Privacy policy

PRIVACY AND DATA PROTECTION POLICY AND INFORMATION NOTICE

1.     THE CONTROLLER

1.1. Identification of Controller:

Company name:

ASSA ABLOY Opening Solutions Hungary Kft.

Registered seat:

HU-8000 Székesfehérvár, Palánkai út 5.

Branch office:

HU-1031 Budapest, Záhony utca 7.

Company registration No.:

07-09-001285

Tax identification number:

10271731-2-07

Representatives jointly:

István Kocsis and András Pintér as general managers

Name of application:

SiS Work

Availability of the privacy policy:

In the application

Main activity:

Manufacture of other electrical equipment

E-mail address:

info.seawing@assaabloy.com

2.     THE DATA PROTECTION OFFICER

ASSA ABLOY Opening Solutions Hungary Kft. ("Controller"), taking into account the fact that it processes sensitive personal data in accordance with the rules of Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"), appoints a Data Protection Officer to ensure the lawful processing and protection of data.

The Data Protection Officer is appointed from among the employees of the Controller as the employer. The Controller shall ensure that the Data Protection Officer shall only be an employee of the Controller who is bound by an obligation of confidentiality.

2.1  Details of the Data Protection Officer:

Name:

Balazs Bachstetter

E-mail address:

balazs.bachstetter@assaabloy.com

Telephone number:

+36 22 510-170

 

3.     RULES ON DATA PROCESSING

This privacy policy is valid from 15th April 2024 until its withdrawal.

This policy and information notice sets out the rules and obligations of natural persons with regard to the processing of personal data and informs natural persons about the processing of their personal data, including its exact nature, the purposes of the processing, the identity of the persons and entities having access to their data and the security measures taken to protect them during processing.

During the operation of the application, the Controller processes the data provided by private users who have registered and logged in to the application in order to provide them with a transparent and secure service when using the application, to facilitate their work and to accelerate the fulfilment of various administrative obligations.

Data processing is carried out by the Controller.

The Controller intends to fully comply with the legal requirements for the processing of personal data, in particular the GDPR and the Act CXII of 2011 on the right to informational self-determination and on the freedom of information ("Privacy Act"), taking into account the amendment of the Privacy Act in 2018.

The terminology used in this policy corresponds to the interpretative definitions set out in Article 4 of the GDPR, supplemented in certain points by the interpretative provisions of Article 3 of the Privacy Act.

3.1  Relevant terms, interpretative provisions:

„personal data”: means any information relating to an identified or identifiable natural person („data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

„biometric data”: means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

„consent”: of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

„controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

„processing”: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

„profiling”: means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

„pseudonymisation”: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

„filing system”: means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

„data erasure”: means making the data unrecognisable in such a way that restoration is no longer possible.

3.2  Additional terms:

„employer”: means any person having the capacity to perform legal acts who is party to employment contracts with employees;

„employee”: means any natural person who works under an employment contract;

„user”: means natural persons who have their own username and password in the application and are authorised to use the services of the application.

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Personal data shall be collected by the Controller only for specified, explicit and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes. Additionally, the personal data collected shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

In the course of their work, the employees of the Controller shall ensure that no unauthorized persons have access to personal data, and that the storage and placement of personal data is designed in such a way that it cannot be accessed, known, altered or destroyed by unauthorized persons.

 

The Controller processes personal data only on the basis of the legal grounds set out in Article 6 of the GDPR. The processing of personal data is therefore lawful only if at least one of the following conditions apply:

a)      the data subject has given consent to the processing of his or her personal data for one or more specific purposes [Article 6(1)(a) GDPR];

b)      processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract [Article 6(1)(b) GDPR];

c)       processing is necessary for compliance with a legal obligation to which the Controller is subject [Article 6(1)(c) GDPR];

d)      processing is necessary in order to protect the vital interests of the data subject or of another natural person [Article 6(1)(d) GDPR];

e)      processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller [Article 6(1)(e) GDPR];

f)       processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child [Article 6(1)(f) GDPR].

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

Consent should cover all processing activities carried out for the same purpose or purposes.

