Data protection

PRIVACY NOTICE

Contents

1        What is the purpose of this notice?

2        Details of the data controller

3        Data processing processes

3.1          Getting in and keeping contact

3.1.1       What data are processed and what is the purpose of data processing

3.1.2       Legal basis of data processing

3.1.3       Duration of data processing

3.1.4       Method of data processing

4        What rights do Users have?

4.1          Right to access

4.2          Right to rectification

4.3          Right to erasure

4.4          Right to be forgotten

4.5          Right to restriction of processing

4.6          Right to data portability

4.7          Right to object

4.8          Responding to requests

4.9          Remedy options

5        Our process related to requests to exercise rights

5.1          Notification of recipients

5.2          Method and deadline of notification

5.3          Verification

5.4          Costs of notification and taking action

6        Possible recipients of personal data, and data processors

6.1          In terms of operating the website

6.2          In terms of social media platforms

6.3          Joint data processing with Meta Platforms Ireland Limited

7        Data security

7.1          Organisational measures

7.2          Technical measures

8        Cookies

8.1          What is a cookie?

8.2          Google Analytics

8.3          How can cookies be managed?

9        Miscellaneous

9.1          Data processing for other purposes

9.2          Record keeping requirements

9.3          Personal data breach

9.4          Amendment

10      Appendices

Appendix 10.1        Applicable laws and regulations

Appendix 10.2        Definition of terms relating to the processing of personal data

Appendix 10.3        Data subject rights

1.    What is the aim of this notice?

We hereby accept this Notice in order to provide the representatives of the natural and legal persons (hereinafter: Users) using our services with all the relevant information and details in a concise, transparent, comprehensible and easily accessible way, with clear and simple wording, and also to help Users exercise their rights specified in Section 4. Our services are available at www.hsagroup.hu.

The basis of our information obligation is Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR), applicable as of 25 May 2018, Article 16 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Infotv.), as well as Article 4 of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Elkertv.).

This Notice has been prepared with consideration to GDPR, Infotv. and other laws relevant to data processing. These laws and regulations are listed in Appendix 10.1 of this Notice, the main terms are defined in Appendix 10.2, and a detailed description of the data subjects’ rights can be found in Appendix 10.3.

When preparing and implementing this notice, we followed the findings in the recommendations of the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) on the data protection requirements of preliminary information, and also the accountability principle described in Article 5 of the GDPR, particularly Article 5(2).

We also monitor the practice of the European Union related to the protection of personal data; thus we include in our practices the content of the guidelines on transparency set out by the Article 29 Working Party of the European Commission.

2.    Details of the data controller

Name: HSA Group Zrt.

Registered office: H-1051 Budapest, Széchenyi István tér 7-8. 

Company registration number: 01-10-142262

VAT ID: 32223877-2-41

Email: info@hsagroup.hu

3.    Data processing processes

This section details the relevant circumstances for each data processing activity required of all data controllers by the GDPR and other legislation applicable to the industry.

3.1  Getting in and keeping contact

You can contact us through our home page for any purpose. In addition, it is part of our job to process the personal data of the contact persons of our business partners. Please refer to the details of the corresponding data processing below.

3.1.1  What data are processed and what is the purpose of data processing

| Personal data | Purpose of data processing | Legal basis of data processing |
|---|---|---|
| name | to identify the User or the contact person of our business partner | Consent given by the User (Article 6(1) (a) of GDPR); Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
| email address | getting in and keeping contact with the User or the contact person of our business partner | Consent given by the User (Article 6(1) (a) of GDPR); Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
| phone number | getting in and keeping contact with the User or the contact person of our business partner | Consent given by the User (Article 6(1) (a) of GDPR); Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
| public profile data accessible on social media platforms | to identify the User | Consent given by the User (Article 6(1) (a) of GDPR); Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |

3.1.2  Legal basis of data processing

The consent of the User given when getting in contact by showing voluntary, explicit behaviour (making a phone call or sending an email) to processing their personal data for a purpose defined in Section 3.2.1 (Article 6(1) (a) of GDPR).

In case we use the data of the User for a purpose other than the original purpose for which it was collected, we will notify the User about doing so, obtain their preliminary, explicit consent, and give them the opportunity to ban using their data (see: Section 9.1).

The above specified personal data of the contact person of our business partner are processed based on the legitimate interest of the data controller and the business partner (Article 6(1) (f) of GDPR). It’s the legitimate interest of both parties to have effective business communications while using the website and discussing the partnership, and to be able to inform each other’s relevant representatives of the material circumstances relevant to our contract. Here, the right to informational self-determination of the contact person of our business partner is not considered to be violated, as it is their official or contractual duty to facilitate communication between the parties and to provide their personal data for this purpose. The contact person of our business partner can object to such data processing.

