Company Name: Monk Solutions LTD.
Head Office: 2112 Veresegyház, Baragödör Street 10
Tax Number: 25927809-2-13
Company Registration Number: 13-09-202195
1. Purpose of the Policy
The purpose of the Data Protection Policy is to implement and consistently apply measures that ensure the precise and secure handling of personal data of employees (hereinafter referred to as “Data Subjects”) in compliance with applicable EU and national data protection regulations, uniformly at the level of BJ81 Suite Hotel (hereinafter referred to as the “Company”).
Additionally, the Data Protection Policy provides a concise, transparent, and easily accessible guide for Data Subjects regarding access to their personal data processed by the Company, and it outlines and informs about the rules the Company applies to ensure the rights of Data Subjects.
2. Scope of the Policy
Personal Scope
This policy applies to the Company and all natural persons whose personal data is processed by the Company. The data processing activities set forth in this policy pertain to the personal data of natural persons. The policy does not cover personal data processing related to legal entities or businesses established as legal persons, including their name, form, and contact details. A legal entity may be an association, a corporation, a cooperative, a union, or a foundation.
Temporal Scope
This policy is in force from the date of its adoption until further notice or until the day it is revoked.
3. Principles of Data Processing
Before starting the processing of personal data, it must always be carefully considered whether it is genuinely necessary. Personal data should only be processed if it can be unambiguously justified that the purpose cannot be achieved by other means.
The Company must handle the personal data of Data Subjects lawfully, fairly, and transparently. No one should suffer any disadvantage as a result of initiating a procedure, seeking legal remedy, or making a complaint to the Company or any other authority specified in this policy, or because they refused or withdrew their consent when it is the basis for processing.
Personal data must be collected for specific, clear, and lawful purposes. The Company must avoid and eliminate any data processing that is inconsistent with the purpose for which the data was collected. The Company is only entitled to process personal data to the necessary extent and must delete any personal data when the purpose of processing no longer exists or the legal basis for the processing cannot be justified.
The Company is required to implement control mechanisms to ensure that:
- Personal data aligns with the purposes of the processing from the moment of collection and throughout the processing duration.
- The scope and duration of the processing are limited to what is necessary.
The personal data processed by the Company must be accurate and up-to-date. The Company is required to take all reasonable steps to ensure that accurate personal data is processed, including:
- Deleting unnecessary or redundant personal data without delay.
- Correcting or deleting inaccurate personal data.
Personal data must be stored in a manner that allows the identification of Data Subjects only as long as necessary to achieve the purpose of the processing.
Data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, by using suitable technical or organizational measures.
4. Lawfulness of Data Processing
Determining the correct legal basis for processing and complying with the conditions associated with the selected legal basis is a prerequisite for lawful data processing. Thus, the requirement of lawfulness means both having an appropriate legal basis for processing and ensuring that processing complies with the regulations relevant to the chosen legal basis.
Given the nature of its activities, the Company may choose from the following primary legal bases for processing the personal data of Data Subjects, depending on the nature and circumstances of the processing. The main legal bases mentioned in the first section apply to all personal data except special categories, while the second section sets out specific rules regarding the processing of special categories of data.
4.1 Personal Data (excluding special categories)
The Company may process the personal data of Data Subjects (excluding special categories of data) on the following legal grounds:
Consent: The Company may process personal data with the explicit consent of the Data Subject, provided that consent is demonstrably voluntary. In the case of services offered to children under the age of 16, data processing related to information society services is lawful only if the consent is given or authorized by the parent or guardian. Data Subjects give consent voluntarily and may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Contract preparation or performance: This legal basis applies to data processing necessary for the performance of a contract (e.g., service contract, employment contract) where the Data Subject is a party or if the data processing is required to take steps at the request of the Data Subject before entering into a contract.
Compliance with a legal obligation: This basis applies when data processing is required by EU or national law.
Legitimate interest: This basis applies to data processing necessary to protect the legitimate interests of the Company or a third party. The Company’s or third-party’s legitimate interest must be recorded in the relevant data processing policy.
Other legal grounds may include protecting the vital interests of the Data Subject or another person, public interest, or processing related to tasks carried out in the exercise of official authority.
If the Company collects data from the Data Subject and they do not provide the requested data, the consequence may be the refusal or impossibility of contract preparation or performance (e.g., failure to establish an employment relationship).
4.2 Special Categories of Data
Due to their sensitive nature, special categories of data require enhanced protection. The Company may process special categories of data (including health data) under the following grounds:
GDPR Article 9(2)(a): The Data Subject may provide explicit consent for the processing of their personal data, provided the voluntariness of the consent can be proven. Data Subjects may withdraw consent at any time without affecting the lawfulness of prior processing.
