Data processing

General Terms and Conditions for Data Processing

 

Please be informed that if you have an agency relationship with Diamond tours s. r. o., this will be subject to the processing set out in the Data Controller’s Privacy Policy. This processing involves the Data Controller and you or your company. The Data Controller takes great care to comply with the highest standards of data protection, so that the processing complies with the GDPR.

 

The GDPR requires businesses involved in data processing to enter into a contract with each other to set out their obligations in relation to data processing. Therefore, the Data Controller has drafted and applies these General Terms and Conditions (hereinafter referred to as “General Terms and Conditions”, “GTC” or “contract”) as a general contractual agreement in which the Data Controller sets out the obligations of other undertakings involved in the processing of data in relation to the processing of the data in the context of the relationship of trust.

 

In view of the above, if you are entering into an agency relationship with Diamond tours s. r. o., please read these General Terms and Conditions carefully, as their provisions are binding on your business.

 

In these Terms and Conditions, the term “Processor” shall mean you and the term “Controller” shall mean Diamond tours s. r. o.

 

Definitions

 

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘controller’ means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be determined by Union or Member State law;

“employee of the controller” means any person who has an employment or other relationship with the controller or any other legal relationship with the controller under which that third party is involved in the processing of data subject to this contract;

“processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

‘representative’ means a natural or legal person established or resident in the Union and designated in writing by the controller or processor to represent the controller or processor in relation to the obligations incumbent on the controller or processor under this Regulation;

“automated decision making”: where a decision is made based on an assessment of the personal data of the data subject, solely by automated processing;

“profiling” means any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

“data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

“erasure” or “data deletion”: rendering data unrecognisable in such a way that it is no longer possible to recover it.

 

Role of the contracting parties in this contract

 

The data controller is a company that carries out online ticketing activities.

 

Diamond tours s. r. o.

94501 Komárno, Eötvösova ul. 3195/21

E-mail: info@ticket-paradise.com

Website: https://ticket-paradise.com

 

A data processor is a company that provides assistance to Diamond tours s. r. o. in the implementation of the data processing purposes (e.g. accounting, server services, etc.) under a contract of engagement.

 

Subject matter of the contract, data processing

 

The Parties shall be subject to both Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as “the Infotv.”) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “Regulation” or “GDPR”), and shall cooperate and exercise their rights and fulfil their obligations under this Agreement and process the personal data they obtain as a result of the above processing. The parties hereby agree on the rules for the processing operations to be carried out by the Processor on behalf of the Controller, and the Controller shall entrust the Processor with the performance of the tasks provided for in this contract. In the course of this mandate, the Parties shall place particular emphasis on the protection of the privacy of the data subjects of the personal data processed and on the implementation of the requirement of data security.

 

This contract is concluded in connection with the processing of data necessary for the operation of the business premises and online systems operated by [company name], in order to achieve the data processing purposes set out in the Data Controller’s Privacy Policy.

 

The Processor shall not use the personal data obtained in connection with this contract without the information and consent of the data subjects or beyond the requirements and limits set out in this contract or in the legal provisions. If the Data Processor breaches the foregoing, it shall be in breach of contract and in breach of the law. In such a case, the Data Controller may immediately withdraw or terminate this contract with immediate effect and the Data Processor shall be fully liable for the former conduct and its consequences.

 

Rights and obligations of the parties

 

The obligations of the parties in relation to their cooperation under this contract, in particular in the context of the exercise of the rights of data subjects, both in the Regulation and in this contract in relation to the Data Controller, shall be incumbent on the Processor, mutatis mutandis, unless otherwise provided by the parties or this contract. For example, if the data subject requests the Controller to erase or restrict his or her personal data, both the Controller and the Processor shall, mutatis mutandis, erase or restrict the data subject’s personal data.

 

All data and information obtained by the Processor in the course of the performance of this contract may be used exclusively for the Controller or in connection with the processing. The Data Processor shall comply with the conditions set by the Data Controller at all times and shall ensure data security conditions.

