DATA PROCESSING AND DATA PROTECTION NOTICE

Transcription

1 Univer-Product Zrt Kecskemét, Szolnoki út 35. represented by Károly Molitorisz, Chief Executive Officer DATA PROCESSING AND DATA PROTECTION NOTICE Table of Contents 1. THE DATA CONTROLLER CATEGORIES OF DATA PROCESSED BY THE COMPANY AS DEFINED HEREIN AND THE DETAILED RULES OF DATA PROCESSING... 2 A. Processing the data of applicant employees... 2 B. Processing the data of natural person contracting partners... 3 C. Processing the data of natural person representatives and contact persons of legal person clients (customers, suppliers)... 4 D. Data processing related to the Company s website (processing visitors data, newsletter service, prize game, information on the use of cookies)... 5 I. Processing personal data explicitly provided by Users (contact, newsletter, prize game)... 5 II. Information otherwise collected in relation to the use of the website (logging activity by third party service providers, cookies, Facebook) RIGHTS AND REMEDIES OF THE DATA SUBJECTS... 9 A. Right to access (know) personal data... 9 B. Right to correct or supplement personal data C. Right to erasure (to be forgotten) D. Right to restriction of processing E. Right to data portability F. Right to object to the processing of personal data G. Right to lodge a complaint with a supervisory authority (right to official remedy) DATA SECURITY Annex No. 1 Declaration of Consent by Job Applicant

2 This Data Processing and Data Protection Notice (hereinafter referred to as the Notice ) intended for the public is issued to ensure the processing and protection of the personal data processed by Univer-Product Zrt. (hereinafter referred to as the Company or Data Controller ) as the Data Controller, to describe the data processing and data protection policy of the Company and to ensure the rights of data subjects, in accordance with the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information, which the Data Controller accepts as binding. The purpose of this Notice is for the Company to regulate the general and special requirements for the processing and protection of personal data held by the Company in accordance with the applicable law, in particular, but not limited to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR ); Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter referred to as the Privacy Act ); Act C of 2000 on Accounting (hereinafter referred to as the Accounting Act ); Act XLVIII of 2008 on the Fundamental Terms and Limitations of Economic Advertising Activities (hereinafter referred to as Advertising Act ); Act CVIII of 2001 on Certain Aspects of Electronic Commercial Services and Information Society Services. The Data Controller processes personal data both collected directly from data subjects and also received from other data controllers in accordance with this Notice. The terms used in the Notice shall have the meaning defined in the GDPR. 1. THE DATA CONTROLLER For the purpose of this Notice, the Data Controller is: Univer-Product Termelő és Kereskedelmi Zártkörűen Működő Részvénytársaság registered seat: 6000 Kecskemét, Szolnoki út 35. represented by Károly Molitorisz, Chief Executive Officer company registration number: tax number: internet address: telephone: / adatkezeles.product@univer.hu, informacio@univer.hu, marketing@univer.hu, sales@univer.hu, karrier@univer.hu, minoseg@univer.hu 2. CATEGORIES OF DATA PROCESSED BY THE COMPANY AS DEFINED HEREIN AND THE DETAILED RULES OF DATA PROCESSING A. Processing the data of applicant employees The Company shall act as follows when processing the applicants data. Categories of data processed The categories of data subjects includes natural persons (applicants) who are interested in job vacancies, and who, by submitting their CV, voluntarily consent to their personal data to be processed by the Company. 2

