Your delivery experts

Privacy policy

Data Management Guide for Customers / Statement on Data Management Compliance

 

Name of data manager:                                                  DPD Hungária Kft. (hereinafter: DPD Company or Data Manager) 

Data Manager's Company Reg.No.:                                 Cg.01-09-888141

Data Manager’s Tax Reg.No.:                                          13034283-2-42.

Data Manager’s seat:                                                      1158 Budapest, Késmárk utca 14. B.

Data Manager’s Contact Data:                                          [email protected]

Data Manager’s Representative:                                        Szabolcs Czifrik (CEO)

Data Protection Officer:                                                    Dr. Gergő Soltész

Data Protection Officer’s Contact Data:                              [email protected]

 

Introduction 

 

DPD gave the following data management briefing (hereinafter the Briefing) to grant the rights of those concerned.

 

DPD wants to make sure that the right to clear briefing as defined in the European Parliament and Council’s (EU) Regulation No. 2016/679 (hereinafter: GDPR), Article 12, comes true by setting up and making available this information.

This briefing intends to provide proper information for those concerned on the data managed by DPD or the data processor authorized by them, the source of such data, the purpose and period of data management, possible data managers who may be involved in data management, and if the personal data of those concerned are transferred, on the legal basis and addressee of such data transfer.

 

Personal data in the briefing mean any information about the identified or identifiable natural person (the person concerned) based on which the natural person can be directly or indirectly identified with the help of one or several factors.

This briefing form part of the General Conditions of Contract and is available at https://www.dpd.com/hu/home/szallitas/aszf.

We at DPD take the protection of personal data very seriously at every phase of data management. We manage personal data only for certain purposes, in order to practice law or fulfill obligations, to the minimum degree and time as required to reach the purpose.

Regulations to be used:

• Regulation No. 2016/679 (EU) on the protection of natural persons’ personal data when managing them and the free flow of such data (hereinafter ‘GDPR’)

• the 2011 Law No. CXII on the right for information autonomy and information freedom (hereinafter the ‘Info Law’),

• 2012 Law No. CLIX on postal services (hereinafter: the ‘Postal Law’),

• Government Decree No. 35/2012 (XII.4) on the detailed rules of the provision of postal services and postal services regarding official documents, and on the general conditions of contract of postal service providers, and consignments excluded from postal services or deliverable only on condition (hereinafter: ‘Post Decree’),

• the 2000 Law No. C on accounting (hereinafter: the ‘Accounting Law’),

• the 2013 Law No. V on the Civil Code (hereinafter: the ‘Civil Code’),

• the 1997 Law No. CLV on consumer protection (hereinafter: the ‘Consumer Protection Law’), and  

• the 2005 Law No. CXXXIII on rules of safety and security, and private detective activities (hereinafter the ‘Property Law')

 

Whose data do we manage and for what purpose?

 

The Company’s main activity: other postal, courier activities. 

 

The Company agrees to pick-up consignments, make arrangements to transfer, sort and deliver them both within the country and abroad, to the party indicated as addressee by the consignment’s sender, making sure that such consignment can be tracked via the internet also by sender. While executing their service activities, the Company also get in touch with the data of natural persons. Such data can be names, home addresses, telephone numbers and email addresses. They are required to perform courier postal activities.

 

purpose of data management: to perform courier postal activities, fulfill contracts on postal services, account for, certify, and do follow-up check on performance, provide data for authorities that supervise the services

scope of the managed data:

-          for consignment addressee: name, home address, telephone number and email address

-          for sender: partner identifier, partner's name, tax.reg.no., headquarters or home address, email address, telephone number, account data, date of conclusion of contract

legal basis for data management: data management is required to fulfill the contract as per DDPR, Art. 6, Item (1) b), and meet the legal obligations set forth in DDPR, Art. 6, Item (1) c)

 

 

end data of data storage: 

-          for telephone numbers and email addresses: 8 years after the postal services contract terminates based on the Accounting Law Art. 169, Par. (2).

