Data Management General Terms and Conditions

We inform you that if awith SHIFT HUNGARY KFTis in a contractual relationship, then the data management specified in the data management regulations of the Data Controller is carried out. In this data management, the Data Controller and you, or your business is also involved. The Data Controller pays great attention to complying with the highest level of data protection requirements, so data management complies with the GDPR.

The GDPR stipulates that the companies involved in data management must establish the obligations of the companies in relation to data management in a contract with each other. Therefore, the Data Controller uses this document as general contractual terms and conditions (hereinafter: “general terms and conditions”, “Terms and Conditions” or “contract”), in which the Data Controller records the obligations of other businesses participating in the data management covering the data processing carried out in connection with the contractual relationship.

In view of the above, if you establish a contractual relationship with [company name], please read these general terms and conditions carefully, as its provisions are binding on your company.

In the terms of these General Terms and Conditions, Data Processor means you, while Data Controller means[company name]understandable.

Definitions

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified who directly or indirectly, in particular an identifier, e.g. can be identified based on name, number, location data, online identifier or one or more factors related to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

“data controller”: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;

“data controller employee”:any person who is in an employment relationship with the data controller, in another legal relationship for work, or in any legal relationship with the data controller, on the basis of which this third party participates in the data management that is the subject of this contract;

“data processor”: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;

“representative”: with a place of business in the Union, or a natural or legal person with a place of residence and designated in writing by the data controller or Data Processor, who represents the data controller or Data Processor in relation to the obligations of the data controller or Data Processor pursuant to this regulation;

“automated decision-making”: when a decision based on an assessment of the data subject’s personal characteristics is made only through automated data processing;

“profiling”: any form of automated processing of personal data, during which personal data is used for the evaluation of certain personal characteristics of a natural person, in particular for the analysis of characteristics related to work performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movement or used to predict;

“data protection incident”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled;

“deletion”or “deletion of data”: rendering the data unrecognizable in such a way that its recovery is no longer possible.

Role of contracting parties in this contract

Data manager is a company that developed the…..application named.

The application is available on Android. After downloading the application, users can register in the application as an employee and a restaurant.

SHIFT HUNGARY LTD.

6753 Szeged, Major Street 15.

E-mail: martin.tihanyi9@gmail.com

SHIFT HUNGARY KFT is a company that provides assistance within the framework of a contractual relationship. in the implementation of data management purposes.

If you register as a restaurant a…..in the named application, as long as you do not officially employ an employee, you as a restaurant are considered a data processor. However, if an employee is employed, you as a restaurant become a data controller.

Subject of contract, data management

Parties are all parties to the CXII of 2011 on the right to self-determination of information and freedom of information. Act (hereinafter: “Infotv”) and REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (General Data Protection Regulation, hereinafter: “Regulation” or “GDPR”) cooperate and exercise their rights in compliance with the principles and provisions, or fulfill their obligations arising from this contract and manage the personal data that comes into their possession as a result of the above data management. With this contract, the parties establish the rules of the data processing operations performed by the Data Processor on the basis of the Data Controller’s mandate, or The Data Controller commissions the Data Processor to perform the tasks contained in this contract. During this assignment, the Parties place special emphasis on the protection of the private sphere of the affected persons of the processed personal data and the realization of the requirement of data security.

This contract was created in connection with the data management necessary for the operation of the business premises and online systems operated by [company name], and the achievement of data management goals, which are defined in the Data Controller’s Privacy Policy.

The data processor may not use the personal data obtained in connection with this contract for the information or consent of the persons concerned, or in this contract, or in excess of the regulations and frameworks laid down in legal provisions. If the Data Processor violates the above, it commits a breach of contract and at the same time a violation of the law. In such a case, the Data Controller may immediately withdraw or terminate this contract with immediate effect, and the Data Processor shall bear full responsibility for the former’s conduct and its consequences.

Rights and obligations of parties

In connection with the cooperation of the parties set out in this contract, especially in connection with the exercise of the rights of the affected parties – in the absence of a different provision of the Parties or this contract – the obligations set forth in both the Decree and this contract in connection with the Data Controller are by definition also borne by the Data Processor. For example, if the data subject asks the Data Controller to delete or limit his personal data, then by definition both the Data Controller and the Data Processor are obliged to delete or limit the data subject’s personal data.