3 The Company shall not post any anonymous job advertisements. Categories of data processed in the labour market register: personal information indicated in CV (name, birth name, date and place of birth, mother s name, address), photo, contact details (mailing address, telephone number, address), education, (professional) qualifications, professional experience, job-related demands and other personal information provided in the cover letter or during the job interview. Purpose and legal basis of data processing The Company keeps a labour market register that contains the personal data of those interested in job vacancies, so that the HR manager can contact applicants in case of a vacancy at the Company, which the applicant would be suitable for based on their education, qualifications and professional experience. Another purpose of the data processing is to enable the Company to carry out the selection process for vacant posts to be filled and to decide on the suitability of the candidate for the announced job. The legal basis for data processing is the applicant s prior voluntary, informed consent based on Article 6 (1) (a) of the GDPR. If the applicant submits its CV to the Company without the Declaration of Consent required for data processing, the HR manager will draw the attention of the applicant to the need for signing and submitting the Declaration as per Annex No. 1 of this Notice for the inclusion in the labour market register. Following the Declaration of Consent, the personal data submitted will be included in the labour market register by the HR manager, otherwise the applicant s CV will be destroyed and deleted without further notice. Duration of data processing If after the selection procedure no employment is established, the data of the candidate that registered in the labour market register will be processed by the Company for a period of 3 years from the date of data collection, after which period the HR manager shall delete the data and destroy the submitted documents. The applicant concerned shall, at any time prior to the final data deletion date, have the right to withdraw its Declaration of Consent to the processing of data in writing, without a justification, by sending a letter to the mailing address 6000 Kecskemét, Szolnoki út 35. or to the address karrier@univer.hu (indicating their exact personal data). After receiving the Declaration of Withdrawal, the Data Controller shall immediately delete the applicant s data from the labour market register. The withdrawal of consent shall not affect the lawfulness of processing before the withdrawal. Those entitled to access personal data, data processing At the Company, the data of the labour market register may be accessed by employees involved in the recruitment and selection of labour force, and the competent manager (exercising the employer s rights) making the decision on the post to be filled by the applicant concerned. The data shall not be transmitted by the Company to any other organization or person, and no data processor shall be employed during such data processing. B. Processing the data of natural person contracting partners The Company shall act as follows when processing data in relation to the conclusion and performance of contracts. Categories of data processed The Data Controller processes the following data of data subjects according to the categorization as per taxpayer s quality (individual entrepreneur/agricultural primary producer/other): 3

4 in case of individual entrepreneurs: family name and first name, contact details (telephone, , fax/telex), tax number, tax ID number, entrepreneurial licence number, name of financial institution, bank account number, registration number, partner code in case of agricultural primary producers and other natural persons: family name and first name, family name and first name at birth, mother s family name and first name at birth, place and date of birth, address, contact details (telephone, , fax/telex), tax number, tax ID number, tax declaration, social security number, name of financial institution, bank account number, primary producer ID card number, family farm registration number, registration number, partner code, ownership in company Data processing in an extent exceeding that stipulated herein shall require the explicit consent of the data subject. Prior to obtaining the Declaration of Consent, the Data Controller shall inform the data subject according to legal regulations. Purpose and legal basis of data processing In connection with the data processing stipulated in this Notice and in accordance with the principle of purpose limitation set out in the applicable law, the Data Controller shall inform the data subject that the Data Controller processes the personal data of the data subject as may be required and sufficient for the conclusion of the contract, the determination of its content, its modification, fulfilment, for the provision of contractual benefits, invoicing, the enforcement of claims and the performance of obligations related to the contract, and also to ensure compliance with the legal obligations binding the Data Controller in accordance with Article 6 (1) (b) of the GDPR, on the legal basis of contractual performance. Duration of data processing The duration of the processing of personal data shall be 5 years after the termination of the contract (general limitation period), except when an invoice is issued during the contractual relationship, in which case the retention period shall be 8 years as specified in the Accounting Act. Those entitled to access personal data, data processing The Company hereby informs the data subjects that only those employees of the Company are entitled to data processing whose duties justify such activity. The personal data of the data subject shall (may) also be transferred to the following data processors engaged by the Data Controller: Univer Szövetkezeti Zrt. (6000 Kecskemét, Szolnoki út 35.; Cg ) for the purposes of taxation, accounting, financial performance, Hírös Security Kft. (2750 Nagykőrös, Október 23. tér ép. fszt. 12.; Cg ) for the purposes of delivering mail to the post, Magyar Posta Zrt. (1138 Budapest, Dunavirág utca 2-6.; Cg ) for mailing purposes C. Processing the data of natural person representatives and contact persons of legal person clients (customers, suppliers) The data of natural person representatives and contacts of legal persons shall be processed by the Company on relation to the conclusion and performance of contracts concluded with legal entities. Categories of data processed The Data Controller processes the following personal data of the data subjects during the processing activity stipulated herein: the name, position of the natural person, and, for contact persons, also their contact details (telephone number, ) in addition to such data. Purpose and legal basis of data processing 4

