Contents

Introduction

Responsibilities for data management

Data Controller

Data Protection Officer

Data processors

Principles, purposes and legal basis for processing

Brief description of data processing

Proportionality and necessity of processing

Overview of the legal bases and purposes of data processing

Records required for the performance of contractual obligations

Records to ensure the operation of the company

Enforcement of legitimate interests register

Business acquisition (lead) register 

Duration of data processing

Process of data processing

Information to the person concerned

Establishment of the legal basis

Data capture

Data classification

Data storage and processing

Additions, corrections, data changes

Withdrawal of consent

Restriction and termination of data processing

Delete data

Data transmission

Data management flowchart

Tools for processing personal data

Rights of data subjects

Information for stakeholders

Right to complain

Right to erasure

Right to object

 

Introduction

This document describes the processing of personal data by 27G-Technology Ltd. as the data controller in the course of the company’s operations, and informs the data subjects about their rights and the way to exercise them in accordance with the General Data Protection Regulation (GDPR). Within the limits of the legal possibilities, the information notice aims to meet the requirements of clarity and comprehensibility to the maximum extent possible, informing the data subjects in simple, understandable language. In the event of any questions of interpretation, the company’s Data Protection Officer will be happy to provide further clarification at the request of the data subject.

Responsibilities for data management

Data Controller

27G-Technology Korlátolt Felelősségű Társaság (company register number: 13-09-204308, tax number: 27338212-2-13, registered office: 2100 Gödöllő, Iskola utca 8.), short name 27G-Technology (27G).

Contact details of the Data Controller:

Email: info@27g.space

Phone: +36 30 651 3471

Data Protection Officer

Dr. jur. Zoltán Székely

zoltan@szekely.family

+36304795654

Data processors

  1. Microsoft (https://privacy.microsoft.com/hu-hu)
  2. Google (https://policies.google.com/privacy?fg=1)
  3. Automattic (https://automattic.com/privacy/)

We use data processors to deliver our products and services to our customers, operate our website and its cookies, and through software services for business management, such as data storage, documentation, initiating payment transactions and communicating with customers.

Principles, purposes and legal basis for processing

Brief description of data processing

The purposes of the data processing are the sale of products and services of 27G-Technology Ltd., the fulfilment of the resulting contractual obligations, the operation of the company, the enforcement of legitimate interests and business acquisition. In exceptional cases, data processing may also be carried out by means of complaint handling or by means of an obligation imposed by law or by a competent authority. Data management is carried out in registers, in principle in purpose-oriented registers, but also in accordance with the requirement of data economy, where it is reasonable to have one database (physical register) serving several administrative registers (functional register). A record is permanently deleted when it is no longer required to be managed by one of the records.

Proportionality and necessity of processing

27G-Technology Ltd. will only process data whose processing is proportionate to the economic benefits to be achieved through legitimate, reasonable and fair business practices and which provide mutual benefits to the data subject and 27G-Technology Ltd. This should also include processing that is mandatory by law. We do not process data that is not strictly necessary and we do not process data for longer than is strictly necessary.

Overview of the legal bases and purposes of data processing

In summary, 27G-Technology processes data on the following legal bases:

  1. We process data in the context of record-keeping necessary for the performance of contractual obligations where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” (Art.6(1)(b) GDPR). For example, when we record an order, write a contract or monitor its performance, issue a performance confirmation or invoice, we use the data for the production of documents in the context of this processing.
  2. We process the data to ensure the operation of the company if “processing is necessary for compliance with a legal obligation to which the controller is subject” (Article 6(1)(c) GDPR). This includes tax returns, records of health and safety training, employee records, other documents and records that must be kept.
  3. We will process data for the purposes of our legitimate interests if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child” (GDPR 6. This includes our CCTV footage taken during a security incident, data necessary for the enforcement of our financial claims, audio recordings made with the consent of the participants in a dispute resolution negotiation.
  4. We will process data for a specific commercial purpose if “the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes” (Article 6(1)(a) GDPR). This means not only for us, but also for the data subject, and includes access to our social networking channels. On this basis, we send – subject to our customers’ consent – newsletters, offers and various information.

