DATA PROTECTION POLICY OF CST-CSEPEL TECHNO KFT.
On the Control and Storage of Data of Employees
The purpose of this policy is to describe the date control practice of CST-Csepel Techno Kft. according to the data protection and data safety requirements defined in the Law no. CXII. of yr 2011 (hereafter: InfoLaw) on information self-determination and freedom of information. In issues not regulated in this Policy the provisions of InfoLaw, Labour Law and the relevant rules in force are valid.
1. GENERAL MEASURES
1.1 Explanatory notes
Data group: A summarized name of data and data circles (that is a formal appearance of facts, concepts or instructions, recorded series of signals, verbal communication or through technical means, for explanation and processing. In this policy any written or electronically made and stored on any data medium – text, numerical data row, fact, information, draft, graph, picture and figure) usually based on recording function.
Data processing: Performing the technical tasks related to data control activities, regardless the applied method and means and the place of activity provided that the technical tasks are made on the data. According to the interpretation of this Policy data processing is each kind of technical data controlling activity without the need for decision making which is made by the data processor by the instructions of the data controller.
Data Processor: A natural or legal entity, or an organisation without legal entity who/which performs data processing according to its contract with the data controller – including contract making by legal regulations
Data Medium: The physical form of data, its storage location, including documents.
Data Controlling: Regardless the applied procedure any activity or sum of activities made on the data thus especially its collection, recording, systematization, storage, modification, usage, questioning, forwarding, making them public, combination, locking, cancelling and deletion, and the obstructing of their further usage, photo-, voice-, or video recording, plus the recording of physical traits which are capable of personal identification. According to the interpretation of this Policy data controlling is especially the decision making and issuing instructions related to specific data controlling activities.
Data Controller: A natural or legal entity, or an organisation without legal entity who/which on its own or with others defines the objectives of data control, makes and executes the decisions or makes the data processor execute the decisions related to data controlling.
Data Destruction: A complete physical destruction of the data medium storing the data.
Data forwarding: Making the data accessible for a defined third party.
Data Cancellation: Making the data unrecognizable in a way that it is not possible to restore them.
Subject: Any concrete and identified or identifiable natural person by the personal data.
Third Person: A natural or legal person, or organisation without legal entity, who/which is not identical with the subject, the data controller and the data processor.
Consent: Consent is any freely given, specific, informed and unambiguous indication of the individual’s wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes. The consent has no formal requirements, except for the consent on the control of special data, it can be made by a clear statement and by acceptance of conduct as well, but the consent has to be provable in all cases.
Document: A text, numerical data, draft, graph and figure made in written form or electronically.
Special/Sensitive Data: Personal data which are related to racial, national or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, health or sex life, addictions and criminal record data.
Personal Data: Any data which can be connected to the subject – a characteristic information related to especially the name, ID sign, and one or more physical, physiological, mental, economic, cultural, or social identity and the consequence which can be made from the data related to the subject.
Natural personal ID data: First and second name, birth name, mother’s name, birth date and place of the subject.
Protest: The statement of the subject in which he/she disapproves of the control of his/her personal data and asks for stopping personal data control and the cancellation of controlled data.
Data protection incident: A security breach which results in the cancellation, loss, modification, unauthorized disclosure or unauthorized access to personal data.
2. CONTROL AND PROTECTION OF PERSONAL DATA
2.1. Purpose limitation of data control
The employer can control the personal data of the employees to fulfil its requirements of the labour relations.
2.2 Data Security
The employer is obliged to ensure the highest possible level of security (principle of data security) all through the data controlling. The employer takes the necessary measures during the data control for the safe data storage and to avoid unauthorised access, change, forwarding, making public, cancellation or destruction, and accidental cancellation or damage.
The data controller is obliged to plan and implement the data control activities so that these activities should ensure the protection of the employees’ private life.
Every employee and data processor who has to have access to personal data during their work shall sign a declaration of confidentiality.
The subject can ask for notification form the data controller about the control of his/her personal data during the time of data control and has the right to look into it. This right has to be ensured in a way that the subject cannot get access to the personal data of other subjects.
Notification can be rejected by the data controller in the following cases:
a) if the employee asks for notification about the personal data of other subjects
b) if notification is excluded by law
2.4. Circle of controlled data
Only those data can be requested from the subjects and can be recorded and only those types of job-related medical aptitude tests can be made which are necessary for creating, maintaining, and terminating the employment contract and needed for the social and welfare benefits and do not violate the individual rights of the employee.
