PRIVACY AND DATA MANAGEMENT POLICY
Official name: Jonatán-Sodalitas Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
English translation: Jonatán-Sodalitas Commercial and Service Limited Company
Application of the Data Protection and Data Management Policy
Name of the organization: Jonatán-Sodalitas Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Seat of the organization: 4029 Debrecen, Eötvös street 45.
Person responsible for the content of the policy: Sándor Ungvári, Managing Director
Date of entry into force of the policy: 5 March 2022
This Policy lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of personal data. The provisions of this Policy apply to the organization's specific data processing activities and to the instructions and information issued to govern that processing.
The obligation to appoint a Data Protection Officer covers all public authorities and other bodies with a public service mission (regardless of what data they process), as well as other entities whose main activity is the systematic, large-scale monitoring of individuals or the processing of a large number of special categories of personal data.
Does the organization employ a data protection officer? [X] employs [ ] does not employ
If a Data Protection Officer is employed:
Name: Andrea Ungvári
Capacity: Managing Director
Contact: dpo@eprayapp.org
Scope of the Policy
This policy applies until revoked and applies to the officers, employees and data protection officer of the organization.
Debrecen, 5 March 2022
....................................................
head of the organization
Purpose of the policy
The purpose of this Policy is to harmonize the requirements of the organization's other internal policies concerning data processing activities, in order to protect the fundamental rights and freedoms of natural persons and to ensure the proper processing of personal data when using EprayApp (iOS and Android) and the https://eprayapp.org website.
In its activities, the organization intends to fully comply with the legal requirements for the processing of personal data, in particular those of Regulation (EU) 2016/679 of the European Parliament and of the Council.
A further key purpose of issuing this Policy is to enable the organization's employees to process the data of natural persons lawfully by knowing and complying with it.
Essential concepts and definitions
- GDPR: (General Data Protection Regulation) the Data Protection Regulation of the European Union;
- data controller: a natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be laid down by Union or Member State law;
- data processing: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data processor: a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the controller;
- personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- third party: a natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, or the persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- restriction of processing: the marking of stored personal data with the aim of limiting their future processing;
- pseudonymization: the processing of personal data in such a way that the data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- record-keeping system: any structured set of personal data which is accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis;
- personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Guidelines for data processing
The processing of personal data should be carried out lawfully, fairly, and transparently for the data subject.
Personal data may only be collected for specific, explicit, and legitimate purposes.
The personal data processed should be adequate and relevant to the purpose of the processing and limited to what is necessary for that purpose.
Personal data must be accurate and up-to-date. Inaccurate personal data shall be deleted without delay.
Personal data should be stored in such a way as to allow the identification of the data subjects only for a necessary period. Personal data may be stored for a more extended period only if stored for archiving purposes in the public interest, for scientific and historical research purposes, or statistical purposes.
The processing of personal data shall be carried out in such a way as to ensure the adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, by applying appropriate technical or organizational measures.
The principles of data protection shall apply to all information relating to an identified or identifiable natural person.
The organization's employee responsible for the lawful processing of personal data bears disciplinary, civil (compensation), misdemeanour, and criminal liability. If a staff member becomes aware that personal data processed by him or her is inaccurate, incomplete, or out of date, he or she shall rectify it or initiate its rectification with the staff member responsible for recording the data.
Processing of personal data
Natural persons can be associated with online identifiers such as IP addresses and cookie IDs provided by the devices, applications, tools, and protocols they use; this data can be combined with other information to create a profile of a natural person and to identify that person.
Data processing may only take place if the data subject gives his or her voluntary, specific, informed, and unambiguous consent to the data processing by an explicit affirmative action, such as a written statement, including an electronic or oral statement.
Consent to data processing is also given when the data subject ticks a box when visiting the website. Silence, pre-ticked boxes, or inaction are not considered consent.
Consent is also deemed to be given when a user makes technical settings to this effect when using electronic services, or makes a statement or takes an action that clearly indicates the data subject's consent to the processing of his or her data in that context.
