CUSTOMERS
Information on Data Protection
I. Purpose and Scope of this Notice
1.1 The purpose of this Notice is to establish the data protection and management principles applied by the Hungarian Mint Ltd. (Magyar Pénzverő Zártkörűen Működő Részvénytársaság; hereinafter: the Company or Data Controller) and the Company’s data protection and management policies which are recognised as binding by the Company as the Data Controller.
1.2 This Notice contains the principles for the management of personal data provided by Users on the Webpage, including such provided in the course of Webshop registration.
1.3 In formulating the provisions of this Notice, the Company specifically took into account Regulation 2016/679 of the European Parliament and of the Council (‘General Data Protection Regulation’ or ‘GDPR’) and the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (‘Information Act’), Act V of 2013 on the Hungarian Civil Code (‘Civil Code’) and Act CVIII of 2001 on electronic commercial services and certain questions on services related to the information society (‘Electronic Commerce Act’).
II. Definitions
Data management: regardless of the procedure in question, an action or sum total of actions performed using personal data, thus in particular the collection, recording, organisation, categorisation, storage, transformation, modification, access, review, use, provision, transfer, dissemination or otherwise rendering accessible, publication, coordination or linking, limitation, erasure or destruction of personal data.
Data Controller: the party defining the purposes and means of data management, independently or in conjunction with others.
Personal data or data: any data or information, based upon which a natural person User can be identified, directly or indirectly.
Data Processor: a party which manages personal data on behalf of the Data Controller.
Webpage(s): the Internet pages penzvero.hu/coins.hu/emlékpénz.hu operated by the Data Controller.
Service(s): the services operated and provided by the Data Controller which are accessible on the Webpages.
User: a natural person who registers for the services and provides the personal data set forth in Point IV. below.
External service providers: third-party service partners used by the Data Controller in relation to the operation of the individual Webpages or to ensuring the services accessible on the Webpages, either directly or indirectly, which receive or can receive personal data in the interests of providing their services or which can transfer personal data on behalf of the Data Controller. Furthermore, service providers which are not working with the Data Controller but which, by accessing the Webpages of the services, collect data on Users that are suitable for identifying the Users either independently or in connection with other data are also deemed to be external service providers.
Notice: this data management notice issued by the Data Controller.
III. Scope of Data Subjects
The data management pertains exclusively to natural or legal persons or the representatives of organisations without legal personality, who voluntarily register for the newsletter service using the Company’s site, or who voluntarily provide their data for the purposes of ordering, purchasing or advance ordering, or voluntarily participate in online prize games or calls for tenders organised by the Data Controller.
IV. Scope of Personal Data Managed
4.1 The Company’s data management activities are based on voluntary authorisation. In certain cases, however, the management, storage and transfer of some of the data provided is required by law; Users are separately notified in such cases. Parties providing data to the Company are hereby notified that, if they do not use their own personal data, it is the responsibility of the party providing the data to obtain the authorisation of the data subject.
4.2 Based on the User’s decision, the Data Controller may manage the following data in the interests of purchasing the products and using the services available through the Webpage:
- In relation to operation of the Webshop: For orders and purchases: name, address, e-mail address, and – depending on authorisation – telephone number. Users may register on the page using their e-mail addresses; following registration, they identify themselves with a username and password. Using the menu point “Data amendment”, Users always have the ability to change their username, password and personal data or to cancel their registration. If personalised coin engraving or photoengraving services are ordered, by sending the image to be used for photoengraving and the text to be engraved, the User authorises the Company to use such data. The images and texts are immediately erased following receipt of the coin by the ordering party.
- For advance orders of commemorative coins: name, address and e-mail address, and – depending on authorisation – telephone number. Data can be amended using the registration module on the Webpage.
- For using the newsletter service: name, address and e-mail address. Subscription to the Newsletter is voluntary; using the menu point “Data amendment” in the registration module on the Webpage, Users can subscribe to the Newsletter and can cancel their subscription using the menu point “Unsubscribe from the Newsletter” which appears at the bottom of the Newsletter.
- For prize games or calls for tenders on social media pages or Webpages: name, e-mail address, delivery address for winners, identifier suitable for identifying the community.