 If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

4.     DATA PROCESSING DURING THE USE OF THE APPLICATION

4.1  Data of employees

4.1.1                    Scope, legal basis and purpose of the personal data processed by the Controller

In relation to personal data, the legal basis for processing is the data subject's consent to the processing of his or her personal data for one or more specific purposes, as provided for in Article 6(1)(a) of the GDPR, and, in relation to sensitive personal data, Article 9(2)(a) of the GDPR, which also requires the data subject's explicit consent to the processing of sensitive personal data for one or more specific purposes.

4.1.2                    Method of data collection:

The data subject provides data to the Controller by filling out the registration and electronic forms on the application. The scope of data collection depends on the consent of the data subject.

4.1.3                    Scope of personal data processed by the Controller:

a)      the employee's

aa)  name

ab)  place and date of birth

ac)  gender

ad)  citizenship

ae)  the address of his or her place of residence or domicile

af)   social security number

ag)  in the case of non-Hungarian citizens, the legal title of residence in Hungary and the name and number of such document,

ah)  profile picture

ai)    job title

aj)    supervisor’s name (if he/she has one)

ak)  telephone number

al)    e-mail address

- for contact and identification purposes

The employer or the employee's supervisor may contact the employee during the employee's working hours using the electronic or other contact addresses provided by the employee.

voluntarily provided:

·         current location

·         tracking of movement

·         location history

– for the purpose of monitoring work

The employee's supervisor may make it compulsory to provide location data in order to carry out certain workplace activities. This may include the use of specific entry points.

b)      automatically collected data include:

ba)  IP address

bb)  browsing history - including referring and exit pages

bc)  technical, connectivity and usage data

bd)  activity logs

be)  relevant cookies

bf)   clicks

bg)  interactions

bh)  any information regarding the viewing history on the application

- to track the reach of the application

bi)   performance data

bj)   data on functionality

bk)  data on stability

bl)   fraudulent activities

- to improve the operation of the application

c)      messages, documents and images uploaded to the application system - for the purpose of monitoring work

d)     web interface personal data - to increase transparency

e)      data relating to the employee's existing employment relationship - for administrative purposes

f)      data relating to the suspension or termination of employment - for administrative and monitoring purposes

g)     data relating to the employee's negligence - for administrative purposes

h)     data on the employee's requests, their status, acceptance, rejection - in order to facilitate administration

i)       data relating to the duration, place and execution of work - for administrative and monitoring purposes

j)       data on the employee's remuneration and wages - for administrative purposes

k)     data relating to the employee's disciplinary and compensation cases - for the purpose of recording misconduct

l)       biometric data - for identification purposes

4.1.4                    How the data is stored

The data storage is mainly electronic, through the application system, while the various non-electronic forms are also stored on paper.

4.1.5                    Duration of data processing

The Controller processes the data for the duration of the registration. In the event of unlawful or fraudulent use of personal data or in the event of a criminal offence or system attack committed by the user, the Controller is entitled to delete the user's data without delay, and in the event of suspected criminal offences or civil liability, the Controller is also entitled to retain the data for the duration of the proceedings.

4.1.6                    Access to personal data

Access to the employee's personal data in the system is as follows:

a)      the employee has access to all personal data concerning him or her;

b)     persons in a "supervisor" position have access to all data necessary to manage the work of the employees under their supervision;

c)      the person with "administrator" rights has access to all personal data. The Controller shall ensure that only its employees bound by confidentiality obligations are authorised to act as administrators.

4.2  Data on persons with an employment-related relationship

4.2.1                    Scope, legal basis and purpose of the personal data processed by the Controller

In relation to personal data, the legal basis for processing is the data subject's consent to the processing of his or her personal data for one or more specific purposes, as provided for in Article 6(1)(a) of the GDPR, and, in relation to sensitive personal data, Article 9(2)(a) of the GDPR, which also requires the data subject's explicit consent to the processing of sensitive personal data for one or more specific purposes.

4.2.2                    Method of data collection:

The data subject provides data to the Controller by filling out the registration and electronic forms on the application. The scope of data collection depends on the consent of the data subject.

