Privacy Policy for Personal Data Processing During the Use of the "Hulladék 112" Application by GYHG Győr Waste Management Non-Profit Ltd.

Publikálva: 2024-12-12 Utolsó módosítás: 2024-12-19

Magyar verzió

1. Purpose of the Policy:

The GYHG Győr Waste Management Non-Profit Ltd. /9024 Győr, Bartók Béla út 29. ground floor 4. Hereinafter: Company/ as the data controller, conducts its data processing activities in accordance with Act CXII of 2011 on Informational Self-Determination and Freedom of Information /Info Act/ and Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"). The purpose of this policy is to provide information to natural persons using the Company's "Hulladék 112" application about the data processed by the Company and other related activities. The terms used in this policy correspond to the definitions in Regulation (EU) 2016/679 ("GDPR").

2. Definitions:

  • "Personal Data":
    Any information related to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • "Data Processing":
    Any operation or set of operations performed on personal data or data sets, whether by automated or non-automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Restriction of Processing":
    The marking of stored personal data with the aim of limiting their processing in the future.
  • "Profiling":
    Any form of automated processing of personal data that involves the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  • "Pseudonymization":
    The processing of personal data in such a manner that the data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  • "Filing System":
    Any structured set of personal data, whether centralized, decentralized, or dispersed according to functional or geographical criteria, that are accessible according to specific criteria.
  • "Data Controller":
    A natural or legal person, public authority, agency, or other body that determines, alone or jointly with others, the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
  • "Data Processor":
    A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
  • "Recipient":
    A natural or legal person, public authority, agency, or another body to whom or which the personal data are disclosed, whether a third party or not. However, public authorities that may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.
  • "Third Party":
    A natural or legal person, public authority, agency, or other body that is not the data subject, the controller, the processor, or persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  • "Consent of the Data Subject":
    A freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
  • "Data Breach":
    A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
  • "Genetic Data":
    Personal data relating to the inherited or acquired genetic characteristics of a natural person that provide unique information about the physiology or health of that person and which result, in particular, from the analysis of a biological sample from the individual in question.
  • "Biometric Data":
    Personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (fingerprints).
  • "Health Data":
    Personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about that person's health status.
  • "Main Establishment":
    • a) For a controller with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the authority to implement such decisions, in which case the establishment that took the decisions shall be considered the main establishment.
    • b) For a processor with establishments in more than one Member State, the place of its central administration in the Union, or if the processor has no central administration in the Union, the establishment in the Union where the main processing activities take place in the context of the processor's activities, to the extent that the processor is subject to specific obligations under this Regulation.
  • "Representative": A natural or legal person established in the Union, who is designated by the controller or processor in writing in accordance with Article 27 and represents the controller or processor with regard to their respective obligations under this Regulation.
  • "Enterprise": A natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in an economic activity.
  • "Group of Enterprises": A controlling undertaking and its controlled undertakings.
  • "Binding Corporate Rules": Policies regarding the protection of personal data adopted by a controller or processor established in the territory of a Member State, applicable to the transfer of personal data or a set of transfers within a group of undertakings or group of enterprises engaged in a joint economic activity to a controller or processor in one or more third countries.
  • "Supervisory Authority": An independent public authority established by a Member State pursuant to Article 51.
  • "Concerned Supervisory Authority": A supervisory authority which is concerned with the processing of personal data because:
    1. the controller or processor is established in the territory of the Member State of that supervisory authority;
    2. data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
    3. a complaint has been lodged with that supervisory authority.
  • "Cross-border processing of personal data":
    1. Processing of personal data within the Union that takes place in connection with the activities of an establishment of a controller or processor in more than one Member State; or
    2. Processing of personal data within the Union that takes place in connection with the activities of a single establishment of a controller or processor but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
  • "Relevant and reasoned objection": An objection submitted against the draft decision concerning whether this regulation has been violated and whether the proposed measure regarding the controller or processor is in line with the regulation; the objection must clearly demonstrate the significance of the risks posed by the draft decision to the fundamental rights and freedoms of the data subjects, as well as, where applicable, the free flow of personal data within the Union.
  • "Information society service":
    A service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

  • "International organization":
    An organization subject to public international law, or any subordinate bodies thereof, or any other body established by, or based on, an agreement between two or more countries.

3. Principles for Data Processing:

At the Company, personal data must be processed legally and fairly, with a specific purpose, sparingly, accurately, with limited storage, confidentially, and in an accountable and transparent manner for the data subject.

Personal data:

  • May be collected only for specific, clear, and lawful purposes
  • May be processed exclusively in a manner compatible with these purposes
  • Must be adequate and relevant
  • Must be limited to the necessary minimum
  • Must be accurate and, if necessary, up-to-date
  • Must be stored in a form that allows identification of data subjects only for the duration necessary to achieve the purposes of data processing
  • During processing, data must be secured appropriately, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage

4. Personal data processed in connection with the use of the “Waste 112” application:

Purpose of data processing:
To record the position and quantity of illegally dumped waste with a photo to facilitate its removal, to provide a waste calendar, to submit selective container emptying requests, and to communicate with natural persons using the application via push notifications.

Scope of data subjects:
Natural persons who install and use the “Waste 112” application.

Scope of data processed during the use of the application:

  • Reporting illegally dumped waste: Content of the description associated with the photo of the waste and GPS location.
  • Selective container emptying request: Content of the description associated with the photo of selective waste collection containers.
  • Providing a waste calendar: Name of the settlement, street, and house number.

Legal basis for using the application:
Article 6(1)(a) of EU Regulation 2016/679 (“GDPR”) (voluntary consent).

Duration of personal data processing submitted during the application’s use:
Until the application is used or until the consent for data processing is withdrawn.