 

The Processor shall use persons with appropriate knowledge and experience to perform the tasks set out in this contract. He shall also ensure that the persons he employs are trained in the legal provisions to be complied with, the obligations contained in this contract and the purposes and methods of the processing.

 

Duty to cooperate and provide information

 

The parties are mutually obliged to cooperate and inform each other in the performance of this contract in relation to the cooperation and tasks covered by the contract and all relevant information, circumstances and questions relating thereto. Pursuant to the aforementioned obligation, the Parties shall notify each other without undue delay, but no later than within 3 working days.

 

If, at any time during the performance of the contract, the Processor encounters circumstances that prevent timely performance, the Processor shall notify the Controller of the delay, its expected duration and the reasons for the delay without undue delay, but no later than 3 working days.

 

The Data Controller shall provide the Processor with all information necessary to fulfil its obligations under this contract and to verify compliance, and to enable and facilitate audits, including on-site inspections, carried out by the Processor or by another auditor appointed by the Processor.

 

Both the Processor and the Data Controller and, where applicable, the Data Processor or the Data Controller’s representative shall cooperate with the supervisory authority (National Authority for Data Protection and Information, hereinafter referred to as the “NAIH”) in the performance of their tasks.

 

Unless otherwise agreed by the Parties, the Processor shall inform the Data Controller of any action taken in relation to any of its material obligations under this contract or provide the Data Controller with evidence of compliance with the obligation, in order to enable the Parties to comply with the principle of accountability as set out in the Regulation.

 

Right to instruct and right to decide

 

In performing this contract, the Processor shall act on the instructions of the Controller.

 

The Controller shall be responsible for the lawfulness of the instructions given by the Data Controller in relation to the tasks defined in the context of the processing. However, the Processor shall promptly inform the Controller if it considers that any instruction given by the Controller is in breach of this contract, the Regulation or any other provision of law, or if the Processor gives an inappropriate or unprofessional instruction. If the Data Controller maintains its instructions despite the warning, the Processor may withdraw from the contract or perform the task as instructed by the Data Controller at the risk of the Data Controller. The Processor shall refuse to comply with an instruction if its execution would lead to a breach of law or an administrative decision or would endanger the person or property of others.

 

The Data Processor may not make any decision on the merits of the data processing, may process the data that comes to its knowledge only in accordance with the provisions of the Data Controller, may not process the data for its own purposes, and shall store or retain the data in accordance with the provisions of the Data Controller. The Processor shall be entitled to carry out only the technical processing and data processing operations necessary for the processing and for the purposes of this contract.

 

Right of control

 

The Data Controller is entitled to monitor the performance of the contractual activity by the Processor. The consent of the Processor is not required to exercise the right of control.

 

The Controller may exercise its right of control without prior information and notification to the Processor. The right of control shall, as far as possible, be exercised primarily during the opening hours or working hours of the Processor.

 

On the basis of the right of inspection, the Data Controller shall be entitled to enter the premises of the Processor in connection with the processing and the data processed, to inspect the records, to ask questions to persons involved in the processing, to make copies and to perform any other inspection act that may be necessary to monitor the processing in accordance with this contract or the law.

 

Commissioning an additional processor

 

The Processor shall not engage any other processor without the prior authorisation of the Data Controller, either on a case-by-case basis or in general. In the case of a general authorisation, the Processor shall inform the Controller of any planned changes concerning the use or replacement of additional processors, thereby giving the Controller the opportunity to object to those changes.

 

If the Processor uses an additional processor to carry out its tasks in connection with the processing, the Processor warrants that the additional processor it uses will carry out its activities in accordance with the provisions of this contract, the Regulation and other legislation. In addition, the Processor shall impose on the additional processor the obligations of the data processor set out in this contract and shall enter into a written or electronic contract with the additional processor, in particular by providing the additional processor with appropriate guarantees to implement appropriate technical and organisational measures to ensure that the processing complies with the requirements of this contract and the Regulation.

