evoCRM Limited Liability Company
Company registration number: 01-09-270640
PRIVACY AND DATA PROTECTION POLICY
Effective May 25, 2018 until revoked.
Purpose of the Code
The purpose of this Code is to determine the scope of the personal data handled by evoCRM Ltd. (hereinafter: Data Controller) and the way this data is managed, and to ensure that the requirements of data protection, data management and data security are fulfilled in the automated processing and handling of the personal data of data subjects.
In the course of its activities, evoCRM Ltd. pays special attention to the protection of personal data, compliance with mandatory legal provisions, and safe and fair data management.
Information of the Data Controller: Company name: evoCRM Kft.
Company registration number: 01-09-270640
Headquarters: 1111 Budapest, Lágymányosi utca 12 st. Second
Tax ID: 25360174-2-43
Data Management Registration Number: -
In all cases, the Data Controller shall handle the personal data provided to it in compliance with the applicable Hungarian and European laws and ethical requirements, and shall at all times take the technical and organizational measures necessary for the proper management of the data.
- Act CXIX of 1995 on the management of name and address data for research and direct marketing purposes
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services
- Act XLVIII of 2008 on the basic conditions and limits for economic advertising
- Act CXII of 2011 on information self-determination and freedom of information
- Regulation 2016/679/EU of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC
2. INTERPRETATIVE PROVISIONS
- data file: the sum of all data processed in a single register;
- data processor: any natural or legal person, or any entity without legal personality, who carries out the processing of data on the basis of a contract, including a contract under a legal act;
- data controller: a public-service entity that produced or generated public-interest data which is subject to mandatory publication by electronic means;
- "data management": any operation or combination of operations performed on the data, irrespective of the procedure used, in particular the collection, recording, filing, storing, altering, using, querying, transmitting, publishing, matching or linking, blocking, deleting and destruction of data, the prevention of further use of the data, the taking of photographs, sound or image recordings, and the recording of physical characteristics (e.g. fingerprints, palmprints, DNA samples, iris images) of the person;
- data controller: any natural or legal person, or any entity without legal personality, which alone or jointly with others determines the purpose of the processing of data, takes and implements the data management (including the device used), or executes with the data processor;
- "informant": a public-service entity which publishes on a website the data transmitted to it by the data controller, unless the data controller himself publishes the data;
- data designation: the identification of the data to distinguish it;
- data transfer: making data available to a specific third party;
- data deletion: rendering the data unrecognizable in such a way that it is no longer possible to recover it;
- data protection incident: unlawful processing of personal data, in particular unauthorized access, alteration, transfer, disclosure, deletion or destruction, and accidental destruction or damage;
- data blocking: the identification of the data with the aim of limiting its further processing for a definitive or definite period;
- data subject: any natural person identified or identifiable, directly or indirectly, on the basis of personal data;
- third party: any natural or legal person, or any entity without legal personality, other than the data subject, the controller or the processor;
- consent: a voluntary and determined expression of the will of the data subject, based on appropriate information and giving his / her unambiguous consent to the processing of personal data concerning him or her, whether full or specific;
- public data of general interest: any data not covered by the definition of data of public interest, the disclosure of which is required by law in the public interest;
- specific information:
a) personal data related to racial origin, nationality, political opinions or parties, religious or other beliefs, membership of an organization representing interests, sex life,
b) personal data concerning health status, pathological passion and criminal data;
- disclosure: making the data available to anyone;
- personal data: data which can be related to the data subject, in particular the data subject's name, an identification mark and knowledge of one or more physical, physiological, mental, economic, cultural or social identities, and the conclusions that can be drawn from the data;
- protest: a statement by the data subject that he objects to the processing of his personal data and requests the termination of the data processing or the deletion of the data processed;
- data processing: performing technical tasks related to data management operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
- data destruction: the complete physical destruction of the data carrier containing the data;
- data of general interest: information or knowledge, irrespective of the way in which it is processed and of its autonomous or collective nature, which is in the possession of a public or local authority and which relates to the activities or functions of that authority, including in particular data on the scope of competence, organization, professional activity and its effectiveness, the types of data held and the legislation governing its operation, as well as data on management and contracts;
3. PRINCIPLES OF DATA MANAGEMENT
Personal data may only be processed for specified purposes, for the exercise of a right and for the fulfillment of an obligation. At all stages of data management, the purpose of data management must be appropriate, and the recording and handling of data must be fair and lawful.