During the performance of this contract, all data and information that came to the attention of the Data Processor exclusively for the Data Controller, or can be used in connection with data management. The Data Processor is obliged to continuously comply with the conditions formulated by the Data Controller and to ensure the data security conditions.

The Data Processor is obliged to use persons with appropriate knowledge and experience in order to perform the tasks specified in this contract. It is also obliged to ensure the preparation of the persons it uses with regard to the legal provisions to be observed, the obligations contained in this contract, and the purpose and method of data management.

Obligation to cooperate and provide information

During the performance of this contract, the parties are mutually obliged to cooperate and provide information regarding the cooperation that is the subject of the contract, or tasks, or in relation to all relevant information, circumstances and questions related to these. Based on the above obligation, the Parties are obliged to notify each other immediately, but no later than within 3 working days.

If at any time during the performance of the contract a circumstance arises for the Data Processor that prevents timely performance, the Data Processor must notify the Data Controller immediately, but no later than within 3 working days, of the delay, its expected delay and the reasons.

The Data Controller provides the Data Processor with all information necessary to fulfill the obligations specified in this contract, or necessary to verify performance, and which enables and facilitates audits performed by the Data Processor or by another auditor commissioned by the Data Processor, including on-site inspections.

Both the Data Processor and the Data Controller, as well as – if any – the Data Processor’s or the Data Controller’s representative during the performance of their duties with the supervisory authority (National Data Protection and Information Authority, hereinafter: NAIH)cooperate.

If the Parties do not agree otherwise, the Data Processor is obliged to inform the Data Controller of any measures taken in connection with its essential obligations arising from this contract, or certify the fulfillment of the obligation to the Data Controller in order for the Parties to be able to comply with the basic principle of accountability defined in the decree.

Right of instruction and right of decision

During the performance of this contract, the Data Processor is obliged to act based on the instructions of the Data Controller.

The Data Controller is responsible for the legality of the Data Controller’s instructions regarding the tasks defined in connection with data management. However, the Data Processor shall immediately inform the Data Controller if it believes that an instruction of the Data Controller violates this contract, the Regulation or other legal provisions, or if the Data Processor gives inappropriate or unprofessional instructions. If the Data Controller maintains its instructions despite the warning, the Data Processor may withdraw from the contract or perform the task according to the Data Controller’s instructions at the Data Controller’s risk. The Data Processor is obliged to refuse to fulfill the instruction if its implementation would lead to a violation of legislation or an official decision or endanger the person or property of others.

The Data Processor may not make substantive decisions regarding data management, may only process the data it receives in accordance with the provisions of the Data Controller, may not carry out data processing for its own purposes, and is obliged to store the data in accordance with the provisions of the Data Controller, or keep. The Data Processor is only authorized to perform the technical data management and data processing operations necessary for data management and this contract.

Right of inspection

The Data Controller is entitled to check the execution of the contractual activity at the Data Processor. The Data Processor’s consent is not required to exercise the control right.

The Data Controller may exercise its control right without prior information and notification to the Data Processor. The right of inspection is exercised, if possible, primarily during the opening hours of the Data Processor, or must be practiced during working hours.

Based on the right of inspection, the Data Controller is entitled to enter the premises of the Data Processor in connection with the data processing and the processed data, to inspect the records, to ask questions of the persons involved in the data processing, to make copies and to carry out all other control actions that the data processing is in accordance with this contract or they may be necessary for the proper control of the legislation.

Assignment of additional data processor

The Data Processor may not use additional data processors without the prior authorization of the Data Controller on a case-by-case or general basis. In the case of general authorization, the Data Processor informs the Data Controller of any planned changes that affect the use of additional data processors or their replacement, thereby providing the Data Controller with the opportunity to object to these changes.

If the Data Processor uses an additional data processor to perform its tasks in connection with data management, the Data Processor guarantees that the additional data processor it uses performs its activities in accordance with the provisions of this contract, the Decree and other laws. In addition, the Data Processor is obliged to impose the data processing obligations defined in this contract on the additional data processor and to enter into a written or electronic contract with the additional data processor, in particular that the additional data processor must provide adequate guarantees for the implementation of the appropriate technical and organizational measures and thereby ensure the data management must comply with the requirements of this contract and the Regulation.

