GENERAL DATA MANAGEMENT AND PRIVACY POLICY

(1) Details of Data Manager:
a) Name of Data Manager: DBH Group B.V.
b) Registered Office: 5657 EA Eindhoven, Luchthavenweg 81.037
c) Court Registered Number: 14029628
d) Postal address: 1027 Budapest, Kacsa u. 15-23. / 5657 EA Eindhoven, Luchthavenweg 81.037
e) E-mail: info@dbh-group.com

Data Protection Officer:
E-mail: gdpr@dbh-group.com
Phone: +36 1 803 7900

(2) The purpose of this Privacy Statement is to determine the scope how personal data is processed and the way in which it is managed and to ensure the application of the constitutional principles of data protection, data security requirements, and to prevent unauthorized access, data modification and unauthorized disclosure or usage of data, in order to ensure respect of natural person’s privacy.

(3) Referring the purpose stated in paragraph 2, your personal data will be treated confidentially, in accordance with the applicable legal requirements, will ensure data security, implement technical and organizational measures, and establish the procedural rules to enforce the relevant legal provisions and other recommendations required.

Primarily the below provisions are applicable for our Data Management practices:

• Act of V. of 2013, section 2:43§ (e) on the Civil Code
• Act of CXII. of 2011 (“Infotv.”) about Informational Self-determination and Freedom of information;
• Regulation (EU) 2016/679 of the European Parliament and Council („GDPR”)
• Act of CVIII. of 2001 on certain issues of electronic commerce services and information society services („Eker. tv.”);
• Act of XLVIII. of 2008 on Basic Requirements and Certain Restriction of Commercial Advertising Activities („Grt. tv.”)
• Act of VI. of 1998 based on the Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;
• Act of CXIX. of 1995 on the management of name and address data related to research and direct marketing purposes („Katv.”)

Your personal information provided through the Portal is managed according to the applicable privacy law, based on your express, prior and voluntary consent.

Upon the customer related data managed by DBH Group we inform you about the following.

1./ Data Management regulations defined in this Policy may serve the following purposes:

a) Regarding the services provided by the company:

• Identification of the persons eligible for provision
• Identification of the beneficial owner
• Manage data of client, employees of client and the persons eligible for provisions in order to fulfill the contract with the client
• Invoicing services
• Invoicing of repair and maintenance associated services
• Fulfill data requests in relation of public interest

b) Related to other data management:

• Registration of students with traineeship contracts or other apprenticeship contracts
• Recruitment

2./ In order to comply with legal obligations our Company performs the following data management:

a) Identification of the Beneficial Owner/ Chief

Purpose of data management: comply with legal obligation Scope of managed data: name, birth name, place and date of birth, nationality, address, Social Security Number, Tax ID Legal basis of data management: comply with legal obligation (Act LIII of 2017 on the Prevention and Control of Money Laundering and the Prevention of Terrorist Financing, § 7- 8, hereinafter referred to Pmtv.) Duration of Data Management: 8 years from the date of data registration

b) Copies and details of documents:

Purpose of Data Management: the prevention and control of money laundering and terrorist financing, the proper fulfillment of legal obligations according to Pmtv, the full implementation of the obligation of due diligence and the effective performance of the necessary surveillance. Legal basis of Data Management: Pmtv. 7. § (8) Article
Scope of managed data:

• In case of Hungarian citizens: ID card, Certificate of domicile, Social Security Card, Tax card
• In case of foreign nationals: travel document or ID card if it entitles for Hungarian residence, document certifying the right of residence or document authorize for residence.

