PRIVACY POLICY
MASTERFILM DIGITAL Kulturális Szolgáltató Korlátolt Felelősségű Társaság (registered seat: 1138 Budapest, Vizafogó sétány 2.; tax number: 11825151-2-41; hereinafter: “Company”) shall guarantee the right of the data subjects to information by establishing and publishing this privacy policy (hereinafter: „Policy”), as provided for by REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: „GDPR”) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: "Privacy Act").
The material scope of this Policy shall apply to any and all processing of personal data carried out by the Company and its organizational units. The temporal scope of the Policy shall apply until its withdrawal. The Company reserves the right to amend the Policy. Notification of the amendment shall be done by publishing the amended Policy on the website of the Company.
I. Data controller
Data controller: MASTERFILM DIGITAL Kulturális Szolgáltató Korlátolt Felelősségű Társaság
Registered seat: 1138 Budapest, Vizafogó sétány 2.
Tax number: 11825151-2-41
Telephone number: +3618770700
Email address: info@masterfilm.hu
II. Definitions
-
Data subject:an identified or identifiable natural person (who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person);
-
Personal data:any information relating to an identified or identifiable natural person (such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person);
-
Special categories of personal data:personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation;
-
Controller:the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
-
Processing:any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
-
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
-
Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Other referenced legislation:
-
Security Services Act: Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators
-
Accounting Act.: Act C of 2000 on Accounting
III. Data processing carried out by the Company
3.1. Visiting the website
No personal data is necessary to browse the content made publicly available on the website of the Company at http://masterfilm.hu. The Company does not collect any personal data of the visitor.
3.2. Szállítók, üzleti partnerek adatainak kezelése
The Company may process the personal data in connection with its clients, suppliers and sub-contractors that is necessary for the quotation and the entering into and performance of a contract.
The Company processes only the personal data provided in the contract, the contact information provided by the parties, as well as personal data required under the Accounting Act.
-
Purpose of processing personal data: The purpose of data processing is entering into and performance of the contract between the client/business partner and the Company, as well as communication and billing.
-
Legal basis of processing personal data: The legal basis of processing personal data is the consent of the data subject [GDPR Art. 6. Sect. (1) Par. a)], as well as the performance of contract between data subject and the Company [GDPR Art. 6. Sect. (1) Par. b)].
-
Duration of processing personal data: The duration of data processing is 8 (eight) years after the performance of the contract pursuant to the preservation obligation of the bills issued by the Company under the Accounting Act.
3.3. Job applications
The Company processes the personal data provided to the Company by the solicited and unsolicited CV-s and other documents attached to the job application.
-
Purpose of processing personal data: The purpose of data processing is to notify the applicant of any job opportunities matching their qualifications and interests, as well as making an appointment with the applicant and performing the application procedure.
-
Legal basis of processing personal data: The legal basis of processing personal data is the consent of the data subject [GDPR Art. 6. Sect. (1) Par. a)], the consent is provided by sending the Company the CV and related documents of the data subject (applicant).
-
Duration of processing personal data: Duration of data processing a) iIn case of a successful application the duration of the employment; b) in case of an unsuccessful application the duration of the hiring process (after that, all the documents provided by the unsuccessful candidates are destroyed).
3.4. Electronic survaillance (camera system)
The Company operates an electronic surveillance and recording system at its registered seat. The camera system records the parking lot and the common areas of the building. The camera system records only the picture and actions of the people entering the areas (the system does not record the voice of the data subjects). Only the authorized employees of the Company are entitled to view and review the live and recorded footages. The camera system is operated by the Company, no services providers are engaged, therefore the Company is the sole data controller in connection with this activity.
-
Purpose of processing personal data: The purpose of data processing is the protection of the property and personal safety of the visitors staying in the hotel, as well as the protection of business secrets and to prove any illegal activity.
-
Legal basis of processing personal data: The legal basis of processing personal data is the consent of the data subject [GDPR Art. 6. Sect. (1) Par. a)] that shall be deemed given by the subject entering into the building, as well as the legal grounds provided by Sections 30-32 of the Security Services Act.
-
Duration of processing personal data: The duration of the processing is 3 (three) business days from the date of the recordings, after this period the recordings shall be deleted automatically pursuant to Paragraph 2 of Section 31 of the Security Services Act.
IV. Data processors of the Company
The personal data processed by the Company is made accessible to only the employees of the Company with the relevant roles and responsibilities, as well as service providers performing data processing on behalf of the Company based on data processing agreements and solely in the scope that is necessary to perform the data processing activities.
V. Data security (privacy by design)
The Company guarantees the security against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Company keeps a register of the data breaches that have occured at the Company, and shall notify the data subjects of the breach in case the GDPR and Privacy Act requires it.
VI. Rights of the data subjects
6.1.Information and access to personal data
The data subject may request the Company in writing to provide information as to:
-
the personal data processed by the Company regarding the data subject, as well as
-
the legal basis of the processing,
-
the purpose of the processing,
-
from which source the personal data originate,
-
the duration of the processing,
-
to whom the Company forwards the personal data and its legal basis.
