Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) prescribes that data subjects must be provided with concise, transparent, easy to understand and easily accessible information concerning the processing of their personal data.
Data processing under GDPR does not apply to handling non-personal data.
Complying with this provision, we hereby provide our customers ordering our services, other contractual partners and visitors to our website with the following easy to understand information about the data processing and data protection rules of our Company.
Hungarian Office for Translation and Attestation Ltd (OFFI Ltd)
1062 Budapest, Bajza utca 52.
1394 Budapest, Pf. 359.
adatkezeles [at] offi [dot] hu
Unit responsible for data protection:
Secretariat of OFFI Ltd
II. LEGISLATION GOVERNING DATA PROCESSING
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)
- Act CXII of 2011 on the right to informational self-determination and on the freedom of information.
III. TERMS USED UNDER GDPR
- ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘Controller’ means the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data.
IV. PRINCIPLES OF DATA PROCESSING AT OFFI LTD
- We process personal data lawfully and fairly, and in a manner that is transparent for you. We are authorised by law to process the data in order to comply with our contractual obligation or in the legitimate interest of our Company with your voluntary written consent based on prior information.
- We collect personal data exclusively for specified, clear and lawful purposes, and we do not process them in any manner that is incompatible with the purposes.
- Our Company takes every reasonable, necessary and proportionate measure to ensure that the data we process are correct and up-to-date, and we immediately erase or correct any incorrect personal data as explicitly requested by you or as we are officially informed.
- Using appropriate technical and organisational measures, we can ensure appropriate security of the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- We report and address any personal data breach immediately, within the period provided by law.
- We comply with your requests related to your personal data in the manner and within the period prescribed by law.
V. DATA PROCESSING RELATED TO CONTRACTUAL RELATIONSHIP AND PROVIDING A QUOTATION
In the course of carrying out its activities, our Company hires co-workers and creates price quotes for or concludes contracts with our Customers so that we can provide our services, and also carries out procurement and archiving activities necessary for its operation. In this context, our Company processes and stores the data listed below for the following purposes until the date specified:
- hiring procedure
- contact (for marketing purposes),
- concluding contracts,
- performing contracts,
- handling invoices and debts,
- enforcing contractual legal rights (e.g. complaints, warranty objections),
- document management and archiving following the termination (performance or dissolution) of the contract.
1. Hiring staff and subcontractors, Careers portal
- OFFI receives applications for staff positions or for entrepreneurial relationship based on advertisement or via the Careers portal of its website www.offi.hu.
- A successful application procedure is followed by signing a contract. Processing of personal data takes place in accordance with the terms of the contract, and in the case of employees, in accordance with OFFI’s internal rules.
- If the application is un successful, the applicant’s personal data will be stored for three months after the end of the application procedure, unless otherwise agreed.
2. Personal data of natural person customers:
- For the above purposes, our Company processes the name, address, phone number, e-mail address, customer number (client number, order number), and online identifier of natural persons concluding, as customers, a contract with us. Data processing starts legally before concluding the contract, based on the request of our customers, when we give a quote.
- The period of personal data processing: the period prescribed for the retention of documents following the termination of contracts in Section 169 of Act C of 2000 on accounting; in the case of giving a quote, 10 days after the quote has expired.
- Before starting the data processing, we inform the data subjects, orally or in writing on the quote form or order form, about data processing under the legal basis of performing the contract.
3. Data of natural person representatives in the case of legal person customers:
- Personal data that can be processed: name, address, phone number, e-mail address and online identifier of the natural persons.
- The purpose of personal data processing: performance of the contract concluded with the Company’s legal person partners and maintaining business contact under the legal basis of the data subjects’ consent.
- Duration of storage of personal data: term of the business contact and of storing the contract.
4. Data processed in the case of all our customers:
We retain both the documents to be translated and the translated documents, including any personal data in them, until the contract is performed and the warranty period has expired. This data processing is necessary for performance of the contract and in the legitimate interest of our Company as the controller.
5. Registering in the homepage of the Company:
We request personal data from visitors to our website only if they want to create an account or log in so that they can request a quote or submit an order.
- Personal data that can be processed: name (family name, given name), address, phone number, e-mail address and online identifier of natural persons.
- The purpose of personal data processing:
- Delivering orders submitted through our website.
- Establishing contact through electronic means, phone, text message or mail.
- The data are processed under the legal basis of the data subjects’ consent.
- Duration of storage of the personal data: the period of the registration / service or until the withdrawal (request for erasure) of the consent of the data subject.
6. Other contractual partners
We request and process the data of our other contractual partners (subcontractors, translators/revisers/interpreters), as well as our contractual partners in purchasing activities as specified by the laws listed in section VI, for the period specified in the same section.
VI. DATA PROCESSING RELATED TO LEGAL OBLIGATIONS
1. Data processing in compliance with tax and accounting obligations
- In order to comply with its legal obligations, our Company processes the data specified by law of natural person customers and suppliers doing business with us for the purpose of performing obligations (bookkeeping, taxation) specified by law (under Sections 169 and 202 of Act CXXVII of 2017 on value added tax, Act CXVII of 1995 on personal income tax, Act LIII of 2017 on the prevention and combating of money laundering and terrorist financing and Act C of 2000 on accounting).
- The duration of storage of personal data is eight years following the termination of the legal relationship.
2. Documents with permanent value specified in the Archives Act
Under the legal basis of complying with legal obligations, our Company handles documents classified as having permanent value under Act LXVI of 1995 on public records, public archives, and the protection of private archives (Archives Act) that have not been collected by our customers. The data are stored until the documents are delivered to the public archives.
