
Sensa Consulting – Privacy policy

PRIVACY POLICY

Sensa Consulting Consultancy and Service Provider Ltd.

(registered seat: 1028 Budapest, Harmatcsepp utca 53.

Company registration number: 01-09-725763, Tax number: 13249559-2-41)

 

Annexes:

Annex 1: Agreement

Annex 2: Data Processing Records (framework)

Annex 3: Data Transfer Records (framework)

2018

(updated on 15 October 2018)

PRIVACY POLICY
Effective updated version: from 15 October 2018 until revoked

1. Introduction

Sensa Consulting Consultancy and Service Provider Ltd. (registered seat: 1028 Budapest, Harmatcsepp u. 53.; company registration number: 01-09-725763; tax number: 13249559-2-41;) (hereinafter: “Sensa”) has drawn up the present Privacy Policy (hereinafter: “Policy”).

Sensa is committed to the protection of the personal data of their clients and partners, and highlights the importance of informational self-determination. Sensa treats personal data confidentially, and takes all security, technical and organisational measures in order to guarantee the security of personal data. The present Policy presents Sensa’s data protection practices.

 

2. Definitions

 

Business consultancy:

Sensa provides comprehensive consultancy services to its Partners in the following areas, based on the needs and orders of the Partners. These services may include:

a)    Preliminary needs assessment – discussion with the Partner about needs and the required services.

b)    Preliminary assessments and surveys – tests and questionnaires filled in by the Collaborator, or preliminary on-the-job observation of the Collaborator, which serve the mapping of the Collaborator’s activities and mechanisms.

c)    Coaching – individual on-the-job development – a service by which the trainer/coach helps the Collaborator deepen their practical knowledge and enhance their performance.

d)    Training – group development – targeted development of the theoretical and practical knowledge of the Collaborators.

 

Partner:

An employer in contractual relationship with Sensa, the employees of which directly collaborate during the performance of Business consultancy services provided to the Partner.

 

Collaborator:

an employee of the Partner who as such becomes a subject of the Business consultancy services, including the contact person appointed by the Partner.

 

Data controller:

The natural or legal person, or organisation without a legal personality, who or which, alone or jointly with others, determines the purposes of the processing of personal data, makes and executes decisions regarding the processing of personal data (including the means used), or appoints a data processor to execute those decisions on the data controller’s behalf. The data controller is the natural or legal person, or organisation without a legal personality, who or which, for the data processing purposes defined by law, has the right to process personal or personally identifiable data, or in certain cases, Special category or Health data.

 

Data processor:

the data processor may exclusively process personal data on behalf of the data controller.

 

Personal data:

any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 

Personally identifiable information:

Any or all of the following information: family or first name, birth name, gender, place and date of birth, the mother’s family name at birth and first name, place of residence, location, social security number, if the data subject is or could be identifiable based on that information.

 

Special category data:

personal data relating to race, ethnic origin, political beliefs or party affiliation, religious or other ideological beliefs, trade union membership, sex life, health, addiction or criminal background.

 

Data concerning health:

means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

 

Data processing:

means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Consent:

means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data transfer:

means making the data available to a specific third party.

 

Disclosure:

means making the data available to anyone.

 

Erasure of data:

means making the data unrecognisable in a way that makes their restoration impossible.

 

Restriction of processing:

means marking the stored personal data with the aim of limiting their processing in the future.

 

Personal data breach:

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

 

3. Purpose of Privacy Policy

The purpose of the present Policy is to ensure that the data processing practices of Sensa Consulting Consultancy and Service Provider Ltd. comply with the provisions of applicable law.

The purpose of the Policy is to specify the range of Collaborator data processed by Sensa, the mode, purpose and legal basis of processing, and to ensure the enforcement of the constitutional principles of privacy and the regulations of data protection, as well as to prevent unauthorised access to, the alteration of and unauthorised disclosure or use of the Collaborator’s data.

