of his/her personal data, and request the erasure or blocking of his/her personal data, except for mandatory processing.
Upon the employee’s request, the employer shall provide information on the data processed by the employer or by a data processor appointed by the employer or on its behalf, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and its activities related to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy the situation, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the transfer.

The employer may only request data from the employee relating to the establishment, maintenance or termination of the employment relationship. The processing of data is based on the provisions of the Labour Code and the legitimate interests of the employer.

An employee may only be subjected to an aptitude test which is required by the law governing the employment relationship or which is necessary for the exercise of a right or the performance of an obligation provided for by the law governing the employment relationship.
Personal data may only be processed for specific purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful. Only personal data which is necessary for the purpose of the processing and adequate for the purpose of the processing may be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.

The employer may disclose facts, data or opinions concerning an employee to third parties only in cases provided for by law or with the employee’s consent.

For the purpose of fulfilling the obligations arising from the employment relationship, the employer may transfer the employee’s personal data to a data processor, stating the purpose of the data transfer, as defined by law. The employee must be informed of this in advance.

The data relating to the employee may be used for statistical purposes and may be transmitted for statistical purposes without his/her consent and in a non-personally identifiable manner.

The employee’s personal data will not be transferred to third countries. Third countries are those countries which are not members of the European Union.

The processing of the employee’s personal data does not involve automated decision-making or profiling.
The processing of data by the Data Controller is always based on law or voluntary consent.

In some cases, in the absence of consent, processing is based on another legal basis or on Article 6 of the Regulation.

The following processing is carried out by the employer in the legitimate interest of the employer:

Labour and personnel records (name, address, place and date of birth, mother’s name, tax identification number),

Processing of data relating to aptitude tests,

Data processing related to the use of e-mail accounts,

Data processing related to the use of computers, laptops, mobile phones provided by the employer,

Processing of data relating to the use of the GPS navigation system,

Processing of data relating to the use of an electronic access and egress system at the workplace,

Data processing in relation to electronic camera systems,

Processing of data contained in the curricula vitae and references of employees who, by virtue of their position, are involved in the certification of professional and technical competence in the context of certain tendering and public procurement procedures and competitive market procedures.

The employer shall inform the employee that, in the case of employees whose work requires the provision of work clothing, it processes the employees’ clothing measurements in order to fulfil this obligation. The employer shall store this data until the date of termination of employment in order to ensure the continuous provision and replacement of work clothing. After the expiry of this period, the data controller shall immediately arrange for the final deletion of the data.

The employer shall inform the employee that, for reasons of property protection, the registration numbers of vehicles parked on the premises will be recorded. A member of the property management staff employed by the employer is authorised to record and manage the registration numbers. After the termination of the employment relationship, the data controller shall immediately arrange for the deletion of the data relating to the private motor vehicle of the employee.
The employer will always inform employees in advance by email if photographs and audio and video recordings are taken at company events. By attending the event, employees consent to the taking of photographs and audio and video recordings, which the employer is free to publish on its website, social networking sites and promotional materials promoting the company.

Information about data processors

The Employer informs the employee that his/her personal data are processed by accountants and financial staff employed by the Company in order to fulfil the tax, contribution and social security obligations arising from the employment relationship. The identity of these data processors may change during the period of employment, in which case the employer will inform the employees of the new data processor.

The operator of the employer’s electronic log-in and log-out system is POP-UP BOX, which transfers to POP-UP BOX the data recorded in relation to the log-in and log-out of POP-UP BOX employees. The data recorded by the access control system shall be recorded by the data controller in charge of the management of the property under the employment relationship with the company. In addition to the data controller, the data recorded may be known to the person exercising the employer’s powers.
In tendering and public procurement procedures, personal data contained in CVs and references may be processed only by employees designated by the employer and employed by the employer who need to know such personal data in order to carry out their duties. The CVs and references made available in this context may be freely used in all tendering procedures during the period of employment of the employees.

Access rights to the IT tools made available to employees by the employer for their work and the processing of personal data on the tools during the use of the individual programs are carried out by system administrators employed by the employer. The system administrators, as data controllers, shall ensure the deletion of data that has become redundant or incorrect and, if necessary, the inactivation of email addresses.

