ENLOYD DATA PROTECTION POLICY
AND DATA PRIVACY NOTICE
ENLOYD DATA PROTECTION POLICY AND DATA PRIVACY NOTICE
Effective from: May 1, 2020 until repealed
This document (hereinafter: Privacy Notice) will explain, as required by the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: GDPR) as well as by other in-force Hungarian legislation, how we process your personal data and which rights and options you have in this respect.
This document also serves the purpose of informing the customers of ENLOYD Kft and the visitors of its website (https://www.enloyd.hu/hu/) about what personal data we process in relation to our business activities, what data processing practices we apply, what technical and organisational protection measures we implemented, and what means and options data subjects have to exercise their rights.
means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
(short company name: ENLOYD Kft.; registered seat: 1062 Budapest, Aradi utca 8-10.; company reg. number: 01-09-202847; tax number: 25151921-2-41; Telephone: +36-1-783-0000; e-mail: email@example.com; website: https://enloyd.hu/, hereinafter: Controller or ENLOYD)
The Controller undertakes to disclose a clear, awareness-raising and unambiguous notice prior to commencing the processing of any personal data to provide information to the data subject in a fair and transparent manner about, among others, the manner, the purposes and the principles of the processing.
PRINCIPLES RELATING TO PROCESSING, METHOD OF PROCESSING
ENLOYD feels it is of particular importance to respect its customers’ right to information self-determination, and to ensure the highest level of protection to any personal data it processes. We, therefore, treat all personal data highly confidential and process them in a manner which ensures appropriate security of the data, including protection against accidental loss, unlawful destruction, alteration, dissemination and unauthorized access to them, using appropriate security, technical or organizational measures.
Lawfulness, Fairness and Transparency
We will process personal data lawfully (based on a consent or legitimate legal basis), fairly and in a transparent manner in relation to the data subject. Any information and communication relating to the processing of your personal data will be exact, transparent, easily accessible and easy to understand, written in clear and plain language.
We will, to the best of our ability, act on the requests of data subjects related to data processing, particularly if the legal basis for the processing is their consent.
According to the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
• the data subject has given consent;
• processing is necessary for the performance of a contract;
• processing is necessary for compliance with a legal obligation;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights of the data subject.
We only collect data for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
In line with the principle of data minimization, we only collect and process data to the extent they are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
We take every reasonable step to ensure that the personal data we process are accurate and, where necessary, kept up to date. Personal data that are inaccurate are erased or rectified without delay. We apply the principle of data accuracy to every processing operation.
Personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, taking account of the time limits set out in legislation. As soon as these purposes are achieved, personal data are either erased or rendered anonymous. In order to ensure that the personal data are not kept longer than necessary, time limits are established for erasure or for a periodic review. If pseudonymization is applied, personal data may not be attributed to the data subject without combining them with other information.
Security of Personal Data
We have implemented all the necessary technical and organizational measures to ensure that personal data are protected against accidental, unauthorized or unlawful access, use, alteration, disclosure, loss, destruction or damage while they are processed. We have, in particular, implemented IT and organizational prevention measures (e.g.: defining access rights and authorization privileges, encryption of data) as required pursuant to the provisions in Article 32 (Security of processing) and in Article 35 (Data protection impact assessment) of the GDPR.
We shall notify the data protection authority of any personal data breach where there is a reasonable risk that the rights and freedoms of data subjects may have been infringed, as set out in Article 33 of the GDPR. We shall have a similar obligation to communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to his/her rights and freedoms.
While processing personal data, we are responsible for ensuring full compliance with all data protection regulations as well as with our own policies. Pursuant to the principle of accountability (Article 5 (2) of the GDPR), we shall be able to demonstrate compliance with data protection regulations to data subjects, to the public and to the supervisory authorities at all times.
We shall not verify the correctness of data if such data have been disclosed by the data subject himself/herself. For that reason, responsibility for the accuracy of data shall solely lie with the disclosing person.
We shall not process the personal data of data subjects under 16 years of age.
Being entitled to the exemption granted by law, we have not appointed a data protection officer.
Where the data processing is based on a legitimate interest pursued by our company, we have performed and will continue to perform a balancing test for legitimate interest to support that our legitimate interest to processing the personal data overrides the data subject’s interests, rights or freedoms. At the request of the data subject, we will provide information about the foregoing.
The Controller shall use only contracted processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the data protection regulations and ensure the protection of the rights of the data subject. The Controller shall not transfer personal data to other third parties, unless required to do so by law.
