Privacy Notice
1. Introduction
Fressnapf-Hungária Kft. operates an internal whistleblowing system in accordance with the provisions of Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law and Act XXV of 2023 on complaints, notifications of public interest and rules relating to whistleblowing (hereinafter: Complaints Act).
In this privacy notice, we inform data subjects about the data processing activities related to the operation of the internal whistleblowing system in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR").
2. Definitions
This notice uses the terms defined in the GDPR and the Complaints Act.
- personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- reporting person: someone who makes a report through the internal whistleblowing system.
3. Controller
Name: Fressnapf Hungária Kft.
Representatives:
Mihály Széles Managing Director (method of representation: joint)
Kisgergely Dániel Managing Director (method of representation: joint)
Miklós Nádasdi (method of representation: joint)
Vaszkóné Barbácsy Virág Éva (method of representation: joint)
Ákos Páldi Managing Director (method of representation: joint)
Office: 1095 Budapest, Lechner Ödön fasor 10/B.
E-mail: HR_HU.Team@hu.fressnapf.eu
The Data Protection Officer and contact details: Vaszkóné Barbácsy Virág Éva HR_HU.Team@hu.fressnapf.eu
4. Purpose and legal basis of the processing, the data processed and the data subjects concerned
The Data Controller processes personal data of data subjects to the extent necessary for the performance of its tasks in relation to the operation of the whistleblowing system, to the extent strictly necessary for the investigation of the report.
Purpose of the processing:
Performing tasks related to the operation of the internal whistleblowing system, investigating the report and remedying or terminating the conduct that is the subject of the report.
Data subjects:
- the reporting person,
- the person whose conduct or omission gave rise to the report,
- the person who may have material information on the subject matter of the report.
Scope of the data processed:
The fact of the report, personal data essential for its investigation.
Legal basis for processing:
The legal basis for data processing is the fulfilment of a legal obligation according to Article 6(1)(c) of the GDPR. The basis for this legal obligation is Directive 2019/1937 and Chapter V, Section II of the Complaints Act.
Following the conclusion of the investigative phase, the legal basis for data processing is legitimate interests according to Article 6(1)(f) of the GDPR. After the maximum duration of 3 months for the investigative phase has ended, we will continue to store the data in a restricted manner within the 5-year civil statute of limitations period. We will only use the data in case of a potential complaint (e.g., to the NAIH), official proceedings, or judicial remedies, for purposes such as substantiating compliance, enabling the evidence process, establishing the facts accurately, and making lawful decisions, all in pursuit of legitimate interests.
5. Duration of processing
We will store the personal data of the data subjects for a maximum of 3 months for the purpose of investigating the report. Following the closure of the investigation, we will retain the personal data for 5 years for the purpose of asserting and defending legal claims. Personal data that are not necessary for the conduct of an investigation will be deleted without delay, unless the retention of the data is required by law.
6. Recipients of the processing
The internal whistleblowing system is operated in such a way that the personal data of the reporting person who discloses his or her identity and of the person concerned cannot be disclosed to anyone other than the authorised persons. The persons investigating the report will, pending the conclusion of the investigation or the initiation of formal prosecution as a result of the investigation, share information about the content of the report and the person concerned, in addition to informing the person concerned, with other departments or employees of the controller to the extent strictly necessary for the conduct of the investigation.
Where the effective conduct of the investigation requires the involvement of a group department or employee, personal data processed under the internal whistleblowing system may only be transferred to such person or department if the person concerned has given his or her prior consent.
As a general rule, the controller does not transfer data to a third country or international organisation outside the European Union or the contracting states of the European Union and the European Economic Area. Such transfers may take place in respect of data processed under the internal whistleblowing system only in exceptional cases, subject to a legal undertaking by the recipient of the transfer to comply with the rules on whistleblowing set out in the Complaints Act and subject to the provisions on the protection of personal data.
If it becomes apparent that the reporting person has communicated false data or information in bad faith and
- a) there are indications that a criminal or administrative offence has been committed, personal data must be handed over to the authority or person responsible for the procedure,
- b) there are reasonable grounds for believing that he or she has caused unlawful damage or other legal harm to another person, his or her personal data must be disclosed at the request of the body or person entitled to initiate or conduct the proceedings.