Information on the use of technical means to monitor employees

The principles to be implemented during the verification:

The employee may only be checked in the context of his/her employment-related conduct. The control and the means and methods used for its implementation must not involve any violation of human dignity. The means and methods of control and the measures and methods used may not be used or may not be subject to any form of control.
The employee must be informed in advance of the legal basis for the check, the method used and the results of the check.

The inspection must be purposeful, necessary and proportionate at all stages of the procedure. The inspection must be without prejudice to the employee’s personal rights and personal data. Of the various methods of control, the one which least restricts or infringes the employee’s constitutional or legal rights shall be implemented.

The right to privacy and the right to protection of personal data is a right of personality. An employee’s right of personality may be restricted if the restriction is strictly necessary for reasons directly related to the purpose of the employment relationship and proportionate to the aim pursued. The employee must be informed in advance of the manner, conditions and expected duration of the restriction of the right to privacy. The employee may not generally waive his right to privacy in advance. A valid declaration of the employee’s right to privacy must be made in writing.

Control by the employer:

The Employee may only use the IT equipment (hardware, software), access (Internet, etc.), communication equipment (mail, fax, e-mail, mobile phone) and vehicles provided by the Employer for work purposes, and may not use them for private purposes (General Manager Instruction No. 1/2017, dated 19.01.2017).

The employee must be informed in advance of the legal basis for the check, the method used and the results of the check.

The employer shall be entitled to check regularly, in the presence of the worker, the use of the equipment provided by the employer. The monitoring of the employee’s telephone use, correspondence and email account is based on the employer’s interest in preventing the disclosure of business secrets.

In the event of termination of employment, the employer shall provide the employee with the opportunity to take with him/her, by copying onto a data carrier, personal data, documents and other personal items stored on the telephone and computer made available for work purposes, no later than 5 days after the termination of employment.

The Employer informs the employee that the data referred to above will be permanently deleted after the expiry of the deadline indicated above.

The Employer informs the employee that, after termination of employment, the work email address used by the employee will be inactivated and the senders of any incoming messages will be informed of this fact. The employee’s access to the mail system will be cancelled on the date of termination of employment.

The Employer informs the employee that GPS tracking has been installed in company vehicles.
The Employer informs the employee that further information and rules on the use of this information in its establishments are set out in point 11(A) of this Code of Conduct.

Information on the conduct of an aptitude test

An employer may subject an employee to an aptitude test in order to assess his/her legitimate interest and suitability for the job.

Participation in the aptitude test is compulsory for the employee under Decree No. 33/1998 (VI. 24.) NM on the medical examination and opinion on the aptitude for the job, occupational and personal hygiene.

An employee may only be subjected to a medical examination which is required by a rule governing the employment relationship or which is necessary for the exercise of a right or the performance of an obligation laid down in a rule governing the employment relationship.

The results of the test may be disclosed only to the worker concerned and to the examiner. The employer is only informed of the results of the examination as to whether or not the employee is suitable for the job. In addition to the person exercising the employer’s powers, the information may be communicated to the employee in the employer’s employ who is responsible for personnel and labour matters.

Obligations of the employee

The employee must notify the employer within 3 days of any change in the personal data processed by the employer, who will promptly take steps to record the changes and delete the previously recorded data.

Data processing within a contractual relationship based on the consent of the data subject

The controller records, manages and processes the personal data of persons who have a contractual relationship with the controller, as recorded in the contract, for the purposes of the performance of the contract. In this context, personal data may be requested from the data subjects only to the extent strictly necessary for the establishment of the contract and the performance of the obligations under the contract. The processing is based on the written consent of the data subject (Annex 1).

The legal basis for processing is the performance of a contract.

Employees involved in the performance of the contract, employees carrying out accounting and tax tasks and data processors are entitled to access personal data processed.

The controller shall process the personal data of the data subject during the period of the contract. The controller shall keep the personal data of the data subject for 5 years from the termination of the contract, subject to the general limitation period.

The controller shall inform the data subject that the data processed by it shall be used solely for the performance of the contract and shall not be made available by the controller to unauthorised third parties.

Processing outside a contractual relationship on the basis of the data subject’s consent

The controller shall record, manage and process the personal data provided by persons who do not have a contractual relationship with the controller. The processing may only take place with the consent of the data subject (Annex 1).

The provision of data and consent to the processing thereof shall be voluntary and shall not be required by law or by contract between the parties. The legal basis for processing is the consent of the data subject.

