TABLE OF CONTENTS

I.GENERAL PROVISIONS
 1.1. Purpose of the Prospectus
 1.2. Scope of the Prospectus
 1.3. Availability of the Prospectus
 1.4. Amending the Prospectus
 1.5. Guiding legislations
 1.6. Definition of terms
 1.7. Genuineness, accuracy of personal data
 1.8. Data protection
  
II.INDIVIDUAL DATA MANAGEMENT
       (1)    data management through the “JOBS” section of the Website,
       (2)    data management through the storage of contact details of business partners.
  
III.RIGHTS OF THE DATA SUBJECT
 3.1.     Right to be informed
 3.2.     Right of access
 3.3.     Right to rectification and completion
 3.4.     Right to delete personal data (right to be forgotten)
 3.5.     Right to restrict data management
 3.6.     Right to objection
 3.7.     Right to data portability
 3.8.     Right to complain at the supervisory authority
 3.9.     Right to an effective judicial remedy against the supervisory authority
 3.10.   Right to an effective judicial remedy against the Company or the data processor
 3.11.   Informing the Data Subject of the data breach
  
IV.ASSERTING THE RIGHTS OF THE DATA SUBJECT, MAKING A REQUEST, CONTACTING THE COMPANY
  
V.DATA CONTROLLERS


I. GENERAL PROVISIONS

1.1.  Purpose of the Prospectus

The purpose of this Data Management Prospectus (hereinafter referred to as the “Prospectus“) is to provide information about the data management practices followed and applied by LAKÓGÉP Építőipari Szolgáltató és Kereskedelmi Korlátolt Felelősségű Társaság (registered office: 1021 Budapest, Hűvösvölgyi út 64-66., trade register number: 01 09 353655, represented by Patrik Palai, Managing Director, tax number: 23519585-2-41, E-mail address: info@lakogep.hu, website: www.lakogep.hu (Website), hereinafter referred to as Company or Data Controller).

1.2.  Scope of the prospectus

1.2.1.  The Prospectus applies to the personal data of natural persons (hereinafter referred to as Data Subjects) concerned by the Company’s data management activities as set out in section 1.2.2.

1.2.2.  Data management activities of the Company:

(1)    data processing through the “JOBS” section of the Website,

(2)    data management by storing contact information of business partners.

1.3.  Availability of the Prospectus

This Prospectus, in its current version, is available at all times in hard copy at the Company’s registered office as set out in point 1.1, and in electronic form on the Website under the ” Data Management Prospectus ” section.

1.4.  Amending the Prospectus

The Company is entitled to amend the Prospectus unilaterally at any time, as necessary, without prior notice, with effect from the date of amendment. The Company shall inform the Data Subjects of the fact of the amendment using the contact details specified in Section 1.3.

1.5.  Guiding legislations

The data processing activities of the Company are governed by the provisions of the European Parliament and the Council Regulation (EU) 2016/679 (hereinafter: GDPR).

1.6. Definition of terms

Capitalised terms used in this Prospectus and not otherwise defined have the meanings ascribed to them in the GDPR.

1.7.  Genuineness, accuracy of personal data

The Data Subject is solely responsible for the genuineness and accuracy of the personal data provided to the Company by any means. The Company shall not be liable for any omissions or any consequences arising from the incorrectness of the data provided, and expressly excludes its liability in this respect.

1.8.  Data protection

The Company is committed to protect the personal datas of Data Subjects, and considers it particulary important to respect Data Subjects’ right to self-determination of information. The Company keeps personal datas confidential and takes all security, technical and organizational measures to ensure the security of personal datas.

II. INDIVIDUAL DATA MANAGEMENT

The individual data management activities carried out by the Company are detailed in a separate table.

1.      Processing of data through the “JOBS” section of the Website, i.e. by storing applications and CVs

Data management operations:The Company collects CVs, cover letters and applications through two channels (collectively referred to as “Applications“): (I.) forwarded by recruitment agencies and/or (II.) by sending an e-mail to hr@lakogep.hu, which E-mail address can be found under the “JOBS” section of the www.lakogep.hu Website. Under “JOBS” section, the Company gives any natural person (hereinafter referred to as the “Applicant“) the opportunity to submit his/her Application directly to the Company at the E-mail address provided therein, without specifying a particular job or job title. The Company records and systematically stores the Applications received. The Company will send a confirmation of receipt to the Applicant’s E-mail address.
 
