Privacy Notice

1. Purpose of Data Processing 

MNV shall process personal data in accordance with the State Assets Act, its Implementation Decree in force at any given time, the National Assets Act and its Implementation Decree, and other legislation, in particular, but not exclusively, the Act on Public Finances in force at any given time, the Accounting Act in force at any given time, and the Annual Budget Act in force at any given time, for the purpose of the professional performance of public duties by the MNV, which is the management of state assets.

2. Legal Basis for Data Processing

Statutory data processing pursuant to Section 5(1)(a) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Privacy Act), voluntary, informed consent of the applicant pursuant to Section 5(1)(b) of the Privacy Act, and Article 6(1)(a), (b) and (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).

3. Data Protection Officer

Name: dr. Roland Srágli

Address: H-1133 Budapest, Pozsonyi út 56

Telephone number:  (06 1) 237-4400

Email: dpo@mnv.hu

Email address for personal data breach notifications: adatvedelmiincidens@mnv.hu

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed.

Some examples of personal data breaches:

• unauthorised access to or verbal communication of personal data, unlawful disclosure to the general public,
• sending personal data to the wrong recipient,
• phishing, hacking into IT systems
• loss or theft of a device, loss or unauthorised opening of a letter,
• loss, theft, improper destruction of a paper-based document, or leaving it in an unsecure place, etc.

4. Data Controller

Name: Hungarian National Asset Management Inc.

Registered office: H-1133 Budapest, Pozsonyi út 56 

Company registration number: 01-10-045784, registered at the Company Registry Court of Budapest-Capital Regional Court

Tax number: 14077340-2-44

Email: info@mnv.hu

Data Protection Officer: dr. Roland Srágli

Contact info for the Data Protection Officer: dpo@mnv.hu

 

5. Scope and Processing of Personal Data

Types of personal data processed by MNV:

• Administrative personal data processing is related to the registration (filing) and processing of the case. Its main purpose is to provide the data necessary for the administration of the relevant case, the identification of the data subjects and the completion of the case. During administrative data processing personal data are only included in the file of the case; their processing for this purpose is only possible until the relevant file is disposed of.
• Data processing for filing purposes creates a set of personal data consisting of data types collected on the basis of predefined data categories pursuant to Section 25/E and 25/F of the Privacy Act and other legislation, ensuring that during the period of data processing the data are retrievable and queryable on the basis of various characteristics.
• The personal data processed in connection with the Electronic Auction System (EAR) are included in the Terms of Use and the Privacy Policy of the Electronic Auction System in effect from time to time, which are publicly available on the MNV website.
• Processing of employees’ personal data
• MNV is governed by the regulations in force at the time for the management and maintenance of its personnel records.
• Data on the trade union or advocacy group membership may be processed with the written consent of the employee concerned. MNV will only take measures necessary for the transfer of trade union or advocacy group membership fees if the trade union or advocacy organisation has obtained the relevant members’ voluntary and written consent to the processing of their personal data and has sent a copy of this consent to MNV.
• The rules on the processing of personal data of applicants for employment with MNV are set out in the Privacy Notice on MNV’s careers site.

6. Duration of Data Processing 

Duration of Data Processing

• administrative and registration data are preserved, scrapped and transferred to the archives in accordance with the Archives Act in force at the time and the archives plan approved by the competent archives, and MNV is entitled to preserve the data contained in such records without a time limit;
• data relating to the succession by the State of necessity (succession by the State) pursuant to Act V of 2013 on the Civil Code (Civil Code) shall be retained by MNV without a time limit, given that under the Civil Code claims to ownership have no time limit;
• MNV retains employees' personal data within the framework of Act I of 2012 on the Labour Code (Labour Code) and other legislation applicable to employment, and employees' personal data relating to certain tax categories (e.g. relating to the deduction of personal income tax advances), certain tax benefits, fringe benefits, social security based on period of employment, etc. are retained in accordance with the provisions of the social security and tax legislation in force at the time;
• retention of data relating to asset declarations: in accordance with the provisions of the internal regulations in force at the time on the transfer of asset declarations of MNV employees, the registration of asset declarations and the protection of personal data contained in asset declarations, as well as the provisions of the policy in force at the time on the transfer and registration of asset declarations of senior executives and members of the supervisory board of majority state-owned entities and the protection of personal data included in asset declarations;
• the personal data of applicants for employment with MNV are stored in accordance with the Privacy Note on the MNV career site and applicants are informed in advance of any data processing issues in order to exercise their rights in relation to data processing;

 

Unless otherwise provided by law, where the personal data have been collected with the consent of the data subject, the data controller may process the personal data collected for the purposes of complying with the legal obligation to which the data controller is subject, or for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject's consent, including data transfer.

7. Transfer and Processing of Data

1. MNV may transfer data to PRIV-DAT Kft. for archiving purposes.
2. MNV may transfer data to KIVING Kft. for the performance of certain custodial tasks (maintenance) related to certain state-owned real estate assets, in order to ensure the full performance of custodial tasks.
3. MNV may transfer data to HSSC Kft. for the performance of financial and accounting tasks.
4. MNV may transfer data to ÁVNY Kft. for the establishment and maintenance of the state property register.
5. In these cases, the recipient of the data is considered a data processor of MNV.
6. In the context of its data processing activities, the processor may use additional processors only with the prior written consent of MNV Zrt.

