Psychosocial Risk Survey
1. The data controller
The Alternative Consulting Group Limited Liability Company (registered company number, 13 09 150909, registered office: 2100 Gödöllő Juhar u. 2, hereinafter referred to as "Data Controller") complies with EU Regulation 2016/679 (GDPR) and 2011 on the right to self-determination of information and freedom of information. CXII of . Act, in order to fully comply with the legal provisions, creates the present data protection and data management regulations and information (hereinafter: "Regulations"), which is made available to its Customers on the website www.stressz-m.hu. These regulations regulate the scope, manner, purpose and other conditions of use of the personal data of the Company providing the data and its employees (hereinafter: "Client"). The Regulation is also a data protection information sheet.
2.1. Affected person: any natural person identified or - directly or indirectly - identified on the basis of personal data (Client, Employee);
2.2. Data controller: the legal person who, independently or jointly with others, determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or has them implemented with the data processor;
2.3. Data management: regardless of the procedure used, any operation performed on the data or the set of operations, including in particular collection, recording, recording, organization, storage, change, use, query, transmission, disclosure, coordination or connection, locking, deletion and destruction, and preventing the further use of the data, taking photographs, audio or video recordings;
2.4. Personal data: data that can be associated with the data subject - especially the data subject's name, email address, telephone number, and the conclusion that can be drawn from the data regarding the data subject;
2.5. Consent: the voluntary and decisive declaration of the data subject's will, which is based on adequate information, and with which he gives his unequivocal consent to the processing of his personal data - in full or covering certain operations;
2.6. Data processing: performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;
2.7. Data processor: a natural or legal person, or an organization without legal personality, who processes data on the basis of a contract - including a contract concluded under the provisions of the law.
2.8. Data transfer: making the data available to a specific third party;
2.9. Data deletion: making data unrecognizable in such a way that their recovery is no longer possible;
2.10. Data protection incident: an incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
3. Name of the Data Controller
Company name: Alternativa Consulting Group Ltd.
Headquarters: H-2100 Gödöllő Juhar street. 2.
Company registration number: 13 09 150909
Tax number: 23557974-2-13.
Managing Director: István Faragó
When handling the Customer's personal data, the Data Controller complies with Regulation 2016/679/EU (GDPR), CXII of 2011 on the right to self-determination of information. the provisions of the law.
4. Legal basis of data management, purpose of data management, scope of managed data
4.1. The online survey, which provides a data management solution for mapping psychosocial risks, provides a correct and professional diagnosis for private individuals/employees using the services provided by Stressz-M and provides corresponding advice/feedback and development. Data management is carried out on the basis of a voluntary and informed declaration. By accepting the statement, the Customer gives his express consent to the use of his personal data.
The Customer's consent to the handling of the above-mentioned data is given by the acceptance of the declaration after prior knowledge of this data protection regulation. The Customer gives his explicit and voluntary consent in this regard to the Data Controller managing and storing his data and preparing comprehensive personal and anonymous group and corporate feedback. If the performance of the contract requires it, the Data Controller shall send you inquiries containing information materials and current programs for informational purposes.
4.2. The purpose of data management is to assess psychosocial risks and negative stress effects, and to prepare correct and professional individual, group and company-level reports from the collected data, to provide adequate information that matches the problems that have arisen, and, if necessary, to provide further development, contact and information.
The Data Controller stores the data provided by the data subject exclusively for the above purposes.
The way it is used by the data controller is as follows:
during the use of the services, it serves the purposes of keeping in touch, providing an individual report, as well as providing informative, developmental and informational materials for the Customer. The Data Controller provides the Customer with information about the services it provides by e-mail.
The recorded data serve identification, contact, health status, habits, ability to cope, social relations, manager-subordinate relations and screening of organizational processes, as well as follow-up and development purposes.
4.3. The data manager does not check the personal data provided to him. The person providing the data is solely responsible for the accuracy of the data provided.
4.4. Scope of processed data:
The range of data managed by the Data Controller at the Data Controller's headquarters and premises for the purposes defined in the regulations covers the following personal data provided:
- employee ID
- year, month, day of birth
- company e-mail
- personal data and information provided in the questionnaire and during registration
The Customer's data is stored in the database in order to fulfill the above objectives.
For the purposes indicated in these regulations, the Data Controller may process personal data only upon prior determination of the data management purpose and on the basis of the Customer's clear and prior consent, which the Customer accepts voluntarily and online after appropriate information. After reading the Data Protection Declaration, the Customer consents to the processing of the provided data.
