1. Data controller

Name: Gill & Murry Kft.

Address: 1023 Budapest, Árpád fejedelem útja 26-28.

Data controller representative: András Zsolt Sándor

Contact information of the Data Controller regarding data protection: adatvedelem@gillandmurry.com

 

This information is a unilateral commitment of the data controller in accordance with Regulation (EU) 2016/679 of the European Parliament and Council (April 27, 2016) and the relevant national legislation. 

 

This information may be unilaterally modified and/or revoked by the Data Controller at any time, with the simultaneous notification of the Data Subjects. The information is published on the website or, depending on the nature of the change, by direct notification of the interested parties.

​

2. Purpose of data management

2.1 Contact with partners, customers, suppliers

Keeping in touch,  issuing quotations, concluding contracts, managing and recording contact information.  Contact data reconciliation and data updating, documentation related to consulting and partner visits, project management, contact along the lines of participation in a consortium or supplier group. 

In the case of an online store, identifying the user, distinguishing him from other customers, users and inquirers, sending system message(s) related to the service, taking orders by phone. 

Event-related data management, invitation, participation registration.  
Legal basis for data management: Enforcement of the legitimate interest of the data controller (Article 6, (1) f)). It is the legitimate interest of the Data Controller to register contact details for the performance of contracts

Scope of processed data: Name, address, email address, telephone, unique identifier

Planned deadline for data management: The last working day of March of the 4th year following the termination of the partnership agreement or until the Data Subject objects.

 

Purpose of data management other than collection: N/A 

New data processing deadline:N/A 

​

2.2 Data management necessary for the provision of consultancy, educational and project management services for legal persons _cc781905-5cde-3194-bb3b-136bad5cf58d

Identification and registration of training participants identification of partners, distinguishing them from other partners or project participants, maintaining contact,  sending system message(s) related to the service, conclusion of contract, management and registration of contact information,_cc781905-5cde- 3194-bb3b-136bad5cf58d_
Legal basis for data management: Validation of the legitimate interest of the data controller (Article 6, (1) f)). It is the legitimate interest of the Data Controller to manage personal data obtained in the Client's IT system or documents in relation to the service during the performance of the service.

Scope of managed data: Name, address, e-mail address, telephone, unique identifier, personal data learned during the project

Planned deadline for data management: The last working day of March of the 4th year following data entry or until the Data Subject objects.

 

Purpose of data management other than collection: N/A 

New data processing deadline:N/A 

 

2.3 Issuance of an invoice, as well as the issuance of related mandatory documentation for the performance of services, storage of analytical data required to certify compliance with the Accounting Act

Issuance of an invoice, as well as the issuance of related mandatory documentation for the performance of services
Legal basis for data management: Fulfilling the legal obligation of the data controller (Article 6, (1), c)). xxx

Scope of processed data: Billing name and address, e-mail address, contact name, position

Planned deadline for data management: At least 8 years

 

Purpose of data management other than collection: N/A 

New data processing deadline:N/A 

 

2.4 Management and filing of contracts

Management and filing of contracts, Filing of contracts related to the activities of the data controller, managing the contact details of the contracting party when the contract is concluded and keeping them up-to-date,   the details of the contracting party's representatives and keeping them up-to-date
Legal basis for data management: Validation of the data controller's legitimate interest (Article 6, (1) f)) - The data controller has a legitimate interest in keeping the data of the contact person.

Scope of processed data: Name, telephone, position, e-mail, signature

Planned deadline for data management: The last working day of March of the 4th year following the termination of the contract or until the Data Subject objects.

 

2.5 Advertising service(s), providing information to partners, sending newsletters

About new or renewed services, inquiries for direct business acquisition or marketing purposes with advertising content, customer satisfaction measurement, surveys, invitations to marketing events, eDM, telephone inquiries with the involvement of telemarketing service personnel. 
Legal basis for data management: Data subject consent (Article 6, (1) a))

Scope of processed data: Name, company name, e-mail address, telephone

Planned deadline for data management: Until the data subject withdraws his consent

 

2.6 Advertising service(s), providing information to partners, sending newsletters, direct business acquisition on the basis of legitimate interest. 

