DPD Hungária Kft.
As of 15.02.2015
Appendix No. 12
The objective of this Policy is to provide appropriate information and protection for visitors of the web sites www.dpd.hu / www.dpd.net about the protection of personal data in compliance with the 2011 Law No. CXII on the right to autonomy of information and freedom of information.
DPD data manager will manage and record personal data as per the applying regulations, with a definite consent obtained from users, which consent users will give either on the web site or by signing the Agreement / using the service.
1. concerned party: any natural person identified or – directly or indirectly – identifiable with personal data;
2. personal data: data that can be connected to the concerned party – especially name, ID no., and information about one or more of their physical, physiological, mental, economic, cultural or social identities –, and any conclusions about the concerned party that can be derived from such data;
3. special data:
a) personal data concerning ethnic origin, national identity, political opinion or stand, religious or other ideological beliefs, memberships in trade unions, sexual life,
b) personal data concerning state of health, harmful addictions, and personal criminal records;
7. consent: voluntary and determined declaration of will by the concerned party based on proper information, through which they give their unambiguous permission to have their personal data handled for all or some operations;
8. protest: statement of the concerned party in which they object to the management of their personal data, request to stop data management and delete the data managed, respectively;
9. data manager: a natural or legal person or organization without legal personality who or which defines on their own or together with others the purpose of data management, makes decisions relating to data management (including the means used), and performs them or has them performed;
10. data management: disregarding the procedure used, any or all the operations performed with the data to collect, record, sort, store, change, use, retrieve, transfer, disclose, harmonize or interconnect, freeze, delete or destroy them, and also to hinder their further usage, taking photos, making sound or video recordings of them, and recording physical characteristics (such as finger or palm prints, DNA patterns, iris images) suitable to identify a person;
11. data transfer: making the data available for certain third persons;
12. disclosure: making the data available for anyone;
13. deleting of data: making the data unidentifiable so that they cannot be restored anymore;
14. marking of data: furnishing the data with an identifying sign to differentiate them;
15. freezing of data: furnishing the data with an identifying sign to restrict their management permanently or for a defined period of time;
16. data destruction: total physical destruction of the data carrier containing the data;
17. data processing: performing technical tasks in connection with data management operations, disregarding the methods and means used to perform the operations plus the site of application, provided such technical jobs are performed with the data;
18. data processor: a natural or legal person or organization without legal personality who or which performs data processing based on a contract – including a contract signed as per the provision of a regulation;
19. body in charge for data: a body performing public functions which produced the data of general interest that are to be disclosed electronically, or during the operation of which these data were produced;
20. informant: the body performing public functions which discloses the data they received from the body in charge if the latter fails to do so;
21. data files: all the data handled in one registry;
22. third party: a natural or legal person or an organization without legal personality who or which is not the concerned party, the data manager, or the data processor;
23. EEA state: Member States of the European Union and any other states that are party to the Agreement on the European Economic Area, and any states the citizens of which – under an international contract signed between the European Union and its member states, and states which are not party to the Agreement on the European Economic Area – have the same status as citizens of the states that are party to the Agreement on the European Economic Area;
24. third country: any states that are not an EEA state.
Under the Law, the concerned party shall be informed unambiguously and in detail about every single fact about the management of their data, thus especially about the purpose of and legal ground for data management, the persons entitled to carry out data management and data processing, the time period of data management, the fact if data of the concerned party are handled by the data manager in compliance with Art. 6, Par. (5), and the persons who have access to the data. This information shall include the rights of and possible remedies for the concerned party regarding data management.
Data manager DPD Hungária Kft is informing the concerned parties (the parties using registered services) as follows:
Name and contact data of the party carrying out data management and processing:
DPD Hungária Kft.
Seat, posting address: 1158 Budapest, Késmárk utca 14. b. ép.
Company Registration No.: Cg.01-09-888141
Tax ID No.: 13034283-2-42.
NAIH No. (no. issued by the National Authority for Privacy and Freedom of Information): NAIH-80728/2014.
(hereinafter jointly ‘Data Manager’)
The purpose of data management: to keep contact with users of the contracted courier mail service (clients), grant access to the web site (www.dpd.hu) and ensure usage of the service, check the right of access, issue invoices, and enforce claims in case of fee payment default, perform the service with the help of contracted data management partners providing the service (subcontractors) and by using the latters’ services.