- For User identification based on the Act on the Prevention and Deterrence of Money Laundering and Terrorism Financing. In this case, the scope of Users involved is Users who purchase precious metals; the scope of the personal data used for identification is determined by the provisions of the law in force.
V. Scope of Other Data Managed by the Data Controller
5.1 In the interests of providing personalised service, the Data Controller places small data packages (so-called “cookies”) on the User’s computer. The purpose of cookies is to ensure the best possible operation of the pages, to provide personalised services and to enhance the User’s experience. The User can delete the cookies from its computer or can set its browser to prohibit the use of cookies. If the use of cookies is prohibited, the User accepts that the operation of the Webpage is not fully functional without the use of the cookies.
5.2 In the course of providing personalised services, the Data Controller manages the following personal data with the use of cookies: demographic data (based on the data referred to in Point 4.2) and information on the scope of interest and preferences (based on previous browser activities).
5.3 Data technically recorded during operation of the systems: the data on the User’s computers which are generated when the services are used and which the Data Controller’s system automatically records as a result of technical processes. The system automatically logs the data which are automatically recorded upon the User entering and exiting the site, without the separate consent or action of the User.
5.4 Users can find information on the cookies used by the Company in the Cookie Notice.
VI. Objective and Legal Basis of Data Management
6.1 Objectives of the data management performed by the Data Controller:
- identification of the User, contact with the User;
- identification of the User’s authorisations (services which can be used by the User);
- facilitating personalisation of the services used by the User and functions which promote ease-of-use;
- managing, processing and satisfying individual User requests;
- preparing statistics and analyses;
- directing marketing and marketing-related contact (e.g. newsletter, eDM, etc.);
- in individual cases, organisation and execution of prize games, notification of winners and delivery of prizes;
- development of the IT system;
- protecting User’s rights;
- complying with legal obligations;
- enforcement of the justified interests of the Data Controller.
6.2 Data management occurs on the basis of the proper, voluntary, advance notification of the User, the declaration of which includes the User’s express authorisation that the personal data provided while using the Webpages and the personal data on the User may be used. In the event of data management occurring on the basis of the authorisation, the User is entitled to revoke its authorisation at any time, but this does not affect the legality of data management occurring prior to such revocation.
Above and beyond the authorisation of the User, the justified interest of the Data Controller may serve as the legal basis for data management. In the case when the justified interest of the Data Controller serves as the legal basis for data management, the Data Controller has performed and may perform in the future the analysis of interests in accordance with the provisions of GDPR, which demonstrates that the justified interest of the Data Controller in data management is stronger than the data subject’s rights and freedoms related to data management. In the event of such a request, the Data Controller will provide information to the data subject in accordance with this Notice in relation to the contents of this paragraph.
6.3 Transfer of data to the Data Processors defined in this Notice may occur without separate notification of the User. Unless otherwise provided for by law, transfer of personal data to third persons or to the authorities is only possible on the basis of an official resolution, or in the event of the prior, express authorisation of the User.
6.4 The User guarantees that it has properly obtained the authorisation of the affected natural person in relation to the management of the personal data of other natural persons which it provides or makes accessible in the course of using the Webpages’ services. The User bears full responsibility for any User contents uploaded or shared to the Services.
6.5 In relation to any User e-mail address or data provided in the course of registration (username, identifier, password, etc.), upon providing such the User assumes liability that it is the sole party using the services from the e-mail address or using the data it has provided. With due respect to this assumption of liability, all liability in relation to the access using the e-mail address and/or data provided is borne by the User which registered the e-mail address and provided the data.
6.6 Notification of product availability
With regard to products that are currently out of stock but are expected to be subsequently available, it is possible to sign up on the Company’s website so that notification is sent when the product in question becomes available again.
Signing up for notification can occur in two ways: without registration or after registration.
The Company does not analyse the data or user habits of interested parties (which sign up) in the interests of presenting individual product recommendations and announcements on the webpages and in the newsletters.
Purpose of data processing: To send e-mail notification to interested parties on the availability of the product in question.