Sensa processes personal data exclusively as data processor on behalf of and as appointed by the Partner, for the implementation of the purposes, the exercise of rights and performance of obligations specified in their service agreement. Every phase of data processing is in line with the purpose of data processing. The recording and processing of data is conducted in a fair and lawful way. Sensa endeavours to process only such personal data as indispensable and appropriate for the achievement of the purpose of data processing. The personal data can only be processed to the extent and for the duration necessary for the achievement of the purpose. Sensa processes personal data after informing the data subject in a concise, readily accessible and easy-to-understand, clear and plain language.

The present Policy also serves to ensure compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of data and on the free movement of such data and repealing Directive 95/46/EC – General Data Protection Regulation – (GDPR).

 

4. The range of personal data processed during the performance of business consultancy activities, and the purpose of data processing

Sensa, based on the consent of the Collaborators and the applicable regulations, as well as the present Policy, processes exclusively such data during the performance of Business consultancy activities that are indispensable for the fulfilment of the Partner’s assignment and the carrying out of Business consultancy services, exclusively with the explicit consent of the Collaborators, after they have read and understood the contents of the present Policy and the Privacy Notice.

The purpose of data processing is the carrying out of Business consultancy services, as well as settling accounts related to Business consultancy services with Partners.

Sensa guarantees, based on the provisions of the agreements made with the subcontractors participating in the performance of Business consultancy services and the awareness and acceptance of the Internal Privacy Policy, that the subcontractors participating in the data transfer offer appropriate and suitable safeguards during their processes, and that the processes of the subcontractors participating in the performance of Business consultancy services comply fully with the effective norms and regulations, in particular the provisions of GDPR.

Sensa is in a contractual relationship with the Partners, and the Collaborators are employees of the Partners.

Regardless of the fact that the role of Data Controller is fulfilled by the Partners, which means that requesting and verifying the consent of the Collaborators is the responsibility of the Partners, Sensa shall do everything within its power to facilitate compliance with and enforcement of the privacy rules and regulations, including preparing the Collaborators’ statement, to the extent that Sensa has the means and the opportunity to do so.

In the interest of the GDPR-compliant collaboration of the Partners generating the assignment of the Collaborators and Sensa, and acting at the same time as Data Controllers – with particular regard to the confirmation of Collaborators’ freely given consent – Sensa as Data Transferor considers it expedient and recommends to the Partner – hereby and in any other suitable manner – the use of the Agreement enclosed to this Privacy Policy as Annex 1.

Sensa performs Business consultancy activities primarily in the form of group or individual development/consultancy services as per the following:

 

4.1.    Preliminary needs assessment

Purpose of data processing:

Oral assessment of the Partner’s needs, through which Sensa understands or, based on an initial written quotation, interprets the Partner’s problems, on which Sensa then builds a written proposal and discusses it with the Partner.

The range of processed data:

Business data of the participants of the preliminary needs assessment meeting.

Data transfer:

If the involvement of further actors becomes expedient as early as during the preliminary needs assessment – in the interest of assurance of professional quality –, Sensa will transfer data to their subcontractors participating in the potential Business consultancy services.

The list of potentially involved subcontractors can be found annexed to the Data Transfer Records and can be viewed upon the Partner’s request at any time.

 

4.2.    Preliminary assessments and surveys

Purpose of data processing: tests and questionnaires filled in by the Collaborator, or preliminary on-the-job observation of the Collaborator, which serve the mapping of the Collaborator’s activities and mechanisms, as well as the objective base for planning individual or group development processes.

The range of processed data:

-          Collaborator’s name

-          Collaborator’s email address

-          Collaborator’s job title and/or potential job title

-          The results of the test – behaviour and competency mapping

Data transfer:

The list of potentially involved subcontractors (suppliers) can be found annexed to the Data Transfer Records and can be viewed upon the Partner’s request at any time.

In the Statement of Consent, the Collaborator authorises Sensa to transfer data to the subcontractors related to the Partner’s order, as relevant recipients of data transfer, and specified on the list of subcontractors (suppliers).

The specific recipient – and any other required data related to the transfer – is specified in the Data Transfer Records.