Records required for the performance of contractual obligations

When 27G-T enters into a contract with a customer, or with another person on behalf of a customer, or takes preparatory steps to enter into a contract, such as preparing and sending a personalised offer, in order to serve its natural person customers, it processes the following data on this legal basis:

  1. Name
  2. Mailing (billing) address
  3. Shipping address
  4. Email address
  5. Phone number
  6. Other electronic contact information (e.g. Facebook, Instagram, LinkedIn, Twitter ID)
  7. Payment details (bank account number, PayPal, Simple or other online payment identifier)
  8. List of transactions to date
  9. Username and password pair
  10. Post-contract performance data (e.g. product delivery process identifier)

Records to ensure the operation of the company

These records contain the information necessary to fulfil the legal obligations relating to the operation of the company. This includes, for example, employment or agency contracts of the company’s employees and natural persons acting on behalf of the company, data subject to reporting to the tax authorities, company email accounts provided to natural persons.

  1. Name (based on identity document)
  2. Identity document number
  3. Driving licence number, category and period of validity
  4. In case of a foreign natural person, travel document number
  5. In the case of a third-country natural person, the number of his/her visa or residence permit entitling him/her to work (traineeship)
  6. Social security number or, for foreigners, full health insurance policy number
  7. Tax identification number (tax number in the case of individuals with a tax number)
  8. If you are claiming an advance tax credit or working time allowance, the supporting data (e.g. names of children, tax identification number)
  9. Copies of your educational qualifications and the details on them (e.g. name, photo, OH ID)
  10. Performance measurement data (person-related data, such as hours worked, number of contracts successfully concluded)
  11. Other electronic contact information (e.g. Facebook, Instagram, LinkedIn, Twitter ID)
  12. Image, sound and video recordings (only recordings made with the knowledge and consent of the data subject and not offending the dignity of the data subject may be processed)
  13. Electronic log files related to the use of the system (log files are generated by the data processors and may be obtained only in justified cases, based on a written decision of the executive manager)

Enforcement of legitimate interests register

The register contains data that cannot be included in the scope of the other registers, but whose processing is unavoidably necessary for the enforcement of the legitimate interests of 27G-Technology Ltd., its customers or third parties in connection with the operation of the company. For example, this includes claims for compensation or damages against third parties, the enforcement of claims or the performance of obligations in relation to natural persons other than by contract, employment or agency. For example, if a visitor to the premises of a company is involved in an accident at work, his details must be recorded in the accident report.

  1. Name
  2. E-mail
  3. Phone number
  4. Mailing address
  5. Shipping address
  6. Image, sound and video recordings (only recordings made with the knowledge and consent of the data subject and not offending the dignity of the data subject may be processed)
  7. Electronic log files related to the use of the system (log files are generated by the data processors and may be obtained only in justified cases, based on a written decision of the executive manager)

Business acquisition (lead) register

This record includes the data of natural persons who have requested or given their informed consent to be contacted by us with our offers, subscribe to our news feeds, visit our websites or follow our social media channels, subscribe to our magazines, register and participate in our events. This processing is based solely on the data subject’s informed consent, which may be withdrawn at any time without any adverse consequences for the data subject.

  1. Name
  2. Email
  3. Phone number
  4. Other electronic contact information (e.g. Facebook, Instagram, LinkedIn, Twitter ID)
  5. Tracers (cookies) indicating activity in connection with the use of the website and previous contracts, to the extent that the data subject agrees when accessing the website
  6. Audio, visual and video recordings made during workshops, conferences and other meetings, where the data subject may request that the recording not be recognisable and/or be distorted

Duration of data processing

The duration of the processing depends on the specific register.

  1. In the case of records necessary for the performance of contractual obligations, due to the rules of the Civil Code on the limitation of claims, the data will be processed until the termination of the contract and then stored for five years in the framework of limited data management (archives). Legislation or Grant Agreements may provide for a longer retention period for certain contracts (some funding sources require data to be kept for up to ten years after the end of the project).
  2. 27G-Technology Ltd. manages the data contained in the register of ensuring the operation of the company until the end of the tax return period following the termination of the employment relationship or contract of assignment, and then stores it for a further 2 years or for a period specified in other legislation or contract (for example, on the basis of the obligation to keep records of the contractor employed in a project supported under a grant agreement) in the framework of limited data management (archive), and then deletes it from the register.
  3. In the framework of the legitimate interests register, we will only process data until we have exhausted the possibilities to pursue the interest in question or until it is recognised earlier that the processing of the data infringes the interests of the data subject which are disproportionately overriding our legitimate interests. As the enforcement of interests may take many years in certain cases, for example in the case of judicial proceedings, although we intend to process these data for as short a period as possible, it is not possible to determine the exact duration of the processing.
  4. The processing based on the informed consent of the data subject shall continue until the data subject withdraws his or her consent, after which the processing shall cease. The obligation to erasure does not exclude the processing of information obtained from the anonymised processing of data for statistical purposes prior to their erasure, but such information must not contain personal data and must not make the data subject identifiable.