Scope of personal data processed:Name, E-mail address, phone number and all personal data contained in the attached Application Form, in particular, but not limited to, highest level of education, language skills, professional experience, place of residence, etc. In case of the Company identifies special personal data in the Application, it shall delete it without delay, unless the processing is necessary for the fulfilment of the Company’s or the Applicant’s obligations and the exercise of their specific rights arising from the legal provisions governing employment, social security and social protection.
  
Purpose of data management:To fill a vacancy and/or a vacant position in the Company.
Legal basis of the management:The processing is based on the legal basis pursuant to Article 6(1)(a) of the GDPR, i.e. on the Data Subject’s consent.
Withdrawal of consent:
The Applicant has the right to withdraw his/her consent at any time, as a result of which the Company will immediately cancel his/her Application. However, the withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal. Withdrawal of consent can be made by the Applicant in writing, by means of a free text request, sent to one of the Company’s contact details set out in chapter IV of this Prospectus. Withdrawal of the consent shall become effective upon the Company becomes aware of it.
 
Duration of data management:If the Applications are transmitted to the Company through a recruitment company, the period of data management is the duration of the application, i.e. the period from the date of the Applicant’s consent until the closing of the application. The Company will delete the personal data (Applications) of the unselected Applicants immediately after the vacancy is filled, but no later than three months after the deadline for submission of the Application, or if the Applicant withdraws his/her Application during the application process. In case of the Company wishes to keep the Application of an unsuccessful candidate after the closure of the application procedure, it shall inform the Applicant in advance, in particular of its purpose and duration, and shall obtain the Applicant’s consent, in which case it shall continue to manage the Application for a fixed period of three months from the date of receiving such consent, and shall delete it after the expiry of that period, or if the Applicant withdraws his/her consent during that period.
In case of the Applications are stored via the E-mail address found under the “ÁLLÁS” menu of the website:In case of a specific job description: The Company shall set a deadline in all cases for the submission of the Application. Within three months after the expiry of this deadline, the Company will decide on the outcome of the Application, the selection of the Applicant suitable for the given position and the closing of the Application. The Company notifies the Applicants of the result of the Application. The duration of the management is the duration of the Application, i.e. the period from the submission of the Applicant’s consent to the closing of the Application. The Company will delete the personal data (Applications) of the unselected Applicants immediately after the vacancy is filled, but no later than three months after the deadline for submission of the Application, or if the Applicant withdraws his/her Application during the application process. In case of the Company wishes to keep the Application of an unsuccessful candidate after the closure of the application procedure, it shall inform the Applicant in advance, in particular of its purpose and duration, and shall obtain the Applicant’s consent, in which case it shall continue to manage the Application for a fixed period of three months from the date of receiving such consent, and shall delete it after the expiry of that period, or if the Applicant withdraws his/her consent during that period.In case of not indicating a specific job title: The Company shall delete the Application after the expiry of the fixed period of three months from the date of consent or if the Applicant withdraws his/her consent within this period. If the Company launches a new Application during the three-month period for which it will use the Application, the provisions of paragraph (1) shall apply to the Company’s data management.
 
Rights of the Data Subject:The rights under Chapter III of this Prospectus.
 
Enforcement of the rights of the Data Subject:According to Chapter IV of this Prospectus.

2.      Data management by storing personal data of business partners’ contacts

Description of the managementThe Company stores the data of the non-natural person’s business partners in an electronic database. Among the data of the business partner, the name and contact details (telephone number, email address) of the natural person ‘s contact (hereinafter referred to as the “Data Subject”) are also recorded. The Company only carries out data management in relation to business partners in this respect, that is subject to the GDPR, given that business partners are not natural persons. The Data Subject is the contact person of the business partner.
  
Managed personal data:namephone numberE-mail address
  
Purpose of data management:There is a contractual relationship between the Company and its business partners. The purpose of the management of the Data Subject’s personal data is to take pre-contractual steps with business partners, to establish the contract, to perform the contract concluded, to manage the related administration, to maintain contact, to enforce any claims of the Company through the Data Subject towards the business partner.
  
Legal basis of the management:The processing is based on the legal basis pursuant to Article 6(f) of the GDPR, i.e. the processing is necessary for the purposes of the legitimate interest pursued by the Company in maintaining contact with the business partner and fulfilling its contractual obligations, which is only possible through the Data Subject designated by the business partner. The Data Subject’s potentially protected right, in contrast, may be a right to his or her privacy, however, the Company’s right and legitimate business interest in the performance of the contract between the Company and the business partner is stronger than this right. The Data Subject’s right to privacy is not violated, as the contact details provided to the Company are most likely provided by the business partner. The protection of the right to privacy is opposed by the obligation of the Data Subject to fulfill his / her job responsibilities and to act in the interests of the business partner. The Company has carried out an interest assessment test in relation to the above and has concluded that its management under this point is lawful.
  