The data processor of the controller is the hosting service provider who contributes to the storage of the electronic data. The controller uses the services of Magyar Telekom Nyrt (registered office: 1097 Budapest, Könyves Kálmán körút 36.; company registration number: 01 10 041928; website: www.telekom.hu) as data processor for telephone communication and Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6.; company registration number: Cg.01-10-042463; website: www.posta.hu) as data processor for postal correspondence. The hosting service provider of the controller is CANCOM Managed Services GmbH (registered office: Erika-Mann-Straße 69 80636 München Deutschland; company registration number: HRB 249726 München; electronic delivery address: support.fressnapf@cancom.de).
7. Rights of data subjects
The data subject's rights may be exercised, only if the data subject is identifiable, in the manner provided in this notice. If a request is made, the controller will respond without delay and at the latest within one month.
Right of access: you may request information from the controller about the purposes and the manner of the processing, to whom the personal data may be disclosed, and request a copy of the data held by the controller. We will comply with these requests free of charge the first time for each item of data. Your rights of access and use will only be granted after prior identification, precisely in order to protect your data.
Please note that under the Complaints Act, in exercising the right to information and access, the personal data of the reporting person as data subject may not be disclosed to the person requesting the information.
Right to rectification: as a data subject, you have the right to obtain from the controller, at your request and without undue delay, the rectification of inaccurate personal data concerning you and have incomplete personal data completed. It is in the best interest of the controller and its processors to keep your personal data accurate and up to date, so please notify the controller immediately of any changes to your data or if your data is inaccurate or incorrect.
The right to erasure: You may request the erasure of personal data processed by the controller if the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; where you have withdrawn your consent and there is no other legal basis for the processing; where you have objected to the processing and there is no overriding legitimate ground for the processing; or where you consider that the personal data are unlawfully processed; or where the personal data must be erased in order to comply with a legal obligation under European Union or Member State law to which the controller is subject.
Right to restriction of processing: You may request the restriction of processing if you contest the accuracy of the personal data processed (in which case the restriction applies for the period of time necessary to allow the controller to verify the accuracy of the personal data); if you consider that the personal data are unlawfully processed but you oppose their erasure and instead request the restriction of the use of the data; if you consider that the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, but you request them for the establishment, exercise or defence of legal claims; or if you have objected to the processing (in which case the restriction will apply for a period of time until it is established whether the legitimate grounds of the controller override those of the data subject). In the case of restriction of processing, personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.
Right to object: you may object to processing based on the legitimate interests of the controller at any time on grounds relating to your particular situation. In the event of an objection, the controller may no longer process the personal data, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The right to submit a complaint with a supervisory authority: If the data subject considers that the processing of personal data concerning him or her infringes the provisions of the GDPR or the data protection legislation in force, he or she may submit a complaint with the supervisory authority competent in the Member State of his or her habitual residence, place of work or place of the alleged infringement, in Hungary with the National Authority for Data Protection and Freedom of Information.
Contact details of the National Authority for Data Protection and Freedom of Information:
- postal address: 1363 Budapest, Pf. 9.
- address: 1055 Budapest, Falk Miksa utca 9-11.
- phone: +36 (1) 391-1400
- fax: +36 (1) 391-1410
- e-mail: ugyfelszolgalat@naih.hu
- web: www.naih.hu
Irrespective of the right to submit a complaint, the data subject may also take legal action against the unlawful processing of his or her personal data or the infringement of his or her rights relating to the right to informational self-determination. In Hungary, legal proceedings may be brought before the competent court of the place of residence or domicile of the data subject, or, on the basis of the seat of the controller, before the Capital Regional Court (seat: 1055 Budapest, Markó utca 27; postal address: 1363 Budapest, Pf. 16.).
To exercise your rights, please contact the controller using the contact details listed in point 3.
8. Scope of the privacy notice
The information provided herein relates only to the processing described in this privacy notice and in the context of the internal whistleblowing system. This privacy notice of the controller is without prejudice to other privacy notices not specifically prepared for the internal whistleblowing system. This applies, for example, to the controller's general privacy notice or to privacy notices on specific internet sites (websites).
9. Publication status and changes to the privacy notice
Publication date of the privacy notice: 1 June 2023
Changes in legal and/or regulatory requirements may require changes to the privacy notice. In this case, we will publish the corresponding updated privacy notice.