GDPR, Data Protection Statement

Data management and data security policy

Scope of the policy

The scope of these regulations covers the entirety of STORY PRINT Limited Liability Company (head office: 4028 Debrecen, Zrínyi street, no. 15, registration number: 0909029337, Tax number: 26201665-2-09), all its organizational units, and all employees (hereinafter: Company).

Purpose of the policy

The purpose of the Regulations is to ensure the protection of personal data in accordance with the Basic Law, to give effect to the right to informational self-determination, and to define the data protection and data security rules governing the management of the personal data handled by the Company.

III. Governing Laws

In the course of its data management, the Company must act in accordance with the following legislation, under the provisions of these internal regulations:

Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR)

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)

Act V of 2013 on the Civil Code (hereinafter: Civil Code)

Act I of 2012 on the Labor Code (hereinafter: Mt.)

Interpretative provisions

The concepts defined in the GDPR apply; given the nature of these internal regulations, the following should be highlighted:

  • personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • data management: any operation or set of operations performed on personal data or data files, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • data controller: the natural or legal person, public authority, agency, or any other body that, alone or together with others, determines the purposes and means of processing personal data; where the purposes and means of data management are determined by EU or member state law, the data controller, or the specific criteria for its designation, may also be determined by EU or member state law.

  • data processor: the natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller.

  • recipient: the natural or legal person, public authority, agency, or any other body to whom the personal data is disclosed, whether or not it is a third party. Public authorities that may receive personal data in the framework of a particular inquiry in accordance with EU or member state law are not considered recipients; the handling of that data by those public authorities must comply with the applicable data protection rules according to the purposes of the data management.

  • third party: the natural or legal person, public authority, agency, or any other body other than the data subject, the data controller, the data processor, or the persons who are authorized to handle personal data under the direct authority of the data controller or data processor.

  • registration system: any structured set of personal data, whether centralized, decentralized, or divided on a functional or geographical basis, which is accessible according to specific criteria.

  • data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled.

  • representative: the natural or legal person established or residing in the European Union and designated in writing by the data controller or data processor pursuant to Article 27, who represents the data controller or data processor with regard to their obligations under the GDPR.

  • enterprise: a natural or legal person engaged in economic activity, regardless of its legal form, including partnerships and associations regularly engaged in economic activity.

Additional concepts:

  • data asset inventory: a document used to assess the scope and nature of the personal data managed by the data controller.

  • technical and organizational measures: procedures, defined with regard to the nature, scope, circumstances and purposes of the data management and to the varying probability and severity of the risk to the rights and freedoms of natural persons, that ensure and demonstrate that the processing of personal data is carried out in accordance with the GDPR. These measures are reviewed by the data controller and updated if necessary.

Basic principles of data management

The company handles data lawfully and fairly, and in a manner transparent to the data subject (lawfulness, fairness, and transparency).

The company only collects personal data for specific, explicit, and legitimate purposes, and does not process them in a way that is incompatible with these purposes (purpose limitation).

The company's data management is adequate and relevant to its purpose(s) and limited to what is necessary (data minimization). Accordingly, the company does not collect or store more data than is necessary to achieve the purpose of the data management.

The company's data management is accurate and kept up to date. The company takes all reasonable measures to ensure that personal data that are inaccurate for the purposes of the data management are deleted or rectified without delay (accuracy).

The company stores personal data in a form that allows the identification of the data subjects only for as long as necessary to achieve the purposes of the personal data management, subject to the retention obligations defined in the relevant legislation (storage limitation).

The company ensures adequate security of personal data by applying appropriate technical or organizational measures, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage of personal data (integrity and confidentiality).

The company is responsible for compliance with the basic principles detailed above and must be able to demonstrate this compliance (accountability). Accordingly, the company ensures the continuous enforcement of the provisions of these internal regulations, the continuous review of its data management and, if necessary, the modification and supplementation of its data management procedures. The company prepares documentation to demonstrate compliance with its legal obligations.