5 The purpose of the personal data processing is to conclude a contract between the Parties, to communicate during the performance of the contract and to facilitate compliance with existing contractual obligations. Personal data of the data subjects are processed by the Company for the purposes above in accordance with Article 6 (1) (b) of the GDPR, on the legal basis of contractual performance. The representative of the legal person is responsible for obtaining the consent of the natural person data subjects to process the personal data provided or disclosed about other natural persons (contact persons). Duration of data processing The duration of storing personal data shall be 5 years after the termination of the business relationship (general limitation period for contracts), except when an invoice is issued during the contractual relationship, in which case the retention period shall be 8 years as specified in the Accounting Act. Those entitled to access personal data, data processing The Company hereby informs the data subjects that only those employees of the Company are entitled to data processing whose duties justify such activity. The personal data of the data subject shall (may) also be transferred to the following data processors engaged by the Data Controller: Univer Szövetkezeti Zrt. (6000 Kecskemét, Szolnoki út 35.; Cg ) for the purposes of accounting, Hírös Security Kft. (2750 Nagykőrös, Október 23. tér ép. fszt. 12.; Cg ) for the purposes of delivering mail to the post, Magyar Posta Zrt. (1138 Budapest, Dunavirág utca 2-6.; Cg ) for mailing purposes D. Data processing related to the Company s website (processing visitors data, newsletter service, prize game, information on the use of cookies) The Data Controller operates the websites available under the domain names above. By accessing the website, users visiting the website, contacting the Data Controller, subscribing to the newsletter, participating in the prize game (hereinafter referred to as the User ) will accept all the terms and conditions stipulated herein, so please read the Notice carefully before using the website. Users may enter information and data on the website in two ways: Personal data expressly provided or disclosed during the use of the website services (see Part I). Information provided to the Data Controller regarding the use of the website, in respect of the visit to the website and its use (see Part II). I. Processing personal data explicitly provided by Users (contact, newsletter, prize game) Categories of data processed a) In the case of contact, the following personal data may be provided (required if marked by *): name*, address*, home address (optional), phone number, message. b) In the case of subscription to newsletters, the following personal data may be provided (required if marked by *): name*, address* c) In the case of organising prize games, the following personal data may be provided (required if marked by *): full name*, contact details* ( address, phone), address* (postal code, county, city, street) 5