The data processed by the data controller shall be used exclusively for the purpose specified in the declaration signed by the data subject, shall not be made available by the data controller to unauthorised third parties and shall be destroyed when the purpose of the processing ceases or the declaration is withdrawn.

Processing of job applications submitted in response to job advertisements

Personal data contained in CVs handed over in person at the time of job interviews will be received at the same time as the declaration is signed (Annex 2).
Candidates can also submit their CVs via our website. When applying via the website, candidates will be able to submit their application after reading and accepting the privacy notice published on the website.

The Data Controller informs the data subjects that our Company is registered in the Data Protection Register of the National Authority for Data Protection and Freedom of Information (No.: NAIH-132105/2017.)

Operation of an electronic camera system

Operation of an electronic camera system at the properties at 6724 Kálvária sgt. 87/A and 1239 Budapest Haraszti út 36/C.

POP-UP BOX operates an electronic surveillance system (cameras) at its premises at 6724 Kálvária sgt. 87/A and 1239 Budapest Haraszti út 36/C to monitor movements within the property, during which images containing personal data are recorded.

The purpose and legal basis for the use of the cameras is the protection of property. The purpose is to prevent and detect infringements and to catch offenders in the act. In the event of an infringement, the recordings are used as evidence in official proceedings.

The cameras continuously record images of the entrances to the premises, the yard, the parking areas and the yard storage area. The field of view of the cameras is exclusively directed at the target area, thus only areas owned or used by the owner are observed.

The location of the cameras and the area they monitor:

Camera 1: Office

Camera 2: Premises

The recordings will be kept by the operator for 3 working days at its headquarters (6724 Szeged, Kossuth Lajos sgt. 29.) by recording on a central server, after which the recordings will be deleted in a non-recoverable manner. In justified cases (detection of an infringement), the recordings may be stored for a longer period of time, until the existence of a justified legitimate interest.

The digital recordings may only be viewed by a person authorised by the operator (property management officer, operational director). The recordings are handled by POP-UP BOX in accordance with the provisions of the data protection legislation and are only passed on to third parties in cases specified by law (e.g. public authorities).

The employer has informed the employees in advance of the existence and functioning of the surveillance system in the usual local way.

Persons other than employees (customers, guests), by entering the area, acknowledge and accept the fact that they are being monitored by the CCTV system and consent to being recorded. The Data Controller, in compliance with its legal obligation, has put up a notice informing the public that it is using an electronic surveillance system in the area.

The controller does not have a camera that monitors only one employee and his/her activities. The electronic surveillance system is not intended to influence the behaviour of employees at the workplace.
No cameras have been installed in places other than those indicated above, in particular in places where human dignity could be violated (e.g. toilets). The Data Controller does not use cameras that monitor only the area designated for the employees’ break time.

The location of the cameras and their angle of view have been selected in accordance with the principle of purpose limitation, solely with a view to safeguarding the interests of property and in compliance with the requirements of necessity and proportionality.

Data subjects may request information on the processing of the recordings at any time.

In the event of a breach of their rights, the data subject may take legal action against the controller and may also initiate proceedings before the National Authority for Data Protection and Freedom of Information.

Rights of data subjects in relation to data processing

– Rectification, erasure of personal data

The data subject may request information on the processing of his or her personal data and may request the rectification or, except for processing required by law, the erasure of his or her personal data.
At the request of the data subject, the Data Controller shall provide information on the data processed by it, the purpose, legal basis and duration of the processing, the name, address (registered office) and activity of the data processor, as well as the persons who receive or have received the data and the purposes for which the data are received or have been received. The controller shall provide the information in writing, in an intelligible form and free of charge, within the shortest possible time from the date of the request, but not later than 25 days.

The Data Controller shall rectify personal data which are inaccurate.

The Controller shall erase personal data if the processing is unlawful, if the data subject requests it, if it is incomplete or inaccurate – and this situation cannot be lawfully rectified – provided that erasure is not excluded by law, if the purpose of the processing has ceased, if the statutory time limit for storing the data has expired or if it has been ordered by a court or the Data Protection Commissioner.

The rectification and erasure shall be notified to the data subject and to all those to whom the data were previously disclosed for processing. The notification may be omitted if this does not harm the legitimate interests of the data subject in relation to the purposes of the processing.

Information on the legal remedies available to the data subject

Right to lodge a complaint with a supervisory authority

Any data subject has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of personal data concerning him or her infringes the provisions of the applicable legislation.