 

If the sub-processor fails to comply with its data protection or data processing obligations, the Data Processor that engaged it shall be fully liable to the Data Controller for the performance of the sub-processor’s obligations. The Processor shall be liable for any damage resulting from the use of the sub-processor.

 

Prior information of the data subjects

 

Where personal data are collected from the data subject, the information listed in Annex 1 shall be provided to the data subject at the time the personal data are obtained. Where the personal data are not obtained from the data subject: a) within a reasonable period of time from the date of obtaining the personal data, but not later than 25 days; b) where the personal data are used for the purpose of contacting the data subject, at least at the time of the first contact with the data subject; or c) where the data are likely to be disclosed to another recipient, the information listed in Annex 1 shall be provided to the data subject at the latest at the time of the first disclosure of the personal data.

 

The above obligation to provide information shall be incumbent on the Processor, unless otherwise provided by the Parties. In order to fulfil the obligation to provide information, the Data Controller shall provide the Processor with all information necessary to provide the information and relating to the Processor or its activities without undue delay, correctly and in accordance with the law and this contract.

 

Where the above information is provided by the Processor to the data subject, the Processor shall promptly notify the Controller of the information and provide the Controller with the documentation proving the provision of the information.

 

Rights of data subjects and cooperation of the parties

 

The parties stipulate that data subjects have the following rights in relation to data processing: the right to information, the right of access, the right of rectification, the right to erasure, the right to be forgotten, the right to restriction, the right to object, the right to data portability, the right to withdraw consent, the right to complain, the right to judicial remedy (hereinafter collectively referred to as “data subjects’ rights”).

 

It is the joint obligation of the parties to ensure that the data subjects can exercise their rights in relation to data processing to the highest reasonable standard and in accordance with the Regulation and other legislation and this contract. To this end, the Parties shall cooperate with each other, the data subjects, the supervisory authority and third parties to ensure the exercise of the rights of the data subjects, in particular with regard to the following.

 

For the above purposes, the Parties undertake that the Processor will provide the information, cooperation or other act necessary to properly inform the data subject in order to exercise his or her rights within 3 days. If the Processor is unable to fulfil its obligation within the aforementioned period, it shall notify the Data Controller without undue delay, but no later than 2 days, and shall inform the Data Controller of the period within which it is able to fulfil its obligation, which shall not exceed 10 days.

 

The Data Controller shall inform all recipients to whom the personal data have been disclosed, including the Processor, of the rectification, erasure or restriction of processing of the personal data, unless this proves impossible or involves a disproportionate effort.

 

Right to information and right of access

 

The Controller shall provide the data subject with all information and disclosures relating to the processing of personal data pursuant to Articles 13 to 14, 15 to 22 and 34 of the Regulation in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular in the case of any information addressed to children. At the request of the data subject, the Controller shall provide the data subject with a copy of the personal data which are the subject of the processing.

 

The parties shall provide the information to each other in writing or electronically. If the data subject has submitted the request by electronic means, the information shall be provided in a commonly used electronic format, in which case the Processor shall also provide the data to the Controller in electronic form.

 

The information and action shall be provided to the data subject free of charge, and therefore the Processor shall not charge a fee to the Data Controller. The Processor may charge a reasonable fee based on administrative costs for additional copies requested by the data subject.

 

If the Data Controller has reasonable doubts about the identity of the natural person making the request, it may request additional information necessary to confirm the identity of the data subject.

 

Right to rectification and erasure (“right to be forgotten”)

 

The data subject shall have the right to have inaccurate personal data relating to him or her corrected or completed by the Data Controller without undue delay upon request.

 

The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay, and the controller shall be obliged to erase personal data relating to him or her without undue delay, where the provisions of Article 17 apply: (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on the basis of which the processing was carried out (and the processing was based on the data subject’s consent) and there is no other legal basis for the processing; (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (d) the personal data have been unlawfully processed; etc.