Lawful basis for data processing: Article 6 (1) a) of GDPR
Type of personal data managed: E-mail (in the case of signing up without registration)
Duration of data management: The e-mail address is deleted after the notification e-mail is sent.
Possible consequences of providing no data: The interested party will not receive information on the Company’s special offers and notifications.
Data processors:
Name | Registered office | Tasks of the data processor |
Petrocelli Reklámügynökség Kft. | 1119 Budapest, Károly Ireneusz József utca 9. | Operation of the website and webshop, providing information to customers on products, special offers, handling of commemorative coin pre-orders, etc. Judging of tenders, notification of winners, delivery of winnings |
Rackforest Informatikai kereskedelmi Szolgáltató és Tanácsadó Zrt. | 1132 Budapest, Victor Hugo utca 11., 5. emelet | Storage services |
VII. Principles, Mode and Duration of Data Management
7.1 The Data Controller manages the personal data in accordance with the principles of good faith, honesty and transparency, as well as in compliance with the provisions of the legal regulations in force and this Notice.
7.2 The Data Controller uses the personal data absolutely necessary for using the services on the basis of the authorisation of the User involved and solely for specific purposes.
7.3 The Data Controller only manages personal data for the purposes specified in this Notice and in the relevant legal regulations. The scope of personal data managed is proportionate to the purpose of the data management and may not exceed such. In all cases when the Data Controller wishes to use the personal data for a different purpose than the purpose of the original data collection, the User must be notified of this and its express, prior authorisation must be obtained or an opportunity must be provided for the User to prohibit such use.
7.4 The Data Controller does not check the personal data which are provided. The person providing the data is solely responsible for the personal data which are provided.
7.5 The personal data of persons younger than 16 may only be managed with the authorisation of the person exercising the rights of custody. The Data Controller is not in a position to check the entitlement of the person providing authorisation or such declarations, and thus the User or the person exercising the rights of custody guarantees that the authorisation complies with the legal regulations. In the absence of a declaration of authorisation, the Data Controller does not collect the personal data of persons younger than the age of 16, with the exception of the IP address used when accessing the service, which occurs automatically given the nature of Internet services.
7.6 The Company does not manage any special personal data, such as data on racial or ethnic origin, political opinions, religious or secular beliefs, or union membership, or personal genetic or biometric data used for the individual identification of natural persons, or any health-related or sexual orientation data.
7.7 The Data Controller does not provide the personal data it manages to third parties, with the exception of the Data Processors specified in this Notice and – in the cases set forth in this Notice – the external service providers.
Use in a statistically compiled form is an exception to the rules set forth in this Point; such data shall not contain any other data suitable for identifying the Users involved and such use shall not constitute data management or the transfer of data. In certain cases (court, law enforcement, legal proceedings, infringement of the Data Controller’s interests due to violations of property rights or other legal rights or justified suspicion of such, threats to service continuity, etc.), the Data Controller may make the available personal data of the User involved accessible to third parties.
7.8 The Data Controller’s system may collect data on the activities of Users; these data may not be linked to the other data provided by the Users upon registration.
7.9 The Data Controller shall notify the affected User with regard to rectification, limitation or erasure of the personal data it manages, and shall furthermore notify all parties to which it has previously transferred personal data for the purposes of data management. It may forego notification if the justified interests of the data subject are not infringed upon, with due respect to the purpose of data management.
7.10 The Data Controller shall ensure the security of the personal data, take the technical and organisational measures and formulate the procedural rules which ensure that the data collected, stored and managed are protected and which prevent the accidental loss, unlawful erasure, unlawful access, unlawful use, unlawful modification or unauthorised transfer of such data. The Data Controller shall call upon all other third parties to which it transfers personal data to fulfil this obligation.
7.11 With due regard to the relevant provisions of GDPR, the Data Controller is not required to designate a data protection officer.
VIII. Duration of Data Management
8.1 Management of the personal data provided by the User shall last until the User requests erasure of the data by the Data Controller. Data management based on legal regulations lasts for the period of time prescribed by the legal regulation in question.