The supervisory authority with which the complaint has been lodged must inform the data subject of the progress and outcome of the complaint, including the right to judicial remedy.

The acting supervisory authority:

National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
ugyfelszolgalat@naih.hu

www.naih.hu

The right to an effective judicial remedy against the supervisory authority

The data subject shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him/her.

Any data subject shall have the right to an effective judicial remedy if the supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint or the outcome of the complaint.

Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

Right to an effective judicial remedy against the controller or processor

Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, all data subjects have the right to an effective judicial remedy if they consider that their rights under the Regulation have been infringed as a result of the processing of their personal data in a way that does not comply with the EU Regulation.

Proceedings against a controller or processor must be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.

Right of the data subject to compensation

Any person who has suffered damage, whether pecuniary or non-pecuniary, as a result of a breach of a legal provision shall be entitled to obtain compensation from the controller or processor for the damage suffered.

Any controller involved in the processing shall be liable for any damage caused by processing in breach of the law. A processor shall be liable for damage caused by processing only if it has failed to comply with obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller.
The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Where more than one controller or more than one processor, or both controller and processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the entire damage in order to ensure that the data subject is effectively compensated.

Where a controller or processor has paid full compensation for the damage suffered, it shall be entitled to recover from the other controllers or processors involved in the same processing that part of the compensation corresponding to the extent of their liability for the damage.

Legal proceedings to enforce the right to compensation shall be brought before the court competent under Hungarian law.

Procedure applicable in the event of a data breach

The data controller shall notify the competent supervisory authority of a potential data breach without undue delay and no later than 72 hours after becoming aware of it (Annex 3). In the event of a data breach, the data controller shall determine the seriousness of the data breach. This shall include, as a first step, determining the scope of the data breach and the circumstances of the processing. Then, the ease with which the data subjects can be identified from the data affected by the personal data breach should be assessed. The circumstances of the breach should then be examined. Under what circumstances and for what reasons (security weakness, human error, intentional wrongdoing, etc.) did the data breach occur? After the above assessment, the severity of the data breach should be classified into one of the following categories: low, medium, high, very high.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.
In case of detection of risks and deficiencies identified during the above detailed investigation, the data controller shall immediately take measures to reduce and eliminate the security risks and shall take all reasonable measures to ensure that no similar data protection incident of this kind occurs in the future. The controller shall take action without delay to mitigate the adverse consequences of a data breach that has already occurred.

The controller shall keep a record of the personal data breaches.

) and the approximate number of data; the additional likely consequences of the data breach; the actions taken by the controller to remedy the data breach to date; the future actions planned by the controller to remedy the data breach; whether the data breach was notified to the authority within 72 hours of its occurrence.

Data security:

In particular, the Data Controller shall protect the data against unauthorised access, alteration, disclosure, deletion or destruction and against accidental destruction or accidental damage. The Data Controller, together with the server operators, shall ensure the security of the data by technical and organisational measures that provide a level of protection appropriate to the risks associated with the processing.

The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the scale of the risk, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons.

In order to protect the data files managed electronically in the different registers, appropriate technical arrangements shall be put in place to ensure that data stored in the registers cannot be directly linked and attributed to the data subject, except where permitted by law.

In the course of automated processing of personal data, the controller and the processor shall take additional measures to prevent unauthorised access to data; the use of automated data-processing systems, the transmission of data by unauthorised persons, the use of data by unauthorised persons, the use of data processing systems and the use of data processing services by unauthorised persons shall be prevented.
equipment; the verifiability and ascertainability of which personal data have been or may be transmitted to which bodies using data transmission equipment; the verifiability and ascertainability of which personal data have been introduced into automated data processing systems, when and by whom; the recoverability of the systems installed in the event of a malfunction and the reporting of errors in automated processing.

The controller and the processor should take into account the state of the art when defining and implementing measures to ensure data security. Where several processing solutions are possible, the one that ensures a higher level of protection of personal data should be chosen, unless this would impose a disproportionate burden on the controller.

Final provision

This Privacy and Data Protection Policy will be published in the usual local way, by electronic means, under dk (S) drive → Office → Policies → Privacy Policy.

Entry into force

The provisions of this Data Management and Privacy Policy shall apply from the date of its entry into force. It shall enter into force on 31.03.2023.

Szeged, 31.03.2023.