About new or renewed services, inquiries for direct business acquisition or marketing purposes with advertising content, customer satisfaction measurement, surveys, invitations to marketing events, eDM, telephone inquiries with the involvement of a telemarketing service. 

Source of data:Purchased database, collection of public data from websites or print media, data provided to Gill & Murry for other data management purposes
Legal basis for data management: Enforcement of the Data Controller's legitimate interest (Article 6, (1) f)) - The Data Controller's legitimate interest is direct business acquisition, for which the Data Controller has completed the necessary interest balancing test.

Scope of processed data: Name, company name, e-mail address, telephone

Planned deadline for data management: Until the Data Subject protests.

 

2.7 Event photo, video recording and social media publication. 

The data controller takes photos and videos of the events it organizes, which can be published on the Data Controller's website and Facebook page, as well as stored in its own organizational databases. 
Legal basis for data management: Validation of the legitimate interest of the Data Controller (Article 6, (1) f)) – The legitimate interest of the Data Controller is the personalized communication of the company on its website and in social media.

Scope of processed data: face and body image

Planned deadline for data management: Until the protest of the person concerned

 

2.8 Registration for education, training, events and conclusion of contract

Organization of trainings and events. Registration of participants, management of attendance sheets, registration of contracts. 
Legal basis for data management: Performance of contract, (Article 6 (1) b)).

Scope of managed data: Name, e-mail, telephone, type of training

Planned deadline for data management: The last working day of December 8 years after the exam.

 

2.9 Transmission of exam results to the organization certifying the exam

Forwarding the exam result and exam copy to the organization certifying the exam 
Legal basis for data management: Performance of contract, (Article 6 (1) b)).  

Scope of managed data: Name, address, exam result, training, education designation

Planned deadline for data management: Until the last working day of March of the 4th year following the completion of the service.

 

2.10 Exam application, exam results and certificate registration

Filing the management of the examination application document. Informing the person concerned about the result of the exam.
Legal basis for data management: Performance of contract, (Article 6 (1) b)).

Scope of processed data: Name, address, exam result, title of training, education, email address

Planned deadline for data management: The last working day of December 8 years after the exam.

 

2.11 Register of Club Membership

Identification of members, distinguishing them from other members.  Maintaining contact, sending system message(s) related to the service or membership, matching and updating contact information, registration of payment of membership fees. 
Legal basis for data management: Consent of the person concerned (Article 6, (1) a)).

Scope of processed data: Name, address, telephone, e-mail address, membership fee, membership ID, bank account number

Planned deadline for data management: Until the Data Subject's consent is revoked.

 

2.12 Data management necessary to serve individual customer needs and questions

The data manager keeps a record of individual customer requests and individual customer requests sent by phone   or via the website.
Legal basis for data management: Validation of the Data Controller's legitimate interest (Article 6, (1) f)) - The Data Controller has a legitimate interest in registering individual customer needs and requests.  

Scope of managed data: Name, phone number, customer ID, email address, company

Planned deadline for data management: Until the Data Subject protests.

 

2.13 Teacher occupancy register and data management related to educational services

Registration of lecturers' availability. Management of instructors' resumes and references during projects and quotations
Legal basis for data management: Enforcement of the legitimate interest of the data controller (Article 6, (1) f)) – The legitimate interest of the data controller is to manage the data of its teachers under contract.

Scope of processed data: Name, address, CV, photo

Planned deadline for data management: The last working day of March of the 4th year following data entry or until the Data Subject objects.

 

2.14 Mail handling, shipment handling

Register of registered and registered mail items related to the activity of the data controller, as well as items sent with other service providers 
Legal basis for data management: Validation of the data controller's legitimate interest (Article 6, (1) f)) - The data controller has a legitimate interest in keeping the data of the contact person.

Scope of processed data: Name, telephone, position, e-mail, signature

Planned deadline for data management: The last working day of March of the 4th year following data entry or until the Data Subject objects.