3.1.3  Duration of data processing

We process the provided personal data until the consent is withdrawn. The User can withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

We process the personal data of the contact persons of our business partners for a period necessary for communication and until we are required to do so by applicable law (in compliance with Act V of 2013, it is 5 years from the performance or termination of the contract, and in compliance with Act C of 2000, it is 8 years from issuing the invoice).

 

3.1.4  Method of data processing

Electronically.

 

4.    What rights do users have?

It is important for us to process data in a way that meets the requirements of fairness, lawfulness and transparency. In this context, we will briefly describe in this section what type of rights data subjects have. Further details can be found in Appendix 3 to this notice.

Our Users may request free information on the details of the processing of their personal data, access or obtain a copy of the personal data processed, and in certain cases specified by law, request the rectification, erasure, blocking or restriction of the processing of such personal data and object to the processing of such personal data. Users may send their requests for information or requests under this section to the contact details provided in Section 2.

4.1  Right to access

Our User can receive feedback from us about the processing of their personal data, access these personal data and the details of their processing, and obtain a copy of the personal data processed by us.

4.2  Right to rectification

On the User’s request, we rectify their inaccurate personal data without undue delay, and the User shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

4.3  Right to erasure

On the User’s request, we shall erase their personal data, if processing is not needed any more, or if the User withdraws their consent, or objects to processing their data, or processing is unlawful.

4.4  Right to be forgotten

We seek to inform all data controllers of the User’s request for erasure (if they require us to do so) who accessed or might have accessed the potentially disclosed data of the User.

4.5  Right to restriction of processing

On the User’s request, we shall restrict data processing if the accuracy of personal data is debatable, or data processing is unlawful, or our User objects to processing their data, or in case we no longer need the provided personal data.

4.6  Right to data portability

Our User can receive the personal data concerning and provided by them in a structured, commonly used and machine-readable format, and has the right to transmit it to other data controllers.

4.7  Right to object

Our User should have the right to object to processing their personal data based on legitimate interest for a reason related to their own circumstances (see: Section 3.1). In this case we are not allowed to process these personal data any longer, unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims. In case of objection, personal data are not allowed to be processed any further by default.

4.8  Responding to requests

We shall assess the request as soon as possible after submission, but no later than 30 days – 15 days in the case of an objection – after submission, and decide whether it is valid, and notify the requester of this decision. If we don’t fulfil the request of the requester, we inform them in our decision about the factual and legal reasons.

4.9  Remedy options

It is important for us to keep personal data safe, and we also respect the User’s right to informational self-determination, therefore we seek to respond to all requests in a fair and timely manner. In this regard, we ask Users to contact us first with any complaints or queries before turning to authorities or courts to enforce their potential claims, so that any objections can be addressed as quickly as possible.

In case this proves unsuccessful, our User can enforce their rights at court based on Act V of 2013 on the Civil Code (the action can be brought before the competent regional court as per the domicile or place of residence of our User; for a list of regional courts and their contact details, please visit http://birosag.hu/torvenyszekek), moreover, based on those set out in the Infotv., can reach out to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) (address: H-1055 Budapest, Falk Miksa utca 9-11.; mailing address: H-1363 Budapest, Pf.: 9.; phone: +36 1 391 1400; fax: +36 1 391 1410; email: ugyfelszolgalat@naih.hu; website: https://naih.hu/; hereinafter: NAIH), and file a complaint there.

5.    Our process related to requests to exercise rights

 

5.1  Notification of recipients

In the event of rectification, erasure or restriction of data processing, we will always notify the recipients to whom the personal data of the User might have been disclosed, unless this proves to be impossible, or when the effort necessary to do so would be disproportionate. On the User’s request, we shall give information about these recipients.

 

5.2  Method and deadline of notification

We shall give information about the measures taken at the requests related to Section 4 electronically no later than one month after receiving such request, if the User does not require otherwise. This period can be extended with an additional two months as applicable, regarding the complexity of the request or the number of requests. The User shall be informed of such extension together with a description of the underlying reasons within one month from receiving the request.

When requested by the User, the information may be provided orally, provided that the User’s identity is proven by other means.

If we do not take action on a request, we shall inform the User of the reasons no later than one month after receiving the request, and also of the fact that they can lodge a complaint with NAIH and seek a judicial remedy (Section 4.9).