 

The Parties are not obliged to comply with an erasure request if a limitation on the right to erasure applies. The limitations on the right to erasure are listed in Article 17(3) of the Regulation.

 

If the Processor or the Controller has disclosed the personal data and is obliged to delete it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies of the personal data in question.

 

Right to restriction of processing

 

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller in accordance with Article 18 where: (a) the data subject contests the accuracy of the personal data, in which case the restriction shall be for a period of time which allows the Controller to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use; (c) the Processor no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or (d) the data subject has been informed by the Controller of the processing of personal data pursuant to Article 21(1) of the Regulation; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.

 

Where processing is restricted pursuant to paragraph 1, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

 

The Data Controller shall inform both the data subject at whose request the processing has been restricted and the Processor in advance of the lifting of the restriction.

 

The right to data portability

 

In accordance with Article 20 of the Regulation, the data subject shall have the right to obtain the personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, where the processing is based on consent and the processing is carried out by automated means.

 

Since the data subject has the right to request the direct transfer of his or her personal data between controllers, the Processor may be obliged to transfer the data subject’s personal data directly to the controller to which the data subject has requested the transfer of his or her data. Where the right to data portability is exercised, the personal data of the data subject must also be erased at the same time on the basis of a specific request by the data subject.

 

The right to object

 

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1)(e) (processing in the public interest) or (f) (processing necessary for the purposes of the pursuit of a legitimate interest) of the Regulation, including profiling based on those provisions.

 

Where the right to object is exercised, the Controller may no longer process the personal data, unless the Controller proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.

 

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In that case, the personal data may no longer be processed for that purpose.

 

Automated decision-making on individual cases, including profiling

 

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

 

Therefore, in the case of automated decision-making, the Parties shall ensure the protection of the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.

 

Remuneration and costs

 

Unless otherwise agreed by the parties, the Data Controller shall not be liable to pay any amounts under this contract, as the obligations of the parties under this contract and the obligations set out herein are imposed on the parties by the Regulation and other legislation. In view of the foregoing, the Parties shall bear their own costs incurred in connection with the processing and shall not claim any reimbursement of costs from each other.

 

Damages and liability

 

Each controller involved in the processing shall be liable for any damage caused by processing in breach of this Regulation. A Processor shall be liable for damage caused by processing only if it has failed to comply with the obligations specifically imposed on processors by the Regulation or this contract or if it has disregarded or acted contrary to lawful instructions from the Controller.

 

The Processor or the Data Controller shall be exempt from liability for damages if it proves that it is not in any way responsible for the event giving rise to the damage.

 

Where several controllers or several processors or both the Processor and the Controller are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the entire damage in order to ensure the effective compensation of the data subject. Where a controller or processor has paid full compensation for the damage suffered in accordance with the aforementioned joint and several liability, it shall be entitled to recover from the other processors or controllers involved in the same processing that part of the compensation corresponding to the extent of their liability for the damage under the conditions set out above.

 

The above liability rules apply mutatis mutandis also in the case of damages, and also in the case where the controller is censured or fined by the supervisory body (NAIH) and the infringement on which the sanction is based is attributable to the Data Processor.

 

Data security

 

The Processor and the Controller shall implement appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of data security appropriate to the level of risk, including, where appropriate: (a) the pseudonymisation and encryption of personal data; (b) the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data; (c) the ability to restore access to and availability of personal data in the event of a physical or technical incident in a timely manner; (d) a procedure for the regular testing, evaluation and assessment of the effectiveness of the technical and organisational measures taken to ensure the security of processing.

 

The Parties stipulate that the data security requirements system means the support of the protection of personal data by technical and personnel measures as well as physical and IT solutions.

 

The parties declare that the Processor and the Data Controller shall act in accordance with the provisions of the Regulation and other legislation, data protection rules and practice, and shall comply with the provisions of the applicable legislation and take into account the main international recommendations on data protection.