-           for  data needed for accounting (name, address) 8 years after the invoice is issued.

data storage method: hardcopy and digital

 

Arrears Management

 

The Company may also have customers who accumulate arrears. In this case the Company’s assets management group will start an arrear management procedure. Should this procedure not be successful, customer’s data will be handed over to an authorized lawyer or a debt management company.

 

purpose of data management: to collect arrears

scope of the managed data:

-           partner identifier

-           partner’s name

-           tax.reg.no.

-           headquarters or home address data

-           email address

-           telephone number

-           data of first, second notice

-           account data

-           date of conclusion of contract

legal basis for data management: to enforce the Company’s rightful interest based on GDPR Art. 6, Item (1) f)

end data of data storage: settle arrears, and forfeiture of civil code claims in connection with arrears settlement (5 years)

 

Website

 

The Company runs its own website at https://www.dpd.com/hu. The website implements automatic data collection (cookies, Google Analytics etc.).

Visits to the website are assisted by small data packages known as “cookies” that the website places on and retrieves from visitors’ IT devices. Cookies help the website to work properly and provide more effective service, as well as collecting anonymous statistical data.

Visitors can delete cookies from their devices, and the cookies are deleted automatically when the browser is closed. A browser can also be set manually to disable the use of cookies. A visitor can still use the website after manually disabling cookies in the browser.

The website uses an individual, temporary “spublic” cookie to identify processes, which means determining whether or not the visitor is logged in. The spublic cookie therefore helps the visitor to sign on and to sign off. The spublic cookie is temporary and is automatically deleted from the device when the browser is closed. The visitor can also delete it manually in the browser settings.

Cookies are used to collect the following statistical data on visits and visitor numbers:

-              whether the visitor reached the website through a search engine, a keyword or a ling (“utmz” cookie),

-              how many times the visitor has visited the website (“utmb” cookie),

-              how long the visitor stayed on the website (“utma” and “utmv” cookies),

-              when the visitor first visited the website (“utma” and “utmv” cookies),

-              when the visitor last visited the website (“utmc” and “utmv” cookies).

Other cookies protect the website from overload (“utmt” cookie), and others, used by Google Analytics for analytic, statistical and security purposes, record the IP address of the visitor’s device. Data is stored on the visitor’s device.

Google Analytics is thus an external service provider, using its servers and the above cookies to independently measure and audit the visitor figures and other web analytic data. Detailed information on the handling of this data is given on the Google Analytics website https://www.google.com/analytics/, and Google’s data protection policies are explained at http://www.google.hu/intl/hu/policies/privacy/. The data forwarded from the website to the Google Analytics servers is capable of identifying the IP address of the device, but cannot be used for direct personal identification of the visitor.

 

Complaint Management

 

The Company investigates incoming complaints in a free, simple, clear and indiscriminative procedure, and keeps a record on the way they are handled. Rules for complaint management for customers are included in the Company’s GCC.

 

purpose of data management: to record investigate and assess complaints

scope of managed data:

-           time of consignment pick-up

-           parcel no. on the consignment’s parcel label

-           claim validator's (Customer’s/Addressee’s) data (name, headquarters/home address, ID number – parcel no., reference no. -, tax.reg.no., possibly bank account number), and official or handwritten signature, or fax number or email address or postal address to which the Company can send their written reply

-           claim description, statement or description of the consignment’s or service’s possible fault and its known cause

-           state, describe the damage and define the degree of the damage claim

-          sound of the person concerned (the telephone conversation is recorded)

-           documents to certify the claim’s validity and make possible a check on the damage claim, e.g. a document disclosing the consignment’s contents (freight bill, acquisition invoice, photos taken etc.)