 

5.3  Verification

Under exceptional circumstances, where we have reasonable doubts concerning the identity of the natural person making the request, we shall request the provision of additional information necessary to confirm their identity. This measure is necessary to promote the confidentiality of data processing defined in Article 5 (1) (f) of GDPR, i.e. to prevent unauthorised access to the personal data.

5.4  Costs of notification and taking action

We shall provide information for the requests concerning Section 4, and implement the corresponding measures free of charge.

If the User’s request is clearly unreasonable or has an excessive character (especially when it’s recurrent), we shall charge a reasonable fee (considering the incurring administrative costs when providing the requested information or the notification, or implementing the requested measure), or we shall refuse to take action based on the request.

6.    Possible recipients of personal data, and data processors

6.1  In terms of operating the website

The web host as data processor has the right to access the personal data provided during the use of the website.

Name: Websupport Magyarország Kft.

Contact: https://www.hsagroup.hu/impresszum/

6.2  In terms of social media platforms

Our website is connected to various social media platforms (e.g. Facebook, LinkedIn, Twitter, Google+, Instagram, YouTube); which means that in case the User “likes” our Facebook page, or “follows” us on Twitter, we get to know all the publicly available personal data connected to their account. Data processing activities on these platforms are subject to the relevant information contained in the respective service provider’s own privacy notice.

6.3  Joint data processing with Meta Platforms Ireland Limited

Facebook (including the Facebook mobile app and the in-app browser) is available through the Meta product portfolio of Meta Platforms Ireland Limited (registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland; Irish company registration number: 462932; website: https://about.facebook.com/meta). In the context of using Facebook, the terms of use, the privacy policy and the privacy notice of Meta Platforms Ireland Limited should be referenced in case of current data processing activities, depending on the specific purpose of the data processing:

  • Together with Meta Platforms Ireland Limited, we are jointly responsible for processing your personal data, with the purpose of creating target groups, sending messages related to commercial transactions, customising functionalities and content, developing Meta products and making them safer. For compliance with GDPR, you can reach the agreement on settling the chains of responsibility, and the notification about the privacy shield framework of data transfers on the following sites: https://www.facebook.com/legal/Workplace_GDPR_Addendum; https://www.workplace.com/legal/WorkplaceEuropeanDataTransferAddendum?fbclid=IwAR1KngiTZgbBM7CxwiyX7937hOazemFX9svQl34lMfVEwNJkhdboDUDF_9A; https://www.facebook.com/about/privacyshield.
  • In this joint data processing, it is predominantly the responsibility of Meta Platforms Ireland Limited to provide information on data processing, and to enable the data subjects to exercise their rights according to GDPR. For more information about Facebook’s processing of your personal data, and about the rights and options of the User related to this processing, please refer to the Facebook privacy notice of Meta Platforms Ireland Limited here: https://www.facebook.com/about/privacy/.
  • Otherwise, the parties have separate responsibility for the processing of personal data.

Data processing implemented by us is based on the consent given by the User, in compliance with Article 6(1) (a) of the GDPR. You can withdraw your consent at any time in the future by changing your preferences in the cookie banner. The withdrawal of consent shall not affect the lawfulness of data processing based on consent before its withdrawal.

7.    Data security

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, we shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.

We and the employees of the data processors are authorised to access the personal data of the User to an extent appropriate for the tasks of their job. We shall take all security, technical and organisational measures to safeguard the safety of the data.

7.1  Organisational measures

Our IT systems can only be accessed with personalised accounts. When assigning such access, there is a “necessary and sufficient” approach: any employee can use our IT systems and services to the extent appropriate for completing their tasks, with the corresponding rights and for the sufficient period of time. Access to the IT systems and services shall be given only to the person who is not subject to restrictions for security or other (e.g. conflict of interest) reasons, and who has the professional, business and information security knowledge for the safe use thereof.

We and our data processors are bound by a written statement of strict confidentiality and are required to act in accordance with these rules of confidentiality in the course of our activities.

7.2  Technical measures

Data (except for the data stored by our data processors) are stored on our own devices, in a data centre. The IT devices storing these data are located separately, in severed, secured server rooms, protected by a multi-level access control system with authorisation control.

Our intranet is safeguarded by multi-level firewall protection. There is always a hardware firewall (gateway device) at the entry points of the public networks used, everywhere and in every instance. Data is stored redundantly, which means the same data is stored at different locations, in order to protect them from destruction, loss, damage or unauthorised destruction.