If the additional data processor does not comply with data protection or obligations as a data processor, the Data Processor who commissioned him is fully responsible to the Data Controller for fulfilling the further obligations of the data processor. The Data Processor is responsible for any damage resulting from the use of an additional data processor.

Prior information of the affected parties

If the personal data is collected from the data subject, the information listed in Annex No. 1 must be made available to the data subject at the time of obtaining the personal data. If the personal data were not obtained from the data subject, then: a) within a reasonable period of time from the acquisition of the personal data, but no later than 25 days; b) if the personal data is used for the purpose of contacting the data subject, at least during the first contact with the data subject; or c) if it is expected that the data will be communicated to another recipient, the information listed in Annex No. 1 must be made available to the data subject at the latest when the personal data is communicated for the first time.

The above obligation to provide information – in the absence of a different provision by the Parties – is the responsibility of the Data Processor. In order to fulfill the obligation to provide information, the Data Controller is obliged to immediately, correctly and in accordance with the law, provide all the information necessary for the provision of information and related to the Data Processor or its activities, or to be given to the Data Processor in accordance with this contract.

If the above information is provided by the Data Processor to the data subject, the Data Processor is obliged to immediately notify the Data Controller of the information and provide the Data Controller with the documentation proving the completion of the information.

The rights of data subjects and the cooperation of the parties in this regard

The parties state that in relation to data management, the data subjects are entitled to the following rights: right to information, right to access, right to correction, right to deletion, “right to be forgotten”, right to restriction, right to protest, right to data portability, the right to withdraw consent, the right to complain, the right to judicial redress (hereafter together: “rights of data subjects”).

It is the joint obligation of the parties that the data subjects exercise their rights related to data management to the highest level that can be expected, as well as to the Regulation, or they can exercise it in accordance with other laws and this contract. In view of this, the Parties cooperate with each other, with the data subjects, the supervisory authority and third parties in order to ensure the exercise of the rights of the data subjects, in particular with regard to the following.

For the sake of the above, the Parties agree that the Data Processor will provide the information, cooperation or other action necessary for the proper information of the data subject in order to exercise his rights within 3 days. If the Data Processor is unable to fulfill its obligations within the aforementioned deadline, it must notify the Data Controller immediately, but no later than within 2 days, and at the same time inform the Data Controller about the deadline by which it can fulfill its obligations, which deadline cannot exceed 10 days.

The Data Controller informs all recipients, including the Data Processor, of the correction, deletion or in connection with the restriction of data management, to whom or to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort.

Right to information and right to access

The Data Controller shall comply with Articles 13-14, 15-22 of the Regulation on the processing of personal data for the data subject. and 34 provides all information and information in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded, especially in the case of any information addressed to children. At the request of the data subject, the Data Controller provides the data subject with a copy of the personal data that is the subject of data management.

The parties provide the information to each other in writing or electronically. If the data subject submitted the request electronically, the information must be made available in a widely used electronic format, therefore in this case the Data Processor also provides the data to the Data Controller in electronic form.

The information and measures must be provided free of charge to the data subject, therefore the Data Processor cannot request a fee from the Data Controller. For additional copies requested by the data subject, the Data Processor may charge a reasonable fee based on administrative costs.

If the Data Controller has reasonable doubts about the identity of the natural person who submitted the request, it may request the provision of additional information necessary to confirm the identity of the person concerned.

Right to rectification and erasure (“right to be forgotten”)

The data subject has the right to have inaccurate personal data corrected or supplemented by the Data Controller without undue delay upon request.

The data subject has the right to request that the Data Controller delete the personal data concerning him without undue delay, and the Data Controller is obliged to delete the personal data concerning the data subject without undue delay if one of the reasons listed in Article 17 of the Regulation exists, in particular: a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed; b) the data subject withdraws the consent that forms the basis of the data processing (and the data processing was based on the consent of the data subject) and there is no other legal basis for the data processing; c) the data subject objects to data processing and there is no overriding legal reason for data processing; d) personal data were handled unlawfully; etc.

The Parties are not obliged to comply with the deletion, if there is a limitation of the right to deletion. The limitations of the right to erasure are listed in Article 17 (3) of the regulation.

If the Data Processor or the Data Controller has disclosed the personal data and is obliged to delete it, taking into account the available technology and the costs of the implementation, it will take the reasonably expected steps – including technical measures – in order to be able to inform the data controllers handling the data that the data subject has requested from them the links to the personal data in question or a copy of this personal data, or deletion of its duplicate.

