Skip to main content

INFORMATION ON DATA PROTECTION

For the partners of Hamburger Hungária Kft. (Annex 2 of the Data Protection Regulation)

Effective from: 15 July 2021

 

1. Controller’s data

Name of Controller: Hamburger Hungária Kft.

Registered office: 2400 Dunaújváros, Papírgyári út 42-46.

Company registration number: 07-09-017523

Represented by: Attila Bencs Managing Director and Éva Forgó Finance Director

Telephone: +36 (25) 55-7731

Email: adatvedelem_HH@hamburger-containerboard.com

Website: https://www.hamburger-containerboard.com/hu/hu/

Person responsible for data processing: Rita Ősi HR manager

Data Protection Officer: Consact Minőségfejlesztési és Vezetési Tanácsadó Kft. (Dr. Barbara Kőrösi)

Contact details of the Data Protection Officer: korosib@consact.hu

 

2. Purpose of this Information

The purpose of this Information on Data Protection is to provide information on the processing of your personal data in clear and plain language and in a transparent form.   

Data processing is not part of our core activities but in carrying it out we pay special attention to the relevant EU and Hungarian legislation, in particular to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - GDPR”) and Hungarian Act CXII of 2011 on “The right to informational self-determination and freedom of information” (Privacy Act).

Our professional activities include the production of corrugated base paper.

 

3. General purpose of data processing

Agreement with our clients and partners, performance of contracts, issuing of accounting documents, management and maintenance of records related to the company's activities.

 

4. Rights of the data subjects

Right to prior information

The data subject shall have the right to obtain from the controller information in writing, in a transparent, intelligible, clear and easily accessible manner, before the processing of personal data has started. The information must be given to the Controller at the time of obtaining the personal data, at the latest.

If the controller wishes to perform additional processing on the personal data for purposes other than those for which the personal data were initially collected, the controller should inform the data subject about this different purpose and all the relevant additional information.

Right of access

The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing:

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Controller shall provide a copy of the personal data undergoing processing to the data subject. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.  The right to obtain a copy shall not adversely affect the rights and freedoms of others.

Right to rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purpose of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;    

(b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing (If the data subject wishes to withdraw his or her consent, he or she can do it in the same form that he or she gave it.);

(c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

(f) the personal data have been collected in relation to the offer of information society services.

Where the controller has made the personal data public and is obliged pursuant to the foregoing to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The above shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c) for reasons of public interest in the area of public health;

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted as set out above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The data subject shall have the right to request the Controller to give him or her the recipients to whom his or her personal data have been disclosed. The Controller shall provide information about the rectification, erasure or restriction of data processing to all the recipients who have been informed about the personal data, except where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort.

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, carried out in public interest or while implementing a task within the framework of exercising public authority vested in the Controller, or processing required to enforce the legitimate interests of the Controller or a third party, including profiling based on the mentioned provisions. (In clause 5 the legal basis for the processing of the data subject’s data is defined as “legitimate interest”.)  In such a case the Controller shall not process personal data any further, except if the Controller proves that the processing is justified by compelling legitimate reasons which are not overridden by the interests or rights and freedoms of the data subject, or which are related to the submission, enforcement or protection of legal claims.

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing.

If the data objects against processing for the purposes of direct marketing, personal data should not be processed for such a purpose any longer.

Right of the data subject to being informed about personal data breaches

Data subjects shall have the right to be informed about personal data breaches occurring at the Controller, concerning them.

Right of the data subject to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. 

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.

Hungarian member state supervisory authority: National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)

Right to an effective judicial remedy against a supervisory authority

Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

Right to an effective judicial remedy against a controller or processor

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

Data subjects may exercise such rights by using our contact details given below, in writing or in person subject to prior agreement. We make efforts to respond to each request within the shortest possible time, but at most within 15 working days.

Our contact details to exercise your legal rights:

  • By post: 2400 Dunaújváros, Papírgyári út 42-46.
  • By email: adatvedelem_HH@hamburger-containerboard.com
  • In person: pre-agreed at phone number 36 (25) 55-7700.

We are not in a position to provide information related to data on the phone, because we cannot identify the caller.

Data subjects may contact the National Authority for Data Protection and Freedom of Information if their rights are breached.

address: 1055 Budapest, Falk Miksa utca 9-11.,

postal address: 1363 Budapest, Pf. 9.,

telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410,

website: http://www.naih.hu

e-mail: ugyfelszolgalat@naih.hu

 

5. Processed data

5.1. Contractual relationships

Data subjects: any natural person who is named in the contract as a representative or contact person of the company of the other contracting party.

Purpose of data processing: conclusion of a contract and its performance.