Legal basis for data management: the Law and the concerned parties’ consent.
Scope of the managed data:
- For private persons: name, phone number, address, email address;
- For legal persons: name of the legal person, seat, branches and sites, tax registration number, bank account no., etc.,
- Delivery data (especially addressee’s data – name, delivery address, phone no.);
- Data of the package to be delivered (dimensions, weight, value, contents etc. of package).
Data management time period: data manager will handle the data received from the concerned party until the latter specifically requests deletion of such data.
If personal data are recorded with the concerned party’s consent, data manager, in lack of provisions in the law stating otherwise, may handle the recorded data
- to perform the legal obligations of data managers, or
- to enforce the interests and claims of the data manager and/or a third party, if such enforcement is proportional with the restriction of privacy rights
without any special consent, and even after the concerned party’s consent has been withdrawn.
Data manager will not use the personal data received from the concerned party(parties) for purposes other than detailed above, will handle and transfer them to a third party only with the concerned party’s/parties’ definite prior consent when a law or a resolution of the local municipality – if authorized by a law, within the scope set forth there – orders this for a purpose of public interest.
Under the Law data manager will strive to make sure to observe privacy obligations; accordingly, they take all the necessary technical and other steps against unauthorized access, change, transfer, disclosure, deletion or destruction, accidental damage or loss. Data manager declares in connection with this that all their staff and partners who/which will have access to the personal data indicated above are obliged to retain such personal data.
The concerned party may request data manager to
a) inform them about the management of their personal data
b) correct their personal data, and
c) delete or freeze their personal data, except for any obligatory data management.
a) 1. If requested by the concerned party, data manager will give information about the concerned party’s data managed by them or processed by them or an authorized agent, their sources, the purpose of, legal ground for, time period of data management, name, address of the data processor and the latter’s data management related activities, plus the legal ground for and addressee of any data transfer in case of transferring the personal data of the concerned party.
a) 2. To be able to check the legality of data transfer and inform the concerned party, data manager will keep files of data transfers to record the transfer time of the personal data managed by them, legal ground for and addressee of such data transfer, scope of the personal data transferred, and any other data defined in the regulations that require data management.
a) 3. The time period of obligatory recording of the data included in Item a) 2 in a data transfer file, and accordingly of giving information, may be limited in the regulation that requires data management. This limitation cannot set forth a time shorter than 5 years for personal data, and a time shorter than 20 years for special data.
a) 4. Data manager shall give information at the concerned party’s request in a clear language, in the shortest possible time after submitting such request, but maximum within 30 days.
a) 5. Giving information as per Item a) 4 is free of charge if this is the first request from the submitter to data manager in the current year for the range of data involved. In other cases it may be required to pay a fee. The amount of this fee may also be defined in a contract between the parties. Such a fee already paid shall be returned if the data are handled illegally or the request for information leads to a correction.
a) 6. Data manager can refuse to give information to the concerned party only in cases set forth in the Law, Art. 9, Par. (1), and in the Law, Art. 19.
If they refuse to provide information, data manager shall notify the concerned party in writing of the specific article in the Law that gives ground for such refusal. If they refuse to provide information, data manager shall notify the concerned party of the remedies available to the latter or the option to turn to the National Authority for Privacy and Freedom of Information (hereinafter the Authority).
a) 7. Data manager will inform the Authority of any requests refused before January 31 of the year following the subject year.
b) Should any personal data contradict reality and the true personal data be available to data manager, then such personal data shall be corrected by data manager.
c) 1. All personal data shall be deleted if
- they are handled illegally;
- the concerned party requests this under the contents of the Law, Art. 14, Par. c);
- they are incomplete or false – and this situation cannot be legally corrected, provided that the Law doesn’t exclude such deletion;
- the purpose of data management has ceased, or the deadline for data retention as defined in the Law has expired;
- this is ordered by a court or the Authority.
c) 2. If the purpose of data management ceases, or the deadline for data retention as defined in the Law expires, the obligation to delete will not apply to the personal data the data carrier of which must be archived as per the regulation on the safekeeping of archived material.
c) 3. Any declaration to delete personal data under this Policy shall be made in writing, and shall be delivered personally, by post as a recorded delivery, by fax or in email, and will be considered delivered if sent to data manager’s email address email@example.com unless data manager notifies the concerned party of a change in their address provided that such an email note is deemed to be delivered only if no error message arrives within 72 hours after the email is sent.
c) 4. Data manager shall freeze and not delete personal data if so requested by the concerned party or if it can be presumed based on the available information that such deletion would violate the concerned party’s legitimate interests. It is allowed to handle the personal data frozen this way only as long as the purpose of data management that excluded the deletion of personal data exists.
c) 5. Data manager shall mark the personal data managed by them if the concerned party questions their being correct or accurate but this cannot be stated unambiguously.