Only personal data that is necessary for the fulfillment of the purpose of data management and suitable for the purpose may be processed. Personal data may be processed only to the extent and for the time necessary to achieve the purpose.
Personal data will retain this quality during data management as long as the relationship with the data subject can be restored. The data subject can be restored if the controller has the technical conditions necessary for the restoration.
The accuracy, completeness and, where necessary for the purposes of data processing, the accuracy of the data, and that the data subject can only be identified for the time necessary for the purposes of the data processing, shall be ensured.
Personal data may be transmitted and different data processing operations may be combined if necessary or permitted by law, provided that the conditions of data processing are met for each individual item of data.
The consent of the data subject shall be deemed to have been given in respect of the data provided by the data subject for publication.
In the context of proceedings brought at the request of the data subject, his / her consent to the processing of his / her necessary data shall be presumed. This fact should be brought to the attention of the data subject.
The right to the protection of personal data and the privacy of the data subject shall not, unless otherwise provided by law, be violated by other interests in the processing of data, including public access to data of public interest.
4. SCOPE OF PROCESSED DATA
evoCRM Ltd. acts as a data processor on behalf of its business partners. This data processing activity is carried out exclusively through the business partners' IT network, using the test database provided by them. evoCRM Ltd. does not store, manage or archive any personal data or database in its own computer system, nor does it have any backup of personal data on its own network or server. From a GDPR perspective, this data management is not relevant.
evoCRM Ltd. does not carry out direct marketing activities and does not issue newsletters. Business correspondence takes place with the contacts of contractual partners and other companies related to the operation. Correspondence with individuals will only occur at the time of recruitment.
The scope of personal data processed is thus limited to the data of our own employees and subcontractors.
5. BASICS OF DATA MANAGEMENT
In all activities of the Data Controller, the processing of personal data is based on law, contract or voluntary consent. In some cases, in the absence of consent, data management is based on another legal basis or on Section 6 of Act CXII of 2011.
Identity of potential controllers entitled to access personal data:
Data may be accessed and processed by the Data Controller or by employees who have been specifically authorized by the Management, subject to the terms and conditions of such authorization and to the above principles.
The Data Controller will not disclose the data to third parties.
The Data Controller shall use the following Data Processor for its activities and services:
Company name: MANAGE Economic - Information and Service Ltd.
Registered office: 1097 Budapest, Tóth K. u. 33. A. 1/3
Company registration number: 01-09-266332
Tax number: 10865518-2-43
Scope of data transmitted: Data required for payroll accounting.
Purpose of data transfer: payroll.
The Data Processing Contractor guarantees that its operation complies with the applicable data protection regulations.
Duration of data processing, deadline for deletion of data:
The accounting document (including general ledger accounts, analytical and accounting records) supporting the accounts, directly and indirectly, must be preserved in a legible form for at least 8 years, retrievable by reference to the accounting records.
In contrast to the above, pay and employment records cannot be scrapped as they may be needed beyond the 5, 8 or 10-year limitation period to calculate your pension or your service record. Accordingly, in the case of employee-related data, data relating to the confirmation of employment and Tb benefits shall be retained and shall not be deleted.
In the case of recruitment, the data may be stored - unless extended - until the application is closed.
6. SECURITY OF DATA MANAGEMENT
The Data Controller shall protect the data in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage. The Data Controller shall ensure the security of the data by technical and organizational measures which ensure a level of protection appropriate to the risks represented by the data management.