-           documents to certify the consignment’s acquisition and acquisition price, and possibly its production costs

-           protocol written together with the courier

-           in justified cases an expert opinion needed0 to determine the damage.

legal basis for data management: provisions laid down in the 1997 Law No. CLV, Art. 17/A-C on consumer protection

end data of data storage: the Company is obliged to preserve the protocol with the complaint and a copy of the reply for 5 years, and present them to the control authorities at their request [Consumer Protection Law, Art. 17/A. § (7)].

data storage method: hardcopy and digital

 

Data management regarding recorded telephone conversations

 

Your conversation with DPD is recorded in accordance with the Consumer Protection Law, Art. 17/B. § (3), it receives an individual identification number, and your data will be managed as follows:

 

purpose of data management: to record customer claims, record evidences that decided legal disputes, record, investigate, asses reported faults, prove agreements, certify uncollectible amounts, quality assurance  

scope of managed data:

-           time of consignment pick-up

-           parcel no. on the consignment’s parcel label

-           claim validator's (Customer’s/Addressee’s) data (name, headquarters/home address, ID number – parcel no., reference no. -, tax.reg.no., possibly bank account number), and official or handwritten signature, or fax number or email address or postal address to which the Company can send their written reply

-           claim description, statement or description of the consignment’s or service’s possible fault and its known cause

-           state, describe the damage and define the degree of the damage claim

-          sound of the person concerned

-           documents to certify the claim’s validity and make possible a check on the damage claim, e.g. a document disclosing the consignment’s contents (freight bill, acquisition invoice, photos taken etc.)

-           documents to certify the consignment’s acquisition and acquisition price, and possibly its production costs

-           protocol written together with the courier

-           in justified cases an expert opinion needed to determine the damage.

legal basis for data management: provisions laid down in the 1997 Law No. CLV, Art. 17/A-C on consumer protection, GDPR regulation, Art. 6, Par. (1), Item c) (fulfill a legal obligation, considering the Postal Service Law, Art. 57, Par. (1) and the Consumer Protection Law, Art. 17/B, Par. (3))

end data of data storage: the Company is obliged to preserve the protocol with the complaint and a copy of the reply for 5 years, and present them to the control authorities at their request [Consumer Protection Law, Art. 17/A. § (7)].

data storage method: hardcopy and digital

 

Call for an Offer

 

Visitors are able to call for an offer on website https://www.dpd.com/hu/home/szallitas/arajanlatkeres2.

 

purpose of data management: to identify visitors who initiate contact on the website, make it possible for them to access electronic services

scope of managed data:

-          Company name *

-        Street address *

-        Postal code *

-        Location *

-           Contact:

-        Name *

-        Email address *

-        Phone number *  

-        Average no. of parcels a month (pcs)? *

-        What is the average weight of these consignments? *

-        Description of the good *

-        Do you have any COD parcels? What is the percentage of your COD parcels?

-        What is the average COD amount to be collected?

-         Notes

legal basis for data management: contribution of the person concerned based on GDPR 6 Art (1) a)

end data of data storage: 2 years after data provision

data storage method: electronic  

 

Data Provision by a camera surveillance system

 

Boards showing the exact location of cameras and informing that a recording takes place are put out where a picture making and video recording electronic surveillance system operates.

 

Personal data connected to the camera surveillance system is managed as follows:

 

The Company divides its area under surveillance via an electronic surveillance system into two parts.

 

Sector I:

purpose of data management: to operate an electronic surveillance system, protect property, prevent breaches of laws, detect breaches of laws, and record evidence if such breaches are highly suspected, provide quality assurance

scope of managed data: Portraits and images made directly of the person concerned

legal basis for data management: Regulation GDPR, Art. 6, Par. (1), Item a) (consent of the persons concerned given by their implied conduct of actually entering the area)

end data of data storage: in lack of any usage 3 working days after recording

data storage method: digitally

 

Sector II:

purpose of data management: to store, handle, and transport safely a stock of high value, to document its complete and sound transfer out of the warehouse

scope of managed data: Portraits and images made directly of the person concerned

legal basis for data management: GDPR Article 6, Par. (1), Item f) (to enforce data manager’s rightful interests)

end data of data storage: in lack of any usage 30 working days after recording

data storage method: digitally

 

You’ll get information on any data management not listed in this briefing at the time your personal data are collected. 

