In effect from 25 May 2018 until cancelled
EAP Service: "Employee Assistance Program": is a psychological / legal and financial orientation service provided by Controller in connection with problems of the Users employed by the Partners.
Partner: An employer being in contractual relationship with the Controller, whose employees are eligible for using the EAP Service.
User: the data subject who is eligible for using the EAP Service as the employee of the Partner or the close relative of such employee.
Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal Data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Identification Data: either a person's first name and surname, maiden name, sex, place and date of birth, mother's first name and surname at birth, home address, place of residence, social security number individually or in combination, provided that such data is or could be suitable for identifying the data subject.
Special data: personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life, furthermore personal data concerning health, pathological addictions, or criminal record;
Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Controller: a natural or legal person, or an organisation without legal personality who/that alone or together with others determines the purpose of data processing, makes and executes decisions concerning data processing (including the instrument used), or have them executed by a processor entrusted by him/her. Furthermore, natural or legal persons, or organisations without legal personality who/that are entitled to process personal or personal identification data, or Special data and Data concerning health in specific cases, for a purpose defined by the law.
Data Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Transfer: making data available to a specific third party.
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Public Disclosure: making data available to anyone.
Erasure of Data: making data unrecognisable in a way that it can never again be restored.
Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
Close relative: spouses, direct relatives, adopted, step or foster children, adoptive, step and foster parents as well as siblings and partners.
This Policy seeks to ensure that the data processing conducted by CGP Europe Limited Liability
Company complies with the provisions of the applicable legal regulations. This Policy is set out to
specify the scope of the data of the Users that are processed by the Controller, the
manner, purpose and legal basis of data processing, furthermore to ensure that the constitutional
principles of data processing and the requirements of privacy are enforced and to prevent
unauthorised access to and the alteration and unauthorised public disclosure of the data of the Users.
Controller processes personal data exclusively for a specified purpose, in order to exercise rights and perform obligations. Each phase of the data processing is in compliance with the purpose of data processing. Data are recorded and processed in a fair and lawful manner. Controller exerts best efforts not to process personal data unless they are indispensable for achieving the purpose of data processing and suitable for attaining that purpose. Personal data will be processed to the extent and for the duration necessary to achieve its purpose.
Controller processes the personal data after informing the data subjects in a concise, easily accessible and easy to understand manner, and with clear and plain language. This Policy also ensures compliance with the Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
The laws and regulations of utmost importance for the purposes of this Policy include:
Controller shall act in cooperation with data subjects in compliance with the requirements of good
faith and fairness. Controller shall exercise its rights and shall perform its obligations in
accordance with their intended purpose.
Personal Data shall be treated as personal during data processing as long as it is possible to restore their relationship with the User. It is possible to restore the relationship with the User if Controller possesses the technical means required for restoration.
During the data processing, Controller ensures data accuracy and completeness and – if deemed necessary in the light of the purpose of data processing – that the data are updated and permit the identification of the User for no longer than it is necessary for the purposes of data processing.
Personal data shall be:
Controller shall be responsible for, and be able to demonstrate compliance with the principles of Data Processing (‘accountability’).
Controller processes the personal data of Users covered by this Policy on the basis of a freely
given, specific, informed and unambiguous agreement given by the Users.
Controller may not transmit the data it processes to anyone except its employees and collaborating
persons and organisations who are participating in delivering the EAP Service, provided that
any such transfer shall be limited to the extent required by the purpose of data processing.
Controller shall have all of its employees as well as the persons and organizations involved in data processing become familiar with the provisions of this Policy.
Controller shall, furthermore, ensure that any person participating in transferring or receiving data, processes data only to the extent required by the purpose of data processing.
Users shall be informed of the data transmitting or transferring, and the possibility thereof.
In case of a legally incapacitated person or a person with limited legal capacity, such information shall be given to the legal guardian who has the right to make declarations on behalf of that person.
Controller may process data for the following purposes during the use and delivery of the Service:
Controller processes Special data and Data concerning health upon the User's request and explicit consent for the purpose to deliver the EAP Service.
Controller will process the personal data covered by this Policy on the basis of the natural
person User's freely given and unambiguous consent according to Article 6 (1) point a)
of the GDPR, Section 5 (1) and Section 6 (5) of Act CXII of 2011 on the Right of Informational
Self-Determination and on Freedom of Information, and in accordance with the provisions of Article 4
of Act XLVII of 1997 on the Processing and Protection of Data Concerning Health and Associated
Personal Data. Institutions, bodies or persons outside the health care network (hereinafter:
non-health care institution) may process data concerning health and personal identification data to
the extent necessary for performing their duties.
The Controller and processors of data shall keep confidential any medical secrets they may become aware of, subject to exceptions provided by law.
During the delivery of the EAP Service, Controller will process only the data that are indispensable for the provision of EAP Service on the basis of the Users' consent, the applicable legal regulations and this Policy.
In doing so, Controller acts so that the anonymity of Users is ensured as far as possible, thus neither the provider nor any person or organisation participating in the provision of the EAP Service or any third party may become aware of the Users' identity. Given that framework, the data with regard to Users that are processed by Controller shall be limited to:
The purpose of the data processing is to provide the EAP service to the Users, without identifying their person or revealing their identity, while retaining the privacy and anonymity of their data, if that is possible.
Controller can not deliver the EAP service to the User.
