PRIVACY POLICY

In effect from 25 May 2018 until cancelled

1. Introduction

CGP Europe Limited Liability Company (registered office: H-1024 Budapest, Ady Endre út 19., Hungary; company registration number: 01-09-965048; tax ID number: 23425026-2-41; data processing registration No.: NAIH-78299/2014; hereinafter: "Controller") creates this Privacy Policy (hereinafter: "Policy").

The purpose of data processing:

Controller provides EAP services to the employees of the Partners as Users (hereinafter: "User(s)") to survey, prevent, reduce or eliminate the exposure of Users to psychosomatic risks at their workplace and in their personal environment. Users use the EAP service voluntarily, at their discretion, after interpreting and accepting the terms of the privacy notice and this Privacy Policy. The contractual relationship is established between the Controller and the Partners, while Users are the employees of the Partners or the Close Relatives of the Users. Controller provides the EAP service primarily by telephone and through an online interface, exclusively by responding to contacts established by Users. Upon a User's request, Controller offers personal consulting with one of Controller's associates or a person or organisation contracted to participate in delivering the EAP Service. For the purpose of the above, Controller concludes service agreements with the Partners as employers who intend to provide their employees with the EAP Service. Based on the provisions of the contracts with its subcontractors participating in the EAP service, Controller warrants that the subcontractors involved in the data transfer provide sufficient and suitable guarantees during their own data processing, and that the procedures of the subcontractors participating in the EAP service are fully aligned with the current legal regulations and norms, especially the provisions of the GDPR.

2. Definitions

EAP Service: "Employee Assistance Program": is a psychological / legal and financial orientation service provided by Controller in connection with problems of the Users employed by the Partners.

Partner: An employer being in contractual relationship with the Controller, whose employees are eligible for using the EAP Service. 

User: the data subject who is eligible for using the EAP Service as the employee of the Partner or the close relative of such employee.

Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Personal Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Identification Data: either a person's first name and surname, maiden name, sex, place and date of birth, mother's first name and surname at birth, home address, place of residence, social security number individually or in combination, provided that such data is or could be suitable for identifying the data subject.

Special data: personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life, furthermore personal data concerning health, pathological addictions, or criminal record.

Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

Controller: a natural or legal person, or an organisation without legal personality who/that alone or together with others determines the purpose of data processing, makes and executes decisions concerning data processing (including the instrument used), or has them executed by a processor entrusted by him/her. Furthermore, natural or legal persons, or organisations without legal personality who/that are entitled to process personal or personal identification data, or Special data and Data concerning health in specific cases, for a purpose defined by the law.

Data Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Transfer: making data available to a specific third party.

Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Public Disclosure: making data available to anyone.

Erasure of Data: making data unrecognisable in a way that it can never again be restored.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.

Close relative: spouses, direct relatives, adopted, step or foster children, adoptive, step and foster parents as well as siblings and partners.

3. Purpose of this Policy

This Policy seeks to ensure that the data processing conducted by CGP Europe Limited Liability Company complies with the provisions of the applicable legal regulations. This Policy is set out to specify the scope of the data of the Users that are processed by the Controller, the manner, purpose and legal basis of data processing, furthermore to ensure that the constitutional principles of data processing and the requirements of privacy are enforced and to prevent unauthorised access to and the alteration and unauthorised public disclosure of the data of the Users.
Controller processes personal data exclusively for a specified purpose, in order to exercise rights and perform obligations. Each phase of the data processing is in compliance with the purpose of data processing. Data are recorded and processed in a fair and lawful manner. Controller exerts best efforts not to process personal data unless they are indispensable for achieving the purpose of data processing and suitable for attaining that purpose. Personal data will be processed to the extent and for the duration necessary to achieve its purpose.
Controller processes the personal data after informing the data subjects in a concise, easily accessible and easy to understand manner, and with clear and plain language. This Policy also ensures compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

4. Data Protection Laws and Regulations

The laws and regulations of utmost importance for the purposes of this Policy include:

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”);
  2. The Fundamental Law of Hungary;
  3. Section 2:42 of Act V of 2013 on the Civil Code;
  4. Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act);
  5. Act XLVII of 1997 on the Processing and Protection of Data Concerning Health and Associated Personal Data;
  6. Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services;
  7. Act LXVI of 1992 on Keeping Records on the Personal Data and Address of Citizens;
  8. Amendments to the GDPR and the GDPR-based legal practice and recommendations made by the European Committee or the supervisory authority of the Controller’s seat.