6 Should further personal data be required subject to the nature of the prize game, such shall be stipulated in the current game rules. The User is free to choose what address to provide, but it is not necessary for the specified address to contain personal information (the user s name). Users may only enter their own personal information on the website. If the User provides other than its own personal data, the data supplier shall be obliged to obtain the consent of the data subject. The Data Controller shall not verify the personal data provided, and their compliance is solely the responsibility of the person giving the information. When providing their address and their data entered during registration, Users accept responsibility that the service is used only by them from the address and with the information provided by them. In consideration of this responsibility, any responsibility associated with access via an address and/or data provided shall be the sole responsibility of the User who registered the address and provided the information. The personal data of persons under the age of 16 can only be processed if the adult exercising parental responsibility over them has consented thereto. The Data Controller is not in a position to verify the authorisation of the person granting their consent or the content of such person s Declaration, so the User or the person exercising parental control over them shall warrant that the consent is in compliance with the law. In the absence of a Declaration of Consent, personal data relating to data subjects under the age of 16, except for the IP address used to access the service, which is automatically recorded due to the nature of the Internet services, will not be collected. Purpose and legal basis of data processing The Data Controller shall use the User s personal data for the following purposes related to providing the services available on the website: a) In the case of contact: the purpose of processing is to ensure the provision of services available on the website, including contacting and communicating with the User interested in the services offered by the Data Controller, informing the Users, and handling the observations related to the activity of the Data Controller. b) In the case of subscription to newsletters: sending electronic newsletters, commercial messages to the User s address (application of DM tools) for offers, services, discounts, promotions and prize games related to the Data Controller. c) In the case of participation in prize games: the purpose of processing is to arrange prize games with the aim to advertise products, to contact winners, to check the right to participate in the case of any conditions to participation in the game, to announce the winner s name and photo. The Data Controller does not perform any profiling related to processing in connection with the website. In the course of all data processing (including contact establishment, sign-up for newsletters and participation in prize games), governed by this section, related to the Company s website, Users consent to the Data Controller to process their personal data as described in this Notice. The legal basis for data processing is the user s prior voluntary consent based on Article 6 (1) (a) of the GDPR. Duration of data processing The data processing periods associated with the services available on the website are as follows: 6

7 a) During contact: the duration of the data processing is up to 30 days from the receipt of the message sent by the User to the Data Controller (or when the User requests deletion of its data or withdraws its consent to processing its personal data prior to such date). b) In the case of subscription to newsletters: When sending a newsletter, personal data will be processed by the Data Controller until the Declaration of Consent provided by the User to the receipt of the newsletters is withdrawn. c) In the course of participation in prize games: The Data Controller processes personal data until the prize draw, or the suspension/termination of the game and the withdrawal of the User s consent, and the tax due after the prize is paid by the Company, in which case it manages the data until the fifth year following the year of the tax return. Users may withdraw their voluntary consent to data processing related to the provision of services available on the website at any time, free of charge, without justification and restriction, in a letter sent to the address marketing@univer.hu or the mailing address: 6000 Kecskemét, Szolnoki út 35. (with the personal data accurately indicated), and subscribed users may also withdraw their Declaration of Consent by clicking on the link for unsubscribing in the newsletters. If the withdrawal of the consent to data processing concerns only newsletters, the Data Controller shall immediately delete the User, but only from the direct marketing registry, otherwise the Company will continue to be able to process the User s data in order to provide the website services used by the User. The Data Controller shall delete the User s data from its database immediately upon receipt of the request to unsubscribe (withdrawal of consent). The withdrawal of the consent provided by the User shall not affect the lawfulness of data processing performed before the withdrawal on the basis of the consent. Those entitled to access personal data, data processing Only those employees of the Company are entitled to data processing whose duties justify such activity. Data processing on behalf of the Data Controller data processor in respect of the tasks concerning website operation, maintenance, delivery of newsletters and hosting services: WellUnic Kft. (registered seat: 1126 Budapest, Orbánhegyi út 50.; Cg ; phone: +36/ ; info@wellunic.hu); data processor in respect of the tasks concerning financial accounting of prize games, financial processes, taxation thereof: Univer Szövetkezeti Zrt. (6000 Kecskemét, Szolnoki út 35.; Cg ) The Data Controller reserves the right to involve additional data processors in data processing, of which it shall notify Users via changes to this Notice or the Gaming Regulations calling for prize games. Data transfer to the Data Processors specified in this Notice shall not require the User s special consent. Disclosure of personal data to a third party or the authorities may, unless otherwise provided by law, be solely based on an official decision or subject to the prior express consent of the User. The National Media and Communications Authority acts in respect of electronic advertising, the detailed rules thereof are set out in Act CVIII of 2001 on Certain Aspects of Electronic Commercial Services and Information Society Services. II. Information otherwise collected in relation to the use of the website (logging activity by third party service providers, cookies, Facebook) If the User does not explicitly provide data or information pertaining to itself on the website as specified in Part 2/D/I of the Notice, the Data Controller will proceed as described in this chapter when visiting the website. 7