Our intranets are protected from outside attack via multi-level, active protection (e.g. virus protection) against complex malware codes. We enable the necessary external access to the IT systems and databases we operate via an encrypted data connection (VPN).

We shall do our best to always keep our IT devices and software compliant with the technological solutions widely accepted in the market. Through our developments, we create systems that use logging to control and monitor operations and detect incidents such as unauthorised access. Our server is located on a separate and dedicated server of the web host provider, protected and secured. Taking into account the applicable recommendation of NAIH, we use the https protocol on the website, which means a higher level of data security as opposed to the http protocol.

8.    Cookies

For the appropriate functioning of our website, in certain cases we place small data files on the computer device of the User, just like most modern websites do.

8.1  What is a cookie?

A cookie is a small text file placed on the computer device (including mobile phones) of the User by the website. This allows the website to “remember” the settings of the User (e.g. language, font size, display option, etc. used), so that the User won’t need to set these again when visiting our website. For a list of the cookies used on our website, please see the Cookie Policy published on the website (https://www.hsagroup.hu/sutik//).

8.2  Google Analytics

  1. The Website uses Google Analytics, a web analytics service provided by Google LLC (hereinafter: “Google”). Google Analytics uses so-called cookies, which are text files saved on the computer, to help analyse how the User uses the website they visit.
  2. The information created by the cookies in connection with the website used by the User is usually transferred to and stored on a Google server located in the USA. By enabling IP anonymisation on the Website, Google shall previously shorten the User’s IP address if they are in an EU member state or another country included in the agreement on the European Economic Area.
  3. Transferring and storing the whole IP address on a Google server located in the USA, and shortening the address there is only done in exceptional circumstances. On our behalf, Google shall use this information to assess how the User uses the website, and to make reports for us about the activities on the website, and also to provide additional services related to website and internet usage.
  4. In Google Analytics, the IP address transferred by the User’s browser shall not be merged with other data held by Google. The User can prevent the storage of cookies by setting their browser appropriately, but please note that in this case the User might not access all functionalities of the website fully. Moreover, downloading and installing the plugin at the following link can prevent Google from collecting and processing the data from cookies related to the website usage of the User (including the IP address): https://tools.google.com/dlpage/gaoptout?hl=h

8.3  How can cookies be managed?

Cookie files can be deleted (for more details see www.AllAboutCookies.org), or most browsers used today can block them, too. In this case, however, you will need to make certain settings again each time you use our website, and some services might not function properly. For details about deleting and blocking cookies, see www.AllAboutCookies.org (in English) and the following links regarding the various browsers used by the User:

9.    Miscellaneous

9.1  Data processing for other purposes

If we want to use the data provided for a purpose other than the original purpose for which it was collected, we will notify the Users about doing so, obtain their preliminary, explicit consent, and give them the opportunity to ban using their data.

9.2  Record keeping requirements

In compliance with Article 30 of the GDPR, we keep records of the data processing activities carried out under our responsibility (records of data processing activities).

9.3  Personal data breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. In case of a personal data breach, we are obliged to proceed according to Articles 33 and 34 of the GDPR. We document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

9.4  Amendment

We have the right to amend this Notice any time unilaterally. In case this Notice is amended, we keep the previous versions, and, if possible and reasonable, notify the data subjects of the amended clauses.

Effective date: 10 July 2023

10.    Appendices

 

Appendix 10.1: Applicable laws and regulations

When drafting this Notice, the Data Controller considered the applicable and effective laws and regulations and the major international recommendations, particularly the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
  • Act V of 2013 on the Civil Code (Ptk.);
  • Act CXXX of 2016 on the Code of Civil Procedure (Pp.);
  • Act C of 2000 on Accounting (Számv. tv.);
  • Act CLV of 1997 on Consumer Protection (Fgytv.);
  • Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Elkertv.).

