PERSONAL DATA BREACH POLICY

In effect as of 25 May 2018 until cancelled

1. Introduction

CGP Europe Limited Liability Company (registered office: 1024 Budapest, Ady Endre út 19., Hungary, company registration number: 01-09-965048; Tax ID No.: 23425026-2-41; data processing registration No.: NAIH-78299/2014.; (hereinafter: "Controller") creates this Personal Data Breach Policy (hereinafter: "Policy").

2. Definitions

Personal Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Identification Data: either a person's first name and surname, maiden name, sex, place and date of birth, mother's first name and surname at birth, home address, place of residence, social security number individually or in combination, provided that such data is or could be suitable for identifying the data subject.

Specialdata: personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life, furthermore personal data concerning health, pathological addictions, or criminal record;

Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Controller: a natural or legal person, or an organisation without legal personality who/that alone or together with others determines the purpose of data processing, makes and executes decisions concerning data processing (including the instrument used), or have them executed by a processor entrusted by him/her. Furthermore, natural or legal persons, or organisations without legal personality who/that are entitled to process personal or personal identification data, or Special data and Data concerning health in specific cases, for a purpose defined by the law.

Data Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

3. Data Protection Laws and Regulations

The laws and regulations of utmost importance for the purposes of this Policy include:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”);
  2. The Fundamental Law of Hungary;
  3. Section 2:42 of Act V of 2013 on the Civil Code;
  4. Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act);
  5. Act XLVII of 1997 on the Processing and Protection of Health Care Data and Associated Personal Data;
  6. Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services;
  7. Act LXVI of 1992. on Keeping Records on the Personal Data and Address of Citizens;
  8. Amendments to the GDPR and the GDPR-based legal practice and recommendations made by the European Committee or the supervisory authority of the Controller’s seat.

4. Notification of a Personal data breach

In the case of a Personal data breach, the Controllershall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the Personal data breachto the supervisory, unless the Personal data breachis unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.The DataProcessorshall notify the Controllerwithout undue delay after becoming aware of a Personal data breach.

The notification must contain the following:

  1. describe the nature of the Personal data breachincluding where possible, the categories and approximate number of data subjects concerned and the categories and approximatenumber of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where moreinformation can be obtained;
  3. descriptionof the likely consequences of the Personal data breach;
  4. describe the measures taken or proposed to be taken by the Controllerto address the Personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. The Controllershall document any Personal data breaches, comprising the facts relating to the Personal data breach, its effects and the remedial action taken.

5. Communication of the Personal data breach to the data subject

When the Personal data breachis likely to result in a high risk to the rights and freedoms of natural persons, the Controllershall communicate the Personal data breachto the data subject without undue delay.
In the communication to the data subject, Controllershall describe in clear and plain language the nature of the Personal data breach, provide the name and contact details of the contact point where more information can be obtained, describes the likely consequences of the Personal data breach,describe the measures taken or proposed to be taken by the  Controllerto address the Personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

The communication to the data subject referred to in section 5 of this Policy shall not be required if any of the following conditions are met:

  1. the Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the Personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  2. the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
  4. If the Controller has not already communicated the Personal data breachto the data subject, the supervisory authority, having considered the likelihood of the Personal data breachresulting in a high risk, may require it to do so or may decide that the data subject shall not be notified.

6. Miscellaneous

This Policy, in compliance with the Controller’sPrivacy Policy, and Regulation (EE) 2016/679 of the European Parliament and of the Council (GDPR), introduces the following provisions:
The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a Personal data breach to a data subject and certain related obligations of the Controllersmay be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behavior under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

7. Closing Provisions

This Policyenters into force upon signature.
The provisions of this Policyshall apply to data processing taken place after entry into force hereof. 
The provisions of this Policyshall also apply to data processing being in progress at the time of the entry into force hereof.
Any issues not regulated herein shall be governed by the provisions of the legal regulations listed in Section 3 hereof.
With effect from the date of entry into force, this Policysupersedes and repeals the previous Personal data breach policies in effect at the Controller. 


Budapest, 25 May 2018