Legal bases for data management

The processing of personal data is lawful only if and to the extent that at least one of the legal bases specified in points 13-18 is fulfilled:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes (hereinafter: data management based on consent).

Data management is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (hereinafter: contract-based data management).

Data management is necessary for compliance with a legal obligation to which the company is subject (hereinafter: data management based on legal obligation).

Data management is necessary to protect the vital interests of the data subject or of another natural person (hereinafter: data management based on vital interests).

Data management is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the enterprise (hereinafter: data management based on public authority).

Data management is necessary for the purposes of the legitimate interests pursued by the company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child (hereinafter: legitimate interest-based data management).

With respect to the management of a given set of personal data, the company always performs data management on only one legal basis. The legal basis for data management may change during the data management.

VII. Inventory of data assets

The company prepares an inventory of data assets in order to establish technical and organizational measures for the data management carried out in the scope of its activities that comply with the obligations prescribed by the GDPR and other legislation. The data asset inventory contains all the data managed by the company.

In connection with the company's data management activities, the data asset inventory defines the following:

  • the name of the data asset element

  • the data asset

  • the purpose of the data management

  • the legal basis for the data management

  • the duration of the data management

  • the circle of data subjects

  • who can access the personal data within the company's organization

  • the method and place of storage

  • to whom the data may be transmitted

  • the purpose of the data processing carried out by the data processor

  • the date of deletion

VIII. The rights of the data subject and their enforcement

In accordance with the provisions of the GDPR, the company guarantees the following rights to data subjects.

Right to information

The data subject has the right to information with respect to all legal bases for data management.

The company provides information to data subjects in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

The information must be provided in writing or by other means, including, where appropriate, by electronic means.

Information at the request of the data subject

Information may also be provided orally at the request of the data subject, provided that the identity of the data subject has been verified by other means.

The company informs the data subject without undue delay, and in any case within 30 days of receipt of the request, of the measures taken in response to the data subject's request concerning the other data subject rights.

If necessary, taking into account the complexity of the request and the number of requests, the 30-day deadline may be extended by a further 60 days. The company informs the data subject of the extension of the deadline, indicating the reasons for the delay, within 30 days of receipt of the request. If the data subject submitted the request electronically, the information must be provided electronically where possible, unless the data subject requests otherwise.

The information and the measures taken must be provided free of charge.

If the data subject's request is manifestly unfounded or - in particular because of its repetitive character - excessive, the company, taking into account the administrative costs of providing the requested information or of taking the requested measure:

- may charge a reasonable fee, or

- may refuse to act on the request.

It is the responsibility of the company to demonstrate that the request is unfounded or excessive.

Mandatory information

If the company obtained the data directly from the data subject (including, in particular, customers), the company provides information on the following:

- the identity and contact details of the representative of the company, if there is one;

- the contact details of the data protection officer, if any;

- the purposes of the intended processing of the personal data, as well as the legal basis for the data management;

- in the case of data management based on legitimate interest, the legitimate interests pursued by the company or by a third party;

- where applicable, the recipients of the personal data;

- where applicable, the fact that the company intends to transfer personal data to a third country or international organization.

At the time of the first acquisition of personal data, in addition to the above, the company also informs the data subjects of the following:

- the period for which the personal data will be stored;

- the data subject's right to request from the company access to the personal data relating to him or her, their rectification or deletion, the restriction of processing in the case of data management under certain legal bases, the right to object to the processing of such personal data in the case of data management under certain legal bases, and the right to data portability;

- the right to withdraw consent at any time in the case of data management based on consent, which does not affect the lawfulness of the data management carried out on the basis of consent before its withdrawal;

- the right to lodge a complaint with the supervisory authority (National Data Protection and Freedom of Information Authority, hereinafter: Authority or NAIH);

- whether the provision of personal data is required by law or by a contractual obligation, or is a prerequisite for entering into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide the data.

If the company intends to further process the personal data for a purpose other than that for which they were collected, it informs the data subject of that other purpose and of all relevant additional information before the further data management.

