The purpose of this notice is to properly inform data subjects about the data processing activities carried out by the data controller.
The Data Controller informs data subjects that, in the course of its data processing activities, it complies with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: "GDPR"), as well as with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: "Information Act").
Name: Duna Aszfalt Zrt.
Registered seat/postal address: 6060 Tiszakécske, Béke u. 150., Hungary
E-mail address: adatvedelem@dunaaszfalt.hu
Website: www.dunaaszfalt.hu
The Data Controller processes the following personal data relating to its contractual partners and their contractual employees, authorized representatives, and agents:
The Data Controller sets out, in the table below, the purpose and legal basis of the data processing activities it carries out, as well as the retention period of the processing.
| Data Processing Activity | Purpose of Processing | Legal Basis of Processing | Retention Period |
|---|---|---|---|
| Personal data relating to the contractual partner, provided by the contractual partner. | Performance of contracts concluded with contractual partners, and enforcement of claims arising therefrom. | Processing necessary for the performance of a contract, GDPR Article 6(1)(b). | A minimum of 5 years, but no later than the final deadline for enforceability of claims arising from the contract. |
| Personal data relating to the employees, authorized representatives and agents of contractual partners, provided by the contractual partners. | Performance of contracts concluded with contractual partners, maintaining contact, and enforcement of claims arising from the contract. | Processing based on legitimate interest1, GDPR Article 6(1)(f). | A minimum of 5 years, but no later than the final deadline for enforceability of claims arising from the contract. |
| Identification data provided by contractual partners. | Performance of activities necessary for compliance with legal obligations (e.g. bookkeeping, tax-related activities). | Processing necessary for compliance with a legal obligation, GDPR Article 6(1)(c). | Accounting documents and records: 8 years; other documents: no later than the final deadline for enforceability of claims arising from the contract. |
The Data Controller transfers the personal data of data subjects to the following recipients:
The legal basis and purpose of the data transfers are set out in the table below:
| Data Processing Activity | Purpose of Processing | Legal Basis of Processing |
|---|---|---|
| Data transfer to contractual partners and within the corporate group. | Performance of contracts concluded with contractual partners, and enforcement of claims arising therefrom. | Processing based on legitimate interest2, GDPR Article 6(1)(f). |
| Data transfer to organizations providing postal and parcel delivery services. | Cooperative communication and the proper exercise of rights arising from the contract, in the course of contract performance. | Processing necessary for the performance of a contract, GDPR Article 6(1)(b). |
| Data transfer required to comply with reporting and disclosure obligations arising from law. | Performance of activities necessary for compliance with legal obligations (e.g. bookkeeping, tax matters, law enforcement activities). | Processing necessary for compliance with a legal obligation, GDPR Article 6(1)(c). |
| Data transfer to a company carrying out data processing activities. | Execution and performance of data processing within the purposes and system established by the Data Controller. | Processing necessary for the performance of a contract, GDPR Article 6(1)(b). |
| Transfer to an independent insurance broker experienced in claims matters. | Obtaining insurance expert opinions in connection with damage events arising during construction activities. | Processing based on legitimate interest3, GDPR Article 6(1)(f). |
In connection with data transfers to contractual partners and within the corporate group, data is transferred to companies that participate, as contracting partners (e.g. consortium partner, developer, etc.), in the construction activities of a given project and cooperate in the implementation under the relevant contract.
In connection with data transfers to organizations providing postal and parcel delivery services, data is transferred primarily to Magyar Posta (the Hungarian national postal service) and, secondarily, to other parcel delivery organizations.
In connection with the fulfilment of reporting and disclosure obligations arising from law, public authorities are those organizations that carry out public administrative functions in the performance of their statutory duties. Such organizations include, without limitation, local and central tax authorities, social security bodies, and other supervisory authorities and organizations.
The independent insurance broker experienced in claims matters is the person who mediates between the insurance companies and our company, as the insured party, in establishing the legitimacy of a claim for damages.
Data processing activities are carried out on our company's behalf by the company or companies engaged for this purpose, on the basis of a contractual agreement concluded between our company and the data processor.
Pursuant to Article 13(1)(f) of the GDPR, the Data Controller informs data subjects that it does not transfer the personal data it processes to any data controller located in a third country or to any international organization.
Data subjects are informed that they may request access to the personal data concerning them, as well as its rectification, erasure, or restriction of processing, and may also exercise their right to data portability.
The content of these rights is described to data subjects as follows:
If a data subject wishes to exercise their rights, they may contact our colleague at any of the contact details provided in Section 1 of this notice. Requests submitted electronically or in paper form will be examined without undue delay, and the data subject will be informed of the measures taken no later than one month following receipt of the request. Where the request is complex or additional information or measures are required to comply with it, this deadline may be extended by a further two months.
If a data subject disagrees with any data processing activity carried out by the Data Controller, they may lodge a complaint with the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság), at the following contact details: address: 1055 Budapest, Falk Miksa utca 9-11, Hungary; postal address: 1363 Budapest, Pf.: 9, Hungary; e-mail: ugyfelszolgalat@naih.hu; telephone: +36 (1) 391-1400. In addition, the data subject has the right to bring a claim before the competent court in order to enforce their rights relating to their personal data.
1 The legitimate interest assessment test required to identify the legitimate interest relating to the personal data of the employees, authorized representatives and agents of contractual partners is contained in the annex to our Data Protection Policy.
2 The legitimate interest assessment test required to identify the legitimate interest relating to data transfers within the corporate group is contained in the annex to our Data Protection Policy.
3 The legitimate interest assessment test required to identify the legitimate interest relating to claims for damages is contained in the annex to our Data Protection Policy.
Date of issue: 5 October 2020