This Notice sets out the basic rules and safeguards applicable to the processing of personal data by Nextum Audit Zrt as Controller (hereinafter referred to as the “Controller”) through the
www.nextum.hu
website (hereinafter referred to as the “Website”), pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).

1. CONTROLLER

• Company name: NEXTUM Audit Zártkörűen Működő Részvénytársaság
• Seat: H-1042 Budapest, Árpád út 51-53. Building B 3rd floor
• Mailing address: 1042 Budapest, Árpád út 51-53. Building B 3rd floor
• Registration authority: Court of Registration attached to the Budapest Regional Court
• Company Register No.: 01-10-048554
• Tax number: 25354818-2-41
• Phone number: +36 30 163 2237
• E-mail:
  
  

The Controller does not designate a Data Protection Officer; the person responsible for data processing is: Attila Kozma.

2. DATA PROCESSING ON THE WEBSITE

2.1 Processing job applicants’ personal data

Visitors of the Website can apply for vacancies advertised on the Website by clicking on the Careers menu and completing and submitting an application form. The Controller processes job applicants’ personal data in accordance with the provisions of the
Notice on Data Processing during Recruitment
.

2.2
Processing the personal data of parties requesting quotes

Visitors of the Website can request quotes for services provided by the Controller through the Website by completing and submitting an inquiry form. The Controller processes the personal data of parties requesting quotes in accordance with the provisions of the
Notice on Data Processing Relating to Requests for Quotes
.

2.3
Cookies

The website uses cookies. For details of data processing related to cookies, see the
Cookie Notice
available on the Website.

2.4 Google Analytics

Google Anyalytics, a service provided by Google Inc (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) also runs on the website. On each sub-page of the Website there is an embedded tracking code that connects to Google’s servers (Google Analytics tracking code). Google Analytics reads and stores cookies in order to collect data about visits to the Website and the activities of the data subjects. On this basis, it collects the following user data: the geographical location of the device without names, Internet access providers, web browser, time and duration of the visit, pages visited and possible re-visits to the Website.

The data provided by Google Analytics are not linked to any traffic data or user data from other sources. Google’s privacy policy is available at the following link:
https://policies.google.com/privacy?hl=en&gl=pl
.

To find out more about Google Analytics, please visit: https://support.google.com/analytics#topic=3544906

You can restrict access by Google Analytics by downloading the application from the following website: https://tools.google.com/dlpage/gaoptout?hl=en

The Controller stores data collected through Google Analytics as statistical data and has no access to personal data.

3. PROCESSORS USED BY THE CONTROLLER

The Controller uses the following Processors:

• Websupport Magyarország Kft (1132 Budapest, Victor Hugo utca 18-22.; Company Register No.: 01-09-381419, email: , phone: +36 22 78 76 74) as hosting provider;
• Ferenczi Gábor, sole trader (registered office: 2016 Leányfalu, Ravasz püspök utca 20.; Sole Trader’s Registration No.: email: ; phone: +36 30 499 5837) as developer of the website;
• Professional Information Technology Kereskedő és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1107 Budapest, Baross utca 4. Building C Ground floor; Company Register No.: 01-09-353262; email: ; phone: +36 1 920 0131) as the Controller’s systems administrator and IT service provider.

4. DATA SECURITY; SECURITY BREACH MANAGEMENT

The Controller has established and maintains a comprehensive data security system, which includes administrative, technical, physical, and organisational measures and safeguards to ensure the confidentiality, security, integrity and availability of personal data and to protect them from unauthorised access, use, disclosure, modification and destruction.

The Controller must notify the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) of any data security breach involving risks relating to personal data within 72 hours of becoming aware of the same.

It is the responsibility of the Controller’s Managing Director, in close cooperation with the Hosting Provider, as appropriate, to investigate the data security breach and notify the authorities. In the course of the investigation, the Managing Director will check the following circumstances:

• the nature of the security breach;
• the categories and approximate number of data subjects concerned;
• the categories and approximate number of data affected by the security breach;
• the likely consequences of the data security breach.

If it is found that a data security breach has taken place, the Managing Director will take action to notify the authorities. The Managing Director must prepare an action plan to remedy the data security breach, including measures to mitigate any adverse consequences of such breach.

5. DATA TRANSFER

Processors may have access to personal data provided through the Website. Agreements with processors provide appropriate safeguards for the secure and lawful processing of personal data.

Specific authorities or organisations authorised by law may request the Controller to provide information, to disclose or transfer data, or to make documents available. The Controller may disclose to such authorities or bodies personal data only in the scope and to the extent strictly necessary for the purpose of the request, provided that the purpose and scope of the data have been clearly specified.

The Controller shall not transfer any personal data provided to it through the Website to any third countries.

The Controller shall store personal data provided by the data subject on servers located in several external locations in Hungary, separate from the Controller’s headquarters, which are under 24-hour protection and data security is provided by a service provider specialised in the secure and professional storage of servers.

In order to prevent unauthorised access to its systems, the Controller shall regularly review its data collection, storage and processing practices and applies strict access restrictions.