Right of access

The data subject has the right of access with respect to all legal bases for data management.

The data subject has the right to obtain confirmation from the company as to whether his or her personal data are being processed and, where that is the case, to access the personal data and the following information:

- the purposes of the data management;

- the categories of personal data concerned;

- the recipients or categories of recipients to whom the company has disclosed or will disclose the personal data;

- where possible, the envisaged period for which the personal data will be stored;

- the data subject's right to request from the company the rectification of the personal data relating to him or her, their deletion or the restriction of their processing in the case of data management under certain legal bases, and the right to object to the processing of such personal data in the case of data management under certain legal bases;

- the right to lodge a complaint with the supervisory authority;

- where the data were not collected from the data subject, any available information as to their source;

- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such data management for the data subject.

The company provides the data subject with a copy of the personal data undergoing data management.

For any further copies requested by the data subject, the company may charge a reasonable fee based on administrative costs, the amount of which is set out in the company's pricing regulations, other regulations, or other documents.

Right to rectification

The data subject has the right to rectification with respect to all legal bases for data management.

At the request of the data subject, the company rectifies inaccurate personal data concerning the data subject without undue delay. The data subject has the right to have incomplete personal data completed, including by means of a supplementary statement.

Right to erasure (right to be forgotten)

The data subject does not automatically have the right to erasure (right to be forgotten) with respect to data management under all legal bases.

The company deletes the personal data of the data subject without undue delay if one of the following grounds applies:

- the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;

- the data subject withdraws the consent on which the data management is based (in the case of data management based on consent), and there is no other legal basis for the data management;

- the data subject objects to the data management and there are no overriding legitimate grounds for it, in the case of the legal bases applied according to points 17 and 18 (data management based on public authority or legitimate interest);

- the personal data have been processed unlawfully;

- the personal data must be deleted in order to comply with a legal obligation under EU or member state law to which the company is subject.

The company does not comply with the data subject's request for deletion if the data management is necessary for compliance with a legal obligation applicable to the company that requires the processing of the personal data.

If the company receives a deletion request, the first step is to check whether the request really originates from the data subject entitled to make it. To this end, the company may request data identifying the contract between the data subject and the company (for example, the contract number or the date of the contract), the identification number of a document issued by the company to the data subject, and the personal identification data registered about the data subject (the company may not, however, request for identification purposes additional data that it does not hold about the data subject).

If the company has to comply with the deletion request, it is obliged to do everything possible to ensure that the personal data are deleted from all databases.

The company records the deletion in a protocol so that it can prove that the deletion took place. The protocol is signed by the representative of the company or by the person(s) entitled to do so based on their job description. The deletion protocol includes:

  • the name of the data subject

  • the type of personal data deleted

  • the date of deletion.

The company informs all those to whom the personal data have been transmitted of the obligation to delete them.

The right to restrict data processing

The data subject has the right to restriction with respect to all legal bases for data management.

The company restricts data management at the request of the data subject if one of the following applies:

- the data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the company to verify the accuracy of the personal data;

- the data management is unlawful and the data subject opposes the deletion of the data and instead requests the restriction of their use;

- the company no longer needs the personal data for the purposes of the data management, but the data subject requires them for the establishment, exercise or defense of legal claims; or

- the data subject has objected to the data management in the case of the legal bases applied according to points 17 and 18 (data management based on public authority or legitimate interest); in this case the restriction applies for the period until it is determined whether the legitimate grounds of the company override those of the data subject.

Where data management has been restricted on the basis of the previous point, such personal data, with the exception of storage, may only be processed with the consent of the data subject, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a member state.

The company informs all those to whom the personal data have been transmitted of the restriction of the data management.

Right to object

The data subject has the right to object in the case of data management based on public authority or legitimate interest.

Where the data subject objects, the company may no longer process the personal data unless it demonstrates compelling legitimate grounds for the data management which override the interests, rights, and freedoms of the data subject, or which relate to the establishment, exercise or defense of legal claims.

