Privacy Policy

Table of contents

  1. Introduction
    1. You can object to data processing
  2. Individual data management
    1. Shift Hungary Kft. data management related to its activities
      1. Purpose of data management
      2. Expected impact of data management on the user (data subject)
      3. The data controller and its contact details
      4. The scope and type of persons and stakeholders affected by data management
      5. The processed personal data
      6. Legal basis for data management
      7. Who can access the user’s (data subject) personal data
      8. Is the user (data subject) obliged to provide his personal data?
      9. Data management and storage time
      10. Transfer of personal data to a third country
      11. Automated decision-making and profiling in relation to data management
  3. Rights of the data subjects whose personal data is processed during data processing
    1. Right to information
    2. The data subject’s right of access
    3. Right to rectification
    4. Right to erasure, “right to be forgotten”
    5. The right to restrict data processing
    6. Notification obligation related to the correction or deletion of personal data or the restriction of data management
    7. The right to data portability
    8. Right to protest
    9. Right to withdraw consent
  4. Data security
    1. Storage of personal data and security of data management
    2. The data protection incident and its management
  5. Legal remedy, right of complaint, judicial remedy
    1. Right of complaint
    2. Right to judicial remedy against the decision of the NAIH or other supervisory authority
    3. The right to a judicial remedy against the controller or data processor
    4. Liability for damages and damages
  6. List of legislation applied in connection with data management
  7. Contact

1. Introduction

Shift Hungary Kft. (hereinafter “Shift Hungary Kft.” or “data controller”) developed the application called “SHIFT” (hereinafter: “application”), the purpose of which is, on the one hand, to enable employees to take on casual work in restaurants, and on the other hand, to enable restaurants to employ employees for casual work.

As a data controller, Shift Hungary Kft. handles your personal data (you are hereinafter referred to as the “data subject”) in accordance with this data management information sheet (hereinafter: “information sheet” or “regulations”). The data management of Shift Hungary Kft. complies with the regulations contained in the current legislation and these regulations.

If you do not understand certain parts of these regulations or if you have any questions, please feel free to contact us using the contact information provided in the Contact section of these regulations so that we can answer your questions.

Shift Hungary Kft. handles your personal data exclusively for the data management specified in these regulations and for the data management purposes specified therein. We process your data only to the extent, for the time and in the manner necessary, as we consider your privacy and respect for your right to informational self-determination to be of utmost importance. In order to keep your data safe, Shift Hungary Kft. takes all necessary and available security measures, both in a technical sense and in the procedures and activities of the persons involved in data management.

This information sheet describes the details and rules of Shift Hungary Kft.’s data management, which govern both the data controller and its partners involved in data management.

Shift Hungary Kft. handles the above personal data primarily in order to provide its users with a high-quality service. During data management in connection with your personal data, the data controller is Shift Hungary Kft.

The “Data Controller” is the natural or legal person who determines the purposes and means of processing personal data independently or together with others.

Several persons or actors participate in the data management carried out by Shift Hungary Kft.

In connection with data management, Shift Hungary Kft. may use the help of other companies in the implementation of data management purposes (e.g. home delivery, accounting, server services, etc.). In such a case, a contributing partner company takes part in the management of your personal data as a data processor.

The “Data Processor” is the natural or legal person who processes personal data on behalf of the data controller and mostly only executes instructions or does not make decisions in terms of data management, or the data processor does not determine the means of data management.

Shift Hungary Kft., as the data controller, is primarily responsible to users for the data management. The data processor is only liable for damages if it violated the rules applicable to the data processor or did not follow the lawful instructions of the data controller. The data controller is solely responsible for errors made by the data controller. Shift Hungary Kft. receives your personal data directly from you.

You can object to data processing

As the data subject, you have the right to object to the processing of your personal data at any time for reasons related to your own situation. In this case, the data controller, i.e. Shift Hungary Kft., may not process the personal data any further, unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to the presentation, enforcement or defense of legal claims.

2. Individual data management

2.1. Shift Hungary Kft. data management related to its activities

Purpose of data management

Shift Hungary Kft. developed the application called SHIFT.

