Thales Rail Signalling Solutions Kft. (registered office: 1123 Budapest, Alkotás út 53.; "Company"; represented by György Mikics, managing director) informs you, in accordance with the provisions stipulated in Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ("GDPR") in connection with processing your personal data by the Company on the basis of the contract made between the Company and your employer as set out in this Information Notice.
1. Legal basis of processing and the scope of the data processed
1.1 In accordance with point f) of paragraph (1) of Article 6 of the GDPR processing of your data is in the Company’s legitimate economic interests.
The Company wins the significant majority of its orders in public procurement procedures. During public procurement procedures, to certify eligibility or as evaluation criteria, the expertise and experience of the experts involved in the performance of the contract may be presented in the form and with the content prescribed by the contracting authority. (Processed data: name, address, date of birth, citizenship, highest level of schooling, qualifications, chamber membership, places of work, professional experience).
During performance of public procurement contracts, if applicable, it is also necessary to provide your name, scope of work, e-mail address, telephone number and possibly chamber identifier.
You might be indicated as a contact person in an agreement concluded by the Company and your employer. In this case the Company processes your contact details (i.e. name, e-mail address, telephone number), and other data that is relevant for the performance of the agreement (i.e. job).
The Company has carefully deliberated the effect produced by processing on data subjects and found that it does not entail any disproportionate or unnecessary restriction of the interests, fundamental rights and freedoms of the data subjects. Processing is indispensable. Without processing, the participation in the public procurement procedures by the Company and performance of the contracts would not be possible. The Company restricts the scope of the data so processed, on a case-by-case basis, to the most necessary extent every time.
During processing the Company acts pursuant to the GDPR and the provisions stipulated in Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act).
In accordance with paragraph (1) of Article 5 of the GDPR:
“Personal data shall be
…
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
…”
2. Controller
The controller of your personal data determined above (controller) is the Company.
3. Purpose of processing
The purpose of processing of your personal data determined in the above section 1.1 is successful participation in public procurement procedures and performance of the contracts concluded by the Company in line with the terms and conditions of the contract.
We do not process your personal data that are not necessary for achieving this purpose. If data not necessary for achieving the purpose are also provided, we shall immediately erase them.
4. Duration of processing
The Company is obliged to retain the data determined in section 1.1 above for 5 years from conclusion of the public procurement procedure and/or at least for 8 years from performance of the contract.
5. Description of storage of the data and technical and organisational measures applied to ensure data security
We store your personal data at the Company’s registered office (1123 Budapest, Alkotás út 53.).
IT security specifications of the storage of personal data, technical and organisational measures taken to ensure data security:
The file server designed to store the data is located at the registered office of Thales RSS Kft. in a locked server room. Access to the network is possible only through dedicated computers owned by Thales from the office and through the VPN. Using a workstation always requires an AD identifier and the password belonging to it. Access to files is restricted (ACL) on the basis of this user identifier. Using the correspondence system requires a second identifier and password, completely independent of the first. The hard disk of mobile workstations is always encrypted; to decrypt it, users need an identification card and the PIN code belonging to it. VPN access uses the same identification procedure.
6. Scope of persons having access to the data, transfers of the data
Only the Company’s employees assigned to managing tenders and handling contracts are entitled to access the personal data determined in section 1.1 above.
We transfer your personal data determined in section 1.1 above to contracting authorities (if applicable).
7. The rights you are entitled to in connection with processing (data subject’s rights)
Concerning the processing of your personal data you are entitled to the following rights:
a) right of access (Article 15 of the GDPR): you shall have the right to obtain from the Company information as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the information appearing in this notice.
The Company will, upon request, make a copy of the personal data that are the subject of processing available to you. For further copies requested by you, the Company may charge a reasonable fee based on the administrative costs. If you have filed your request electronically, we shall make the information available to you in a commonly used electronic format, unless you request otherwise.
b) right to rectification (Article 16 of the GDPR): you shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning you. You shall also have the right to have incomplete personal data completed.
c) right to erasure (Article 17 of the GDPR): you shall have the right to obtain from the Company the erasure of personal data concerning you without delay and the Company shall have the obligation to erase personal data without delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- if the legal basis of processing is your consent and you withdraw such consent and where there is no other legal ground for the processing;
- you object to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject.
The above provisions as set out in this point c) shall not be applied, if (i) it is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject, or (ii) processing is necessary for the establishment, exercise or defence of legal claims.
d) right to restriction of processing (Article 18 of the GDPR): you shall have the right to obtain from the Company restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by you, for a period enabling the Company to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
- you have objected to processing, pending verification of whether the legitimate grounds of the Company override yours.
e) right to object (Article 21 of the GDPR): you shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. The Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. In view of the fact that the processing as specified in this Information Notice is carried out for enforcing a legal obligation or legitimate interests, the exercise of the right to object will not result in termination of processing as specified in this Information Notice.
f) right to information concerning the above rights (Article 12 of the GDPR): the Company will provide information to you without delay but in any event within one month of receipt of your request as set out in points a)-e) above of the circumstances of the processing in a concise, transparent, intelligible form in clear and plain language. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
The information will be provided free of charge. Where your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either: i) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or ii) refuse to act on the request. The Company shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
The Company will inform all recipients of the terms set out in points b)-d) above (i.e., of all rectifications, erasures or restrictions of processing) to whom the personal data have been disclosed, except when this proves impossible or involves a disproportionate effort. At your request, the Company will inform you of these recipients.
g) right to lodge a complaint (Article 77 of the GDPR): you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The complaint may be lodged with the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; telephone: +36 1 391 1400; fax: +36 1 391 1410; www.naih.hu; ugyfelszolgalat@naih.hu).
h) right to file a petition to the court (Article 79 of the GDPR): you shall have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in non-compliance with the GDPR. Proceedings against the Company shall be brought before the courts of the Member State where the Company has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.
8. You may request information concerning the processing of your personal data in the following manner and from the following person:
Further information in connection with the processing of your personal data can be requested from Tünde Sembery in a letter (1123 Budapest, Alkotás út 53.) or by email (tuende.sembery@thalesgroup.com). At your request, oral information can also be provided, of which a written record must be made. If you request oral information (e.g. by phone), you should verify your identity to the Company. When exercising your rights determined above, you should again contact Tünde Sembery.