8. Data Subject's Rights in relation to Data Processing

8.1 Right to Request Information

The data subject may request information from the Data Controller in writing via the contact details provided in Section 3.

Upon the data subject’s request, the Data Controller shall provide information on the data processed by it, the purposes, legal basis and duration of processing and its activity related to processing, as well as the persons who have received or may receive the personal data of the data subjects, along with the purpose of such receipt. The Data Controller shall provide the information in writing, using clear and plain language, within the shortest possible time from the date of the request, which shall not exceed 25 days. Information is free of charge if the person requesting information has not yet submitted an information request to the Data Controller in the current year and for the same field. Otherwise the Data Controller may charge a fee.

8.2. Modification and Erasure of Data

The data subject may request the modification or erasureof their data recorded in the system at any time, except for mandatory data processing required by law. If the data subject so requests, the personal data will be permanently erased from the system and cannot be restored subsequently. 

The Data Controller shall erase the personal data:

• if the processing thereof has been unlawful,
• if the data subject so requests;
• if the purpose of the processing no longer applies;
• if the specified time limit for storing the data has expired,
• if ordered to do so by a court or the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: Authority).

The Data Controller shall notify the data subject of the rectification and erasure, as well as all those to whom the data were previously transmitted for processing. The notification shall be omitted if, having regard to the purposes of the processing, it does not harm the legitimate interests of the data subject.

8.3. Blocking of Data

The data subject may, except for processing based on law, request in writing through the contact details provided in Section 3 that their personal data be blocked by the Data Controller. The blocking shall last until the date indicated by the data subject. In such case, the Data Controller shall continue to store the personal data until requested by the competent authorities (such as the Authority or a court) and shall delete them thereafter.

8.4. Objection

The data subject may object in writing to the processing of their personal data using the contact details provided in Section 3, if

• it is necessary solely for the performance of MNV Zrt.’s legal obligations or for the enforcement of MNV Zrt.’s or a third party’s legitimate interests, unless the processing is required by law;
• the data are used or transferred for direct marketing, public opinion polling or scientific research purposes;
• in other cases specified by law. 

MNV Zrt. shall examine the objection within the shortest possible time from the submission thereof, but not later than 15 days, and shall inform the applicant in writing of the outcome. If the objection is justified, MNV Zrt. shall cease data processing, including any further data collection and transmission, and block the data, furthermore it shall notify of the objection and the measures taken on the basis thereof all those to whom the personal data concerned by the objection were previously transmitted and who are obliged to take action to enforce the right to object.

 

9. Data Security

• Data Storage Methods and the Security of Data Processing:

The Data Controller shall take the technical and organisational measures necessary:

a) for the application(s) to operate in accordance with the IT Security Policy (ISP);

b) to ensure that authorised users have access to the functions and data of the application according to their level of authorisation;

c) to ensure the backup and archiving of such data.

The Data Controller shall comply with the procedural rules necessary to enforce the requirements of the data protection legislation set out in Section 12. The Data Controller shall subject uploaded files to virus scanning and other security filtering.

The Data Controller shall ensure the security of data processing by technical and organisational measures in order to provide a level of protection appropriate to the risks associated with the processing by choosing the IT tools used and by operating them in such a way that:

a) the data processed are accessible to those authorised to have access to it (availability);

b) the authentication and authenticity of the data are ensured (authenticity of processing);

c) the immutability of the data are verifiable (data integrity);

d) the data processed are accessible only to the authorised person and protected against unauthorised access (data confidentiality).

10. Legal Remedies and Other Information

If the data subject objects to the processing of their personal data, the Data Controller shall examine the objection within the shortest possible period of time from the date of the request, which shall not exceed 15 days, and shall inform the data subject in writing of the outcome of the examination. If the objection is justified, the Data Controller shall cease data processing, including any further data collection and transmission, and block the data, furthermore it shall notify of the objection and the measures taken on the basis thereof all those to whom the personal data concerned by the objection were previously transmitted and who are obliged to take action to enforce the right to object.

In the event of a breach of the data subject’s rights, or if the data subject disagrees with the decision taken by the Data Controller in the context of their objection, the data subject may, within 30 days of its notification, bring an action against the Data Controller before the competent court of their place of residence or domicile. The court shall give priority to the case.

 

The data subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information:

Name: Hungarian National Authority for Data Protection and Freedom of Information

Registered office / Postal address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Telephone: (+36-1) 391-1400

Telefax: (+36-1) 391-1410

Email: ugyfelszolgalat@naih.hu

The Data Controller excludes all liability for any damage or loss resulting from any failure or malfunction of the Telecommunications link.   

If the data subject has any comments or objections regarding the processing of their data, the Data Protection Officer can be contacted at dpo@mnv.hu.

11. Relevant Legislation

- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Privacy Act);

- Act V of 2013 on the Civil Code (Civil Code);

- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR);

• Act CVI of 2007 on State Assets (State Assets Act),
• Government Decree 254/2007 (X. 4.) on the Management of State Assets (Implementation Decree),
• Act CXCVI of 2011 on National Assets (National Assets Act),
• Act I of 2012 on the Labour Code (Labour Code)

Hungarian National Asset Management Inc.