Personal health data include data on the health status of the data subject that reveal information about the data subject's past, present or future physical or mental health. This includes:
- registration for health services;
- a number, symbol, or particular assigned to the natural person to uniquely identify him or her for health purposes;
- information derived from the examination or testing of a body part or bodily substance, including genetic data and biological samples;
- information on a disease, disability, disease risk, medical history, clinical treatment, or physiological or biomedical state of the data subject, regardless of its source, such as a doctor or other healthcare worker, a hospital, a medical device, or a diagnostic test.
Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample taken from the person concerned, in particular a chromosomal analysis or an analysis of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA), or from the analysis of any other element enabling equivalent information to be obtained.
The controller informs the persons using its service that it processes health data only if the user enters such data into the EprayApp system. The controller does not disclose data uploaded by users to the system during use of the service to third parties, and at the user's request removes it within 15 days. The user can also remove the data he or she entered from the system by using the "delete project" button.

Children's data deserve special protection, as children are less aware of the risks, consequences, safeguards, and rights associated with the processing of personal data. This specific protection should apply in particular to the use of children's data for marketing purposes or for creating personality or user profiles.
Personal data should be processed in such a way as to ensure an adequate level of security and confidentiality, including to prevent unauthorized access to or unauthorized use of personal data and the means used to process personal data.
All reasonable steps must be taken to rectify or delete inaccurate personal data.
Lawfulness of data processing
The processing of personal data is lawful if one of the following is fulfilled:
- the data subject has given his or her consent to the processing of his or her data for one or more specific purposes;
- the processing is necessary for the performance of a contract in which the data subject is one of the parties or is necessary to take steps at the request of the data subject before the conclusion of the contract;
- the processing is necessary for the fulfillment of the legal obligation of the controller;
- the processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or the exercise of official authority conferred on the controller;
- the processing is necessary to enforce the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
According to the above, the processing is considered lawful if necessary in the context of a contract or intention to enter into a contract.
Where processing takes place in the context of the fulfillment of a legal obligation to which the controller is subject, or where it is necessary for the performance of a task of public interest or the exercise of public authority, the processing shall have a legal basis under Union law or the law of a Member State.
Processing shall also be deemed lawful when it is carried out to protect the life of the data subject or the vital interests of another natural person. Processing of personal data on the basis of the vital interests of another natural person should in principle take place only where the processing cannot be based on any other legal basis.
Some types of personal data processing may serve both essential public interests and the vital interests of the data subject, for example where the processing is necessary for humanitarian reasons, including to monitor epidemics and their spread, or in humanitarian emergencies, in particular in the case of natural or man-made disasters.
The legitimate interest of the controller, including a controller to whom the personal data may be disclosed, or of a third party, may provide a legal basis for the processing. Such a legitimate interest may exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, for instance where the data subject is a client of, or is employed by, the controller.
The processing of personal data strictly necessary for preventing fraud also constitutes the legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes can also be based on legitimate interests.
To establish the existence of legitimate interest, it is essential to examine carefully, among other things, whether the data subject can reasonably expect that the processing may take place for that purpose at the time and in connection with the collection of the personal data. The interests and fundamental rights of the data subject may take precedence over the controller's interests if the personal data are processed in circumstances where the data subjects do not expect further processing.
The processing of personal data by public authorities, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services, and providers of security technologies and services, to the extent strictly necessary and proportionate to ensure network and information security, constitutes a legitimate interest of the controller concerned.
The processing of personal data for purposes other than those for which they were originally collected is permitted only if the new purpose is compatible with the original purposes. In this case, no separate legal basis is required beyond the one that allowed the collection of the personal data.
The processing of personal data by official authorities for the purpose of achieving the aims, laid down in constitutional law or public international law, of officially recognized religious organizations shall be considered to be carried out on grounds of public interest.
Consent of the person concerned, conditions
- Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
- Where the data subject gives his or her consent in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner clearly distinguishable from those other matters.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before giving consent. Withdrawing consent shall be as easy as giving it.