4.2.3                    Scope of personal data processed by the Controller:

a)      of the person with an employment-related relationship:

aa)  name

ab)  place and date of birth

ac)  gender

ad)  citizenship

ae)  the address of his or her place of residence or domicile

af)   social security number

ag)  in the case of non-Hungarian citizens, the legal title of residence in Hungary and the name and number of such document

ah)  profile picture

ai)    job title

aj)    supervisor’s name (if he/she has one)

ak)  telephone number

al)    e-mail address

- for contact and identification purposes

The supervisor of the person with an employment-related relationship or the person who employs the person with an employment-related relationship may contact the person with an employment-related relationship during his or her working hours using the electronic or other contact addresses provided by him or her.

voluntarily provided:

·         current location

·         tracking of movement

·         location history

– for the purpose of monitoring work

The supervisor of the person with an employment-related relationship may make it compulsory to provide location data in order to carry out certain workplace activities. This may include the use of specific entry points.

b)     automatically collected data include:

ba)  IP address

bb)  browsing history - including referring and exit pages

bc)  technical, connectivity and usage data

bd)  activity logs

be)  relevant cookies

bf)   clicks

bg)  interactions

bh)  any information regarding the viewing history on the application

- to track the reach of the application

bi)   performance data

bj)   data on functionality

bk)  data on stability

bl)   fraudulent activities

- to improve the operation of the application

c)      messages, documents and images uploaded to the application system - for the purpose of monitoring work

d)     web interface personal data - to increase transparency

e)      data relating to the existing legal relationship of the person having an employment-related relationship - for administrative purposes

f)      data relating to the suspension or termination of the legal relationship - for administrative and monitoring purposes

g)     data relating to the negligence of the person with an employment-related relationship - for administrative purposes

h)     data on the requests of the person with an employment-related relationship, their status, acceptance, rejection - in order to facilitate administration

i)       data relating to the duration, place and execution of work - for administrative and monitoring purposes

j)       data on the remuneration and wages of the person with an employment-related relationship - for administrative purposes

k)     data relating to disciplinary and compensation cases of the person with an employment-related relationship - for the purpose of recording misconduct

l)       biometric data - for identification purposes

4.2.4                    How the data is stored

The data storage is mainly electronic, through the application system, while the various non-electronic forms are also stored on paper.

4.2.5                    Duration of data processing

The Controller processes the data for the duration of the registration. In the event of unlawful or fraudulent use of personal data or in the event of a criminal offence or system attack committed by the user, the Controller is entitled to delete the user's data without delay, and in the event of suspected criminal offences or civil liability, the Controller is also entitled to retain the data for the duration of the proceedings.

4.2.6                    Access to personal data

Access to the personal data of the person with an employment-related relationship in the system is as follows:

a)      the person with an employment-related relationship has access to all personal data concerning him or her;

b)     persons in a "supervisor" position have access to all data necessary to manage the work of the persons with employment-related relationships under their supervision;

c)      the person with "administrator" rights has access to all personal data. The Controller shall ensure that only its employees bound by confidentiality obligations are authorised to act as administrators.

5.     RIGHTS OF THE USER AS DATA SUBJECT

The data subject may request information on the processing of his or her personal data; request the rectification of his or her personal data; request the erasure of his or her data via the e-mail address provided by the Controller; request the restriction of processing; and has the right to data portability and the right to legal remedy.

In the event of a complaint in Hungary, the data subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information or, at his or her choice, go to a court. The Regional Courts have jurisdiction to hear the case.

Rights of the data subject:

5.1. Right of access and information

As the Controller collects personal data relating to the data subject from the data subject, the Controller shall provide the data subject with all of the following information at the time the personal data are obtained:

a)      the identity and the contact details of the Controller and, where applicable, of the Controller's representative;

b)     the contact details of the Data Protection Officer, where applicable;

c)      the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d)     the legitimate interests of the controller or a third party, where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child;

e)      the recipients or categories of recipients of the personal data, if any;

f)      where applicable, the fact that the Controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a)      the purposes of the processing;

b)     the categories of personal data concerned;

c)      the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

d)     where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e)      the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f)      the right to lodge a complaint with a supervisory authority;

g)     where the personal data are not collected from the data subject, any available information as to their source;

h)     the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

The Controller shall, without undue delay and in any event within one month of receipt of the request, provide information to the data subject on the action taken on a request under the right of information. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

As a general principle, the information is provided free of charge, and the Controller will only charge a fee in the cases specified in Articles 12(5) and 15(3) of the GDPR.

