Data Processing Handout

Introduction

AUTOWALLIS Ltd. (hereinafter the “Controller”) wishes to provide information about the general requirements and conditions of its data processing operations during liaising with investors as well as the rights of data subjects in this document.

The fundamental rules of the management of personal data are laid down in Regulation 2016/679/EU (“General Data Protection Regulation” or “GDPR”) and in Act CXII of 2011 on the Right of Informational Self-Determination and the Freedom of Information.

The Controller only engages in such data processing operations in respect of the data subjects that are unavoidable and justifiable for the given legal relationships. The Controller focuses on enforcing the principle of data minimisation and does not manage any sensitive data.

The Controller complies with all laws applicable to the data processing operations conducted by it at all times and treats personal data with particular care.

Defined terms

In its documents pertaining to data processing, the Controller strives to reduce the usage of legal terminology to the greatest extent possible. However, in order to ensure the clarity of the information, the following terms shall have the following meanings, as defined in the GDPR:

  • data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
  • data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • personal data breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  • data subject: The identified or identifiable natural person whose personal data are concerned by the processing.
  • sensitive data: Special categories of personal data provided for in Article 9 of the GDPR, including personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • personal data: means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1. Data processing in relation to the Controller’s website

On the investor relations subpage of its website at https://autowallis.hu/befektetoi-kapcsolattartas/, the Controller allows investors to liaise with the Controller through electronic messages. The legal basis for data processing is the data subject’s consent that the data subject may withdraw at any time. In such cases, the Controller shall examine the messages exchanged and if, in his opinion, the contents thereof need to be retained with a view to the protection of its legitimate interests and the data protection legal conditions for such retention exist, then the Controller shall retain the messages exchanged until the relevant limitation period.

2. The duration of data processing

The Controller shall process the data during the general five year limitation period.

3. The principles of data processing

The fundamental principles of the data processing operations conducted by the Controller are laid down in Article 5 of the GDPR; these principles are to be construed in respect of the Controller as follows:

3.1. Lawfulness

The data processing operations conducted by the Controller always have an appropriate legal basis and the Controller fully complies with the provisions of the relevant data processing laws or contracts.

3.2. Fairness

The Controller manages the processed data with fairness and integrity, acts in good faith, does not abuse the personal data processed by it and respects and does not violate the data subject’s privacy and right to informational self-determination.

3.3. Transparency

The Controller conducts its data processing operations in a transparent manner both in respect of the Authority and the data subjects. The Controller informs the data subject about all data processing operations and where the data subject exercises his right of access, the Controller provides all necessary information prescribed in the GDPR in this regard. In the case of a personal data breach, if required by the law, the Controller shall comply with his notification obligation without delay.

3.4. Purpose limitation

The Controller conducts all data processing operations exclusively for justified and legitimate purposes. The purpose of data processing is always specified and the related information is unambiguous and not misleading.

3.5. Data minimisation

The Controller only processes personal data if this is necessary, also having regard to the principles of purpose limitation, lawfulness and fairness. All data processing operations conducted by the Controller are adequate and necessary for the company’s business.

3.6. Accuracy

The Controller strives to ensure that the personal data processed by it are complete, accurate and up-to-date and takes every reasonable step to ensure the rectification of any inaccuracies.

3.7. Storage limitation

The Controller only processes personal data until there is adequate legal basis for such processing and purpose limitation is ensured. Thereafter, the personal data are either erased, or the document containing such data is returned, or the given data are deprived of their personal nature.

The time limits applicable to the processing of the different categories of data are specified in the information documents pertaining to the given client contract or the processing of employee data.

3.8. Integrity and confidentiality

The Controller takes the necessary and adequate technical or organisational measures in order to ensure that its data processing operations comply with the data security requirements provided for in the GDPR and the relevant sectoral laws.

The Controller makes sure that only authorised persons can have access to the personal data processed by it and that such data are exclusively processed either by the Controller at its headquarters or by persons over whom the Controller has monitoring rights. The Controller’s infrastructure complies with the requirements provided for in the relevant sectoral laws.

Furthermore, the Controller ensures that the persons involved in the processing of the personal data are bound by an obligation of confidentiality.

4. The data subjects’ rights

Data subjects are entitled to exercise their rights specified below. Such legal statements shall be sent to the Controller’s registered office by mail. Requests for general information can also be sent by email. The Controller shall assess the legal statements without delay and if the conditions of lawfulness are met, the Controller shall comply with the request without delay but within one month at the latest. If the legal statement for the exercise of the data subject’s rights is unclear, the Controller shall call upon the data subject to supplement or modify the legal statement.

4.1. Right of access by the data subject

The data subject may request information about the data processing operations and may request the Controller to provide access to the personal data concerning him/her.

The Controller only provides access to the personal data if the data subject adequately proves his/her identity. Otherwise, the Controller may only provide general information.

4.2. Right to rectification

The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her.  Taking into account the purposes of data processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4.3. Right to erasure

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. b) the data subject withdraws the consent on which the processing is based and there is no other legal ground for processing;
  3. c) the data subject objects to the processing and there are no overriding legitimate grounds for processing;
  4. d) the personal data have been unlawfully processed by the Controller;
  5. e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject.

The right to erasure may be limited for the reasons provided for in Article 17 (3) of the GDPR.

4.4. Right to restriction of data processing

The data subject shall have the right to obtain from the Controller restriction of data processing where one of the following applies:

  1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
  2. b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  4. d) the data subject has objected to processing, in which case the restriction shall apply pending the verification whether the legitimate grounds of the Controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction is lifted, the Controller shall inform the data subject thereof before the restriction of data processing is lifted.

4.5. Right to data portability

The Controller is not engaged in any data processing concerning the personal data of its clients and employees or the personal data of any other data subject in relation to its client contracts that is fully automated and, accordingly, the data subjects are not entitled to exercise the right to data portability in respect of the personal data processed by the Controller.

4.6. Rights to object

The data subject shall have the right to object, on grounds relating to his/her particular situation, at any time to the processing of his/her personal data, if the Controller processes such personal data on grounds of public interest or the enforcement of the legitimate interests of a third party.

In such cases, the Controller may only continue to process the personal data if the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

4.7. Right to remedy

The data subject shall have the right to file an objection or bring a civil action pursuant to the provisions of Section 6.

5. Enforcement of rights

The data subject shall have the right to file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information if he/she believes that his/her rights provided for in the GDPR or the Information Act have been violated. In such cases, please first file your complaint with the Controller. Your complaint will be assessed immediately and the results of the assessment will be communicated to you.

The contact details of the National Authority for Data Protection and Freedom of Information are the following:

mailing address: 1530 Budapest, Pf.: 5.

address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

URL http://naih.hu

Furthermore, the data subject shall have the right to apply to a court if the data protection laws are violated. In such cases, the competent court under the GDPR shall be the Metropolitan Court of Budapest in respect of the Controller’s data processing operations, while for violations of the Information Act, the action can also be brought before the competent court at the data subject’s domicile or place of permanent residence.

The Controller’s contact details

AUTOWALLIS Nyrt.

Address: 1055 – Budapest, Honvéd utca 20.

Telephone/Fax: +36 1 551 5773

E-mail: info {at} autowallis.hu

Scope and amendments

This information document shall take effect upon publication. The Controller may unilaterally amend this information document. The Controller shall inform data subjects about such amendments through its website.