From those employees who are disabled or rated by the occupational health-care professional as “not suitable”, the employer can ask for and control the expert opinions of the relevant authorities (and medical exit reports) which make a detailed list of the illnesses of the employee. The employer can use the data of the resolution exclusively for the purpose to conduct the rehabilitation procedure, to explore the rehabilitation job type, and to establish the rehabilitation allowance, aid and foundation support.
CST-Csepel Techno Kft. can control the following personal data of the employees by legal regulations:
a) The natural personal identification data pf the employee, sex, permanent or temporary place of living
c) Hungarian social security number (TAJ)
d) Tax identification number
e) Start and end date of employment
f) Job title
g) Copies of documents on education, professional qualification, language knowledge, study contract
h) Sum of salary, data related to salary and other benefits
i) Deductible debt, its entitlement based on a final decision or law his/her written consent
j) The duration of sick leave of the employee in the year when the employment contract terminated
k) Data on regular and irregular holidays and working hours, issue of holidays and other times off work related data
l) Other significant data of the employment contract (e.g.: benefits for the employee, daily/monthly working time of the employee
m) Employee assessment
n) The way and reasons of terminating the employment contract
o) Summary of the occupational aptitude tests
p) Name of institute, ID no. and membership no of employee in case of membership in private pension fund and voluntary mutual insurance institute
q) Passport no. in case of travel abroad
r) Finger-print (entry and recording system)
s) Photo of the subject
t) CV of the subject
u) Driving license (for those whose job title requires it)
v)) All other personal data which are consented by the subject to control. Especially of this kind are the personal data related to family tax reduction, social-welfare benefits (aid, residential support), expert opinion on disability, health damage or invalidity or medical exit report by a medical specialist.
w) All personal data the control of which is regulated by law
2.5 The following persons can have access to the data of the employee
a) The subject
b) The managers of the employer in cases, time and extent as it is inevitably required to fulfil their jobs, and the defined employee of the legal, financial and operational team – who controls the personal file of the subject.
c) The co-workers appointed the managers of the employer in cases, time and extent as it is inevitably required to fulfil their jobs
d) By the request of law court, prosecution, investigating authorities, or other determining authorities to the required extent
e) Other persons – in justified cases – with the written consent of the subject, to the extent of the consent.
2.6 Duration of the data control
After one year of the termination of the employment contract the data of the employee shall be deleted from the records except for those data which can or have to be legally maintained or stored.
2.7 Data control of the job applications
In case there is no employment contract after the recruitment process the data of the subject (job applicant) shall be deleted except if the subject gives a written consent to the recruiting employer to control his/her data in the future. These personal data are controlled by the employer until a determined time given in the written consent of the subject.
2.8 Forwarding data
It is possible in all cases when the data controller fulfils its obligations written employment contract.
In cases defined by law the employer can give over the personal data of the employee to the law court, prosecution, investigating authorities, or other determining authorities.
2.9 The data controller
Name: CST-Csepel Techno Kft.
Site: 1211 Budap est, Déli-bekötő út 3.
E-mail address: firstname.lastname@example.org
Dat protection officer: Eszter Győri
The subject can exercise his/her rights regarding data control at the above contacts.
3. ENFORCEMENT AND REMEDIES
Anybody can initiate an investigation at the Hungarian National Authority for Data Protection and Freedom of Information with reference to violation of law or to its direct threat regarding the exercise of rights on the control of personal data or the learning of data of common interest or public data by common interest. The investigation of the Authority is free of charge, the costs are covered by the Authority.
Name: Hungarian National Authority for Data Protection and Freedom of Information
(in Hungarian: Nemzeti Adatvédelmi és Információs Hatóság)
Site: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, PO Box: 5.
Website: http:/ /www.naih.hu
In case of the violation of law of his/her rights the subject can refer to the relevant court claiming the infringement of the data controller. The court will handle the case as priority. The lawsuit can be initiated before the court according to the place of living of the subject. The data controller is obliged to pay for the damages to the subject caused by the unlawful data control or by breaching the requirements of data security. The data controller is responsible for the damage caused by the data processor as well. The data controller is exempted from liability, if it can prove that the damage was made by an event of Force Majeure which was beyond the scope of data control.
Effective date: May 25, 2018