The right to restrict data processing

The data subject has the right to request that the Data Controller restricts data processing in the cases listed in Article 18 of the Regulation, in particular: a) the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows the Data Controller to verify accuracy of personal data; b) the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use; c) the Data Processor no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; or d) the data subject has objected to data processing in accordance with Article 21 (1); in this case, the restriction applies to the period until it is determined whether the Data Controller’s legitimate reasons take precedence over the data subject’s legitimate reasons.

If data management is subject to restrictions based on paragraph (1), such personal data, with the exception of storage, will only be processed with the consent of the data subject or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of other natural or legal persons, or the Union, or can be handled in the important public interest of a member state.

The Data Controller informs both the data subject at whose request the data processing was restricted and the Data Processor about the lifting of the data processing restriction in advance.

The right to data portability

In accordance with Article 20 of the Regulation, the data subject has the right to receive the personal data concerning him/her provided by him/her to a data controller in a segmented, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without this would be hindered by the data controller to whom the personal data was made available, if the data management is based on consent and the data management is carried out in an automated manner.

Since the data subject has the right to request the direct transmission of his personal data between the data controllers, the Data Processor may be obliged to transmit the data subject’s personal data directly to the Data Controller to which the data subject has requested the transmission of his data. In the case of exercising the right to data transmission, the data subject’s personal data must be deleted at the same time based on a separate request from the data subject.

The right to protest

The data subject has the right to object at any time for reasons related to his own situation against the processing of his personal data based on points e) (data processing in the public interest) or f) (data processing necessary to assert a legitimate interest) of Article 6, paragraph (1) of the Regulation, including those based on the aforementioned provisions also profiling.

In the case of exercising the right to protest, the Data Controller may no longer process the personal data, unless the Data Controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or which, in order to submit legal claims, are related to its enforcement or protection.

If personal data is processed for direct business acquisition, the data subject has the right to object at any time to the processing of personal data concerning him for this purpose, including profiling, if it is related to direct business acquisition. And in this case, the personal data can no longer be processed for this purpose.

Automated decision-making in individual cases, including profiling

The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have a legal effect on him or affect him to a similar extent.

Therefore, in case of automated decision-making, the Parties ensure the protection of the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to request human intervention on the part of the Data Controller, to express his position and to submit objections to the decision.

Remuneration and costs

In the absence of a different provision by the parties, the Data Controller is not burdened with payment obligations based on this contract, since this contract and the obligations set forth in it are for the Parties according to the Regulation, or required by other laws. In view of the above, in connection with data management, the parties bear the incurred costs themselves and do not enforce reimbursement of costs towards each other.

Indemnification and liability

All data controllers involved in data management are responsible for any damage caused by data management that violates this regulation. The Data Processor is only liable for damages caused by data processing if it has not complied with the obligations specifically imposed on data processors specified in the Regulation or this contract, or if it has ignored or acted contrary to the lawful instructions of the Data Controller.

The Data Processor, or the Data Controller is exempted from liability for damages if he proves that he is not responsible in any way for the event that caused the damage.

If several data controllers or data processors or both the Data Processor and the Data Controller are involved in the same data management and are liable for the damages caused by the data management, each data controller or data processor shall be jointly and severally liable for the entire damage in order to ensure the effective compensation of the data subject. If a data controller or data processor has paid full compensation for the damage suffered in accordance with the aforementioned joint and several liability, it is entitled to reclaim from the other Data Processors or Data Controllers involved in the same data management the part of the compensation that corresponds to the extent of their responsibility for the damage in accordance with the conditions established above.

The above liability rules also apply in the case of damages, or also in the event that the data controller is reprimanded by the supervisory body (NAIH), or is subject to a fine and the violation on which the sanction is based can be charged to the Data Processor.

Data security

The Data Processor and the Data Controller are obliged to implement appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons. , to guarantee a level of data security appropriate to the degree of risk, including, among other things, where applicable: a) pseudonymization and encryption of personal data; b) ensuring the continuous confidentiality, integrity, availability and resilience of the systems and services used to manage personal data; c) in the event of a physical or technical incident, the ability to restore access to personal data and the availability of data in a timely manner; d) a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures taken to guarantee the security of data management.