If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5.2. Right to rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

For the period during which the Controller checks the accuracy of the personal data, the personal data in question may be restricted in accordance with point 5.4 of this policy.

5.3. Right to erasure („right to be forgotten”)

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a)      the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b)     the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

c)      the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d)     the personal data have been unlawfully processed;

e)      the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;

f)      the personal data have been collected in relation to the offer of information society services.

Where the Controller has made the personal data public and is obliged to erase them in the cases listed above, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right of the data subject to erasure may be limited only if the following exceptions in the GDPR apply, i.e. if the following grounds apply, the continued retention of personal data may be considered lawful:

a)      for exercising the right of freedom of expression and information;

b)     for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

c)      for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

d)     for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

OR

e)      for the establishment, exercise or defence of legal claims.

5.4. Right to restriction of processing

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

a)      the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;

b)      the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c)      the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

OR

d)      the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the Controller override those of the data subject.

The Controller shall suspend the processing of the personal data for the duration of the examination of the objection of the data subject to the processing of his or her personal data, but for a maximum of 5 days, examine the validity of the objection and take a decision, which shall be communicated to the applicant.

If the objection is justified, the Controller will restrict the data, so that only storage as data processing can take place until

a)      the data subject gives consent to the processing;

b)     the processing of personal data becomes necessary for the exercise of legal claims;

c)      the processing of personal data is necessary to protect the rights of another natural or legal person; or

d)     law requires data processing in the public interest.

Where the restriction of processing is the result of a request by the data subject, the Controller shall inform the data subject in advance of the lifting of the restriction.

5.5. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided, where:

a)      the legal basis for the processing of data is either the data subject's previously given consent, or that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; [Article 6(1)(a) or (b) and Article 9(2)(a) GDPR]

AND

b)      the processing is carried out by automated means.

The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.

5.6. Right to object

The data subject may object to the processing of his or her personal data by means of a statement addressed to the Controller if the legal basis for the processing is

a)      public interest within the meaning of Article 6(1)(e) of the GDPR; or

b)     legitimate interest within the meaning of Article 6(1)(f) of the GDPR.

In this case, the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

5.7. Withdrawal of consent

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw as to give consent.

5.8. Legal remedy

The Controller shall compensate for any damage caused to others in connection with the unlawful processing of the data subject's data or breach of data security requirements, and pay grievance award for damages from the violation of personality rights caused by it. The Controller shall be exempt from liability for the damage caused and from the obligation to pay grievance award if it proves that it is not in any way responsible for the event giving rise to the damage.

The data subject may lodge a complaint about the Controller's data processing procedures with the supervisory authority, which in Hungary is the NAIH.

Details of NAIH:

Name:

National Authority for Data Protection and Freedom of Information

Registered seat:

HU-1024 Budapest, Szilágyi Erzsébet fasor 22/C.

Homepage:

www.naih.hu

The data subject also has the option of pursuing his or her legal claim through the courts. The Regional Courts have jurisdiction to hear the case. The legal action may also be brought before the court of the data subject's place of residence or domicile, at his or her choice.

6.     CHANGE OF POLICY

The Controller reserves the right to modify the policy. If the change affects the use of the personal data provided by the data subject, the changes will be communicated to the user by means of an e-mail information letter. If the details of the processing also change as a result of the modification of the policy, the Controller will specifically request the data subject's consent.

7.     ISSUES NOT COVERED BY THE PRIVACY AND DATA PROTECTION POLICY AND INFORMATION NOTICE

In matters not covered by this policy, the provisions of the GDPR and, in the cases permitted by the GDPR, the rules of the Privacy Act shall apply by way of assistance, and thereafter the provisions of other relevant sectoral legislation shall pertain.