Duration of Data Management: 8 years from the date of data registration

c) Contracts for traineeship or apprenticeship

Purpose of Data Management: registering students with traineeship or apprenticeship contracts
Legal basis of Data Management: Act of CLXXXVII of 2011. in section 42.§ – 55.§ on professional trainings
Managed data: name, name of the mother, place and date of birth, ID card number, address (in case of minors: name, address, phone number of legal representative), Social Security Number, Tax ID
Duration of Data Management: 5 years
Transfer of data: for related county chambers of commerce and industry, and for the schools providing education

d) Invoicing services

Purpose of Data Management: sales associated invoicing
Legal basis of Data Management: Act of CXXVII. Of 2007, Article 169. § d) and e) about value added tax and the Act of C. of 2000, Article 169. § (1) about accounting
Managed data: name, address, tax ID
Duration of Data Management: 8 years

e) Invoicing of repair and maintenance associated services

Purpose of Data Management: Invoicing of repair and maintenance associated services
Legal basis of Data Management: Act of CXXVII. Of 2007, Article 169. § d) and e) about value added tax and the Act of C. of 2000, Article 169. § (1) about accounting
Managed data: name, address, premise
Duration of Data Management: 8 years

f) Fulfill data requests in relation of public interest

Purpose of Data Management: Fulfill data requests in relation of public interest and invoicing associated with that Legal basis of Data Management: Act of CXII. of 2011 (“Infotv.”), Article 26.-31. § about Informational Self-determination and Freedom of information;
Managed Data: name, address, telephone number, e-mail address
Duration of Data Management: until accomplishing the aim or until requesting deletion

g) Managing Resumes/Job applications
Purpose of Data Management: filling the advertised position, storing your application with your agreement in order to inform you about open positions that are relevant to your degree, professional qualifications and interests. Legal bases of Data Management: your previous, voluntary consent by submitting your Resume to our company. Duration of Data Management:

• If you are not selected for the position you have applied for or before filling the position you withdraw your application, the purpose of data management is terminated. In case you withdraw your application and explicitly indicate us your request for deleting your data, we will immediately delete your details and your resume. If you do not express your request for deleting your data while informing you about the results of your application or by withdrawal of your application, you agree to keep your application up to 24 months and to inform you about open positions that are relevant to your degree, professional qualifications and interests. After 24 months, we will lock or render your data anonymous, or delete your details and your resume.
• If you are selected for the position, your data will be managed in accordance with the regulations of managing our employee’s personal data, about you will be notified in details by the establishment of your employment.

Persons entitled for being aware of personal data:

• HR staff involved in the recruitment and selection process, leader of the team concerned in hiring the new employee, to the extent and time necessary to perform their duties.

Legal bases of Data Management: your previous, voluntary consent. From any other purposes described above we manage your personal data if we informed you about the purpose of data management and you agreed. About the data management that is not described in this policy, you will be informed when the data is recorded. Your personal data will be managed for a period of time appropriate to the purpose of the data management (e.g. recovery of the enforced claim, etc.) or until your consent is with drawn or tax, consumer protection, property protection and other regulations related to the data management operations.

h) Processing for direct marketing purposes

The purpose of processing is to present the services in the DBH Group portfolio to potential business partners and circulate commercial advertisements and newsletters for the purpose of direct marketing.

Legal basis for processing: In view of the fact that direct marketing letters are sent exclusively to the electronic contact details (electronic contact address in the company register) of potential business partners who are not natural persons, the legal basis for processing electronic contact addresses (e-mail address containing the name of the natural person), which may constitute personal data, is our legitimate interest in carrying out our economic activity and direct marketing (Article 6(1)(f) of the GDPR).

Scope of the data processed: Electornic contact address (e-mail address).

Data source: Direct marketingdatabase purchased from Opten Informatikai Kft.

Duration of processing: Until the natural person concerned objects.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes.

As a result of the balancing test carried out with regard to the legal basis, we have concluded that the interests of the data subject do not necessarily override our legitimate interest in processing and that processing does not restrict the privacy of the data subject.

a./ Newsletter
At the Site you are able to subscribe to our Newsletter. We will only send you the newsletter if you select the check box at the Site to express your consent to receive our newsletter. In order to send you our Newsletter we will manage the below data of yours:

• Full name
• E-mail address

Purpose of Data Management: as a subscribed user, you will be constantly informed about our services and our latest news. You can unsubscribe from the newsletter without limitation or justification at any time for free of charge. In this case, we will delete your details immediately from our database. You can withdraw your previous consent:

• by clicking on the unsubscribe link in the newsletter

Legal bases of Data Management: your previous, voluntary consent. Duration of Data Management: until the withdrawal of your consent.