Data type Legal basis Retention period
name Article 6 (1) f) GDPR (Legitimate interest of the Controller) 5 years after the termination of the contractual relationship
email address    
phone number    
position    
tax number (individual entrepreneur)    
bank account number (individual entrepreneur)    
tax number (individual entrepreneur)    
signature    

The process of data processing:

We use the data provided by the partner during the conclusion of the contract and process them for the duration of the contractual relationship, solely for the purposes of contract performance, identification and contact keeping.

If we also receive the personal data of the partner company, typically for the purpose of contact keeping, we process these data based on legitimate interests. In such a case the employee’s right of use regarding his or her personal data is overridden by the enforcement of the legitimate interests of the contracting parties, since the restriction is necessary and proportionate for the purposes of the employee’s performing work (NAIH/2018/2570/2/V). In order to assess if processing is necessary and proportionate, we have performed an interest assessment test.

The data are preserved on a file server, in an SAP system and in the correspondence system.

Provision of data is not compulsory in either case, but it is an indispensable condition for concluding a contract or an agreement to know the personal data suitable for identification and contact keeping.

The data may be transferred to the competent authority (NAV) and Prinzhorn Holding Gmbh. (SAP registration).

 

5.2. Assignment contracts with private individuals

Data subjects: any private individual contracting partner

Purpose of data processing: conclusion of a contract and its performance.

Data type Legal basis Retention period
name Article 6 (1) b) GDPR (necessary for concluding a contract) 5 years after the termination of the contractual relationship
address    
tax identification code    
TAJ number    
place of birth    
date of birth    
mother’s maiden name    
wage data    
bank account number    

The process of data processing:

When concluding a contract, we use the data provided by the private individual, we process them during the term of the contract exclusively for the purpose of the performance of the contract, identification and contact keeping.

We store the data on paper and electronically on a file server, in SAP MyHR system, Pyramid wage program and in the correspondence system.

It is an indispensable condition for concluding a contract and performing it to know the personal data suitable for identification and contact keeping.

The data may be transferred to the competent authority (NAV), L-Soft Zrt a payroll service company, and VÉD-SZ Kft. The payroll statements may be forwarded to Prinzhorn Holding Gmbh.

 

5.3. Processing of invoices

Data subjects: any individual entrepreneur or private individual who concludes a contract with us.

Purpose of data processing: Management of the official document under the Accounting Act.

Data type Legal basis Retention period
name observing a legal obligation 8+1 years

Process of data processing:

In the case of our individual entrepreneur partners and private individuals the official documents (may) include personal data. We retain these documents according to the provisions of the Accounting Act.

Data provision is mandatory under the relevant legislation. In the event of failure to do so, the invoice cannot be accepted.

The data will be forwarded to the accounting partner and, in the event of an audit, to the competent agency (NAV).

 

5.4. Protocol register

Data subjects: owners and employees of partners, representatives of public authorities

Purpose of data processing: contact keeping with VIP partners and organization of events

Data type Legal basis Retention period
name Article 6 (1) f) GDPR Legitimate interest of the Controller 1 year after the termination of the relationship
email address    
phone number    

The process of data processing:

We exclusively use such data for contact keeping, we store them on a file server and in our correspondence system, we will not forward them to a third party.

In order to assess if processing is necessary and proportionate, we have performed an interest assessment test.

 

5.5. Keeping contact with contracted partners

Data subjects: employees of partners

Purpose of data processing: contact keeping during the performance of contracts

Data type Legal basis Retention period
name legitimate interest 1 year after the termination of the contractual relationship
email address    
phone number    

The process of data processing:

We keep a record of the contact details of our contracted partners to make it easier to find them. The data is stored on a file server, in an SAP system and in the correspondence system.  The data may be transferred to Prinzhorn Holding Gmbh (SAP registration).

We process personal data of the employees of partner companies based on legitimate interests. The legitimate interest of the contracting parties takes precedence in this case over the employee's right to dispose of his or her personal data, since the restriction is necessary and proportionate for the performance of the employee's job (NAIH/2018/2570/2/V). In order to assess if processing is necessary and proportionate, we have performed an interest assessment test.

 

5.6. Access to premises

Data subjects:  Representatives and employees of external companies who enter one of our sites

Purpose of data processing: Provision of safety, security and asset protection

Data type Legal basis Retention period
name Article 6 (1) f) GDPR Legitimate interest of the Controller We do not retain such data, they are managed by Véd-Sz Kft.
ID card number    
time of entry and exit    
company name    
number plate    

The process of data processing:

During the entry process, the above data are recorded by the work safety representative acting as an employee of VÉD-Sz Kft. The data will be used in the event of a security incident, in which case we may also transfer it to the requesting authority in accordance with the legislative conditions.

In order to assess if processing is necessary and proportionate, we have performed an interest assessment test.