If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his or her data for this purpose.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.

The right to lodge a complaint

If a request for information, rectification, restriction, or deletion has been submitted, or an objection has been raised against the data management, but the request has not been fulfilled, a complaint may be submitted to the Company.

The managing director of the Company investigates a complaint received by the Company regarding its data management within 8 days and informs the complainant of the result of the investigation.

If the managing director determines that action is necessary in connection with the complaint received, he or she takes the action no later than 15 days after the investigation and informs the complainant thereof.

Right to data portability

The data subject has the right to data portability in the case of data management based on consent or on a contract, if the data management is carried out by automated means.

The company ensures that the data subject receives the personal data he or she has provided to the company in a structured, commonly used, machine-readable format, and that the data subject may transmit this data to another data controller.

The right to appeal to the authorities

If the data management is objectionable, the National Data Protection and Freedom of Information Authority may be contacted. Contact details of the Authority:

1530 Budapest, Pf.:5

1125 Budapest, Szilágyi Erzsébet fasor 22/C

+36 1 3911400

ugyfelszolgalat@naih.hu

Registration of data management activities

The company keeps records of its data management activities in accordance with the principle of accountability, so as to be able to monitor and demonstrate compliance with the GDPR.

The company keeps at least the following records of the data management activities carried out under its responsibility:

- the record of data transfers

- the record of requests for the enforcement of data subject rights and the responses given by the company

- the record of official inquiries and the responses given by the company

- the record of requests for the termination of data management

- the customer register

- the record of inquiries for marketing purposes

- the record of the management of personal data related to the employment relationship

- the record of employment

- the record of data protection incidents.

The company keeps the records of the data management activities carried out under its responsibility, as specified in point 59, with the following content:

- the name and contact details of the company and, where applicable, of the representative of the company and of the data protection officer;

- the purposes of the data management;

- a description of the categories of data subjects and of the categories of personal data;

- the categories of recipients to whom the personal data have been or will be disclosed;

- where applicable, information on the transfer of personal data to a third country or international organization;

- where possible, the envisaged deadlines for the deletion of the different categories of data;

- where possible, a general description of the technical and organizational measures.

The records are kept by the company in writing, on paper or in electronic form.

Data security provisions

The company implements appropriate technical and organizational measures, taking into account the state of the art and the costs of implementation, as well as the nature, scope, circumstances, and purposes of the data management and the varying probability and severity of the risk to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the degree of risk.

Accordingly, the company is obliged to guarantee the confidentiality, integrity, and availability of the data it manages.

To determine the appropriate level of data security measures, the company evaluates each data file under its management from the point of view of its need for protection and classifies it into a security level.

To determine the security level of each data management operation, the following must be analyzed:

- the risk and expected damage associated with unauthorized access to, alteration of, or deletion of the personal data handled, and with damage to hardware and software devices;

- whether a damaged data file can be restored, the likely restoration costs, the availability of the data sources necessary to reproduce the personal data, and the possibility of replacing lost data from manual background records;

- whether, because of the nature of the personal data handled, the application of differentiated security standards is justified;

- other risk elements endangering data security.

To ensure the security of data management, the company applies a combination of physical, logical, and administrative controls.

The enterprise applies at least the following physical controls:

To prevent unauthorized access to the data it manages, both electronically and on paper, the company ensures that no unauthorized person can physically access the data it manages (locking the office; positioning monitors so that only authorized persons can see the data displayed on them; allowing only data carriers checked by the company to be connected to the computers).

The company applies at least the following logical controls:

The company ensures that only persons with the appropriate authorization have access to the data it manages (determination of authorization levels by job; setting access to computer databases according to authorization levels; tying access to the internal computer network to a user name and password).

The enterprise applies at least the following administrative controls:

The company ensures that any access to personal data can be traced in the documentation.