The following entities shall be entitled to act as processors on behalf of the Controller:
1. In the capacity of the IT service provider operating, maintaining and managing the website (hereinafter: Website):
ICT Európa Network Kft. (Registered seat: 1117 Budapest, Fehérvári út 50-52.; Company reg. number: 01-09-935243; Tax number: 12457124-2-43)
2. Postal services, delivery, courier services:
Magyar Posta Zrt. (registered seat: 1138 Budapest, Dunavirág utca 2-6.; company reg. number: 01-10-042463; tax number: 10901232-2-44)
DHL Express Magyarország Kft. (registered seat: 1185 Budapest, BUD International Airport Building No. 302; company reg. number: 01-09-060665; tax number: 10210798-2-44)
3. Enterprise resource planning (ERP), invoicing:
ICT Európa Finance Kft. (Registered seat: 1117 Budapest, Fehérvári út 50-52.; Company reg. number: 01-09-935243; Tax number: 12457124-2-43)
PERSONAL DATA PROCESSED
a) General Information
A cookie is a packet of data consisting of alphabetical and numerical characters sent from a website to the user's web browser with the purpose to store settings and information on the user’s computer so as to facilitate the use of the Website while also contributing to statistical data collection. Cookies do not contain personal information and may not, in themselves, be used to identify the user. Some cookies expire after the Website is closed, while others are stored on the user’s computer for a longer period. Users may block or disable cookies, and may also clear cookies stored on their computer during previous sessions. Consult the Help function of your browser to learn how to manage these options.
b) Cookies necessary for Using the Website
The Controller may place cookies on the computer of the Website’s visitor which are necessary for the use of the Website. Some of these cookies are strictly necessary for the functionality of the Website: they are essential in order to enable the visitor to navigate the Website and use certain features. Without these strictly necessary cookies, the Website or some of its functions will not work or will not work flawlessly. Cookies record the IP address of the user’s device, the date and time of the visit, the type of the browser and the operating system, as well as the pages visited during the session.
As for these cookies, data processing is required for the proper operation of the Website.
The period of data processing shall be limited to the current session of the visitor and once the session is over and the browser is closed, these type of cookies are automatically cleared from the computer.
Since the operation of the Website is the legitimate interest of the Controller, the legal basis of the data processing is this legitimate interest within the meaning of Article (6) (1) (f) of the GDPR, which is also protected by Section 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services, which states that the service provider may – for the purpose of providing the service – process personal data indispensable for providing the service for technical reasons.
The recipients of the personal data are the Controller’s employees and processors engaged in the operation of the website.
c) Other Cookies
As certain parts of the Website are downloaded Google Analytics, a service operated by Google Inc, automatically places snippets on the user’s device, which may occasionally contain personal data. Google Analytics automatically stores the IP address returned by the browser so it cannot be linked to the user. These data are retained for 24 months, which period renews if a new event is recorded in connection with the user (e.g.: if a new session is initiated). The Controller shall request the visitor’s affirmative consent by ticking the checkbox in a pop-up window at the time of the first visit to enable these cookies. The exact specification of these data files (_ga, _gat, _gid) and their function are described at the following link.
If the user would want to prevent their data collected during the visit of the Website from being used by Google Analytics, he/she may download and install the following opt-out browser add-on for any browser:
If the user has previously received a cookie from Facebook because he/she either has an account or has visited facebook.com, their browser sends information about this cookie when he/she visits a site (e.g.: the Website) with the “Like” button or another social plugin. For further information, visit:
Furthermore, the Controller may also place other statistical cookies on the user’s device when the Website is visited. The purpose of certain cookies is to enhance user experience and to make the use of the Website more convenient since these cookies recognize and store information about the device used to access the Website, or any change made by the user in text size, font type or other customizable elements of the Website.
Data processing referred to in this Clause is based on the consent of the visitor of the Website; such affirmative consent may be given, as advised by this Notice, by clicking the checkboxes in the pop-up window, where the different types of cookies may be individually enabled or disabled.
These data shall be processed by the Controller if the cookies are placed by any third party for as long as the third party defines or until they are cleared from the user’s device, and in other cases for no longer than 3 months after the cookie has been placed.
The recipients of the personal data are the Controller’s employees and processors engaged in the operation of the Website.
d) Social Plugins
The Website using social plugins which enable automatic communication between the visitor’s browser and the server of the particular social media network. This way the social media provider is transferred data about the visitor viewing the particular pages of the Website even if the visitor is not a registered user of the social media application or is not logged in.
