The Mayor’s Office of the City of Debrecen (hereinafter: the Office), in order to fulfill its obligation to provide information included in point a) Section (1) § 15 and § 16 of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: the Information Act) and in Article 13 of Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as well as on the repealing of Regulation (EC) No 95/46 (General Data Protection Regulation), (hereinafter: GDPR), shall provide information on data processing carried out by the Office:
I. GENERAL PROVISIONS
I.1. Purpose of the privacy notice
The present notice summarizes the principles that determine the Office's personal data protection policy and day-to-day practice; it presents the procedures and processes for requesting personal data from data subjects and clients; furthermore, as part of the notice, the Office declares the purpose and method of using such data and how it ensures the retention and protection of personal data. This notice has been prepared on the basis of the city clerk’s instructions on the Office’s – internal – data protection and data security regulations.
I.2. Scope of the privacy notice
The scope of the notice covers all personal and special data processed in the performance of the Office’s tasks (hereinafter together: personal data), as well as all administrative and case management procedures related to personal data in the Office. The scope of the notice is limited to the processing of personal data concerning natural persons. Individual entrepreneurs, sole proprietorships, persons acting in the capacity of primary producer shall be considered as natural persons. The notice does not cover the processing of personal data concerning legal persons, including the name and form of the legal person and the contact details of the legal person.
I.3. Ensuring the right to informational self-determination
The Office treats personal data confidentially, in accordance with the provisions of the applicable legal regulations, in particular the provisions of the Information Act and the GDPR, ensures their security, takes the technical and organisational measures and establishes the procedural rules that comply with the relevant legal provisions and other recommendations.
At the request of the data subject / client, the Office shall in all cases provide detailed information on the personal data processed, the purpose, legal basis, duration of data processing and the activities related to data processing, as set out in their request.
The data subject / client may address his or her request / complaint related to data processing to the Office at the contact details set out in Section I.4 of the present notice.
This notice contains terms in accordance with the interpretative provisions of the Information Act.
The Office manages personal data at all times in accordance with the principles set out in the Information Act.
I.4. Name and contact details of the data controller and the data protection officer:
Name: Mayor’s Office of the City of Debrecen
Seat: 4024 Debrecen, Piac utca 20.
Mailing address: 4024 Debrecen, Piac u. 20. 4001 Debrecen,
4026 Debrecen, Kálvin tér 11. 4002
Debrecen, Pf.: 220
Registry identification number: 461009
KSH statistical number: 15461009-8411-325-09
National budget unique identifier: 728977
Tax number: 15461009-2-09
E-mail address: firstname.lastname@example.org
Telephone number: 06-52/511-400; 06-52/517-700
Name of representative: Dr. Antal Szekeres, Titular City Clerk
Name of Data Protection Officer: Controll Holding Zrt.
Telephone number: 06 1 319 3071
E-mail address: email@example.com
DATA PROTECTION AND DATA SECURITY REGULATIONS
II. LEGAL BASIS FOR DATA PROCESSING
II.1. Certain procedures and the related personal data processing within the Office’s remit may be initiated by the Office or at the request of the client. The legal basis of data processing: points a), c) and d) of Section (1) § 5 of the Information Act and points b)-f) Section (1) Article 6 of the GDPR, in accordance with the sectoral legislation applicable to the type of case.
III. PURPOSE OF DATA PROCESSING
III.1. The purpose of data processing: to perform tasks under the legal framework by the Office, and to administer them.
IV. SUBJECT OF DATA PROCESSING
IV.1. Personal data processed: in the course of the administration, the Office requests only such data that are necessary in accordance with the provisions of the legislation applicable to the given type of case or for the settlement of the given case.
The source of data collection is the application in proceedings initiated on request and the public registers in proceedings initiated ex officio.
V. DURATION OF DATA PROCESSING
V.1. Duration of data processing: the period specified by the sectoral legislation applicable to the type of case and the current records management rules.
VI. EXERCISE OF THE RIGHTS OF THE DATA SUBJECT
VI.1. If any of the data subjects / clients requests the deletion of their personal data, the Office shall do so without delay by deleting the relevant data previously indicated by the data subject / client from its database.
The Office may not delete the data of the data subject / client if the data processing has been ordered by law.
VI.2. The request for cancellation can be submitted electronically at the e-mail address of the Office indicated in the present privacy notice, or by sending a letter to the Office's seat, or orally. The Office shall send a written confirmation of the oral request for cancellation to the data subject / client.
If the request for cancellation is complied with, the data processed by the Office shall not be processed from the date of receipt of the request.