Persons authorized to access the data:
Representatives of the Company, customer service employees, employees of data processing companies, and the data protection officer.

5. Visitor Statistics

During the use of the application, the operator utilizes external services provided by Google Firebase for statistical data services:

  • Google Analytics Application: The data controller uses the Google Analytics application, an analytics service provided by Google Inc. (“Google”), during the use of the application. Google Analytics uses so-called "cookies," text files that facilitate the analysis of the downloaded application's usage. Information related to the application used by the user is typically transferred to and stored on a Google server in the USA. On behalf of the application operator, Google will use this information to evaluate how the user utilizes the application, to prepare reports on application activity for the operator, and to provide other services related to application usage.
  • Crashlytics Application: The Crashlytics service is a crash-reporting software that logs the usage data of the downloaded application, providing information about the details of application usage, including device status, usage and location data, and the analysis of unique device identifiers.

For information about Google’s data protection practices, please visit the following website:
https://policies.google.com/privacy

6. Data Processing During Application Use:

In the course of operating the application, the Company engages the following data processors:

  • BlueSpot Kft, 9086 Töltéstava, Karácsony Sándor utca 9.
  • One Signal, 201 S B St, San Mateo, CA 94401 USA
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

7. Rights of Persons Using the Application:

  • Right of Access:
    The data subject is entitled to receive confirmation from the data controller about whether personal data processing is ongoing, and if such processing is in progress, is entitled to access the personal data collected by the data controller.
  • Right to Rectification:
    The data subject is entitled to request that the data controller rectify inaccurate personal data without undue delay. Taking into account the purpose of data processing, the data subject is entitled to request the completion of incomplete personal data, including through supplementary statements.
  • Right to Erasure:
    The data subject is entitled to request that the data controller erase personal data without undue delay, and the data controller is obliged to erase personal data without undue delay under the conditions specified in Article 17(1) of EU Regulation 2016/679.
  • Right to Be Forgotten:
    If the data controller has made the personal data public and is obliged to erase it, it shall take reasonable steps, taking into account available technology and implementation costs, to inform data controllers processing the data that the data subject has requested the deletion of links to or copies of the personal data in question.
  • Right to Restriction of Processing: The data subject is entitled to request that the data controller restrict processing if any of the following conditions are met:
    • The data subject contests the accuracy of the personal data, in which case the restriction applies for a period that allows the data controller to verify the accuracy of the personal data
    • The processing is unlawful, and the data subject opposes deletion and instead requests restriction of use
    • The data controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims
    • The data subject has objected to processing; in this case, the restriction applies until it is determined whether the data controller's legitimate grounds override the data subject's legitimate grounds.

  • Right to Data Portability:
    The data subject is entitled to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, machine-readable format, and is entitled to transmit these data to another data controller without hindrance from the data controller to which the personal data were provided, if the data processing is based on consent under Article 6(1)(a) of EU Regulation 2016/679 and the processing is carried out by automated means.

  • Automated Decision-Making, Including Profiling: The data subject is entitled not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them.

    The previous paragraph does not apply if the decision:

    • Is necessary for the conclusion or performance of a contract between the data subject and the data controller

    • Is authorized by Union or Member State law applicable to the data controller, which also establishes appropriate measures to safeguard the data subject's rights, freedoms, and legitimate interests, or

    • Is based on the data subject's explicit consent.

8. Response Timeframes:

The Company will provide information about measures taken in response to data processing requests within 1 month of receiving the request. This deadline may be extended by 2 months for valid reasons. The data controller will provide information about the reason for the delay within 1 month of receiving the request. If the data controller does not take action on the data subject's request, they will provide an explanation for the lack of action without delay, but no later than one month after receiving the request, and inform about the method of filing a complaint with the supervisory authority and court.

9. Security Measures:

The data controller and data processor shall implement appropriate technical and organizational measures to ensure a level of data security commensurate with the risk, taking into account the state of technology and implementation costs, the nature, scope, context, and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons. These may include:

  1. Pseudonymization and encryption of personal data
  2. Ensuring the ongoing confidentiality, integrity, availability, and resilience of data processing systems and services
  3. The ability to restore access to and availability of personal data in a timely manner in the event of a physical or technical incident
  4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring data security.

10. Notification of Data Subjects About Potential Data Breaches and Reporting to the Supervisory Authority:

The Data Controller shall report the data breach without undue delay, but no later than 72 hours after becoming aware of it, to the competent supervisory authority, except when the data breach is unlikely to pose a risk to the rights and freedoms of natural persons.

If the data breach is likely to pose a high risk to the rights and freedoms of the affected persons, the data controller will promptly notify the data subject about the data breach without undue delay.

11. Person Authorized to Delete, Modify, or Restrict Personal Data Processing:

  • Dr. Erős László Péter Data Protection Officer
  • Postal Address: 9024 Győr, Bartók Béla út 29. ground floor 4.
  • Email: info@gyhg.hu
  • Phone: +36 30 650 1718
12. Legal Remedies:

In the event of a violation of rights or observations, the data subject can make a statement through the following channels:

  • By post to GYHG Győr Waste Management Non-Profit Ltd., 9024 Győr, Bartók Béla út 29. ground floor 4.
  • By email to info@gyhg.hu
  • By phone at +36 96 677 777

In case of rights violations, you can contact the following authorities:

  • The Győr Court of Law (competent court at the data controller's headquarters) or the Court of Law at the data subject's place of residence or place of stay. The competent courts can be found at https://birosag.hu/birosag-kereso
  • National Authority for Data Protection and Freedom of Information: Address: 1055 Budapest, Falk Miksa u. 9-11.
    Postal Address: 1363 Budapest, Pf. 9.Email: ugyfelszolgalat@naih.hu Online case initiation: www.naih.hu