Data protection and data management policy
The purpose of this regulation, subject to the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as "Privacy Act") – is to ensure the informational self-determination by determining the legitimate order of records kept at Maria Kopp Institute for Demography and Families (hereinafter referred to as Institute), by providing constitutional principles of data protection and enforcement of data security requirements, as well as by preventing unauthorized access, data alteration and unauthorized disclosure.
I. GENERAL PROVISIONS
1. Scope of the Policy
The scope of this policy applies to all personal data contained in all the organizational units of the Institute.
2. Basic concepts of data protection
2.1. Personal data: data relating to the data subject, in particular the name, identification number, and one or more physical, physiological, mental, economic, cultural or social feature of the data subject, as well as the conclusions that may be deduced from the data regarding the subject.
Personal data may be identification and descriptive data.
2.1.1. Identifying data that serves the identification of the individual.
22.214.171.124. Natural data, in particular the name of the data subject, his / her mother's name, date and place of birth, marital status, residence and place of residence;
126.96.36.199. Artificial identification data, that is, data generated by a mathematical or other algorithm, including in particular the personal identification code, the social security identification number (TAJ), the tax identification number, the identity card number, the passport number;
2.1.2. Descriptive data, that is, other data relevant to data handling. Non-descriptive data, non-personal data (e.g. statistical data), which cannot be associated with the specified natural person.
2.2. Special data:
2.2.1. Personal data on racial origin, nationality, political opinion or party affiliation, religious or philosophical beliefs, membership of representative organizations, sexual life;
2.2.2. Personal data on health, addictions and criminal records
2.3 Public data: the State or local government job, as well as other statutory bodies of the body or person and the context of the provision relating to the activities or közfeladatának the concept of personal data, which is not subject, in any way, shape or form recorded information or knowledge, regardless of the mode of management or collections, including the nature of the jurisdiction, jurisdiction, organizational structure, the effectiveness of professional activities, including the assessment of the operation of regulatory adatfajtákra held and legislation, as well as the management of the contracts;
2.4. Public data of public interest: data not covered by the concept of public data the disclosure, accessibility or availability of which is ordered by law upon public interest;
2.5. Data processing: any operation or set of operations carried out in relation to data regardless of the applied procedure, including the collection, recording, organisation, storage, alteration, use, query, forwarding, coordination of disclosure, or linking, blocking, cancellation and destruction of data, as well as to prevent further use of the data, photo, audio or video recordings, as well as the recording of physical characteristics (e.g. finger or palm prints, DNA samples, Iris picture), capable for the identification of the person;
2.6. Data processing: the technical operations related to data handling tasks, regardless of the method and the device used to perform the operations, as well as the location of the application, provided that the technical task is carried out on the data;
2.7. Data transmission: the data set available to a third party;
2.8. Data deletion: making the data unrecognisable in such a way that the restoration is no longer possible;
2.9. Data annihilation: total physical destruction of the media containing the data;
2.10. Data controller: any natural or legal person or unincorporated organization which alone or jointly with others determines the purpose of the data handling
2.11 – 3.1
2.11. Data Processor: a natural or legal person or an organization without legal personality who, on the basis of a contract, including a contract under a provision of the law, processes data;
2.12. Contribution: voluntary and decisive disclosure of the will of the data subject, based on appropriate information and by which he/she gives his / her unambiguous consent to the handling of his / her personal data, covering all or part of the operation;
2.13. Data security: a set of organizational, technical solutions and procedural rules against the unauthorized handling of personal data, in particular the acquisition, processing, alteration and destruction of personal data; the state of data management in which the risk factors - and thus the threat are reduced to the smallest by organization, technical solutions and measures;
2.14. Right of Information Self-Determination: The content of the right to the protection of personal data provided in Article 3 of the Fundamental Law is that everyone has the right to disclose and use his or her personal data;
2.15. Third party: a natural or legal person or a non-legal entity that is not the same as the data subject, the data controller or the data processor;
3. Principles of data protection
3.1. The right to the protection of personal data is the fundamental right of natural persons provided in the Fundamental Law, which guarantees the right of information to self-determination of data subjects. In the absence of the data subject’s consent, the right to informational self-determination may only be restricted under an authorisation by law.