If the visitor is logged into his/her account at the given social media application, the module shall continue to collect information when the Website is opened or during the browsing session (e.g.: IP address, cookies) and shall retain them or even connect them to the visitor’s account or profile. If the visitor takes any action within the plugin, the information about such actions may also be retained and connected to the user profile.
If the visitor would like to prevent that the social media network should connect his/her visiting the Website with his/her user account or profile and collect additional information, first he/she should log out of the social media account, and may also disable the module.
For more information about social plugins used at the Website, please visit:
„Facebook” (Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA)
„LinkedIn” (LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Írország)
2. Data Processing Related to Candidate Data
In respect of data processing pursued on the Website, ENLOYD shall act as the data controller. ENLOYD shall also be the controller of the data of persons who provide their data for the purpose of being delivered recruitment services (hereinafter: Candidates). ENLOYD shall process these data within the context of providing recruitment services and may, at times, transfer them to the employers and its contracted suppliers (hereinafter: Partners). ENLOYD shall not act as the controller when the Candidates’ data are processed on behalf of its Partners and not for ENLOYD’s own purposes.
ENLOYD shall act as the processor when it processes the Candidates’ data exclusively on behalf of a Partner without storing such data in its own databases or otherwise using them for its own purposes.
ENLOYD shall not be responsible for the content, lawfulness and veracity of job advertisement posted by the Partners.
2.1. Forms of Data Processing
This Privacy Notice shall be applicable to all activities carried out as part of the recruitment services provided by the Controller, in particular:
a) application to a job posting advertised on the Website by submitting a CV through the “Apply for Position” function of the Website;
b) registration in the candidates database using the “Send us your CV” function so as to receive future offers;
c) the Controller contacts a Candidate registered in its database in connection with a specific job posting;
d) the Controller finds the Candidate in the database of another recruitment agency or based on the Candidate’s social media profile, and contacts him/her about a specific job posting.
2.2. Sources of Personal Data
The Controller shall process the personal data of Candidates collected from the following sources:
a) data provided by the Candidate by completing the template on the Website and by sending us their CV;
b) data obtained from the database of other recruitment agencies or job search websites (Profession.hu, ………….)
c) data disclosed by the Candidate and made publicly available on social media websites (the Candidate’s LinkedIn or Facebook profile);
d) data obtained from previous employers (references);
e) personal data obtained by the Controller during the recruitment process, interviews, aptitude tests and activities.
2.3. Scope of Data Processed and the Duration of Processing
a) “Apply for Position”
The Controller offers candidates the possibility to apply for positions advertised by Partners by completing the template in the “Apply for Position” function of the Website. The Controller shall process the candidate’s name, telephone number and e-mail address, as well as his/her CV to contact the candidate after receipt of his/her application.
The personal data so obtained shall only be processed for the purpose of contacting the candidate in respect of the job posting and the application to the position, but only if the Candidate has given consent to data processing by clicking the relevant checkbox on the template. In these cases, data processing is based on consent (within the meaning of Article 6 (1) a) of the GDPR). The Controller shall retain the data for 3 months after the expiry of the application period specified in the job posting (or after the posting has been removed from the Website) and shall subsequently erase them.
If the Candidate is not offered a job by the Partner as a result of the application, ENLOYD may later contact the candidate in an electronic mail or in a printed document to request his/her consent to the processing of the candidate’s CV and contact data (name, e-mail, telephone), to retain such data for a continued period and to store them in ENLOYD’s database for the purpose of contacting the candidate again with future job offers. This consent may be given by checking the checkbox already when the application is sent. In these cases, data processing is based on consent (within the meaning of Article 6 (1) a) of the GDPR).
If the candidate consents to processing related to storing his/her personal data in ENLOYD’s database, such data shall be processed for 2 years after his/her last job search activity and then shall be erased. (The following shall, among others, be considered job search activities: registration, log in, newsletter pixel, newsletter click, application, newsletter subscription, newsletter modification, job posting view, job postings page view.)
b) “Send us your CV”
By completing the other template in the “Send us your CV” section of the Website, the Candidate may voluntarily initiate his/her registration in the Controller’s database and sign up for being informed about future job openings. In this case the Controller will process the Candidate’s name, e-mail address, telephone number as well as his/her CV for the purposes of contacting the Candidate later and storing his/her data in the database.
