RECORD OF PROCESSING ACTIVITIES
From data controller
The records to be kept by the controller must contain the following information:
- the name and contact details of the controller (and, where applicable, the name and contact details of the joint controller, the controller’s representative and the Data Protection Officer);
- the purposes of the processing (some typical purposes (the list is not exhaustive): processing of employee data in connection with the employment relationship; operation of a CCTV system; monitoring of the use of email/laptop/Internet by employees; employer abuse reporting system; direct marketing; processing of customer data; processing of data under B2B contracts; organisation of a prize draw; operation of a webshop; use of a debt management company, etc.);
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to whom the personal data are or will be disclosed, including recipients in third countries or international organisations;
- where applicable, information on the transfer of personal data to a third country or international organisation, including the identification of the third country or international organisation and a description of the appropriate safeguards;
- the time limit foreseen for the deletion of different categories of data;
- a general description of the technical and organisational measures taken to maintain data security (e.g. who has access to the data; the IT security level applied).
It is also recommended to describe the processing activity in a few sentences and to specify the legal basis for the purpose (possible legal bases are set out in Article 6(1) and, for special categories of personal data, in Article 9(2)).
Name of data controller: Trendidivat Fashion Kft. Phone: +36 …. E-mail: trendidivatfashionkft@gmail.com Data Controller’s representative: József Katona Phone: +36 …. E-mail: trendidivatfashionkft@gmail.com
| Purpose of data processing | Legal basis for data processing | Categories of persons concerned | Categories of personal data | Recipients (with whom personal data are shared) | Transfers to third countries and safeguards | Time limits foreseen for deletion | Technical and organisational measures taken to ensure the security of data processing (if possible) |
|---|---|---|---|---|---|---|---|
| processing of employee data for the fulfilment of legal (notification) obligations, establishment, maintenance and termination of employment relationships, contact management, payment of wages… | performance of an employment contract, performance of a legal obligation, consent of the data subject | workers | name, address, date and place of birth, mother’s name, social security number, tax identification number, telephone number, e-mail address, education, bank account number, number of children | data are transferred to the company carrying out the accounting and payroll services in order to fulfil a legal obligation; no other data are transferred | No transfer to a third country. | processing necessary for compliance with a legal obligation: for the period specified in the legislation; processing based on consent: for an indefinite period or until the withdrawal of the data subject’s consent | employee information, training, IT system protection: firewall, virus protection, password protection |
| customer data management for issuing invoices, contacting the customer, contract fulfilment | consent of the data subject, performance of the contract | customer, contact person provided by the customer | name, e-mail address, telephone number, basic data necessary for issuing the invoice (name, address/address, tax number) and all personal data, including sensitive data, which are collected in the course of the performance of the matter covered by the mandate | transmission of invoice data to accountancy firms; other data transmission to authorities and courts, if necessary | No transfer to a third country. | indefinitely or until the withdrawal of the data subject’s consent | employee information, training, IT system protection: firewall, virus protection, password protection |
| managing partner data (suppliers), contacting the partner | consent of the data subject, performance of the contract | partner, contact person provided by partner | name, e-mail address, phone number | transmission of invoice data to an accounting firm; no other data transmission | No transfer to a third country. | indefinitely or until the withdrawal of the data subject’s consent | employee information, training, IT system protection: firewall, virus protection, password protection |
DATA PROTECTION INCIDENT RECORD
A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach may cause physical, pecuniary or non-pecuniary damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse, financial loss, unauthorised impersonation, damage to reputation, damage to the confidentiality of personal data protected by professional secrecy or other significant economic or social harm to the natural persons concerned.
The data protection incident must be notified to the data protection authority (using a so-called ‘model data protection incident report’, the content of which is specified in the GDPR) without undue delay and, if possible, no later than 72 hours after the data protection incident has come to the controller’s attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. The data breach notification must:
- (a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;
- (b) state the name and contact details of the Data Protection Officer or other contact person who can provide further information;
- (c) explain the likely consequences of the data breach;
- (d) describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.
It is also the responsibility of the data processor to notify the data controller of the personal data breach without undue delay after becoming aware of it.
If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subjects of the personal data breach without undue delay. The notification shall include the information referred to in points (b), (c) and (d). The data subject need not be informed if one of the following conditions is met:
- the controller has implemented protection measures for the data affected by the data breach, such as encryption that makes the data unintelligible to unauthorised persons;
- the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- informing the data subjects would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.
The data controller shall keep a record of data breaches, in which the following shall be recorded:
- the facts related to the data breach
- the impact of the data breach
- the measures taken to remedy the data breach
The supervisory authority may request the production of records during the inspection and use them as a basis for checking compliance with the requirements relating to data protection incidents.
DATA PROTECTION INCIDENT RECORD
Name of data controller: Trendidivat Fashion Kft. Phone: +36 …. E-mail: trendidivatfashionkft@gmail.com Data Controller’s representative: József Katona Phone: +36 …. E-mail: trendidivatfashionkft@gmail.com
| Serial number | Date | Facts related to the data breach (nature of the breach, categories and approximate number of data subjects, categories and approximate number of personal data records affected by the breach) | Impact of the data breach, likely consequences | Measures taken to remedy/mitigate the data breach | Have the supervisory authority / data subjects been informed; if yes, when |
|---|---|---|---|---|---|
DATA BREACH NOTIFIER
Name of data controller: Trendidivat Fashion Kft. Phone: +36 … E-mail: trendidivatfashionkft@gmail.com Representative of the Data Controller: József Katona Phone: +36 … E-mail: trendidivatfashionkft@gmail.com
| Serial number | Date | Nature of the data breach, categories and approximate number of data subjects, categories and approximate number of data records affected by the incident | Data Protection Officer / Contact Name | Contact | Likely consequences | Measures taken to remedy/mitigate the data breach |
|---|---|---|---|---|---|---|