How to protect data? 

 

To ensure the safety of hardcopy personal data, DPD takes the following measures:

-           only authorized people can learn these data, others have no access to them

-           place the documents in a premise that closes well, is dry, is equipped with fire and property protection equipment

-           documents in continuous active handling can be accessed only by authorized persons

-           staff doing data management for DPD can leave the premise of data management during the day only if they lock away the data carriers or lock the office

-           staff doing data management for DPD shall lock away hardcopy data carriers at the end of their working day

-           should the personal data managed on hard copy be digitalized, the Company will apply safety rules valid for digitally stored documents

 

Should the purpose of hardcopy personal data management be fulfilled, the Company will take measures to destroy such paper. Should personal data be stored on other physical carriers but paper, then they shall be destroyed based on the rules of the destruction of paper-based documents.

 

To ensure the safety of personal data stored on computers or networks, the Company shall use the following measures and warranty elements:

-           the Company owns the computers used for data management or has a ownership right over them

-           the data on the computer can be accessed only with customized, valid, identifiable rights – minimum a user name and a password -, and the Company will make sure that passwords are modified regularly or in all justified cases

-           all recording of data on computers shall be logged to be able to track them

-          data on the network serving machine (hereinafter: the server) can be accessed only with proper rights and only by people assigned for this

-           as soon as the purpose of data management is fulfilled  and the deadline for data management expires, the file storing the data will be irreversibly deleted, and the data cannot be recovered any longer

-           to guarantee the safety of the data stored on a network, the Company protects servers with a highly available infrastructure, and prevents data losses by creating backups and archives

-           the data carrier storing the data is stored in a dedicated armored box in a fire safe place, in a fire safe way

-           the Company will provide anti-virus protection on the network where personal data are managed

-           they will prevent access by unauthorized persons with available IT tools and their application

 

At the site of personal data storage, the Company will use the following measures and warranty elements to physically protect the servers stored in server rooms:

-           physical protection of server rooms is provided by fire proof walls

-           server rooms are air-conditioned and have fire detection equipment

-           only people having a permission to get the server room’s key can enter the server room,

-           Data Manager lists people having a permission to get the server room’s key in a register

 

Purpose of entitlement management is to make all assigned rights precisely traceable, preserve them in a documented form, and be able to control the activities of people with different rights and the amount of data used them. The updated status of these data largely help the Company to implement the safety level expected of them or can be achieved by them, and to operate the IT network based on the legal and professional standards.

 

In order to guarantee the safety of personal data, the Company uses the following access management requirements:

-           New settings or modifications of access rights are done by the IT specialist based on an authorization from the owner of such right.

-           When setting up access rights, only those needed and sufficient for work shall be assigned

-           It has to be made certain that people in other jobs or people who do not require access rights shall not receive full access or admin rights

-          Every time when it’s possible named users with admin access rights shall be employed to do admin jobs on the system. Passwords for not named administrators shall be stored in a closed envelope, signed and made sure it cannot be opened. Their usage can be permitted by the main data management officer or in their absence their substitute as per the order or substitution. The usage of not named user rights needs to be justified and documented.

-           Staff of third party – maintenance or developing – companies will not have constantly working access rights valid for an indefinite period of time.

 

To comply with the GDPR, DPD is striving to minimize the management of personal data, give pseudo-names to personal data as soon as possible, make the functions and management of personal data transparent, and allow the person concerned to monitor data management, plus the data manager to create safety elements and develop them.  A so-called ‘privacy by design’ has been introduced as a result of which the Company is considering the GDPR requirements already before the actual start of data management, e.g. in the project preparation phase. Privacy by design is the entirety of the Company’s own internal procedures that they use disregarding any outside regulations to try to protect the privacy of the people concerned as much as possible.

