Ensuring fair and transparent data processing in relation to data processing operations, processes and circumstances related to the provision of services by Espell Zrt.

• Name of the controller: Espell Fordítás és Lokalizáció Zártkörűen Működő Részvénytársaság (Espell Translation and Localization Ltd.)
• Registered office: 1068 Budapest, Városligeti fasor 24. 1. em. 1. ajtó, Hungary
• Court of registration: Company Registry Court of Budapest-Capital Regional Court
• Company registration number: Cg. 01-10-047514
• Contact details:‍
  
  • e-mail: espell@espell.com
  • phone: +36 (1) 239-8043, +36 (1) 201-8575
  • website: www.espell.com‍
• Person responsible for data processing: Andrea Téry
• E-mail address for issues of data processing: dataprotection@espell.com

• dataset means all data processed in a single register;
• technical processing means the totality of processing operations performed by the processor acting on behalf of, or instructed by, the controller;
• processor means a natural or legal person, or an organisation without legal personality which, within the framework and under the conditions laid down in an Act or in a binding legal act of the European Union, acting on behalf, or according to the instructions, of the controller, processes personal data;
• processing means any operation or set of operations performed on personal data or data files, whether or not by automated means; in particular collection, entering, recording, organisation, structuring, storage, adaptation and alteration, consultation, use, retrieval, disclosure, data transfer, dissemination, publication, alignment or combination, restriction, blocking, erasure and destruction, as well as the prevention of the further use of data; taking photos and making audio or visual recordings, as well as the recording of physical characteristics suitable for identification (such as fingerprints or palm prints, DNA samples and iris scans);
• restriction of processing means the blocking of stored data by marking them with the aim of limiting their processing in the future;
• record of data processing activities means the record kept by the controller under its responsibility of its data processing activities relating to personal data under its control, personal data breaches and measures taken in relation to the data subject's rights of access;‍
• controller means the natural or legal person or organisation without legal personality which, within the framework laid down in an Act or in a binding legal act of the European Union, alone or jointly with others, determines the purposes of the processing of data, makes decisions concerning processing (including the means used) and implements such decisions or has them implemented by a processor;‍
• data destruction means the complete physical destruction of the data-storage medium that contains the data;‍
• data transfer means making the data available to a specific third party;‍
• data erasure means making the data unrecognisable in such a way that restoration is no longer possible;‍
• personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised transfer or disclosure of, or unauthorised access to, personal data transferred, stored or otherwise processed;‍
• identifiable natural person means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;‍
• pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
• recipient means a natural or legal person, or an organisation without legal personality, to which the controller or the processor makes personal data available;‍
• EEA State means any Member State of the European Union and any other State Party to the Agreement on the European Economic Area, as well as any other state not party to the Agreement on the European Economic Area whose nationals enjoy the same legal status as the nationals of State Parties to the Agreement on the European Economic Area on the basis of an international treaty between the European Union and its Member States and the state concerned;
• data subject means a natural person identified or identifiable based on any information;
• third country means any state other than an EEA State;
• third party means a natural or legal person, or an organisation without legal personality other than the data subject, controller, processor and persons who, under the direct direction of the controller or processor, carry out operations aimed at processing personal data;
• authority means the National Authority for Data Protection and Freedom of Information, whose task is to monitor and promote the enforcement of the right to the protection of personal data and the right of access to data of public interest and data accessible on public interest grounds, as well as to promote the free flow of personal data within the European Union;
• consent means any freely given, specific, informed and unambiguous indication of the data subject's wishes, by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
• joint controller means the controller which, within the framework laid down in an Act or in a binding legal act of the European Union, jointly with one or more other controllers, determines the purposes and means of processing, and, jointly with one or more other controllers, makes decisions concerning processing (including the means used) and implements such decisions or has them implemented by a processor;
• sensitive data means all data falling within the special categories of personal data, that is, personal data revealing racial or ethnic origin, political opinion, religious belief or worldview, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation;
• international organisation means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more states;
• disclosure means making the data accessible to anyone;
• profiling means any form of automated processing of personal data which is aimed at evaluating, analysing or predicting certain personal aspects relating to a data subject, in particular aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
• personal data means any information relating to the data subject;

‍

Data of individuals may only be processed on (at least) one of the following legal bases:

1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

‍

Processing of data of natural persons representing business partners

The following defines the processing of company contact details of natural persons representing or acting as contact persons for customers, clients and suppliers (companies, institutions) who are not considered data subjects.

With regard to data processing, Espell Zrt. is only a processor, because Espell Zrt.'s legal entity partner designates its own contact persons and the personal data made available to Espell Zrt. during the course of contact. In this case, Espell Zrt.'s legal entity partner shall be considered the controller of such data, and Espell Zrt. shall, as a processor, process the contact information provided by the legal entity partner acting as controller for the purpose of maintaining contact.