Users have the discretion to contact Controller by notifying Controller of their request for the EAP Service. When a request is received, Controller informs Users about the specification of the data that need to be processed for using the service, the retention period, the purpose of data use, the fact that data will be transferred and the recipients thereof.
Data may be transferred only on the basis of the consent of the data subject or an authorisation
granted by law in all cases. Controller will transfer personal data only if the legal basis
thereof is unambiguous and the purpose of the transfer as well as the intended recipients are
accurately specified. Controller shall document each case of data transfer in such a way that
the process and lawfulness of transfer can be demonstrated.
Controller shall refrain from disclosing any data concerning the Users, including those specified in Section 10 of this Policy, to the Partners or to third parties. Controller gives account to the Partners of the activities carried out in the form of monthly statistical reports, which will not include personal data and will not permit identification of Users, either directly or indirectly.
Controller is required to comply with the data transfer obligations set out in legal regulations.
Apart from the above, data transfer shall take place only in case of the unambiguous and explicit consent of the data subject.
The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
The data subject shall have the right to obtain from the Controller restriction of processing where one of the following applies:
Controller processes the data concerning the User for the period necessary for the provision of EAP Service and the related settlement of accounts with the Partners but not longer than three months.
Users may request information about their personal data that is processed. Controller informs Users of the personal data processed, their resources, purposes, legal basis and retention period, as well as the name and address of the Data Processors, and their activity connecting to data processing, without undue delay, but within one month of receiving the request at the latest.
Controller shall ensure the security of the data. To this end, Controller takes the necessary
technical and organisational measures in respect of data stored both by information technology
instruments and on traditional paper based media. Controller shall take steps to give effect to
the privacy rules laid down in applicable legal regulations. Controller shall ensure the
security of the data, shall take the technical and organisational measures and shall lay down the
procedural rules that are necessary to give effect to the relevant legal regulations and rules
governing data privacy and confidentiality.
Controller shall take all necessary measures to protect the data, in particular from unauthorised access, alteration, transfer, public disclosure, erasure or destruction and from accidental loss or damage as well as from becoming inaccessible due to changes in the applied technology.
When Controller determines and applies measures to ensure data security, Controller shall take into account the state of the art technology. When several data processing options are available, Controller shall select the one that provides the highest level of protection for personal data, unless doing so would incur disproportionate difficulties.
Controller stores the personal data in an appropriately encrypted SQL database. To provide the necessary technical environment required by the EAP service, when queries are submitted through the mobile application, in addition to the data specified in section 10., Controller is also processing the user name and password provided by the User, along with the cookies (which allow the identification of the submitting computer) used by the online surface where the user’s queries or issues are submitted.
The cookies are exclusively used to identify the computer used for the submission and only contain the current number of steps the user is at in the query submission process; user data is not stored in this phase by the Controller.
In the case of a personal data breach, the Controller shall without undue delay and, where
feasible, not later than 72 hours after having become aware of it, notify the personal data breach
to the competent supervisory authority, unless the personal data breach is unlikely to result in a
risk to the rights and freedoms of natural persons. Where the notification to the supervisory
authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
The Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred in the GDPR.
If the Controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that the communication is dispensable.
Data subjects may contact the data protection officer with regard to all issues related to
processing of their personal data and to the exercise of their rights specified by the relevant
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.
Name and contact details of the Data Protection Officer appointed by the Controller:
Data Protection Officer, CGP EUROPE Kft.
postal address: H-1024 Budapest, Ady Endre utca 19., Hungary
Should any questions or concern arise related to the data processing or data
transferring proceedings of CGP Europe Kft., do not hesitate to contact our Data
Protection Officer (DPO) in any of the availabilities listed in section #20. Your
questions related to data protection will be answered by the Data Protection Officer,
your issues or complaints will be investigated in cooperation with the Data Controller
and you will be informed upon the findings;
Should data subject’s rights be violated, data subject may turn to court against the Controller. In the case of court action, the Court will proceed forthwith. No charge duties are levied on court proceedings related to personal data protection.
Subject may forward its complaints to the Hungarian National Authority for Data Protection and Freedom of Information. (mailing address: 1262 Budapest, P.O. Box: 9; address: 1055 Budapest, Falk Miksa u. 9-11.).
Upon any violation of their rights, Users may seek legal remedy against the Controller with reference to the provisions of the Info Act and the Civil Code and may take such complaints before a court or the National Authority for Data Protection and Freedom of Information (mailing address: 1363 Budapest, P.O. Box: 9; Address: 1055 Budapest, Falk Miksa u. 9-11.). In the case of court action, the Court will proceed forthwith.
Controller shall publish this Policy at its website (www.24eap.com), and shall notify Users about
the availability of this Policy. Upon a specific request by a User to that effect, Controller shall
also send this Policy directly to the User.
Controller sends this Policy as well as any amendments directly to the Partners.
This Policy enters into force upon signature.
The provisions of this Policy shall apply to data processing taken place after entry into force hereof.
The provisions of this Policy shall also apply to data processing being in progress at the time of the entry into force hereof.
Any issues not regulated herein shall be governed by the provisions of the legal regulations listed in Section 4 hereof.
With effect from the date of entry into force, this Policy supersedes and repeals the previous data processing policies in effect at the Controller.
Budapest, 25 May 2018.