Process of data processing

Information to the person concerned

The data subject must be informed before the processing starts, and must be given the opportunity to familiarise him or herself with the information notice. This may be done, for example, by making it available on the website during registration, by providing it before the conclusion of a contract, by handing out information at the time of workshop registration, or by means of a poster or notice (typically at the entrance to an area protected by a CCTV system).

If the data subject so requests, he or she must be informed of the scope of the data stored about him or her, the data themselves (so that he or she can exercise his or her right to rectification if necessary), the basic characteristics of the algorithm in the case of automated processing (e.g. an algorithm that tries to suggest the next course material based on the results obtained so far) and the remaining time of processing. The information may also be provided via a web interface where the data subject can view his/her profile, in which case the request will be fulfilled in an automated way.

Establishment of the legal basis

Before processing, the legal basis or bases on which we process the personal data of the data subject must be assessed. In theory, there may be more than one legal ground for processing the personal data of a data subject at the same time, but this may mean a difference in the range of data that can be processed. Only data in respect of which a legal ground exists may be processed. For example, in the business acquisition register, the legal basis of which is voluntary informed consent, the social security number of the data subject cannot be processed even if he or she was previously employed and therefore could be legally processed in the other register (the register for the purpose of ensuring the functioning of the business). If no legal basis can be established, for example, if the data subject has not given consent and there is no other legal basis for the processing, it must be terminated and the data deleted.

Data capture

Data processing can be initiated in two ways: either by the communication of data by the data subject or by the recording of data based on the data subject’s informed consent. Examples of the former are the provision of data required for a contract, and the latter include cookies on a website or the recording of images and audio recordings of participants at a workshop. The legal basis for the processing must be checked before recording, in particular where the consent of the data subject is required. In case of doubt, the data subject or the DPO should be contacted.

Data classification

The data classification should identify which personal data should be processed in which register(s). The data may only be processed in registers for which there is a legal basis for the data. The data should be labelled according to the logical register, indicating the registers in which the data may be processed.

Data storage and processing

The data is then stored and processed automatically or, if necessary, manually. As a result of the processing, it is possible to carry out various transactions with the data subject, such as concluding a contract, making training available, sending a newsletter, providing a service, paying a salary, issuing an invoice, etc. If there are no more transactions in progress, the data will be automatically subject to restricted processing and deleted after the expiry of the storage period (immediately if no such period is specified). The processed data may be anonymised and used to produce statistical reports upon termination of the processing; the anonymised statistical report thus produced is no longer personal data.

Additions, corrections, data changes

The data subject has the right to request that personal data stored about him or her be supplemented (e.g. after obtaining a doctorate), corrected (e.g. typing errors, incorrect entries) or changed in accordance with the changed situation (e.g. change of name due to marriage, change of address due to move, new email address). This can also be done by the data subject changing the data on his or her user profile on the web interface. For reasons of data security, the change should be logged (the log file is part of the records of the company’s operations) and notified to the data subject.

Withdrawal of consent

The data subject may withdraw his or her consent at any time without undue prejudice. A legitimate consequence included in a contract, employment contract or conditions of participation, such as the termination of a service, restriction of access to a business premises, cancellation of registration for an event, shall not be considered as an unjustified disadvantage. The withdrawal of consent shall not be impeded in any way, including by persuasion or inducement. The possibility to withdraw consent should be provided in a simple and comprehensible way (e.g. in a maximum of two clicks). After withdrawal of consent, it should be examined which personal data of the data subject can be further processed on another legal basis. The data subject’s attention should be drawn to this, so that he or she can, if he or she so wishes, arrange for the termination of another legal basis (e.g. termination of a contract). For data which do not have a legal basis for processing, the termination of processing should be implemented.