The application is available on Android and Apple systems. After downloading the application, users can register in the application as an employee or as a restaurant. If you register in the application as an employee, you can take on occasional jobs from among the shifts advertised by the restaurants. If you register as a restaurant, you can announce shifts via the application, which users registered as employees of the application can apply for.

The operation of Shift Hungary Kft.’s application requires data management so that you, as a restaurant, can announce your shifts and you, as an employee, can apply for the shifts. We process your personal data with your consent in order to operate the application.

Expected impact of data management on the user (data subject)

For the user, the data management does not result in any special effects, nor does it carry any outstanding risks. Data management is necessary for the operation of the application.

The data controller and its contact details

In the above data management, the data controller is Shift Hungary Kft.

registered office: 6753 Szeged Major utca 15

e-mail: martin.tihanyi9@gmail.com

phone: 0670 232 5414

Shift Hungary Kft.’s representative: Managing Director Martin Tihanyi

representative e-mail address: martin.tihanyi9@gmail.com

The scope and type of persons and stakeholders affected by data management

Those who download the application of Shift Hungary Kft. and register in the application. From the point of view of data management, the person whose personal data is being processed is called the “data subject”. Users are typically affected in this data management.

The processed personal data

Your following personal data is managed by the application of Shift Hungary Kft.:

If you register as an employee:

personal identification data: employee’s name, employee’s address or place of residence, employee’s place and time of birth, location data, CV

contact details: e-mail, telephone number

If you register as a restaurant:

We would like to inform you that if you register as a restaurant, we only process personal data if the restaurant’s e-mail address contains the name of a natural person or the telephone number is linked to a natural person.

contact details: e-mail, telephone number

Legal basis for data management

Data management is based on the consent of the data subject. Consent to data management is given electronically during registration. You provide your location data by sharing it with the application, i.e. its processing is based on your consent.

The processing of personal data is lawful based on Article 6 (1) a) of the GDPR, if the data subject has given his consent to the processing of his personal data for one or more specific purposes.

Who can access the user’s (data subject) personal data

The user’s personal data defined above can be accessed by Shift Hungary Kft., which performs the data management, and by its employees.

In addition, the following data processors have access to your personal data:

Hosting provider:

Company name: Google Firebase

Company name: Google Firestore

You can find out more about the data protection activities of Google Firebase and Google Firestore on the following website: https://policies.google.com/privacy

If you have any questions regarding the management of your personal data or wish to exercise your rights, please contact the data controller, i.e. Shift Hungary Kft.

If you have any questions regarding data processing carried out by a data processor, or if you wish to exercise your rights, please contact Google.

Users registered as restaurants in the application:

We inform users registered as employees that if they apply for a shift in the application, their personal data indicated above will be forwarded to the restaurant announcing the shift.

Is the user (data subject) obliged to provide his personal data?

You are not obliged to provide your personal data. However, if you do not provide these personal data, you will not be able to use the Shift Hungary Kft. application. Therefore, providing your personal data above is in our common interest.

Data management and storage time

The data is processed with the consent of the data subject, i.e. you.

You can revoke your data management consent at any time by deleting the application from your device. If you no longer allow location sharing for the application on your mobile device, the application will no longer have access to your location data.

Transfer of personal data to a third country

The user’s personal data will not be transferred to third countries. By third country we mean those countries which are not members of the European Union.

Automated decision-making and profiling in relation to data management

In connection with the above data management, profiling is not carried out through our company. Our company does not perform profiling.

“Profiling” is any form of automated processing of personal data in which personal data is used to assess certain personal characteristics of a natural person, in particular to analyze or predict characteristics related to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.

The purpose of profiling is to offer you more interesting and important products, or we can provide you with products that are better suited to your shopping habits. Profiling only covers your shopping habits and preferences. Profiling does not have adverse consequences or any restrictions for you.

3. Rights of the data subjects whose personal data is processed during data processing

You, as a data subject whose personal data is processed, have the following rights in relation to data management. We would like to inform you that you can exercise your rights below primarily against the data controller. In this data management, Shift Hungary Kft. is the data controller.