If the candidate consents to processing related to storing his/her personal data in ENLOYD’s database, such data shall be processed until the registration is deleted, or for 2 years after his/her last job search activity and then shall be erased.
Prior to the expiry of the 2-year period, the Controller may contact the Candidate about the renewal of his/her consent to data processing; failing that the Controller shall erase the Candidate’s data from its database at the end of the 2-year period.
In that case, the personal data shall only be processed for the purpose of contacting the candidate about later job postings, but only if the Candidate has given consent to data processing. In these cases, data processing is based on consent (within the meaning of Article 6 (1) a) of the GDPR).
The recipients of the data shall be the executives and recruitment specialists of the Controller, who shall, in turn be authorized to obtain and process such data.
2.3. Data Transfer
On the basis of a specific consent given by the Candidate, ENLOYD may create written records of the information and data relevant for the particular position and obtained during in person interviews, as well as of the results of the Candidate’s personality and professional skills tests.
ENLOYD may also transfer personal data to the following entities belong to its group, or may use them to contact the Candidate with international job offers.
· Antal sp. z o.o. (registered seat: Wrocław (53-413), ul. Gwiaździsta 66, KRS: 0000105676.)
· Antal International s.r.o. (registered seat: Prague. ul. Anglická 140/20, 12000 Praha 2. Tax number: CZ03421520.)
· Antal International s.r.o. having its registered seat at: Bratislava ul. Skultetyho 1, 831 04 Bratislava. tax number: SK2120199686.
Processing data in the above manner always requires the affirmative consent of the Candidate, which may be given in advance by clicking the respective checkbox at the time when the application is sent.
3. Personal Data of Candidates of ENLOYD Positions
To post its own job offers and advertisements, or to contact potential candidates, the Controller may also engage a third party service provider (HR consultant and recruitment partner). After reading this Privacy Notice, the data subject may apply for the vacant position at his/her own discretion in an e-mail or through the online platform of the recruitment partner. In that case, his/her name and e-mail address, as well as any other personal data voluntarily disclosed (including his/her telephone number and CV) shall be processed by the Controller.
The personal data so obtained shall only be processed for the purpose of contacting and recruiting the candidate in connection with the job posting and the application. In the above case, data processing is based on the data subject’s consent (within the meaning of Article 6 (1) a) of the GDPR), which may be given, as described in this Privacy Notice, by voluntarily sending the data in an e-mail, or by giving a specific consent on the recruiter’s online platform.
The Controller shall retain the data for 3 months after the expiry of the application period specified in the job posting and shall subsequently erase them. The recipients of the data shall be the executives and HR specialists of the Controller, who shall, in turn be authorized to obtain and process such data.
If the data subject is not offered a job by the Controller following his/her application, the Controller may later contact the candidate in an electronic mail or in a printed document to request his/her consent to the processing of the candidate’s CV and contact data (name, e-mail, telephone), so as to retain such data for a continued period for the purpose of contacting the candidate again with a future job offer for that position. In these cases, data processing is based on the data subject’s consent (within the meaning of Article 6 (1) a) of the GDPR). Once consent is given, the Controller may process the data for five years and shall then erase them.
4. Message Sending
A message to the Controller may be sent from the “Contact Us, Send your Inquiry” page of the Website using a purpose made message template.
ENLOYD will process the personal data (name, telephone number and e-mail address) of the sender for the purpose of contacting him/her and responding to the message. If the message is sent by a natural person, consent to data processing may be given, as described in this Privacy Notice, by clicking the checkbox on the Website prior to sending the message. Failing that, the message cannot be sent and therefore no personal data will be obtained by ENLOYD.
In these cases, data processing is based on the data subject’s consent (within the meaning of Article 6 (1) a) of the GDPR), which may be given in the above manner.
The duration of the data processing shall be the final resolution of the inquiry. When a message clearly implies that no further response or contact is necessary but at the latest within six months of receipt of the latest message, ENLOYD will erase the respective personal data.
The recipients of the personal data are the Controller’s employees and agents responsible for customer relationship.
5. Data Processing related to Inquiries
If the data subject sends an inquiry or addresses a question to the Controller in an e-mail or via other media, the Controller shall process the sender’s name, e-mail address and/or telephone number to the extent necessary for responding to such inquiry or question; the existence of data processing shall be communicated to the data subject in a response e-mail (by inserting a link) or in a similar manner.