8.2 In the case of e-mails sent by the User, if the User otherwise does have any registration, the Data Controller shall erase the e-mail address on the 90th day following closure of the matter referenced in the request, unless – in individual cases – the justified interest of the Data Controller warrants further management of the personal data, for as long as such interest of the Data Controller exists.
8.3 In the event that illegal, deceptive personal data is used or if the User commits a criminal offense, or in the event of an attack on the system, the Data Controller is entitled to simultaneously terminate the User’s registration and erase its personal data; at the same time, if there is suspicion of a criminal offense or civil liability, it is entitled to store the personal data until the completion of any legal proceedings.
8.4 If the court or other authority orders the erasure of the personal data in a final resolution, the Data Controller shall undertake erasure. In lieu of erasure, along with notifying the User, the Data Controller shall limit the use of personal data if the User requests this, or if – based on the information available – it can be presumed that erasure would infringe upon the justified interests of the User. The Data Controller shall not erase the personal data as long as a data management purpose exists which precludes erasure of the personal data.
8.5 In the case of individual orders of commemorative medals (e.g. photoengraving), designing tenders, online and prize games, data management for the data managed by the Company shall last until completion of the order, the end of the designing tender or game and announcement of the result by the Company.
8.6 The data from designing tenders is not provided to remarketing engines; the Company does not store such data in written form and does not provide the data to third parties. For tenders with a voting option, the right to vote is linked to providing an e-mail address for registration. This registration is only used by the Company to prevent hacking of the online voting. During registration for voting, the Company does not request any names, telephone numbers or other data. Upon completion of the tender the registration data is erased; the Company does not use data for remarketing purposes.
IX. Rights of the User and the Enforcement of Such
9.1 The User may request that the Data Controller inform the User as to whether it manages the personal data of the User, and if it does to ensure access to the personal data it manages (right of access). The personal data provided by the User can be viewed in the settings of the log-in system. Independently of this, the User may request information on the management of its personal data at any time in writing, by registered letter or return-receipt letter sent to the Data Controller’s address or by e-mail sent to the address adatvedelem@penzvero.hu (right of information). A request for information sent by letter shall be deemed to be authentic by the Data Controller if the User can be unambiguously identified on the basis of the request which is submitted. A request for information sent by e-mail shall only be deemed to be authentic by the Data Controller if such request is sent from the User’s registered e-mail address; however, this does not preclude the Data Controller from identifying the User in another manner prior to providing the information. The request for information may extend to the User’s data managed by the Data Controller, the source of such data, the purpose of data management, the legal basis, the duration, the name and address of any data processors, activities related to data management, and – in the case of transfer of the personal data – information on which parties received or receive the User’s data and for what purposes. The Data Controller shall provide the information following receipt of the request, but within 30 days.
9.2 The User may request that the Data Controller rectify or modify its personal data (right of rectification). Taking into consideration the purpose of data management, the User may request addition to the personal data. The personal data provided by the User can be modified in the settings of the log-in system. Following performance of a request to modify personal data, the previous (erased) data cannot be restored.
9.3 The User may request that the Data Controller erase its personal data (right to be forgotten). Erasure may be refused (i) for the purpose of exercising the right to freedom of expression and information, or (ii) if a legal regulation provides authorisation for management of the personal data, or (iii) for the establishment, exercise or defence of legal claims. The Data Controller shall inform the User regarding refusal of the request for erasure, citing the reason for such refusal. Following performance of a request to erase personal data, the previous (erased) data cannot be restored. Subscription to the newsletters sent by the Data Controller can be cancelled using the Unsubscribe link in the newsletters. In the event of cancellation, the Data Controller shall erase the User’s personal data from the newsletter database.
9.4 The User may request that the Data Controller limit management of its personal data, if the User disputes the accuracy of the personal data managed. In this case, the limitation shall last for the period of time which allows the Data Controller to review the accuracy of the personal data. The Data Controller shall mark the personal data it manages if the User disputes the correctness or accuracy of such data, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly determined. The User may also request that the Data Controller limit management of its personal data, if the data management is unlawful, but the User rejects erasure of the personal data managed and instead requests limitation on the use of such. Furthermore, the User may also request that the Data Controller limit management of its personal data, if the purpose of the data management has been achieved, but the User requires management of such data by the Data Controller in the interests of establishing, exercising or defending legal claims.