- In determining whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, has been made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
- The processing of personal data relating to information society services offered directly to children is lawful if the child is at least 16 years old. In the case of a child under the age of 16, the processing of the child's data is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data and biometric data processed to uniquely identify a natural person, health data, and personal data concerning the sex life or sexual orientation of a natural person, shall be prohibited unless the data subject has given his or her explicit consent to the processing of such personal data for one or more specified purposes.
Personal data relating to decisions on the establishment of criminal liability and criminal offenses or related security measures may only be processed if a public authority processes them.
Data processing that does not require identification
If the purposes for which the controller processes the personal data do not or no longer require the identification of the data subject by the controller, the controller shall not be obliged to retain additional information in order to identify the data subject.
If the controller can demonstrate that it is not able to identify the data subject, the controller shall inform the data subject accordingly, where possible.
Information and rights of the person concerned
The principle of fair and transparent data processing requires that the data subject be informed of the fact and purposes of the processing.
Where personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences of not providing it. This information may be supplemented by standardized icons that give the data subject a general overview of the intended processing in an easily visible, intelligible, and clearly legible form.
Information relating to the processing of personal data concerning the data subject shall be provided to the data subject at the time of collection or, if the data have been obtained from a source other than the data subject, within a reasonable time, taking into account the circumstances of the case.
The data subject has the right to access the data collected concerning him or her and to exercise this right easily and at reasonable intervals in order to establish and verify the lawfulness of the processing. Every data subject should have the right to know, in particular, the purposes for which the personal data are processed and, where possible, the period for which the personal data will be stored.
In particular, the data subject shall have the right to have his or her data deleted and no longer processed if the collection or other processing of personal data is no longer necessary in connection with the original purposes of the processing or if the data subjects have withdrawn their consent to the processing of the data.
Where personal data are processed for direct marketing purposes, the data subject should have the right to object at any time free of charge to the processing of personal data relating to him or her for that purpose.
Review of personal data
To ensure that the storage of personal data is limited to the necessary period, the controller shall set deadlines for erasure or regular review.
Regular review period set by the head of the organization: 1 year.
Tasks of the controller
The controller applies appropriate internal data protection rules for lawful data processing. This regulation covers the powers and responsibilities of the controller.
The controller must implement appropriate and effective measures and demonstrate that the processing activities comply with the legislation in force.
This regulation should consider the nature, scope, circumstances, and purposes of the processing and the risk to the rights and freedoms of natural persons.
The controller shall implement appropriate technical and organizational measures, considering the nature, scope, circumstances, and purposes of the processing and the risk to the rights and freedoms of natural persons of varying probability and severity. Based on these Regulations, other internal regulations shall be reviewed and, if necessary, updated.
The controller or processor shall keep an appropriate record of the processing activities carried out under its competence. All controllers and processors shall cooperate with the supervisory authority and make these records available on request to verify the processing operations concerned.
Rights related to data processing
Right to request information
Any person may request information, through the contact details provided, about what data the organization processes, on what legal basis, for what purpose, from what source, and for how long. On request, the information shall be sent to the contact details provided without delay, but within a maximum of 30 days.
Right to rectification
Any person may request the modification of any of their data through the contact details provided. This shall be done without delay, but within a maximum of 30 days, and information shall be sent to the contact details provided.
Right to erasure
Any person may request the deletion of their data through the contact details provided. On request, this shall be done without delay, but within a maximum of 30 days, and information shall be sent to the contact details provided.
Right to block or restrict
Any person may request the blocking of their data through the contact details provided. The blocking will last as long as the reason indicated requires the storage of the data. On request, this shall be done without delay, but within a maximum of 30 days, and information shall be sent to the contact details provided.
Right to object
Any person may object to the processing through the contact details provided. The objection shall be examined as soon as possible after its submission, but no later than 15 days. A decision shall be taken on its merits, and information on the decision shall be sent to the contact details provided.