In the absence of the data subject’s consent, the right to informational self-determination may only be restricted under an authorisation by law.
3.2. A person within the scope of his / her duties may, handle personal and special data only in statutory cases or in the cases where he/she is authorized by the head of the data handling body on the basis of the authorization of the law or if the data subject explicitly consented to it, in case of special data in writing.
3.3. The Institute's employee responsible for data handling owns disciplinary, compensation, punitive, and criminal liability for the legitimate management of personal data that he or she becomes aware of while exercising his or her duties and powers and for the lawful exercise of access rights to the records of the Institute.
3.4. Personal data may only be handled for a specific purpose, for the exercise of the right and for the fulfilment of the obligation. At all stages of data handling, the purpose of data handling must be met, the recording and handling of data must be fair and legitimate.
3.5. Only such personal data may be managed which are essential and suitable for the implementation of the objective of data handling. Personal data can only be handled to the extent and for the duration required to achieve the goal.
3.6. Personal data preserves its quality during management as long as its relationship can be restored with the data subject. The connection with the data subject is deemed as restored if the data controller has the technical conditions that are necessary for restoration.
3.7 During data handling the accuracy and completeness of the data and, if necessary for the purposes of data handling, the updating of the data shall be ensured and the identification of the data subject shall be restricted for the time necessary for the purpose of data processing.
3.8. If a person within the scope of the Policy becomes aware of the fact that the personal data he/she manages is defective, incomplete or timeless, he or she must rectify it or ask for rectification by the person responsible for recording the data.
3.9. Data protection obligations for natural or legal persons or non-legal entities performing data processing on behalf of the Institute shall be enforced in a contract with the data processor.
4. General rules for data handling
4.1. Personal data can be handled by the Institute if
4.1.1. The person concerned has given its consent to it, or
4.1.2. It is governed by law or by a decree of the local authority on the basis of the authorization of the law, within the scope specified therein, for a purpose based on public interest (hereinafter: mandatory data handling). In case of doubt, it must be presumed that the data subject has not given his/her consent.
4.1.3. In the case of mandatory data handling, the types of data to be processed, the purpose and conditions of the data handling, the accessibility of the data, the length of the data handling and the person of the data controller are determined by the law or the municipal decree governing the data handling.
4.2. Special data may be handled if
4.2.1. The data subject contributes to the data handling in writing, or
4.2.2. Regarding data as per Section 2.2.1., data handling is required in order to enforce an international treaty promulgated by an act or it is prescribed by the law in order to enforce the fundamental right guaranteed by the Constitution and to preserve national security, prevent or prosecute crime or out of defence interests, or
4.2.3. For the purposes of Section 2.2.2. the law prescribes it out of public interest.
4.3. Before recording the data, the data subject must be notified of the purpose of data handling and whether the data supply is voluntary or mandatory. In the case of mandatory data provision, one must also indicate the law prescribing data handling.
4.4. Employees handling information at the Institute's departments are required to treat the personal information they get acquainted with as secret and to comply with the relevant legal provisions. In such a position, only a person can be employed who has made a confidentiality statement.
4.5. Personal data may also be handled if the acquisition of the consent of the data subject is impossible or would impose disproportionate costs and the management of personal data is necessary to fulfil a legal obligation of the data controller or to enforce the legitimate interests of the data controller or third party, and the enforcement of these is in proportion to the restriction of the right for protection of personal data.
4.6. If, due to the inability to do so or for some other unavoidable cause, he or she is unable to give his or her consent, the personal data of the data subject may be processed to the extent necessary for the protection of the essential interests of one's own or another person and to avert or prevent the direct threat to the life, physical integrity or wealth, for the time the given threat exists.