9.5 The User may request that the Data Controller provide the User with the personal data given by the User and processed using automated means in a structured, commonly used, machine-readable format, and/or transmit them to another controller (right of transmission).
9.6 The User may object (right of objection) to management of the personal data (i) if management of the personal data is necessary exclusively for the performance of a legal obligation pertaining to the Data Controller or for the enforcement of justified interests of the Data Controller or third parties; (ii) if the purpose of the data management is direct marketing, public opinion or scientific research; or (iii) if data management occurs in the public interest. In such cases, the Company shall review the objection within 15 days of the request being submitted and notify the User of the results of such review in writing. If the objection is justified, it shall terminate the data management, block the personal data managed and notify all parties which previously received the personal data affected by the objection with regard to the objection and the measures taken on the basis of such. If the User does not agree with the results of the review, or if the Company misses the deadline, the User may – within 30 days of notification or expiration of the deadline – seek remedy in the courts.
X. Data Processing
10.1 The Data Controller uses the Data Processors and External service providers named in 11.1 of Chapter XI in this Notice for the performance of its activities.
10.2 The Data Processors do not make independent decisions and are only authorised to proceed on the basis of the contract concluded with the Data Controller and its instructions. After 25 May 2018, the Data Processors store, manage and process the personal data provided by the Data Controller which they manage or store in accordance with the provisions of GDPR and have submitted declarations to this effect to the Data Controller.
10.3 The Data Controller reviews the work of the Data Processors.
10.4 The Data Processors may only use the services of further data processors with the consent of the Data Controller.
XI. Data Processors, External Service Providers
11.1 In order to provide the services, in many cases the Data Controller uses Data Processors, with which the Data Controller cooperates. With regard to the personal data managed in the systems of the Data Processors, the contents of the service contract concluded between the Data Controller and the Data Processor or the contents of the data management notice of the Data Processors are definitive. The Data Controller does everything in its power to ensure that the Data Processors manage the personal data sent to them in compliance with the legal regulations, and that the Data Processors only use such data for the purpose specified by the User or a purpose specified below in this Notice. After 25 May 2018, the Data Processors store, manage and process the personal data provided by the Data Controller which they manage or store in accordance with the provisions of GDPR. Within the framework of this Notice, the Data Controller shall notify the Users with regard to the transfer of data to Data Processors.
Company Name: Petrocelli Reklámügynökség Kft.
Company registration no: 01-09-284145
Court of registry: Commercial Court of the Municipal Court of Budapest
Registered office: 1119 Budapest, Károly Ireneusz József u. 9.
Telephone: +36 (70) 77 66 77 5
E-mail: balzermiklos@petrocelli.hu
The Data Processor manages the online prize games announced by the Company, coin design tender bids and the Company’s social media pages.
Company Name: Fotografika.hu Bt.
Company registration no: 01-06-410 688
Court of registry: Commercial Court of the Municipal Court of Budapest
Registered office: 1211 Budapest, Petz Ferenc utca 10.
Telephone: +36 (30) 747 8239
E-mail: iroda@fotografika.hu
Services provided by the data processor:
- administration of the Webpages www.penzvero.hu, www.coins.hu and www.emlekpenz.hu,
- hosting service,
- dissemination of the Newsletter,
- management of the advance order module for commemorative coins.
The Data Processor provides the interface necessary for the processing of the User’s orders for goods and services, the execution of purchases, the recording of advance order requests, attends to the dispatch of the newsletter issued by the Company and operates the aforementioned sites.
Company Name: Fáma First Kft., courier service
Company registration no: 01-09-929804
Court of registry: Commercial Court of the Municipal Court of Budapest
Registered office: 1194 Budapest, Viola u. 38.
Telephone: +36 (20) 524 4777
E-mail: info@famafutar.hu
The Data Processor manages the User’s name, and the telephone number and delivery address necessary for delivery of the product ordered by the User, in the interests of delivering the product ordered by the User.