Sensa informs the Partners of the performed activities after the conclusion of the preliminary assessments and surveys, including the above-specified data, and in particular the results of the test.

 

4.3.    Coaching – individual on-the-job development

Purpose of data processing: the Collaborator’s development in a specific work situation, with feedback.

The range of processed data:

-          Collaborator’s name

-          Collaborator’s email address

-          Collaborator’s phone number

-          Collaborator’s job title

Data transfer:

The list of potentially involved subcontractors can be found annexed to the Data Transfer Records and can be viewed upon the Partner’s request at any time.

In the Statement of Consent, the Collaborator authorises Sensa to transfer data to the subcontractors related to the Partner’s order, as relevant recipients of data transfer, and specified on the list of subcontractors.

The specific recipient – and any other required data related to the transfer – is specified in the Data Transfer Records.

4.4.    Training – group development

Purpose of data processing: targeted development of the Collaborators’ theoretical and practical knowledge.

The range of processed data:

-          Collaborator’s name

-          Collaborator’s email address

-          Collaborator’s phone number

-          Collaborator’s job title

Data transfer:

The list of potentially involved subcontractors can be found annexed to the Data Transfer Records and can be viewed upon the Partner’s request at any time.

In the Statement of Consent, the Collaborator authorises Sensa to transfer data to the subcontractors related to the Partner’s order, as relevant recipients of data transfer, and specified on the list of subcontractors.

The specific recipient – and any other required data related to the transfer – is specified in the Data Transfer Records.

 

5. Legal grounds for data processing

Sensa processes the personal data specified in the present Policy based on Sections 5 (1) and 6 (5) of the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, and Article 6 Section (1) subsection a) of the GDPR, for the purposes specified in the present Policy, arising from the performance of contract, based on the freely given, explicit consent of the Collaborator natural person.

 

6. Duration of data processing

Sensa processes the data specified in Section 4 and related to the Collaborator for the duration necessary for the performance of Business consultancy services and for settling accounts with the related Partners, but for no longer than 36 months.

 

7. Data protection laws

Laws of particular significance to the present Policy:

a)    Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of data and on the free movement of such data and repealing Directive 95/46/EC – General Data Protection Regulation – (GDPR) – “Regulation”;

b)    The Fundamental Law of Hungary;

c)    Section 2:42 of Act V of 2013 on the Civil Code;

d)    Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Information Act);

e)      Act XLVII of 1997 on the processing and protection of health care data and associated personal data;

f)     Act LXVI of 1992 on keeping records on the personal data and address of citizens;

g)    Any amended and in force version of the Regulation, and judicial practices and recommendations formulated based on the Regulation by the European Commission and the competent supervisory authority according to the registered seat of the Data Controller.

 

8. Principles of data processing

-         Sensa, in keeping with the requirements of good faith and fairness, must act in cooperation with the data subjects. Sensa must exercise its rights and perform its obligations in accordance with their intended function.

-         Personal data shall retain its status as such for the duration of data processing for as long as its relation to the Collaborator is restorable. Relation to the Collaborator is considered restorable if Sensa possesses the technical conditions for restoration.

-         Sensa ensures the accuracy and completeness of the data during data processing, and if necessary for the purpose of data processing, also ensures that it is kept up to date, and that the data permits identification with the Collaborator for no longer than it is necessary for the purposes for which the data is processed.

-         Sensa must process the personal data lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”).

-         Personal data must only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”);

-         Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).

-         Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (“accuracy”).

-         Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”).

-         Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

-         Sensa is responsible for, and must be able to demonstrate compliance with the principles of data processing (“accountability”).

 

9. Freely given consent

Sensa as data processor processes the personal data, as specified in the present Policy, of the Collaborator natural persons based on the freely given, informed and explicit written consent of the Collaborators (Statement of Consent).

With regard to the confirmation of freely given consent, the rights of the Collaborators and the facilitation of the regularity of data processing, Sensa as Data Transferor considers it expedient and recommends to the Partner – hereby and in any other suitable manner – the use of the Agreement enclosed to this Privacy Policy as Annex 1.