 

Do we transfer your data to third parties? 

 

We’re going to use your data only for purposes registered in connection with our business activities. The data processed by us will not be disclosed to parties and for purposes that are not directly connected to our services, apart from the following cases:

Meeting legal regulations

There are cases where the Company is obliged to disclose the data they manage as requested by competent authorities in compliance with legal regulations. Such authorities are for instance: state administration bodies and authorities, social and health security bodies, auditors etc.

Data Processors

Natural or legal persons, public authorities, agencies or any other bodies which handle personal data on behalf of Data Processor.

Such data processors include (but are not limited to):

  1. I.              Freighters as subcontractors

Contractors who pick up and deliver parcels for DPD based on an agreement.

Scope of the processed data: identifiers and contact data of parcel senders and addressees

  1. II.             Organizations cooperating with the DPD Group and partners participating in delivery

Parcels are transported/transferred abroad as part of the international services by DPD Group’s organizational units or partners which are responsible for such services provided in that specific country.

Scope of the processed data: data needed for identifying and contacting parcel senders and addressees

  1. III.            Infocommunication service providers

In the necessary cases DPD will disclose data, in a controlled structure, also to infocommunication service providers. Such cases are for instance:

-           to ensure the efficiency of services (especially to optimize the transportation processes)

-           when notification services are used (transfer of parcel data),

-           in connection with the service fee of COD services etc.

Scope of the processed data: data necessary to identify and contact parcel senders and addressees, data of online application users.

  1. IV.            Service Providers

There are companies that take part in certain DPD activities to a limited degree during which data are made available to them. They are usually subcontractors whose employees are liable for loading and sorting parcels.

Scope of the processed data: transportation data on parcel labels

  1. V.             Contractors providing services for our staff

When calculating and paying employee benefits, carrying out all tasks resulting from a job, and doing jobs, we transfer our staff’s data to certain companies in a controlled procedure.

Scope of the processed data: employees’ identification data

 

  1. Arrears Management 

Should DPD’s arrears management procedure not be successful, customer’s data will be handed over to an authorized lawyer or a debt management company.

Scope of the processed data: data required to collect arrears

 

DPD concludes a data processing agreement with each data processor. Both parties agree in them to comply with the privacy regulations and the data safety requirements based on the DPD requirements.

 

Rights of the people concerned, and their enforcement

 

The person concerned may request information on the management of their data, and also the correction or, except for data management ordered by laws, deletion of their personal data, or the limitation thereof under the Company’s contacts.

 

The person concerned has the right to receive the personal data made available to data manager in an articulated way that is used widely and can be read on machines, and is also entitled to transfer these data to another data processor.

 

The Company is obliged to transfer such a request or protest within three days to the head of the organizational unit empowered to carry out data management tasks.

 

Data manager shall inform the person concerned about the measures they take as a result of the request made as per GDPR, Arts. 15 to 22 without delay but at least within 1 month from receiving said request. If necessary, this deadline can be extended by another 2 months depending on the complexity of the request and the number of requests. DPD will notify the person concerned of extending the deadline in a month after the receipt of said request and also state the reasons of the delay. If the person concerned submits their request digitally, they should possibly be notified digitally unless required differently by them (GDPR, Art. 12, Par. (3)). Data as per GDPR, Articles 13 & 14, and information and measures as per Articles 15 to 22, and 34 shall be given free of charge. If the request of the person concerned is clearly ungrounded or exaggerated, especially due to its repeated nature, DPD as data manager may charge a reasonable fee because of the administration costs of giving the requested information or a briefing or taking the requested measure, or may deny to act upon the request. It is up to the data manager  to prove the ungrounded or exaggerated nature of the request (GDPR, Art. 12, Par. (5)).