Company Name: Magyar Posta Zrt., as the postal service provider
Company registration no: 01-10-042463
Court of registry: Commercial Court of the Municipal Court of Budapest
Registered office: 1138 Budapest, Dunavirág utca 2-6.
Telephone: +36 (1) 767 8282
E-mail: ugyfelszolgalat@posta.hu
The Data Processor manages the User’s name, and the telephone number and delivery address necessary for delivery of the product ordered by the User, in the interests of delivering the product ordered by the User.
Company Name: K&H Bank Zrt.
Company registration no: 01-10-041043
Court of registry: Commercial Court of the Regional Court of Budapest
Registered office: 1095 Budapest, Lechner Ödön fasor 9.
Telephone: +36 (1) 328 9000
E-mail: bank@kb.hu
Services provided by the data processor: online bankcard acceptance services necessary for payment for the products ordered on the Company’s Webpages. The Company has no access to the User’s bankcard data and does not perform any data management in this regard.
Company Name: MKB Bank Zrt.
Company registration no: 01-10-040952
Court of registry: Commercial Court of the Regional Court of Budapest
Registered office: 10956 Budapest, Váci utca 38.
Telephone: +36 (1) 327 8600
E-mail: telebankar@mkb.hu
Services provided by the data processor: bank account management and other banking services.
Company Name: Invitech Megoldások Zrt. (external service provider)
Company registration no: 13-10-041599
Registered office: 2040 Budaörs, Edison u. 4.
Telephone: 1444
E-mail: vip@invitech.hu
Services provided by the data processor: e-mail and internet services.
Company Name: Drávanet Zrt. (external service provider)
Company registration no: 02-10-060286
Registered office: 7624 Pécs, Budai Nagy Antal u. 1.
Telephone: 80/811-118
E-mail: info@dravanet.hu
Services provided by the data processor: e-mail services.
The two above-mentioned external service providers, which have a contractual relationship with the Data Controller, manage the personal data collected by them arising from that contractual relationship in accordance with their own data management principles.
11.2 There are external service providers, with which the Data Controller does not have a contractual relationship or does not intentionally cooperate in respect of data management, but which nevertheless have access to the Webpages and the Company’s social media pages (Facebook pages), and which as a result of such access collect data on the Users or the user activities performed on the Webpages or the Company’s social media pages; in some cases these data may be suitable for the identification of Users, either independently or in conjunction with other data collected by the external service provider. In particular, but not exclusively, these external service providers may include: Facebook Ireland LTD., Google LLC.
These external service providers manage personal data collected by them in accordance with their own data management principles.
XII. Data Transfer
12.1 The Data Controller is entitled and required to transfer all of the personal data which are available and properly stored to the competent authorities, as required by law or by legally binding official resolution. The Data Controller may not be held liable for such transfer and the consequences of such.
12.2 In the event that the Data Controller partially or completely transfers operation of storage services on the Webpages to a third party, it may transfer the personal data it manages, in full or in part, to this third party as operator without separate authorisation by the User, but with appropriate prior notification of the User, with the proviso that this transfer of data may not put the User in a worse position as compared to the prevailing data management provisions of this Notice. In the case of transfer pursuant to this Point, the Data Controller shall enable Users to protest the data transfer prior to such transfer. In the event of protest, the data of the User in question may not be transferred pursuant to this Point.
12.3 The Data Controller shall maintain a register of data transfers in the interests of reviewing the legality of data transfers and to ensure notification of Users.
XIII. Data Protection Incidents
13.1 The Company shall notify the competent supervisory authority of any data protection incidents without undue delay, and if possible no later than 72 hours after gaining knowledge of such.
13.2 If the data protection incident presumably entails a high risk to the rights and freedoms of natural persons, the Data Controller shall notify the data subject in respect of the data protection incident without undue delay.
13.3 The Data Controller shall record data protection incidents.
13.4 In the event that a data protection incident occurs at a Data Processor, it shall notify the Data Controller without undue delay after gaining knowledge of such.