 

The parties declare that the personal data will be stored on secure servers with restricted access and that the Processor and the Data Controller will take all necessary technical and organisational measures to protect the data subject’s data against loss, misuse, disclosure, alteration or deletion by unauthorised persons.

 

The Parties shall ensure, inter alia, that the stored data are accessible only to authorised persons through an internal system or by direct access and only in connection with the purpose of the data management, shall ensure the necessary regular maintenance and improvement of the tools used, shall place the data storage device in a secure room with appropriate physical protection, shall also ensure its physical protection, shall ensure that the data stored in the different registers cannot be directly linked and attributed to the data subject.

 

The Processor shall ensure that the data it processes, whether stored on paper or electronically, are adequately protected. The Data Processor shall prevent access to the data by unauthorised persons and shall be fully liable for any damage resulting from any intentional or negligent breach of this obligation. The Processor may not transfer the right to use the data it processes to a third party.

 

The Processor must have an internal data management policy covering its entire organisation, which has been accepted by all its employees, and must act in accordance with the policy in relation to data processing. The Processor shall also review and, if necessary, amend its internal data management policy from time to time, but at least annually or when justified (e.g. in the event of a data breach), in order to enhance data security.

 

Data protection incident

 

In the event of a data breach, the parties must cooperate with each other. In the event of a data breach, the parties shall comply with their obligations under this Agreement and the Regulation to enhance the security of the personal data of the data subjects and to avoid a future data breach.

 

The controller shall notify the data protection incident to the competent supervisory authority (NAIH) without undue delay and, where possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. Accordingly, if the Data Processor becomes aware of a data breach or suspected data breach, it shall notify the Data Controller without undue delay, but no later than one day after becoming aware of the data breach. In the event of failure to provide the aforementioned information or delay in doing so, the Processor shall be fully liable for the data breach and its consequences. Furthermore, if the Processor subsequently obtains further information about the processing incident, it shall also promptly inform the Controller thereof as set out above.

 

The information to be provided by the Data Controller about the data breach shall include the information referred to in Article 33(3) of the Regulation, in particular: the nature of the data breach, including the categories and approximate number of data subjects, the categories and approximate number of data concerned by the data breach; the likely consequences of the data breach; the measures taken or envisaged by the Data Processor to remedy the data breach.

 

The Processor shall keep a record of the data breach, indicating the facts relating to the data breach, its effects and the measures taken to remedy it.

 

In the event of a data breach, the Parties shall conduct an investigation within the organization that caused the breach in order to identify, among other things, the cause of the breach, the parties responsible for the breach, and the regulatory, procedural or other security weakness that led to the breach. The report shall be accepted by the Parties within 30 days of the occurrence or becoming aware of the incident. The results of the investigation shall be summarised in a report by the Party concerned, which shall include recommendations to prevent or mitigate a recurrence of the incident in the future. The parties shall implement the recommendations of the report in their organisation without delay and within 30 days at the latest, and shall take the necessary measures on the basis of the report.

 

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject of the personal data breach without undue delay.

 

Data protection impact assessment

 

Where a type of processing, in particular one using new technologies, is likely to present a high risk to the rights and freedoms of natural persons, taking into account its nature, scope, context and purposes, the Processor shall carry out an impact assessment prior to the processing, in order to assess how the envisaged processing operations will affect the protection of personal data.

 

The Processor shall inform the Data Controller without delay of the data protection impact assessment, its results and the new processing based on the impact assessment. If the Controller does not agree with the new processing practice or technology, it shall notify the Processor thereof within 3 days at the latest. In this case, the Processor shall not apply the new processing practice or technology in relation to the processing subject to this contract. If the Processor does not accept the Controller’s disagreement, it may unilaterally terminate this contract by giving the Controller 30 days’ notice. If the Processor adopts the new processing practice or technology despite the Controller’s disagreement, the Controller shall be entitled to terminate this contract with immediate effect and claim damages.