Your rights as a data subject in relation to data management

  • right to information,
  • right of access,
  • right to rectification,
  • right to erasure, “right to be forgotten”,
  • right to restriction,
  • right to protest,
  • your right to data portability,
  • right to withdraw consent,
  • right of complaint,
  • right to judicial remedy.

Right to information

General rules for informing the data subject and the right to information

Before starting data management, and at the latest upon obtaining the data subject’s personal data, the data controller must inform the data subject in detail about the information contained in this data management information sheet in relation to the data management.

The data controller is responsible for providing preliminary information. In addition to the above preliminary information, you can request information from the data controller at any stage of data management as follows. In this case, the data controller must provide the information immediately, but within 25 days at the latest. The 25-day deadline can only be extended by a maximum of 2 months in justified cases.

The data controller can only refuse the information if it proves that the data subject cannot be identified.

If the data controller does not take action, i.e. does not comply with its obligation to provide information, it must inform the data subject within 25 days of the failure to take action, of the reason for it, and of the data subject’s right to file a complaint in connection with the data processing or to go to court. This information sheet contains detailed information on complaints and judicial remedies below.

The information and measures must be provided by the data controller free of charge to the data subject. However, the data controller may exceptionally charge a reasonable fee or refuse to provide information and action if the data subject’s request is clearly unfounded, repetitive or excessive.

The data subject’s right of access

The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed, and if such data processing is underway, he is entitled to access the personal data and the information listed below.

Based on the right of access, the data subject must be informed of the following upon request:

a) the purposes of data management;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom or to which the personal data has been or will be disclosed, including in particular third-country recipients or international organizations;

d) where appropriate, the planned period of storage of personal data;

e) the right of the data subject to request from the data controller the correction, deletion or restriction of processing of personal data concerning him and to object to the processing of such personal data;

f) the right to submit a complaint to the supervisory authority (NAIH);

g) if the data were not collected from the data subject, all available information about their source;

h) the fact of automated decision-making, including profiling, or the lack thereof, as well as, at least in these cases, comprehensible information about the logic used and the significance of such data management and the expected consequences for the data subject.

The data controller provides a copy of the personal data that is the subject of data management to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.

If the data subject submitted the request electronically, the information must be provided in a widely used electronic format, unless the data subject requests otherwise.

Right to rectification

The data subject has the right to request that the data controller correct inaccurate personal data relating to him without undue delay. Taking into account the purpose of the data management, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.

Right to erasure, “right to be forgotten”

As a data subject, you are entitled to have the data controller delete your personal data without undue delay upon your request, and the data controller is obliged to delete the personal data concerning the data subject without undue delay if one of the following reasons exists:

a) the personal data are no longer needed for the purpose for which they were collected or otherwise processed;

b) if the data processing is based on the data subject’s consent (e.g. sending a newsletter), and the data subject withdraws his consent to the data processing, and there is no other legal basis for the data processing;

c) the data subject objects to the data processing and there is no overriding legal reason for the data processing;

d) personal data were handled unlawfully;

e) personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller;

f) the collection of personal data took place in connection with the offering of services related to the information society.

If the data controller has disclosed the personal data and is obliged to delete it pursuant to paragraph (1), it will take reasonable steps, including technical measures, taking into account the available technology and the costs of implementation, in order to inform the data controllers that process the data that the data subject has requested from them the deletion of the links to the personal data in question or of copies or duplicates of this personal data.

In the above cases, the data controller is not obliged to comply with the deletion request if the data processing is necessary:

a) for the purpose of exercising the right to freedom of expression and information;

b) for the fulfillment of an obligation under the EU or Member State law applicable to the data controller, which prescribes the processing of personal data, or for the purpose of performing a task in the public interest or in the exercise of a public authority granted to the data controller;

c) on the basis of public interest in the field of public health;

d) for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, and the right to erasure would likely make this data management impossible or seriously jeopardize it; or

e) to present, assert or defend legal claims.

The right to restrict data processing

The data subject has the right to have the data controller limit data processing at his request, if one of the following is met:

a) the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows the data controller to check the accuracy of the personal data;

b) the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use;

c) the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims; or

d) the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

If data management is subject to restrictions based on the above, such personal data, with the exception of storage, can only be processed with the consent of the data subject, or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of another natural or legal person, or in the important public interest of the Union or of a Member State.