Duration of data management:The Company shall keep the data of the business partner for the duration of the contractual relationship, until the performance of the contract and for a limited period thereafter for 8 years on the basis of Article 169 of Act C of 2000 on Accounting, until 31 December 2017 pursuant to Section 47 (3) and Section 164 of Act XCII of 2003 on the Rules of Taxation (old law on taxation), while while after 1 January 2018, it shall be processed for the period of limitation for tax purposes pursuant to § 78(3) and § 202 of Act CV of 2017 on the Rules of Taxation (new law on taxation). Accordingly, the personal data of the Data Subject will also be kept for the period specified above and for as long as the Data Subject has a legal relationship with the business partner.
  
Rights of the Data Subject:Rights under Chapter III of this Prospectus.
  
Enforcing the rights of the Data Subject:According to Chapter IV of this Prospectus.

III. RIGHTS OF THE DATA SUBJECT

The Data Subject has the following rights in relation to the above processing.

3.1.     The right to be informed

The Data Subject has the right to be informed of the facts relating to the processing of his or her personal data managed by the Company before the processing starts. Given that the Data Subject provides his or her personal data to the Company, the Company complies with its obligation to provide information pursuant to Article 13 of the GDPR by means of this Prospectus.

3.2.     Right of access (Article 15 GDPR)

At any time, the Data Subject has the right to request information about the exact personal data managed by the Company. Upon his/her request, the Company will also provide information about the purposes, legal basis and duration of the processing of the Data Subject’s data, as well as about who is receiving or has received his/her data and for what purposes (including in particular recipients in third countries and international organisations, if any). The Data Subject has the right to be informed at any time about he or she has the right to request the Company to rectify, delete or restrict the processing of personal data concerning him or her and to object to the processing of such personal data. At any time, the Data Subject is entitled to receive information and explanation about the possibility to lodge a complaint with the supervisory authority. In the event that data is obtained by the Company from a source other than the Data Subject, the Data Subject may request information about the source of the data(s) at any time. Where the Company transfers personal data to a third country or international organisation, the Company will also inform the Data Subject of the appropriate safeguards for the transfer in accordance with Article 46 of the GDPR.

The Company shall provide the Data Subject with a first copy of the personal data processed free of charge. The Company may charge a reasonable fee for additional copies based on administrative costs, commensurate with the amount of data, but the Company will notify the Data Subject in advance. If the Data Subject has submitted a request for information/access electronically, the Company will provide the information to the Data Subject in a commonly used electronic format, unless the Data Subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.

3.3.     Right to rectificate and supplement (Article 16 GDPR)

The Data Subject has the right to request the Company to correct inaccurate or incorrectly recorded personal data. If the data is incomplete, taking into account the purpose of the processing, the Data Subject may request that it be completed. If the information requested to be corrected or supplemented is contained in an official identity and address document or other public record, the correction or supplementation also requires the presentation of showing this document.

 

3.4.     Right to delete personal data (“right to be forgotten”) (Article 17 GDPR)

The Data Subject may request the Company to delete his or her personal data at any time, and the Company shall comply with the request if one of the following reason applies:

  1. the personal datas are no longer necessary for the purposes for which they were collected or otherwise managed by the Company;
    1. the Data Subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
    1. the Data Subject – on the basis of Article 21(1) of the GDPR – objects to the processing by the Company on grounds of public or legitimate interest and there are no overriding legitimate grounds for the processing, or objects on the basis of Article 21(2) of the GDPR to processing for direct marketing purposes;
    1. the personal data were unlawfully managed by the Company;
    1. personal data must be deleted in order to comply with a legal obligation under EU or national laws applicable to the Company;
    1. personal data have been collected in connection with the provision of information society services referred to in Article 8(1) of the GDPR.

If the Company has disclosed the personal data and is obliged to delete it, it will take all reasonable steps to inform the other controllers of the obligation to delete the data.

No need to delete the data if the processing is necessary:

  1. to exercise the right of freedom for expression and to get informed;
    1. for the purpose of fulfilling an obligation under the law applicable to the Company requiring the processing of personal data (eg fulfilling tax and accounting obligations), or for the performance of a task performed in the public interest or in the exercise of a public authority conferred on the Company;
    1. on grounds of public interest in the area of public health pursuant to Article 9 (2) (h) and (i) and Article 9 (3) of the GDPR;
    1. for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR, where the right of deletion would be likely to render such processing impossible or seriously jeopardise it; or
    1. for the presentation, exercise or defence of legal claims.