 

5.7. Access control system

Data subjects:  Natural persons holding an access card

Purpose of data processing: Fast, efficient, safe entry and exit

Data type Legal basis Retention period
Card identifier Article 6 (1) f) GDPR Legitimate interest of the Controller 24 hours
Moving within the building    

Process of data processing:

The data will be transferred to VÉD-SZ Kft.

In order to assess if processing is necessary and proportionate, we have performed an interest assessment test.

 

5.8. Camera surveillance

Data subjects: any person entering the camera view

Purpose of data processing: asset protection, health protection, control of conditions for safe work

Data type Legal basis Retention period
image Article 6 (1) f) GDPR Legitimate interest of Controller Until automatic overwriting, for 3 weeks on average

The process of data processing:

Images of persons entering the controller's premises are recorded in the electronic surveillance system operated on site.

The surveillance system is operated by VÉD-Sz Kft, during which they may have access to data.

During a check, the data may be transmitted to the competent law enforcement authorities and the insurance company.

Provisions on camera surveillance are set out in a separate camera regulation.

In order to assess if processing is necessary and proportionate, we have performed an interest assessment test.

 

5.9. Job applications

Data subjects:  Persons applying for a job at Hamburger Hungária Kft.

Purpose of data processing: Conduct of the admission procedure, decision on compliance with the conditions

Data type Legal basis Retention period
Data provided in the CV (typically: name, place and date of birth, address, telephone number, e-mail address, educational qualifications, courses, language skills, work experience, previous jobs, driving license, interests, motivation, other data) Article 6 (1) a) GDPR    
consent until the negative decision or, in the case of a separate consent, for six months after the decision  

The process of data processing:

The applicant's personal data will be requested in order to carry out the admission procedure. The data will be used to prepare the employment contract and will be stored electronically and/or on paper.

The data must be provided for the assessment of the application. In the event of failure to do so, the admission procedure may not be continued.

 

6. Data security

We ensure the security of the personal data that we process by technical and organizational measures and procedures put in place.

We take appropriate measures to protect the data against unauthorized access, alteration, transfer, disclosure, deletion or destruction, accidental destruction or damage, or loss of access due to changes in the technology used.

Personal data is only accessed by our employees who need to know it in order to perform their duties. All our staff have undertaken the obligation of secrecy.

For data security

  • In the design and operation of the IT system, we assess and consider potential risks, with a view to continuously reducing them.
  • The IT security of data is protected in accordance with the risks by complex technical measures, such as: access supervision, control and protection of mobile devices, encryption measures, implementation of physical security, protection against malicious codes, security of information transmission.
  • Data management processes have been regulated, with responsibilities defined. Staff have received appropriate training.
  • We monitor our IT systems to detect potential problems and incidents.
  • We monitor emerging threats and vulnerabilities (such as computer viruses, computer intrusions, attacks resulting in denial of service, etc.) so that we can take timely action to prevent and tackle them.
  • We have policies in place to identify, indicate, investigate, and report any incidents.
  • IT assets and information on paper are protected against unauthorized physical access and environmental impacts (e.g. water, fire, electrical surges).
  • We take great care to train staff in information security and raise their awareness.
  • Reliability is a key criterion in the selection of service providers, and we stipulate appropriate assurances in our vendor contracts to ensure GDPR compliance and data security.

 

7. Transfer and transmission of data

We do not transfer personal data of our contractual partners to other data controllers except as described here. Data may be transferred in the event of a request from a public authority (e.g. a NAV inspection). In the case of cooperation in calls for proposals, personal data may be transferred to the collaborating organization or subcontractor (proposal writer or project management company). If this might go beyond the original purpose of the processing, the data will only be transferred to a third party with the explicit consent of the data subject.

Prinzhorn Holding GmbH also has access to the personal data via the SAP system.

During the audit of the management systems operated by our company, various records may be checked, but in these cases the auditor does not check the personal data, only the existence of the records.

For certain activities, the data may be accessed by the service provider we use (e.g. hosting provider, newsletter provider, etc.). In all such cases, we enter into a data processing or other data management agreement with the service providers, which sets out in detail the terms and conditions of the data processing. The individual service providers have been indicated in each case in section 4.

Our processors:

  1. L-Soft Zrt. - payroll accounting

 (registered office: 4400 Nyíregyháza, Dózsa György út 41., company registration number: 15-10-040377

  1. T-Inform Kft. – information technology

(2400 Dunaújváros, Kőműves utca 11. 1. em. 3., Company registration number: 07 09 015076)

  1. VÉD-Sz Kft. – asset protection, work safety

(2400 Dunaújváros, Papírgyári út 42-46., Company registration number: 07 09 00294)

 

Dunaújváros, 15 July 2021

 

Attila Bencs

Managing Director