4.7. For the validity of the legal declaration of a minor of 16 years' consent, the consent or post-approval by his / her legal representative is not required.
4.8. If the purpose of the consent-based data handling is to perform a contract in writing with the data controller, the contract must include all information that the data subject needs to know for the purposes of the processing of personal data - on the basis of this law - and in particular the definition of the data to be processed, the duration of the processing, its purpose, the transmission of the data, its addressees and the fact that it is being processed by the data processor. The contract must, in an unambiguous manner, contain that by the signature the data subject consents to the management of its data as specified in the contract.
4.9. If the personal data has been collected with the consent of the data subject, the data controller may manage the data recorded in the absence of a different legal provision in order to fulfil its legal obligation or to enforce a legitimate interest of the data controller or third party without further special consent, if the enforcement of this interest is proportionate with the restriction of the right to the protection of personal data, and this data may also be managed after the consent of the data subject has been withdrawn.
4.10. In the case of personal data necessary for the conduct of court or administrative proceedings at the request of the data subject, the consent of the data subject shall be presumed in the case of personal data necessary for the conduct of the proceeding at the request of the data subject.
4.11. The consent of the data subject shall be deemed to have been granted for personal data communicated or disclosed by him/her during public acting.
5. Data processing
5.1. In the case of the involvement of a data processor, the data controller is entitled to determine the purpose of the data handling and the decision on the data handling, thus the President of the Institute or the person authorized by the President is entitled to decide upon a request on the disclosure or transmission of data.
5.2. The data processor may process any personal data obtained pursuant to the instructions of the data controller; it may not perform data processing for its own purposes, and is obliged to store and preserve personal data as required by the data controller.
5.3. The contract for the processing of data shall be concluded in writing. With data processing no organization can be entrusted that is interested in the business of personal data processing.
6. Data provision upon request
6.1. Request for information from a body other than the Institute or a private person may only be performed if the data subject authorizes the Institute in writing to do so. The data subject may also grant such authorization in advance, which may be for a certain period of time and for a specific range of bodies regarding their request.
6.2. Irrespective of the statement of the data subject, the inquiries from authorities responsible for the criminal proceedings - police, court, public prosecutor - and national security services must be satisfied. On requests by these bodies, the competent data controller shall inform the President of the Institute, directly or through the head of its department. Data provision can only be done with the approval of the President.
6.3. The facts and circumstances relating to the data provision on request must be documented by the taking of minutes. The protocol shall include the following information:
6.3.1. the name, address, telephone number of the initiating body or person,
6.3.2. the purpose and goal of the data request,
6.3.3. the legal basis of the data request or the statement of the data subject,
6.3.4. date of the data request,
6.3.5. the name of the data processing underlying the data provision,
6.3.6. the name of the organizational unit performing the data provision,
6.3.7. the data subjects,
6.3.8. the data set requested,
6.3.9. the way of transferring data.
6.4. The protocol on the request shall be kept for 5 years at the place of data processing.
7. Demand for access to data of public interest
7.1. Anyone can apply upon oral, written or electronical way a request to an access to data of public interest. Regarding access to data of public interest, the applicable regulations of Infotv. shall be applied. For publication, deletion and correction of data of public interest, regulations conained in Infotv. and governmental decree 305/2005 (XII.25.) shall apply.
7.2. Requests for data of public interest may be submitted:
7.2.1. In person at 1016 Budapest, Sánc u. 3 / b. (Monday-Thursday from 9 am to 4 pm, Fridays from 9 am to 1 pm).
7.2.3. Via post at the postal address 1016 Budapest, Sánc u. 3 / b.
7.3. The request for data of public interest shall be complied with by the Institute within the shortest time after its receipt, but not later than within 15 days, if the statutory conditions are met. If the data request is significant or involves a large number of data or the fulfilment of the data request involves a disproportionate use of the labour force required to perform the core activity of the Institute, the deadline of 15 days may be extended once by 15 days. Upon this, the claimant must be informed within 15 days of receipt of the request.