Description of the technical solution for data protection
The Data Controller shall keep the personal data in its possession confidential and, within its IT infrastructure, separate from the resources required for daily work. The Data Controller employs almost exclusively Microsoft solutions for storing personal information, whose GDPR compliance is, to a large extent, ensured by Microsoft. Learn more: https://blogs.microsoft.com/blog/2017/05/24/accelerate-gdpr-compliance-microsoft-cloud/
In addition to standard IT security measures, the following GDPR relevant technologies are used.
The Data Controller uses drive encryption on IT devices that even temporarily store your personal data to ensure that locally stored data cannot be read without the appropriate unlock keys and / or passwords. The entire drive is encrypted and can only be unlocked centrally with keys stored on the server if the hardware is broken.
Firewall and antivirus software is installed on every workstation without exception.
The personal data collected by the Data Controller is centrally stored in Microsoft Cloud Data Centers, with SharePoint Online as the primary tool. The Data Controller stores the personal information it obtains in a separate, limited SharePoint 'Site Collection', which is only accessible to those responsible through a closed group membership, the membership of which is determined by management. Sharing with a third party outside the company is forbidden; only members of evoCRM Ltd. are allowed to join this document repository.
All employees of the Data Controller receive and store personal information through the Exchange Online service provided under Microsoft Office 365. In addition to being GDPR compliant in its own right, the system provides a number of management audit tools to its subscribers. For more information: https://docs.microsoft.com/en-us/office365/enterprise/office-365-info-protection-for-gdpr-overview
Protection against spam, phishing and malware is provided automatically by Exchange Online Protection. More information: https://technet.microsoft.com/en-us/library/anti-spam-and-anti-malware-protection-in-eop.aspx
Currently, the Data Controller does not store personal data electronically in its own office-based infrastructure, so this does not deserve special attention or further action under the provisions of the GDPR. Regardless, the current servers are housed in a locked server room and protected by an uninterruptible power supply against the risks of a sudden power outage / overload, and daily backups of the virtualized servers are made to external media.
Data Protection Officer:
Given that the Data Controller only handles data on prospective, existing and former employees and subcontractors, it does not appoint a Data Protection Officer.
7. RIGHTS OF DATA SUBJECTS
The data subject may request information on the processing of his or her personal data, as well as the rectification or blocking or deletion of data other than those required by law, processed under contract or a legitimate interest.
At the request of the data subject, the Data Controller shall provide information on the data processed by the Data Controller or by the data processor, their source, the purpose, legal basis and duration of the processing, the data processor's name and address, any data protection incident, its effects and the measures taken to rectify it, and, in the case of the transfer of personal data of the data subject, the legal basis and the recipient of the data transfer.
The Data Controller shall keep a record of the data protection incidents for the purpose of monitoring the related actions and informing the data subject, which shall include:
- the scope of the personal data concerned,
- the scope and number of those involved in a data protection incident,
- the date, circumstances, effects and measures taken to address the privacy incident, and
- other data as defined by the law governing data processing.
The Controller shall keep a record of the transfer for the purpose of checking the legality of the transfer and informing the data subject of the date of transfer, the legal basis and addressee of the transfer, the scope of the transferred personal data and other data prescribed by law.
The Data Controller shall provide the information in writing, at the request of the data subject, in a comprehensible form, within the shortest time, but not more than 25 days from the submission of the request.
The Data Controller shall correct personal data that do not correspond to reality.
Personal data will be deleted by the Data Controller if its processing is unlawful, if deletion is requested by the data subject, if the data is incomplete or erroneous - and this condition cannot be legally rectified - unless such deletion is prohibited by law, if the purpose of data management has ceased or has expired, or if deletion has been ordered by a court or the Data Protection Commissioner.
The Data Controller shall inform the data subject of the rectification and erasure, as well as anyone to whom it has previously transmitted the data for the purpose of data management. Notification may be dispensed with if this is not contrary to the data subject's legitimate interest with regard to the purpose of the processing.
The information provided to the data subject is only exceptional - pursuant to CXII. (1) and Article 19.
The data subject may apply to the courts or the data protection authority in case of violation of his / her rights. Remedies and complaints may be addressed to:
Name: National Data Protection and Freedom of Information Authority
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Phone: 06-1-391-1400