The place of storage and archiving of paper-based documents containing personal data is the company's headquarters at Zrínyi street, no. 15, 4028 Debrecen. Digital documents are stored at the company's headquarters at Zrínyi street, no. 15, 4028 Debrecen, on a computer protected by a code and password known to the executive.

The archived paper-based and digital documents are stored at the registered office of the company at Zrínyi street, no. 15, 4028 Debrecen, in a lockable room.

Web shop

The company operates a cloud-based online store, to which the data protection rules below apply.

Visitors: visitors to the website who do not wish to use our services as users and do not register on it.

Newsletter registrants: website visitors who subscribe to our regular or occasional newsletter by registering on our website and checking the relevant box.

Users: natural persons, directly or indirectly identifiable, who use the online interface with the intention of managing their orders.

Customers/Buyers: those who order goods after registering; by registering on the website, their personal data enters our company's data management and data processing system.

Newsletter-related data management:

- Legal basis: the consent of the data subject, which the natural person subscribing to the newsletter can give by checking the relevant box during registration on the website.

- Purpose: sending a regular or ad hoc newsletter about Service-related news, tips, professional content, and marketing messages.

- Scope of processed data: name, email address.

- Duration of data management: for as long as the newsletter service exists, or until the consent of the data subject is withdrawn (deletion request). Consent may be withdrawn using the link at the bottom of the newsletters or by sending an email to info@storyshop.hu.

Data management related to registration:

- Legal basis: the user gives consent to the data management by ticking the checkbox indicating acceptance of the data management information.

- Purpose: fulfillment of the order, service to the users, information, contact arising from the contractual relationship, issuing invoices in accordance with the law, and fulfilling the obligation to keep accounting records.

- Scope of processed data: full name, email address, phone number (if applicable), address (for invoicing), and, in the case of a legal entity, registered office address and tax number.

- Duration of data management: until the registration is canceled, but no longer than 3 years. Invoices issued must be kept for 8 years from the date of issue pursuant to Section 169(2) of the Accounting Act (Sztv.).

Data transmission: the company does not transmit the personal data of Newsletter registrants, Users, and Registrants to third parties, unless the third party acts as our subcontractor in order to fulfill the contract (e.g. a courier service).

Management of data protection incidents

In the absence of appropriate and timely measures, a data protection incident can cause physical, material, or non-material damage to natural persons, including loss of control over their personal data or limitation of their rights, discrimination, identity theft or misuse of identity, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the natural persons concerned.

The company reports a data protection incident to the Authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it.

The data protection incident does not have to be reported to the Authority if it is unlikely to result in a risk to the rights and freedoms of natural persons.

If the notification is not made within 72 hours, the reasons for the delay must be attached to it.

If the data protection incident must be reported to the Authority, the report:

- describes the nature of the data protection incident, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

- the name and contact details of the data protection officer or other contact person providing additional information must be provided;

- the likely consequences of the data protection incident must be described;

- the measures taken or planned by the company to remedy the data protection incident must be described, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

 

If the data protection incident is likely to involve a high risk to the rights and freedoms of natural persons, the company shall inform the data subject of the data protection incident without undue delay.

 

In the information according to point 94, the nature of the data protection incident must be clearly and comprehensibly explained to the data subject, and the following must be communicated:

- the name and contact details of the data protection officer or other contact person providing additional information;

- the likely consequences of the data protection incident;

- the measures taken or planned by the company to remedy the data protection incident, including, where appropriate, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

The data subject does not need to be informed if any of the following conditions are met:

 

- the company has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular measures, such as encryption, that render the data unintelligible to persons not authorized to access the personal data;

- after the data protection incident, the company has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future;

- providing the information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.

 

If the company employs a data processor, it must be stipulated in the data processing contract that the data processor is obliged to immediately notify the company of any data protection incident that has occurred. 