Appendix 10.2: Definition of terms relating to the processing of personal data

 

  • controller: means the legal person which determines the purposes and means of the processing of personal data;
  • processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • transfer: means making the data available for a specific third party;
  • erasure of data: means making the data unrecognizable in a manner that their recovery is not possible;
  • marking of data: means marking data with an identifier to distinguish it from other data;
  • restriction of processing: means the marking of stored personal data with the aim of limiting their processing in the future;
  • destruction of data: total physical destruction of the data storage device;
  • processor: means a legal person which processes personal data on behalf of the controller;
  • recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;
  • cookie: small packet of data (text file) sent by the web server and placed on the computer of the User for a specified period, which, depending on the type, may be supplemented by the server when the website is visited again, meaning the browser returns a previously saved cookie, and the service provider managing that cookie can link the current visit of the user to previous visits, but only in respect of its own content;
  • data subject/User: means an identified or unidentified natural person; an identified natural person is someone who can be identified directly or indirectly, in particular based on any identifier, e.g. name, number, location data, online identifier or one or more factors relevant to the bodily, physiological, genetical, mental, economic, cultural or social identity of that natural person;
  • third party: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • consent of the data subject: means any freely given, specific and properly informed indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;
  • IP address: in all networks that work with the TCP/IP communication protocol, servers have an IP address or identification number that enables the identification of the given computer over the network. It is well known that every computer connected to a network has an IP address, by which it is identifiable;
  • personal data: means any information relating to the data subject;
  • objection: means a statement made by the data subject disapproving the processing of their personal data, and requesting ceasing data processing and erasure of the processed data.

Appendix 10.3: Rights of data subjects

 

Access

The User shall have the right to get access to their personal data processed by us, upon their request submitted via our contact details. By doing this, the User shall obtain information on the following:

  • whether or not personal data concerning him or her are being processed;
  • the purposes of processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  • the envisaged period for which the personal data will be stored;
  • his or her rights;
  • his or her remedy options;
  • information on the source of data.

Moreover, the User may request making a copy of their personal data subject to data processing available for them. In this case, personal data shall be made available to them in a structured, commonly used and machine-readable format (PDF/XML), and/or in a printed, paper-based version thereof. The User can request such copy free of charge.

 

Rectification

The User shall have the right to ask the personal data concerning them and processed by us, and which are inaccurate, to be rectified upon their request submitted via our contact details. In case we do not have the information necessary for the correction and completion of the erroneous data, we may ask them to submit the additional information and a verification of the accuracy of these data. We shall restrict processing the data subject’s personal data, and temporarily suspend the operations carried out related to them (except storage), until the correction and completion of data is finished (due to lack of supplementary information).

Erasure

The User shall have the right to ask the erasure of the personal data concerning them and processed by us, upon their request submitted via our contact details, if any of the following conditions apply:

  • we no longer need the provided data;
  • the User has concerns about the lawfulness of our processing of their data.

In case we find upon the request of the User that there is a valid obligation to erase the personal data processed by us, we cease processing the data, and destroy the personal data processed earlier. In addition, an obligation to erase personal data may result from the withdrawal of consent, the exercise of the right to object, and also based on legal obligations.

 

Restriction of data processing

The User shall have the right to ask the restriction of processing the personal data concerning them and processed by us, upon their request submitted via our contact details, in the following cases:

  • they have concerns about the lawfulness of our processing of their personal data concerning them and processed by us, and they ask restriction instead of erasure of the data;
  • we no longer need the provided data, but the User requests us to have them for the establishment, exercise or defence of legal claims.

We shall automatically restrict processing the personal data when the User contests the accuracy of the personal data, and/or the User exercises their right to object. In this case, restriction applies to a period enabling the verification of the accuracy of the personal data and/or (in case of objection) exploring if the preconditions for data processing are still met.

During the restriction period, no data processing operations shall be completed on the marked personal data, except for storage. In case data processing is restricted, personal data shall be processed exclusively in the following instances:

  • based on the consent of the data subject;
  • the establishment, exercise or defence of legal claims;
  • the protection of other natural or legal persons’ rights;
  • for reasons of important public interest.

We shall inform the User before the restriction is lifted.

 

Data portability

The User shall have the right to ask the provision of the personal data concerning them and processed by us, for further use defined by the User, upon their request submitted via our contact details. In addition, the User can also request us to transfer their personal data to the other data controller specified by them.

This right applies exclusively to the personal data provided by the User and processed for the completion of their contract. There is no option to make any other data portable. Personal data shall be provided to the User in a structured, commonly used and machine-readable format (PDF/XML), and/or in a printed, paper-based version thereof.

Please note that exercising this right does not automatically mean erasing the User’s personal data in our systems. Moreover, the User should have the right to re-establish their relationship with us even after portability of their data is implemented.

 

Objection

The User shall have the right to object to processing their personal data for purposes described in Section 3.1 of this Notice, upon their request submitted via our contact details. In this case we assess whether there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or which are for the establishment, exercise or defence of legal claims. If we find that such grounds exist, we carry on processing the personal data. Otherwise, we shall not process the personal data any longer.