7.4. Of the document or document part containing the data, regardless of how it is stored, the claimant may receive a copy. For the fulfilment of the request for information, up to the amount of the costs incurred, the Institute may set a cost reimbursement for which the claimant must be informed before the claim is fulfilled.
7.5. About the refusal of the claim, including the reasons for it, and the information of the claimant of the legal remedies he/she is entitled to pursuant to Infotv., one must notify the claimant by e-mail within 15 days of receipt of the request, if the electronic mailing address of the claimant has been sent in the request or in writing. The data controlling Institute keeps a record of rejected requests and the grounds for refusal and informs the National Data Protection and Information Authority by every 31st January of each year on these records.
7.6. The claimant may file a lawsuit against the Institute pursuant to the relevant provisions of Infotv., when the request for data of public interest is rejected. The lawsuit must be initiated against the Institute within thirty days of the notification on the rejection of the request and the expiration of the deadline. With the exception of a lawsuit against a body with public authority of national competence, the District Court of Pest in Budapest is competent for the lawsuit. The jurisdiction of the court is determined upon the seat of the defendant body with public authority. The court proceeds out of order.
8. Transmission of data abroad
8.1. Personal data may be transmitted by a data controller or data processor to a data controller carrying out data handling in a third country subject to this Act or may be transferred to a data processor carrying out data handling in a third country if
8.1.1. The data subject expressly consented to it, or
8.1.2. The conditions of data handling provided for in the relevant law and this policy are fulfilled and in the third country during the management and processing of personal data an adequate level of protection is provided.
8.2. An adequate level of protection of personal data is provided when
8.2.1. The European Union's statutory act establishes it or
8.2.2. Between the third country and Hungary, an international treaty with rules of guarantee for ensuring the enforcement of rights, the right of appeal and the independent control of data handling and data processing is in force pursuant to the Infotv.
8.3. Personal data may be transmitted to a third country for the purposes of implementation of the international treaty on international assistance, tax information exchange and the avoidance on double taxation, with the conditions set forth therein and within the data set specified.
8.4. Data transmission to an EEA state shall be deemed as a data transmission within the territory of Hungary.
9. Disclosure of personal data
The disclosure of personal data handled by the Institute - unless prescribed by law - is prohibited.
10. Requirement of data security
10.1. The data handling Institute shall design and execute the data handling operations so that in the course of implementing the regulations of the Infotv. and other rules on data handling, the protection of the privacy of the data subjects is ensured.
10.2. The data controller or, in the course of its activities, the data processor shall ensure the security of the data, and shall also take the technical and organizational measures and develop the procedural rules necessary to enforce this law and other data and confidentiality rules. The necessary measures should be taken to ensure the security of both personal data handled manually and stored and processed on the computer.
10.3. Data shall be protected against any unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as any unintentional destruction or damage or unavailability resulting from a change in the technique used.
10.4. In order to protect electronically managed files in different registers, via an appropriate technical solution it shall be ensured that the data stored in the records cannot be directly linked and assigned to the data subject unless permitted by law.
10.5. In the automated processing of personal data, the data controller and the data processor provide additional measures in order to
10.5.1. Prevent unauthorized data entry,
10.5.2. Prevent the use of automatic data processing systems by unauthorized persons by means of data transmission equipment,
10.5.3. Ensure and verify that the personal data was or might be transmitted by means of data transmission equipment to which bodies,
10.5.4. Ensure and verify, which personal data, when and who has entered to the automatic data processing systems,
10.5.5. Ensure the ability for recovery of installed systems in case of malfunction and,
10.5.6. Compile reports of errors occurring during automated processing.
10.6. The data controller and the data processor must take into account the current state of art when defining and applying data security measures. From several possible data handling solutions one has to be chosen that provides a higher level of protection of personal data, unless imposing disproportionate difficulty to the data controller.