• Scope of personal data processed: name of the natural person and his or her position within the represented company, address, telephone number, e-mail address, and online identifier.
• Purpose of personal data processing:
  
  • ‍to create and fulfil contracts with Espell Zrt.'s legal entity partners, as well as maintaining business contact;
  • to fulfil tax and record-keeping obligations related to the contract;
  • to resolve disputes arising from the contract.
• Legal basis for processing:‍
  
  • in order to fulfil the tax and record-keeping obligations arising from the contract, Espell Zrt. processes the data as a controller for the purpose of fulfilling its legal obligations;
  • when creating and fulfilling contracts with legal entity partners and processing data for the purpose of maintaining business contact, Espell Zrt. processes the data provided by the legal entity partner (as controller) as a processor.
• Recipients or categories of recipients of the data concerned by the processing: employees, contributors, and processors of Espell Zrt. performing tasks related to maintaining contact.
• Duration of processing:‍
  
  • in the case of financial and accounting documents directly or indirectly supporting accounting records, at least 8 years in accordance with Section 169 of Act C of 2000 on Accounting;
  • for other records, until the conclusion of the contract with a legal entity partner and until the expiry of the period for enforcing claims arising from the contractual relationship, or until the legal entity partner acting as controller instructs otherwise.
• Location and method of data storage: in the case of paper-based data processing, at the offices of Espell Zrt.; electronically, on the file server of Espell Zrt.
• Other possible processors: processors used by Espell Zrt. and the legal basis for data processing: until the expiry of the claim enforcement period arising from the contractual relationship.
  
  • the company performing accounting services for Espell Zrt. – compliance with legal obligations (tax legislation)
  • the operator of Espell Zrt.'s invoicing program – performance of contract; compliance with legal obligations (tax legislation)

‍

Processing operations related to translation and related activities

Espell Zrt. receives the text that is the subject of the language services from the party ordering the language services and provides the language services ordered in relation to that text, regardless of the content of the text.

The content of the text to be translated is known and may be accessed by Espell Zrt.'s internal or external staff members and subcontractors only to the extent necessary to ensure that the translation meets the required quality standards. The content of the text is strictly confidential and may not be used for any purpose other than the fulfilment of the order.

The translation is done with IT support (translation software). In this support system, the text to be translated is stored in a so-called translation memory, which helps to ensure that the translation is carried out efficiently and in a manner that meets the required quality standards. The individual translation memories are therefore part of Espell Zrt.'s translation support software system, but may only be used for the texts of the customer in question.

After completion of the translation order, the original text and its translation will normally remain available in the translation memory. Text pairs stored in this manner are protected by strict access rights and may only be used for subsequent translation orders from the same customer on a similar topic.

If the text to be translated contains personal (or sensitive personal) data, it will be treated with the same confidentiality as any other material to be translated, without the customer having to make a specific request.

The controller for such personal data contained in the texts to be translated is the customer who ordered the translation. Espell Zrt., acting as a processor, i.e. on behalf of the customer acting as controller, carries out the processing of personal data, which means the translation of personal data, by following the customer's instructions.

• Scope of personal data processed: personal data contained in the text to be translated.
• Purpose of personal data processing: translating the text to be translated in a manner that meets the required quality standards.
• Legal basis for processing: the execution of the order given to Espell Zrt. (as processor) by the customer (as controller); the customer (as controller) is responsible for the lawfulness of processing.
• Recipients or categories of recipients of the data concerned by the processing: internal or external staff (as processors) carrying out the translation (or related activities), or the customer of the translation (as controller).
• Duration of processing: the time required to complete the translation assignment and the time period required by the relevant legislation.
• Location and method of data storage: in the protected translation memory of the translation support IT system of Espell Zrt. (as processor).
• Ensuring guaranteed rights of the natural persons concerned and the obligation to provide information: it is the task and responsibility of the customer ordering the translation as the controller.

‍

Processing on the controller's website

Principles:

• Cookies are data files with minimal content that are placed on the user's computer by the website visited. The purpose of a cookie is to facilitate the provision of a given infocommunication or internet service and to make its use more convenient.
• Cookies do not contain personal information and are not suitable for identifying individual users. Cookies often contain a unique identifier – a secret, randomly generated sequence of numbers – that is stored on the user's device. Some cookies are deleted after the website is closed and some are stored on the user's computer for longer periods.
• Users can delete cookies from their computer or set their browser to reject the use of cookies.  
• Under European Union directives and legislation, certain cookies can only be placed on the user's device with the user's permission.

‍

Use of cookies by the controller:

• The controller does not manage or use any cookies on its website.  
• The controller uses Google Analytics on its website for the purpose of evaluating visitor statistics and improving the website. This service uses certain cookies for the purpose of evaluating visits. These cookies, with the exception of cookies necessary for the operation of the website, can be enabled or disabled by the website visitor when opening the website.
• These cookies are not known, used or managed by Espell Zrt. as a controller. The controller receives and processes only visitor statistics through the cookies managed by the Google Analytics provider, and these statistics do not contain any personal data about individual users.