 

2.15 Management and filing of contracts

Management and filing of contracts, Filing of contracts related to the activities of the data controller, managing the contact details of the contracting party when the contract is concluded and keeping them up-to-date,   the details of the contracting party's representatives and keeping them up-to-date
Legal basis for data management: Enforcement of the legitimate interest of the data controller (Article 6, (1) f)) – The legitimate interest of the data controller is to record the data of the contact person.

Scope of processed data: The transmitted data are not suitable for identifying the person concerned

Planned deadline for data management: Service  until the last working day of March of the 4th year following the performance or until the Data Subject protests.

 

2.16 Google Analytics

The website measures visitor data, in which the transmitted data is not suitable for identifying the persons concerned
Legal basis for data management: Validation of the Data Controller's legitimate interest (Article 6, (1) f)) - The Data Controller's legitimate interest is to optimize and monitor its services.

Scope of processed data: IP address

Planned deadline for data management: The last working day of March of the 4th year following the end of data management.

 

2.17 Google AdWords

Remarketing function, with the help of which the website displays relevant ads to users who have already visited the website
Legal basis for data management: Enforcement of the data controller's legitimate interest (Article 6, (1) f)) - The data controller's legitimate interest is direct business acquisition.

Scope of processed data: IP Address

Planned deadline for data management: The last working day of March of the 4th year following the end of data management.

 

2.18 Management of cookies

Identification of users, registration of the "shopping cart" and tracking of visitors
Legal basis for data management: Validation of the legitimate interest of the Data Controller (Article 6, (1) f)) – The legitimate interest of the Data Controller is to optimize and monitor its services.

Scope of processed data: unique identification number, dates, times

Planned deadline for data management: The last working day of March of the 4th year following the end of data management.

 

2.19 Handling the data of recipients of press communications

The data controller keeps a record of the data of the data subjects for issuing press releases, sending invitations to press briefings, and communicating with journalists and social media contacts.
Legal basis for data management: Validation of the legitimate interest of the data controller (Article 6, (1) f)) – The legitimate interest of the data controller is to carry out business communication solely for the purpose of press communication to the contact details of media communication specialists that have been made public, personally provided or provided during press communication. 

Scope of managed data: Name, address, e-mail address, medium

Planned deadline for data management: Until the Data Subject protests.

 

2.20 Telephone contact with online call center support

The phone number of incoming and outgoing calls is recorded in the Data Controller's IP phone system. The data controller will call back telephone inquiries rejected due to busyness or outside of working hours.
Legal basis for data management: Validation of the legitimate interest of the data controller (Article 6, (1) f)) – It is the legitimate interest of the organization to manage the personal data of those who establish contact with it for the fulfillment of services and inquiries.

Scope of managed data: Phone number 

Planned deadline for data management: The last working day of March of the 4th year following the end of data management.

 

2.21 Management of educational materials, exams and other supporting materials related to the Data Controller's educational service using a digital educational platform.  

Management of access to content published on the website of the data controller or on the cloud storage managed by it
Legal basis for data management: Contract performance, (Article 6 (1) b)). 

Scope of processed data: Name,  e-mail address, unique identifiers, data provided in the exam and workbook, exam results, data provided for issuing a certificate

Planned deadline for data management: Until the Data Subject's consent is revoked.

 

Purpose of data management other than collection: Compliance with adult education laws and uploading data to the FAR system.

New data processing deadline: Last day of the 8th year from the conclusion of the contract.

 

2.22 Compliance with adult education laws and uploading data to the FAR system.

The collected data is collected and managed by the Data Controller for the purpose of concluding the contract required by law and in order to fulfill the mandatory data provision. The data is digitally uploaded to the FAR system within the deadline set by law. In the form, we only collect data that the data manager must provide during the data entry in the FAR system in order to successfully upload it. The collected data will be transferred exclusively to the Pest County Government Office and will not be transferred to third parties.
Legal basis for data management: Performance of a legal obligation for the data controller (Article 6, (1), c)).

Scope of processed data: Gender, education identifier, highest educational qualification, name, birth name, mother's name, place of birth, date of birth, tax identification number, e-mail address, address, citizenship, phone number, TB identification number

Planned deadline for data management: Until the last day of the eighth year from the conclusion of the contract.