 

The impact assessment shall cover at least: (a) a systematic description of the envisaged processing operations and a description of the purposes of the processing, including, where relevant, the legitimate interests pursued by the Processor; (b) an assessment of the necessity and proportionality of the processing operations in the light of the purposes of the processing; (c) an assessment of the risks to the rights and freedoms of the data subject; and (d) a description of the measures taken to address the risks, including safeguards, security measures and mechanisms to protect personal data and to ensure compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons.

 

If the data protection impact assessment concludes that the processing is likely to result in a high risk in the absence of measures taken by the Processor to mitigate the risk, the Controller shall consult the supervisory authority (NAIH) prior to processing the personal data and inform the Processor of the outcome of the consultation without delay. The consultation shall include the information referred to in Article 36 of the Regulation.

 

Confidentiality

 

The Data Controller or the Data Processor, as the case may be, shall take the technical and organisational measures and establish the procedural rules necessary to enforce the data protection and confidentiality rules in respect of its tasks under the contract.

 

All data obtained or disclosed by the Processor in connection with this Agreement shall be considered confidential information and shall not be disclosed or otherwise made available to third parties, unless otherwise agreed by the Parties or required by law.

 

The Data Processor undertakes to make copies or extracts of the documents provided by the Data Controller only with the prior consent of the Data Controller, and not to allow third parties to inspect these documents or otherwise disclose their contents to third parties.

 

The obligation of confidentiality shall be imposed on the Processor without time limit, irrespective of the performance or termination of the contract. The disadvantages resulting from the breach of confidentiality or unauthorised disclosure of data, as well as the costs necessary to remedy them, including compensation for both pecuniary and non-pecuniary damage, shall be borne by the party liable for the unauthorised disclosure, in addition to its other liability.

 

Scope, amendment, termination of the contract

 

This contract is concluded between the Parties for the duration of the data processing and for the performance of the data processing tasks. The present contract shall therefore terminate without any further legal declaration or notification upon termination of the data processing.

 

If the Parties have concluded a separate basic contract (the “basic contract”) in connection with the assignment relationship, this contract shall form part of and be annexed to the basic contract. Therefore, upon amendment, termination or expiry of the basic contract by either Party, this contract shall be amended or terminated without any separate declaration by the Parties. In that case, the provisions of this Chapter (Scope, Amendment, Termination) following this paragraph shall be ineffective and shall be disregarded. Thus, in the event of a unilateral amendment to this contract or the exercise of ordinary or extraordinary termination rights, the Parties shall be bound by the relevant provisions of the basic contract and may not derogate from them.

 

If no basic contract has been concluded between the Parties, any amendment to this contract shall be valid in writing or electronically, by mutual agreement of the Parties, or in the event of a unilateral amendment by the Data Controller as provided for in this contract.

 

The Data Controller shall notify the Processor of any unilateral amendment to this contract. After the notification, the Processor shall have 15 days to object to the modification. If the Processor does not notify the Controller within 15 days that it does not accept the amendment, the amendment shall be deemed to have been accepted on the 15th day. If the Processor indicates within 15 days that it does not wish to accept the amendment, the amendment shall be deemed not to have been accepted. In this case, the Data Controller may terminate this contract with immediate effect. If the amendment is justified by a change in the law, the Processor may not object to the amendment. In other cases, the contract may be unilaterally amended by the Data Controller for good cause, provided that such amendment does not substantially increase the burden on the Data Processor.

 

In the absence of a basic contract, this contract may be terminated at any time by mutual agreement of the Parties in writing or by electronic means.

 

If either Party is in serious breach of a material obligation under this Agreement and fails to remedy such breach within the time limit specified in the notice to that effect, the other Party may terminate this Agreement with immediate effect. In this contract, any obligation on the basis of which the Data Controller may be subject to a fine by the supervisory authority (NAIH) shall be considered, inter alia, a material obligation.

 

In the absence of a basic contract, this contract may be terminated unilaterally by either party by giving 30 days’ notice in writing or by electronic means.