6. RIGHTS RELATING TO DATA PROCESSING

6.1 Information provision

At the time of capturing personal data, and thereafter within one month of receipt of the request to do so, but no later than upon first contact, the Controller shall, by making this Notice available, advise the data subject of the following:

• the Controller’s contact details;
• contact details of the Controller’s Data Protection Officer (the person in charge of data protection);
• the purpose and legal ground of data processing;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed;
• the envisaged period of storage of personal data or the criteria for determining such a time period;
• information on the right to request the rectification, erasure or restriction of the processing of personal data and on the right to object to data processing;
• information on the right to withdraw consent to data processing;
• information on the complaint procedure conducted by the competent authority;
• the conditions and circumstances of data transfer to third countries;
• the legitimate interest of the Controller as controller, which justifies the data processing;
• the data source.;

6.2 Access to information on data processing

The data subject may at any time contact the Controller to inquire about whether the Controller is processing their personal data. If the Controller is indeed processing the data subject’s personal data, the Controller shall provide the data subject with the information specified in section 4.1.

6.3 Right to rectification

On the basis of the principle of accuracy, if the data subject becomes aware that personal data processed by the Controller are inaccurate or incomplete, they shall be entitled to address a request for rectification or integration to the Controller and the Controller shall fulfil the request without delay.

6.4 Right to be forgotten

The Controller shall, upon a reasonable request of the data subject, erase their personal data within the time limits specified in this Notice for each processing operation, if any of the following reasons apply:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• the data subject withdraws their consent forming the basis of data processing and there is no other legal ground for data processing;
• the data subject objects to data processing and there is no overriding legitimate ground for such data processing;
• the personal data have been unlawfully processed;
• the personal data must be erased in order to comply with a legal obligation under EU or Member State law applicable to the Controller;
• the personal data have been collected in connection with offering information society services directly targeting children.

The Controller shall not be able to erase the data subject’s personal data in the event of a request under this point, if the processing is necessary to comply with a legal obligation or if it is necessary for the purposes of enforcing a claim (e.g. compensation). The Controller shall inform the data subject requesting erasure of the existence of such circumstances.

6.5 Right to restriction of data processing

If the data subject has notified the Controller of inaccuracies in the personal data processed by the Controller, the Controller shall, upon request, suspend the processing of the personal data referred to in the request until it has verified the accuracy of said personal data and decided to correct or complete them.

The Controller shall also restrict data processing if

• the unlawfulness of data processing has been established and the data subject opposes the erasure of the data and requests instead the restriction of their use;
• the personal data are no longer necessary for the purposes of data processing but the data subject requires them for the filing, enforcement or defence of legal claims; or
• the data subject has objected to processing and a period of time is necessary to consider whether the legitimate grounds of the Controller override the legitimate grounds of the data subject.

6.6 Right to data portability

The data subject shall have the right to receive personal data provided to the Controller in a commonly known and used, structured, machine-readable format and to have it sent to another controller (e.g. a new agency) or to have it transmitted directly by the Controller to the other controller on the basis of the data subject’s instructions. The Controller shall comply with the request where the processing of personal data in a computer system is based on the data subject’s consent or is necessary for the performance of a contract.

6.7 Right to object

Where the Controller processes personal data of a data subject for its own legitimate interests or for the legitimate interests of another person, the data subject shall have the right to object to the processing. In the event of an objection, the Controller may continue to process the personal data of the data subject only if it demonstrates compelling reasons for the processing which (i) override the rights or interests of the data subject or (ii) are necessary to enforce a claim.

6.8 Right to lodge a complaint with a supervisory authority

If the data subject considers that the Controller is in breach of the standards for the processing of their personal data, the data subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) as supervisory authority for the processing activities.

Hungarian National Authority for Data Protection and Freedom of Information:

• 1530 Budapest, PO box 5.
• 1125 Budapest, Szilágyi Erzsébet fasor 22/c
• +36 1 391 1400
• +36 1 391 1410 (fax)
• www.naih.hu

6.9 Right to apply to the courts

Irrespective of the exercise of both the rights listed above and the right of recourse to a supervisory authority, the data subject shall have the right to take legal action against the Controller for infringement of their rights in relation to data processing.

6.10 Right to compensation

Where the data subject suffers damage as a result of unlawful processing, they shall have the right to claim compensation. The Controller shall be liable for the damage caused by the processing. Where the Controller proceeds as a processor, it shall be liable for the damage caused by the processing only if it has failed to comply with the obligations specifically imposed on processors by the GDPR or if it has disregarded or acted contrary to lawful instructions from a client acting as a controller.

If the Controller infringes the data subject’s right to privacy by unlawfully processing the data subject’s data or by breaching data security requirements, the data subject may claim damages from the Controller. The Controller shall be liable to the data subject for any damage caused by the processor and the Controller shall also pay the data subject due damages in the event of violation of personality rights caused by the processor. The Controller shall be exempted from liability for the damage caused and from the obligation to pay damages if it proves that the damage or the violation of the data subject’s personality rights has been caused by an unforeseeable circumstance outside the scope of processing, for which it shall not be liable. No compensation shall be paid and no damages shall be claimed where the damage has resulted from the data subject’s intentional or grossly negligent conduct. The Controller’s general civil liability shall be governed by the provisions of the Civil Code and the Information Act. The above provisions on damages shall apply only in the case of a mandatory provision of law.

At the data subject’s request, the Controller shall provide detailed information on the options of enforcing rights.