This Notice sets out the basic rules and safeguards applicable to the processing of personal data by Nextum Audit Zrt as Controller (hereinafter referred to as the “Controller”) through the www.nextum.hu website (hereinafter referred to as the “Website”), pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).
The Controller does not designate a Data Protection Officer; the person responsible for data processing is: Attila Kozma.
Visitors of the Website can apply for vacancies advertised on the Website by clicking on the Careers menu and completing and submitting an application form. The Controller processes job applicants’ personal data in accordance with the provisions of the Notice on Data Processing during Recruitment.
Visitors of the Website can request quotes for services provided by the Controller through the Website by completing and submitting an inquiry form. The Controller processes the personal data of parties requesting quotes in accordance with the provisions of the Notice on Data Processing Relating to Requests for Quotes.
The Website uses cookies. For details of data processing related to cookies, see the Cookie Notice available on the Website.
Google Analytics, a service provided by Google Inc (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), also runs on the Website. On each sub-page of the Website there is an embedded tracking code that connects to Google’s servers (Google Analytics tracking code). Google Analytics reads and stores cookies in order to collect data about visits to the Website and the activities of the data subjects. On this basis, it collects the following user data: the geographical location of the device without names, Internet access providers, web browser, time and duration of the visit, pages visited and possible re-visits to the Website.
The data provided by Google Analytics are not linked to any traffic data or user data from other sources. Google’s privacy policy is available at the following link: https://policies.google.com/privacy?hl=en&gl=pl
To find out more about Google Analytics, please visit: https://support.google.com/analytics#topic=3544906
You can restrict access by Google Analytics by downloading the application from the following website: https://tools.google.com/dlpage/gaoptout?hl=en
The Controller stores data collected through Google Analytics as statistical data and has no access to personal data.
The Controller uses the following Processors:
The Controller has established and maintains a comprehensive data security system, which includes administrative, technical, physical, and organisational measures and safeguards to ensure the confidentiality, security, integrity and availability of personal data and to protect them from unauthorised access, use, disclosure, modification and destruction.
The Controller must notify the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) of any data security breach involving risks relating to personal data within 72 hours of becoming aware of the same.
It is the responsibility of the Controller’s Managing Director, in close cooperation with the Hosting Provider, as appropriate, to investigate the data security breach and notify the authorities. In the course of the investigation, the Managing Director will check the following circumstances:
If it is found that a data security breach has taken place, the Managing Director will take action to notify the authorities. The Managing Director must prepare an action plan to remedy the data security breach, including measures to mitigate any adverse consequences of such breach.
Processors may have access to personal data provided through the Website. Agreements with processors provide appropriate safeguards for the secure and lawful processing of personal data.
Specific authorities or organisations authorised by law may request the Controller to provide information, to disclose or transfer data, or to make documents available. The Controller may disclose to such authorities or bodies personal data only in the scope and to the extent strictly necessary for the purpose of the request, provided that the purpose and scope of the data have been clearly specified.
The Controller shall not transfer any personal data provided to it through the Website to any third countries.
The Controller shall store personal data provided by the data subject on servers located in several external locations in Hungary, separate from the Controller’s headquarters. These servers are under 24-hour protection, and data security is provided by a service provider specialised in the secure and professional storage of servers.
In order to prevent unauthorised access to its systems, the Controller shall regularly review its data collection, storage and processing practices and apply strict access restrictions.
At the time of capturing personal data, and thereafter within one month of receipt of the request to do so, but no later than upon first contact, the Controller shall, by making this Notice available, advise the data subject of the following:
The data subject may at any time contact the Controller to inquire about whether the Controller is processing their personal data. If the Controller is indeed processing the data subject’s personal data, the Controller shall provide the data subject with the information specified in section 4.1.
On the basis of the principle of accuracy, if the data subject becomes aware that personal data processed by the Controller are inaccurate or incomplete, they shall be entitled to address a request for rectification or integration to the Controller and the Controller shall fulfil the request without delay.
The Controller shall, upon a reasonable request of the data subject, erase their personal data within the time limits specified in this Notice for each processing operation, if any of the following reasons apply:
The Controller shall not be able to erase the data subject’s personal data in the event of a request under this point, if the processing is necessary to comply with a legal obligation or if it is necessary for the purposes of enforcing a claim (e.g. compensation). The Controller shall inform the data subject requesting erasure of the existence of such circumstances.
If the data subject has notified the Controller of inaccuracies in the personal data processed by the Controller, the Controller shall, upon request, suspend the processing of the personal data referred to in the request until it has verified the accuracy of said personal data and decided to correct or complete them.
The Controller shall also restrict data processing if
The data subject shall have the right to receive personal data provided to the Controller in a commonly known and used, structured, machine-readable format and to have it sent to another controller (e.g. a new agency) or to have it transmitted directly by the Controller to the other controller on the basis of the data subject’s instructions. The Controller shall comply with the request where the processing of personal data in a computer system is based on the data subject’s consent or is necessary for the performance of a contract.
Where the Controller processes personal data of a data subject for its own legitimate interests or for the legitimate interests of another person, the data subject shall have the right to object to the processing. In the event of an objection, the Controller may continue to process the personal data of the data subject only if it demonstrates compelling reasons for the processing which (i) override the rights or interests of the data subject or (ii) are necessary to enforce a claim.
If the data subject considers that the Controller is in breach of the standards for the processing of their personal data, the data subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) as supervisory authority for the processing activities.
Irrespective of the exercise of both the rights listed above and the right of recourse to a supervisory authority, the data subject shall have the right to take legal action against the Controller for infringement of their rights in relation to data processing.
Where the data subject suffers damage as a result of unlawful processing, they shall have the right to claim compensation. The Controller shall be liable for the damage caused by the processing. Where the Controller proceeds as a processor, it shall be liable for the damage caused by the processing only if it has failed to comply with the obligations specifically imposed on processors by the GDPR or if it has disregarded or acted contrary to lawful instructions from a client acting as a controller.
If the Controller infringes the data subject’s right to privacy by unlawfully processing the data subject’s data or by breaching data security requirements, the data subject may claim damages from the Controller. The Controller shall be liable to the data subject for any damage caused by the processor and the Controller shall also pay the data subject due damages in the event of violation of personality rights caused by the processor. The Controller shall be exempted from liability for the damage caused and from the obligation to pay damages if it proves that the damage or the violation of the data subject’s personality rights has been caused by an unforeseeable circumstance outside the scope of processing, for which it shall not be liable. No compensation shall be paid and no damages shall be claimed where the damage has resulted from the data subject’s intentional or grossly negligent conduct. The Controller’s general civil liability shall be governed by the provisions of the Civil Code and the Information Act. The above provisions on damages shall apply only in the case of a mandatory provision of law.
At the data subject’s request, the Controller shall provide detailed information on the options of enforcing rights.