
Data Protection (Adatvédelem)

General part

Introduction

The purpose of these data protection regulations (hereinafter: "Regulations") is to regulate the processing of personal data by Krupp-System Kft. (hereinafter: "Krupp-System Kft." or "data controller"), to protect the privacy and rights of data subjects, and to meet the requirements of the data protection legislation in force at any time, in particular the General Data Protection Regulation of the European Union (GDPR, Regulation (EU) 2016/679), as well as the requirements of the ISO/IEC 27001 standard and the NIS2 directive.

Material scope of the instruction

The material scope of the instruction covers the activities, processes and systems that are regulated within the framework of the data protection and information security regulations.
Accordingly, the Data Protection and Information Security Policy of Krupp-System Kft. covers all systems and activities in the course of which Krupp-System Kft. processes personal data, whether as controller or through a processor.

This includes:

  • All data management operations (collection, storage, organization, use, transmission, deletion, etc.).
  • Information security measures related to data management processes.
  • Data management activities performed by data processors.
  • The operation and security of IT systems handling personal data.
  • Cyber security regulations, including NIS2 and ISO 27001 compliance.

Therefore, the material scope applies to all data protection and security systems, regulations and measures that Krupp-System Kft applies when handling personal data.

Personal scope of the instruction

The personal scope of these Regulations covers all persons who participate in the activities of Krupp-System Kft. and whose personal data is processed by Krupp-System Kft., including in particular:

  • Employees of Krupp-System Kft.: those who handle personal data in the course of their employment or other legal relationship, and those whose own personal data is processed by the company.
  • Contractual partners and subcontractors: those who process or have access to personal data on the basis of a contract with Krupp-System Kft.
  • Clients, customers and users: those who use the services of Krupp-System Kft. or are otherwise connected with the company, and whose personal data is processed by the company.
  • Data processors: those who process personal data on behalf of Krupp-System Kft. and are obliged to comply with these Regulations while performing their processing tasks.
  • Third parties: those who come into contact with Krupp-System Kft. and whose personal data is processed by the company, for example website visitors, newsletter subscribers and complainants.


Related policies and legislation

Legislation

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
    The General Data Protection Regulation, which regulates the processing of personal data of natural persons in the European Union. The Regulation defines the rights of data subjects, the obligations of controllers and processors, and the handling of personal data breaches.
  • Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.)
    Hungary's data protection act, which regulates the processing and protection of personal data and the disclosure of data of public interest. The Infotv. supports the application and enforcement of the GDPR at the national level.
  • ISO/IEC 27001:2013
    The international standard for information security management systems, which sets out the requirements for ensuring the confidentiality, integrity and availability of information. (The 2013 edition referenced here has since been superseded by ISO/IEC 27001:2022.)
  • Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2)
    The Directive on measures for a high common level of cybersecurity across the Union (NIS2), which strengthens the cyber security obligations of essential and important entities in the EU, including providers of digital services and operators of networks.
  • Act L of 2013 on the electronic information security of state and local government bodies (Ibtv.)
    The act requires public sector bodies to introduce and maintain measures to protect their electronic information systems; its requirements are also in line with those of ISO 27001.
  • Act I of 2012 on the Labor Code
    Contains rules on the processing of employees' personal data, with particular regard to the lawfulness and transparency of processing by the employer.
  • Act V of 2013 on the Civil Code (Ptk.)
    The Civil Code lays down the general rules for legal relationships connected with data processing, with particular regard to the handling of the data of parties to contracts and legal disputes.

 

Referenced and related policies and documents

  • Krupp-System Kft.: IT Security Regulations_Krupp-System_20240911_V01
  • Krupp-System Kft.: Policy on the discovery and publication of data of public interest
  • Krupp-System Kft.: Organizational and Operational Regulations

Reference regulations, documents

Document classification

  • Classification: Public
  • Purpose of use: the version that may be published on the Internet and on the official website of Krupp-System Kft.
  • Target audience: customers, partners and employees of Krupp-System Kft., data protection authorities and all stakeholders affected by the processing of personal data.
  • Publication platform: the official website of Krupp-System Kft. (www.kruppsystem.hu).

This document is publicly available, because the information it contains is relevant to all stakeholders who wish to learn about the rights and obligations related to data processing. The document does not contain confidential information requiring protection, so it may be released to the public.

