Thales Rail Signalling Solutions Kft. (registered office: 1123 Budapest, Alkotás út 53.; "Company"; represented by György Mikics, managing director) informs you in connection with processing your personal data by the Company, in accordance with the provisions stipulated in Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (”GDPR”) as set out in this Information Notice.
The purpose of this Data Processing Information Notice is to inform the data subject of how the Company uses his or her personal data that comes into its possession with regard to the sound recording - after the consent has been given - and what rights the data subject has in relation to data processing.
1. Legal basis of processing and the scope of the data processed
1.1 The legal basis of processing is your freely given, specific, informed and unambiguous consent (point a) of paragraph (1) of Article 6 of the GDPR).
When you use the Company’s call center, your voice will be recorded, and the recorded sound material may also contain personal data (for example, name, correspondence address, telephone number, email address). At the beginning of the telephone conversation, you declare whether you give your consent or not. If you do, then the consent given orally itself will be also recorded by sound recoding.
If you do not consent to recording of the conversation, then we shall not record it. However, in this case you will not be able to use the services of the call center. You can give your order in writing only.
During processing the Company acts pursuant to the GDPR, the provisions stipulated in Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act).
In accordance with paragraph (1) of Article 5 of the GDPR
„Personal data shall be
…
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;…(“purpose limitation”)”;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
…”
2. Controller
The controller of your personal data determined above (controller) is the Company.
3. Purpose of processing
The purpose of the processing of your personal data determined in section 1.1 above is performance of the contract(s) made between MÁV Zrt. and the Company. The call center is a service set out in the contracts.
4. Duration of processing
The recorded calls are recorded primarily by the Company’s processor, Arenim Technologies Korlátolt Felelősségű Társaság (registered office: 1117 Budapest, Infópark sétány 1., company register number: 01-09-330669; tax number: 12904327243) (“Processor”) and are stored by them for 45 days.
The Company is obliged to retain the data determined in section 1.1 above for 5 years from performance of the contract.
5. Description of storage of the data and technical and organisational measures applied to ensure data security
We store your personal data on our Processor’s server and at the Company’s registered office (1123 Budapest, Alkotás út 53.).
IT security specifications of the storage of personal data, technical and organisational measures taken to ensure data security:
The file server designed to store the data is located at the registered office of Thales RSS Kft. in a locked server room. Access to the data stored in the network is possible only through dedicated computers owned by Thales from the office and through the VPN. The entire hard disc of mobile workstations is encrypted; to undo encryption and use the workstations every time requires multi-level identification.
The Processor stores calls protected by AES 256 bit encryption and the reliability of storage is 99.9999%. The Processor backups data on daily basis and stores the backup for 6 days, stores weekly backups for 4 weeks. Their servers are redundant and represent total backup.
6. Scope of persons having access to the data, transfers of the data
The Company’s IT manager and the administration staff managing call center related cases are entitled to access to the personal data determined in section 1.1 above.
Access to backups made by the Processor is allowed only to the technical manager and the DevOps staff responsible for backups.
We transmit the sound recording, at the special request of your employer, MÁV Zrt., to MÁV Zrt. No transmission of data to third countries is carried out.
7. The rights you are entitled to in connection with processing (data subject’s rights)
Concerning the processing of your personal data you are entitled to the following rights:
a) right of access (Article 15 of the GDPR): you shall have the right to obtain from the Company information as to whether or not your personal data are being processed, and, where that is the case, access to the personal data and the information appearing in this notice.
The Company will, upon request, make the copy of the personal data constituting the subject of processing available to you. For further copies requested by you, the Company may charge a fee of reasonable rate based on the administrative costs. If you have filed your request electronically, we shall make the information available to you in extensively used electronic format, except when you request it otherwise.
b) right to rectification (Article 16 of the GDPR): you shall have the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning you. You shall also have the right to have incomplete personal data completed.
c) right to erasure (Article 17 of the GDPR): you shall have the right to obtain from the Company the erasure of personal data concerning you without delay and the Company shall have the obligation to erase personal data without delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- if the legal basis of processing is your consent and you withdraw such consent and where there is no other legal ground for the processing;
- you object to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject.
The above provisions as set out in this point c) shall not be applied, if (i) it is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject, or (ii) processing is necessary for the establishment, exercise or defence of legal claims.
d) right to restriction of processing (Article 18 of the GDPR): you shall have the right to obtain from the Company restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by you, for a period enabling the Company to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- the Company no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
- you have objected to processing; pending the verification whether the legitimate grounds of the Company override those of you.
e) right to object (Article 21 of the GDPR): you shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. The Company shall no longer process the personal data unless the Company demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. In view of the fact that the processing as specified in this Information Notice is carried out for enforcing legal obligation or legitimate interests, the exercise of the right to object will not result in termination of processing as specified in this Information Notice. If you do not intend to sign in in the future by using the fingerprint scanner, then we shall erase the hash code referred to above promptly and the Company will provide you with a manner of signing in as specified above.
f) right to information concerning the above rights (Article 12 of the GDPR): the Company will provide information to you without delay but in any event within one month of receipt of your request as set out in points a)-e) above of the circumstances of the processing in a concise, transparent, intelligible form in clear and plain language. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Company shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
The information will be provided free of charge. Where your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the Company may either: i) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or ii) refuse to act on the request. The Company shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
The Company will inform all recipients of the terms set out in points b)-d) above (i.e., of all rectifications, erasures or restrictions of processing) to whom the personal data have been disclosed, except when this proves impossible or involves a disproportionate effort. At your request, the Company will inform you of these recipients.
g) right to lodge a complaint (Article 77 of the GDPR): you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The complaint may be lodged with the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; telephone: +36 1 391 1400; fax: +36 1 391 1410; www.naih.hu; ugyfelszolgalat@naih.hu).
h) right to file a petition to the court (Article 79 of the GDPR): you shall have the right to an effective judicial remedy where you consider that your rights under the GDPR have been infringed as a result of the processing of your personal data in non-compliance with the GDPR. Proceedings against the Company shall be brought before the courts of the Member State where the Company has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.
8. You may request information concerning the processing of your personal data in the following manner and from the following person:
Further information in connection with the processing of your personal data can be requested from Tünde Sembery in a letter (1123 Budapest, Alkotás út 53.) or by email (tuende.sembery@thalesgroup.com). At your request, oral information can be also provided, of which a protocol must be taken. If you request oral information (e.g. by phone), you should verify your identity to the Company. When exercising your rights determined above, you should again contact Tünde Sembery.