Data processing in such a case is based on the Controller’s legitimate interest to provide satisfactory response to all inquiries, complaints and to duly answer all questions raised by customers. The duration of the data processing shall be the final response given or the resolution of the inquiry.
When a message clearly implies that no further response or contact is necessary but at the latest within six months of receipt of the latest message, the Controller will erase the respective personal data, unless it is the legitimate interest of the Controller (e.g.: a consumer protection complaint has been lodged) to continue to process the data. In that case, data will be erased within eight days after the Controller’s legitimate interest no longer exists.
The recipients of the personal data are the Controller’s employees responsible for carrying out customer relationship management activities.
In the “Knowledge Base” section of the Website ENLOYD allows all interested data subjects to voluntarily provide certain personal data (name, e-mail address, telephone number, position, (employer) company, sector, city/town, country) so that the Controller may target the subscriber with relevant business and marketing offers, in case the data subject has given consent to data processing by clicking the respective checkbox on the consent template.
The purpose of the data processing is to enhance efficient needs analysis, facilitate correct targeting, optimize service provision and to contact the data subjects through the channels they opted for to promote and sell the services of ENLOYD. In the absence of an affirmative consent, the Controller shall not process the data and shall not transfer them to any third parties.
By providing the data, the visitor of the Website will be given the opportunity to directly access and download professional opinions, studies, and electronic publications related to the latest labor market trends issued by the Controller.
In these cases, data processing is based on the data subject’s consent (within the meaning of Article 6 (1) a) of the GDPR), which may be given in the above manner.
If consent is given to the subscription, ENLOYD will process the data until such consent is withdrawn but no longer than for 1 year after the respective personal data were recorded, and will then erase them.
Prior to the expiry of the 1-year period, the Controller may contact the data subject about the renewal of his/her consent to data processing; failing that the Controller shall erase the data subject’s data from its database at the end of the 1-year period.
The recipients of the personal data are the Controller’s employees and agents responsible for sales and marketing.
ENLOYD may use the e-mail address of the data subject to send him/her newsletters to inform the subscribed data subject about business offers, new services, company and business news or events.
A visitor of the Website may subscribe to the newsletter by clicking the respective checkbox, and entering a name and e-mail address, as described in this Privacy Notice.
Irrespective of how the data subject has subscribed to the newsletter, he/she may unsubscribe (and withdraw consent) any time by sending an e-mail to . Alternatively, the data subject may subscribe from the newsletter (and withdraw consent) by clicking the Unsubscribe button in the footer of the newsletter, or by sending a legal statement to that effect to any contact point of ENLOYD. Upon receipt of the request to unsubscribe, ENLOYD will erase the e-mail address from the database and will no longer send a newsletter.
The data processed for the purpose of sending newsletters are the recipient’s name and e-mail address. Data processing will be the data subject’s consent given in any of the ways described above; the purpose of data processing is the promotion and sales of ENLOYD’s services.
The duration of data processing will expire when the newsletter service is terminated or the data subject unsubscribes from the newsletter service. The data subject may re-subscribe to the newsletter service any time.
The recipients of the personal data are ENLOYD’s employees responsible for customer relations and sales.
8. Data Processing related to Contracts Concluded with Partners
ENLOYD will process the personal data of any natural person contracted with ENLOYD to the extent such data are necessary for the performance of a contract (name, name at birth, date of birth, mother”s name, address, e-mail address, taxpayer’s ID, ID card number, personal UID, registered seat, telephone number, e-mail address, bank account number), for the purposes of concluding, maintaining, performing and terminating such contract.
In these cases, processing is necessary for the performance of a contract to which the data subject is party (within the meaning of Article 6 (1) b) of the GDPR).
Data will be processed for an additional 5 years after the termination of the contract, or as long as data are required to be retained by law.
ENLOYD shall process the personal data (name, telephone number, e-mail address, address) of the contact persons appointed by entities contracted with ENLOYD.
In these cases, processing is necessary for the performance of a contract to which the data subject is party (within the meaning of Article 6 (1) b) of the GDPR), while it is also based on the Controller’s legitimate interest to enforce warranty and other claims under the contract, as well as the Controller’s legitimate interest to promote the conclusion of subsequent contract, to maintain good business relations (within the meaning of Article 6 (1) f) of the GDPR).
Data will be processed for an additional 5 years after the termination of the contract, or as long as data are required to be retained by law.
The recipients of the data are the executives of ENLOYD as well as its employees responsible for recruitment and customer relations, and its data processors.