In the event of deletion, the Office shall delete all communications from the system involving all data lawfully processed prior to the receipt of the request.
VI.3. If there has been a change in the data processed, the data subject / client may request that it be changed. The request for amendment may be submitted electronically to the Office’s e-mail address indicated in the present privacy notice, or by sending a letter to the Office’s seat, or orally. The Office shall send a written confirmation of the oral request for amendment to the data subject / client.
VI.4. Instead of deleting, the Office shall block the personal data if the data subject / client requests so or if, on the basis of the available information, it can be assumed that the deletion would harm the data subject’s / client’s legitimate interests. Personal data blocked in this way may only be stored for as long as the purpose of data processing – which precluded the deletion of personal data – exists. With the exception of storage, restricted data may only be processed with the consent of the data subject / client, or for the submission, enforcement or protection of legal claims, or for the protection of the rights of other natural or legal persons, or for important public interests (right to restrict data processing).
VI.5. If the Office does not comply with the data subject's request for rectification, blocking or cancellation, it shall, within 25 days of receipt of the request, communicate in writing the factual and legal reasons for rejecting the request for rectification, blocking or deletion. If the request for rectification, erasure or blocking is rejected, the Office shall inform the data subject / client of the possibility of legal redress and recourse to the supervisory authority.
VI.6. The data subject / client may object to the processing of his or her personal data:
- a) where the processing or transfer of personal data is necessary solely for the performance of a legal obligation to the Office or in the legitimate interest of the controller, the recipient or a third party, except in the case of compulsory processing;
- b) where the use or transfer of personal data is for the direct acquisition of business, public opinion polling or scientific research; and
- c) in other cases specified by law.
In the event of objection by the data subject / client, the Office shall not be entitled to further data processing, unless it proves that the data processing is justified by overriding legitimate reasons which take precedence over the data subject’s / client’s interests and rights, or which relate to the presentation, enforcement or protection of legal claims.
With regard to data processed on a legal basis under points d) and f) Section (1) Article 6 of the GDPR (legitimate interest), the data subject / client may object to the processing of his data instead of requesting the deletion.
The Office shall examine the objection as soon as possible after the submission of the application, but not later than within 15 days, and shall take a decision on its merits and shall inform the data subject / client thereof in writing.
VI.7. Data subjects / clients may request information on the processing of their personal data. The request for information may be submitted electronically to the Office’s e-mail address indicated in the present privacy notice, or by sending a letter to the Office’s seat, or orally. The Office shall send a written confirmation of the oral request for information to the data subject / client.
At the request of the data subject / client, the Office shall provide information on the data related to the data subject / client it processes, as well as the purpose, legal basis, duration of data processing, the fact of data transfer, its legal basis, the name and address of the recipient as well as all his or her activities related to the data processing. The Office is obliged to provide the information in writing in a comprehensible form at the request of the data subject / client as soon as possible, but not later than within 25 days from the submission of the request.
The information mentioned above is free of charge.
The Office may refuse to inform the data subject only in cases specified in the Information Act. If the information is refused, the Office shall notify the data subject in writing of the provisions of this Act on the basis of which the refusal of information was made. In the event of a refusal to provide information, the Office shall inform the data subject / client of the possibility of legal redress and recourse to the National Authority for Data Protection and Freedom of Information.
VI.8. Data portability
The data subject / client is entitled to receive the data provided by him or her to the Office in a structured, widely used, machine-readable format, as well as to forward it to another data controller.
The data subject / client may request the direct transfer of the data to the other data controller if this is technically feasible.
The request for data transfer may be submitted electronically by contacting the Office by e-mail indicated in this data management information, or by sending a letter to the Office’s seat, or orally. The Office shall send a written confirmation of the oral request for data transfer to the data subject / client.
If the Office does not comply with the data subject’s / client's request for data transfer, it shall state the factual and legal reasons for the rejection of the request in writing within 25 days of receipt of the request. If the request for data transfer is rejected, the Office shall inform the data subject about the possibility of legal redress and recourse to the supervisory authority.
With regard to data processed on a legal basis under points d) and f) Section (1) Article 6 of the GDPR (legitimate interest), the data subject is not entitled to the right of data portability.
VI.9. Legal remedy:
On the basis of the provisions of the GDPR and the Information Act, anybody may initiate an investigation by notifying the National Authority for Data Protection and Freedom of Information, on the grounds that a breach of law has occurred in connection with the processing of personal data or there is a direct risk of it.