Publication options on the website

  • The document can be published in PDF format, which is easy to access and download for interested parties.
  • A directly readable version can also be made available on the website, which visitors can browse without downloading anything.
  • An understandable, easy-to-navigate interface can be provided, where visitors can easily find the rights and obligations of data subjects and the contact details of the data protection officer.

Concepts

Data Controller
The natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data, alone or jointly with others. In this case, the data controller is Krupp-System Kft.

Data processor
The natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller. The data processor may only carry out processing operations on the documented instructions of the data controller.

Personal data
Any information relating to an identified or identifiable natural person. Identifiable is a natural person who can be identified directly or indirectly, for example by name, identification number, location data, online identifier or one or more factors related to their physical, physiological, genetic, mental, economic, cultural or social identity.

Special data
The category of personal data that requires special protection. This includes data related to racial or ethnic origin, political opinion, religious or worldview beliefs, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation.

Classified Information
Classified Information is information or data that is considered secret, confidential, restricted distribution, or otherwise classified under national or international law. Classified data requires special protection, and its handling is determined by strict rules, with particular regard to ensuring the confidentiality, integrity and availability of the data.

Data management
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, use, transmission, dissemination or otherwise making available, as well as erasure or destruction of the data.

Data protection incident
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed.

Data subject
The natural person whose personal data is processed. The affected person can be, for example, a customer, an employee, or a third party whose data is managed by Krupp-System Kft.

Consent
A freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject signifies agreement to the processing of their personal data.

Objection
The statement of the data subject in which he objects to the processing of his personal data and requests the termination of data processing or the deletion of the processed data.

Profiling
Any form of automated processing of personal data in which personal data are used to evaluate certain characteristics of a natural person, in particular to analyze or predict characteristics related to work performance, economic situation, health, personal preferences, interests or trustworthiness.

Data Protection Officer (DPO)
The person appointed by the data controller or data processor to ensure the legality of the processing of personal data and compliance with the GDPR. The DPO informs and advises on data management issues and maintains contact with the supervisory authorities.

Data transmission
Making personal data available to a specific third party. Transfer of data to another data controller or data processor also counts as data transmission.

Disclosure
The process of making personal information available to anyone, for example by publishing it on the Internet.

Pseudonymization
A technical procedure during which personal data is handled in such a way that the data subject cannot be identified without additional information. The purpose of pseudonymisation is to reduce the risk to the rights and freedoms of natural persons during data management.

Third party
The natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who can process personal data under the direct control of the data controller or data processor.


General Rules of the Data Protection and Information Security Policy

Purpose of the Data Protection and Information Security Policy


The purpose of this data protection and information security regulation (hereinafter: "Regulation") is to:

  1. Ensure the protection of the personal data of the persons concerned
    Krupp-System Kft. is committed to the legal and safe handling of personal data and strives to protect the privacy of the persons concerned. The Regulations define in detail how to manage, store, transmit and protect the personal data of the data subjects, with particular attention to compliance with the relevant data protection legislation, in particular the General Data Protection Regulation (GDPR) of the European Union.
  2. Ensure the transparency of data processing processes and procedures
    The Regulation is intended to regulate transparently when and how Krupp-System Kft. processes personal data, including the purpose, legal basis and duration of processing and the rights of the data subjects.
  3. Define the obligations of Krupp-System Kft. and the rights of the data subjects
    during data processing activities.
  4. Ensure information security and compliance with cyber security regulations
    The Regulation also serves to ensure an appropriate level of information security measures in accordance with the requirements of the ISO 27001 standard and the NIS2 directive. These measures protect personal data against unauthorized access, loss, destruction or alteration.
  5. Regulate the handling and reporting of data protection incidents
    The Regulation also determines how data protection incidents are handled, including the reporting obligations towards the supervisory authority, the information given to the affected data subjects and the response to incidents.
  6. Ensure legal compliance
    The Regulations also aim to ensure that the data processing and information security activities of Krupp-System Kft. comply with the applicable data protection legislation (e.g. GDPR, Infotv.), the ISO 27001 standard and the NIS2 directive.
  7. Raise awareness and establish responsible data processing practices
    The Regulations help ensure that all employees, contractual partners and data processors are aware of the data protection obligations and security requirements, and thereby develop a uniform, responsible data processing practice at Krupp-System Kft.