The parties state that the system of data security requirements means supporting the protection of personal data with technical and personal measures, as well as physical and IT solutions.

The parties declare that the Data Processor and the Data Controller, in the course of their data management and data processing activities, act in accordance with the provisions of the Decree and other laws, the data protection rules and jurisprudence, comply with the provisions of the applicable laws, or it also takes into account the most important international recommendations related to data protection.

The parties declare that personal data is stored on protected servers with limited access, and in addition, the Data Processor and the Data Controller take all necessary technical and organizational measures against the loss, use for other purposes, disclosure, disclosure, change or deletion of the data subject’s data by unauthorized persons.

The parties – among other things – ensure that the stored data is accessed only by authorized persons through an internal system or through direct access, and only in connection with the purpose of data management, they ensure the necessary, regular maintenance and development of the devices used, the device storing the data is properly it is placed in a closed room with physical protection, they also take care of its physical protection, they ensure that the data stored in the various registers cannot be directly linked and assigned to the person concerned.

The Data Processor is obliged to take care of the paper or on the appropriate protection of electronically stored data. The Data Processor is obliged to prevent access to the data by unauthorized persons, and is fully responsible for any damage resulting from a deliberate or negligent violation of this obligation. The Data Processor may not transfer the right to use the data it processes to a third party.

The Data Processor is obliged to have internal data management regulations covering its entire organization, which all its employees have accepted, and to act in accordance with the regulations in relation to data management. Furthermore, in order to increase data security, the Data Processor is obliged to review and, if necessary, amend its internal data management policy from time to time, but at least annually or in justified cases (e.g. in the event of a data protection incident).

Data protection incident

In the event of a data protection incident, the parties are obliged to cooperate with each other. In the event of a data protection incident, the parties in this contract, or they fulfill their obligations defined in the Regulation in order to increase the security of the personal data of the data subjects and to avoid future data protection incidents.

The data controller shall report the data protection incident to the competent supervisory authority (NAIH) without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the rights of natural persons and for his freedoms. By definition, if the Data Processor detects a data protection incident or a suspicion thereof, it must notify the Data Controller immediately, but no later than one day after the detection. In the event of non-fulfilment or delayed fulfillment of the aforementioned obligation to provide information, the Data Processor bears full responsibility for the data protection incident and its consequences. Furthermore, if the Data Processor later obtains additional information about the data management incident, it is also obliged to inform the Data Controller of this information without delay.

The Data Controller’s information about the data protection incident must cover the provisions of Article 33, paragraph (3) of the Regulation, with particular regard to the following: the nature of the data protection incident, including the categories and approximate number of data subjects, the categories and approximate number of data affected by the incident; the likely consequences of the data protection incident; measures taken or planned by the Data Processor to remedy the data protection incident.

The Data Processor is obliged to keep records of data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it.

In connection with the data protection incident, the Parties are obliged to conduct an investigation within the organization that resulted in the cause of the incident in order to reveal – among other things – the cause of the incident, those responsible for it and the regulatory, procedural or other security deficiency that led to the incident. The Parties are obliged to accept the report within 30 days after the incident occurred or became known to them. The results of the investigation are summarized in a report by the affected party, which report also includes the proposals that prevent or may prevent the incident from happening again in the future. The parties are obliged to implement the recommendations of the report into their organization immediately, but within 30 days at the latest, or to take the necessary measures based on these.

If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the data protection incident without undue delay.

Data protection impact assessment

If a type of data processing – particularly one that uses new technologies – is likely to involve a high risk to the rights and freedoms of natural persons, taking into account its nature, scope, circumstances and purposes, the Data Processor shall conduct an impact assessment prior to data processing to ensure that the planned data processing operations how the protection of personal data is affected.

The Data Processor is obliged to inform the Data Controller immediately about the data protection impact assessment, its results and the new data management on which the impact assessment is based. If the Data Controller does not agree with the new data management practice or technology, it shall notify the Data Processor within 3 days at the latest. In this case, the Data Processor may not apply the new data management practice or technology in connection with the data management that is the subject of this contract. If the Data Processor does not accept the Data Manager’s disagreement, it may terminate this contract with a unilateral declaration with a 30-day notice period. If the Data Processor applies the new data management practice or technology in the event of the Data Controller’s disagreement, the Data Controller is entitled to terminate this contract with immediate effect and may demand compensation.