Filling in and signing the statement of consent is on a freely given basis, and consent can be withdrawn free of charge at any time without restriction or justification. The statement of withdrawal (with identification details) can be submitted in any of the following ways:

SENSA CONSULTING Ltd.:

by post to:

1028 Budapest, Harmatcsepp u. 53. or 1125 Budapest, Diós árok 5.

or

by electronic mail to: zsiska.k@sensa.hu

 

10. Transfer and receipt of data

Sensa may exclusively transfer the data processed by Sensa as data processor to the employees of the participants of the Business consultancy services and to the collaborating persons and organisations taking part in the performance of those services, to the extent required for the fulfilment of the purpose of data processing.

Sensa is obliged to inform the data subject employees and all third parties involved in the performance of Business consultancy services of the contents of the present Policy, and is obliged to enforce compliance with said contents.

Furthermore, Sensa is obliged to ensure that the person participating in the transfer or receipt of data shall process the data exclusively to the extent as it is necessary for the fulfilment of the purpose of data processing.

The Collaborator shall be informed of the fact of data transfer and forwarding and/or the authorisation to transfer or forward the data to a new recipient shall be supported by the drawing up of a new Statement of consent supplemented or adjusted with the new recipient of the data transfer.

In case of a person lacking full legal capacity, information must be given to the legal representative, who will exercise the data subject’s right to give a statement.

11. Potential consequences of the failure to provide data:

Sensa will not be able to provide the ordered Business consultancy services to the Partner.

                                     

12. Data recording method

The Collaborator participates in the Business consultancy services based on the service agreement concluded between Sensa and the Partner. When contacted, Sensa as Data processor informs the Collaborator – with expedient completeness – of the range of data that needs to be processed for the use of the service, the duration of data processing, the purpose of data use, the fact of data transfer, the recipients of the transfer, while at the same time calling the Partner’s attention, repeatedly if necessary, to their obligations as Data Controller, particularly as relates to the awareness and availability of the Privacy Policy.

 

13. Data Transfer

Data can only be transferred based on the consent of the data subject or as authorised by law. Sensa can only transfer personal data if the legal basis for the transfer is clear, and the purpose of the data transfer and the person of recipient is precisely specified. Sensa shall document the data transfer in every case, in a way that the process and lawfulness of the transfer can be demonstrated.

Sensa shall not disclose any data on the Collaborators – including the data specified in Section 4 of the present Policy – to third parties other than the subcontractors and employees of the project’s contracting Partner and Sensa.

Sensa shall fulfil the data transfer requirements prescribed by law.

Sensa has the right, at the mutual, unanimous request and authorisation of the Collaborator and the Partner, to transfer the Personal data specified in the authorisation to the third party specified in the authorisation, for the purpose and duration specified in the authorisation. Regarding the processing of the transferred data, the data processing provisions of the third party shall be governing.

In addition to the above, personal data may only be transferred with the unambiguous and explicit consent of the data subject.

 

14. Rectification and erasure of personal data

The data subject has the right to obtain from Sensa without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purpose of data processing, the data subject has the right to have incomplete personal data on them completed, including by means of providing a supplementary statement.

The data subject has the right to obtain from Sensa the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
c) the data subject objects to the processing;
d) the personal data of the data subject has been unlawfully processed;
e) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

The data subject shall have the right to obtain from Sensa restriction of processing where one of the following applies:

a)    accuracy of the personal data is contested by the data subject, for a period enabling Sensa to verify the accuracy of the personal data;

b)    the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c)    Sensa no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

d)    the data subject has objected to processing of data, in which case processing is restricted pending the verification whether the legitimate grounds of Sensa override those of the data subject.

15. Rights of Collaborators regarding the processing of their personal data

Collaborators have the right to request information on the processing of their personal data. Sensa shall respond to requests from the Collaborator without undue delay and at the latest within one month and give information on the data of the Collaborator processed by Sensa, the source of such data, the purpose of, legal grounds for and the duration of processing, the name and address of the data processor, and the activity related to the processing of data.