The Data Controller ensures that the Customer's Statement can be withdrawn at any time, without limitation or justification, after which the Data Controller will delete the Customer's name and other provided data within 3 (three) working days and will no longer send information to the Customer thereafter.
5. Duration of data management
5.1. The processing of the provided data begins with the data collection related to the survey and the acceptance of the data management statement and lasts until its deletion. You can request the change or deletion of the recorded data - if the conditions for this are met - in an email sent to the data controller.
5.2. The above provisions do not affect the fulfillment of the statutory retention obligations, as well as the data necessary to prove the fulfillment later.5.3. At the end of the data management period, the Data Controller is obliged to delete the Customer's personal data in a way that makes identification with the data subject impossible.
6. Scope of data access, data transfer
6.1. The Customer's personal data can be accessed by the Data Controller and its employees and agents, who are obliged to fulfill the same data protection and confidentiality obligations as the Data Controller. The data is used exclusively by the Data Controller, and information is forwarded anonymously to the employee in the form of aggregated reports. They are not released to third parties.
6.2. A service provider can use a data processor (e.g. system operator, developer, expert). The service provider is not responsible for the data management practices of such external actors.
6.3. Data transfer, data connection:
Personal data can be transferred, and different data processing can be linked, if the data subject has consented to it, or if the law allows it, and if the conditions for data processing are met for each individual piece of personal data. The Data Controller does not forward data to third countries.
The Data Controller informs the Customer that the operator of our web server:
Name: Máté Kaszás e.v.
Address: 1094 Budapest Balázs Béla utca 3. III.em 37.
Tax number: 66156198-1-43
7. Obligations of the Data Controller, data security
7.1. The Data Controller will do everything possible to protect the personal data it manages against unauthorized access, change, disclosure, deletion, damage, destruction, as well as against the deletion, damage, or destruction of other data.
7.2. The Data Controller, or the data processor within the scope of their activities, is obliged to ensure the security of the data, and is also obliged to take the technical and organizational measures and establish the procedural rules that are necessary to enforce the data management law and other data and privacy protection rules.
7.3. The data must be protected in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage. In order to ensure the technical protection of personal data, the Data Controller, the data processor, or the operator of the telecommunications or IT device must take special protection measures if the personal data is transmitted via a network or other IT device.
8. Customer's rights
8.1. The Customer has the right to request information about the personal data managed by the Data Controller and to modify them at any time, if the legal conditions for modifying the relevant data exist. The customer is also entitled to request the deletion of their data via the contact details provided in this point.
8.2. At the Customer's request, the Data Controller provides information about the data it handles, the purpose, legal basis, and duration of the data processing, as well as who and for what purpose receives or has received its data. The data controller shall provide the requested information in writing within 30 (thirty) days from the date of submission of the request.
8.3. The data subject can exercise his rights at the following contact details:
Mailing address: H-2100 Godollo Juhar street. 2.
Data protection representative: István Faragó
With any questions or comments related to data management, the Customer can contact the Data Controller's staff via the contact details above.
8.4. The Customer is entitled to request the correction or deletion of his/her incorrectly recorded data at any time. The data manager will delete the data within 3 (three) working days from the receipt of the request, in which case they will not be recoverable. The deletion does not apply to the data processing required by law, which will be kept by the Data Controller for the necessary period of time.
8.5. If the Customer/Employer perceives/assumes that data is being processed unlawfully, they have the right to:
The right to lodge a complaint with a supervisory authority: without prejudice to other administrative or judicial remedies, all data subjects have the right to lodge a complaint with a supervisory authority – in particular in the Member State of their habitual residence, place of work or the place of the alleged infringement – if the judgment of the data subject According to the Data Controller, the processing of personal data relating to him is violated.
The right to an effective judicial remedy against the supervisory authority: without prejudice to other administrative or non-judicial remedies, every natural and legal person is entitled to an effective judicial remedy against the legally binding decision of the supervisory authority. Proceedings against the supervisory authority must be initiated before the court of the Member State where the supervisory authority is based.
The right to an effective judicial remedy against the data controller or the data processor: without prejudice to the available administrative or non-judicial remedies, including the right to file a complaint with the supervisory authority, all data subjects are entitled to an effective judicial remedy if, in their judgment, their personal data does not comply with the regulation his rights were violated as a result of his inappropriate treatment. Proceedings against the data controller or data processor must be initiated before the court of the Member State where the data controller or data processor operates. Such a procedure can also be initiated before the court of the Member State of the habitual residence of the person concerned, unless the data controller or the data processor is a public authority of a Member State acting in the capacity of public authority.