 

2.23 Data management necessary to optimize work. 

Data storage in order to optimize data logging tasks until the date of the next annual bulk data logging. 
Legal basis for data management: Enforcement of the Data Controller's legitimate interest (Article 6, (1) f)) - The Data Controller's legitimate interest is to summarize the daily data disposal tasks and optimize the disposal work. 

Scope of processed data: The data provided for the specific data management purpose.

Planned deadline for data management: Until the first annual mass data disposal after the end of the data management purpose.

 

2.24 Registration managed in the GS Tools system

Management of access data required to use the system.
Legal basis for data management: Data subject consent (Article 6, (1) a))

Scope of processed data: Name, email

Planned deadline for data management: Validity of License or Withdrawal of Consent.

 

2.25 Data management related to the GDPR regulation

Data management related to the GDPR regulation.
Legal basis for data management: Performance of a legal obligation for the data controller (Article 6, (1), c)).

Scope of processed data: Name, Data Protection ID, Data subject request, date, type, content, Result of data subject request, Incident date, documentation, result

Planned deadline for data management: Not to be scrapped.

 

3. Consequences of failure to provide data

Possible consequence of failure to provide data: Failure of the purpose of data management.

 

4. Scope of stakeholders

The partners who have a contract with the data controller and the contact persons provided by them, as well as representatives of natural persons or legal entities who purchase the Organization's products or use its services. 

​

5. Range of mandatory data

The Data Controller does not mark the data that must be filled in separately on the individual data entry interfaces, on which all data must be entered. On interfaces where not all data is mandatory, the data management star* indicates the mandatory data fields. 

 

6. Children

Our products and services are not intended for persons under the age of 18 and do not fall under the scope of services related to the Information Society. We ask that persons under the age of 18 do not provide Personal Data to the Data Controller. If we become aware that we have collected personal data from a child under the age of 18, we will take the necessary steps to delete the data as soon as possible.

 

7. Information on the use of a data processor

During data management, the data controller forwards the data to the data processor(s) contracted with it to fulfill the contract.

Recipient categories: Authority, Social media sites, Hungarian Post, IP telephone service provider, Implementation assistants, IT service provider, Application service provider, Google Classroom, far.nive.hu, Jira, Zoho

Categories of data processors: Management system operator, IT provider, Fulfillment assistants, Management system provider, Management system developer, Newsletter provider, Website provider, Website operator, Certop, IRCA, TÜV, Reseller partners, Microsoft - Forms, Web developer

The range of persons entitled to access the data:

The data controller will not transfer the acquired data to third parties, with the exception of the data processor(s) and recipients specified in point 7.

 

7.1    Access to IT backup data 

The Data Controller stores IT backups separately under access control. The saved data can only be accessed by colleagues working in the IT operations subject to appropriate documentation procedures. In case of restoration from a data backup, it has a documented procedure for the review process of the data restored from the data backup before live use.

 

8. Management of data received from third parties

If the User/Partner does not provide his/her own data to the Data Controller, but another natural person, in this case the User/Partner is solely responsible for providing the data with the consent, knowledge and adequate information of this natural person. The Data Controller is not obliged to investigate their existence. The Data Controller draws the attention of the User/Partner to the fact that if he does not comply with this obligation, and therefore the Data Subject asserts a claim against the Data Controller, the Data Controller may pass on the asserted claim and the amount of the related damage to the User/Partner.

​

9. Data transmission to a third country or international organization

In the case of data transmission to countries outside the EEA, the Data Controller forwards the users' data to the following recipients as a data processor in accordance with the following guarantees. 

​

​

​

​

​

​

​

​

​

​

​

​

​

​

​

10. Rights of data subjects

The Data Subject at the contact details indicated in Point 1 with the Data Controller,

• you can ask to be given access to a copy of your personal data managed by the controller.

• you can request the correction of your data,

• you can request information about the purpose and legal basis of data management

• you can request the deletion of your personal data and restriction of data management,

 

The affected person can use the above rights at any time. 

The Data Subject can also send it to the Data Controller at one of the contact addresses indicated in Point 1. 