GDPR Article 9(2)(b): The Company may process special categories of data when necessary to fulfill its obligations or exercise its specific rights in the field of employment and social security and social protection law under EU or national law or a collective agreement.
GDPR Article 9(2)(f): This legal basis applies when processing is necessary for establishing, exercising, or defending legal claims.
5. The Company’s Obligation to Provide Information and its Actions
The Company is required to provide certain information to the Data Subject in a concise, transparent, and easily accessible manner, clearly and comprehensibly, and inform the Data Subject of their rights. Furthermore, upon the Data Subject’s request, the Company may take actions in compliance with certain procedural rules.
5.1 Data Management Information
Depending on whether personal data is collected from the Data Subject or not, the Company is obliged to provide certain information regarding data processing. The common and specific rules of this data management information are summarized in the subchapters below.
5.1.1 Common Rules
Based on its obligation to provide information, the Company must inform the Data Subject about the following:
- a) The identity and contact details of the Company and, if applicable, its representative,
b) The purpose of the intended data processing and the legal basis for processing,
c) In the case of data processing based on Article 6(1)(f) of the GDPR, the legitimate interests of the Company or a third party,
d) Where applicable, the recipients or categories of recipients of the personal data, if any,
e) Where applicable, the fact that the Company intends to transfer personal data to a third country or international organization, as well as the existence or absence of an adequacy decision by the European Commission, or in the case of a transfer based on Article 46, 47, or the second subparagraph of Article 49(1) of the GDPR, a reference to the appropriate and suitable safeguards and the means to obtain a copy of them or where they are available,
f) The duration of the storage of personal data or, if that is not possible, the criteria used to determine that duration,
g) The Data Subject’s right to request from the data controller access to and rectification or erasure of personal data concerning them or restriction of processing or to object to such processing, as well as the right to data portability,
h) In the case of processing based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
i) The right to lodge a complaint with a supervisory authority,
j) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in such cases, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the Data Subject.
5.1.2 Information to be Provided When Data is Collected from the Data Subject
When personal data is collected from the Data Subject, the Company is also obliged to inform the Data Subject whether the provision of personal data is a statutory or contractual requirement or a prerequisite for entering into a contract, and whether the Data Subject is obliged to provide the personal data, as well as the possible consequences of failure to provide such data. This information must be provided at the time the personal data is obtained. However, if the Data Subject already has the aforementioned information, there is no need to provide it.
5.1.3 Information to be Provided When Data is Not Collected from the Data Subject
When personal data is not collected from the Data Subject, in addition to the above, the Company must inform the Data Subject about the categories of personal data concerned, the source of the data, and, if applicable, whether it comes from publicly accessible sources.
The Company must provide this information:
- a) Within a reasonable period of obtaining the personal data, but at the latest within one month, considering the specific circumstances of the processing of the personal data,
b) If the personal data is used to communicate with the Data Subject, at the latest at the time of the first communication with the Data Subject, or
c) If disclosure to another recipient is envisaged, at the latest when the personal data is first disclosed.
There is no need to provide the above information if:
- a) The Data Subject already has the information,
b) The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR, or insofar as the obligation referred to in Article 14(1) is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller must take appropriate measures, including making the information publicly available, to protect the rights and freedoms and legitimate interests of the Data Subject,
c) The acquisition or disclosure of the data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the Data Subject’s legitimate interests, or
d) The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
5.2 Persons Entitled to Access the Data
Personal data may be accessed by the employees of the Company with appropriate access rights related to the specific data management purpose, as well as by persons or organizations performing data processing activities on behalf of the Company under service agreements, to the extent necessary for the performance of their activities.
5.3 Rights of the Data Subject
The Data Subject may request access to, rectification, erasure, or restriction of processing of their personal data from the Company and may object to the processing of such personal data. The Data Subject also has the right to data portability and the right to seek legal remedies, as well as the right to a decision regarding automated decision-making in individual cases, including profiling.
The Company is obliged to provide information about certain Data Subject rights as part of the information described in section 5.1.
5.4 Procedural Rules
The Company is obliged to act in accordance with the requirements outlined above when fulfilling its information obligations and taking actions. Beyond the specific rules mentioned above, the Company must adhere to the following provisions.
6. Limitations
(1) Union or Member State law applicable to the controller or processor may restrict the scope of the rights and obligations provided for in Articles 12–22 and 34, as well as the provisions of Article 5, through legislative measures if the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society, for:
- National security,
b. Defense,
c. Public security,
d. Prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties, including safeguarding against and preventing threats to public security,
e. Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or a Member State, including monetary, budgetary, and taxation matters, public health, and social security,
f. Safeguarding the independence of the judiciary and judicial proceedings,
g. Prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions,
h. Monitoring, inspection, or regulatory functions connected, even occasionally, with the exercise of official authority in the cases referred to in points a–e and g,
i. Protection of the Data Subject or the rights and freedoms of others,
j. The enforcement of civil law claims.