VII. DATA PROCESSING RELATED TO CAMERA SURVEILLANCE
In the customer services areas of our Budapest headquarters where cash is accepted, our Company makes visual recordings of data subjects involved in transactions related to handling money or appearing in those areas. The recordings are made only for accounting and security purposes and are stored for the period and purpose specified in OFFI’s internal rules. If there are any grounds for it, OFFI will use the recordings with the assistance of its security manager in accordance with the provisions in the effective regulation of the Company.
We also operate cameras for security purposes along the routes where money is transported, in certain corridors leading to the locations where our data asset is stored, and in the staircase.
A warning sign and notice about using an electronic surveillance system is displayed in a prominent place clearly visible to the public, in a clearly legible manner, in order to provide third parties entering the area with adequate information.
VIII. OTHER DATA PROCESSING ISSUES
- As a general rule, your personal data may be available to the employees of our Company so that they can perform their tasks.
- The translations provided by our Company are prepared partly by external subcontractors, and therefore, the documents submitted to be translated are transferred to our subcontractors through our case management system, to which customers have previously given their consent. Contractors are regarded as data processors. OFFI and the contractors have concluded a data processing contract. In the course of performing the tasks assigned, contractors are obliged and entitled to handle the related documents only through the case management system. If a contractor downloads or prints any work document, they are obliged to ensure that the downloaded set of data and any printed work document will be erased and physically destroyed when the task has been performed and no third parties have access to them in any manner. Contractors are liable for any risks resulting from failure to comply with the above obligation.
- Contractors are under the obligation of confidentiality and must comply with the legal provisions concerning the protection of individual rights, as well as the provisions of OFFI’s internal regulations on contractor agreements.
- We transfer the data of our customers – not including those in section VIII/2 – to third parties only in the cases specified by law.
- Our Company does not transfer data abroad unless you request that we send abroad the translation you have ordered.
- Our Company may be contacted by courts, prosecutor’s offices and other authorities (e.g. the police, the tax authority and the National Authority for Data Protection and Freedom of Information) in order to provide information, data or documents. In these cases, we must comply with our obligation to provide data but only to the extent indispensable for fulfilling the purpose of the request.
- We safeguard your personal data through appropriate technical and other measures ensuring that the data are safe and available, and protecting them from unauthorised access, alteration, damage and disclosure, as well as any other unauthorised use.
- Through certain organisational measures, we supervise physical access in our buildings, provide our employees with regular training and keep paper documents locked and protected. Within the context of electronic data security, we have introduced specific security measures in our IT system (encryption, protection from access, authorisation, etc.). However, we would like to remind you that that the confidentiality, integrity and accessibility of data transfer through our website are not exclusively controlled by our Company, and therefore, we cannot accept full responsibility for them. We comply with strict rules concerning the data we receive in order to ensure that your data are secure and protected against unlawful access.
IX. LEGAL REMEDIES
Concerning data processing, you may
- request information,
- request the correction, modification or supplementation of your personal data processed by us,
- object to data processing and request that your data are erased or blocked (except for compulsory data processing),
- appeal to a court,
- file a complaint with the supervisory authority, or initiate proceedings (https://naih.hu/panaszugyintezes-rendje.html).
Supervisory Authority: National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat [at] naih [dot] hu
Upon your request, we provide information about
- your data handled and processed by us,
- their source,
- the purpose and legal basis of data processing,
- the period of data processing, or, if that is not possible, the criteria for determining that period,
- the name and address of our data processors, and their activity related to data processing,
- the circumstances and effects of personal data breaches, and our measures taken to address and prevent those incidents, and
- the legal basis and addressee if your personal data are transferred.
We will provide the information within one month following the submission of the request. The information is provided free of charge except if you have already submitted to us a request concerning the same set of data in the same year. We may refuse to provide the information only in cases specified by law, indicating the relevant legal provisions and providing information on judicial remedy or the opportunity to apply to the Authority. Our company will inform you about the correction, blocking, marking or erasure of personal data.
If your request for correction, blocking or erasure cannot be granted, we will inform you in writing within one month from receiving your request, providing the reason for the refusal and information on legal remedies.
If you object to processing your personal data, your objection will be examined also within one month from receiving your request and we will notify you in writing about our decision. If we decide that your objection is reasonable, we will terminate the data processing, including any further data collection and transfer, and block your data.
We will refuse to grant your request if we can prove that the data processing is justified by compelling legitimate grounds which override your interests, rights and freedoms or which are related to the establishment, exercise or defence of legal claims.
Such grounds may arise when the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract; if the data subject is obliged to provide the above personal data, and failure to provide those data may have the following legal consequences:
- request for data for the purpose of compliance with a legal obligation: complance with a legal obligation is made impossible;
- request for data for the purpose of concluding a contract: the contract cannot be concluded;
- request for data for the purpose of using a service: refusing to provide the service; after performance, losing the warranty rights.
If you do not agree with our decision, or if we miss the deadline for replying/taking measures, you may apply to a court within 30 days from the communication of the decision or the last day of the deadline.
Regional courts have material jurisdiction concerning data breach lawsuits, and a lawsuit may be filed before the regional court with jurisdiction either at the address or temporary residence of the data subject, whichever they prefer. Foreign citizens may also submit a complaint to the supervisory authority with competence at their address.
Before approaching the supervisory authority or a court with your complaint, please contact our Company so that we can negotiate and settle the issue as quickly as possible.
X. PUBLISHING AND AMENDING THE INDORMATION ON DATA PROCESSING
We reserve the right to amend this Information on Data Processing, about which it will duly notify the data subjects. The data processing information is published on www.offi.hu, and at the customer service centres.
Budapest, 29 December 2018