ENLOYD shall not be responsible for any content shared by its Partners, for the veracity and accuracy of personal data, which shall remain the sole liability of the Partner. ENLOYD shall not be liable for any adverse consequence arising out of misstated data or failure to provide sufficient data.
INFORMATION ABOUT THE RIGHTS OF DATA SUBJECTS
1. Rights of Data Subjects
The data subject may request information about how his/her personal data are processed, may request the rectification of inaccurate personal data or – with the exception of data processed to comply with a statutory obligation – erasure of personal data concerning him or her, may request the restriction of processing, data portability, and may object to the processing of their personal data in certain circumstances specified at the time when data are collected by contacting the controller.
ENLOYD shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The data subject may request information about the sources of his/her personal data, the purpose, legal basis and duration of the data processing, the name and address of any processor engaged, the activities related to processing, and if personal data were or are transferred, then also the purpose and recipients of such data transfer.
Where ENLOYD intends to further process the personal data for a purpose other than that for which the personal data were collected, ENLOYD shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
· the purposes of the processing;
· the categories of personal data concerned;
· the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
· the envisaged period for which the personal data will be stored;
· the right to rectification and erasure, or the right to restriction of processing and to object;
· the right to lodge a complaint with a supervisory authority; information about the source of data;
· the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
ENLOYD shall provide the requested information within no more than one month of the submission of the request.
ENLOYD shall provide the requested information and will advise the data subject about their rights free of charge, subject to the exceptions set out in the GDPR.
The data subject shall have the right to obtain from ENLOYD without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
d) Right to Erasure /Article 17 of GDPR/
The data subject shall have the right to obtain from ENLOYD the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
· the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
· the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
· the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
· the personal data have been unlawfully processed;
· the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
· the personal data have been collected in relation to the offer of information society services.
The erasure of data may not be initiated to the extent that processing is necessary:
· for exercising the right of freedom of expression and information;
· for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
· for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
· for the establishment, exercise or defence of legal claims.
The data subject shall have the right to obtain from ENLOYD restriction of processing where one of the following applies:
· the accuracy of the personal data is contested by the data subject, for a period enabling the verification of the accuracy of the personal data;
· the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
· the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
· the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
ENLOYD shall inform the data subject who has obtained restriction of processing, before the restriction of processing is lifted.
ENLOYD shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. ENLOYD shall inform the data subject about those recipients if the data subject requests it.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to ENLOYD, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract and the processing is carried out by automated means. The exercise of this right shall not adversely affect the rights and freedoms of others.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the performance of a task carried out in the public interest point (Article 6 (1) (e) or on legitimate interests (Article 6 (1) (f)), including profiling based on those provisions. ENLOYD shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Advice about data processed for direct marketing purposes: Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The data subject shall have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her. This right shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and ENLOYD; or if the decision is authorized by a European Union or Member State law to which ENLOYD is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or the decision is based on the data subject’s explicit consent.
i) Right to Withdraw Consent /Article 7 of GDPR/
Where processing is based on consent, ENLOYD shall ensure that the consent may be withdrawn in the same simple manner as it was given in. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
j) Right to Lodge a Complaint with a Supervisory Authority /Article 77 of GDPR/
Every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the legal regulations.
In Hungary the supervisory authority is the National Authority for Data Protection and Freedom of Information (registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; postal address: 1530 Budapest, PO Box. 5.; telephone: 06 -1- 391-1400)
k) Right to an Effective Judicial Remedy /Article 79 of GDPR/
Every data subject shall have the right to seek judicial remedy where he or she considers that his or her rights have been infringed. Such cases shall be given priority at court.
In the cases referred to above, ENLOYD shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of ENLOYD, to express his or her point of view and to contest the decision.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
The data subject may make a request to ENLOYD in order to exercise any of the above rights, without any restriction as to substance or form of the request, sent to the contact details disclosed in this Privacy Notice.
2. Request Submitted by the Data Subject, and Actions taken by ENLOYD
If the data subject makes a request to ENLOYD in order to exercise his/her rights or related to any other matter concerning data protection, ENLOYD shall provide information on action taken on the request to the data subject without undue delay and in any event within one month of receipt of the request.
This period may be extended by two further months where necessary, taking into account the complexity and number of the requests. ENLOYD shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If ENLOYD does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Complaints and requests related to data processing shall be addressed to:
The Controller is entitled to unilaterally modify this Privacy Notice any time, and shall communicate the modifications to all data subjects and users by posting them on the Website within 30 days.