 

If requested by the concerned party, Data Manager will give information about the data of the concerned party managed by them or processed by a data processor authorized by them or at their instruction, their sources, the purpose of, legal ground for, time period of data management, name, address of the data processor and the latter’s data management related activities, circumstances and effects of the privacy incident and the measures taken to prevent them, plus the legal ground for and addressee of any data transfer in case of transferring the personal data of the party concerned.

 

As a rule of thumb, information shall be given free of charge if the person requesting such information hasn’t submitted in the current year an information request for the same data to Data Manager. In other cases a cost refund may be required. The amount of this refund may also be defined in a contract between the parties. Such a refund already paid shall be returned if the data are handled illegally or the request for information leads to a correction.

 

Data not true to reality shall be corrected by head of the data managing organizational unit if all the necessary data and underlying public deeds are available, and they will act to delete the managed personal data if the reasons set forth in GDPR, Art. 17 subsist.

 

All personal data shall be deleted if

a)        such personal data are needed any longer for the purposes for which they were collected or otherwise handled;

b)       the person concerned withdraws their consent given to data management which has no other legal basis;

c)        the person concerned protests against data management and there is no legal right giving preference to data management, or the person concerned protests against data management

d)       the personal data are managed unlawfully;

e)        the personal data need to be deleted to comply with legal obligations set forth in the Union’s or the member state’s law for data processors

f)         the personal data are collected for children under 16 by offering services in connection with the information society.

g)  should the data manager disclose the personal data to the public (which are no longer needed for the purposes they were collected for or otherwise managed), they will be obliged to delete them, and considering the available technology and the implementation costs, they shall take reasonably expectable actions, including technical steps, in order to inform the data managers who manage the data about the request of the person concerned to delete all links pointing to such personal data, or any of their copies or backup copies.  

 

The person concerned may protest against the management of their personal data

-           if the management or transfer of the personal data is needed only to meet the legal obligation required of Data Manager, or to enforce the legitimate interests of Data Manager, the data receiver or a third party, except in case of obligatory data management;

-           if the personal data are used or transferred for direct marketing, an opinion poll or a scientific research, and

-           in other cases defined by the law.

 

Data Manager will inspect the protest in the shortest possible time after the request is submitted but maximum within 15 days, make a decision on how grounded it is, and notify the applicant about their decision in writing.

 

Should Data Manager determine that the protest of the person concerned is not grounded, they will stop data management, including also further data entrance and data transfer, freeze the data, and notify all parties about the protest and the measures taken relating to it who received such personal data subject to the protest earlier, and who are obliged to act in order to enforce the right of protest.

 

Should the person concerned not agree with Data Manager’s decision, or should Data Manager miss the deadline for replying, the person concerned may turn to court within 30 days after learning the decision, or 30 days after the last deadline.

 

If data receiver doesn’t get the data necessary to enforce their right because of the protest of the person concerned, they may take Data Manager to court to get such data within 15 days after they receive the notification. Data Manager may also sue the person concerned.

 

If Data Manager fails to give a notification, data receiver may ask Data Manager to clarify the circumstances of how the data handover failed, which clarification Data Manager will be obliged to provide within 8 days from the delivery of data receiver’s request. Data receiver may turn to court and sue Data Manager within 15 days from giving clarification, if clarification is requested, or maximum from the deadline open for it. Data Manager may also sue the person concerned.

 

Data Manager cannot delete the data of the person concerned if data management was ordered by law. The data, however, cannot be transferred to data receiver if data manager agrees with the protest, or if the court has stated the rightfulness of such protest.

 

If the case cannot be judged unambiguously while rights of the person concerned are exerted, head of the data managing unit may request a statement from the data protection officer by submitting the case documents and his views about the case, who will then make such statement in 3 days.

 

The Company will pay for the damages caused to other parties by illegally managing the data of the person concerned or breaching the data protection requirements, or pay a restitution in case personal rights are violated by the data processor engaged by them.. Data Manager will be exempt from any liabilities or the obligation to pay a restitution if they can prove that the damage or violation of the rights of the person concerned was caused by unavertable causes other than data management. By the same token, they will not pay for the damage if it results from the aggrieved person’s intentional or seriously careless behaviour.