8.6. At the Customer's request, the Data Controller provides information about the data managed by it or processed by the processor commissioned by it, the purpose, legal basis, duration of the data processing, the name, address (headquarters) of the data processor and its activities related to data processing, as well as who and for what purpose receive or have received the data.
The data controller is obliged to provide the information in writing in an understandable form as soon as possible, but no later than 30 (thirty) days after the submission of the request. The Data Controller may refuse to inform the data subject, but is obliged to inform the data subject of the reason for refusing information.
8.7. Personal data must be deleted if:
a) its handling is illegal,
b) At the customer's request,
c) it is incomplete or incorrect - and this state cannot be legally corrected - provided that deletion is not excluded by law,
d) the purpose of data management has ceased, or the statutory period for data storage has expired,
e) it was ordered by the court or the data protection commissioner.
8.8. The Customer, as well as all those to whom the data was previously forwarded for the purpose of data management, must be notified of the correction and deletion. The notification can be omitted if this does not violate the legitimate interests of the Customer in view of the purpose of the data management.
8.9. Right to protest:
The Data Subject may object to the processing of his personal data if
a) the processing (transmission) of personal data is necessary only to assert the rights or legitimate interests of the Data Controller or the data recipient, unless the data processing is mandated by law;
b) the exercise of the right to protest is otherwise permitted by law.
The Data Controller - with the simultaneous suspension of data management - is obliged to examine the objection as soon as possible from the submission of the request, but no later than 30 (thirty) days, and to inform the applicant in writing of the result. If the protest is justified, the Data Controller is obliged to terminate the data management - including further data collection and transmission - and to lock the data, as well as to notify all those to whom the personal data affected by the protest was previously transmitted about the protest and the measures taken based on it, and who are obliged to take measures to enforce the right to protest.
If the Data Subject does not agree with the above decision of the Data Controller, he may appeal to the court within 30 (thirty) days from the date of its notification.
9.1. Court route:
In the event of a violation of their rights, the Data Subject may apply to court against the Data Controller. The court acts out of sequence in the case. The Data Controller is obliged to prove that the data management complies with the provisions of the law. The court at the seat (residence) of the Data Controller has jurisdiction over the lawsuit. The lawsuit can also be initiated - at the Data Subject's choice - in the court of the Data Subject's place of residence (place of stay). If the court approves the request, it obliges the Data Controller to provide information, correct or delete the data, cancel the automated individual decision, and release the requested data, taking into account the data subject's right to protest. The court can order the publication of its judgment - by publishing the identification data of the Data Controller - if it is required by the interests of data protection and the rights of a larger number of stakeholders protected by this law.
9.2. Procedure of the Data Protection Commissioner: If the Customer feels that he has been violated in connection with the handling of his personal data, he may initiate a procedure before the National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.).
10. Other provisions
10.1. Its data management system collects data on user activity, which can be linked to other data provided by users during registration. The purpose of data collection is the efficient implementation of company-level development programs.
10.2. In any case, if the Data Controller intends to use the provided data for a purpose other than the purpose of the original data collection, the user will be informed of this, and the user's prior express consent will be obtained, and the user will be given the opportunity to prohibit the use.
10.3. The data manager undertakes to ensure the security of the data, and to take technical measures to ensure that the recorded, stored and managed data are protected, and to do everything possible to prevent their destruction, unauthorized use and unauthorized alteration. You also undertake to call on all third parties to whom you may forward or transfer the data to fulfill their obligations in this regard.
10.4. The Data Controller reserves the right to unilaterally amend these Regulations with prior notice to the Customers. After the amendment enters into force, the Customer accepts the contents of the amended Regulations by using the service.
10.5. Inform the data subject about the data protection incident: if the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, inform the data subject about the data protection incident without undue delay. In the information given to the person concerned, the nature of the data protection incident must be clearly and comprehensibly described, and at least the information and measures mentioned in points b), c) and d) of Article 33 (3) of the Regulation must be communicated.
10.6. The data controller provides the information, information on the Customer's rights and measures free of charge. If the Customer's request is clearly unfounded or - especially due to its repetitive nature - excessive, the Data Controller may refuse to take action based on the request, taking into account the administrative costs associated with providing the requested information or information or taking the requested action.
11. Governing laws
In other matters not regulated in these Regulations, the following legislation shall govern:
a) Act V of 2013 on the Civil Code 2:43. §-the;
b) CXII of 2011 on the right to information self-determination and freedom of information. law.
c) Regulation 2016/679/EU (GDPR)
11 of November 2021. Budapest
I hereby declare that I have read and accept the Data Protection Policy!