Both the concerned party and those who earlier received the data for the purpose of data management shall be notified of any corrections, freezes, markings, and deletions. Such notification can be skipped if this doesn’t violate the concerned party’s legitimate interests regarding the purpose of data management.
If data manager doesn’t fulfill the concerned party’s request for correction, freezing or deletion, they shall disclose the factual and legal reasons of refusing the request for correction, freezing or deletion in writing, within 30 days after receiving such request. Should data manager refuse a request for correction, freezing or deletion, they will inform the concerned party of the existing court remedies and their option to turn to the Authority.
The concerned party’s right enforcement options are included in the 2011 Law No. CXII on the right to autonomy of information and freedom of information and the Civil Code (currently the 2013 Law No. V), under which the concerned party may turn, if their rights contained in the Law are violated, to court or to the National Authority for Privacy and Freedom of Information.
Remedies, right enforcement at authorities and courts:
At the National Authority for Privacy and Freedom of Information
1024 Budapest, Szilágyi Erzsébet fasor 22/C
Currently chaired by: Dr. Péterfalvi Attila
Relating regulation: The Law and its Art. 52, Par. (1).
By submitting a report to the Authority, anyone can have an investigation started by stating that their rights in connection with personal data management or practicing their rights to learn data of public interest or public data of public interest were violated, or are threatened imminently.
An investigation by the Authority is not deemed to be an administrative procedure, and the law on the general rules of administrative procedures shall not apply.
Capital Court of Justice
1055 Budapest, Markó u. 27
Relating regulation: The Law and its Art. 22.
If the concerned party’s rights are violated, data receiver may bring data manager to court in the cases defined in the Law Art. 21. The court will conduct an extraordinary procedure in such a case.
It is data manager’s obligation to prove that data management complies with the contents of the regulations. In cases as per the Law Art. 21, Pars. (5) & (6), data receiver shall prove if a data transfer to them was legal or not.
A court of justice (the Capital Court of Justice) will be competent to reach a verdict in the lawsuit. The lawsuit may also be initiated, at the concerned party’s discretion, at the court of justice at the concerned party’s permanent or temporary residence.
Anyone who otherwise doesn’t have a legal capacity in the suit can be party to it. To make sure the concerned party wins, the Authority may intervene in the lawsuit.
If the court entertains the request, it will oblige data manager to give information, correct, freeze, delete data, cancel the decision made with automated data processing, consider the concerned party’s right to protest, and provide the data requested by data receiver as defined in the Law, Art. 21, respectively.
If, in the cases defined in the Law, Art. 21, the court rejects data receiver’s request, then data manager will be obliged to delete the concerned party’s personal data within 3 days after the court verdict is disclosed. Data manager is obliged to delete the data also if data receiver doesn’t turn to court within the deadline defined in the Law, Art. 21, Pars. (5) and (6).
The court may rule to make its verdict public – by disclosing data manager’s identification data - if this is required by privacy interests and the rights protected by law of a large number of concerned parties.
This Policy and the concerned registering party’s statement form an integral part of the registration, and by reading and accepting it, the concerned party will specifically agree that data manager will manage their personal data indicated in this statement and at the registration time.
The concerned party specifically agrees that data manager will transfer their personal data provided for registration to other organizations (courier post service providers taking part in providing the service, legal persons doing delivery). The concerned party may any time request data manager to change or delete their personal data stored. Data manager will take no responsibility for the true nature of the personal data furnished by the concerned party, who will be exclusively responsible for them.
Should it become necessary to disclose the concerned party’s data to a third party or an authority, data manager shall immediately inform the concerned party accordingly in an email.
Should any question arise in connection with personal data management, you may get information by writing to the following email address: firstname.lastname@example.org
Budapest, January 30, 2015