(2) The legislative measures referred to in paragraph (1) contain, where relevant, specific provisions at least concerning:
- The purposes of the processing or categories of processing,
b. The categories of personal data,
c. The scope of the restrictions introduced,
d. The safeguards to prevent abuse or unlawful access or transfer,
e. The specification of the controller or categories of controllers,
f. The storage periods and applicable safeguards considering the nature, scope, and purposes of the processing or processing categories,
g. The risks to the rights and freedoms of Data Subjects, and
h. The Data Subject’s right to be informed about the restriction, unless it may adversely affect the purpose of the restriction.
7. Data Transfer
The Company may transfer personal data for specified purposes, in particular to fulfill a contract with a third party or comply with a legal obligation, or for employment-related employer obligations.
In the case of data transfer—except for transfers required by law—the Company will only transfer the Data Subject’s personal data to recipients within the European Union or to entities that provide adequate guarantees that their data processing meets the GDPR requirements.
If the Company transfers personal data to a third country (i.e., outside the European Union) or to an international organization, it must ensure that the recipient in the third country or the international organization provides a level of protection equivalent to that provided by the Company, in accordance with Chapter V of the GDPR.
If personal data is transferred to a third country or international organization that does not ensure an adequate level of protection as defined by Chapter V of the GDPR (e.g., certain Asian or African countries), the transfer may only take place without the Data Subject’s consent if it complies with Article 49 of the GDPR; otherwise, explicit consent from the Data Subject is required for the transfer of personal data.
8. Data Protection Incident
In the event of a data protection incident, the Company is required to adhere to and act according to the following rules:
8.1 Notification to the Supervisory Authority
The Company must notify the supervisory authority of the data protection incident concerning the data it processes without undue delay, and if possible, no later than 72 hours after becoming aware of it, with at least the following information: a) A description of the nature of the data protection incident, including the categories and approximate number of data subjects, the categories and approximate number of data affected by the incident, b) The name and contact details of the data protection officer or other contact person providing further information, c) The likely consequences of the data protection incident, d) The measures taken or proposed by the data controller to remedy the data protection incident, including measures aimed at mitigating any adverse effects.
If it is not possible to provide all of the above information at once, the information may be provided in phases without undue delay. If the notification is not made within 72 hours, reasons for the delay must be provided.
A data protection incident does not need to be reported if it is unlikely to pose a risk to the rights and freedoms of natural persons. The likelihood and severity of the risk should be assessed objectively, taking into account the nature, scope, circumstances, and purposes of the processing. Risks may include, for example, adverse discrimination, identity theft, financial loss, reputational damage, or other significant economic or social disadvantages to the data subjects.
8.2 Notification of the Data Subjects
If a data subject, particularly an employee of the Company, becomes aware of a data protection incident, they are required to immediately inform a representative of the Company.
In any case where a data protection incident is likely to result in a high risk to the rights and freedoms of one or more data subjects, and the Company becomes aware of the incident, it must notify the data subject(s) without undue delay. The notification must clearly and understandably include: a) The nature of the data protection incident, b) The name and contact details of the data protection officer or other contact person providing further information, c) The likely consequences of the data protection incident, d) The measures taken or proposed by the Company to remedy the data protection incident, including measures aimed at mitigating any adverse consequences.
Notification to the data subject is not required if any of the following conditions are met: a) The Company has implemented appropriate technical and organizational protection measures, such as encryption, which render the personal data unintelligible to unauthorized persons, b) The Company has taken further measures after the data protection incident to ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize, c) Providing the notification would involve disproportionate effort. In such cases, the data subjects should be informed through publicly available means or by other similar measures that ensure the data subjects are effectively informed.
If the Company has not yet notified the data subject of the data protection incident, the supervisory authority may, after assessing whether the incident is likely to result in a high risk, order the notification of the data subject or determine that one of the above conditions is met and that notification is not necessary.
9. Data Processing Records
9.1 Record of Data Processing Activities
The Company and its representatives are required to maintain a written record of data processing activities, including electronic documents, in accordance with Article 30 of the GDPR, which must include the following information: a) The name and contact details of the Company, b) The purposes of the data processing, c) The categories of data subjects and personal data categories, d) The categories of recipients to whom personal data are or will be disclosed, including recipients in third countries or international organizations, e) If applicable, information on the transfer of personal data to a third country or an international organization, including the identification of the third country or international organization and the description of appropriate safeguards under Article 49(1) of the GDPR, f) Where possible, the time limits for erasure of different categories of data, g) Where possible, a general description of the technical and organizational measures referred to in Article 32(1) of the GDPR.