3.5.     Right to restrict processing (Article 18 GDPR)

The Data Subject may request the Company to restrict the processing of certain of his or her personal data if one of the following conditions is met:

  1. the Data Subject disputes the accuracy of the personal data, in which case the restriction applies to the period of time that allows the Company to verify the accuracy of the personal data;
    1. the data processing is illegal and the Data Subject objects to the deletion of the data and instead requests a restriction on their use;
    1. the Company no longer needs personal data for the purpose of data processing, but the Data Subject requests them in order to submit, enforce or protect legal claims;
    1. the data subject has objected to the data processing pursuant to Article 21 (1) of the GDPR and time is required to examine whether there is a legitimate priority for the data management. In this case, the restriction shall apply for the period until it is established whether there is an overriding legitimate ground for processing, i.e. whether the Company’s legitimate grounds for retaining and processing the data override the Data Subject’s legitimate grounds for deleting the data.

During the restriction, the Company will only store the data and will not perform any other data management operations except I) if the Data Subject consents to further operations or II) if the processing of the data is necessary for the submission, enforcement or protection of legal claims, and III) if necessary to protect the rights of another natural or legal person, or 4) if the processing is required by an important public interest of the EU or of a Member State.

In the case of restriction of processing, the Company shall inform the Data Subject in advance of the lifting of the restriction, in the form and manner in which the Data Subject has requested the restriction of processing.

The Company shall inform all recipients of the rectification, deletion or restriction of data processing requested by the Data Subject and implemented by the Company, with whom or with which the personal data have been disclosed, unless this proves impossible or requires a disproportionate effort. At the request of the Data Subject, the Company shall inform the Data Subject of the identity of the recipients to whom it has provided the information referred to above.

3.6.     Right to object (Article 21 GDPR)

The Data Subject has the right to object at any time on grounds relating to his or her particular situation to the processing of his or her personal data on grounds of public interest, or necessary for the purposes of the legitimate interests pursued by the Company or a third party (Article 6(1)(e) and (f) GDPR), including profiling based on those provisions. In this case, the Company may no longer process the personal data, unless it can prove compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.

The Data Subject has the right to object at any time to the processing of personal data concerning the Data Subject for and in relation to direct marketing purposes, including profiling (if used by the Company, but provides adequate information about it), where it relates to direct marketing. In case of objection, the Company will no longer manage the personal data for direct marketing purposes.

In the case of data processing for statistical purposes, the Data Subject has the right to object to the processing of personal data concerning him or her for this purpose for reasons related to his or her own situation, unless the data processing is necessary for the performance of a task in the public interest.

3.7.     Right to data portability (Article 20 GDPR)

In view of the fact that the Company also stores the Data Subject’s data in an electronic database, the Data Subject has the right to receive the personal data concerning him/her provided to the Company in a structured, commonly used, machine-readable format and to transmit such data to another controller without the Company’s prevention. The right to data portability applies to data whose processing is based on the Data Subject’s consent (Article 6(1)(a) or 9(2)(a), GDPR) or on the performance of a contract (Article 6(1)(b), GDPR). If the Data Subject requests the direct transfer of personal data between controllers, the Company will indicate whether this is technically feasible.

3.8.     Right to complain to the supervisory authority (Article 77 GDPR)

Without prejudice to other administrative or judicial remedies, the Data Subject has the right to lodge a complaint at a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR.

In Hungary the supervisory authority is the Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information) (1024 Budapest, Szilágyi Erzsébet fasor 22/C., e-mail: ugyfelszolgalat@naih.hu, +36-1-3911400, Chairman: dr. Attila Péterfalvi, www.naih.hu).

The supervisory authority with which the Data Subject has lodged the complaint is obliged to inform the Data Subject as a customer of the procedural developments concerning the complaint and its outcome, including the right of the Data Subject to seek judicial redress under Article 78 of the GDPR.

3.9.     Right to an effective judicial remedy against the supervisory authority (Article 78 GDPR)

Without prejudice to other administrative or non-judicial remedies, the Data Subject shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority (in Hungary, the National Authority for Data Protection and Freedom of Information) concerning him or her. Without prejudice to other administrative or non-judicial remedies, the Data Subject shall have the right to an effective judicial remedy if the supervisory authority competent under Articles 55 or 56 of the GDPR does not deal with the complaint or does not inform the Data Subject within three months of the procedural developments concerning the complaint lodged under Article 77 or of the outcome of the complaint. Proceedings against the supervisory authority must be brought before the courts of the Member State in which the supervisory authority is established (In Hungary, the Fővárosi Közigazgatási és Munkaügyi Bíróság (Metropolitan Court of Public Administration and Labour) has the jurisdiction and competence to take legal proceedings against the Hungarian National Authority for Data Protection and Freedom of Information).