‍

Communication with a natural person via the controller's website

• Visitors to the controller's website may send e-mails to the controller directly from the website.
• In the e-mail sending function of the website, senders need to enter their name, e-mail address and message. The function forwards the message to the central e-mail address of the controller. The e-mails sent in this way are stored on the website's system, but are regularly deleted by the web administrator acting on behalf of the controller.
• The website does not further process personal data in this way.
• Apart from the above, the e-mail sent will be processed in the same way as any other e-mail sent directly to the controller by a client, user, business partner or other legal or natural person – and in which case the sender of the e-mail has provided the personal data necessary for the identification of the e-mail (name, e-mail address) with his or her consent by sending the e-mail.

‍

Maintenance of social media pages

• The controller maintains social media pages, primarily for marketing and recruitment purposes, where the content provision and management of the page is moderated.
• Users interacting with social media pages officially maintained by the controller allow the data posted on their own pages or profiles to be known by the service provider. The controller of the data published on social media pages is the provider of the social media platform. Social media platform providers communicate the way and the rules for processing such data to their users through their own privacy notices.
• The controller does not collect, maintain or record the activities and communications of visitors to its officially maintained social media pages, and does not process such data.

‍

• For all its processing operations, the controller shall take all technical and organisational measures to ensure the security of personal data that safeguard the rights of data subjects beyond legal and IT aspects. To this end, it has established specific policies for both employees and persons performing IT tasks, which form part of the documentation for the information security management system of the controller.
• The controller prevents accidental or unlawful damage, alteration, destruction, loss, unauthorised disclosure of or access to personal data by internal procedures and measures.
• The controller protects its IT system with a regularly updated firewall and virus protection.
• The controller ensures adequate physical and administrative protection of the data and the media and documents carrying them. Access to data, files and documents relevant to the work in progress is restricted to the authorised persons concerned. Paper files containing personnel, payroll, employment and other personal data are physically locked away in a secure place.
• When processing personal data by automated means, the controller and the processor take additional measures to:
  
  • prevent the unauthorised input of data;
  • prevent the use of automated data processing systems by unauthorised persons using data transmission equipment;
  • ensure the verifiability and ascertainability of the entities to which personal data have been or may be transferred using data transmission equipment;
  • ensure the verifiability and ascertainability of which personal data have been entered into automated data processing systems, when and by whom;
  • ensure the recoverability of the installed systems in the event of a failure, and
  • report errors that occur during automated processing.
• The controller also ensures the security of personal data by operating a certified international ISO/IEC 27001-based information security management system within the controller's organisation.

‍

Right to prior information

• The individual concerned has the right at any time to obtain intelligible information about the facts and information relating to the processing. This right shall also apply prior to the start of the processing.

‍

Right of access

• The individual concerned has the right to obtain from the controller a concise and intelligible answer as to whether his or her personal data are currently being processed. Where that is the case, the data subject has the right to access personal data concerning him or her and related information as defined in the EU Regulation (GDPR).

‍

Right to rectification

• The individual concerned shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall have the right to have inaccurate or incomplete personal data amended or completed.

‍

Right to erasure / ‘right to be forgotten’

• The individual concerned shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data concerning the data subject without undue delay in certain cases (as determined in the GDPR).
• This right of the data subject applies in particular to personal data processed on the basis of his or her consent. In certain other cases, such as data processed to comply with a legal obligation, this right is explicitly limited.

‍

Right to restriction of processing

• The data subject shall have the right to obtain from the controller restriction of processing if certain conditions (as specified in the GDPR) are met. This category of cases is mostly used to record a specific processing situation, which may be a precursor to a dispute or the specific dispute itself.

‍

Notification obligation regarding rectification or erasure of personal data or restriction of processing

• The controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of processing. Exception: this obligation cannot be expected to be fulfilled if it proves impossible or requires disproportionate effort.

‍

Right to data portability

• The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

‍

Right to object

• The individual concerned shall have the right to object to the processing of his or her personal data at any time if
  
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

‍

Automated individual decision-making, including profiling

• The individual concerned shall have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning him or her or similarly significantly affects him or her. The individual concerned can then request manual, human intervention and decision-making.

‍

Communication of a personal data breach to the data subject

• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

‍

Right to apply to a public authority

• Every individual concerned shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation.

‍

Right to an effective judicial remedy against a supervisory authority

• All natural and legal persons shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
• This right also applies where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

‍

Right to an effective judicial remedy against a controller or processor

• Every data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights have been infringed as a result of the processing of his or her personal data in non-compliance with the General Data Protection Regulation.
• You have the right to lodge a complaint with the supervisory authority (the Hungarian National Authority for Data Protection and Freedom of Information, abbreviated as NAIH; www.naih.hu; H-1055 Budapest, Falk Miksa utca 9-11), if you consider that the processing of the personal data related to you infringes the General Data Protection Regulation of the European Union (GDPR) or the effective Hungarian laws on data processing.

‍