10.7. To prevent unauthorized access, the data controller is prohibited from communicating information about public servants or other natural persons treated in the Institute via telephone.
11. Computer-managed data
11.1. In order to ensure the security of personal data stored on a computer or on a network, the following measures must be taken:
11.1.1. Backup: Data from personal data databases must be backed up on a dedicated media on a regular basis in the case of payroll and labor records weekly, for human resources, public records and other records every month. The backup media should be kept in a fireproof metal case.
11.1.2. Archiving: the passive proportion of personal data databases - data that does not require further processing, which is unchanged - must be separated from the active part and the passive data shall be recorded on a durable medium. The media containing the archived data must be kept in an appropriate manner.
11.1.3. Fire protection: data and databases must be placed in a lockable security box.
11.1.4. Virus protection: virus protection must be provided on desktops of personal computers.
11.1.5. Access protection: access to data is limited to valid, personal, identifiable entitlements - at least with a user name and password. Network resources can only be accessed with a valid user name and password. Regular replacement of passwords should be provided.
11.1.6. Network protection: via the use of computing devices at all times it should prevented that unauthorized persons access data storage servers accessible over the network.
13. Manually handed data
13.1. To ensure the security of manually handled personal data, the following measures must be taken:
13.1.1. Fire and property protection: documents taken in the archives are to be placed in a well-sealed, dry, fire-proof and property protected facility.
13.1.2. Access protection: continuously active files can be accessed by competent administrators. The documents relating to human resources, public employment as well as wage and labour shall be kept in a special cabinet and documents concerning other legal relations, containing personal data must be kept in a separate lockable room, in a lockable cabinet.
13.2. Archives of the documents referred to in the specific part of this policy shall be concluded once a year. Archived documents must be sorted and archived in accordance with the Institute's rules on documentation and disposal.
14. Rights of the data subject, enforcement of rights
14.1. The data subject may request in person or in writing information about the handling of his / her personal data and may request the rectification or the deletion of his / her personal data except for the data handling required by law.
14.2. The data subject may request information from the competent administrator about the data handling of which he or she is subject and also has access rights. The access shall be provided in a way that it does enable the data subject to gain access to personal data of others.
14.3. Upon request, the data controller shall provide information about the data he or she handles, the purpose, legal basis, duration of the data handling, and who has received the data and for what purpose.
14.4. The provision of information or access can only be denied if the requested information was classified by the competent body under the appropriate procedure, pursuant to the provisions of Act CLV. of 2009 on classified information. In this case, the data controller shall inform the data subject of the reasons for denial.
14.5. In the event of a data change or noticing an incorrect recording of data, the data subject may request rectification or correction of the processed data. Incorrect data must be rectified by the data controller within two working days.
14.6. In the case of data handling based on non-mandatory data provision, the data subject may request the deletion of his/her managed data without any reason. Deletion must be completed within two business days.
14.8. In case of the breach of the rights of the data subject, and in cases pursuant to the Infotv., the data recipient may appeal to the court against the data controller. Such court proceedings shall be conducted under priority. The data controller shall demonstrate that data handling is in compliance with the law. The lawsuit can be initiated by the data subject, according to his/her choice, before the competent court of domicile or place of residence.
15.1. Compliance with data protection regulations, and in particular the provisions of this policy is monitored by each head of organizational units and the data protection officer.
15.2. A systematic observation and management of personal data is not realized in the Institute, therefore the Institute does not employ a distinct data protection officer.
15.3. Monitoring of each data processing must be carried out as necessary, but at least once a year.
This Policy shall enter into force on the date of its signature. For matters not covered by this Policy, the General Data Protection Regulation (GDPR) 2016/679 of the European Parliament and Council, as well as the Infotv., Ptk., Kjt and Mt. shall prevail.