Data of the data controller

  • Name of data controller: Krupp-System Kft.
  • Headquarters: 2045 Törökbálint, DEPO 062/32 hrsz.
  • Company registration number: 13-09-106428
  • Tax number: 12811120-2-13
  • Postal address: 2046 Törökbálint, Pf. 31.
  • Phone: (+36) 23 511 030
  • E-mail: adatkezeles(kucac)kruppsystem.hu

As a data controller, Krupp-System Kft. is committed to the legal and transparent handling of personal data and ensures that the rights of those concerned are respected.

Purposes and legal basis of data management

Krupp-System Kft. processes personal data for the following purposes:

  • Contact with customers and partners.
  • Provision of services and fulfillment of contractual obligations.
  • Fulfillment of legal obligations.
  • Pursuit of the legitimate interests of the data controller.

Legal bases

Data is processed on the following legal bases, in accordance with Article 6(1) of the GDPR:

  • The consent of the data subject (Article 6(1)(a)).
  • Performance of a contract with the data subject, or steps taken at the data subject's request prior to entering into a contract (Article 6(1)(b)).
  • Compliance with a legal obligation to which the data controller is subject (Article 6(1)(c)).
  • The legitimate interests of the data controller (Article 6(1)(f)), except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Under its IT Security Regulations (IBSZ), Krupp-System Kft. does not process classified data. Classified data is any information that is considered secret, confidential, restricted distribution or otherwise protected under national or international law.

Management of personal data

Scope of data

During data processing, we process the following personal data:

  • Name
  • Email address
  • Phone number
  • Title
  • Birth details and identification numbers
  • Other identification information provided by the data subject

Data processors and recipients

Krupp-System Kft. may use data processors to carry out processing activities on its behalf. Such processors must provide adequate data protection guarantees, are bound by a data processing agreement, and carry out their activities strictly in accordance with the provisions of the GDPR and the documented instructions of Krupp-System Kft.

Rights of data subjects

The data subjects have the following rights in relation to their personal data managed by Krupp-System Kft:

  1. Right to information: data subjects have the right to request information from Krupp-System Kft. about which of their data is processed, how and for what purpose.
  2. Right of access: data subjects may ask Krupp-System Kft. to confirm whether their personal data is being processed, to learn about the personal data concerning them, and to obtain a copy of it.
  3. Right to rectification: data subjects may request the correction of their personal data if it is inaccurate, or its completion if it is incomplete.
  4. Right to erasure ("right to be forgotten"): data subjects may request the erasure of their personal data if the legal basis for processing no longer applies, for example because the data is no longer needed for its purpose or consent has been withdrawn.
  5. Right to restriction of processing: data subjects have the right to request that the processing of their personal data be restricted, for example while they contest its accuracy.
  6. Right to data portability: where processing is based on consent or a contract and is carried out by automated means, data subjects may receive the personal data they provided in a structured, commonly used, machine-readable format, or have it transmitted to another data controller named by them.
  7. Right to object: data subjects may object to the processing of their personal data, in particular where the processing is based on the legitimate interests of Krupp-System Kft.
  8. Rights related to automated decision-making, including profiling: data subjects have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them, unless the decision is necessary for entering into or performing a contract, is authorised by law, or is based on their explicit consent.

Reporting obligations

Report a data protection incident

In the event of a data protection incident, Krupp-System Kft. is obliged to notify the National Data Protection and Freedom of Information Authority (NAIH) without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the incident is unlikely to result in a risk to the rights and freedoms of the data subjects.

How to report a data protection incident and contact details

If Krupp-System Kft. detects a data protection incident, the following steps must be followed:

  1. Reporting deadline:
    The data controller (Krupp-System Kft.) must notify the supervisory authority of the data protection incident without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the incident is unlikely to result in a risk to the rights and freedoms of the data subjects. If the notification is made later than 72 hours, it must state the reasons for the delay.
  2. Notification to the National Data Protection and Freedom of Information Authority (NAIH):
  • Authority name: National Data Protection and Freedom of Information Authority (NAIH)
  • Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
  • Postal address: 1530 Budapest, Pf.: 5.
  • Phone: +36 1 391 1400
  • Fax: +36 1 391 1410
  • E-mail: ugyfelszolgalat@naih.hu
  • Incident reporting form: NAIH Data Protection Incident Reporting System
  3. Content of the notification:
  • Nature of the data protection incident: a description of the type of incident, including the categories and approximate number of data subjects and of personal data records concerned.
  • Name and contact details of the data protection officer: the data protection officer responsible for data protection at Krupp-System Kft. (name, phone number, e-mail address), or another contact point where more information can be obtained.
  • Likely consequences: a description of the likely consequences of the incident, including the possible effects on the data subjects.
  • Measures taken by the data controller: a description of the measures taken or proposed by the data controller to address the incident, including steps taken to mitigate its possible adverse effects.
  4. Communication to the data subjects: where the incident is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must also be informed without undue delay. The communication must describe, in clear and plain language, the nature of the incident, its likely consequences, the measures taken or proposed by the data controller, and the contact details of the data protection officer.

Remedies

Data subjects may use the following legal remedies if they believe that they have been wronged in relation to the processing of their personal data:

  1. Submitting a complaint to the supervisory authority
    The data subject may lodge a complaint with the National Data Protection and Freedom of Information Authority (NAIH):
  • Name: National Data Protection and Freedom of Information Authority
  • Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
  • Phone: +36 1 391 1400
  • E-mail: ugyfelszolgalat@naih.hu
  • Website: NAIH website
  2. Initiating court proceedings
    The data subject has the right to bring proceedings before a court if they consider that Krupp-System Kft. has processed their personal data unlawfully. The action may be brought before the court competent for the data subject's place of residence or habitual residence.
  3. Claiming compensation
    The data subject may claim compensation if they have suffered material or non-material damage as a result of an infringement of the data protection rules.

Data Protection Officer (DPO)

Krupp-System Kft has appointed a data protection officer who monitors compliance with data protection regulations, advises on data management issues and maintains contact with the authorities.

Name and contact details of data protection officer:

Data security and cyber security measures

ISO 27001 regulations

In order to protect personal data, Krupp-System Kft applies the following measures in accordance with the ISO 27001 standard:

  1. Access control : Only authorized employees have access to personal data. Access rights are reviewed regularly.
  2. Encryption : We ensure the confidentiality of personal data using encryption.
  3. Incident management : We handle data protection incidents based on a strict procedure, the incidents are documented and reported to the affected parties and the authorities.
  4. Continuous risk management : We regularly assess risks and carry out a data protection impact assessment where necessary.

NIS2 specifications

In order to comply with the NIS2 directive, Krupp-System Kft applies the following cyber security measures:

  1. Maintaining system security: we continuously monitor critical IT systems and networks and ensure their protection.
  2. Incident reporting: significant cyber security incidents are reported to the competent authority within the deadlines set by the NIS2 directive (an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month), and remediation is started immediately to minimize adverse consequences.
  3. Business continuity: we ensure the continuous operation of IT systems and regularly test our disaster recovery plans.

Data management records

Krupp-System Kft keeps a detailed record of its data management operations, including the following information:

  • Purpose of the processing.
  • Categories of data subjects and of personal data.
  • Recipients of the data.
  • Retention period.
  • Legal basis of the processing.

These records are created under the supervision of the data protection officer and are available to the authorities if necessary.


Final and supplementary provisions

Effective date

Effective date of this document: 18 September 2024.

Organizational unit responsible for maintenance and preparation

Prepared by: the IT Security department of Krupp-System Kft.
The IT Security department is responsible for preparing, maintaining and updating the data protection and information security policy of Krupp-System Kft. It continuously monitors changes in data protection and information security legislation and standards, ensuring that the policy complies with GDPR, ISO 27001 and NIS2 requirements.

Responsibilities:

  • Policy maintenance: the IT Security department regularly reviews and updates the policy in response to legislative, technological and internal changes.
  • Policy preparation and approval: the IT Security department prepares and develops the policy, which is then approved by the organization's management.
  • Liaising with management and the legal department: the IT Security department cooperates with the legal representative and senior management during the preparation and updating of the policy.

Other related organizational units:

  • Data Protection Officer (DPO) : The data protection officer actively participates in the preparation and maintenance of the policy, ensuring that the policy meets the requirements of the GDPR.
  • Legal department : To ensure the legal aspects of the policy, the IT Security department works with the legal representative, who checks for compliance.

This instruction must be reviewed at least every two years.