The Company shall comply with the request of the data subject within 15 (fifteen) days by electronic or postal mail to the address provided by the data subject. Prior to complying with the request the Company may request the data subject to further specify the request or the data processing activities.
If the data subject’s right to obtain information as described above adversely affects the rights and freedoms of others (especially regarding trade secrets and intellectual property rights) the Company is entitled to refuse to comply with the request in the necessary and proportionate amount.
In the event the data subject requests the above information in multiple copies the Company is entitled to bill a proportionate and reasonable amount of money in connection with the administrative costs of fulfilling the request. If the personal data indicated by the data subject is not processed by the Company, the Company shall nevertheless inform the data subject of this fact.
6.2. Right to rectification
The data subject shall have the right to obtain from the Company without undue delay the rectification of inaccurate, incorrect or incomplete personal data concerning him or her. The Company shall correct the inaccurate or inaccurate data immediately, but no later than within 5 (five) days. If it does not conflict with the purposes of the processing, the Company may complete the incomplete personal data by means of a supplementary statement provided by the data subject. The Company shall notify the data subject of the above by electronic or postal mail to the address provided by the recipient.
The Company shall be exempted from complying with the request for rectification if
-
the accurate, correct and complete personal data are not available and the data subject does not provide those to the Company, or
-
if the validity of the personal data provided by the data subject cannot be established.
6.3.Right to erasure („right to be forgotten”)
The data subject shall have the right to request from the Company the erasure of any personal data relating to the data subject. The data subject shall make the request in writing with specifying the personal data to be erased and the reason for the erasure.
The fulfilment of the request shall only be denied by the Company in case the processing of the personal data is obligatory for the Company by law. Should the Company not be obligated by law to process the personal data then the Company shall comply with the request no later than within 15 (fifteen) days and inform the data subject by electronic or postal mail to the address provided by the data subject.
6.4.Right to restriction of processing
The data subject may request the Company the restriction of processing the personal data in writing. The restriction shall apply until the reasons specified by the data subject make it necessary. The data subject may request the restriction of processing if:
-
the accuracy of the personal data is contested by the data subject (for a period enabling the controller to verify the accuracy of the personal data);
-
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
-
the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the Company before the restriction of processing is lifted.
After complying with the request of restriction the Company shall inform of that fact any persons or legal entities to whom the Company has lawfully forwarded the personal data of the data subject, unless such a task is impossible or would require unproportionate effort from the Company.
6.5. Right to an effective remedy
6.5.1. Dispute resolution with the Company
The data subject may announce their request regarding information, rectification, erasure and restriction in person or in writing at the Company at any addresses of the Company provided in Section I.
6.5.2. Right to complaint
In the event the dispute resolution with the Company proved unsuccessful or the data subject deems that their rights listed above were violated or a direct risk of such violation exists, the data subject is entitled to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.
Contact information of the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)
Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: 1530 Budapest, Pf. 5
Telephone: +36(1)3911400
Telefax: +36(1)3911410
E-mail address: ugyfelszolgalat@naih.hu
Website: http://naih.hu
6.5.3. Right to a court
The data subject – regardless of their right to complaint – may file an action with the courts if their rights under the GDPR and the Privacy Act have been violated.
Any action against the Company may only be filed with a Hungarian court.
The data subject may file the action with the court of his jurisdiction. The Courts of Hungary and their jurisdiction is available at the following link: http://birosag.hu/torvenyszekek
VI. Additional information
7.1. Claims regarding personal data after the death of the data subject
In the 5 (five) years following the death of the data subject their original rights may be claimed by persons with power of attorney specifically for this matter (in a notarial document or in a private document representing conclusive evidence). If the data subject has not made such a declaration while they were alive, then their next of kin may exercise those rights (in the event that more than one kin is entitled to exercise those rights, the one exercising the rights first shall be entitled to do so).
7.2. Special provisions regarding camera recordings
7.2.1. Right to information
The data subject may inquire about the contents of the footage relating to the data subject within 3 (three) business days of the recording. The data subject shall note in the inquiry when and where the footage was recorded, and how the data subject may be identified on the recordings. The Company shall fulfill the inquiry within 15 (fifteen) days.
7.2.2. Right to hold the recording
The data subject may request the Company to hold the footage (so that it will not be deleted) relating to the data subject within 3 (three) business days of the recording by proving their right or lawful interest. The data subject shall note in the inquiry when and where the footage was recorded, and the reason for the request. The Company strongly advises the data subject to initiate any other necessary proceedings, as the Company shall only hand out the recordings based on a request from the authorities or the courts.
7.2.3. Right to view the footage
The data subject may request the Company to allow insight into the footage recorded about them within 3 (three) business days of the recording. The data subject shall note in the inquiry when and where the footage was recorded, and how the data subject may be identified on the recordings, and the date when the data subject wishes to view the footage. The Company shall provide access to the recordings on workdays from 9 to 15 o’clock.