General Data Protection Regulation (GDPR)
|The Juventus Language Group (further as Juventus), as a partner in corporate training, carries out data processing and management activities to fulfill its training activities. The basis of data management / processing activity is: Act LXXVII of 2013 on Adult Education and its implementing decree, the individual data management and data processing agreement concluded with our corporate partner, the Juventus quality management system and its internal GDPR regulation.
The General Data Protection Regulation of the European Union (EU 2016/679, valid from May 25, 2018) is a law regulating personal data, and it affects Juventus as an entity managing personal data.
Juventus is committed to protecting the personal data of its employees and partners. We comit to ensuring that the processing of data related to our activities complies with the requirements set out in European and applicable national legislation, and that we treat personal data confidentially and take all security, technical and organizational measures that guarantee the security of personal data and the provisions and obligations of the data management agreement concluded with our partner.
B a s i c c o n c e p t s
- Personal data
Any information that relates to an identified or identifiable person, that is, a person who has been identified by a personal identifier, a name, an identification number, a residence or an online identifier, etc. or can be identified directly or indirectly.
- Special categories of personal data
Any personal data regarding the race or ethnicity, the political, religious or philosophical views, trade union membership, or any other personal information about e.g. the medical records or data about physical or mental health, or the sexual orientation of a natural person.
- Data management
Any operation or series of operations performed on personal data, whether by automatic means or manually, such as collecting, recording, sorting, organizing, storing, employing, altering, retrieving, using, forwarding, distributing or otherwise making available, ordering or merging, restricting, deleting or destroying.
- Data subject
Any living person to whom personal data or special categories of personal data apply, e.g. employees, job advertisers, former employees, other (non-employed) partners, including entrepreneurs, and direct relatives of employees. This may also apply to business contacts.
- Data controller
A natural or legal person who, alone or together with others, decides on the purpose and means of the processing of personal data.
- Data processor
A natural or legal person who processes personal data or on behalf of or following the authorization of the data controller.
Any form of management of personal data, where the personal data is used in order to evaluate, analyze or predict certain personal qualities, characteristics, properties of a natural person, including but not limited to qualities related to work performance, financial status, physical or mental health, personal preferences, interests, reliability, behavior, location or movement data.
- Third party
A natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who have been authorized to process personal data under the direct control of the controller or processor.
- Consent of the data subject
A voluntary, concrete, well-informed and unambiguous statement of the will of the data subject, by which he or she indicates his or her consent to the processing of personal data concerning him or her by means of an unambiguous statement of confirmation.
- Data protection incident
A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal information that is transmitted, stored, or otherwise handled.
T h e t y p e s o f p e r s o n a l d a t a h a n d l e d
- Personal data: personal datas, e-mail address, educational identification number – if he / she has one -, qualification, employer, phon number – optional-.
- Training data: name, form and place of training, number of lessons, start date and planned date of completion, level and final result of the training, attandance rate.
H o w d a t a i s h a n d l e d
Scope of those entitled to data management
Personal data can only be accessed by the employees of Juventus who are entitled to data management. Our company defines the rights of access to a given set of personal data in an internal process description. Juventus imposes a duty of confidentiality on the handling of personal data for the employees involved in data management.
Use of third parties (data controllers)
Before concluding a contract with a third party as a data processor, Juventus, as a data controller, always makes sure that external service providers apply high-level data protection processes when handling the data of natural persons. In addition, Juventus Training Center Kft. undertakes an external data processing declaration to take care of the handling, storage and transmission of data, the security of data management and the provision of rights related to the processing of personal data of natural persons in accordance with the provisions of the Decree. External data processors adhere to the Data Protection Regulations, and technical, organizational and security processes that ensure the legally correct processing of the personal data provided by Juventus, as a data controller.
Transfer of personal data to third parties
The transfer of data by Juventus does not take place across national borders, there are no members of the group of companies operating in the EU. The data will not be passed on to third parties, with the exception of legal obligations. The authority responsible for the observance of the Adult Education Regulation is the Pest County Government Office and the Adult Education Data Management System, FAR (https://far.nive.hu/)
Data security measures
- Juventus is obliged to take the technical and organizational measures and to establish the procedural regulations necessary for the enforcement of the Decree in order to ensure the security of personal data in relation to its legal data management. As a data controller, it shall protect the data by appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access.
- Juventus protects IT systems with a firewall and virus protection. The Company performs electronic data processing and registration by means of a computer program that meets the requirements of data security. The program ensures that only those persons who need it in order to perform their duties have access to the data only for a specific purpose and under controlled conditions.
Measures of the data controller and the data processor taken during the electronic processing of personal data
Preventing unauthorized data entry; preventing the use of automatic data-processing systems by unauthorized persons using data communication equipment; the verifiability and traceability of the entities to which personal data have been or may be transmitted using data communication equipment; the verifiability and traceability of which personal data have been input into automated data-processing systems, when and by whom; the resilience of installed systems in the event of a breakdown.
For paper based documents, the following physical security measures are applied:
Locking away paper-based documents and keeping office areas and workstations clear; removing sensitive data from the printer as soon as possible.
The following IT security measures are applied:
Controling access to databases and systems in use, ensuring data backup; applying password protection to devices, including mobile devices; encrypting passwords and avoiding sharing them; using laptops and other mobile devices with encryption. We ensure the control of incoming and outgoing electronic communications in order to protect personal data; the sharing of personal data processed by us on the Internet is prohibited and will not be passed on to third parties.
Storage period of personal data
Stored personal data must be appropriate and relevant to the aim of the data management, and must be restricted to a necessary minimum in quantity. This implies that the time period for which the data is stored must also be minimized. In order to ensure that the data is only stored for the minimum necessary period, it is necessary to set the date when the data will either be permanently deleted or evaluated to determine whether managing it is still necessary. According to the law, the storage duration of data is 8 years.
H a n d l i n g d a t a p r o t e c t i o n i n c i d e n t s
The prevention and management of data protection incidents and the observance of the relevant legal regulations is the responsibility of the manager of Juventus. Access and access attempts to IT systems should be logged and continuously monitored.
If the company’s authorized employees detect a data protection incident in the course of their duties, they must notify the manager immediately. Other stakeholders can report any such incidents or security vulnerabilities to email@example.com. A record of data protection incidents shall be kept, including:
- the types of personal data involved,
- the list and number of people involved in the incident,
- the time and date of the incident,
- the circumstances and effects of the incident,
- the steps taken in order to remedy the situation,
- all other data according to the law regulating data management.
In the case of most data protection incidents, Juventus is obliged to report it without undue delay, no later than 72 hours after becoming aware of the data protection incident. In some cases, the persons concerned must also be informed immediately. The company manager of Juventus is responsible for reporting and investigating the data protection incident and for taking measures to prevent further incidents. Data on data protection incidents shall be kept on file for 3 years after the official closure of the case.
Our contact details:
Name: Juventus Language Group Kft.
Tax number: 12191831-2-43
Registered address: H-1117 Budapest, Bercsényi u. 21. A. ép. 1. em. 8.
Offices: H-1117 Budapest, Karinthy F. út 13. III/4. and 6722 Szeged, Jósika utca 2. Fszt./1
Phone: +36 (1) 951-0470
If you have a complaint, you may file it at the aforementioned contacts, but you also have a right to file a complaint at the national data protection jurisdiction:
Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Phone: +36 1 3911 400
Valid from: 2018.05.25.