• you can request the transfer of your data to another data controller, if the data management is based on a contract or consent and is handled by the Organization within the framework of an automated procedure. 

• can provide for the withdrawal of your previously given consent to data management

The Data Controller will deal with or reject the report (provided with reasons) within 1 month at the latest after the submission of the request - in exceptional cases, within a longer time limit than permitted by law.  The person concerned will be informed in writing about the results of the investigation. 

​

10.1  Cost of information

The Organization provides the measures and the necessary information free of charge for the first time. 

If the Data Subject requests the same data for the 2nd time within a month, which have not changed during this time, the Data Controller will charge an administrative fee.

• The basis for accounting for administrative costs is the hourly cost of the current minimum wage, as an hourly rate. 

• The number of working hours used for information is calculated at the above hourly rate. 

• Furthermore, in the case of a paper-based information request, the printing cost of the answer is at cost price and the cost of postage.

 

10.2 Refusal of Information

If the data subject's request is clearly unfounded, he is not entitled to information, or the Organization, as a data controller, is able to prove that the Data Subject has the requested information, the data controller will reject the request for information.

 

If the data subject's request is excessive due to its repetitive nature, the Organization may refuse to take action based on the request if

• For the third time within a month, the person concerned lives in the same subject area 15-22. with a request to exercise your rights under Art.

 

10.3 Right to Object

The data subject has the right to object at any time to the processing of his personal data based on the legal basis of legitimate interest or public authority.  

In this case, the Organization may no longer process the personal data, unless it proves that the data processing is justified by compelling, legitimate reasons that take priority over the interests, rights and freedoms of the data subject, or that are related to the presentation, enforcement or defense of legal claims . 

If you establish that the legal basis of the protest is well-founded, you will terminate the data management as soon as possible - including data transfer and further data collection. It notifies all those to whom it has previously forwarded the Data Subject's data about the objection.

Processing the request is free of charge, except for unfounded or excessive requests, for which the Data Controller may charge a reasonable fee corresponding to its administrative costs. If the Data Subject does not agree with the decision made by the Data Controller, he may go to court.

 

11. Information on data security measures

The Data Controller manages the data in a closed system based on the requirements of the Information Security Policy.

Data manager takes care of default and built-in data protection. To this end, the Data Controller applies appropriate technical and organizational measures in order to:

 

• accurately regulates access to data;

• grant access only to persons who need the data in order to perform the task with it, and even then only the data that is minimally necessary to perform the task may be accessed;

• carefully select the data processors you entrust and ensure the security of the data with a suitable data processor contract; 

• ensure the immutability (data integrity), authenticity and protection of the processed data.

 

The Data Controller applies reasonable physical, technical and organizational security measures to protect Data Subjects, especially against their accidental, unauthorized or illegal destruction, loss, alteration, transmission, use, access or processing. The Data Controller shall immediately notify the Data Subject in the event of unauthorized access to or use of personal data that is known to pose a high risk to the data subject.

 

If it is necessary to transmit the Data Subject, the Data Controller will ensure the appropriate protection of the transmitted data, for example by encrypting the data file. The Data Controller is fully responsible for the processing of Data Subjects carried out by third parties.

 

The Data Controller ensures that the Data Subject's data is protected against destruction or loss with appropriate and regular backups.

​

12. Remedy

Any affected, if in its judgment

1. the Data Controller restricts the enforcement of its rights or rejects its request to this effect, the National Data Protection and Freedom of Information Authority may initiate an investigation by notification in order to investigate the legality of the Data Controller's action;

2. during the processing of your personal data, the Data Controller violates the legal requirements for the processing of personal data, 

   • may request the conduct of the official data protection procedure of the National Data Protection and Freedom of Information Authority, or

   • you can go to court against the Data Controller, and you can also initiate a lawsuit before the competent court according to your place of residence or place of residence.

 

Contact details of the National Data Protection and Freedom of Information Authority:

 

President: dr. Attila Péterfalvi,

Address: 1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf. 9.

Phone: +36-1-3911400

Email: ugyfelszolgalat@naih.hu

www.naih.hu

 

Budapest, July 08, 2021