The data controller informs the data subject, at whose request the data processing was restricted based on the above, of the lifting of the data processing restriction in advance.

Notification obligation related to the correction or deletion of personal data or the restriction of data management

The data controller is obliged to inform all recipients to whom or to which the personal data was communicated of the correction, deletion or restriction of data processing, unless this proves to be impossible or requires a disproportionately large effort.

At the request of the data subject, the data controller informs the data subject about these recipients.

The right to data portability

The data subject has the right to receive the personal data concerning him/her, which he/she provided to a data controller, in a structured, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without being hindered by the data controller to which he/she provided the personal data, if: a) the data processing is based on the consent of the data subject (e.g. sending a newsletter) or on the fulfillment of a contractual obligation between the parties; and b) data management is performed in an automated manner.

When exercising the right to data portability as described above, the data subject is entitled to – if this is technically possible – request the direct transmission of personal data between data controllers.

Exercising the right to data portability cannot violate the right to erasure. The right to data portability must not adversely affect the rights and freedoms of others.

Right to protest

As the data subject, you have the right to object to the processing of your personal data at any time for reasons related to your own situation. In this case, the data controller may not process the personal data further, unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or which are connected to the presentation, enforcement or defense of legal claims.

If the processing of personal data is carried out for the purpose of obtaining direct business (e.g. sending marketing letters to customers), the data subject has the right to object at any time to the processing of his personal data for this purpose, including profiling, if it is related to the direct acquisition of business. If the data subject objects to the processing of personal data for the purpose of direct business acquisition, then the personal data may no longer be processed for this purpose.

Right to withdraw consent

The data subject has the right to withdraw his consent to data management at any time if the legal basis for data management is the consent of the data subject (e.g. sending a newsletter for marketing purposes). However, the withdrawal of consent does not make the data processing carried out before the withdrawal unlawful.

4. Data security

Storage of personal data and security of data management

Shift Hungary Kft.’s IT infrastructure, storage facilities and other data storage locations are located at its headquarters and locations.

The IT tools and solutions used for data management, especially the security systems, are chosen and used in such a way that the processed personal data is accessible to those authorized to do so, its authenticity and authentication are ensured, its immutability can be verified, and it is protected against unauthorized access.

We protect your personal data with appropriate measures, especially against unauthorized access, alteration, data protection incident, data theft, data leakage, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as inaccessibility resulting from changes in the technology used.

In order to protect the data files managed in its records, Shift Hungary Kft. uses an appropriate technical solution to ensure that the stored data, except in the case of legal authorization, cannot be directly linked or assigned to the data subject.

Taking into account the current level of technical development, we ensure the security and protection of our data management with technical and organizational measures that ensure an adequate level of protection for your personal data.

The IT system and network of Shift Hungary Kft. and of its partners are both protected against computer-supported harmful human acts (e.g. fraud, espionage, sabotage, vandalism, computer viruses, computer break-ins, etc.), as well as against the harmful effects of natural (e.g. fire and flood) or other causes (e.g. service outage, etc.). Shift Hungary Kft. ensures the security of its data with server and software level protection procedures and services.

During data processing, Shift Hungary Kft. protects your personal data so that only those who are entitled to it can access it (confidentiality), protects the accuracy and completeness of your personal data and of the method of processing (integrity), and ensures that when authorized users need the personal data, they can actually access it and it is available (availability).

We would like to inform those concerned that the personal data is partially transmitted to Shift Hungary Kft. via the Internet. Regardless of the protocol used (email, web, ftp, etc.), the security of data and electronic messages transmitted over the Internet is vulnerable to network threats aimed at unfair activity, contract disputes, or the disclosure or modification of information. In order to eliminate such dangers, Shift Hungary Kft. takes all the safety measures expected of it.

The data protection incident and its management

According to the European Data Protection Regulation (GDPR), a data protection incident is a breach of security that results in the accidental or unlawful destruction, loss or alteration of, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored or otherwise handled. Therefore, any event or situation in which your personal data may fall into unauthorized hands is considered a data protection incident.