13.5 The User/data subject need not be notified of the data protection incident, if
- the Data Controller has taken the appropriate technical and organisational security measures and applied such measures in relation to the data involved in the data protection incident;
- the Data Controller took further measures following the data protection incident which ensure that the high risks to the rights and freedoms of the data subject will presumably not materialise;
- the notification would require disproportionately intensive efforts.
XIV. Amendment of the Data Management Notice
14.1 The Data Controller reserves the right to amend this Notice by unilateral decision at any time.
14.2 The User accepts the prevailing Notice upon the next log-in to the Data Controller’s website, and no further requests for the consent of the Users are necessary.
XV. Legal Remedies
15.1 Any questions or comments related to data protection can be directed to the Data Controller’s employees using the e-mail address adatkezeles@penzvero.hu.
15.2 Users may also turn directly to the National Data Protection and Freedom of Information Office with complaints (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; Webpage: www.naih.hu).
15.3 Users may take legal action in the event that their rights are violated. Adjudication is the responsibility of the courts. Proceedings may be initiated at the court competent for the domicile or place of residence, at the discretion of the data subject. Upon request, the Data Controller will inform the User of the available legal remedies and options.
CONTRACTUAL PARTNERS
LEGITIMATE INTERESTS ASSESSMENT
supporting the lawful basis for the data processing of the data of contact persons designated by non-natural person contractual partners establishing a contractual relationship with Magyar Pénzverő Zrt.
In respect of the data processing of the personal data of contact persons (hereinafter: data subjects) designated by non-natural person contractual partners, Magyar Pénzverő Zrt. (hereinafter: Hungarian Mint Ltd. or data controller) is considered to be a data controller falling under the scope of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
The Hungarian Mint Ltd. has specified legitimate interests pursuant to Article 6 (1) f) of GDPR as the lawful basis for the data processing of the data of contact persons designated by non-natural person contractual partners and has thus performed a legitimate interests assessment supporting this lawful basis.
Data controller: Hungarian Mint Ltd.
Subject of the Legitimate Interests Assessment: To support the lawfulness of the processing of the personal data of contact persons designated by contractual partners in the Hungarian Mint Ltd.’s contracts with non-natural persons.
Prepared by: Zoltán Faragó, data protection officer
Date of preparation: 7 October 2020
Purpose of data processing: Promoting effective communication in relation to the performance of the contracts concluded.
Lawful basis for data processing: Data processing on the lawful basis pursuant to Article 6 (1) f) of GDPR is necessary in the legitimate interests of the Hungarian Mint Ltd. as the data controller, unless these interests are overridden by interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
Guarantees undertaken by the Hungarian Mint Ltd. prior to data processing:
- the performance of a legitimate interests assessment prior to data processing,
- the principle of data minimisation,
- the principle of accountability,
- the principle of accuracy,
- the principle of storage limitation,
- the principle of purpose limitation,
- the principles of lawfulness, fairness and transparency.
Categories of the data subject’s personal data (depending on the contents of the contract): name, e-mail address, telephone number, mailing address, position at contractual partner.
Sources of personal data: Non-natural person contractual partners of the Hungarian Mint Ltd.
Duration of data management: The period during which the personal data of the contact persons stated in the contract are kept is limited to the duration for which the respective contract is stored, whereby if there is a change in the person or personal data of the designated contact person, the contractual partner is required to immediately notify the Hungarian Mint Ltd., which shall make the amendments to the contract and delete the data that is changed.
Method of data processing: The data contained in the contract are located in closed project files, which are stored in a closed (restricted access) document archive. The destruction of such files occurs in accordance with the provisions of the Document Management Regulations.
Notification of data subjects: The Hungarian Mint Ltd. provides information to data subjects in its Information on Data Protection on the company’s Website. Above and beyond this, it is expected that the contractual partner will also notify its contact personnel, employees and representatives of the data processing and the prevailing data processing regulations. Additionally, data subjects can request information from the Hungarian Mint Ltd.’s data protection officer (Zoltán Faragó, adatvedelem@penzvero.hu).
Data subjects may review data processing in accordance with this Legitimate Interests Assessment and the Information on Data Protection, exercising their rights set forth therein, and may raise protest against such data processing.