Possibility of enforcing rights relating to data processing
National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: customer service (at) naih.hu
URL: https://naih.hu
Coordinates: N 47°30'56''; E 18°59'57''
In the event of a violation of the data subject's rights, the data subject may bring an action against the controller before a court. The court shall hear the case out of turn. At his or her option, the data subject may bring the action before the court having jurisdiction over his or her place of residence or domicile.
Responsibilities of the organization for adequate data protection
- Privacy awareness. Professional competence must be ensured in order to comply with the law. It is essential to prepare the staff professionally and to familiarize them with the regulations.
- The purpose and criteria of the data processing and the concept of personal data processing must be reviewed. Lawful processing should be ensured by the data protection and data management policy.
- Adequate information must be given to the data subject. It should be noted that if the processing is based on the data subject's consent, it is for the controller to prove, in case of doubt, that the data subject has consented to the processing.
- The information provided to the data subject should be concise, easily accessible, and easy to understand, and should therefore be drafted and displayed in clear and plain language.
- Transparent data processing requires that the data subject is informed about the fact and purposes of the data processing. The information must be provided before the data processing starts, and the data subject has the right to be informed throughout the processing.
- The primary rights of the data subject are:
  - access to personal data relating to him or her;
  - rectification of personal data;
  - erasure of personal data;
  - restriction of the processing of personal data;
  - objection to profiling and automated processing;
  - the right to data portability.
- The controller shall inform the data subject without undue delay, but no later than one month after receipt of the request. Where necessary, considering the complexity of the request and the number of requests, this time limit may be extended by a further two months. The obligation to provide information can be met by operating a secure online system through which the data subject can easily and quickly access the necessary information.
- The organization's data processing should be reviewed, and the right to informational self-determination should be ensured. At the data subject's request, his or her data shall be deleted without delay if the data subject withdraws the consent on which the processing is based.
- The consent of the data subject must unambiguously show that the data subject consents to the processing. If the processing is based on the consent of the data subject, in case of doubt the controller must prove that the data subject has consented to the processing operation.
- In the case of processing children's personal data, special attention should be paid to compliance with the data management rules. The processing of personal data relating to information society services offered directly to children is lawful if the child is at least 16 years old. In the case of a child under the age of 16, processing the child's data is lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child.
- In the event of unlawful processing of, or a breach involving, personal data, an obligation to notify the supervisory authority arises. The controller shall notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the personal data breach, unless the breach is unlikely to result in a risk to the rights of natural persons.
- In some cases, it may be appropriate for the controller to carry out a data protection impact assessment before the processing. The impact assessment shall examine how the planned processing operations affect the protection of personal data. If the data protection impact assessment establishes that the processing is likely to result in a high risk, the controller shall consult the supervisory authority before processing the personal data.
- Where the main activities involve processing operations which, by their nature, scope or purpose, require regular and systematic large-scale monitoring of data subjects, a Data Protection Officer shall be appointed. The appointment of a Data Protection Officer is intended to strengthen data security.
Security
In particular, the data shall be protected by appropriate measures against unauthorized access, alteration, transmission, disclosure, erasure, or destruction, against accidental destruction and damage, as well as against inaccessibility due to changes in the technique used.
To protect electronically managed files in registers, it is necessary to ensure, by appropriate technical means, that the data stored in the records cannot be directly linked and assigned to the data subject.
When designing and applying data security measures, the state of the art shall be taken into account. Where several data processing solutions are possible, the one that ensures a higher level of protection of personal data should be chosen, unless this would be disproportionately difficult for the controller.
Data Protection Officer
The appointment of a Data Protection Officer is mandatory based on the following criteria:
- the processing is carried out by public authorities or other bodies with a public service mission, except courts acting in their judicial functions;
- the main activities of the controller or processor involve processing operations which, by their nature, scope or purpose, require regular and systematic large-scale monitoring of data subjects;
- the main activities of the controller or processor consist of large-scale processing of personal data relating to decisions establishing criminal liability and to criminal offences.
Where the appointment of a Data Protection Officer is mandatory, the following rules shall apply:
The DPO shall be appointed on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and the ability to fulfil the tasks of the position.