In the event of a data protection incident, we report the incident to the competent supervisory authority immediately, but no later than 72 hours after the data protection incident came to our attention. We will also inform you, as the person involved in data management, if the data protection incident is likely to pose a risk to the rights and freedoms of natural persons.

5. Legal remedy, right of complaint, judicial remedy

That is, what can you do if you think your personal data is not being handled properly?

Right of complaint

As the data subject, you have the right to file a complaint with a supervisory authority, especially in the Member State of your usual place of residence, workplace or the place of the suspected infringement, if, in your opinion, the processing of your personal data violates the law. In Hungary, the competent supervisory authority is the National Data Protection and Freedom of Information Authority (NAIH).

Exercising the right to complain does not exclude the possibility that you, as a data subject, seek other administrative or judicial remedies if you consider that your personal data is being handled in a way that violates the law. Therefore, even in the case of exercising your right to complain, you can also initiate administrative or judicial remedies at the same time.

Complaints can be made to the National Data Protection and Freedom of Information Authority, whose contact details are as follows:

Name: National Data Protection and Freedom of Information Authority

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, Pf.: 5.

Phone: 06 1 391 1400

Fax: 06 1 391 1410

Website: http://www.naih.hu

E-mail: ugyfelszolgalat@naih.hu

Right to judicial remedy against the decision of the NAIH or other supervisory authority

If you have contacted the supervisory authority (NAIH) regarding your data management and the authority has made a decision in your case, you, as the data subject, have the right to initiate a judicial remedy against this decision, i.e. challenge the decision in court. You have the right to the above judicial remedy even if the competent supervisory authority (NAIH) does not deal with the complaint or does not inform the person concerned about the procedural developments related to the complaint or its result within three months.

Proceedings against the supervisory authority (NAIH) must be initiated before the court of the Member State where the supervisory authority is located.

The right to a judicial remedy against the controller or data processor

You, as the data subject, are entitled to seek legal remedies if, in your opinion, your rights in relation to data management have been violated as a result of unlawful processing of your personal data. Exercising the right to judicial redress does not exclude the possibility that you, as a data subject, may turn to other administrative or judicial remedies or exercise your right to complain if you consider that your personal data is being processed in a manner that violates the law.

Proceedings against the data controller or data processor must be initiated before the court of the Member State where the data controller or data processor operates. In the case of Shift Hungary Kft., the courts of its place of business are the Hungarian courts. The competent court according to the seat of Shift Hungary Kft. is the Szeged District Court or, in case of special powers, the Court of Szeged.

The judicial remedy procedure can also be initiated before the court of the Member State of the habitual residence of the person concerned, unless the data controller or the data processor is a public authority of a Member State acting in its public authority.

Liability for damages and damages

That is, how is the data controller or data processor liable towards the data subject in case of damage?

If the inappropriate data management caused damage to you as the data subject, then the data controller is responsible for compensation for the damage. We can talk about damages in the event that the data processing was in violation of the law or breach of contract, and the data subject suffered a financial disadvantage. In the case of illegal data processing, the person concerned may also demand damages.

You can assert your claim for compensation or damages primarily against the data controller. The data processor is only liable for damages if it violated the rules applicable to it or if it did not follow the legal instructions of the data controller. In other words, the data processor is not responsible for errors made by the data controller.

6. List of legislation applied in connection with data management

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection regulation) (GDPR);

Act CXII of 2011 – on the right to self-determination of information and freedom of information (Infotv.);

Act C of 2000 – on accounting (Act);

Act CVIII of 2001 – on certain issues of electronic commercial services and services related to the information society (Ektv.);

Act XLVIII of 2008 – on the basic conditions and certain limitations of economic advertising activity (Grt.);

Act V of 2013 – on the Civil Code (Ptk.).

7. Contact

If you have any questions regarding the management of your personal data or wish to exercise your rights in connection with our data management, please contact Shift Hungary Kft. as the data controller.

The contact details of Shift Hungary Kft. are as follows:

registered office: 6753 Szeged Major utca 15

e-mail: martin.tihanyi9@gmail.com

phone: 06 70 232 5414

Shift Hungary Kft.’s representative: Managing Director Martin Tihanyi

representative e-mail address: martin.tihanyi9@gmail.com