3.10.    Right to an effective judicial remedy against the Company or processor (Article 79 GDPR)

Without prejudice to the available administrative or non-judicial remedies – including the right to lodge a complaint with a supervisory authority under point 4.8 – the Data Subject has the right to initiate a legal action before a court if he or she considers that the Company has not processed his or her personal data in accordance with the GDPR and has therefore infringed his or her rights under the GDPR.

The proceedings must be brought before the court of the Member State where the Company is established, i.e. Hungary. Proceedings may also be brought before the court of the Member State where the Data Subject has his or her habitual residence (if different from Hungary).

3.11.   Informing the Data Subject about the data breach (Article 34 GDPR)

If the personal data breach is likely to result in a high risk to the rights and freedoms of the Data Subject, the Company shall communicate the personal data breach to the Data Subject without undue delay.

This information shall clearly and understandably describe the nature of the personal data breach and shall include at least the following information and measures:

  1. the name and contact details of the data protection officer or other contact person who can provide further information;
  2. possible consequences resulting from data breach shall be described;
  3. a description of the measures taken or planned by the controller to remedy the data protection incident shall be made, including, where appropriate, measures to mitigate any adverse consequences possibly arising from the data protection incident.

The Data Subject doesn’t need to be informed of a personal data breach if any of the following conditions are met:

  1. the Company has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures – such as the use of encryption – which render the personal data unintelligible to persons not authorised to access these personal data;
  2. the Company has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
  3. information would require a disproportionate effort.

In the above cases, the Data Subject shall be informed by means of publicly disclosed information or by a similar measure which ensures that the Data Subject is informed in a similarly effective manner.

IV. ENFORCEMENT OF THE RIGHTS OF THE DATA SUBJECT, SUBMISSION OF THE APPLICATION, CONTACT WITH THE COMPANY

4.1.  The Company requests that the Data Subject, in order to enforce his or her rights, send his or her request, if possible, I) in writing by post, II) in person to the Company’s postal address or III) by e-mail to the Company’s E-mail address.

Company name:                                 LAKÓGÉP Építőipari Szolgáltató és Kereskedelmi Korlátolt Felelősségű Társaság

Registered office:                               1021 Budapest Hűvösvölgyi út 64-66.

Mailing address:                                 1525 Budapest, Pf.: 120

Company registration number:    01 09 353655

Represented by:                                Patrik Palai Managing Director

Tax number:                                         23519585-2-41

E-mail address:                                   info@lakogep.hu

Website:                                               www.lakogep.hu

Telephone:                                          +36 30 643 5483

4.2.  If there is any doubt about the identity of the Data Subject or if the data provided are not sufficient for identification, the Company is entitled to request from the Data Subject additional identification data necessary and appropriate to confirm the identity.

4.3.  If the person making the request cannot prove his/her identity beyond reasonable doubt and therefore cannot be identified, the Company may refuse to process the request.

4.4.  The Company shall inform the Data Subject of the measures taken in response to the request without undue delay and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Company shall inform the Data Subject of the extension of the deadline within one month of receipt of the request, stating the reasons for the delay.

4.5.  If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means where possible, unless the Data Subject requests otherwise.

4.6.  If the Company fails to take action on the Data Subject’s request, it shall inform the Data Subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the possibility for the Data Subject to lodge a complaint with a supervisory authority and to exercise his or her right to judicial remedy.

4.7.  The information pursuant to Articles 13 and 14 of the GDPR and the information and action pursuant to Articles 15-22 and 34 of the GDPR shall be provided by the Company free of charge. If a request is clearly unfounded or – in particular because of its repetitive nature – excessive, having regard to the administrative costs involved in providing the information or explanation requested or in taking the action requested, the Company shall

a) charge a reasonable fee, or

b) refuse to act on the request.

V. DATA CONTROLLERS

The Company uses the following data controllers for its data management activities:

Hosting service provider:

Company name:                                               Rackhost Zrt.

Registered office:                                            6722 Szeged, Tisza Lajos körút 41.

E-mail address:                                                 info@nextserver.hu

Telephone:                                                        +36 1 445 1300

Fax:                                                                       +36 1 700 1650

Tax number:                                                      25333572-2-06

Company registration number:                 06-10-000489

Budapest, May 1., 2022.