8 1. Data processing by third party service providers related to logging The html code of the portal may contain links from and to third party servers that are independent of the Data Controller. The server of the third party service provider is connected directly to the user s computer. The direct connection between their server and the user s browser allows the providers of the links to collect user data (e.g. IP address, browser, operating system data, visited sites address, and date of visit). The Data Controller does not link any data generated during the analysis of log files with other information and does not seek to identify the visitor s person. Potentially personalized content for the User is served by the server of the third party service provider, so personal data is not delivered or transferred to the Data Controller. Independent measurement and auditing of site visitation and other webanalytical data is assisted by the server of Google Analytics as an external service provider. For details on managing measurement data, the Data Controller provides detailed information at The service provider available at displays map information as third party service provider on the website. 2. Cookies Cookies often contain a unique identifier - a secret, accidentally generated sequence of numbers - that is stored by the device of the person visiting the website. Some cookies will be discontinued after the site is closed and some will be stored for a longer period of time on the computer of the website visitor. If a User visiting the site does not accept the use of cookies, certain features may not be available to it. Please find further information on the deletion of cookies at the following links: Internet Explorer: Firefox: Chrome: Categories of data processed Data subjects mean visitors to the Data Controller s website, who consented to the use of cookies by clicking the I agree button appearing on the website. Data processed in the case of Google Adwords cookies: Session ID Data processed in the case of Google Analytics cookies: Unique ID assigned to a registered user, which anonymously differentiates users and their browsing habits. Data qualifying as personal data will not be included in cookies. Details: Purpose and legal basis of data processing The purpose of data processing related to cookies is to identify, distinguish visitors, to identify the current session of visitors, to store data provided in the course thereof, to prevent data loss, and to collect information related to browser specifications. The legal basis for data processing is the user s prior voluntary consent based on Article 6 (1) (a) of the GDPR. Duration of data processing 8

9 In the case of Google Adwords cookies and Google Analytics cookies, maximum 2 years. Users may enable or disable cookies by changing browser settings. Since the options vary by browser, Users can find more information in the Help menu of their own browser. Those entitled to access personal data, data processing Only those employees of the Company are entitled to data processing whose duties justify such activity. Data processing shall be performed for the Data Controller by the data processor acting in respect of website operation, maintenance, and sending of newsletters, and hosting services, i.e.: WellUnic Kft. (registered seat: 1126 Budapest, Orbánhegyi út 50.; Cg ; info@wellunic.hu). 3. Facebook Plug-ins There may be plug-ins operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA ( Facebook ) at the website. Such Plug-in may be the Facebook Like button. If such a plug-in is installed on any page of the website, the User s Internet browser will create a direct link to the Facebook server and via this connection the plug-in will appear on the User s screen. As a result of the direct link between the embedded Plug-in and Facebook, the Facebook server will be notified of which part of the website was visited by the User. For more information on data processing on behalf of Facebook, visit Facebook s Privacy Policy at: 3. RIGHTS AND REMEDIES OF THE DATA SUBJECTS In this chapter, the Data Controller informs data subjects about their rights and options to enforce their rights regarding their personal data disclosed to the Company, concerning the data processing activities detailed in this Notice. A. Right to access (know) personal data The data subjects have the right to know the personal data processed by the Data Controller and information related to the processing of the same, and they also have the right to have access to their personal data. Data subjects request to access the data shall be communicated to the Data Controller in writing. The Data Controller shall provide the requested data in writing (electronically or by post) within 25 days from the submission of the request, and shall not give verbal information in this context. When exercising the right to access, data subjects may request information regarding the following: the types of personal data processed by the Data Controller, the purpose for which and the legal basis on which data are processed, the duration of processing, the source of data processed, the recipients, the date of transfer (disclosure) of data by the Data Controller, and the categories of data involved in such transfer (disclosure). The Data Controller shall provide data subjects with a copy of the personal data on paper or in electronic format free of charge for the first time. For additional copies requested by data subjects, the Data Controller may charge a reasonable fee based on administrative costs. After the receipt of the information, data subjects may request a rectification, correction, erasure, limitation of the processing of the personal data concerning them, they may object to the processing of such personal data, and may initiate proceedings as specified in Item G (remedies) if they disagree with the data processing or the accuracy of the data processed. 9