5. The Principles of Data Processing

Controller shall act in cooperation with data subjects in compliance with the requirements of good faith and fairness. Controller shall exercise its rights and shall perform its obligations in accordance with their intended purpose.
Personal Data shall be treated as personal during data processing as long as it is possible to restore their relationship with the User. It is possible to restore the relationship with the User if Controller possesses the technical means required for restoration.
During the data processing, Controller ensures data accuracy and completeness and, if deemed necessary in the light of the purpose of data processing, that the data are updated and permit the identification of the User for no longer than it is necessary for the purposes of data processing.

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. (‘storage limitation’);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Controller shall be responsible for, and be able to demonstrate compliance with, the principles of Data Processing (‘accountability’).

6. Free Consent

Controller processes the personal data of Users covered by this Policy on the basis of a freely given, specific, informed and unambiguous agreement given by the Users.
Controller processes Special data and Data concerning health named in this Privacy Policy exclusively based on Users’ request and voluntary and explicit consent for the specified purposes and to the specified extent, furthermore it transfers such data as defined in the agreement.

7. Receiving and Transferring Data

Controller may not transmit the data it processes to anyone except its employees and collaborating persons and organisations who are participating in delivering the EAP Service, provided that any such transfer shall be limited to the extent required by the purpose of data processing.
Controller shall have all of its employees as well as the persons and organizations involved in data processing become familiar with the provisions of this Policy.
Controller shall, furthermore, ensure that any person participating in transferring or receiving data, processes data only to the extent required by the purpose of data processing.
Users shall be informed of the data transmitting or transferring, and the possibility thereof.
In case of a legally incapacitated person or a person with limited legal capacity, such information shall be given to the legal guardian who has the right to make declarations on behalf of that person.

8. Purposes of Data Processing

Controller may process data for the following purposes during the use and delivery of the Service:

  • to deliver the EAP Service;
  • to settle accounts with Partners.

Controller processes Special data and Data concerning health upon the User's request and explicit consent for the purpose of delivering the EAP Service.

9. The legal basis for the data processing

Controller will process the personal data covered by this Policy on the basis of the natural person User's freely given and unambiguous consent according to Article 6 (1) point a) of the GDPR, Section 5 (1) and Section 6 (5) of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, and in accordance with the provisions of Article 4 of Act XLVII of 1997 on the Processing and Protection of Data Concerning Health and Associated Personal Data. Institutions, bodies or persons outside the health care network (hereinafter: non-health care institution) may process data concerning health and personal identification data to the extent necessary for performing their duties.
The Controller and processors of data shall keep confidential any medical secrets they may become aware of, subject to exceptions provided by law.

10. Scope of data processed by Controller

During the delivery of the EAP Service, Controller will process only the data that are indispensable for the provision of the EAP Service on the basis of the Users' consent, the applicable legal regulations and this Policy.

In doing so, Controller acts so that the anonymity of Users is ensured as far as possible, thus neither the provider nor any person or organisation participating in the provision of the EAP Service or any third party may become aware of the Users' identity. Given that framework, the data with regard to Users that are processed by Controller shall be limited to:

  • the User's first name;
  • the User's telephone number and/or email address;
  • the User's unique identification number generated by Controller, which consists of the company name of the User’s employer and the exact time of the inquiry;
  • the description of the problem or question outlined by User with reference to User's voluntary account;
  • Special data potentially disclosed by User to the Controller, which Controller processes upon User's request and in line with User's explicit and unambiguous consent.

The purpose of the data processing is to provide the EAP service to the Users, without identifying their person or revealing their identity, while retaining the privacy and anonymity of their data, where possible.

11. The possible consequences of failure to provide personal data

If the personal data are not provided, Controller cannot deliver the EAP service to the User.

12. Method of Collecting Data

Users have the discretion to contact Controller by notifying Controller of their request for the EAP Service. When a request is received, Controller informs Users about the specification of the data that need to be processed for using the service, the retention period, the purpose of data use, the fact that data will be transferred and the recipients thereof.

13. Data Transfer

Data may be transferred only on the basis of the consent of the data subject or an authorisation granted by law in all cases. Controller will transfer personal data only if the legal basis thereof is unambiguous and the purpose of the transfer as well as the intended recipients are accurately specified. Controller shall document each case of data transfer in such a way that the process and lawfulness of transfer can be demonstrated.
Controller shall refrain from disclosing any data concerning the Users, including those specified in Section 10 of this Policy, to the Partners or to third parties. Controller gives account to the Partners of the activities carried out in the form of monthly statistical reports, which will not include personal data and will not permit identification of Users, either directly or indirectly.
Controller is required to comply with the data transfer obligations set out in legal regulations.
Apart from the above, data transfer shall take place only in case of the unambiguous and explicit consent of the data subject.