 

Control before the rights of the person concerned are exerted: 

 

We lay great emphasis on protecting the rights of the person concerned, therefore maximum attention is paid to verifying if requests for data management or other requests defined in the regulation come from the entitled person. Checking of the identity of the person concerned doesn’t affect our interest in general issues. 

 

We reserve the right to check your identity in order to define the legitimacy of your request, thus contributing to the protection of your personal data.

During this we’re entitled to carry out the following activities:

-          compare the contact data of the person submitting a request for data protection with the data available to us. Transfer the requested information only to those authorized to get them.

-           check if the person inquiring has the necessary information, especially if they request data correction / modification

-           check the personal identity card of the person inquiring

-           compare the request’s contents to any other reliable evidence

 

Should it be impossible to define your personal identity without doubt, we won’t be able to make available the requested data or carry out the operations asked by you.

 

Management and reporting of privacy incidents

 

We will report any privacy incidents to the supervisory authority within 72 hours after learning about them, based on the relating laws, and record all privacy incidents. In cases defined by law we will also notify all the users concerned. Should it be stated as a result of the investigation that the privacy incident is likely to be dangerous for the rights and freedom of natural persons and it becomes necessary to inform the people concerned, the data protection officer will immediately inform the people concerned, and also notify the Company’s chief officer of this.

 

It is not necessary to inform the people concerned:

-          if the Company has taken technical, organizational, protection measures for the data in question which prevents unauthorized people from accessing the data or prevent the interpretability of such data;

-          if the Company took measures after the privacy incident in order to make sure that the discovered data management risk wasn’t likely to materialize;

-          if it would take irrationally large efforts to give information. In this case the people concerned will have to be informed via data disclosed publicly which can also be done digitally.

 

Limitation of DPD’s liability

 

When providing their services, DPD will define the purposes and tools of managing personal data independently. DPD takes responsibility for collecting, sorting, managing, and storing personal data.

In some cases, however, DPD’s liability can be excluded, for instance:

-          if the damage caused was due to your data management that violated the law

-          if data were transferred to us due to data manager’s fault despite we didn’t request certain data or didn’t agree with data provider in transferring the data in question

-          if our clients received the data of the person concerned without the latter’s consent and transferred them to us

-          if our clients providing services for children transfer children’s personal data to DPD without obtaining the consent of the person exercising the parental supervisory right

 

Remedies

 

You inform the person concerned without delay after they submit their request but within 1 month the latest after such request is received about why no measures were taken, and also that they may submit a complaint to a supervisory authority and exert their judicial remedy right (GDPR, Art. 12, Par. (4)).

Supervisory authority:

name: National Authority for Data Protection and Freedom of Information (NAIH)

address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

postal address:  1530 Budapest, Pf.: 5.

phone number: (06 1) 391 1400

fax: (06 1) 391 1410

e-mail: [email protected]

website: www.naih.hu

 

Compensation

 

Somebody who suffered a material or non-material damage as a result of violating the GDPR, is entitled to compensation from the data manager or the data processor (GDPR, Art. 82, Par. (1)). All data managers involved in data management are liable for every damage caused by data management that violated GDPR. Data processor will be liable for the damages caused by data management only if they didn’t comply with the obligations set forth in GDPR specifically for data processors, or if they neglected data manager’s legal instructions or went against them (GDPR, Art. 82, Par. (2)). Data manager or data processor will be exempt from liability if they prove that they are in no way responsible for the incident causing the damage (GDPR, Art. 82, Par. (3)). If several data managers or several data processors, or both data manager and data processor are involved in the data management, and they are responsible for the damages caused by data management, every single data manager or data processor will bear universal liability for the entire damage in order to make sure the person concerned gets effectively compensated.