b./ Initiate contact via the Site
At the Site we provide you the opportunity to contact us by entering specific information. Personal information required to initiate contact:

• Full name
• Email address
• Phone number
• Text message: that might contain other personal information your enter

Purpose of Data Management: initiate contact Legal bases of Data Management: your previous, voluntary consent. Duration of Data Management: according to the Documentation and Data archive regulation.

c./ Using Cookies
Cookies are a standard feature of websites that allow us to store small amounts of data on your computer about your visit to the Site. Legal bases of Data Management: your previous, voluntary consent. Duration of Data Management: until the withdrawal of your consent. For further information about the cookies we use, please visit here.

d./ Log files
While using our services our system automatically logs the below data:

• dynamic or static IP address of your computer
• depending on your computer’s settings it logs the type of your browser and operation system
• your activity at our Site

Purpose of Data Management: using these data includes technical goals, such as analysis of safe and efficient operation of servers and subsequent verification, and on the other hand, these data are used to generate page usage statistics and to analyze user needs to increase the quality of services. The above data are not suitable for your identification and are not linked to other personal data.

Duration of Data Management: log files are deleted in a period as regulated in the valid IT Information Security Policy. Your personal information for any other purpose than those specified above – especially for enhancing service provided to you or for market research – can only be managed by us based on prior defined purpose of data management and with your consent.

These data cannot be linked to your identifying data and cannot be transferred to third parties without your consent. Before starting to use our services and while you are using our services we ensure you to know which type of data we are managing referring on data management purposes, including managing data that is not directly related to you.

For the full implementation of the services, certain personal data will be provided to third parties, temporarily, for the purpose of data processing or data management, with your consent, in particular:

• In order to obtain independent site visit and other web analytical data we use Google Analytics software. In case of these data Google Inc. acts as data processer. The Privacy Policy of Google Inc. is available at the following link: http://www.google.com/intl/hu ALL/privacypolicy.html.

By using the Site you consent to that your data is processed by Google.

• Data of server provider: Neostratus Zrt., 4025 Debrecen, Arany János u. 55.

We reserve the right to involve other data processors in addition to the above listed by publishing the name and address of the additional processors for the users latest at the time when data processing begins.

They are our own employees, agents and other contributors who need to know the data they are managing to fulfill their duties or to accomplish their tasks. We are obliged to ensure that who are eligible to know the data we manage is always complied with this Privacy Policy and with the applicable legislation.

We ensure that the personal data you provided is only accessible – to persons who are holder of the post – to the extent necessary to perform their duties, by applying high level access controls. In addition, a legal adviser or lawyer representing the company will also being aware of your personal data if your case requires legal process or legal opinion.

At the request of authorities (police, court, prosecutor’s office, tax authorities, NAIH) and national security services, we disclose the personal data we manage. Based on the regulations on filing and on our internal filing process we transfer your personal data file – if it is not allowed to be scrapped – to the competent Archives after the retention period has elapsed.

We notify all third party to whom the data is transfered or handed over to ensure to meet with data privacy obligations.

We do not use the services of other companies to store your personal information. Appropriate measures are taken to protect personal data we treat and to prevent accidental destruction, unauthorized use or unauthorized alteration.

8.1 Right to request information

(1) Upon your request, we will inform you in writing, including the electronic way, no later than 25 days from the date your submission – about your data managed by us, the data is processed by other parties on behalf of us, the source, the purpose, the legal basis and the duration of the data processing, about the name, address and the activity related to data management of the data processor and, in case of your personal data is transferred – we will inform you about the legal basis and whom it was addressed.

(2) Providing information is free of charge. However your request is manifestly unfounded or, in particular, because of its repeated nature, is excessive, we should take into consideration the administrative costs of providing information or provisional measurements and are allowed to:

• a) charge a reasonable fee, or
• b) refuse further measures regarding the request.

Proving that the request was manifestly unfounded or excessive is our responsibility.