Contact details of the National Authority for Data Protection and Freedom of Information:
In the event of a violation of the law related to the processing of personal data, there is also a possibility for judicial enforcement. The natural person concerned may institute legal proceedings, the adjudication of which falls within the jurisdiction of the Court of Law of Debrecen. If the data subject prefers so, the case may also be brought before the court of his or her place of residence.
VII. Additional provisions for the camera system
The Office operates cameras within and outside the buildings of the Old City Hall located at 20 Piac Street, and of the New City Hall at 11 Kálvin Square.
In order to comply strictly with the purpose limitation principle and the interest balance test, the viewing angle of the cameras is limited to the area consistent with the purpose of the observation.
The Office carries out recorded surveillance with all cameras.
It informs clients and other visitors to the Office's buildings about the operation of the cameras by displaying signs with the text “camera surveillance area” and by placing information on camera surveillance.
The purpose of using the camera system:
- a) the protection of the Office's assets, assets of significant value or other valuables,
- b) the protection of the valuables of persons employed by the Office,
- c) the protection of the life, physical integrity and personal liberty of staff and of clients and other visitors to the Office,
- d) ensuring the performance of the Office's tasks, its official activities, the protection of its operational order, and monitoring compliance with the rules of procedure.
The Office processes personal data recorded by the camera system on the basis of point c) Section (1) § 5 of the Information Act and points d) and f) Section (1) Article 6 of the GDPR, proportionate to the limitation of the rights to the protection of personal data, and in order to enforce its own legitimate interests and those of third parties.
The recordings recorded by the cameras are stored by the Mayor’s Office on the recording hardware devices. Recordings made by cameras shall be deleted by the Office three working days after the recording.
The Office shall transmit the recordings recorded by the cameras and the data recorded by the electronic access system to the acting bodies only in the framework of judicial or other official proceedings, upon their request.
The Office shall provide protection against unauthorized access, transmission and deletion, alteration, disclosure, accidental destruction and damage to recordings made by the cameras and data recorded by the access control system.
Recordings made by cameras and data recorded by the access control system may not be copied unless necessary for the proceedings of a court or other authority.
A person whose right or legitimate interest is affected by the record or the recording of his or her other personal data is entitled to view the recording made by the cameras or to get to know the data recorded by the electronic access system in accordance with the procedure specified above.
At the request of the data subject, the Office shall provide information on the personal data processed by it, their source, the purpose, legal basis and duration of the data processing, and – in the case of transfer of the data subject’s personal data – the legal basis and recipient of the data transfer.
VIII. Anonymous User ID (cookie) placement and web beacons
IX. Data storage, processing, data transmission
XI.1. Data storage
The Office stores the processed data on a physical server, using a commissioned external organisation. The commissioned agent does not have access to the data.
XI.2. Data processing
The Office does not employ a data processor, and the data may be accessed only by employees of the Office who are involved in the performance of its duties and who are subject to an appropriate obligation of confidentiality.
XI.3. Data transmission
The Office transmits data only in cases specified by law, in order to perform the tasks included in its Organisational and Operational Regulations.
X. Data security measures
X.1. Data security measures
The Office acts with the utmost care in relation to the processing and storage of personal data provided by the data subjects / clients. In the field of information security, the Office uses the most efficient, state-of-the-art tools and procedures reasonably available.
The Office shall plan and carry out data processing operations in such a way as to ensure the protection of the privacy of data subjects / clients. The Office ensures the security of the data; furthermore, it takes the technical and organisational measures and has established the procedural rules necessary for the enforcement of the Information Act and other data and confidentiality protection rules. The Office has Archiving Regulations governing the recording of data security measures and procedures, data processed in the IT system related to electronic administration and the archiving of data in IT systems, and it also has IT Security Regulations on the technical and professional protection measures, as well as a Records Management Regulation and a Document Management Regulation.
XI. Fulfillment of official requests
XI.1. The court, the prosecutor, the investigating authority, the infringement authority, the administrative authority, the data protection commissioner or other bodies may contact the Office for the purpose of providing information, disclosing data, transferring documents or making documents available.
XI.2. The Office shall provide personal data to the authorities only to the extent strictly necessary for the purpose of the request, provided that the authority has indicated the precise purpose and scope of the data.
XII. Establishment and amendment of the notice
The city clerk is entitled to establish and amend the present notice by making the amendments available to the data subjects / clients at least 15 days before the entry into force of each amendment by publishing it on the Office’s website.
Written in Debrecen, on 25 January, 2019.
Dr. Antal Szekeres
Titular City Clerk