The Company and its representatives must make the record available to the supervisory authority upon request.
9.2 Record of Data Protection Incidents
The Company must record data protection incidents with the following information: a) The facts related to the data protection incident, b) The effects of the incident, c) The measures taken to remedy the incident.
The supervisory authority may inspect this record to verify compliance with Article 33 of the GDPR.
10. Data Protection Impact Assessment
In conducting a data protection impact assessment, the Company must perform an assessment for data processing operations likely to result in a high risk to the rights and freedoms of natural persons. The assessment must include at least the following information: a) A systematic description of the proposed data processing operations and the purposes of the processing, including, if applicable, the legitimate interests pursued by the data controller, b) An assessment of the necessity and proportionality of the processing operations in relation to their purposes, c) An assessment of the risks to the rights and freedoms of the data subjects, d) The measures taken to address the risks, including safeguards, security measures, and mechanisms to ensure compliance with the GDPR and to protect the rights and legitimate interests of data subjects.
11. Rules on Data Processing
11.1 General Rules on Data Processing
The Company engages external data processors to perform the following tasks:
- Operation and maintenance of the website,
- Fulfillment of tax and accounting obligations,
- Performance of ordered services.
The data controller determines the rights and obligations related to the processing of personal data by the data processor within the limits set by law and specific regulations.
The Company declares that during the data processing activities, the data processor does not have decision-making authority over the data processing and may only process personal data according to the instructions of the data controller. The data processor is not authorized to use the personal data for its own purposes and must store and retain the data according to the instructions of the data controller.
The Company is responsible for the legality of instructions given to the data processor regarding the data processing activities.
The Company must inform the data subjects about the identity of the data processor and the location of the data processing.
The Company does not authorize the data processor to engage any further data processors.
A written contract must be established for data processing. Data processing cannot be entrusted to an organization that has a business interest in the processed personal data.
11.2 Data Processing Activities Performed by the Company
The Company commits to providing appropriate guarantees to ensure compliance with the requirements of the Regulation and to implement adequate technical and organizational measures to protect the rights of data subjects.
The Company, as a data processor, must immediately inform the data controller if it believes that any instruction from the data controller violates this Regulation or other data protection laws.
The Company processes the data according to the instructions of the data controller and complies with the contractual obligations known to it.
The Company does not modify, delete, copy, or combine the data with other databases, nor use the data for any purposes other than those specified by the data controller, except as expressly directed by the data controller and necessary for the data processing purposes.
The Company is not authorized to represent the data controller or make legal statements on behalf of the data controller, except as explicitly authorized by agreement or other documents.
The Company acknowledges that the data controller is solely responsible for determining the purpose and manner of processing the data provided to the data processor.
The Company, as a data processor, must ensure the security of the data, implement all necessary technical and organizational measures to enforce data protection rules, and protect against unauthorized access, alteration, transmission, disclosure, destruction, or loss of data. The Company must also take measures against accidental loss, damage, and inaccessibility due to technical changes.
The Company commits to fully complying with the data security provisions in this policy and ensuring that these provisions apply to its data processing activities.
The Company, as a data processor, will only provide access to data to employees who need it to perform their data processing activities and will inform those with access about compliance with security requirements and confidentiality obligations.
The Company, as a data processor, commits to cooperating with the data controller to ensure that the data controller can meet its legal obligations, particularly in relation to responding to requests for access, deletion, and correction of data.
The Company, as a data processor, commits to modifying, supplementing, correcting, blocking, or deleting data as instructed by the data controller.
The Company must promptly notify the data controller of any security incidents or risks affecting the data, take necessary measures, and fully cooperate with the data controller.
The Company agrees to fully cooperate with the data controller and its representatives during any audits or inspections related to data processing, ensuring that authorized personnel have access to relevant records, data, and procedures.
12. Scope and Review Procedure
The Data Protection Policy comes into effect on May 25, 2018, and remains valid until revoked. With the adoption of the Data Protection Policy, all previously effective internal policies and employer instructions related to personal data processing under the Data Protection Policy become invalid.
The Data Protection Policy will be reviewed at least once a year. If necessary, the Company will amend the policy to reflect legal and internal organizational changes, ensure the implementation and announcement of the revised policy, and ensure that persons affected by the policy are informed of the changes.
Compliance with the provisions of the Data Protection Policy is mandatory for all representatives, officers, and appointees of the Company. They must perform their duties in full accordance with the provisions of the Data Protection Policy.
In the event of legal changes or other reasons for amending this policy, the Policy must be revised in accordance with the legal changes or other reasons, and the updated text must be communicated to the data subjects.
Budapest, May 30, 2024
