Data Processing Terms and Conditions
This document contains the data processing terms and conditions governing the data processing activities related to the Anico eChat service (hereinafter referred to as the "Service") operated by Anico Kft. (Company Registration Number: 15-09-061153; Tax Number: 10647776-2-15; Registered Office: 4400 Nyíregyháza, Debreceni street 127., hereinafter referred to as the "Contractor") in accordance with the General Data Protection Regulation 2016/679 (hereinafter referred to as the "Regulation").
These Terms and Conditions are accepted by the Customer of the Service (hereinafter referred to as "Customer") by signing the individual contract between the parties.
1 INTERPRETATIVE PROVISIONS
Personal data: means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Controller; for the purposes of this Annex, the Contractor.
Recipient: means the natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.
Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
2 SCOPE OF CONTRACT, DATA PROCESSING ACTIVITY
Under the present data processing contract, the Contractor is instructed to ensure the operation of Anico eChat as a communication service in the framework of the provision of the Service, in accordance with the technical parameters presented in advance by the Contractor, including:
· ensure the transmission of communications and messages within the Service (emphasizing that the Service does not qualify as a communications service under Act C of 2033 on Electronic Communications, and therefore the mandatory data retention requirements under the said Act do not apply to the Service),
· store the communication on the storage media used in the operation of the Service for the duration of the technical specification,
· at the Customer's request, transfer the stored communication to the Customer.
Passage of Data through the servers
Communication between devices used by end users goes through servers. The information is passed through the server in a digitally encrypted format, where it is stored only for the time necessary to transmit the message.
Data/information stored for longer periods
Some information/data is stored for longer than the above:
a) Audio recordings of conversations between terminals in each subscriber fleet. These are stored on the servers for 7 days, after which they are automatically deleted. The voice recordings can be accessed or downloaded remotely by persons authorised by the subscriber, using the so-called "dispatching terminal" software. Voice recording is optional and the Customer shall state separately whether he/she requires it. Recording is fleet-level, i.e. either all of the Customer's terminals' voice traffic is recorded, or none. Server-side voice recording can be activated by the Contractor at the Customer's request, but the end-user of the terminal cannot switch voice recording on/off or request Contractor to turn it on or off.
b) GPS positions of terminals in each subscriber fleet. The GPS history can be searched for and downloaded remotely by persons authorised by the Customer, using the so-called "dispatching terminal". The sending of GPS data can be turned on or off by the Customer through the administration interface or by having this setting done through the Contractor's customer service. The switching on/off can be set separately for each terminal. It cannot be set by the end user of the terminal, only by the Customer.
c) Text, photo or video messages sent by terminals in each subscriber fleet. These can be accessed or downloaded remotely by persons authorised by the Customer, using the so-called "dispatching terminal", and of course by the recipients of the messages. The messages sent cannot be withdrawn or deleted by end-users.
d) Dispatcher terminals with a suitable license can remotely connect the camera and microphone of other end-user terminals, if necessary, so that the dispatcher can remotely receive audio and/or video from the end-user terminal. This is mainly for security purposes: e.g. in case of an emergency, the dispatcher can receive information about the end-user's (e.g. police, patrol) location.
3 PRINCIPLES OF DATA PROCESSING, RIGHTS AND OBLIGATIONS OF THE PARTIES IN RELATION TO THE PROCESSING OF DATA
The Customer and the Contractor shall ensure the protection of the right to privacy and the fundamental rights and freedoms of the Data Subjects in the processing of their data, taking into account the provisions of the Regulation.
The Customer shall ensure that personal data is processed in accordance with the principle of data protection by design and by default, and in such a way that it is necessary for the achievement of the specific purposes of the processing and the Customer's legal obligations. This obligation relates to the amount of personal data collected, the extent to which they are processed, the duration of their storage and their availability.
The Customer shall ensure that the personal data provided to the Contractor for the purposes of the processing are only accessible to persons who have a specific task within the Contractor's organisation.
The Contractor shall inform the Customer if it is required to carry out data processing in order to comply with a legal obligation. The notification shall state precisely which legal obligation is required by law and which data are covered.
4 THE RIGHT TO COMMAND
The Contractor:
- undertakes to only process the personal data on behalf of the Customer in accordance with the instructions set out in the specific contract between the Parties, the Technical Specification and these Terms and Conditions, and if for any reason it is unable to comply with these requirements, it shall immediately inform the Customer thereof.