10 B. Right to correct or supplement personal data At the request of the data subject, the Data Controller shall correct the inaccurate personal data indicated in writing by the data subject, or shall complete the incomplete data with the content indicated by the data subject within 25 days. If the Data Controller fails to comply with the data subject s request for correction (supplementation), the Data Controller shall provide written information regarding the grounds for refusing the correction (supplementation). The Data Controller shall inform all recipients to whom the personal data was disclosed earlier, of the correction, supplementation, unless such proves to be impossible or requires disproportionate effort. C. Right to erasure (to be forgotten) At the request of the data subject, the Data Controller shall delete the personal data relating to the data subject within 25 days if any of the reasons given below exists: the personal data are no longer needed for the purpose for which they have been collected or otherwise processed by the Data Controller; in the case of data supply based on the data subject s consent, if the data subject requires the deletion of its data (withdrawal of the consent on which data processing is based) and no other legal basis for data processing exists (e.g. compliance with legal obligations); the erasure of the data was required by the law, the Authority or the court; data processing is unlawful; the data subject objects to the processing of its personal data - with DM tools - for direct marketing purposes (see F/b.). If the Data Controller fails to comply with the data subject s request for erasure, the Data Controller shall provide written information regarding the grounds for refusing the erasure. The data subject may not use its right to erasure, to be forgotten if data processing is performed by the Data Controller for compliance with a statutory requirement. The Data Controller deletes the personal data from its IT systems irrevocably (if possible) and makes sure that the deletion of the personal data is also effected in the archived version of the IT system. If unrecoverable deletion is not feasible for IT reasons, the Data Controller performs a logical deletion of the data. In the context of a logical deletion, personal data shall be exchanged for an identifier that prevents further data relating to the personal data from being linked to the data subject later on. In the case of paper-based documentation, the erasure of data shall be recorded in minutes. The Data Controller shall withdraw the authorisation of its employees with access rights to the electronic copy of the paper-based documentation that is uploaded to the IT system. The Data Controller shall inform all recipients to whom the personal data was disclosed earlier, of the erasure, unless such proves to be impossible or requires disproportionate effort. D. Right to restriction of processing The data subject shall be entitled to have the processing of data, in the case of a written request, restricted by the Data Controller within 25 days if 10

