1. Right to information
The Company takes appropriate measures to make sure that all communications mentioned in Articles 13 and 14 of GDPR regarding the processing of personal data and all information mentioned in Articles 15-22 and 34 of GDPR are provided to Data Subjects in a brief, transparent, comprehensible and easy-to-access manner, formulated clearly and understandably.
The right to information may be exercised in writing through the contacts specified in Chapter II of this Information.
Oral information may also be provided upon the Data Subject's request provided that the Data Subject was identified in another manner.
The Company must provide information upon the Data Subject's request in writing within the shortest possible time from the receipt of the request but within 25 days at the latest in understandable form.
2. Right of access
The Data Subject has the right to receive feedback from the Company on whether his or her personal data is being processed and if such data is being processed, the Data Subject has the right to have access to the personal data and to the information listed below.
a) the purposes of processing;
b) categories of the personal data of the Data Subject;
c) recipients or categories of recipients to whom the personal data was or will be communicated, in particular, third country recipients or international organizations;
d) if relevant, the planned period of keeping of the personal data or, if this cannot be specified, the aspects of determining the period of keeping;
e) the Data Subject's right to request from the data controller the rectification, deleting or restriction of processing of the personal data relating to him or her and to object to the processing of such data;
f) the right to submit complaints to any supervisory authority;
g) if the data was not collected from the Data Subject, all information available regarding the source of the data;
h) the existence of automated decision-making, including profiling and, at least in those cases, information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject.
The Company will make a copy of the processed personal data available to the Data Subject. The Company may charge a reasonable fee based on the relating administrative expense for further copies requested by the Data Subject. Upon the Data Subject's request, the Company will provide the information in electronic form.
3. Right to rectification
The Data Subject has the right to the rectification of his or her inaccurate personal data by the Company upon the Data Subject's request without unjustified delay. Taking the purpose of processing into account, the Data Subject also has the right to request supplementation of incomplete personal data (among others, by submitting a supplementary declaration).
4. Right to erasure
The Data Subject has the right to the erasure of his or her personal data by the Company upon the Data Subject's request without unjustified delay and the Company is obliged to erase the personal data relating to the Data Subject without unjustified delay if any of the following conditions apply:
a) the personal data is no longer necessary for the purpose for which it was collected or otherwise processed;
b) the Data Subject withdraws his or her consent forming the basis of processing and the processing of the data has no other legal basis;
c) the Data Subject objects to the processing of the data and there is no overriding legitimate cause for the processing of the data or the Data Subject objects to processing;
d) the personal data was processed illegitimately;
e) the personal data has to be erased in order to fulfil a legal obligation prescribed by EU or member state law applicable to Company;
f) the personal data was collected in relation to the offering of information society services.
5. Right to be forgotten
Where the controller has made the personal data public and is obliged to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
6. Right to the restriction of processing
The Data Subject has the right to the restriction of the processing of data by the Company upon his or her request if any of the following conditions is fulfilled:
a) the Data Subject challenges the accuracy of the personal data in which case the restriction will apply to the period that is necessary for the Company to verify the correctness of the personal data;
b) processing of the data is illegitimate and the Data Subject objects to the deleting of the data and instead requests a restriction of their use;
c) the Company no longer needs the personal data for processing but the Data Subject requests the keeping of the data for the submission, enforcement or protection of legal claims;
d) the Data Subject objected to the processing of the data in which case the restriction will apply to the period until the priority of the Company's legitimate interests to the Data Subject's legitimate interests is determined.
7. Right to data portability
The Data Subject has the right to receive the personal data relating to him or her that he or she provided to the Company in a structured, widely used and computer readable form and has the right to forward such data to another data controller.
8. Right to object
The Data Subject has the right to object to the processing of his or her personal data at any time for reasons relating to his or her situation if the personal data is processed for the Company's legitimate interest.
9. Resort to court
In the case of infringement of the Data Subject's rights relating to data processing, the Data Subject may resort to court in the cases defined in the Privacy Act.
10. Indemnification and compensation
If the Data Subject suffers any damage in relation to data processing, he or she may claim indemnification according to the provisions of the Privacy Act.
If the Company infringes rights relating to the personality of the Data Subject by the illegitimate processing of his or her data or non-compliance with data security requirements, the Data Subject may claim compensation from the Company.
11. Procedural rules
The Company must, without unjustified delay but within one month from the receipt of the relevant request, inform the Data Subject of the measures taken in accordance with point 2-8 of this Chapter III. If necessary, with regard to the complexity of the request and the number of requests, this deadline may be extended by two further months. The Company must notify the Data Subject of the extension of the deadline within one month of the receipt of the request, naming the causes of the delay. If the request was submitted by the Data Subject electronically, the notice shall, if possible, also be given electronically unless requested otherwise by the Data Subject.
If the data controller does not take measures based on the Data Subject's request, it must notify the Data Subject without delay but within one months of the receipt of the request at the latest of the causes for not taking any measures and of the fact that the Data Subject may submit a complaint with any supervisory authority and may exercise his or her right to legal remedy in court.
The Company will provide the requested information and notices and take the requested measures free of charge. If the Data Subject's request is manifestly unfounded or excessive, in particular because of its repetitive character, the Company may, with regard to the administrative costs involved in the provision of the requested information or notice or the taking of the requested measure:
a) charge a reasonable fee or
b) refuse to act on the request.
The burden of proof of the request being manifestly unfounded or excessive lies with the Company.
Data Subjects may submit complaints concerning the data processing of the Company to National Authority for Data Protection and Freedom of Information (NAIH):
Name: National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
For any matters not regulated herein, the provisions of the Privacy Act and GDPR shall apply.
Erste Asset Management Ltd.