- is not aware that the legislation to which it is subject prevents it from complying with the instructions given to it by the Customer and with its obligations under the contract.
The Contractor shall be liable for any infringements resulting from a procedure other than those instructed by the Customer or without the Customer's instructions.
By signing this contract, the Customer expressly authorises the Contractor, or any other person holding the copyright to the service, to develop the underlying IT systems of the service, to make modifications to them and to modify the technical specifications in the context of the technical development of the service.
5 EMPLOYMENT OF ADDITIONAL DATA PROCESSORS
Co-location hosting, monitoring and administration services are provided to the Contractor by Giganet Internetszolgáltató Kft (Internet Service Provider).
6 SUPPORT FOR DATA MANAGEMENT OPERATIONS
Contractor supports the Customer:
- to carry out an impact assessment under Article 35 of the GDPR, by providing that if the Customer prepares an impact assessment that also concerns data processing, the Contractor shall provide a written response to specific questions raised by the Customer regarding data processing within 20 days,
- in handling data protection incidents by:
  - if the Contractor becomes aware of a data breach of any level, it will report it to the Customer within 24 hours,
  - the Contractor shall cooperate in the investigation of the incident within this framework:
    - in the event of a high level data breach, it shall without delay, but no later than 24 hours, carry out the necessary investigations to determine whether the cause of the breach is related to its activities and inform the Customer of the results of the investigation and, if the cause of the breach is related to its activities, it shall cooperate in taking the measures necessary to deal with the breach, and shall take all reasonable steps to deal with it within a reasonable time;
    - in the event of a low-level personal data breach, it shall carry out the necessary investigations within 7 working days to determine whether the cause of the breach is related to its activities and inform the Customer of the results of the investigation and, if the cause of the breach is related to its activities, assist in taking the necessary measures to deal with the breach, and take all reasonable steps to deal with it within a reasonable time;
  - In the data breach notification, the Contractor shall provide the following information:
    - scope of personal data concerned,
    - scope and number of data subjects affected by the personal data breach,
    - date of the incident,
    - circumstances of the incident,
    - impact of the incident,
    - action taken by the Contractor to remedy the incident,
    - other data relating to the incident.
In the event of a data protection incident, the Parties shall jointly classify the incident into the following levels:
- Low level personal data breach: unauthorised disclosure, alteration, intentional or accidental deletion or destruction of insignificant amounts of personal data or unauthorised access to personal data. This is in particular the case where the data cannot be linked to a natural person.
- High level data breach:
  - the unauthorised alteration, disclosure, unauthorised transmission, intentional or unintentional deletion or destruction of, or unauthorised access to, a wide range of personal data,
  - irrespective of the scope of the data, any case where the incident is likely to have a serious adverse effect on the data subject or where the adverse effect is certain to occur.
- The Contractor shall provide the possibility for the Customer to check the functioning of the service in a personal consultation, if required.
- The Contractor shall inform the Customer without delay if any of its instructions is, in the opinion of the Contractor, in breach of the applicable data protection requirements. If the instruction is maintained by the Customer after the notification, the Contractor shall be relieved of any liability in relation to the processing activity concerned.
7 SUPPORT FOR THE EXERCISE OF THE RIGHTS OF PERSONS CONCERNED
The Contractor supports the exercise of the right of persons concerned as follows:
- The Customer shall have the right to make a request to the Contractor at any time if the exercise of a right by the data subjects requires the assistance of the Contractor; in such cases the Contractor shall comply with the request within 20 days in agreement with the Customer.
8 OBLIGATION TO KEEP RECORDS
The Contractor shall keep records of the Data Processing activities it carries out.
The Contractor undertakes to treat as confidential any personal data and any other information that may come to its knowledge in the course of the performance of its data processing activities under this Contract and any other information that may come to its knowledge in the course of the data processing activities of the Customer or the Contractor and to use such data solely for the performance of the tasks specified in this Contract.
10 OBLIGATIONS AFTER THE CESSATION OF DATA PROCESSING
The Customer and the Contractor agree that, in the event of termination of the specific contract between the Parties, the Contractor shall delete or irretrievably anonymise all data processed in the context of the Service in accordance with the Customer's request no later than 30 days after the termination of the contract.