8.2 Right to cancellation

We are obliged to delete or anonymize personal information if
a) Managing data is unlawful;

b) You revoke the consent of the data management or requests your data to be deleted or there is no other legal basis for managing data;

c) It is incomplete or incorrect – and this status cannot be legally remedied – provided that the deletion is not excluded by law;

d) Purpose of data management ceases or the deadline for data storage defined by law has expired;

e) The cancellation of the data is ordered by the court or the authority. For user request or based on available information it may be assumed that deletion would violate your legitimate interests we will block personal data instead of deleting. Personal data locked pursuant to above mentioned, can only be managed as long as there is a purpose of data management that excludes deletion of personal data.

8.3 Right to access

You are entitled to receive information from us whether your personal data is being managed by us. If your personal data is managed by us, you are entitled to have access to the personal data and the following information:

• Purpose of data management;
• Type of personal data concerned;
• Recipients to whom we shared or planning to share your personal data, in particular third country recipients and international organizations;
• Duration of storage of personal data or if it is not available, then criteria for determining that period
• Your right to request correction, deletion or limitation of your personal data and may object the management of your personal
• data;
• Right of lodging a complaint to the supervisory authority;
• Any available information about data source, if data was not collected from you

We will provide you with a copy of personal data that is being processed by us. By submitting your application electronically, we provide this information in a widely used electronic format, unless you request otherwise.

8.4 Right to rectification

(1) At your request we will correct your inaccurate personal information without undue delay.
(2) If correct or additional data is not available, based on a supplementary declaration we will make any necessary adaption.

8.5 Right to object

(1) You may object to manage your personal data,

• if management or transfer of personal data is only necessary to fulfill our legal obligation or to enforce the legitimate interests of the third party, the only exception is if the data management is binding;
• if the purpose of processing and transfer of personal data is related to direct marketing, opinion poll or scientific research;
• or any other statutory task.

(2) With simultaneous suspension of data management, your claim will be examined within the shortest possible time, but latest within 15 days of the submission of the claim, and you will be informed in writing about the result.

In case your objection is justified, we are obliged to discontinue data management – including further data collection and transfer – and block data; as well as inform about objection and related measures those to whom concerned personal data has been transferred and who shall take measures to enforce the right of objection.

If you do not agree with the decision or if we fail to comply with the 15 day deadline, you may bring the matter directly to the Court of Justice, within the 30 days from the date of notification or from the last day of the deadline

8.6 Right to restrict Data Management

(1) We restrict the management of your personal data, if at least one of the following applies:

• You dispute the accuracy of your personal data;
• Data management is illegal and you opposed of data deletion and instead of deletion you request restriction on the use of your data;
• we no longer need personal data for data management but you require them to submit, enforce, or protect legal claims; or
• you have objected to data management.

(2) If data management is restricted, such personal information may only be managed – excluding data storage – with the sole purpose of your consent or submission, enforcement or protection of legal claims or other rights of a natural or legal person, or in the public interest of the Union or of a Member State.

8.7. Right to data portability

If your personal data is managed with your consent or based on a contract and is managed automatically, you are entitled to receive personal information provided to us on a structured, widely used, machine-readable format – if it is technically feasible. In case your request for correction, restriction or deletion is not applicable, you will be informed in write about the legal and factual reasons of refusal within the 25 days of receiving your request.

Your rights defined in Section 8 may be restricted by the law to the external and internal security of the State, such as national defense, national security, the prevention or prosecution of criminal offenses, the security of the execution of penalties and the economic or financial interest of the State or local government economic and financial interests, as well as disciplinary and ethical misconduct, labor law and safety at work breaches related to the exercise of occupations, including in all cases inspection and surveillance, and to protect you or others’ rights.

When infringement may occur, you may apply for remedies:

a.) National Agency for Data Protection

Registered address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, Pf. 5.
Phone: 06 -1- 391-1400 Fax: 06-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

b.) Court of the place of resident or the place of stay.

However, please contact DBH Group B.V. with your data management issues at the specified contact details. The Privacy Policy is in accordance with the principles of the Act of CXII. Of 2011 Informational Self-determination and Freedom of information (“Infotv.”) and the protection of individuals with regard to the processing of personal data and the free movement of such data and EU Regulation 2016/679 (Decree 95/46 / EK) (hereinafter: GDPR) and we are deemed to be binding on the purposes of managing data regulated by law.