 

XII. Management of customer data

 

In the case of personal data processing based on the legitimate interests of the company, following the provisions of the GDPR, it is necessary to carry out the following interest assessment test:

- the subject of data management;

- determination of the legal basis of the legitimate interest;

- the personal data to be handled;

- purpose of data management;

- designation of the legitimate interest of the enterprise;

- what rights of the affected parties may be violated;

- consideration of interests;

- what measures and guarantees the company applies to adequately protect the personal data collected in this way.

Employment-related data management

 

In connection with job applications, the company provides the data management information as part of the job application, indicating the relevant contact information.

If the company wishes to store the documents submitted by the job applicant even after the position has been filled, the job applicant's consent must be requested. The consent must be voluntary, specific, based on adequate information, and clear. For this purpose, the declaration of consent must contain at least the following:

- the identity and contact details of the company's representative;

- the purpose of the planned processing of personal data [for example, a subsequent request to fill a newly opened position], as well as the legal basis for data processing (consent-based);

- the period of storage of personal data;

- the data subject's right to request from the company access to personal data relating to them, their correction, deletion, or restriction of processing;

- the data subject's right to withdraw their consent at any time, which, however, does not affect the legality of the data processing carried out based on the consent before the withdrawal;

- the right to submit a complaint to the authority.

After the evaluation of the application, the data carriers containing the personal data of the unsuccessful applicants must be returned to the applicant within 90 days, upon request, or, in the absence of the applicant's consent to the use of their data in further applications, must be destroyed. A record of the destruction (deletion) must be taken.

 

The company manages the employees' data based on the relevant provisions of the Mt. and informs them in the manner specified in the Mt., in compliance with the data management principles contained in the GDPR.

 

The company informs employees of the data processors it uses, including their identity and the scope of the data transmitted to them.

 

The following legal bases may typically arise during data processing in the employment relationship:

- contractual [the employment contract];

- based on legal obligation [e.g. taxation, alimony deduction];

- based on legitimate interest [for example data related to workplace monitoring].

 

If the company processes data based on point 85 c), then, following the provisions of the GDPR, it is necessary to carry out the following interest assessment test:

- designation of the legitimate interest of the enterprise;

- who is affected and what rights are violated;

- consideration of interests;

- what measures and guarantees the company applies to adequately protect the personal data collected in this way.

 

The interest assessment test(s) carried out regarding the handling of the scope of the given personal data must be made available to the employees [for example via an internal network, as an attachment to the employment contract].


XIV. Provisions regarding the use of the data processor

 

If the data processing is carried out by someone else on behalf of the company [for example, payroll, server service, website operation], the company may only use data processors who provide adequate guarantees that they implement measures ensuring that the data processing complies with the GDPR requirements and that the rights of the data subjects are protected.

 

The data processor may not use additional data processors without the company's prior written authorization on a case-by-case or general basis.

 

Concerning the data processing carried out by the data processor, the company and the data processor enter into a contract. This contract defines the subject, duration, nature, and purpose of data management, the type of personal data, the categories of data subjects, as well as the obligations and rights of the company.


The contract according to the previous point stipulates in particular that the data processor:

- handles personal data solely on the basis of the written instructions of the company;

- ensures that the persons authorized to handle personal data undertake a confidentiality obligation or are subject to an appropriate confidentiality obligation based on legislation;

- applies data security measures of at least the level prescribed by the company;

- respects the conditions mentioned above regarding the use of additional data processors;

- taking into account the nature of the data management, assists the company with appropriate technical and organizational measures, to the extent possible, in fulfilling its obligation to respond to requests related to the exercise of the rights of the data subjects;

- helps the company fulfil its obligations relating to data protection incidents, taking into account the nature of the data management and the information available to the data processor;

- undertakes to inform the company immediately in the event of a data protection incident;

- after the completion of the data management service, based on the company's decision, deletes or returns all personal data to the company and deletes existing copies, unless EU or member state law requires the storage of the personal data.

The data processor and any person with access to personal data may only handle this data in accordance with the company's instructions.


XV. Implementing and closing provisions

These regulations enter into force on May 25, 2018.

 

Amendment of the regulations due to a change of seat: 25 October 2021.