Restriction and termination of data processing

When the legal basis ceases to apply, it must be ensured that the data controller has fulfilled all accounting and transfer obligations in relation to the data subject (e.g. payment of the contract, issue of certificates to the employee). If the record is subject to a retention obligation, the data must be subject to temporarily restricted processing, i.e. it must be stored in an archive (this means a separate, encrypted data container within the storage space, from which information cannot be automatically extracted). Thereafter, the data may not be further processed, except for deletion, until a legal basis for its processing is re-established (e.g. the data must be handed over by the Funding Authority in the context of a post-project audit). The data subject also has the right to request the restriction of processing, in particular if he or she contests the legal basis for the processing, if the data need to be clarified or if he or she wishes to prevent the deletion of the data in order to protect his or her legitimate interests. The data subject’s request for restriction of processing should be complied with until the situation is clarified, but efforts should be made to resolve it as quickly as possible.

Delete data

If there is no retention obligation or the retention period has expired, the data must be deleted. If the data is also present on a physical medium, the deletion must be made permanent by overwriting or, if this is not possible, by physical destruction (e.g. by ripping a DVD), but physical destruction must not cause damage to the environment (e.g. burning plastic media outdoors is prohibited). This will terminate the data management. The data subject must be informed of the fact of erasure before it starts.

Data transmission

We will not disclose the data to third parties without the explicit authorisation of the data subject for the specific data and transfer. Exceptions to this rule are our own contracted data processors, such as companies involved in transport (e.g. courier services) and authorities to whom we are legally obliged to transfer the data (for example, the employee’s tax identification number for the tax authorities in the case of records within the scope of company operations). An exception is also made if the transfer of the data is necessary to protect the vital interests of the data subject or of another natural person. An example of a transfer by authorisation is where the data subject consents, for commercial purposes, to the transfer of his or her name, email address and telephone number to a third party who wishes to use the services of the data subject.

Data management flowchart

The data management flowchart illustrates the process according to ISO 5807:1985. The arrow and no-arrow connectors have the same meaning and are merely for ease of interpretation. For decisions, the ‘I’ branch indicates yes and the ‘N’ branch indicates no. Transactions shall be understood to include employment, other employment relationships, services provided on the basis of a subscription contract or a separate contract or free of charge.

Tools for processing personal data

Personal data is handled on laptops and mobile devices with up-to-date operating systems and office software, protected by password, biometric or two-factor authentication, and with drive-level encryption. Storage is encrypted and activity-tracking, redundant and synchronised in the cloud. Network connections used for processing are also encrypted. We do not connect our devices to open, unencrypted WiFi networks or install unsigned or unlicensed software. We keep paper documents containing personal data in a locked room, where they are only allowed to be with our permission and supervision, and we use couriers or the state postal service for delivery. We use a shredder for the destruction of data media.

Rights of data subjects

Information for stakeholders

Data subjects have the right to be informed about the processing of their data and the data processed. Information is provided to data subjects mainly through the web interface, email and social networking groups, where each data subject can view the data processed about him or her. If the data subject requests it or if it is necessary in the specific situation (for example, a data protection incident or a clear error in the data entered and its correction, data designated for deletion and the fact of deletion, the introduction or lifting of a restriction), the data subject will also be informed separately via one of the contact details.

Right to complain

In data management, we strive to proactively address the problems that arise and to cooperate as much as possible with the data subjects. If you have a complaint or comment about the processing, please contact our Data Protection Officer in the first instance using one of the contact details provided above. You also have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (www.naih.hu).

Right to erasure

Data subjects have the right to request the cessation of processing and the erasure of their data. In the case of business records, this also means withdrawing consent. In other cases, the data will be deleted when the processing is no longer necessary or when there is no legal basis for the processing. For example, we will delete, on request and even before the expiry of the general 5-year processing period, contractual data for which we have already settled with the data subject after the termination of the contract, for which we have no claims against each other and for which we are not legally obliged to retain. We do not delete data that is necessary for the establishment, exercise or defence of legal claims (see Register of legitimate interests).

Right to object

The data subject may object to the processing in the register of legitimate interests and the processing in the register of commercial purposes. In the first case, it must be examined whether the claim of legitimate interest has been made in relation to a data subject. If so, and if it is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims, the data may continue to be processed. In the second case, this shall be considered as a withdrawal of consent and the processing in the commercial register shall be stopped immediately.