 

In the event of termination of this contract for any reason, the Processor shall delete (destroy) the stored data and record the fact in a protocol and hand the protocol to the Data Controller. In the event of termination of the contract for any reason prior to its performance, the Processor shall, at the option of the Controller, transfer the data processed by it to the Controller or another processor designated by the Controller and erase the data or, at the option of the Controller, if the processing cannot lawfully be continued, erase the data, record the fact and provide the record to the Controller. The Processor shall comply with the foregoing obligations no later than the termination of the contract.

 

Contact

 

The Parties shall communicate with each other during the performance of this Contract through the contact persons designated by the Parties and their contact details, as set out in Annex 2. The Parties acknowledge that electronic mail sent to their e-mail address shall be considered as written communication between them. The Data Controller declares that it checks the e-mail account of the contact person on a daily basis and reads the e-mail sent by the contact person on a daily basis.

 

If either Party has a DPO, the designated contact person shall be the Party’s DPO, unless otherwise provided by the Parties.

 

The Parties shall inform each other immediately if the designated contact person, or any of that person’s data or contact details, ceases to exist or changes. Any damage caused by failure to do so shall be borne by the defaulting Party.

 

Final provisions

 

The present contract shall be governed by Hungarian law and, in matters not covered by the present contract, by the Regulation, the Infotv. and the relevant provisions of Act V of 2013 on the Civil Code. The Parties agree to attempt to settle any disputes arising in connection with this contract primarily between themselves through negotiations. The Parties stipulate that the Szeged District Court and the Szeged General Court shall have exclusive jurisdiction in relation to this contract.

 

The Parties undertake to inform each other of any circumstances affecting the performance of the contract or the legitimate interest of the other Party. The defaulting Party shall be liable for any damage resulting from failure to notify.

 

The invalidity of any clause or provision of this contract shall not invalidate the contract as a whole, unless without the invalid clause or provision the Parties would not have entered into the contract or the contract would be meaningless or unenforceable in the absence of such clause or provision.

 

This Agreement, after having been read and understood by the Parties at the place and on the date indicated below, is hereby signed by the Parties as being in full agreement with their intentions.

 

List of annexes:

Annex 1: Information to be provided to data subjects

Annex 2: Contacts

Annex 1

 

Information that you must provide to the data subjects

 

  1. the identity and contact details of the Data Controller and the Data Controller’s representative and, where applicable, the Data Protection Officer and contact details;
  2. the purposes for which the personal data are intended to be processed;
  3. the likely effects, consequences and benefits of the processing for the data subject;
  4. the personal data concerned and their categories;
  5. the legal basis for the processing;
  6. where the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, the legitimate interests of the controller or the third party;
  7. whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract; and
  8. whether the data subject is obliged to provide the personal data; and
  9. the possible consequences of not providing the data;
  10. the recipients or categories of recipients of personal data;
  11. the duration of the storage of personal data or the criteria for determining that duration;
  12. the data subject’s right to request the Controller to access, rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data, and the data subject’s right to data portability;
  13. where processing is based on the data subject’s consent, the right to withdraw consent at any time;
  14. the right to lodge a complaint with a supervisory authority;
  15. the fact that the Controller intends to transfer the personal data to a third country or an international organisation, the existence of an adequacy decision of the Commission in relation to the third country or the absence of an adequacy decision or the indication of adequate and appropriate safeguards pursuant to the Regulation and a reference to the means of obtaining a copy or the availability of a copy;
  16. the fact that automated decision-making, including profiling, is taking place and, at least in these cases, clear information on the logic used and the significance of such processing and its likely consequences for the data subject;
  17. the source of the personal data and, where applicable, whether the data originate from publicly available sources (if the data are not obtained directly from the data subject).

 

 

Annex 2

 

Contact persons designated by the Parties

 

Contact person for the data processor:

 

Name: …

E-mail: …

Mobile: …

Telephone/Fax: …

Postal address: …

 

Contact person of the Data Controller:

 

Name: …

E-mail: …

Mobile: …

Phone/Fax: …

Postal address: …