The DPO may be an employee of the controller or processor but may also carry out his or her duties under a service contract.
The controller or processor shall publish the name and contact details of the Data Protection Officer and shall also communicate them to the supervisory authority.
Status of data protection officer
The controller shall ensure that the DPO is involved in all matters relating to protecting personal data in an appropriate and timely manner. It is necessary to ensure that the resources needed to maintain the DPO's knowledge at the expert level are available.
The DPO shall not take instructions from anyone regarding the performance of his or her duties. The controller or processor shall neither dismiss nor penalize the DPO for performing his or her duties. The DPO shall report directly to the highest management level of the controller or processor.
Data subjects may contact the Data Protection Officer on all matters relating to the processing of their data and the exercise of their rights.
The DPO shall be bound by secrecy or confidentiality concerning the performance of his or her duties.
The DPO may perform other duties, but there shall be no conflict of interest about the tasks.
Duties of the Data Protection Officer
- provide information and professional advice to the controller or processor, as well as to the employees responsible for the processing;
- verify compliance with the internal rules of the controller or processor relating to the protection of personal data;
- provide technical advice on the data protection impact assessment on request and monitor the implementation of the impact assessment;
- cooperate with the supervisory authority.
Privacy incident
A personal data breach is a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data transmitted, stored, or otherwise processed.
In the absence of appropriate and timely action, a personal data breach may cause physical, material, or non-material damage to natural persons, including loss of control over their data or restriction of their rights, discrimination, identity theft or fraud.
A personal data breach shall be reported to the competent supervisory authority without undue delay and, where feasible, no later than 72 hours, unless it can be demonstrated, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The data subject shall be informed without delay if the personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, so that he or she can take the necessary precautions.
Data processing for administrative and record-keeping purposes
The organization may also process personal data in cases related to its activities or for administrative and record-keeping purposes.
The processing is based on the voluntary and explicit consent of the data subject, given after appropriate information. After detailed information covering the purpose, legal basis, and duration of the processing and the rights of the data subject, the data subject should be informed of the voluntary nature of the processing. Consent to data processing shall be recorded in writing.
Data processing for administrative and registration purposes serves the following purposes:
- the processing of data of the organization's members and employees, based on a legal obligation;
- the processing of data of persons in an agency relationship with the organization, for the purposes of contact, settlement, and registration;
- contact details of other entities, institutions, and undertakings doing business with the organization, which may include contact details and identification data of natural persons.
The above data processing is based on a legal obligation on the one hand, and on the other hand on the express consent of the data subject to the processing of his or her data (e.g., under an employment contract, or by registering as a partner on a website).
In the case of documents sent to the organization in written form that contain personal data (e.g., a CV, a job application, or other submissions), the person's consent shall be presumed. Once the case has been closed, the documents shall be destroyed without being reused. The fact of destruction shall be recorded in the minutes.
In the case of data processing for administrative purposes, personal data are included only in the documents and records of the matter in question. The processing of this data lasts until the document on which the processing is based is destroyed.
To ensure that the storage of personal data is limited to the necessary period, the processing for administrative and record-keeping purposes should be reviewed annually, and inaccurate personal data should be deleted without delay.
In the case of processing for administrative and record-keeping purposes, compliance with the law should also be ensured.
Processing for other purposes
If the organization wishes to carry out data processing that is not included in this Policy, it is necessary to properly supplement this internal Policy and attach the sub-rules corresponding to the new data management purpose.
Other documents related to this policy
For example, documents and regulations containing a written statement consenting to data processing or, for instance, in the case of websites, the mandatory privacy notice should be linked to and managed with the data protection and data management policy.
Legislation on which data processing is based
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Act CXII of 2011 on the right to informational self-determination and freedom of information.
- Act LXVI of 1995 on public records, public archives, and the protection of private archival material.
- Government Decree No. 335/2005 on the general requirements for document management by bodies performing public duties.
- Act CVIII of 2001 on certain aspects of e-commerce services and information society services.
- Act C of 2003 on Electronic Communications.