The impact assessment covers at least: a) the methodical description of the planned data management operations and the description of the purposes of the data management, including, where applicable, the legitimate interest that the Data Processor wishes to assert; b) examining the necessity and proportionality of data management operations, taking into account the purposes of data management; c) to examine risks affecting the rights and freedoms of the data subject; and d) to present measures aimed at managing risks, including guarantees, security measures and mechanisms for the protection of personal data and verification of compliance with this regulation, taking into account the rights and legitimate interests of the data subjects and other persons.

If the data protection impact assessment establishes that the data processing is likely to involve a high risk in the absence of measures taken by the Data Processor to mitigate the risk, the Data Controller must consult with the supervisory authority (NAIH) before processing personal data and inform the Data Processor immediately of the results of the consultation. The consultation must cover the information contained in Article 36 of the Regulation.

Confidentiality

With respect to the duties of the Data Controller and the Data Processor arising from the contract, the Data Processor is obliged to take the technical and organizational measures and establish the procedural rules that are necessary to enforce the data and privacy protection rules.

Acquired by the Data Processor in connection with this contract, or all data obtained by the parties are considered confidential information, according to which it is prohibited to disclose them, or otherwise transfer them to third parties, make them accessible, etc., unless otherwise stipulated by the parties, unless it is required by law.

The Data Processor undertakes to make copies and extracts of documents and documents related to the performance provided by the Data Controller only with the prior permission of the Data Controller, and not to give access to these documents to third parties, or does not disclose their content to third parties in any other way.

The obligation of confidentiality is imposed on the Data Processor regardless of the fulfillment or termination of the contract, without any deadline. Violation of the confidentiality obligation, or the disadvantages resulting from the unauthorized disclosure of data, as well as the costs necessary to eliminate them, including compensation for both pecuniary and non-pecuniary damage – in addition to other responsibilities – shall be borne by the party responsible for the unauthorized disclosure.

Scope, modification, termination of the contract

This contract between the Parties is for the duration of data management, or was created to perform data processing tasks. This contract, therefore, simultaneously with the termination of data management, all further legal declarations, or will be terminated without notice.

If the Parties have concluded a separate basic contract (mandatory contract, hereinafter: basic contract) with each other in connection with the legal relationship of assignment, in that case this contract forms part of the basic contract and at the same time an annex. Therefore, by amending or terminating the basic contract, or by its termination by any Party – without a separate declaration by the parties – this contract is modified, or cease. And the provisions following this paragraph of this chapter (Scope, modification, termination of the Agreement) are invalid and must be ignored. Thus, the Parties’ unilateral modification of this contract, as well as the ordinary or in the case of exercising extraordinary termination rights, the relevant provisions of the basic contract must be applied, they cannot deviate from it.

If no basic contract has been established between the Parties, this contract can be modified in writing or electronically, based on the mutual agreement of the Parties, or valid in the event of a unilateral amendment by the Data Controller specified in this contract.

The Data Controller shall notify the Data Processor of any unilateral changes to this contract. After notification, the Data Processor has 15 days to object to the amendment. If within 15 days the Data Processor does not notify the Data Controller of the non-acceptance of the amendment, the amendment shall be considered accepted on the 15th day. If the Data Processor indicates that it does not wish to accept the amendment within 15 days, the amendment is not considered accepted. In this case, the Data Controller may terminate this contract with immediate effect. If the contract amendment is due to a change in legislation, the Data Processor cannot object to the amendment. In other cases, the contract can be modified unilaterally by the Data Controller for valid reasons, which modification cannot make the Data Processor’s tasks significantly more burdensome.

In the absence of a basic contract, the Parties may terminate this contract at any time by mutual agreement in writing or electronically.

If one of the Parties seriously violates the essential obligations assumed in this contract and does not remedy it even within the deadline specified in the relevant notice, the other party may terminate this contract with immediate effect. In this contract, among other things, all such obligations are considered essential obligations, on the basis of which the Data Controller may be fined by the supervisory authority (NAIH).

In the absence of a basic contract, either party may terminate this contract unilaterally in writing or electronically with a 30-day notice period.