Are alternative solutions which are less limiting from the perspective of the individual (data subject) available, with which the interests can be achieved? If the contact person data are not stated in the contract and cannot be linked to individual provisions of the contract, they cannot provide the contractual parties with a uniform structure in respect of the contractual rights and obligations. Uniform structure renders communication easier in the interests of the performance of the contract. Anonymizing the personal data would make it impossible to maintain contact with the purchaser. Keeping in mind the principle of data minimisation, the Hungarian Mint Ltd. processes the data which are absolutely necessary for maintaining contact.
Necessity test: In relation to the nature of the interests, it can be stated that while the data processing may limit the data subject’s right of self-determination with regard to personal data, this right does not embody an absolute, unlimited entitlement and thus the data processing can be deemed acceptable in the event of necessity and proportionality.
Balancing test: In respect of the nature of the interests, with regard to the data processor, there are other legitimate interests, which – when considering the issue of proportionality – are weaker than fundamental rights and public interests, but can be viewed as interests that are stronger than cultural or socially recognized interests. The nature of the interests tips the balance of proportionality towards acceptability, insofar as these interests are vital in an evidential sense. The fact that such may be necessary in the future cannot be established with complete certainty, but can be with a high likelihood. Based on all of this, the standard of proportionality shows no significant deviation in either direction. However, the necessity of data processing is supported by the fact that the data do not fall into any special categories.
Impact assessment (evaluation of the impact of data processing): The positive or negative impacts of the data processing on the data subject also do not shift the standard of proportionality in the direction of the acceptability of the data processing or the prohibition of such, as both the positive and the negative impacts are putative. The acceptability of data processing is facilitated by the fact that the data processing does not result in harassment of or the performance of regular extra activity by the data subject and also does not result in coercive or intrusive interference in the data subject’s private life or rights. The situation of the parties also does not influence the standard of proportionality, as the data subject is not a member of a vulnerable or sensitive group, and while the data processor has greater economic strength, it does not exercise any advantage in the interests of substantiation. Furthermore, the data subject is not at the mercy of the data processor in any way. With due consideration that the data subject must expect data processing when the data are collected and that the impacts of data processing are completely foreseeable, the standard of proportionality shifts towards the acceptability of data processing in this regard. The proportionality of the limitation is also increased by the fact that the data processor provides complete, clear and comprehensible information to the data subject on the scope of the personal data processed following the end of the contract, and on the basis, method and duration of data processing, as well as on the data subject’s rights in relation to such data processing.
Method of data processing (Broad-based? Foreseeable impacts?). Including, will or can the data be disclosed: The method of data processing is already clear prior to the data processing; the data processor performs the processing of the data in a secure environment with employees appropriately trained in data protection and data security issues. The data processor takes the data security measures that can be expected of it, in the interests of ensuring that the personal data processed in the contracts are not disclosed and that unauthorized third parties do not gain access to such data in any way.
Opinion of the data subjects taken into consideration in the assessment: The opinion of the data subjects was not collected in the course of preparing the legitimate interests assessment.
Findings:
- The Hungarian Mint Ltd. has a legitimate interest: In relation to the contracts concluded, ensuring contact and communication with the contractual partner, thus facilitating the most effective performance of the contract.
- Necessity test for data processing: Data processing is necessary, as the lack of such would significantly hinder performance of the contract and related administrative activities.
- Violation of data subjects’ rights and freedoms: The data processing affects the data subject’s right to information and self-determination; violation of such right is not probable in the course of the data processing.
- The data processing is proportionate, as no violation of the data subjects’ rights and freedoms can be determined, as the data processing occurs in the interest of performing work.
Result of the legitimate interests assessment:
In the course of data processing, the rights or fundamental rights and freedoms of the data subjects are not violated in such a manner that would override the legitimate interests of the Hungarian Mint Ltd. Based on the above, it is found that the legitimate interests of the Hungarian Mint Ltd. proportionately limit the legitimate interests of the data subjects. Processing of the personal data of the data subject is absolutely necessary for ensuring the rights of the purchaser involved; no other, alternative data processing solutions involving the processing of less personal data are available.