11 the data subject disputes the accuracy of the personal data, but the inaccuracy of the disputed personal data cannot be established clearly, in this case the restriction applies to the period during which the Data Controller checks the accuracy of the personal data, the Data Controller no longer needs the personal data for data processing, but the data subject still requires those to submit and enforce a legal claim (e.g. for use as proof in a procedure before an authority). If the Data Controller fails to comply with the data subject s request for restriction, the Data Controller shall provide written information regarding the grounds for refusing the restriction. If data processing is subject to restriction, the restricted personal data may only be processed with the consent of the data subject or for the assertion of legal claims, except for storage. The Data Controller shall inform all recipients to whom the personal data was disclosed earlier, of the restriction, unless this proves impossible or requires disproportionate effort. E. Right to data portability The data subject shall have the right to receive the personal data pertaining to it, disclosed by it to the Data Controller in a machine-readable, widely used, machine-readable format and to transmit these data to another data controller. The right to data portability is only granted to the data subject if the legal basis for data processing is a consent by the data subject or the performance of a contract (that is, it is not applicable in the case of data processing based on statutory obligation) and data processing is performed in an automated manner. F. Right to object to the processing of personal data You are entitled to object to the processing of your personal data at any time if: a) the legal basis for processing by the Data Controller is the legitimate interest of the Company or the execution of a task related to a public authority licence (which does not arise during any of the data management activities specified herein); b) the use or transfer of personal data is done for direct marketing purposes (including profiling), polling or scientific research. Where you object in writing to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by the Data Controller. You may submit your objection to data processing in a letter sent to the mailing address: 6000 Kecskemét, Szolnoki út 35. or the address: marketing@univer.hu, or adatkezeles.product@univer.hu (or, in the case of newsletters, by clicking on the unsubscribe link in the newsletter). G. Right to lodge a complaint with a supervisory authority (right to official remedy) If you do not agree with the data processing of the Company and its actions taken in this regard, please contact our Company at the contact details above. Please be informed that, regarding data processing that you believe is prejudicial you may seek assistance with the Hungarian National Authority for Data Protection and Freedom of Information (1125 Budapest, Erzsébet Szilágyi fasor 22/c, postal address: 1530 Budapest, Pf.: 5, phone: +36 (1) ; ugyfelszolgalat@naih.hu; website: or you may enforce your rights concerning the processing of your personal data before the competent Court having jurisdiction according to Act CXXX of 2016 on the 11

12 Code of Civil Procedure (at your own discretion, the Regional Court having jurisdiction at your address or place of stay). 4. DATA SECURITY The Data Controller undertakes to ensure the security of the data, to take the technical and organizational measures and to establish the procedural rules that ensure that the data recorded, stored or managed are protected and to prevent their destruction or unauthorized use and unauthorized alteration. The Data Controller shall ensure that no unauthorized person has access to, may disclose, transmit, or modify or delete the data processed. The data processed may only be disclosed to the Data Controller, its employees and the Data Processor used by it, and they will not be transferred to any third party that does not have any right to access the data. The Data Controller will use its best endeavours to ensure that the data are not accidentally damaged or destroyed. The undertaking above is required by the Data Controller from employees involved in data processing activities. The User acknowledges and agrees that if its personal data are provided on the website, the protection of data cannot be fully guaranteed on the Internet, even if the Data Controller has advanced security tools in place to prevent unauthorized access to data or interception regarding data. In the event of unauthorized access or data disclosure in spite of our efforts, the Data Controller shall not be responsible for any such data acquisition or unauthorized access or for any damages caused to the User as a result of the same. The Data Controller shall in no case collect special data, i.e. data that pertain to racial origin, membership of a national or ethnic minority, political opinion or party affiliation, religious or other belief in the world, membership of an interest representation organization, state of health, addiction, sexual life, and criminal record. The Data Controller provides continuous access to the Notice at the website: csoport/univer Product Zrt./adatkezelési tájékoztató, while maintaining the right to unilaterally modify the Notice. The User accepts the applicable provisions of this Notice by entering the site the next time. 12

13 Annex No. 1 to the Data Processing and Data Protection Notice DECLARATION OF CONSENT to the processing of personal data I, the Undersigned, Name: Place and date of birth: Mother s name: Address: by submitting my CV to Univer-Product Zrt. (registered seat: 6000 Kecskemét, Szolnoki út 5.; Cg ), I hereby voluntarily consent to the Company s processing of my personal information contained in my CV and my motivation letter - only for recruitment purposes based on Article 6 (1) (a) of the General Data Protection Regulation (GDPR) No. 2016/679 (EU). I hereby declare that, prior to making this Declaration, I have read the relevant parts of the Data Processing and Data Protection Notice of the Company and have understood and accepted them (available atwww.univer.hu/univer Group/Univer Product Zrt./Data Management Notice Website). Dated:.. 13