In case of termination of this contract for any reason, the Data Processor is obliged to delete (destroy) the stored data and record the fact of this in a protocol, and then hand over the protocol to the Data Controller. Should the contract be terminated for any reason prior to the fulfillment of the contract, the Data Processor shall, in accordance with the provisions of the Data Controller, transfer the data processed by it to the Data Controller or another data processor designated by the Data Controller and delete the data, or in accordance with the provisions of the Data Controller – if the data processing cannot be continued legally – delete the data, record the fact of this in a protocol and hand over the protocol to the Data Controller. The Data Processor is obliged to fulfill the obligations of the former until the termination of the contract at the latest.

Keeping in touch

The parties keep in touch with each other during the performance of this contract through the contact persons designated by the parties in Annex No. 2 and the contact details of the contact persons. The parties record that they recognize the electronic mail sent to their electronic mail address (email address) as written communication between them. The Data Controller declares that it checks the e-mail account of the contact person daily and reads the e-mail sent by the contact person daily.

If any of the Parties has a data protection officer, then – unless otherwise stipulated by the Parties – the designated contact person is the party’s data protection officer.

The parties are obliged to inform each other immediately if the person or any data or contact information of the designated contact person ceases to exist or changes. Damage caused by failure to fulfill the above obligation shall be borne by the defaulting party.

Final provisions

This contract is governed by the rules of Hungarian law, and in matters not regulated in this contract, the relevant provisions of the Decree, Infotv., and Act V of 2013 on the Civil Code. The parties agree that they will primarily attempt to resolve any disputes arising in connection with this contract between themselves through negotiations. In relation to this contract, the parties stipulate the exclusive jurisdiction of the Szeged District Court and the Szeged Court of Justice.

The parties undertake to inform each other of any circumstances that affect the fulfillment of the contract or affects the legitimate interest of the other Party. The defaulting Party is responsible for damages resulting from failure to report.

The invalidity of any point or provision of this contract does not mean the invalidity of the entire contract, unless the Parties would not have concluded the contract without the provision or part considered invalid, or this provision or in the absence of this part, the contract would become meaningless or uninterpretable.

This contract is signed by the Parties – at the undersigned place and time – after reading and interpreting it, as being in accordance with their wishes in all respects.

List of attachments:

Annex No. 1: The information you must inform the affected parties

Appendix No. 2: Contact persons

Appendix No. 1

The information you need to inform the data subjects

  1. the identity and contact details of the Data Controller and the Data Controller’s representative, and if there is one: the data protection officer and their contact details;
  2. the purpose of the planned processing of personal data,
  3. the expected effects, consequences and benefits of data processing on the data subject;
  4. the personal data concerned and their categories;
  5. the legal basis for data management;
  6. if the data management is necessary to enforce the legitimate interests of the Data Controller or a third party, then the legitimate interests of the Data Controller or a third party;
  7. about whether the provision of personal data is based on legislation or a contractual obligation or is a prerequisite for concluding a contract, as well as
  8. whether the data subject is obliged to provide personal data, and
  9. the possible consequences of failure to provide data;
  10. the recipients of the personal data, or categories of recipients,
  11. on the period of storage of personal data or aspects of determining this period;
  12. the data subject’s right to request from the Data Controller access to personal data relating to him, their correction, deletion or restriction of processing, and to object to the processing of such personal data, as well as the data subject’s right to data portability;
  13. if the data processing is based on the data subject’s consent, then about the right to withdraw the consent at any time,
  14. on the right to submit a complaint to the supervisory authority;
  15. the fact that the Data Controller wishes to transfer the personal data to a third country or an international organization, and the existence of the Commission’s compliance decision in relation to the third country, or the absence of such a compliance decision, or the indication of adequate and suitable guarantees according to the Regulation, as well as to obtain a copy of them reference to methods or their availability,
  16. the fact of automated decision-making, including profiling, as well as, at least in these cases, comprehensible information about the logic used and the significance of such data management and the expected consequences for the data subject,
  17. the source of the personal data and, where applicable, whether the data comes from publicly available sources (if the data is not obtained directly from the data subject).

Appendix No. 2

Contact persons designated by the Parties

Data processor contact:

Name: …
E-mail: …
Mobile: …
Telephone/Fax: …
Mailing address: …

Data controller contact:

Name: …
E-mail: …
Mobile: …
Telephone/Fax: …
Mailing address: …

Működteti a WordPress.com.