14. Rectification and erasure

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  • the data subject objects to the processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.

The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  • the data subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the data subject.

15. Retention period

Controller processes the data concerning the User for the period necessary for the provision of the EAP Service and the related settlement of accounts with the Partners, but not longer than three months.

16. Users' Rights in Respect of the Processing of their Personal Data 

Users may request information about their personal data that is processed. Controller informs Users of the personal data processed, their source, purposes, legal basis and retention period, as well as the name and address of the Data Processors and their activity connected to the data processing, without undue delay, but within one month of receiving the request at the latest.

17. Possibility to amend the Privacy Policy

Controller reserves the right to unilaterally amend this Policy. The amendment as well as the consolidated text of the privacy policy shall be published and communicated to all parties to whom the Policy has been specifically sent or otherwise properly disclosed by the Controller in the same way and at the same place as this Policy has been published and communicated.

18. Data Security Measures

Controller shall ensure the security of the data. To this end, Controller takes the necessary technical and organisational measures in respect of data stored both by information technology instruments and on traditional paper based media. Controller shall take steps to give effect to the privacy rules laid down in applicable legal regulations. Controller shall ensure the security of the data, shall take the technical and organisational measures and shall lay down the procedural rules that are necessary to give effect to the relevant legal regulations and rules governing data privacy and confidentiality.
Controller shall take all necessary measures to protect the data, in particular from unauthorised access, alteration, transfer, public disclosure, erasure or destruction and from accidental loss or damage as well as from becoming inaccessible due to changes in the applied technology.
When Controller determines and applies measures to ensure data security, Controller shall take into account the state of the art technology. When several data processing options are available, Controller shall select the one that provides the highest level of protection for personal data, unless doing so would incur disproportionate difficulties.
Controller stores the personal data in an appropriately encrypted SQL database. To provide the technical environment required by the EAP service, when queries are submitted through the mobile application, Controller also processes, in addition to the data specified in Section 10, the user name and password provided by the User, along with the cookies (which allow the identification of the submitting computer) used by the online interface where the user’s queries or issues are submitted.
The cookies are used exclusively to identify the computer used for the submission and contain only the current step the user has reached in the query submission process; Controller does not store user data in this phase.

19. Applicable proceedings in case of a personal data breach

In the case of a personal data breach, the Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
The Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in the GDPR.
If the Controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that the communication is dispensable.

20. Data protection officer (DPO)

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights specified by the relevant legal regulations.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.
Name and contact details of the Data Protection Officer appointed by the Controller:
Szabolcs Péter Sója
postal address: H-1024 Budapest, Ady Endre utca 19., Hungary
e-mail: dpo@chestnutce.com

21. Legal Remedy Options

Should any questions or concerns arise related to the data processing or data transfer proceedings of CGP Europe Kft., do not hesitate to contact our Data Protection Officer (DPO) through any of the contact details listed in Section 20. Your questions related to data protection will be answered by the Data Protection Officer, your issues or complaints will be investigated in cooperation with the Data Controller and you will be informed of the findings.
Should the data subject’s rights be violated, the data subject may turn to court against the Controller. In the case of court action, the Court will proceed forthwith. No duties are charged for court proceedings related to personal data protection.
The data subject may forward complaints to the Hungarian National Authority for Data Protection and Freedom of Information (mailing address: 1534 Budapest, P.O. Box 834; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c).
Upon any violation of their rights, Users may seek legal remedy against the Controller with reference to the provisions of the Info Act and the Civil Code and may take such complaints before a court or the National Authority for Data Protection and Freedom of Information (mailing address: 1534 Budapest, P.O. Box 834; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.). In the case of court action, the Court will proceed forthwith.

22. Publication of the Privacy Policy

Controller shall publish this Policy at its website (www.eap.hu/online), and shall notify Users about the availability of this Policy. Upon a specific request by a User to that effect, Controller shall also send this Policy directly to the User.
Controller sends this Policy as well as any amendments directly to the Partners.

23. Closing Provisions

This Policy enters into force upon signature.
The provisions of this Policy shall apply to data processing taking place after entry into force hereof.
The provisions of this Policy shall also apply to data processing being in progress at the time of the entry into force hereof.
Any issues not regulated herein shall be governed by the provisions of the legal regulations listed in Section 4 hereof.
With effect from the date of entry into force, this Policy supersedes and repeals the previous data processing policies in effect at the Controller.


Budapest, 25 May 2018.