16. Potential modification of the Privacy Policy

Sensa reserves the right to unilaterally modify the present Policy. The modification and the consolidated text of the Privacy Policy incorporating the modifications must be published in the same manner and place as the present Policy, and shared with all persons to whom Sensa explicitly sends the present Policy or whom it informs of it in any other suitable way.

17. Data security measures

Sensa shall ensure the security of data and to that end shall implement all the necessary technical and organisational measures regarding both the data stored on IT devices and the data stored on traditional, paper-based data carriers. Sensa ensures that the data security rules laid down by the relevant legislation shall be enforced. Sensa shall ensure the security of the data and take the technical and organisational measures and establish the rules of procedure that are necessary for the enforcement of governing legislation and the rules of privacy and confidentiality.

Sensa shall take all reasonable measures in order to protect the data in particular from unauthorised access, alteration, transfer, disclosure, erasure or destruction, as well as from accidental destruction or damage, and inaccessibility due to a change in the applied technology.

When determining and implementing the measures that serve the security of data, Sensa takes into account the respective level of technological development. Out of the several available data processing solutions, Sensa shall choose the one that ensures a higher level of protection of personal data, except in cases when it would entail disproportionate difficulties.

 

18. Procedure for personal data breach

Sensa – as data processor – notifies the personal data breach to the Partner without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. When such notification cannot be achieved within 72 hours, the reasons for the delay will accompany the notification.

If the data controller Partner becomes aware that a personal data breach has occurred, the Controller should notify the personal data breach to the supervisory authority and to Sensa as Data Processor without undue delay.

Sensa shall keep records of personal data breaches, specifying the facts related to the personal data breach, the impact and any remedial actions taken.

Sensa communicates to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person.

Sensa shall communicate the nature of the personal data breach to the data subject in clear and plain language, and include the information specified in the Regulation as well as the actions taken.

Where Sensa has not yet notified the data subject of the personal data breach, the supervisory authority, after considering whether the personal data breach is likely to result in a high risk, may require Sensa to inform the data subject, or ascertain that the notification of the data subject can be disregarded.

19. Data protection officer

Data subjects can turn to the data protection officer in all issues relating to the processing of their personal data by the Data Processor and the exercise of their rights according to applicable laws.

The name and contact information of the data protection officer appointed by Sensa:

name: Zsiska Krisztina

postal address: 1125 Budapest, Diós árok 5.

email: zsiska.k@sensa.hu

 

20. Enforcement of rights

a.)   If you have any questions or concerns regarding the data processing or data transfer activities of Sensa Consulting Consultancy and Service Provider Ltd., please contact our Data protection officer using any of the contact information specified in Section 19 above. The data protection officer shall answer your privacy related questions, and in case of a problem or complaint, shall conduct a thorough investigation jointly with Sensa, and notify you of the results.

b.)   The data subject may also seek judicial remedy against the data controller if the data subject’s rights are injured. The court will give the case priority. Court cases initiated in the protection of personal data are free of court fees.

c.)   The data subject may submit their complaints to the National Authority for Data Protection and Freedom of Information (mailing address: 1534 Budapest, Pf.: 834; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c).

 

21. Publication of Privacy Policy

Sensa must directly send – or share in another way – the present Policy and all its amendments to the Partner.

Partner must in due time give the Collaborator the opportunity to read and understand the present Policy before the start of the performance of Business consultancy services specified in the contract concluded with Sensa.

 

22. Final provisions

The present Policy takes effect on the day on which it is signed.

The provisions of the present Policy shall be applied to data processing activities undertaken after the Policy has taken effect.

The provisions of the present Policy shall also be applied to data processing activities in progress when the Policy takes effect.

For the matters not regulated by the present Policy, the provisions of the laws specified in Section 7 shall be governing.

When the present Policy takes effect, the previous privacy policies of Sensa shall lose effect.

15 October 2018, Budapest

Contact us

Tel: +36 1 3916144

Mobile: +36 20 2036079

http://www.sensa.hu/kapcsolat/